Set enterprise policy defaults in lacros

Currently default_for_enterprise_users flag in policy_templates.json
affects ash only, this CL changes it to affect lacros too. For this
purpose generated function SetEnterpriseUsersDefaults is divided into
two subfunctions so that enterprise default values for profile and
system-wide policies are set separately.

Test: manually on DUT + unittests
Bug: 1202130
Change-Id: Ibcd933fa3d9364a1f9abc4823b7afb38477cc17d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2878842
Reviewed-by: Eric Orth <ericorth@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Olya Kalitova <okalitova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#885525}

chrome/browser/loader/signed_exchange_policy_browsertest.cc

@@ -4,7 +4,6 @@
 
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
-#include "build/chromeos_buildflags.h"
 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/test/base/ui_test_utils.h"
@@ -77,8 +76,8 @@ IN_PROC_BROWSER_TEST_F(SignedExchangePolicyBrowserTest, BlackList) {
                policy::POLICY_SCOPE_USER, policy::POLICY_SOURCE_CLOUD,
                blacklist.Clone(), nullptr);
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-  policy::SetEnterpriseUsersDefaults(&policies);
+#if defined(OS_CHROMEOS)
+  policy::SetEnterpriseUsersProfileDefaults(&policies);
 #endif
   policy_provider_.UpdateChromePolicy(policies);
   base::RunLoop loop;

chrome/browser/net/errorpage_browsertest.cc

@@ -79,16 +79,7 @@
 #include "net/url_request/url_request_test_job.h"
 #include "services/network/public/cpp/features.h"
 #include "ui/base/l10n/l10n_util.h"
-
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-#include "chrome/browser/browser_process.h"
-#include "chrome/browser/chromeos/chrome_browser_main_chromeos.h"
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
-#include "chromeos/tpm/stub_install_attributes.h"
-#include "components/policy/core/common/policy_types.h"
-#else
 #include "chrome/browser/policy/profile_policy_connector_builder.h"
-#endif
 #include "build/chromeos_buildflags.h"
 #include "components/policy/core/common/mock_configuration_policy_provider.h"
 
@@ -819,54 +810,30 @@ class ErrorPageOfflineTest : public ErrorPageTest {
 
  protected:
   void SetUpInProcessBrowserTestFixture() override {
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-    if (enroll_) {
-      // Set up fake install attributes.
-      test_install_attributes_ =
-          std::make_unique<chromeos::ScopedStubInstallAttributes>(
-              chromeos::StubInstallAttributes::CreateCloudManaged("example.com",
-                                                                  "fake-id"));
-    }
-#endif
-
     // Sets up a mock policy provider for user and device policies.
     EXPECT_CALL(policy_provider_, IsInitializationComplete(testing::_))
         .WillRepeatedly(testing::Return(true));
     EXPECT_CALL(policy_provider_, IsFirstPolicyLoadComplete(testing::_))
         .WillRepeatedly(testing::Return(true));
 
     policy::PolicyMap policy_map;
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-    if (enroll_)
-      SetEnterpriseUsersDefaults(&policy_map);
-#endif
     if (set_allow_dinosaur_easter_egg_) {
       policy_map.Set(policy::key::kAllowDinosaurEasterEgg,
                      policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_USER,
                      policy::POLICY_SOURCE_CLOUD,
                      base::Value(value_of_allow_dinosaur_easter_egg_), nullptr);
     }
-    policy_provider_.UpdateChromePolicy(policy_map);
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-    policy::BrowserPolicyConnector::SetPolicyProviderForTesting(
-        &policy_provider_);
-#else
-    policy::PushProfilePolicyConnectorProviderForTesting(&policy_provider_);
+#if defined(OS_CHROMEOS)
+    SetEnterpriseUsersProfileDefaults(&policy_map);
 #endif
 
+    policy_provider_.UpdateChromePolicy(policy_map);
+    policy::PushProfilePolicyConnectorProviderForTesting(&policy_provider_);
     ErrorPageTest::SetUpInProcessBrowserTestFixture();
   }
 
