DLP: CheckIfLaunchAllowed implementation

- Added the implementation details of DlpFilesController::CheckIfLaunchAllowed to block apps according
to their types.
- Arc, Plugin_VM, and Crostini should be restricted if
the corresponding component is restricted.
- Chrome apps should be restricted if chrome-extension://<extension-id>
is set to be restricted.
- Web app should be blocked if the publisher url is set to be restricted.

BUG=1362527, 1378653

Change-Id: Ie88c4729d7c5c42d67c5e616d4cc63f96b4a4294
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3926161
Reviewed-by: Tim Sergeant <tsergeant@chromium.org>
Commit-Queue: Tim Sergeant <tsergeant@chromium.org>
Reviewed-by: Sergey Poromov <poromov@chromium.org>
Auto-Submit: Aya Elsayed <ayaelattar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1070006}

chrome/browser/apps/app_service/app_service_proxy_ash.cc

@@ -321,8 +321,14 @@ void AppServiceProxyAsh::LaunchAppWithIntent(const std::string& app_id,
 
   policy::DlpFilesController* files_controller = GetDlpFilesController();
   if (files_controller) {
-    files_controller->CheckIfLaunchAllowed(app_id, std::move(intent_copy),
-                                           std::move(launch_callback));
+    auto app_found = app_registry_cache_.ForOneApp(
+        app_id, [&files_controller, &intent_copy,
+                 &launch_callback](const apps::AppUpdate& update) {
+          files_controller->CheckIfLaunchAllowed(update, std::move(intent_copy),
+                                                 std::move(launch_callback));
+        });
+    if (!app_found)
+      std::move(launch_callback).Run(/*is_allowed=*/true);
   } else {
     std::move(launch_callback).Run(/*is_allowed=*/true);
   }

chrome/browser/ash/policy/dlp/dlp_files_controller.cc

@@ -23,7 +23,9 @@
 #include "base/functional/bind.h"
 #include "base/logging.h"
 #include "base/ranges/algorithm.h"
+#include "base/strings/strcat.h"
 #include "base/time/time.h"
+#include "chrome/browser/apps/app_service/file_utils.h"
 #include "chrome/browser/ash/drive/drive_integration_service.h"
 #include "chrome/browser/ash/extensions/file_manager/system_notification_manager.h"
 #include "chrome/browser/ash/file_manager/fileapi_util.h"
@@ -43,9 +45,11 @@
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chromeos/dbus/dlp/dlp_client.h"
 #include "chromeos/dbus/dlp/dlp_service.pb.h"
+#include "chromeos/ui/base/file_icon_util.h"
 #include "components/strings/grit/components_strings.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/browser_thread.h"
+#include "extensions/common/constants.h"
 #include "storage/browser/file_system/file_system_context.h"
 #include "storage/browser/file_system/file_system_url.h"
 #include "storage/browser/file_system/recursive_operation_delegate.h"
@@ -578,11 +582,58 @@ void DlpFilesController::CheckIfDownloadAllowed(
 }
 
