White-listing Chrome Remote Desktop to use the identity API in Public Session

chrome/browser/extensions/api/identity/identity_api.cc

Index: chrome/browser/extensions/api/identity/identity_api.cc
diff --git a/chrome/browser/extensions/api/identity/identity_api.cc b/chrome/browser/extensions/api/identity/identity_api.cc
index 9aa4d7f65d9e8d2a400f1074ce54f7197921774c..005d2069b6599c65f929b5863e6e045f3aa362a3 100644
--- a/chrome/browser/extensions/api/identity/identity_api.cc
+++ b/chrome/browser/extensions/api/identity/identity_api.cc
@@ -72,6 +72,16 @@ namespace {
 static const char kChromiumDomainRedirectUrlPattern[] =
     "https://%s.chromiumapp.org/";
 
+#if defined(OS_CHROMEOS)
+// The list of apps that are allowed to use the Identity API to retrieve the
+// token from the device robot account in a public session.
+const char* const kPublicSessionAllowedOrigins[] = {
+    // Chrome Remote Desktop - Chromium branding.
+    "chrome-extension://ljacajndfccfgnfohlgkdphmbnpkjflk/",
+    // Chrome Remote Desktop - Official branding.
+    "chrome-extension://gbchcmhmhahfdphkhkmpfmihenigjmpp/"};
+#endif
+
 std::string GetPrimaryAccountId(content::BrowserContext* context) {
   SigninManagerBase* signin_manager =
       SigninManagerFactory::GetForProfile(Profile::FromBrowserContext(context));
@@ -371,8 +381,16 @@ bool IdentityGetAuthTokenFunction::RunAsync() {
 #if defined(OS_CHROMEOS)
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
-  if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() &&
-      connector->IsEnterpriseManaged()) {
+  bool is_kiosk = user_manager::UserManager::Get()->IsLoggedInAsKioskApp();
+  bool is_public_session =
+      user_manager::UserManager::Get()->IsLoggedInAsPublicAccount();
+
+  if (connector->IsEnterpriseManaged() && (is_kiosk || is_public_session)) {
+    if (is_public_session && !IsOriginWhitelistedInPublicSession()) {
+      CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
+      return true;
+    }
+
     StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
     return true;
   }
@@ -495,7 +513,14 @@ void IdentityGetAuthTokenFunction::StartMintToken(
       case IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND:
 #if defined(OS_CHROMEOS)
         // Always force minting token for ChromeOS kiosk app.

[Andrew T Wilson (Slow), 2015/09/29 13:20:30]

Comment is out of date since we support public session apps too.

[kelvinp, 2015/09/29 18:08:50]

Done.

-        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp()) {
+        if (user_manager::UserManager::Get()->IsLoggedInAsPublicAccount() &&
+            !IsOriginWhitelistedInPublicSession()) {
+          CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
+          return;
+        }
+
+        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() ||
+            user_manager::UserManager::Get()->IsLoggedInAsPublicAccount()) {
           gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE;
           policy::BrowserPolicyConnectorChromeOS* connector =
               g_browser_process->platform_part()
@@ -753,6 +778,18 @@ void IdentityGetAuthTokenFunction::StartDeviceLoginAccessTokenRequest() {
                             scopes,
                             this);
 }
+
+bool IdentityGetAuthTokenFunction::IsOriginWhitelistedInPublicSession() {
+  for (unsigned int i = 0; i < arraysize(kPublicSessionAllowedOrigins); i++) {

[Andrew T Wilson (Slow), 2015/09/29 13:20:30]

nit: should i be size_t, not unsigned int? Also, we prefer ints over unsigned
ints wherever possible, so shouldn't use unsigned int here anyway since it's
prohibited by the style guide:
https://google-styleguide.googlecode.com/svn/trunk/cppguide.html#Integer_Types

[kelvinp, 2015/09/29 18:08:50]

Good catch.

+    URLPattern allowed_origin(URLPattern::SCHEME_ALL,
+                              kPublicSessionAllowedOrigins[i]);
+    DCHECK(extension());

[Andrew T Wilson (Slow), 2015/09/29 13:20:30]

Move this DCHECK outside the loop? And maybe also move construction of GURL
below outside the loop?

[kelvinp, 2015/09/29 18:08:49]

Done.

+    if (allowed_origin.MatchesSecurityOrigin(extension()->url())) {
+      return true;
+    }
+  }
+  return false;
+}
 #endif
 
 void IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest() {