Override SigninManager::SignOut if force-signin is enabled.

chrome/browser/signin/chrome_signin_client.cc

Index: chrome/browser/signin/chrome_signin_client.cc
diff --git a/chrome/browser/signin/chrome_signin_client.cc b/chrome/browser/signin/chrome_signin_client.cc
index f511232feaa28bda0f46822b30320ef4732eff3b..0925c6d21cd683bcba6388f2cf133fb2879f8c40 100644
--- a/chrome/browser/signin/chrome_signin_client.cc
+++ b/chrome/browser/signin/chrome_signin_client.cc
@@ -7,6 +7,7 @@
 #include <stddef.h>
 #include <utility>
 
+#include "base/bind.h"
 #include "base/command_line.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
@@ -21,9 +22,12 @@
 #include "chrome/browser/signin/local_auth.h"
 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
+#include "chrome/browser/ui/browser_list.h"
+#include "chrome/browser/ui/user_manager.h"
 #include "chrome/browser/web_data_service_factory.h"
 #include "chrome/common/channel_info.h"
 #include "chrome/common/features.h"
+#include "chrome/common/pref_names.h"
 #include "components/content_settings/core/browser/cookie_settings.h"
 #include "components/metrics/metrics_service.h"
 #include "components/prefs/pref_service.h"
@@ -53,11 +57,26 @@
 #include "chrome/browser/first_run/first_run.h"
 #endif
 
+namespace {
+
+bool IsForceSigninEnabled() {
+  PrefService* prefs = g_browser_process->local_state();
+  return prefs && prefs->GetBoolean(prefs::kForceBrowserSignin);
+}
+
+#if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+void OnCloseBrowsersAborted(const base::FilePath& path) {}
+#endif
+
+}  // namespace
+
 ChromeSigninClient::ChromeSigninClient(
-    Profile* profile, SigninErrorController* signin_error_controller)
+    Profile* profile,
+    SigninErrorController* signin_error_controller)
     : OAuth2TokenService::Consumer("chrome_signin_client"),
       profile_(profile),
-      signin_error_controller_(signin_error_controller) {
+      signin_error_controller_(signin_error_controller),
+      is_force_signin_enabled_(IsForceSigninEnabled()) {
   signin_error_controller_->AddObserver(this);
 #if !defined(OS_CHROMEOS)
   net::NetworkChangeNotifier::AddNetworkChangeObserver(this);
@@ -260,6 +279,22 @@ void ChromeSigninClient::PostSignedIn(const std::string& account_id,
 #endif
 }
 
+void ChromeSigninClient::PreSignOut(const base::Callback<void()>& sign_out) {
+#if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+  if (is_force_signin_enabled_ && !profile_->IsSystemProfile() &&
+      !profile_->IsGuestSession()) {
+    BrowserList::CloseAllBrowsersWithProfile(
+        profile_, base::Bind(&ChromeSigninClient::OnCloseBrowsersSuccess,
+                             base::Unretained(this), sign_out),
+        base::Bind(&OnCloseBrowsersAborted));
+  } else {
+#else
+  {
+#endif
+    SigninClient::PreSignOut(sign_out);
+  }
+}
+
 void ChromeSigninClient::OnErrorChanged() {
   // Some tests don't have a ProfileManager.
   if (g_browser_process->profile_manager() == nullptr)
@@ -385,3 +420,41 @@ void ChromeSigninClient::MaybeFetchSigninTokenHandle() {
   }
 #endif
 }
+
+void ChromeSigninClient::OnCredentialsBeingCopied() {
+  if (is_force_signin_enabled_)
+    // The signout after credential copy won't open UserManager after all
+    // browser window are closed. Because the browser window will be opened for
+    // the new profile soon.
+    is_user_manager_displayed_ = false;

[Roger Tawa OOO till Jul 10th, 2016/11/02 13:20:39]

Nit: since comment is below the if() statement, I'd put { and } around the
block.

[zmin, 2016/11/02 20:30:22]

Done.

+}
+
+void ChromeSigninClient::OnCloseBrowsersSuccess(
+    const base::Callback<void()>& sign_out,
+    const base::FilePath& profile_path) {
+  SigninClient::PreSignOut(sign_out);
+
+  // After sign out, lock the profile and show UserManager if necessary.
+  LockProfile(profile_path);
+  if (is_user_manager_displayed_) {
+    ShowUserManager(profile_path);
+  } else {
+    is_user_manager_displayed_ = true;

[Roger Tawa OOO till Jul 10th, 2016/11/02 13:20:39]

Maybe this member could be renamed should_display_user_manager_ ?

Why does it it need to be set at line 442?  I think  OnCredentialsBeingCopied()
can be called but OnCloseBrowsersSuccess() is not, like when aborted.  Would it
be better instead to set it somewhere else?

[zmin, 2016/11/02 20:30:22]

Done.

Good point. Because displaying UserManager is in the end of sign out process,
I'll just reset this flag in the abort callback as well.

+  }
+}
+
+void ChromeSigninClient::LockProfile(const base::FilePath& profile_path) {
+  ProfileAttributesEntry* entry;
+  bool has_entry = g_browser_process->profile_manager()
+                       ->GetProfileAttributesStorage()
+                       .GetProfileAttributesWithPath(profile_path, &entry);
+  DCHECK(has_entry);
+  entry->SetIsSigninRequired(true);
+}
+
+void ChromeSigninClient::ShowUserManager(const base::FilePath& profile_path) {
+#if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+  UserManager::Show(profile_path, profiles::USER_MANAGER_NO_TUTORIAL,
+                    profiles::USER_MANAGER_SELECT_PROFILE_NO_ACTION);
+#endif
+}