[M65 Merge] Enable installation of root certificates from policy for …

…Web browsing in Public Sessions

TBR=isandrk@chromium.org

(cherry picked from commit 4c08568)

Bug: chromium:572103, chromium:803531
Change-Id: I02dcc1636f20991f9ad3e0f2be78b3c506810e67
Reviewed-on: https://chromium-review.googlesource.com/874451
Commit-Queue: Ivan Šandrk <isandrk@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#530515}
Reviewed-on: https://chromium-review.googlesource.com/880585
Reviewed-by: Ivan Šandrk <isandrk@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#25}
Cr-Branched-From: bc084a8-refs/heads/master@{#530369}

chrome/browser/chromeos/policy/user_network_configuration_updater_factory.cc

@@ -75,27 +75,20 @@ KeyedService* UserNetworkConfigurationUpdaterFactory::BuildServiceInstanceFor(
   if (user != user_manager::UserManager::Get()->GetPrimaryUser())
     return nullptr;
 
+  // Guest sessions don't get user policy, but a UserNetworkConfigurationUpdater
+  // can be created for them anyway.
+  const bool allow_trusted_certs_from_policy =
+      user->GetType() != user_manager::USER_TYPE_GUEST;
+
   ProfilePolicyConnector* profile_connector =
       ProfilePolicyConnectorFactory::GetForBrowserContext(context);
 
   return UserNetworkConfigurationUpdater::CreateForUserPolicy(
-             profile, AllowTrustedCertsFromPolicy(user), *user,
+             profile, allow_trusted_certs_from_policy, *user,
              profile_connector->policy_service(),
              chromeos::NetworkHandler::Get()
                  ->managed_network_configuration_handler())
       .release();
 }
 
-// static
-bool UserNetworkConfigurationUpdaterFactory::AllowTrustedCertsFromPolicy(
-    const user_manager::User* user) {
-  user_manager::UserType user_type = user->GetType();
-
-  // Disallow trusted root certs for public sessions.
-  // Also, guest sessions don't get user policy, but a
-  // UserNetworkCofnigurationUpdater can be created for them anyway.
-  return user_type != user_manager::USER_TYPE_GUEST &&
-         user_type != user_manager::USER_TYPE_PUBLIC_ACCOUNT;
-}
-
 }  // namespace policy

chrome/browser/chromeos/policy/user_network_configuration_updater_factory.h

@@ -14,10 +14,6 @@ template <typename T>
 struct DefaultSingletonTraits;
 }  // namespace base
 
-namespace user_manager {
-class User;
-}
-
 class Profile;
 
 namespace policy {
@@ -50,8 +46,6 @@ class UserNetworkConfigurationUpdaterFactory
   KeyedService* BuildServiceInstanceFor(
       content::BrowserContext* context) const override;
 
-  static bool AllowTrustedCertsFromPolicy(const user_manager::User* user);
-
   DISALLOW_COPY_AND_ASSIGN(UserNetworkConfigurationUpdaterFactory);
 };
 

chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc

@@ -302,7 +302,7 @@ class PolicyProvidedTrustRootsPublicSessionTest
 };
 
 IN_PROC_BROWSER_TEST_F(PolicyProvidedTrustRootsPublicSessionTest,
-                       NotAllowedInPublicSession) {
+                       AllowedInPublicSession) {
   StartLogin();
   WaitForSessionStart();
 
@@ -312,8 +312,7 @@ IN_PROC_BROWSER_TEST_F(PolicyProvidedTrustRootsPublicSessionTest,
   ASSERT_TRUE(browser);
 
   SetRootCertONCPolicy(browser->profile());
-  EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
-            VerifyTestServerCert(browser->profile()));
+  EXPECT_EQ(net::OK, VerifyTestServerCert(browser->profile()));
 }
 
 }  // namespace policy