Update CheckPolicySettings to validate the policy First-Party Set lists.

This CL:
- Implements CheckPolicySettings as described in the design doc.
- Adds unit tests.
- Adds a ValidateEnterprisePolicy method to the FirstPartySetsHandler
  header so that it's accessible from chrome/browser.
- Updates FirstPartySetParser::ParseFromEnterpriseSets to take a
  base::Value::Dict rather than a base::Value.

This CL does *not* add this handler to the list that is built in the
ConfigurationPolicyHandlerListFactory, so landing it won't have any
effect yet.

Bug: 1244990, 1277128
Change-Id: Iab0c5c80d955d52d15fde464674d0110f16ed758
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3525494
Reviewed-by: Chris Fredrickson <cfredric@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Kirubel Aklilu <kaklilu@chromium.org>
Cr-Commit-Position: refs/heads/main@{#988614}

chrome/browser/first_party_sets/first_party_sets_overrides_policy_handler.cc

@@ -4,16 +4,56 @@
 
 #include "chrome/browser/first_party_sets/first_party_sets_overrides_policy_handler.h"
 
-#include "chrome/browser/first_party_sets/first_party_sets_pref_names.h"
+#include "base/strings/stringprintf.h"
+#include "base/values.h"
 #include "components/policy/core/browser/configuration_policy_handler.h"
 #include "components/policy/core/browser/policy_error_map.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/core/common/schema.h"
 #include "components/policy/policy_constants.h"
 #include "components/prefs/pref_value_map.h"
+#include "content/public/browser/first_party_sets_handler.h"
+#include "net/base/schemeful_site.h"
 
 namespace first_party_sets {
 
+namespace {
+
+const char kFirstPartySetPolicyReplacementsField[] = "replacements";
+const char kFirstPartySetPolicyAdditionsField[] = "additions";
+
+// Converts a ParseError to an appropriate string to be outputted to enterprise
+// administrators.
+std::string ParseErrorToString(
+    content::FirstPartySetsHandler::ParseError error) {
+  switch (error) {
+    case content::FirstPartySetsHandler::ParseError::kInvalidType:
+      return "This set is an invalid type.";
+    case content::FirstPartySetsHandler::ParseError::kInvalidOrigin:
+      return "This set contains an invalid origin.";
+    case content::FirstPartySetsHandler::ParseError::kSingletonSet:
+      return "This set doesn't contain any sites in its members list.";
+    case content::FirstPartySetsHandler::ParseError::kNonDisjointSets:
+      return "This set contains a domain that also exists in another "
+             "First-Party Set.";
+    case content::FirstPartySetsHandler::ParseError::kRepeatedDomain:
+      return "This set contains more than one occurrence of the same domain.";
+  }
+}
+
+// Converts a PolicySetType to an string describing the type.
+const char* SetTypeToString(
+    content::FirstPartySetsHandler::PolicySetType set_type) {
+  switch (set_type) {
+    case content::FirstPartySetsHandler::PolicySetType::kReplacement:
+      return kFirstPartySetPolicyReplacementsField;
+    case content::FirstPartySetsHandler::PolicySetType::kAddition:
+      return kFirstPartySetPolicyAdditionsField;
+  }
+}
+
+}  // namespace
+
 FirstPartySetsOverridesPolicyHandler::FirstPartySetsOverridesPolicyHandler(
     const policy::Schema& schema)
     : policy::SchemaValidatingPolicyHandler(
@@ -24,10 +64,43 @@ FirstPartySetsOverridesPolicyHandler::FirstPartySetsOverridesPolicyHandler(
 FirstPartySetsOverridesPolicyHandler::~FirstPartySetsOverridesPolicyHandler() =
     default;
 
+bool FirstPartySetsOverridesPolicyHandler::CheckPolicySettings(
+    const policy::PolicyMap& policies,
+    policy::PolicyErrorMap* errors) {
+  std::unique_ptr<base::Value> policy_value;
+  if (!policy::SchemaValidatingPolicyHandler::CheckAndGetValue(policies, errors,
+                                                               &policy_value) ||
+      !policy_value) {
+    return false;
+  }
+
+  // Output error and return false if any of the sets provided in the
+  // "replacements" or "additions" list are not valid First-Party Sets.
+  if (absl::optional<content::FirstPartySetsHandler::PolicyParsingError>
+          maybe_error = content::FirstPartySetsHandler::GetInstance()
+                            ->ValidateEnterprisePolicy(policy_value->GetDict());
+      maybe_error.has_value()) {
+    errors->AddError(policy_name(),
+                     base::StringPrintf("%s.items[%d]",
+                                        SetTypeToString(maybe_error->set_type),
+                                        maybe_error->error_index),
+                     ParseErrorToString(maybe_error->error));
+    return false;
+  }
+
+  validated_dict_ = std::move(policy_value->GetDict());
+  return true;
+}
+
 void FirstPartySetsOverridesPolicyHandler::ApplyPolicySettings(
     const policy::PolicyMap& policies,
     PrefValueMap* prefs) {
   NOTIMPLEMENTED();
 }
 
+base::Value::Dict
+FirstPartySetsOverridesPolicyHandler::GetValidatedDictForTesting() {
+  return validated_dict_.value().Clone();
+}
+
 }  // namespace first_party_sets

chrome/browser/first_party_sets/first_party_sets_overrides_policy_handler.h

@@ -31,8 +31,23 @@ class FirstPartySetsOverridesPolicyHandler
   ~FirstPartySetsOverridesPolicyHandler() override;
 
   // ConfigurationPolicyHandler methods:
+  bool CheckPolicySettings(const policy::PolicyMap& policies,
+                           policy::PolicyErrorMap* errors) override;
   void ApplyPolicySettings(const policy::PolicyMap& policies,
                            PrefValueMap* prefs) override;
+
+  // Returns the validated policy, which is stored in the 'validated_dict_'
+  // member variable.
+  //
+  // This method must only be called after CheckPolicySettings returns true,
+  // which indicates that validating the policy was successful and the member
+  // variable was populated.
+  base::Value::Dict GetValidatedDictForTesting();
+
+ private:
+  // Result of validating the policy sets, stored for future use in
+  // ApplyPolicySettings
+  absl::optional<base::Value::Dict> validated_dict_;
 };
 
 }  // namespace first_party_sets