White-listing Chrome Remote Desktop to use the identity API in Public Session

chrome/browser/extensions/api/identity/identity_apitest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "chrome/browser/chrome_notification_types.h"
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/login/users/mock_user_manager.h"
+#include "chrome/browser/chromeos/login/users/scoped_user_manager_enabler.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/stub_enterprise_install_attributes.h"
+#include "extensions/common/extension_builder.h"
+#endif
 #include "chrome/browser/extensions/api/identity/identity_api.h"
 #include "chrome/browser/extensions/component_loader.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/extensions/extension_browsertest.h"
 #include "chrome/browser/extensions/extension_function_test_utils.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/account_tracker_service_factory.h"
 #include "chrome/browser/signin/fake_gaia_cookie_manager_service.h"
 #include "chrome/browser/signin/fake_profile_oauth2_token_service_builder.h"
@@ skipping 308 matching lines @@
             GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS);
         OnGetTokenFailure(login_token_request_.get(), error);
       }
     } else {
       // Make a request to the token service. The test now must tell
       // the token service to issue an access token (or an error).
       IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest();
     }
   }
 
+#if defined(OS_CHROMEOS)
+  void StartDeviceLoginAccessTokenRequest() override {
+    StartLoginAccessTokenRequest();
+  }
+#endif
+
   void ShowLoginPopup() override {
     EXPECT_FALSE(login_ui_shown_);
     login_ui_shown_ = true;
     if (login_ui_result_)
       SigninSuccess();
     else
       SigninFailed();
   }
 
   void ShowOAuthApprovalDialog(const IssueAdviceInfo& issue_advice) override {
@@ skipping 1254 matching lines @@
   EXPECT_TRUE(value->GetAsString(&access_token));
   EXPECT_EQ(std::string(kAccessToken), access_token);
 
   const ExtensionTokenKey* token_key = func->GetExtensionTokenKeyForTest();
   EXPECT_EQ(3ul, token_key->scopes.size());
   EXPECT_TRUE(ContainsKey(token_key->scopes, "email"));
   EXPECT_TRUE(ContainsKey(token_key->scopes, "foo"));
   EXPECT_TRUE(ContainsKey(token_key->scopes, "bar"));
 }
 
+
+#if defined(OS_CHROMEOS)
+class GetAuthTokenFunctionPublicSessionTest : public GetAuthTokenFunctionTest {
+ public:
+  GetAuthTokenFunctionPublicSessionTest()
+      : user_manager_(new chromeos::MockUserManager) {}
+
+ protected:
+  void SetUpInProcessBrowserTestFixture() override {
+     GetAuthTokenFunctionTest::SetUpInProcessBrowserTestFixture();
+
+     // Set up the user manager to fake a public session.
+     EXPECT_CALL(*user_manager_, IsLoggedInAsKioskApp())
+         .WillRepeatedly(Return(false));
+     EXPECT_CALL(*user_manager_, IsLoggedInAsPublicAccount())
+         .WillRepeatedly(Return(true));
+
+    // Set up fake install attributes to make the device appeared as
+    // enterprise-managed.
+    scoped_ptr<policy::StubEnterpriseInstallAttributes> attributes(
+        new policy::StubEnterpriseInstallAttributes());
+    attributes->SetDomain("example.com");
+    attributes->SetRegistrationUser("user@example.com");
+    policy::BrowserPolicyConnectorChromeOS::SetInstallAttributesForTesting(
+        attributes.release());
+  }
+
+  scoped_refptr<Extension> CreateTestExtension(const std::string& id) {
+    return ExtensionBuilder()
+        .SetManifest(
+             DictionaryBuilder()
+                 .Set("name", "Test")
+                 .Set("version", "1.0")
+                 .Set(
+                     "oauth2",
+                     DictionaryBuilder()
+                         .Set("client_id", "clientId")
+                         .Set(
+                             "scopes",
+                             ListBuilder().Append("scope1"))))
+        .SetLocation(Manifest::UNPACKED)
+        .SetID(id)
+        .Build();
+  }
+
+  // Owned by |user_manager_enabler|.
+  chromeos::MockUserManager* user_manager_;
+};
+
+IN_PROC_BROWSER_TEST_F(GetAuthTokenFunctionPublicSessionTest, NonWhitelisted) {
+  // GetAuthToken() should return UserNotSignedIn in public sessions for
+  // non-whitelisted extensions.
+  chromeos::ScopedUserManagerEnabler user_manager_enabler(user_manager_);
+  scoped_refptr<FakeGetAuthTokenFunction> func(new FakeGetAuthTokenFunction());
+  func->set_extension(CreateTestExtension("test-id"));
+  std::string error = utils::RunFunctionAndReturnError(
+      func.get(), "[]", browser());
+  EXPECT_EQ(std::string(errors::kUserNotSignedIn), error);
+  EXPECT_FALSE(func->login_ui_shown());
+  EXPECT_FALSE(func->scope_ui_shown());
+}
+
+IN_PROC_BROWSER_TEST_F(GetAuthTokenFunctionPublicSessionTest, Whitelisted) {
+  // GetAuthToken() should return a token for whitelisted extensions.
+  chromeos::ScopedUserManagerEnabler user_manager_enabler(user_manager_);
+  scoped_refptr<FakeGetAuthTokenFunction> func(new FakeGetAuthTokenFunction());
+  func->set_extension(CreateTestExtension("ljacajndfccfgnfohlgkdphmbnpkjflk"));
+  func->set_mint_token_result(TestOAuth2MintTokenFlow::MINT_TOKEN_SUCCESS);
+  scoped_ptr<base::Value> value(
+      utils::RunFunctionAndReturnSingleResult(func.get(), "[{}]", browser()));
+  std::string access_token;
+  EXPECT_TRUE(value->GetAsString(&access_token));
+  EXPECT_EQ(std::string(kAccessToken), access_token);
+}
+
+#endif
+
+
 class RemoveCachedAuthTokenFunctionTest : public ExtensionBrowserTest {
  protected:
   bool InvalidateDefaultToken() {
     scoped_refptr<IdentityRemoveCachedAuthTokenFunction> func(
         new IdentityRemoveCachedAuthTokenFunction);
     func->set_extension(test_util::CreateEmptyExtension(kExtensionId).get());
     return utils::RunFunction(
         func.get(),
         std::string("[{\"token\": \"") + kAccessToken + "\"}]",
         browser(),
@@ skipping 210 matching lines @@
   EXPECT_EQ(std::string("https://abcdefghij.chromiumapp.org/callback#test"),
             url);
 }
 
 }  // namespace extensions
 
 // Tests the chrome.identity API implemented by custom JS bindings .
 IN_PROC_BROWSER_TEST_F(ExtensionApiTest, ChromeIdentityJsBindings) {
   ASSERT_TRUE(RunExtensionTest("identity/js_bindings")) << message_;
 }