Sign out profile when local_state file has been changed.

chrome/browser/profiles/profile_manager.cc

Index: chrome/browser/profiles/profile_manager.cc
diff --git a/chrome/browser/profiles/profile_manager.cc b/chrome/browser/profiles/profile_manager.cc
index 41aca8d675d178de5c471fb8df4a030129da7654..4643f50c7906d5666ef7d3c627d5ddfc5b050cee 100644
--- a/chrome/browser/profiles/profile_manager.cc
+++ b/chrome/browser/profiles/profile_manager.cc
@@ -51,6 +51,7 @@
 #include "chrome/browser/signin/account_tracker_service_factory.h"
 #include "chrome/browser/signin/gaia_cookie_manager_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
+#include "chrome/browser/signin/signin_util.h"
 #include "chrome/browser/sync/profile_sync_service_factory.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_finder.h"
@@ -336,6 +337,14 @@ bool IsProfileEphemeral(ProfileAttributesStorage* storage,
 }
 #endif
 
+#if !defined(OS_ANDROID) && !defined(OS_IOS) && !defined(OS_CHROMEOS)
+void SignOut(SigninManager* signin_manager) {
+  signin_manager->SignOut(
+      signin_metrics::AUTHENTICATION_FAILED_WITH_FORCE_SIGNIN,
+      signin_metrics::SignoutDelete::IGNORE_METRIC);
+}
+#endif
+
 }  // namespace
 
 ProfileManager::ProfileManager(const base::FilePath& user_data_dir)
@@ -1564,8 +1573,21 @@ void ProfileManager::AddProfileToStorage(Profile* profile) {
     bool has_entry = storage.GetProfileAttributesWithPath(profile->GetPath(),
                                                           &entry);
     if (has_entry) {
+#if !defined(OS_ANDROID) && !defined(OS_IOS) && !defined(OS_CHROMEOS)
+      bool was_authenticated_status = entry->IsAuthenticated();

[anthonyvd, 2017/03/13 18:47:30]

Can you move this 4 lines down to only have a single #if block?

[zmin, 2017/03/13 18:54:55]

Sign out only happened iff the authenticated state is True on local_state and
False on profile. So it have to be done before SetAuthInfo. 

Adding the #if here to avoid "never used variable" Compiler warning msg.

[anthonyvd, 2017/03/13 18:57:06]

Ah ok I see, SetAuthInfo() might change what IsAuthenticated() returns. Gotcha!

+#endif
       // The ProfileAttributesStorage's info must match the Signin Manager.
       entry->SetAuthInfo(account_info.gaia, username);
+#if !defined(OS_ANDROID) && !defined(OS_IOS) && !defined(OS_CHROMEOS)
+      // Sign out if force-sign-in policy is enabled and profile is not signed
+      // in.
+      if (signin_util::IsForceSigninEnabled() && was_authenticated_status &&
+          !entry->IsAuthenticated()) {
+        BrowserThread::PostTask(
+            BrowserThread::UI, FROM_HERE,
+            base::Bind(&SignOut, static_cast<SigninManager*>(signin_manager)));
+      }
+#endif
       return;
     }
   }