   std::string NavigateToPageAndReadText() {
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-    // Check enterprise enrollment
-    policy::BrowserPolicyConnectorChromeOS* connector =
-        g_browser_process->platform_part()
-        ->browser_policy_connector_chromeos();
-    EXPECT_EQ(enroll_, connector->IsEnterpriseManaged());
-#endif
-
     ui_test_utils::NavigateToURL(
         browser(),
         URLRequestFailedJob::GetMockHttpUrl(net::ERR_INTERNET_DISCONNECTED));
@@ -887,15 +854,6 @@ class ErrorPageOfflineTest : public ErrorPageTest {
   // The value of AllowDinosaurEasterEgg policy we want to set
   bool value_of_allow_dinosaur_easter_egg_;
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-  // Whether to enroll this CrOS device
-  bool enroll_ = true;
-
-  std::unique_ptr<chromeos::ScopedStubInstallAttributes>
-      test_install_attributes_;
-#endif
-
-  // Mock policy provider for both user and device policies.
   testing::NiceMock<policy::MockConfigurationPolicyProvider> policy_provider_;
   std::unique_ptr<content::URLLoaderInterceptor> url_loader_interceptor_;
 };
@@ -918,17 +876,6 @@ class ErrorPageOfflineTestWithAllowDinosaurFalse : public ErrorPageOfflineTest {
   }
 };
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-class ErrorPageOfflineTestUnEnrolledChromeOS : public ErrorPageOfflineTest {
- protected:
-  void SetUpInProcessBrowserTestFixture() override {
-    set_allow_dinosaur_easter_egg_ = false;
-    enroll_ = false;
-    ErrorPageOfflineTest::SetUpInProcessBrowserTestFixture();
-  }
-};
-#endif
-
 IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTestWithAllowDinosaurTrue,
                        CheckEasterEggIsAllowed) {
   std::string result = NavigateToPageAndReadText();
@@ -943,7 +890,7 @@ IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTestWithAllowDinosaurFalse,
   EXPECT_EQ(disabled_text, result);
 }
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_CHROMEOS)
 IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTest, CheckEasterEggIsDisabled) {
   std::string result = NavigateToPageAndReadText();
   std::string disabled_text =
@@ -957,16 +904,6 @@ IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTest, CheckEasterEggIsAllowed) {
 }
 #endif
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
-IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTestUnEnrolledChromeOS,
-                       CheckEasterEggIsAllowed) {
-  std::string result = NavigateToPageAndReadText();
-  std::string disabled_text =
-      l10n_util::GetStringUTF8(IDS_ERRORPAGE_FUN_DISABLED);
-  EXPECT_EQ("", result);
-}
-#endif
-
 IN_PROC_BROWSER_TEST_F(ErrorPageOfflineTestWithAllowDinosaurTrue,
                        CheckEasterEggHighScoreLoaded) {
   content::WebContents* web_contents =

chrome/browser/policy/cloud/cloud_policy_test_utils.cc

@@ -19,6 +19,8 @@ void GetExpectedDefaultPolicy(PolicyMap* policy_map) {
                   base::Value(false), nullptr);
 #elif BUILDFLAG(IS_CHROMEOS_ASH)
   SetEnterpriseUsersDefaults(policy_map);
+#elif BUILDFLAG(IS_CHROMEOS_LACROS)
+  SetEnterpriseUsersProfileDefaults(policy_map);
 #endif
 }
 

chrome/browser/policy/policy_test_utils.cc

@@ -188,7 +188,7 @@ scoped_refptr<const extensions::Extension> PolicyTest::LoadUnpackedExtension(
 
 void PolicyTest::UpdateProviderPolicy(const PolicyMap& policy) {
   PolicyMap policy_with_defaults = policy.Clone();
-#if BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_CHROMEOS)
   SetEnterpriseUsersDefaults(&policy_with_defaults);
 #endif
   provider_.UpdateChromePolicy(policy_with_defaults);

chrome/browser/policy/test/proxy_policies_browsertest.cc

@@ -30,7 +30,7 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SeparateProxyPoliciesMerging) {
   expected_value.SetIntKey(key::kProxyServerMode, 3);
   expected.Set(key::kProxySettings, POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
                POLICY_SOURCE_CLOUD, std::move(expected_value), nullptr);
-#if BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_CHROMEOS)
   SetEnterpriseUsersDefaults(&expected);
 #endif
 
@@ -39,6 +39,7 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SeparateProxyPoliciesMerging) {
       g_browser_process->browser_policy_connector()
           ->GetPolicyService()
           ->GetPolicies(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
+
   EXPECT_TRUE(expected.Equals(actual_from_browser));
   const PolicyMap& actual_from_profile =
       browser()

components/policy/core/common/cloud/user_cloud_policy_manager.cc

@@ -11,6 +11,7 @@
 #include "base/callback_helpers.h"
 #include "base/sequenced_task_runner.h"
 #include "build/build_config.h"
+#include "build/chromeos_buildflags.h"
 #include "components/account_id/account_id.h"
 #include "components/policy/core/common/cloud/cloud_external_data_manager.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
@@ -109,8 +110,14 @@ void UserCloudPolicyManager::GetChromePolicy(PolicyMap* policy_map) {
   // If the store has a verified policy blob received from the server then apply
   // the defaults for policies that haven't been configured by the administrator
   // given that this is an enterprise user.
-  // TODO(crbug.com/640950): We should just call SetEnterpriseUsersDefaults
-  // here.
+#if BUILDFLAG(IS_CHROMEOS_LACROS)
+  if (!store()->has_policy())
+    return;
+
+  // TODO(https://crbug.com/1206315): Don't apply enterprise defaults for Child
+  // user.
+  SetEnterpriseUsersProfileDefaults(policy_map);
+#endif
 #if defined(OS_ANDROID)
   if (store()->has_policy() &&
       !policy_map->Get(key::kNTPContentSuggestionsEnabled)) {

components/policy/core/common/generate_policy_source_unittest.cc

@@ -207,7 +207,7 @@ TEST(GeneratePolicySource, PolicyDetails) {
   // than 0, once a type 'external' policy is added.
 }
 
