White-listing Chrome Remote Desktop to use the identity API in Public Session

chrome/browser/extensions/api/identity/identity_api.cc

Index: chrome/browser/extensions/api/identity/identity_api.cc
diff --git a/chrome/browser/extensions/api/identity/identity_api.cc b/chrome/browser/extensions/api/identity/identity_api.cc
index 9aa4d7f65d9e8d2a400f1074ce54f7197921774c..fd3e01b93fb521d531dcb97ef558a132fd3da049 100644
--- a/chrome/browser/extensions/api/identity/identity_api.cc
+++ b/chrome/browser/extensions/api/identity/identity_api.cc
@@ -72,6 +72,16 @@ namespace {
 static const char kChromiumDomainRedirectUrlPattern[] =
     "https://%s.chromiumapp.org/";
 
+#if defined(OS_CHROMEOS)
+// The list of apps that are allowed to use the Identity API to retrieve the
+// token from the device robot account in a public session.
+const char* const kPublicSessionAllowedOrigins[] = {
+    // Chrome Remote Desktop - Chromium branding.
+    "chrome-extension://ljacajndfccfgnfohlgkdphmbnpkjflk/",
+    // Chrome Remote Desktop - Official branding.
+    "chrome-extension://gbchcmhmhahfdphkhkmpfmihenigjmpp/"};
+#endif
+
 std::string GetPrimaryAccountId(content::BrowserContext* context) {
   SigninManagerBase* signin_manager =
       SigninManagerFactory::GetForProfile(Profile::FromBrowserContext(context));
@@ -371,8 +381,16 @@ bool IdentityGetAuthTokenFunction::RunAsync() {
 #if defined(OS_CHROMEOS)
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
-  if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() &&
-      connector->IsEnterpriseManaged()) {
+  bool is_kiosk = user_manager::UserManager::Get()->IsLoggedInAsKioskApp();
+  bool is_public_session =
+      user_manager::UserManager::Get()->IsLoggedInAsPublicAccount();
+
+  if (connector->IsEnterpriseManaged() && (is_kiosk || is_public_session)) {
+    if (is_public_session && !IsOriginWhitelistedInPublicSession()) {
+      CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
+      return true;
+    }
+
     StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
     return true;
   }
@@ -495,7 +513,13 @@ void IdentityGetAuthTokenFunction::StartMintToken(
       case IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND:
 #if defined(OS_CHROMEOS)
         // Always force minting token for ChromeOS kiosk app.
-        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp()) {
+        if (user_manager::UserManager::Get()->IsLoggedInAsPublicAccount() &&
+            !IsOriginWhitelistedInPublicSession()) {
+          return;

[Michael Courage, 2015/09/25 23:49:04]

What's the intended behavior here? Returning out here without setting an error,
or kicking off a token request will probably hang. I don't know if it's actually
possible to get to this line, but it seems kind of scary.

[kelvinp, 2015/09/28 22:02:58]

Done.

+        }
+
+        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() ||
+            user_manager::UserManager::Get()->IsLoggedInAsPublicAccount()) {
           gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE;
           policy::BrowserPolicyConnectorChromeOS* connector =
               g_browser_process->platform_part()
@@ -753,6 +777,18 @@ void IdentityGetAuthTokenFunction::StartDeviceLoginAccessTokenRequest() {
                             scopes,
                             this);
 }
+
+bool IdentityGetAuthTokenFunction::IsOriginWhitelistedInPublicSession() {
+  for (unsigned int i = 0; i < arraysize(kPublicSessionAllowedOrigins); i++) {
+    URLPattern allowed_origin(URLPattern::SCHEME_ALL,
+                              kPublicSessionAllowedOrigins[i]);
+    DCHECK(extension());
+    if (allowed_origin.MatchesSecurityOrigin(extension()->url())) {
+      return true;
+    }
+  }
+  return false;
+}
 #endif
 
 void IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest() {