Enable client certificate patterns in device ONC policy

chrome/browser/chromeos/enrollment_dialog_view.cc

Index: chrome/browser/chromeos/enrollment_dialog_view.cc
diff --git a/chrome/browser/chromeos/enrollment_dialog_view.cc b/chrome/browser/chromeos/enrollment_dialog_view.cc
index 33f3af5a4bfdb2e073d95eb3517c9a7d5c812f09..0fdf43cd819df528a95029be7db92cb538a7aeff 100644
--- a/chrome/browser/chromeos/enrollment_dialog_view.cc
+++ b/chrome/browser/chromeos/enrollment_dialog_view.cc
@@ -16,6 +16,7 @@
 #include "chrome/browser/ui/browser_navigator.h"
 #include "chrome/browser/ui/browser_navigator_params.h"
 #include "chrome/grit/generated_resources.h"
+#include "chromeos/login/login_state.h"
 #include "chromeos/network/client_cert_util.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
@@ -251,6 +252,37 @@ void EnrollmentComplete(const std::string& network_id) {
   NET_LOG_USER("Enrollment Complete", network_id);
 }
 
+// Decides if the enrollment dialog is allowed in the current login state.
+bool EnrollmentDialogAllowed(Profile* profile) {
+  // Enrollment dialog is currently not supported on the sign-in profile.
+  // This also applies to lock screen,
+  if (ProfileHelper::IsSigninProfile(profile))
+    return false;
+
+  chromeos::LoginState::LoggedInUserType user_type =
+      LoginState::Get()->GetLoggedInUserType();
+  switch (user_type) {
+    case LoginState::LOGGED_IN_USER_NONE:
+      return false;
+    case LoginState::LOGGED_IN_USER_REGULAR:
+      return true;
+    case LoginState::LOGGED_IN_USER_OWNER:
+      return true;
+    case LoginState::LOGGED_IN_USER_GUEST:
+      return true;
+    case LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT:
+      return false;
+    case LoginState::LOGGED_IN_USER_SUPERVISED:
+      return true;
+    case LoginState::LOGGED_IN_USER_KIOSK_APP:
+      return false;
+    case LoginState::LOGGED_IN_USER_ARC_KIOSK_APP:
+      return false;
+  }
+  NOTREACHED();
+  return false;
+}
+
 }  // namespace
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -270,6 +302,8 @@ bool CreateEnrollmentDialog(const std::string& network_id,
   Browser* browser = chrome::FindBrowserWithWindow(owning_window);
   Profile* profile =
       browser ? browser->profile() : ProfileManager::GetPrimaryUserProfile();
+  if (!EnrollmentDialogAllowed(profile))
+    return false;
   std::string username_hash = ProfileHelper::GetUserIdHashFromProfile(profile);
 
   onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;
@@ -278,14 +312,11 @@ bool CreateEnrollmentDialog(const std::string& network_id,
           ->managed_network_configuration_handler()
           ->FindPolicyByGUID(username_hash, network_id, &onc_source);
 
-  // We skip certificate patterns for device policy ONC so that an unmanaged
-  // user can't get to the place where a cert is presented for them
-  // involuntarily.
-  if (!policy || onc_source == onc::ONC_SOURCE_DEVICE_POLICY)
+  if (!policy)
     return false;
 
   client_cert::ClientCertConfig cert_config;
-  OncToClientCertConfig(*policy, &cert_config);
+  OncToClientCertConfig(onc_source, *policy, &cert_config);
 
   if (cert_config.client_cert_type != onc::client_cert::kPattern)
     return false;