authorjamiewalch@chromium.org <jamiewalch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-02 20:13:55 +0000
committerjamiewalch@chromium.org <jamiewalch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-02 20:13:55 +0000
commit562378fd4ff5b2d27b2e82bd0e47139ace2aa932 (patch)
tree8861bbfb68d2aaf1e562b4142dc3b05cf2134b1a
parent66ae6e880d111087e776afbb7eccc3e5a8436e45 (diff)
Added PIN-less auth policy.
BUG=156182 Review URL: https://chromiumcodereview.appspot.com/20864002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@215355 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/policy/policy_templates.json18
-rw-r--r--chrome/browser/policy/configuration_policy_handler_list.cc3
-rw-r--r--chrome/common/pref_names.cc4
-rw-r--r--chrome/common/pref_names.h1
-rw-r--r--chrome/test/data/policy/policy_test_cases.json8
-rw-r--r--remoting/host/policy_hack/policy_watcher.cc4
-rw-r--r--remoting/host/policy_hack/policy_watcher.h7
-rw-r--r--remoting/host/policy_hack/policy_watcher_unittest.cc21
-rw-r--r--remoting/host/remoting_me2me_host.cc28
9 files changed, 90 insertions, 4 deletions
diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
index 93ef3fa..aeb4d5c9 100644
--- a/chrome/app/policy/policy_templates.json
+++ b/chrome/app/policy/policy_templates.json
@@ -112,7 +112,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 233
+# For your editing convenience: highest ID currently used: 234
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -588,6 +588,22 @@
If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.''',
},
+ {
+ 'name': 'RemoteAccessHostAllowClientPairing',
+ 'type': 'main',
+ 'schema': { 'type': 'boolean' },
+ 'supported_on': ['chrome.*:30-'],
+ 'features': {
+ 'dynamic_refresh': True,
+ 'per_profile': False,
+ },
+ 'example_value': False,
+ 'id': 234,
+ 'caption': '''Enable or disable PIN-less authentication''',
+ 'desc': '''If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
+
+ If this setting is disabled, then this feature will not be available.''',
+ },
],
},
{
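Review bot: The `desc` text for `RemoteAccessHostAllowClientPairing` does not say what happens to clients that were already paired when an administrator later disables the policy. An admin deciding whether PIN-less access is acceptable needs to know whether existing pairings are revoked or only ignored while the policy is off. Judging from the host-side change in this commit it looks like the latter, but the registry code is not visible here. Once the intended behaviour is confirmed, consider adding a sentence such as `Clients that were paired earlier must enter a PIN again while this setting is disabled.`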
diff --git a/chrome/browser/policy/configuration_policy_handler_list.cc b/chrome/browser/policy/configuration_policy_handler_list.cc
index 47f3a7b..08a1a38 100644
--- a/chrome/browser/policy/configuration_policy_handler_list.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list.cc
@@ -246,6 +246,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kRemoteAccessHostRequireCurtain,
prefs::kRemoteAccessHostRequireCurtain,
Value::TYPE_BOOLEAN },
+ { key::kRemoteAccessHostAllowClientPairing,
+ prefs::kRemoteAccessHostAllowClientPairing,
+ Value::TYPE_BOOLEAN },
{ key::kCloudPrintProxyEnabled,
prefs::kCloudPrintProxyEnabled,
Value::TYPE_BOOLEAN },
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 1f63833..db42627 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1965,6 +1965,10 @@ const char kRemoteAccessHostTalkGadgetPrefix[] =
const char kRemoteAccessHostRequireCurtain[] =
"remote_access.host_require_curtain";
+// Boolean controlling whether curtaining is required when connecting to a host.
+const char kRemoteAccessHostAllowClientPairing[] =
+ "remote_access.host_allow_client_pairing";
+
// The last used printer and its settings.
const char kPrintPreviewStickySettings[] =
"printing.print_preview_sticky_settings";
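Review bot: The comment added above `kRemoteAccessHostAllowClientPairing` was copied from the curtain pref and describes the wrong setting. It should describe this pref, for example `// Boolean controlling whether clients can be paired with the host for PIN-less authentication.` A wrong comment on a security-relevant pref is easy to trust during a later audit.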
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index a99c44d..8666cd1 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -702,6 +702,7 @@ extern const char kRemoteAccessHostRequireTwoFactor[];
extern const char kRemoteAccessHostDomain[];
extern const char kRemoteAccessHostTalkGadgetPrefix[];
extern const char kRemoteAccessHostRequireCurtain[];
+extern const char kRemoteAccessHostAllowClientPairing[];
extern const char kPrintPreviewStickySettings[];
extern const char kCloudPrintRoot[];
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index a03b518..b2db7bf 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -223,6 +223,14 @@
]
},
+ "RemoteAccessHostAllowClientPairing": {
+ "os": [],
+ "test_policy": { "RemoteAccessHostAllowClientPairing": true },
+ "pref_mappings": [
+ { "pref": "remote_access.host_allow_client_pairing" }
+ ]
+ },
+
"PrintingEnabled": {
"os": ["win", "linux", "mac", "chromeos"],
"test_policy": { "PrintingEnabled": false },
diff --git a/remoting/host/policy_hack/policy_watcher.cc b/remoting/host/policy_hack/policy_watcher.cc
index a7cae81..23b6c78 100644
--- a/remoting/host/policy_hack/policy_watcher.cc
+++ b/remoting/host/policy_hack/policy_watcher.cc
@@ -98,6 +98,9 @@ const char PolicyWatcher::kHostTokenUrlPolicyName[] =
const char PolicyWatcher::kHostTokenValidationUrlPolicyName[] =
"RemoteAccessHostTokenValidationUrl";
+const char PolicyWatcher::kHostAllowClientPairing[] =
+ "RemoteAccessHostAllowClientPairing";
+
const char PolicyWatcher::kHostDebugOverridePoliciesName[] =
"RemoteAccessHostDebugOverridePolicies";
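Review bot: The new constant `kHostAllowClientPairing` drops the `PolicyName` suffix that its neighbours carry (`kHostTokenUrlPolicyName`, `kHostTokenValidationUrlPolicyName`, `kHostDebugOverridePoliciesName`). Renaming it to `kHostAllowClientPairingPolicyName` would keep the set uniform and make it clear at call sites that the value is a policy key rather than a flag. The same name appears in the declaration in policy_watcher.h, in the unit test and in remoting_me2me_host.cc, so the rename would need to be applied there too.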
@@ -117,6 +120,7 @@ PolicyWatcher::PolicyWatcher(
kDefaultHostTalkGadgetPrefix);
default_values_->SetString(kHostTokenUrlPolicyName, std::string());
default_values_->SetString(kHostTokenValidationUrlPolicyName, std::string());
+ default_values_->SetBoolean(kHostAllowClientPairing, true);
#if !defined(NDEBUG)
default_values_->SetString(kHostDebugOverridePoliciesName, std::string());
#endif
diff --git a/remoting/host/policy_hack/policy_watcher.h b/remoting/host/policy_hack/policy_watcher.h
index 23e2209..7c9e4d0 100644
--- a/remoting/host/policy_hack/policy_watcher.h
+++ b/remoting/host/policy_hack/policy_watcher.h
@@ -55,7 +55,9 @@ class PolicyWatcher {
// The name of the host domain policy.
static const char kHostDomainPolicyName[];
- // The name of the username policy.
+ // The name of the username policy. This policy is ignored on Windows.
+ // This policy is currently considered 'internal only' and so is not
+ // documented in policy_templates.json.
static const char kHostMatchUsernamePolicyName[];
// The name of the policy that controls the host talkgadget prefix.
@@ -68,6 +70,9 @@ class PolicyWatcher {
static const char kHostTokenUrlPolicyName[];
static const char kHostTokenValidationUrlPolicyName[];
+ // The name of the policy for disabling PIN-less authentication.
+ static const char kHostAllowClientPairing[];
+
// The name of the policy for overriding policies, for use in testing.
static const char kHostDebugOverridePoliciesName[];
diff --git a/remoting/host/policy_hack/policy_watcher_unittest.cc b/remoting/host/policy_hack/policy_watcher_unittest.cc
index 600f409..c88cfc9 100644
--- a/remoting/host/policy_hack/policy_watcher_unittest.cc
+++ b/remoting/host/policy_hack/policy_watcher_unittest.cc
@@ -68,6 +68,8 @@ class PolicyWatcherTest : public testing::Test {
nat_true_and_overridden_.SetString(
PolicyWatcher::kHostDebugOverridePoliciesName,
kOverrideNatTraversalToFalse);
+ pairing_true_.SetBoolean(PolicyWatcher::kHostAllowClientPairing, true);
+ pairing_false_.SetBoolean(PolicyWatcher::kHostAllowClientPairing, false);
#if !defined(NDEBUG)
SetDefaults(nat_false_overridden_others_default_);
nat_false_overridden_others_default_.SetBoolean(
@@ -115,6 +117,8 @@ class PolicyWatcherTest : public testing::Test {
base::DictionaryValue unknown_policies_;
base::DictionaryValue nat_true_and_overridden_;
base::DictionaryValue nat_false_overridden_others_default_;
+ base::DictionaryValue pairing_true_;
+ base::DictionaryValue pairing_false_;
private:
void SetDefaults(base::DictionaryValue& dict) {
@@ -128,6 +132,7 @@ class PolicyWatcherTest : public testing::Test {
dict.SetString(PolicyWatcher::kHostTokenUrlPolicyName, std::string());
dict.SetString(PolicyWatcher::kHostTokenValidationUrlPolicyName,
std::string());
+ dict.SetBoolean(PolicyWatcher::kHostAllowClientPairing, true);
#if !defined(NDEBUG)
dict.SetString(PolicyWatcher::kHostDebugOverridePoliciesName, "");
#endif
@@ -308,5 +313,21 @@ TEST_F(PolicyWatcherTest, DebugOverrideNatPolicy) {
StopWatching();
}
+TEST_F(PolicyWatcherTest, PairingFalseThenTrue) {
+ testing::InSequence sequence;
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&pairing_false_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&pairing_true_)));
+
+ StartWatching();
+ policy_watcher_->SetPolicies(&empty_);
+ policy_watcher_->SetPolicies(&pairing_false_);
+ policy_watcher_->SetPolicies(&pairing_true_);
+ StopWatching();
+}
+
} // namespace policy_hack
} // namespace remoting
diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc
index af8861b..fed6031 100644
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -213,6 +213,7 @@ class HostProcess
bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
bool OnHostTokenUrlPolicyUpdate(const GURL& token_url,
const GURL& token_validation_url);
+ bool OnPairingPolicyUpdate(bool pairing_enabled);
void StartHost();
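Review bot: The declaration names the parameter `pairing_enabled`, while the definition added later in this file uses `allow_pairing` and the member is `allow_pairing_`. Using one name throughout avoids a reader wondering whether "enabled" and "allowed" are distinct states; suggest `bool OnPairingPolicyUpdate(bool allow_pairing);`. The class body continues outside the hunk.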
@@ -266,6 +267,7 @@ class HostProcess
scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
bool allow_nat_traversal_;
std::string talkgadget_prefix_;
+ bool allow_pairing_;
bool curtain_required_;
GURL token_url_;
@@ -297,6 +299,7 @@ HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
: context_(context.Pass()),
state_(HOST_INITIALIZING),
allow_nat_traversal_(true),
+ allow_pairing_(true),
curtain_required_(false),
#if defined(REMOTING_MULTI_PROCESS)
desktop_session_connector_(NULL),
@@ -482,8 +485,10 @@ void HostProcess::CreateAuthenticatorFactory() {
return;
}
- scoped_refptr<protocol::PairingRegistry> pairing_registry =
- CreatePairingRegistry(context_->file_task_runner());
+ scoped_refptr<protocol::PairingRegistry> pairing_registry = NULL;
+ if (allow_pairing_) {
+ pairing_registry = CreatePairingRegistry(context_->file_task_runner());
+ }
scoped_ptr<protocol::AuthenticatorFactory> factory;
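Review bot: When `allow_pairing_` is false the registry is simply left null, and nothing in this hunk shows how the authenticator factory treats a null `pairing_registry` or what happens to pairings already stored. If the factory code (outside the hunk) uses it without a null check, disabling the policy would crash the host; if stored pairings persist, they become valid again as soon as the policy is flipped back. A comment would make the contract explicit, e.g. `// Null registry => paired (PIN-less) auth is refused; stored pairings are kept, not deleted.`, adjusted to the behaviour actually intended. The `= NULL` initializer is also redundant, since `scoped_refptr` default-constructs to null. CreateAuthenticatorFactory starts and ends outside the hunk.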
@@ -748,6 +753,11 @@ void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) {
restart_required |= OnHostTokenUrlPolicyUpdate(
GURL(token_url_string), GURL(token_validation_url_string));
}
+ if (policies->GetBoolean(
+ policy_hack::PolicyWatcher::kHostAllowClientPairing,
+ &bool_value)) {
+ restart_required |= OnPairingPolicyUpdate(bool_value);
+ }
if (state_ == HOST_INITIALIZING) {
StartHost();
@@ -893,6 +903,20 @@ bool HostProcess::OnHostTokenUrlPolicyUpdate(
return false;
}
+bool HostProcess::OnPairingPolicyUpdate(bool allow_pairing) {
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ if (allow_pairing_ == allow_pairing)
+ return false;
+
+ if (allow_pairing)
+ LOG(INFO) << "Policy enables client pairing.";
+ else
+ LOG(INFO) << "Policy disables client pairing.";
+ allow_pairing_ = allow_pairing;
+ return true;
+}
+
void HostProcess::StartHost() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_);