Add a SigninAllowed policy.

chrome/browser/signin/signin_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/signin_manager.h"
 
 #include <string>
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "base/string_split.h"
 #include "base/string_util.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/content_settings/cookie_settings.h"
 #include "chrome/browser/prefs/pref_service.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/profiles/profile_io_data.h"
 #include "chrome/browser/signin/about_signin_internals.h"
 #include "chrome/browser/signin/about_signin_internals_factory.h"
 #include "chrome/browser/signin/signin_global_error.h"
 #include "chrome/browser/signin/signin_internals_util.h"
 #include "chrome/browser/signin/token_service.h"
 #include "chrome/browser/signin/token_service_factory.h"
 #include "chrome/browser/sync/profile_sync_service.h"
 #include "chrome/browser/ui/global_error/global_error_service.h"
 #include "chrome/browser/ui/global_error/global_error_service_factory.h"
 #include "chrome/common/chrome_notification_types.h"
@@ skipping 173 matching lines @@
       signin_global_error_.get());
   PrefService* local_state = g_browser_process->local_state();
   // local_state can be null during unit tests.
   if (local_state) {
     local_state_pref_registrar_.Init(local_state);
     local_state_pref_registrar_.Add(
         prefs::kGoogleServicesUsernamePattern,
         base::Bind(&SigninManager::OnGoogleServicesUsernamePatternChanged,
                    base::Unretained(this)));
   }
+  signin_allowed_.Init(prefs::kSigninAllowed, profile_->GetPrefs(),
+                       base::Bind(&SigninManager::OnSigninAllowedPrefChanged,
+                                  base::Unretained(this)));
 
   // If the user is clearing the token service from the command line, then
   // clear their login info also (not valid to be logged in without any
   // tokens).
   CommandLine* cmd_line = CommandLine::ForCurrentProcess();
   if (cmd_line->HasSwitch(switches::kClearTokenService))
     profile->GetPrefs()->ClearPref(prefs::kGoogleServicesUsername);
 
   std::string user = profile_->GetPrefs()->GetString(
       prefs::kGoogleServicesUsername);
   if (!user.empty())
     SetAuthenticatedUsername(user);
   // TokenService can be null for unit tests.
   TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
   if (token_service) {
     token_service->Initialize(GaiaConstants::kChromeSource, profile_);
     // ChromeOS will kick off TokenService::LoadTokensFromDB from
     // OAuthLoginManager once the rest of the Profile is fully initialized.
     // Starting it from here would cause OAuthLoginManager mismatch the origin
     // of OAuth2 tokens.
 #if !defined(OS_CHROMEOS)
     if (!authenticated_username_.empty()) {
       token_service->LoadTokensFromDB();
     }
 #endif
   }
-  if (!user.empty() && !IsAllowedUsername(user)) {
+  if ((!user.empty() && !IsAllowedUsername(user)) || !IsSigninAllowed()) {
     // User is signed in, but the username is invalid - the administrator must
     // have changed the policy since the last signin, so sign out the user.
     SignOut();
   }
 }
 
 bool SigninManager::IsInitialized() const {
   return profile_ != NULL;
 }
 
 bool SigninManager::IsAllowedUsername(const std::string& username) const {
   PrefService* local_state = g_browser_process->local_state();
   if (!local_state)
     return true; // In a unit test with no local state - all names are allowed.
 
   std::string pattern = local_state->GetString(
       prefs::kGoogleServicesUsernamePattern);
   return IsAllowedUsername(username, pattern);
 }
 
+bool SigninManager::IsSigninAllowed() const {
+  return signin_allowed_.GetValue();
+}
+
+// static
+bool SigninManager::IsSigninAllowedOnIOThread(ProfileIOData* io_data) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  return io_data->signin_allowed()->GetValue();
+}
+
 void SigninManager::CleanupNotificationRegistration() {
 #if !defined(OS_CHROMEOS)
   content::Source<TokenService> token_service(
       TokenServiceFactory::GetForProfile(profile_));
   if (registrar_.IsRegistered(this,
                               chrome::NOTIFICATION_TOKEN_AVAILABLE,
                               token_service)) {
     registrar_.Remove(this,
                       chrome::NOTIFICATION_TOKEN_AVAILABLE,
                       token_service);
@@ skipping 470 matching lines @@
 
 void SigninManager::OnGoogleServicesUsernamePatternChanged() {
   if (!authenticated_username_.empty() &&
       !IsAllowedUsername(authenticated_username_)) {
     // Signed in user is invalid according to the current policy so sign
     // the user out.
     SignOut();
   }
 }
 
+void SigninManager::OnSigninAllowedPrefChanged() {
+  if (!IsSigninAllowed())
+    SignOut();
+}
+
 void SigninManager::AddSigninDiagnosticsObserver(
     SigninDiagnosticsObserver* observer) {
   signin_diagnostics_observers_.AddObserver(observer);
 }
 
 void SigninManager::RemoveSigninDiagnosticsObserver(
     SigninDiagnosticsObserver* observer) {
   signin_diagnostics_observers_.RemoveObserver(observer);
 }
 
 void SigninManager::NotifyDiagnosticsObservers(
     const UntimedSigninStatusField& field,
     const std::string& value) {
   FOR_EACH_OBSERVER(SigninDiagnosticsObserver,
                     signin_diagnostics_observers_,
                     NotifySigninValueChanged(field, value));
 }
 
 void SigninManager::NotifyDiagnosticsObservers(
     const TimedSigninStatusField& field,
     const std::string& value) {
   FOR_EACH_OBSERVER(SigninDiagnosticsObserver,
                     signin_diagnostics_observers_,
                     NotifySigninValueChanged(field, value));
 }