Added authorized install with a script to do the copy.

chrome/installer/mac/app/AuthorizedInstall.m

Index: chrome/installer/mac/app/AuthorizedInstall.m
diff --git a/chrome/installer/mac/app/AuthorizedInstall.m b/chrome/installer/mac/app/AuthorizedInstall.m
new file mode 100644
index 0000000000000000000000000000000000000000..61df2e9c09078ac13dedf3025ef997c6157fe863
--- /dev/null
+++ b/chrome/installer/mac/app/AuthorizedInstall.m
@@ -0,0 +1,79 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#import "AuthorizedInstall.h"
+
+// TODO: Move attemptAuthorizedInstall body into Unpacker method which will
+// provide
+// alternative in the case where authorization failed.
+void attemptAuthorizedInstall() {
+  NSString* toolPath =
+      [[NSBundle mainBundle] pathForResource:@"install" ofType:@"sh"];
+  NSFileManager* manager = [NSFileManager defaultManager];
+  if (![manager fileExistsAtPath:toolPath]) {
+    exit(1);

[Elly Fong-Jones, 2016/08/16 14:59:42]

that seems kind of abrupt? maybe we should signal an error here

[ivanhernandez, 2016/08/16 17:18:38]

Acknowledged.

+  }
+
+  NSString* appBundleName = @"Google Chrome.app";
+
+  NSArray* applicationDirectories = NSSearchPathForDirectoriesInDomains(
+      NSApplicationDirectory, NSLocalDomainMask, YES);
+  NSString* applicationDirectory = applicationDirectories.firstObject;
+
+  // TODO: Change sourceAppBundlePath to the temporary folder that chrome will
+  // be downloaded and extracted to.
+  NSArray* downloadDirectories = NSSearchPathForDirectoriesInDomains(
+      NSDownloadsDirectory, NSUserDomainMask, YES);
+  NSString* sourceAppBundlePath = [NSString
+      pathWithComponents:@[ downloadDirectories.firstObject, appBundleName ]];
+  NSString* destinationAppBundlePath =
+      [NSString pathWithComponents:@[ applicationDirectory, appBundleName ]];
+
+  const char* sourcePath = [sourceAppBundlePath UTF8String];
+  const char* destinationPath = [applicationDirectory UTF8String];
+  const char* fullDestinationPath = [destinationAppBundlePath UTF8String];
+  const char* args[] = {sourcePath, destinationPath, fullDestinationPath, NULL};
+
+  AuthorizationRef authRef;
+  OSStatus status;
+
+  if (attemptAuthorization(&authRef, &status)) {
+    authorizedMoveToApplications(&authRef, &status, [toolPath UTF8String],
+                                 args);
+    AuthorizationFree(authRef, kAuthorizationFlagDestroyRights);
+  } else {
+    // TODO: call on unauthorized install
+  }
+}
+
+// Does the setup needed to authorize a tool to run as admin.
+BOOL attemptAuthorization(AuthorizationRef* authRef, OSStatus* status) {
+  *status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
+                                kAuthorizationFlagDefaults, authRef);
+
+  AuthorizationItem items = {kAuthorizationRightExecute, 0, NULL, 0};
+  AuthorizationRights rights = {1, &items};
+  AuthorizationFlags flags =
+      kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed |
+      kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights;
+
+  *status = AuthorizationCopyRights(*authRef, &rights, NULL, flags, NULL);
+  return (*status == errAuthorizationSuccess);
+}
+
+BOOL authorizedMoveToApplications(AuthorizationRef* authRef,
+                                  OSStatus* status,
+                                  const char* toolPath,
+                                  const char** args) {
+  if (*status != errAuthorizationSuccess)
+    return false;
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+  *status = AuthorizationExecuteWithPrivileges(

[Elly Fong-Jones, 2016/08/16 14:59:42]

Hm - if this is deprecated, is there a newer, shinier way we should be using?

[Mark Mentovai, 2016/08/16 15:06:32]

Elly Jones wrote:
Ivan asked me about this. There isn’t a replacement that works for us.

+      *authRef, toolPath, kAuthorizationFlagDefaults, (char* const*)args, NULL);
+#pragma clang diagnostic pop
+
+  return (*status == errAuthorizationSuccess);
+}