Add a SigninAllowed policy.

chrome/browser/signin/signin_tracker.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/signin_tracker.h"
 
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/signin_manager.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/signin/token_service.h"
@@ skipping 116 matching lines @@
   HandleServiceStateChange();
 }
 
 void SigninTracker::HandleServiceStateChange() {
   if (state_ != SERVICES_INITIALIZING) {
     // Ignore service updates until after our GAIA credentials are validated.
     return;
   }
 
   SigninManager* signin = SigninManagerFactory::GetForProfile(profile_);
-  if (signin->GetAuthenticatedUsername().empty()) {
+  if (signin->GetAuthenticatedUsername().empty() ||
+      !signin->IsSigninAllowed()) {

[sail, 2013/02/08 20:18:57]

This code doesn't make any sense. If sign in is now allowed then why would you
want to trigger a signin failure?

[Andrew T Wilson (Slow), 2013/02/08 20:33:11]

Because signin isn't allowed, so signin should fail?

In any case, we could probably skip this check since SigninManager will
SignOut() if SigninAllowed transitions to true during the signin process.

[Adrian Kuegel, 2013/02/11 16:47:30]

IsSigninAllowed returns true if signin is allowed. So here I check if signin is
not allowed, and if it is not allowed, a signin failure is triggered. This
should cover the case that the policy currently doesn't allow signin, but
somehow a user still was able to sign in. I am not sure if we could ever end up
in this path, so I removed it now.

     // User is signed out, trigger a signin failure.
     state_ = WAITING_FOR_GAIA_VALIDATION;
     observer_->SigninFailed(
         GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED));
     return;
   }
 
   // Wait until all of our services are logged in. For now this just means sync.
   // Long term, we should separate out service auth failures from the signin
   // process, but for the current UI flow we'll validate service signin status
   // also.
-  ProfileSyncService* service = profile_->IsSyncAccessible() ?
-      ProfileSyncServiceFactory::GetForProfile(profile_) : NULL;
+  ProfileSyncService* service =

[sail, 2013/02/08 20:18:57]

Why this change?

[Adrian Kuegel, 2013/02/11 16:47:30]

Sorry, that was a relict from an earlier version of this changelist, and I
forgot to change it back.

+      profile_->IsSyncAccessible() ?
+          ProfileSyncServiceFactory::GetForProfile(profile_) : NULL;
   if (service && service->waiting_for_auth()) {
     // Still waiting for an auth token to come in so stay in the INITIALIZING
     // state (we do this to avoid triggering an early signin error in the case
     // where there's a previous auth error in the sync service that hasn't
     // been cleared yet).
     return;
   }
 
   // If we haven't loaded all our service tokens yet, just exit (we'll be called
   // again when another token is loaded, or will transition to SigninFailed if
@@ skipping 29 matching lines @@
   // Don't care about the sync state if sync is disabled by policy.
   if (!profile->IsSyncAccessible())
     return true;
   ProfileSyncService* service =
       ProfileSyncServiceFactory::GetForProfile(profile);
   return (service->IsSyncEnabledAndLoggedIn() &&
           service->IsSyncTokenAvailable() &&
           service->GetAuthError().state() == GoogleServiceAuthError::NONE &&
           !service->HasUnrecoverableError());
 }