Supervised Users Initiated Installs v2

chrome/browser/supervised_user/supervised_user_service.h

Index: chrome/browser/supervised_user/supervised_user_service.h
diff --git a/chrome/browser/supervised_user/supervised_user_service.h b/chrome/browser/supervised_user/supervised_user_service.h
index 8e93e7576efa31e5e2a529401eb1d559d8a2536a..720fab329163a6c44a89d3804acaf642b051a94f 100644
--- a/chrome/browser/supervised_user/supervised_user_service.h
+++ b/chrome/browser/supervised_user/supervised_user_service.h
@@ -125,6 +125,15 @@ class SupervisedUserService : public KeyedService,
   // inappropriate URL.
   void ReportURL(const GURL& url, const SuccessCallback& callback);
 
+  // Adds an install request for the given WebStore item (App/Extension).
+  void AddExtensionInstallRequest(const std::string& extension_id,
+                                  const base::Version& version,
+                                  const SuccessCallback& callback);
+
+  // Same as above, but without a callback, just logging errors on failure.
+  void AddExtensionInstallRequest(const std::string& extension_id,
+                                  const base::Version& version);
+
   // Adds an update request for the given WebStore item (App/Extension).
   void AddExtensionUpdateRequest(const std::string& extension_id,
                                  const base::Version& version,
@@ -134,11 +143,10 @@ class SupervisedUserService : public KeyedService,
   void AddExtensionUpdateRequest(const std::string& extension_id,
                                  const base::Version& version);
 
-  // Get the string used to identify an extension update request. Public for
-  // testing.
-  static std::string GetExtensionUpdateRequestId(
-      const std::string& extension_id,
-      const base::Version& version);
+  // Get the string used to identify an extension install or update request.
+  // Public for testing.
+  static std::string GetExtensionRequestId(const std::string& extension_id,
+                                           const base::Version& version);
 
   // Returns the email address of the custodian.
   std::string GetCustodianEmailAddress() const;
@@ -214,8 +222,17 @@ class SupervisedUserService : public KeyedService,
   friend class SupervisedUserServiceFactory;
   FRIEND_TEST_ALL_PREFIXES(SingleClientSupervisedUserSettingsSyncTest, Sanity);
   FRIEND_TEST_ALL_PREFIXES(SupervisedUserServiceTest, ClearOmitOnRegistration);
-  FRIEND_TEST_ALL_PREFIXES(SupervisedUserServiceExtensionTest,
-                           ExtensionManagementPolicyProvider);
+  FRIEND_TEST_ALL_PREFIXES(SupervisedUserServiceTest,
+                           ChangesIncludedSessionOnChangedSettings);
+  FRIEND_TEST_ALL_PREFIXES(SupervisedUserServiceTest,
+                           ChangesSyncSessionStateOnChangedSettings);

[Marc Treib, 2016/05/24 09:54:58]

Any reason for adding these unrelated tests here?

[mamir, 2016/06/03 09:45:55]

Nop :-)
I think they came here during a rebase.

+  FRIEND_TEST_ALL_PREFIXES(
+      SupervisedUserServiceExtensionTest,
+      ExtensionManagementPolicyProviderWithDisabledSUInitiatedInstalls);
+  FRIEND_TEST_ALL_PREFIXES(
+      SupervisedUserServiceExtensionTest,
+      ExtensionManagementPolicyProviderWithEnabledSUInitiatedInstalls);
+
 
   using CreatePermissionRequestCallback =
       base::Callback<void(PermissionRequestCreator*, const SuccessCallback&)>;
@@ -297,6 +314,24 @@ class SupervisedUserService : public KeyedService,
                              base::string16* error) const override;
   bool MustRemainInstalled(const extensions::Extension* extension,
                            base::string16* error) const override;
+  bool MustRemainDisabled(const extensions::Extension* extension,
+                          extensions::Extension::DisableReason* reason,
+                          base::string16* error) const override;
+
+  // An extension can be in one of the following states:
+  //
+  // FORCED: if it is installed by the custodian.
+  // REQUIRE_APPROVAL: if it is installed by the supervised user and
+  //    hasn't been approved by the custodian yet.
+  // ALLOWED: Components, Themes, Default extensions ..etc
+  //    are generally allowed.  Extensions that have been approved by the
+  //    custodian are also allowed.
+  // BLOCKED: Extension is blocked if it is not ALLOWED or FORCED

[Marc Treib, 2016/05/24 09:54:58]

remove "Extension is blocked" to be consistent with the other case descriptions

[mamir, 2016/06/03 09:45:55]

Done.

+  //    and supervised users initiated installs are disabled.
+  enum class ExtensionState { FORCED, BLOCKED, ALLOWED, REQUIRE_APPROVAL };
+
+  ExtensionState GetExtensionState(
+      const extensions::Extension& extension) const;
 
   // Extensions helper to SetActive().
   void SetExtensionsActive();
@@ -352,6 +387,10 @@ class SupervisedUserService : public KeyedService,
   // corresponding preference is changed.
   void UpdateManualURLs();
 
+  // Updates the map of approved extensions when the corresponding preference
+  // is changed.
+  void UpdateApprovedExtensions();
+
   // Returns the human readable name of the supervised user.
   std::string GetSupervisedUserName() const;
 
@@ -388,6 +427,9 @@ class SupervisedUserService : public KeyedService,
 
   URLFilterContext url_filter_context_;
 
+  // Stores a map from extension_id -> latest approved version by the custodian.

[Marc Treib, 2016/05/24 09:54:58]

It's not really *latest* approved version, but rather exact approved version,
right?
Is the version here ever updated? What about extension updates that don't add
new permissions?
Also it's only relevant for SU-initiated installs.

[mamir, 2016/06/06 15:01:36]

Done.

+  std::map<std::string, base::Version> approved_extensions_map_;
+
   enum class BlacklistLoadState {
     NOT_LOADED,
     LOAD_STARTED,