signin: move SigninManagerBase::Signout to SigninManager.

chrome/browser/signin/signin_manager.cc

Index: chrome/browser/signin/signin_manager.cc
diff --git a/chrome/browser/signin/signin_manager.cc b/chrome/browser/signin/signin_manager.cc
index dc4f30fe4ec20414576e587f4e8ba458e92ded80..56d8d1510dd3ba7a69f83973c42e12e21028b23a 100644
--- a/chrome/browser/signin/signin_manager.cc
+++ b/chrome/browser/signin/signin_manager.cc
@@ -361,7 +361,116 @@ void SigninManager::SignOut() {
 
   ClearTransientSigninData();
   RevokeOAuthLoginToken();
-  SigninManagerBase::SignOut();
+
+  GoogleServiceSignoutDetails details(GetAuthenticatedUsername());
+  clear_authenticated_username();
+  profile_->GetPrefs()->ClearPref(prefs::kGoogleServicesUsername);
+
+  // Erase (now) stale information from AboutSigninInternals.
+  NotifyDiagnosticsObservers(USERNAME, "");
+  NotifyDiagnosticsObservers(LSID, "");
+  NotifyDiagnosticsObservers(
+      signin_internals_util::SID, "");
+
+  TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);

[Andrew T Wilson (Slow), 2013/05/06 09:06:00]

Maybe move this down to line 380 - no reason to grab it here before sending out
the notification.

[tim (not reviewing), 2013/05/06 17:28:57]

Done.

+  content::NotificationService::current()->Notify(
+      chrome::NOTIFICATION_GOOGLE_SIGNED_OUT,
+      content::Source<Profile>(profile_),
+      content::Details<const GoogleServiceSignoutDetails>(&details));
+  token_service->ResetCredentialsInMemory();
+  token_service->EraseTokensFromDB();
+}
+
+void SigninManager::Initialize(Profile* profile) {
+  SigninManagerBase::Initialize(profile);
+
+  // local_state can be null during unit tests.
+  PrefService* local_state = g_browser_process->local_state();
+  if (local_state) {
+    local_state_pref_registrar_.Init(local_state);
+    local_state_pref_registrar_.Add(
+        prefs::kGoogleServicesUsernamePattern,
+        base::Bind(&SigninManager::OnGoogleServicesUsernamePatternChanged,
+                   weak_pointer_factory_.GetWeakPtr()));
+  }
+  signin_allowed_.Init(prefs::kSigninAllowed, profile_->GetPrefs(),
+      base::Bind(&SigninManager::OnSigninAllowedPrefChanged,
+                 base::Unretained(this)));
+
+  std::string user = profile_->GetPrefs()->GetString(
+      prefs::kGoogleServicesUsername);
+  if ((!user.empty() && !IsAllowedUsername(user)) || !IsSigninAllowed()) {
+    // User is signed in, but the username is invalid - the administrator must
+    // have changed the policy since the last signin, so sign out the user.
+    SignOut();
+  }
+}
+
+void SigninManager::OnGoogleServicesUsernamePatternChanged() {
+  if (!GetAuthenticatedUsername().empty() &&
+      !IsAllowedUsername(GetAuthenticatedUsername())) {
+    // Signed in user is invalid according to the current policy so sign
+    // the user out.
+    SignOut();
+  }
+}
+
+bool SigninManager::IsSigninAllowed() const {
+  return signin_allowed_.GetValue();
+}
+
+// static
+bool SigninManager::IsSigninAllowedOnIOThread(ProfileIOData* io_data) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  return io_data->signin_allowed()->GetValue();
+}
+
+void SigninManager::OnSigninAllowedPrefChanged() {
+  if (!IsSigninAllowed())
+    SignOut();
+}
+
+// static
+bool SigninManager::IsUsernameAllowedByPolicy(const std::string& username,
+                                              const std::string& policy) {
+  if (policy.empty())
+    return true;
+
+  // Patterns like "*@foo.com" are not accepted by our regex engine (since they
+  // are not valid regular expressions - they should instead be ".*@foo.com").
+  // For convenience, detect these patterns and insert a "." character at the
+  // front.
+  string16 pattern = UTF8ToUTF16(policy);
+  if (pattern[0] == L'*')
+    pattern.insert(pattern.begin(), L'.');
+
+  // See if the username matches the policy-provided pattern.
+  UErrorCode status = U_ZERO_ERROR;
+  const icu::UnicodeString icu_pattern(pattern.data(), pattern.length());
+  icu::RegexMatcher matcher(icu_pattern, UREGEX_CASE_INSENSITIVE, status);
+  if (!U_SUCCESS(status)) {
+    LOG(ERROR) << "Invalid login regex: " << pattern << ", status: " << status;
+    // If an invalid pattern is provided, then prohibit *all* logins (better to
+    // break signin than to quietly allow users to sign in).
+    return false;
+  }
+  string16 username16 = UTF8ToUTF16(username);
+  icu::UnicodeString icu_input(username16.data(), username16.length());
+  matcher.reset(icu_input);
+  status = U_ZERO_ERROR;
+  UBool match = matcher.matches(status);
+  DCHECK(U_SUCCESS(status));
+  return !!match;  // !! == convert from UBool to bool.
+}
+
+bool SigninManager::IsAllowedUsername(const std::string& username) const {
+  PrefService* local_state = g_browser_process->local_state();
+  if (!local_state)
+    return true; // In a unit test with no local state - all names are allowed.
+
+  std::string pattern = local_state->GetString(
+      prefs::kGoogleServicesUsernamePattern);
+  return IsUsernameAllowedByPolicy(username, pattern);
 }
 
 void SigninManager::RevokeOAuthLoginToken() {