From: uazo Date: Tue, 22 Nov 2022 16:49:58 +0000 Subject: Add browser policy License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html --- base/win/win_util.cc | 63 +------- chrome/android/java/AndroidManifest.xml | 4 - .../privacy_preferences_manager_impl.cc | 5 + .../metrics/chrome_feature_list_creator.cc | 12 ++ .../policy/chrome_browser_policy_connector.cc | 2 - ...nfiguration_policy_handler_list_factory.cc | 6 +- .../account_consistency_mode_manager.cc | 7 +- ...ccount_consistency_mode_manager_factory.cc | 2 +- chrome/browser/signin/chrome_signin_client.cc | 7 +- .../ui/webui/policy/policy_ui_handler.cc | 104 ++++++++++++- .../ui/webui/policy/policy_ui_handler.h | 2 + .../commerce/core/commerce_feature_list.cc | 24 +-- .../core/browser/browser_policy_connector.cc | 3 + .../common/command_line_policy_provider.cc | 3 + .../core/common/policy_loader_command_line.cc | 140 ++++++++++++++++-- .../policy/core/common/policy_pref_names.cc | 3 + .../policy/core/common/policy_pref_names.h | 1 + .../policy/core/common/policy_service_impl.cc | 3 + .../policy/core/common/policy_switches.cc | 2 + .../policy/core/common/policy_switches.h | 1 + .../Miscellaneous/SyncDisabled.yaml | 2 +- .../policy/resources/webui/policy_row.html | 1 + .../policy/resources/webui/policy_row.ts | 12 ++ components/policy_strings.grdp | 4 +- .../gaia_cookie_manager_service.cc | 4 + google_apis/gaia/gaia_auth_fetcher.cc | 1 + 26 files changed, 311 insertions(+), 107 deletions(-) diff --git a/base/win/win_util.cc b/base/win/win_util.cc --- a/base/win/win_util.cc +++ b/base/win/win_util.cc 
@@ -126,76 +126,19 @@ bool EnablePerMonitorV2() { } bool* GetDomainEnrollmentStateStorage() { - static bool state = IsOS(OS_DOMAINMEMBER); + static bool state = false; return &state; } bool* GetRegisteredWithManagementStateStorage() { - static bool state = []() { - // Mitigate the issues caused by loading DLLs on a background thread - // (http://crbug/973868). - SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY(); - - ScopedNativeLibrary library( - FilePath(FILE_PATH_LITERAL("MDMRegistration.dll"))); - if (!library.is_valid()) - return false; - - using IsDeviceRegisteredWithManagementFunction = - decltype(&::IsDeviceRegisteredWithManagement); - IsDeviceRegisteredWithManagementFunction - is_device_registered_with_management_function = - reinterpret_cast( - library.GetFunctionPointer("IsDeviceRegisteredWithManagement")); - if (!is_device_registered_with_management_function) - return false; - - BOOL is_managed = FALSE; - HRESULT hr = - is_device_registered_with_management_function(&is_managed, 0, nullptr); - return SUCCEEDED(hr) && is_managed; - }(); + static bool state = false; return &state; } // TODO (crbug/1300219): return a DSREG_JOIN_TYPE* instead of bool*. bool* GetAzureADJoinStateStorage() { - static bool state = []() { - base::ElapsedTimer timer; - - // Mitigate the issues caused by loading DLLs on a background thread - // (http://crbug/973868). 
- SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY(); - - ScopedNativeLibrary netapi32( - base::LoadSystemLibrary(FILE_PATH_LITERAL("netapi32.dll"))); - if (!netapi32.is_valid()) - return false; - - const auto net_get_aad_join_information_function = - reinterpret_cast( - netapi32.GetFunctionPointer("NetGetAadJoinInformation")); - if (!net_get_aad_join_information_function) - return false; - - const auto net_free_aad_join_information_function = - reinterpret_cast( - netapi32.GetFunctionPointer("NetFreeAadJoinInformation")); - DPCHECK(net_free_aad_join_information_function); - - DSREG_JOIN_INFO* join_info = nullptr; - HRESULT hr = net_get_aad_join_information_function(/*pcszTenantId=*/nullptr, - &join_info); - const bool is_aad_joined = SUCCEEDED(hr) && join_info; - if (join_info) { - net_free_aad_join_information_function(join_info); - } - - base::UmaHistogramTimes("EnterpriseCheck.AzureADJoinStatusCheckTime", - timer.Elapsed()); - return is_aad_joined; - }(); + static bool state = false; return &state; } diff --git a/chrome/android/java/AndroidManifest.xml b/chrome/android/java/AndroidManifest.xml --- a/chrome/android/java/AndroidManifest.xml +++ b/chrome/android/java/AndroidManifest.xml @@ -73,9 +73,7 @@ by a child template that "extends" this file. - - @@ -86,7 +84,6 @@ by a child template that "extends" this file. - @@ -130,7 +127,6 @@ by a child template that "extends" this file. - {% block extra_uses_permissions %} {% endblock %} diff --git a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc --- a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc +++ b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc 
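Review bot: The three `static bool state = false;` initialisers in GetDomainEnrollmentStateStorage, GetRegisteredWithManagementStateStorage and GetAzureADJoinStateStorage have no comment saying that management detection is switched off on purpose. A reader sees accessors that can only ever report an unmanaged device, and any caller that gates enterprise-only behaviour on these values now always takes the unmanaged path. A line such as `// Management detection intentionally disabled: always report unmanaged.` above each initialiser would record the intent. The retained TODO about returning a DSREG_JOIN_TYPE* no longer describes reachable work, and the includes that served the removed DLL lookups are probably unused now, though they lie outside this hunk.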
@@ -56,6 +56,11 @@ static jboolean JNI_PrivacyPreferencesManagerImpl_IsMetricsReportingDisabledByPolicy( JNIEnv* env) { const PrefService* local_state = g_browser_process->local_state(); + // this point (policy with 'future') gave me false, false + // LOG(INFO) << "---IsMetricsReportingDisabledByPolicy " + // << local_state->IsManagedPreference(metrics::prefs::kMetricsReportingEnabled) + // << " " + // << local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled); return local_state->IsManagedPreference( metrics::prefs::kMetricsReportingEnabled) && !local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled); diff --git a/chrome/browser/metrics/chrome_feature_list_creator.cc b/chrome/browser/metrics/chrome_feature_list_creator.cc --- a/chrome/browser/metrics/chrome_feature_list_creator.cc +++ b/chrome/browser/metrics/chrome_feature_list_creator.cc @@ -57,6 +57,8 @@ #include "content/public/common/content_switches.h" #include "services/network/public/cpp/network_switches.h" #include "ui/base/resource/resource_bundle.h" +#include "components/policy/core/common/policy_pref_names.h" +#include "components/policy/core/common/policy_switches.h" #if BUILDFLAG(IS_CHROMEOS_ASH) #include "chrome/browser/ash/policy/core/browser_policy_connector_ash.h" 
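Review bot: The five lines added to JNI_PrivacyPreferencesManagerImpl_IsMetricsReportingDisabledByPolicy are a commented-out LOG statement plus a first-person debugging remark, which is dead text rather than documentation. If the observation matters (it reads as though the managed check returns false while the policy is still a future policy), state it as a fact, for example `// Returns false while MetricsReportingEnabled is a future policy that is not allow-listed.`, and drop the disabled LOG.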
@@ -222,6 +224,16 @@ void ChromeFeatureListCreator::CreatePrefService() { // ManagementService's cache. if (local_state_pref_store->ReadPrefs() == JsonPrefStore::PREF_READ_ERROR_NONE) { + // add list of user disabled policies to command line + base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); + const base::Value* stored_value = nullptr; + if (local_state_pref_store->GetValue(policy::policy_prefs::kDisabledDefaultPoliciesList, &stored_value) && + stored_value->is_string()) { + std::string disabled_policies = stored_value->GetString(); + if (!disabled_policies.empty()) { + command_line->AppendSwitchASCII(policy::switches::kForceDisabledPolicies, disabled_policies); + } + } auto* platform_management_service = policy::ManagementServiceFactory::GetForPlatform(); platform_management_service->UsePrefStoreAsCache(local_state_pref_store); diff --git a/chrome/browser/policy/chrome_browser_policy_connector.cc b/chrome/browser/policy/chrome_browser_policy_connector.cc --- a/chrome/browser/policy/chrome_browser_policy_connector.cc +++ b/chrome/browser/policy/chrome_browser_policy_connector.cc @@ -159,8 +159,6 @@ bool ChromeBrowserPolicyConnector::HasMachineLevelPolicies() { if (ProviderHasPolicies(machine_level_user_cloud_policy_manager())) return true; #endif // !BUILDFLAG(IS_CHROMEOS_ASH) - if (ProviderHasPolicies(command_line_provider_)) - return true; return false; } diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc --- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc +++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc 
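Review bot: The string read from `kDisabledDefaultPoliciesList` is appended to the process command line without checking its contents or whether `--force-disable-policies` is already present. In CreatePrefService this means a hand-edited Local State file decides which built-in default policies are skipped at startup. That list also covers the TLS and cookie hardening defaults set in PolicyLoaderCommandLine::Load, so the entries should be filtered against the known policy names before appending, and what was disabled should be logged. Guarding the append with `if (!command_line->HasSwitch(policy::switches::kForceDisabledPolicies))` would make the precedence between an explicit switch and the stored pref explicit instead of dependent on switch order. The function body continues outside the hunk.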
@@ -2046,9 +2046,9 @@ bool AreFuturePoliciesEnabledByDefault() { if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kTestType)) { return true; } - version_info::Channel channel = chrome::GetChannel(); - return channel != version_info::Channel::STABLE && - channel != version_info::Channel::BETA; + // Future policies are allowed but not active without + // kEnableExperimentalPolicies policy + return true; } } // namespace diff --git a/chrome/browser/signin/account_consistency_mode_manager.cc b/chrome/browser/signin/account_consistency_mode_manager.cc --- a/chrome/browser/signin/account_consistency_mode_manager.cc +++ b/chrome/browser/signin/account_consistency_mode_manager.cc @@ -160,7 +160,7 @@ void AccountConsistencyModeManager::SetIgnoreMissingOAuthClientForTesting() { // static bool AccountConsistencyModeManager::ShouldBuildServiceForProfile( Profile* profile) { - return profile->IsRegularProfile(); + return false; } AccountConsistencyMethod @@ -198,7 +198,8 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod( #endif #if BUILDFLAG(ENABLE_MIRROR) - return AccountConsistencyMethod::kMirror; + // always disabled + return AccountConsistencyMethod::kDisabled; #endif #if BUILDFLAG(ENABLE_DICE_SUPPORT) @@ -208,7 +209,7 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod( return AccountConsistencyMethod::kDisabled; } - return AccountConsistencyMethod::kDice; + return AccountConsistencyMethod::kDisabled; #endif NOTREACHED(); diff --git a/chrome/browser/signin/account_consistency_mode_manager_factory.cc b/chrome/browser/signin/account_consistency_mode_manager_factory.cc --- a/chrome/browser/signin/account_consistency_mode_manager_factory.cc +++ b/chrome/browser/signin/account_consistency_mode_manager_factory.cc @@ -45,5 +45,5 @@ void AccountConsistencyModeManagerFactory::RegisterProfilePrefs( bool AccountConsistencyModeManagerFactory::ServiceIsCreatedWithBrowserContext() const { - return true; + return false; } 
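Review bot: AreFuturePoliciesEnabledByDefault now returns true on every path, so the `kTestType` branch kept above the change is redundant and the Stable/Beta distinction is gone. The new comment says future policies stay inactive without `kEnableExperimentalPolicies`, which reads as the opposite of the function name. Please confirm how the caller combines this return value with the allow-list and reword the comment to match, because if `true` means "no allow-list needed" every `future_on` policy becomes effective on release builds. Collapsing the body to a single documented `return true;` would make the intent clear.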
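Review bot: ShouldBuildServiceForProfile ignores its `profile` argument after this change, and ComputeAccountConsistencyMethod returns `kDisabled` from the Mirror and Dice branches alike, leaving the conditions in front of those returns as dead logic with only `// always disabled` as explanation. A short comment at each site saying that account consistency is disabled on purpose, and why the preceding checks are kept, would stop a later rebase from restoring `kMirror` or `kDice` by accident. The same applies to ServiceIsCreatedWithBrowserContext in account_consistency_mode_manager_factory.cc, which flips to `false` with no comment. ComputeAccountConsistencyMethod starts and ends outside the hunks shown.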
diff --git a/chrome/browser/signin/chrome_signin_client.cc b/chrome/browser/signin/chrome_signin_client.cc --- a/chrome/browser/signin/chrome_signin_client.cc +++ b/chrome/browser/signin/chrome_signin_client.cc @@ -130,7 +130,9 @@ void ChromeSigninClient::DoFinalInit() { bool ChromeSigninClient::ProfileAllowsSigninCookies(Profile* profile) { scoped_refptr cookie_settings = CookieSettingsFactory::GetForProfile(profile); - return signin::SettingsAllowSigninCookies(cookie_settings.get()); + // Make ChromeSigninClient compliant to SigninAllowed policy + bool cookiesAllowed = signin::SettingsAllowSigninCookies(cookie_settings.get()); + return cookiesAllowed && profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed); } PrefService* ChromeSigninClient::GetPrefs() { return profile_->GetPrefs(); } @@ -242,6 +244,9 @@ bool ChromeSigninClient::AreNetworkCallsDelayed() { } void ChromeSigninClient::DelayNetworkCall(base::OnceClosure callback) { + // Make ChromeSigninClient compliant to SigninAllowed policy + if (!AreSigninCookiesAllowed()) return; + wait_for_network_callback_helper_->DelayNetworkCall(std::move(callback)); } diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.cc b/chrome/browser/ui/webui/policy/policy_ui_handler.cc --- a/chrome/browser/ui/webui/policy/policy_ui_handler.cc +++ b/chrome/browser/ui/webui/policy/policy_ui_handler.cc @@ -22,6 +22,7 @@ #include "base/memory/raw_ptr.h" #include "base/memory/weak_ptr.h" #include "base/notreached.h" +#include "base/strings/string_split.h" #include "base/strings/utf_string_conversions.h" #include "base/task/task_traits.h" #include "base/task/thread_pool.h" 
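Review bot: DelayNetworkCall now returns without running or forwarding `callback` when sign-in cookies are not allowed, so any caller that waits for that closure never continues and nothing records that the call was dropped. If dropping is intended, say so in the comment and log it before the return, for example `VLOG(1) << "Sign-in disallowed, dropping delayed network call";`, and check that callers tolerate a closure that is destroyed unrun. In ProfileAllowsSigninCookies the local `cookiesAllowed` should be `cookies_allowed` to match the naming of `cookie_settings` next to it.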
@@ -64,6 +65,7 @@ #include "components/policy/core/common/policy_details.h" #include "components/policy/core/common/policy_logger.h" #include "components/policy/core/common/policy_pref_names.h" +#include "components/policy/core/common/policy_pref_names.h" #include "components/policy/core/common/policy_scheduler.h" #include "components/policy/core/common/policy_types.h" #include "components/policy/core/common/remote_commands/remote_commands_service.h" @@ -177,6 +179,10 @@ void PolicyUIHandler::RegisterMessages() { "exportPoliciesJSON", base::BindRepeating(&PolicyUIHandler::HandleExportPoliciesJson, base::Unretained(this))); + web_ui()->RegisterMessageCallback( + "setEnabledPolicy", + base::BindRepeating(&PolicyUIHandler::HandleSetEnabledPolicy, + base::Unretained(this))); web_ui()->RegisterMessageCallback( "listenPoliciesUpdates", base::BindRepeating(&PolicyUIHandler::HandleListenPoliciesUpdates, 
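Review bot: The added `#include "components/policy/core/common/policy_pref_names.h"` duplicates the context line directly above it, so this hunk has no effect and can be dropped. The new code in GetPolicyValues and HandleSetEnabledPolicy already gets `policy_prefs::kDisabledDefaultPoliciesList` through the existing include.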
@@ -424,8 +430,102 @@ void PolicyUIHandler::SendPolicies() { "policies-updated", base::Value( policy_value_and_status_aggregator_->GetAggregatedPolicyNames()), - base::Value( - policy_value_and_status_aggregator_->GetAggregatedPolicyValues())); + base::Value(GetPolicyValues())); +} + +base::Value::Dict PolicyUIHandler::GetPolicyValues() { + base::Value::Dict policy = + policy_value_and_status_aggregator_->GetAggregatedPolicyValues(); + base::Value::Dict* policy_values = + policy.FindDict(policy::kPolicyValuesKey); + DCHECK(policy_values); + + PrefService* local_state = g_browser_process->local_state(); + DCHECK(local_state); + + // get user disabled list from local state + std::string disabled_policies_pref = + local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList); + std::vector disabled_policies = + base::SplitString(disabled_policies_pref, ",", + base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); + + auto* root = policy_values->FindDict(policy::kChromePoliciesId); + if (root) { + auto* list = root->FindDict(policy::kPoliciesKey); + if (list) { + // for each policy check if is disabled by the user + for (const auto name : *list) { + bool disabled = base::Contains(disabled_policies, name.first); + name.second.GetDict().Set("disabled", base::Value(disabled)); + } + + // add disabled policies so user can enable them + for (const std::string& name : disabled_policies) { + base::Value::Dict value; + value.Set("disabled", base::Value(true)); + + // set with some value (only for the ui) + // see components/policy/core/browser/policy_conversions_client.cc + value.Set("value", base::Value(false)); + value.Set("scope", base::Value("machine")); + value.Set("level", base::Value("mandatory")); + value.Set("source", base::Value("sourceDefault")); + list->Set(name, std::move(value)); + } + } + } + return policy; +} + +void PolicyUIHandler::HandleSetEnabledPolicy( + const base::Value::List& args) { + CHECK_EQ(2u, args.size()); + const std::string policy_name 
= args[0].GetString(); + bool enabled = args[1].GetBool(); + + // Check if policy exists + base::Value::Dict policy = + policy_value_and_status_aggregator_->GetAggregatedPolicyValues(); + base::Value::Dict* policy_values = + policy.FindDict(policy::kPolicyValuesKey); + DCHECK(policy_values); + + bool exists = false; + auto* root = policy_values->FindDict(policy::kChromePoliciesId); + if (root && g_browser_process) { + auto* list = root->FindDict(policy::kPoliciesKey); + if (list) { + for (const auto name : *list) { + if (name.first == policy_name) { + exists = true; + break; + } + } + } + } + + PrefService* local_state = g_browser_process->local_state(); + DCHECK(local_state); + + // get user disabled list from local state + std::string disabled_policies_pref = + local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList); + std::vector disabled_policies = + base::SplitString(disabled_policies_pref, ",", + base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); + + // remove policy + base::EraseIf(disabled_policies, + [policy_name](const std::string& name) { return name == policy_name; }); + + // readd if exists and enabled + if (exists && !enabled) + disabled_policies.push_back(policy_name); + + // save current user disabled policy in local state + local_state->SetString(policy::policy_prefs::kDisabledDefaultPoliciesList, + base::JoinString(disabled_policies, ",")); } void PolicyUIHandler::SendStatus() { diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.h b/chrome/browser/ui/webui/policy/policy_ui_handler.h --- a/chrome/browser/ui/webui/policy/policy_ui_handler.h +++ b/chrome/browser/ui/webui/policy/policy_ui_handler.h 
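Review bot: Both new functions dereference `policy_values` after only a `DCHECK`, and HandleSetEnabledPolicy tests `g_browser_process` inside the existence check but then calls `g_browser_process->local_state()` unconditionally. In a release build a missing dictionary or browser process is therefore a null dereference in the browser process, reachable from a WebUI message. I would return early on the null cases and use the dictionary's own lookup instead of the manual loop, as sketched below for HandleSetEnabledPolicy; GetPolicyValues needs the same guard before `policy_values->FindDict`. Separately, the placeholder entry GetPolicyValues builds for a disabled policy always shows `value: false`, which is wrong for defaults such as `SyncDisabled` that Load() sets to `true`, so the comment there should say the displayed value is not the real default.

```cpp
void PolicyUIHandler::HandleSetEnabledPolicy(
    const base::Value::List& args) {
  // … unchanged: CHECK_EQ, policy_name / enabled extraction, GetAggregatedPolicyValues() …
  base::Value::Dict* policy_values =
      policy.FindDict(policy::kPolicyValuesKey);
  PrefService* local_state =
      g_browser_process ? g_browser_process->local_state() : nullptr;
  // DCHECK is compiled out in release builds, so bail out explicitly.
  if (!policy_values || !local_state)
    return;

  auto* root = policy_values->FindDict(policy::kChromePoliciesId);
  auto* list = root ? root->FindDict(policy::kPoliciesKey) : nullptr;
  const bool exists = list && list->contains(policy_name);
  // … unchanged: split of the stored list, erase, re-add and SetString …
```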
@@ -58,6 +58,8 @@ class PolicyUIHandler : public content::WebUIMessageHandler, private: void HandleExportPoliciesJson(const base::Value::List& args); + void HandleSetEnabledPolicy(const base::Value::List& args); + base::Value::Dict GetPolicyValues(); void HandleListenPoliciesUpdates(const base::Value::List& args); void HandleReloadPolicies(const base::Value::List& args); void HandleCopyPoliciesJson(const base::Value::List& args); diff --git a/components/commerce/core/commerce_feature_list.cc b/components/commerce/core/commerce_feature_list.cc --- a/components/commerce/core/commerce_feature_list.cc +++ b/components/commerce/core/commerce_feature_list.cc @@ -159,8 +159,8 @@ BASE_FEATURE(kCommercePriceTrackingChipExperiment, #if BUILDFLAG(IS_ANDROID) BASE_FEATURE(kCommercePriceTrackingRegionLaunched, - "CommercePriceTrackingRegionLaunched", - base::FEATURE_ENABLED_BY_DEFAULT); + "CommercePriceTrackingRegionLaunched", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default #else BASE_FEATURE(kCommercePriceTrackingRegionLaunched, "CommercePriceTrackingRegionLaunched", @@ -227,8 +227,8 @@ BASE_FEATURE(kShoppingList, "ShoppingList", base::FEATURE_DISABLED_BY_DEFAULT); #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || \ BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) BASE_FEATURE(kShoppingListRegionLaunched, - "ShoppingListRegionLaunched", - base::FEATURE_ENABLED_BY_DEFAULT); + "ShoppingListRegionLaunched", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default #else BASE_FEATURE(kShoppingListRegionLaunched, "ShoppingListRegionLaunched", 
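Review bot: Only the first definition in each `#if` pair is switched to `FEATURE_DISABLED_BY_DEFAULT`. The `#else` definitions of `kCommercePriceTrackingRegionLaunched` and `kShoppingListRegionLaunched` are untouched and their default is not visible in these hunks, so please confirm they are not enabled on the remaining platforms. The trailing `// disabled` and `// by default` comments only restate the argument, and in the later hunks they are the sole change for `kCommerceHintAndroid` and `kParcelTrackingRegionLaunched`, which were already disabled. One comment per feature stating the intent, for example `// Disabled by default in this build; do not re-enable on rebase.`, would be more useful.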
@@ -273,12 +273,12 @@ BASE_FEATURE(kDiscountConsentV2, base::FEATURE_ENABLED_BY_DEFAULT); BASE_FEATURE(kCommerceHintAndroid, - "CommerceHintAndroid", - base::FEATURE_DISABLED_BY_DEFAULT); + "CommerceHintAndroid", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default BASE_FEATURE(kMerchantWidePromotion, - "MerchantWidePromotion", - base::FEATURE_ENABLED_BY_DEFAULT); + "MerchantWidePromotion", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default BASE_FEATURE(kCodeBasedRBD, "CodeBasedRBD", base::FEATURE_ENABLED_BY_DEFAULT); @@ -287,11 +287,11 @@ BASE_FEATURE(kChromeCartDomBasedHeuristics, base::FEATURE_DISABLED_BY_DEFAULT); BASE_FEATURE(kParcelTracking, - "ParcelTracking", - base::FEATURE_ENABLED_BY_DEFAULT); + "ParcelTracking", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default BASE_FEATURE(kParcelTrackingRegionLaunched, - "ParcelTrackingRegionLaunched", - base::FEATURE_DISABLED_BY_DEFAULT); + "ParcelTrackingRegionLaunched", // disabled + base::FEATURE_DISABLED_BY_DEFAULT); // by default // Params for Discount Consent V2 in the NTP Cart module. const char kNtpChromeCartModuleDiscountConsentNtpVariationParam[] = diff --git a/components/policy/core/browser/browser_policy_connector.cc b/components/policy/core/browser/browser_policy_connector.cc --- a/components/policy/core/browser/browser_policy_connector.cc +++ b/components/policy/core/browser/browser_policy_connector.cc @@ -140,6 +140,9 @@ void BrowserPolicyConnector::RegisterPrefs(PrefRegistrySimple* registry) { CloudPolicyRefreshScheduler::kDefaultRefreshDelayMs); registry->RegisterBooleanPref( policy_prefs::kCloudManagementEnrollmentMandatory, false); + // register the pref for user disabled policies + registry->RegisterStringPref( + policy_prefs::kDisabledDefaultPoliciesList, std::string()); } } // namespace policy diff --git a/components/policy/core/common/command_line_policy_provider.cc b/components/policy/core/common/command_line_policy_provider.cc 
--- a/components/policy/core/common/command_line_policy_provider.cc +++ b/components/policy/core/common/command_line_policy_provider.cc @@ -23,6 +23,9 @@ std::unique_ptr CommandLinePolicyProvider::CreateIfAllowed( const base::CommandLine& command_line, version_info::Channel channel) { + if ((true)) + return base::WrapUnique(new CommandLinePolicyProvider(command_line)); + #if BUILDFLAG(IS_ANDROID) if (channel == version_info::Channel::STABLE || channel == version_info::Channel::BETA) { diff --git a/components/policy/core/common/policy_loader_command_line.cc b/components/policy/core/common/policy_loader_command_line.cc --- a/components/policy/core/common/policy_loader_command_line.cc +++ b/components/policy/core/common/policy_loader_command_line.cc @@ -11,6 +11,31 @@ #include "components/policy/core/common/policy_bundle.h" #include "components/policy/core/common/policy_switches.h" #include "components/policy/core/common/policy_types.h" +#include "base/strings/string_split.h" +#include "components/policy/core/common/policy_map.h" +#include "components/policy/core/common/policy_namespace.h" +#include "components/policy/policy_constants.h" + +#include "chrome/browser/preloading/preloading_prefs.h" +#include "chrome/browser/policy/browser_signin_policy_handler.h" + +namespace { + // adds the policy if the user has allowed it + void AddPolicy( + const std::vector& disabled_policies, + policy::PolicyMap& policy_map, + const std::string& policy_name, + base::Value value) { + + if (std::find(disabled_policies.begin(), disabled_policies.end(), policy_name) + == disabled_policies.end()) { + policy_map.Set(policy_name, + policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE, + policy::POLICY_SOURCE_COMMAND_LINE, + std::move(value), nullptr); + } + } +} namespace policy { 
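Review bot: The unconditional `if ((true)) return ...` at the top of CreateIfAllowed makes every check below it unreachable, including the Android Stable/Beta channel test visible in the context lines. It also leaves `channel` unused and gives no reason for removing the gate. Since the loader behind this provider still reads `--force-disable-policies` from the command line, please document that the provider is now created on all channels and what it may consume, for example `// Always created: it only supplies the built-in defaults, never --policy JSON.`. Deleting the dead checks would be clearer than hiding them behind the double-parenthesis idiom. The rest of the function lies outside the hunk.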
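Review bot: The two new includes `chrome/browser/preloading/preloading_prefs.h` and `chrome/browser/policy/browser_signin_policy_handler.h` pull `//chrome` headers into a `components/policy/core/common` source file, which inverts the usual layering and would normally be rejected by the dependency checks. The enum values they provide are only cast to integers later in Load(), so passing them in from the chrome layer or defining local constants would avoid the dependency. In AddPolicy, `std::find` is used although `<algorithm>` is not among the added includes; `base::Contains(disabled_policies, policy_name)` would match the style used in policy_ui_handler.cc.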
@@ -21,25 +46,108 @@ PolicyLoaderCommandLine::~PolicyLoaderCommandLine() = default; PolicyBundle PolicyLoaderCommandLine::Load() { PolicyBundle bundle; - if (!command_line_->HasSwitch(switches::kChromePolicy)) - return bundle; - auto policies = base::JSONReader::ReadAndReturnValueWithError( - command_line_->GetSwitchValueASCII(switches::kChromePolicy), - base::JSONParserOptions::JSON_ALLOW_TRAILING_COMMAS); + PolicyMap& policy_map = + bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); - if (!policies.has_value()) { - VLOG(1) << "Command line policy error: " << policies.error().message; - return bundle; - } - if (!policies->is_dict()) { - VLOG(1) << "Command line policy is not a dictionary"; - return bundle; - } + // get disabled policies + std::string disabled_policies = + command_line_->GetSwitchValueASCII(switches::kForceDisabledPolicies); + std::vector disabled_policies_list = + base::SplitString(disabled_policies, ",", + base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); + + // whitelist a future policy. 
+ base::Value::List enabled_future_policies; + + AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingEnabled, base::Value(false)); + AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingExtendedReportingEnabled, base::Value(false)); + + AddPolicy(disabled_policies_list, policy_map, policy::key::kScrollToTextFragmentEnabled, base::Value(false)); + +#if BUILDFLAG(IS_ANDROID) + AddPolicy(disabled_policies_list, policy_map, policy::key::kContextualSearchEnabled, base::Value(false)); +#endif + + AddPolicy(disabled_policies_list, policy_map, policy::key::kEnableMediaRouter, base::Value(false)); + + AddPolicy(disabled_policies_list, policy_map, policy::key::kUrlKeyedAnonymizedDataCollectionEnabled, base::Value(false)); + + AddPolicy(disabled_policies_list, policy_map, policy::key::kTranslateEnabled, base::Value(false)); + + AddPolicy(disabled_policies_list, policy_map, policy::key::kNetworkPredictionOptions, + base::Value(static_cast( + prefetch::NetworkPredictionOptions::kDisabled))); + + AddPolicy(disabled_policies_list, policy_map, policy::key::kBrowserSignin, + base::Value(static_cast( + policy::BrowserSigninMode::kDisabled))); + AddPolicy(disabled_policies_list, policy_map, policy::key::kSigninAllowed, base::Value(false)); + + // SyncDisabled need a change in policy_templates.json + // because is unofficially supported + // 1) remove future_on + // 2) add android supported_on + // and need some changes in code + // see https://bugs.chromium.org/p/chromium/issues/detail?id=1141797 + enabled_future_policies.Append(policy::key::kSyncDisabled); + AddPolicy(disabled_policies_list, policy_map, policy::key::kSyncDisabled, base::Value(true)); + + // MetricsReportingEnabled need a change in policy_templates.json + // because is unofficially supported + // 1) remove future_on + // 2) add android supported_on + // and need some changes in code + // set metrics::prefs::kMetricsReportingEnabled to false + // same of "Disable various metrics" 
patch + // and deactivate the ui under IsManagedPreference() + enabled_future_policies.Append(policy::key::kMetricsReportingEnabled); + AddPolicy(disabled_policies_list, policy_map, policy::key::kMetricsReportingEnabled, base::Value(false)); + + // Disable shopping list + AddPolicy(disabled_policies_list, policy_map, policy::key::kShoppingListEnabled, base::Value(false)); + +#if !BUILDFLAG(IS_ANDROID) + // Disable Google Search Side Panel + AddPolicy(disabled_policies_list, policy_map, policy::key::kGoogleSearchSidePanelEnabled, base::Value(false)); +#endif + + // Disable automatic https upgrade + AddPolicy(disabled_policies_list, policy_map, policy::key::kHttpsUpgradesEnabled, base::Value(false)); + + // Check RSA key usage for server certicates issued by local trust anchors + // Enforce TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 expects the digitalSignature key usage bit. + AddPolicy(disabled_policies_list, policy_map, policy::key::kRSAKeyUsageForLocalAnchorsEnabled, base::Value(true)); + + // Disable Insecure Handshake Hashes + AddPolicy(disabled_policies_list, policy_map, policy::key::kInsecureHashesInTLSHandshakesEnabled, base::Value(false)); + +#if !BUILDFLAG(IS_ANDROID) + AddPolicy(disabled_policies_list, policy_map, policy::key::kSideSearchEnabled, base::Value(false)); +#endif + + AddPolicy(disabled_policies_list, policy_map, policy::key::kBlockTruncatedCookies, base::Value(true)); + // kFirstPartySetsEnabled + // kLensCameraAssistedSearchEnabled + // kPasswordLeakDetectionEnabled + // kPasswordManagerEnabled + // kPromptForDownloadLocation + + // kAssistantWebEnabled + // BrowsingDataLifetime ?? 
+ // ClickToCallEnabled + // UrlParamFilterEnabled + // kSSLErrorOverrideAllowed + // kAdvancedProtectionAllowed + // kUserFeedbackAllowed + // DesktopSharingHubEnabled + // kSigninInterceptionEnabled + + policy_map.Set(policy::key::kEnableExperimentalPolicies, + policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE, + policy::POLICY_SOURCE_COMMAND_LINE, + base::Value(enabled_future_policies.Clone()), nullptr); - bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())) - .LoadFrom(policies->GetDict(), POLICY_LEVEL_MANDATORY, - POLICY_SCOPE_MACHINE, POLICY_SOURCE_COMMAND_LINE); return bundle; } diff --git a/components/policy/core/common/policy_pref_names.cc b/components/policy/core/common/policy_pref_names.cc --- a/components/policy/core/common/policy_pref_names.cc +++ b/components/policy/core/common/policy_pref_names.cc @@ -93,6 +93,9 @@ const char kReadAloudEnabled[] = "policy.read_aloud_enabled"; const char kUserAgentClientHintsGREASEUpdateEnabled[] = "policy.user_agent_client_hints_grease_update_enabled"; +const char kDisabledDefaultPoliciesList[] = + "policy.disabled_default_policies_list"; + // Boolean policy to allow isolated apps developer mode. const char kIsolatedAppsDeveloperModeAllowed[] = "policy.isolated_apps_developer_mode_allowed"; diff --git a/components/policy/core/common/policy_pref_names.h b/components/policy/core/common/policy_pref_names.h --- a/components/policy/core/common/policy_pref_names.h +++ b/components/policy/core/common/policy_pref_names.h @@ -50,6 +50,7 @@ extern const char kUrlAllowlist[]; extern const char kUserPolicyRefreshRate[]; extern const char kIntensiveWakeUpThrottlingEnabled[]; extern const char kUserAgentClientHintsGREASEUpdateEnabled[]; +extern const char kDisabledDefaultPoliciesList[]; #if BUILDFLAG(IS_ANDROID) extern const char kBackForwardCacheEnabled[]; extern const char kReadAloudEnabled[]; 
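Review bot: The disabled-policy list is split here with `base::KEEP_WHITESPACE`, while PolicyUIHandler splits the same stored string with `base::TRIM_WHITESPACE`. An entry with surrounding spaces therefore shows as disabled in chrome://policy but is still applied by AddPolicy's exact-match lookup; use `base::TRIM_WHITESPACE` in both places. The hunk also removes all parsing of the `--policy` switch without a comment, although the values are still tagged `POLICY_SOURCE_COMMAND_LINE`, so a header comment on Load() should state that only the built-in defaults are loaded. Entries such as `HttpsUpgradesEnabled`, `InsecureHashesInTLSHandshakesEnabled` and `BlockTruncatedCookies` change security behaviour rather than telemetry, so each deserves a one-line reason next to it. Note too that `kEnableExperimentalPolicies` still lists `SyncDisabled` and `MetricsReportingEnabled` even when the user has disabled them.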
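Review bot: `kDisabledDefaultPoliciesList` in policy_pref_names.cc is added without the descriptive comment that the neighbouring constant `kIsolatedAppsDeveloperModeAllowed` has, and its format is not obvious from the name. A line such as `// Comma-separated names of built-in default policies the user turned off in chrome://policy.` above the definition would document it. A list pref would avoid the hand-rolled split and join, but that is a larger change than this hunk.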
diff --git a/components/policy/core/common/policy_service_impl.cc b/components/policy/core/common/policy_service_impl.cc --- a/components/policy/core/common/policy_service_impl.cc +++ b/components/policy/core/common/policy_service_impl.cc @@ -47,6 +47,9 @@ namespace { // Metrics should not be enforced so if this policy is set as mandatory // downgrade it to a recommended level policy. void DowngradeMetricsReportingToRecommendedPolicy(PolicyMap* policies) { + // skip the change to 'Recommended' if the MetricsReportingEnabled + // policy is 'Mandatory'. + if ((true)) return; // Capture both the Chrome-only and device-level policies on Chrome OS. const std::vector metrics_keys = { #if BUILDFLAG(IS_CHROMEOS) diff --git a/components/policy/core/common/policy_switches.cc b/components/policy/core/common/policy_switches.cc --- a/components/policy/core/common/policy_switches.cc +++ b/components/policy/core/common/policy_switches.cc @@ -24,6 +24,8 @@ const char kChromePolicy[] = "policy"; // (go/crosman-file-storage-server) to upload log and support packet files. const char kFileStorageServerUploadUrl[] = "file-storage-server-upload-url"; +const char kForceDisabledPolicies[] = "force-disable-policies"; + #if BUILDFLAG(IS_CHROMEOS_ASH) // Disables the verification of policy signing keys. It just works on Chrome OS // test images and crashes otherwise. diff --git a/components/policy/core/common/policy_switches.h b/components/policy/core/common/policy_switches.h --- a/components/policy/core/common/policy_switches.h +++ b/components/policy/core/common/policy_switches.h @@ -19,6 +19,7 @@ extern const char kEncryptedReportingUrl[]; extern const char kChromePolicy[]; extern const char kSecureConnectApiUrl[]; extern const char kFileStorageServerUploadUrl[]; +extern const char kForceDisabledPolicies[]; #if BUILDFLAG(IS_CHROMEOS_ASH) extern const char kDisablePolicyKeyVerification[]; #endif // BUILDFLAG(IS_CHROMEOS_ASH) 
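Review bot: The added `if ((true)) return;` turns DowngradeMetricsReportingToRecommendedPolicy into a no-op, yet the comment above it describes a conditional skip ("if the MetricsReportingEnabled policy is 'Mandatory'") that the code never tests. Reword it to say the downgrade is disabled entirely, for example `// Downgrade disabled: a mandatory MetricsReportingEnabled policy must stay mandatory.`. Consider removing the unreachable body instead of hiding it behind the double-parenthesis idiom. The function body continues outside the hunk.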
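Review bot: `kForceDisabledPolicies` in policy_switches.cc has no comment, while the neighbouring switches visible in the context are documented, and its value `force-disable-policies` does not match the constant's name. A line such as `// Comma-separated list of built-in default policies that must not be applied.` would help. It should also mention that the switch is populated from Local State at startup.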
diff --git a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml --- a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml +++ b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml @@ -13,7 +13,6 @@ features: dynamic_refresh: true per_profile: true future_on: -- android - fuchsia items: - caption: Disable Chrome Sync @@ -30,6 +29,7 @@ supported_on: - chrome.*:8- - chrome_os:11- - ios:96- +- android:8- tags: - filtering - google-sharing diff --git a/components/policy/resources/webui/policy_row.html b/components/policy/resources/webui/policy_row.html --- a/components/policy/resources/webui/policy_row.html +++ b/components/policy/resources/webui/policy_row.html @@ -163,6 +163,7 @@ a {
+ diff --git a/components/policy/resources/webui/policy_row.ts b/components/policy/resources/webui/policy_row.ts --- a/components/policy/resources/webui/policy_row.ts +++ b/components/policy/resources/webui/policy_row.ts @@ -15,6 +15,7 @@ import {getTemplate} from './policy_row.html.js'; export interface Policy { ignored?: boolean; name: string; + disabled: boolean; level: string; link?: string; scope: string; @@ -56,6 +57,9 @@ export class PolicyRowElement extends CustomElement { const copy = this.shadowRoot!.querySelector('.copy-value'); copy!.addEventListener('click', () => this.copyValue_()); + const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); + enabledBox!.addEventListener('change', () => this.enabledChanged_()); + this.setAttribute('role', 'rowgroup'); this.classList.add('policy-data'); } @@ -94,6 +98,9 @@ export class PolicyRowElement extends CustomElement { this.toggleAttribute('no-help-link', true); } + const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); + enabledBox!.checked = !policy.disabled; + // Populate the remaining columns with policy scope, level and value if a // value has been set. Otherwise, leave them blank. if (!this.unset_) { @@ -226,6 +233,11 @@ export class PolicyRowElement extends CustomElement { } } + enabledChanged_() { + const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); + chrome.send('setEnabledPolicy', [this.policy.name, enabledBox.checked]); + } + // Copies the policy's value to the clipboard. private copyValue_() { const policyValueDisplay = diff --git a/components/policy_strings.grdp b/components/policy_strings.grdp --- a/components/policy_strings.grdp +++ b/components/policy_strings.grdp @@ -588,8 +588,8 @@ Additional details: Default - - Command line + + Bromite default Cloud diff --git a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc 
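Review bot: `enabledChanged_()` is declared without `private`, unlike `copyValue_()` just below it, and it reads `enabledBox.checked` without the non-null assertion used at the other two `querySelector('.enabled_box')` sites. Declaring it `private enabledChanged_()` and writing `enabledBox!.checked` keeps the three uses consistent. `disabled` is also added to `Policy` as a required field, so any code that builds a `Policy` without it would stop type-checking; `disabled?: boolean` is the safer declaration if such callers exist.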
--- a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc +++ b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc @@ -469,6 +469,8 @@ void GaiaCookieManagerService::RegisterPrefs(PrefRegistrySimple* registry) { } void GaiaCookieManagerService::InitCookieListener() { + // Make GaiaCookieManagerService compliant to SigninAllowed policy + if (!signin_client_->AreSigninCookiesAllowed()) return; DCHECK(!cookie_listener_receiver_.is_bound()); network::mojom::CookieManager* cookie_manager = @@ -891,6 +893,8 @@ void GaiaCookieManagerService::OnSetAccountsFinished( } void GaiaCookieManagerService::HandleNextRequest() { + // Make GaiaCookieManagerService compliant to SigninAllowed policy + if (!signin_client_->AreSigninCookiesAllowed()) requests_.clear(); VLOG(1) << "GaiaCookieManagerService::HandleNextRequest"; if (requests_.front().request_type() == GaiaCookieRequestType::LIST_ACCOUNTS) { diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc --- a/google_apis/gaia/gaia_auth_fetcher.cc +++ b/google_apis/gaia/gaia_auth_fetcher.cc @@ -482,6 +482,7 @@ void GaiaAuthFetcher::StartListAccounts() { } } })"); + LOG(INFO) << "---CreateAndStartGaiaFetcher"; CreateAndStartGaiaFetcher( " ", // To force an HTTP POST. kFormEncodedContentType, "Origin: https://www.google.com", -- 2.25.1
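Review bot: In HandleNextRequest the new line clears `requests_` and then falls through to `requests_.front()` two lines below, which is undefined behaviour on an empty container. Return after clearing: `if (!signin_client_->AreSigninCookiesAllowed()) { requests_.clear(); return; }`. Clearing also discards any completion callbacks held by the queued requests, so check whether callers wait on them. Neither HandleNextRequest nor InitCookieListener is fully visible in these hunks.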
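Review bot: `LOG(INFO) << "---CreateAndStartGaiaFetcher";` in StartListAccounts looks like leftover debugging output and would be written at INFO level on every ListAccounts request. Either remove it or change it to `VLOG(1) << "GaiaAuthFetcher::StartListAccounts";`, which matches the VLOG style visible in gaia_cookie_manager_service.cc.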