Add support for multiple allowed domains

components/policy/resources/policy_templates.json

Index: components/policy/resources/policy_templates.json
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index f6bcad30db3133be483b27060a47d863881de158..786739ac54b0ae32257776c0bb51cf4720f47c87 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -139,7 +139,7 @@
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 360
+#   For your editing convenience: highest ID currently used: 362
 #   And don't forget to also update the EnterprisePolicies enum of
 #   histograms.xml.
 #
@@ -781,9 +781,39 @@
 
           If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain can connect to the host; for anytime remote access, only the host owner can connect.
 
+          This setting will not override RemoteAccessHostClientDomainList. If both are set, a client can only connect if accepted by both policies.
+
           See also RemoteAccessHostDomain.''',
         },
         {
+          'name': 'RemoteAccessHostClientDomainList',
+          'type': 'list',
+          'schema': {
+            'type': 'array',
+            'items': { 'type': 'string' },
+          },
+          'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
+          'id': 362,
+          'caption': '''Configure the required domain names for remote access clients''',
+          'tags': [],
+          'desc': '''Configures the required client domain names that will be imposed on remote access clients and prevents users from changing it.
+
+          This setting is similar to RemoteAccessHostClientDomain, but allows multiple allowed domains to be specified.
+
+          If this setting is enabled, then only clients from one of the specified domains can connect to the host.
+
+          If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain can connect to the host; for anytime remote access, only the host owner can connect.
+
+          This setting will not override RemoteAccessHostClientDomain. If both are set, a client can only connect if accepted by both policies.
+
+          See also RemoteAccessHostDomainList.''',
+        },
+        {
           'name': 'RemoteAccessHostFirewallTraversal',
           'type': 'main',
           'schema': { 'type': 'boolean' },
@@ -823,9 +853,39 @@
 
           If this setting is disabled or not set, then hosts can be shared using any account.
 
+          This setting will not override RemoteAccessHostDomainList. If both are set, a host can be shared by an account satisfying both policies.
+
           See also RemoteAccessHostClientDomain.''',
         },
         {
+          'name': 'RemoteAccessHostDomainList',

[Sergey Ulanov, 2017/02/10 22:25:13]

Instead of adding new policy can we just extend RemoteAccessHostDomain to allow
comma-separate list of domains?

Same question about RemoteAccessHostClientDomainList

[rkjnsn, 2017/02/11 00:50:11]

Personally, I don't like the idea of parsing our own list from a string field
when policies support list fields. We could do it, but I don't like it.

[Sergey Ulanov, 2017/02/11 01:03:48]

I agree it's not ideal, but having two policies for the same feature seems worse
(particularly because it greatly complicates the code that handles these
policies).

+          'type': 'list',
+          'schema': {
+            'type': 'array',
+            'items': {'type': 'string' },
+          },
+          'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': ['my-awesome-domain.com', 'my-auxiliary-domain.com'],
+          'id': 361,
+          'caption': '''Configure the required domain names for remote access hosts''',
+          'tags': [],
+          'desc': '''Configures the required host domain names that will be imposed on remote access hosts and prevents users from changing it.
+
+          This setting is similar to RemoteAccessHostDomain, but allows multiple allowed domains to be specified.
+
+          If this setting is enabled, then hosts can be shared only using accounts registered on one of the specified domain names.
+
+          If this setting is disabled or not set, then hosts can be shared using any account.
+
+          This setting will not override RemoteAccessHostDomain. If both are set, a host can be shared by an account satisfying both policies.
+
+          See also RemoteAccessHostClientDomainList.''',
+        },
+        {
           'name': 'RemoteAccessHostRequireTwoFactor',
           'type': 'main',
           'schema': { 'type': 'boolean' },