-#if BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_CHROMEOS)
 TEST(GeneratePolicySource, SetEnterpriseDefaults) {
   PolicyMap policy_map;
 
@@ -229,6 +229,60 @@ TEST(GeneratePolicySource, SetEnterpriseDefaults) {
   expected = base::Value("test_value");
   EXPECT_TRUE(expected.Equals(multiprof_behavior));
 }
+
+TEST(GeneratePolicySource, SetEnterpriseSystemWideDefaults) {
+  PolicyMap policy_map;
+
+  // If policy not configured yet, set the enterprise system-wide default.
+  SetEnterpriseUsersSystemWideDefaults(&policy_map);
+
+  const base::Value* pin_unlock_autosubmit_enabled =
+      policy_map.GetValue(key::kPinUnlockAutosubmitEnabled);
+  ASSERT_TRUE(pin_unlock_autosubmit_enabled);
+  EXPECT_FALSE(pin_unlock_autosubmit_enabled->GetBool());
+  const base::Value* allow_dinosaur_easter_egg =
+      policy_map.GetValue(key::kAllowDinosaurEasterEgg);
+  EXPECT_EQ(nullptr, allow_dinosaur_easter_egg);
+
+  // If policy already configured, it's not changed to enterprise defaults.
+  policy_map.Set(key::kPinUnlockAutosubmitEnabled, POLICY_LEVEL_MANDATORY,
+                 POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD, base::Value(true),
+                 nullptr);
+  SetEnterpriseUsersSystemWideDefaults(&policy_map);
+  pin_unlock_autosubmit_enabled =
+      policy_map.GetValue(key::kPinUnlockAutosubmitEnabled);
+  ASSERT_TRUE(pin_unlock_autosubmit_enabled);
+  EXPECT_TRUE(pin_unlock_autosubmit_enabled->GetBool());
+  allow_dinosaur_easter_egg = policy_map.GetValue(key::kAllowDinosaurEasterEgg);
+  EXPECT_EQ(nullptr, allow_dinosaur_easter_egg);
+}
+
+TEST(GeneratePolicySource, SetEnterpriseProfileDefaults) {
+  PolicyMap policy_map;
+
+  // If policy not configured yet, set the enterprise profile default.
+  SetEnterpriseUsersProfileDefaults(&policy_map);
+
+  const base::Value* allow_dinosaur_easter_egg =
+      policy_map.GetValue(key::kAllowDinosaurEasterEgg);
+  ASSERT_TRUE(allow_dinosaur_easter_egg);
+  EXPECT_FALSE(allow_dinosaur_easter_egg->GetBool());
+  const base::Value* pin_unlock_autosubmit_enabled =
+      policy_map.GetValue(key::kPinUnlockAutosubmitEnabled);
+  EXPECT_EQ(nullptr, pin_unlock_autosubmit_enabled);
+
+  // If policy already configured, it's not changed to enterprise defaults.
+  policy_map.Set(key::kAllowDinosaurEasterEgg, POLICY_LEVEL_MANDATORY,
+                 POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD, base::Value(true),
+                 nullptr);
+  SetEnterpriseUsersProfileDefaults(&policy_map);
+  allow_dinosaur_easter_egg = policy_map.GetValue(key::kAllowDinosaurEasterEgg);
+  ASSERT_TRUE(allow_dinosaur_easter_egg);
+  EXPECT_TRUE(allow_dinosaur_easter_egg->GetBool());
+  pin_unlock_autosubmit_enabled =
+      policy_map.GetValue(key::kPinUnlockAutosubmitEnabled);
+  EXPECT_EQ(nullptr, pin_unlock_autosubmit_enabled);
+}
 #endif
 
 }  // namespace policy

components/policy/core/common/policy_loader_lacros.cc

@@ -18,6 +18,7 @@
 #include "components/policy/core/common/cloud/cloud_policy_validator.h"
 #include "components/policy/core/common/policy_bundle.h"
 #include "components/policy/core/common/policy_proto_decoders.h"
+#include "components/policy/policy_constants.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 
 namespace policy {
@@ -86,6 +87,7 @@ std::unique_ptr<PolicyBundle> PolicyLoaderLacros::Load() {
                     PolicySource::POLICY_SOURCE_CLOUD_FROM_ASH,
                     PolicyScope::POLICY_SCOPE_USER, &policy_map,
                     PolicyPerProfileFilter::kFalse);
+  SetEnterpriseUsersSystemWideDefaults(&policy_map);
   bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
       .MergeFrom(policy_map);
   return bundle;