 void DlpFilesController::CheckIfLaunchAllowed(
-    const std::string& app_id,
+    const apps::AppUpdate& app_update,
     apps::IntentPtr intent,
     CheckIfLaunchAllowedCallback result_callback) {
-  // TODO(crbug.com/1362527): Add implementation details.
-  std::move(result_callback).Run(true);
+  if (intent->files.empty()) {
+    std::move(result_callback).Run(/*is_allowed=*/true);
+    return;
+  }
+  auto* profile = ProfileManager::GetPrimaryUserProfile();
+  DCHECK(profile);
+  ::dlp::CheckFilesTransferRequest request;
+  for (const auto& file : intent->files) {
+    auto file_url = apps::GetFileSystemURL(profile, file->url);
+    request.add_files_paths(file_url.path().value());
+  }
+
+  request.set_file_action(intent->IsShareIntent() ? ::dlp::FileAction::SHARE
+                                                  : ::dlp::FileAction::OPEN);
+
+  switch (app_update.AppType()) {
+    case apps::AppType::kStandaloneBrowserChromeApp:
+    case apps::AppType::kExtension:
+    case apps::AppType::kStandaloneBrowserExtension:
+    case apps::AppType::kChromeApp:
+      request.set_destination_url(base::StrCat(
+          {extensions::kExtensionScheme, "://", app_update.AppId()}));
+      break;
+
+    case apps::AppType::kArc:
+      request.set_destination_component(::dlp::DlpComponent::ARC);
+      break;
+    case apps::AppType::kCrostini:
+      request.set_destination_component(::dlp::DlpComponent::CROSTINI);
+      break;
+    case apps::AppType::kPluginVm:
+      request.set_destination_component(::dlp::DlpComponent::PLUGIN_VM);
+      break;
+    case apps::AppType::kWeb:
+      request.set_destination_url(app_update.PublisherId());
+      break;
+    case apps::AppType::kUnknown:
+    case apps::AppType::kBuiltIn:
+    case apps::AppType::kMacOs:
+    case apps::AppType::kStandaloneBrowser:
+    case apps::AppType::kRemote:
+    case apps::AppType::kBorealis:
+    case apps::AppType::kSystemWeb:
+      break;
+  }
+  chromeos::DlpClient::Get()->CheckFilesTransfer(
+      request, base::BindOnce(&DlpFilesController::LaunchIfAllowed,
+                              weak_ptr_factory_.GetWeakPtr(),
+                              std::move(result_callback)));
 }
 
 void DlpFilesController::IsFilesTransferRestricted(
@@ -891,6 +942,24 @@ void DlpFilesController::ReturnDlpMetadata(
   std::move(result_callback).Run(std::move(result));
 }
 
+void DlpFilesController::LaunchIfAllowed(
+    CheckIfLaunchAllowedCallback result_callback,
+    ::dlp::CheckFilesTransferResponse response) {
+  if (response.has_error_message()) {
+    LOG(ERROR) << "Failed to get check files transfer, error: "
+               << response.error_message();
+    std::move(result_callback).Run(/*is_allowed=*/true);
+    return;
+  }
+
+  if (!response.files_paths().empty()) {
+    // TODO(crbug.com/1382065): Show block notification.
+    std::move(result_callback).Run(/*is_allowed=*/false);
+    return;
+  }
+  std::move(result_callback).Run(/*is_allowed=*/true);
+}
+
 void DlpFilesController::MaybeReportEvent(
     ino64_t inode,
     const base::FilePath& path,

chrome/browser/ash/policy/dlp/dlp_files_controller.h

@@ -16,6 +16,7 @@
 #include "base/memory/weak_ptr.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 #include "chromeos/dbus/dlp/dlp_service.pb.h"
+#include "components/services/app_service/public/cpp/app_update.h"
 #include "components/services/app_service/public/cpp/intent.h"
 #include "storage/browser/file_system/file_system_url.h"
 #include "third_party/blink/public/mojom/choosers/file_chooser.mojom-forward.h"
@@ -50,7 +51,9 @@ class DlpFilesController {
     kUpload = 3,
     kCopy = 4,
     kMove = 5,
-    kMaxValue = kMove
+    kOpen = 6,
+    kShare = 7,
+    kMaxValue = kShare
   };
 
   // DlpFileMetadata keeps metadata about a file, such as whether it's managed
@@ -189,8 +192,8 @@ class DlpFilesController {
                               const base::FilePath& file_path,
                               CheckIfDownloadAllowedCallback result_callback);
 
-  // Checks whether launching `app_id` with `intent` is allowed.
-  void CheckIfLaunchAllowed(const std::string& app_id,
+  // Checks whether launching `app_update` with `intent` is allowed.
+  void CheckIfLaunchAllowed(const apps::AppUpdate& app_update,
                             apps::IntentPtr intent,
                             CheckIfLaunchAllowedCallback result_callback);
 
@@ -256,6 +259,9 @@ class DlpFilesController {
                          GetDlpMetadataCallback result_callback,
                          const ::dlp::GetFilesSourcesResponse response);
 
+  void LaunchIfAllowed(CheckIfLaunchAllowedCallback result_callback,
+                       ::dlp::CheckFilesTransferResponse response);
+
   // Reports an event if a `DlpReportingManager` instance exists. When
   // `dst_pattern` is missing, we report `dst.component.value()` instead. When
   // `level` is missing, we report a warning proceeded event.