8 files changed, 127 insertions, 13 deletions

diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 16960594..862b29d 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -6361,6 +6361,12 @@ Keep your key file in a safe place. You will need it to create new versions of y
       <message name="IDS_FLAGS_SYNC_APP_NOTIFICATIONS_DESCRIPTION" desc="Description for the flag to disable syncing the app notifications datatype">
         Disable app notifications in the sync settings. This turns off syncing notifications received from your apps to other clients.
       </message>
+      <message name="IDS_FLAGS_SYNC_KEYSTORE_ENCRYPTION_NAME" desc="Title for the flag to enable sync's keystore encryption options">
+        Enable sync keystore encryption.
+      </message>
+      <message name="IDS_FLAGS_SYNC_KEYSTORE_ENCRYPTION_DESCRIPTION" desc="Description for the flag to enable sync's keystore encryption options">
+        Switch to sync's new server supported encryption schema. Warning: this will modify your sync data, possibly making it unreadable to other clients.
+      </message>
       <if expr="pp_ifdef('android')">
         <message name="IDS_FLAGS_SYNC_TYPED_URLS_NAME" desc="Mobile: Title for the flag to enable syncing the TypedUrl datatype">
           Enable syncing typed URLs
@@ -6542,7 +6548,7 @@ Keep your key file in a safe place. You will need it to create new versions of y
       </message>
       <message name="IDS_FLAGS_ENABLE_TAB_SCRUBBING_DESCRIPTION" desc="Title for the flag to enable advanced gestures.">
         Enables tab switching via ctrl + left drag.
-      </message>      
+      </message>
       <message name="IDS_FLAGS_ENABLE_MEMORY_MONITOR_NAME" desc="Title for the flag to enable advanced gestures.">
         Enable memory monitor
       </message>
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
index a7c2e28..36a49ed 100644
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -530,6 +530,13 @@ const Experiment kExperiments[] = {
     SINGLE_VALUE_TYPE(switches::kDisableSyncAppNotifications)
   },
   {
+    "sync-keystore-encryption",
+    IDS_FLAGS_SYNC_KEYSTORE_ENCRYPTION_NAME,
+    IDS_FLAGS_SYNC_KEYSTORE_ENCRYPTION_DESCRIPTION,
+    kOsAll,
+    SINGLE_VALUE_TYPE(switches::kSyncKeystoreEncryption)
+  },
+  {
     "enable-gesture-tap-highlight",
     IDS_FLAGS_ENABLE_GESTURE_TAP_HIGHLIGHTING_NAME,
     IDS_FLAGS_ENABLE_GESTURE_TAP_HIGHLIGHTING_DESCRIPTION,
diff --git a/chrome/browser/sync/profile_sync_service.cc b/chrome/browser/sync/profile_sync_service.cc
index 3df2212..ef31b0d 100644
--- a/chrome/browser/sync/profile_sync_service.cc
+++ b/chrome/browser/sync/profile_sync_service.cc
@@ -661,14 +661,9 @@ void ProfileSyncService::ClearUnrecoverableError() {
 }
 
 // static
+// TODO(sync): Consider having syncer::Experiments provide this.
 std::string ProfileSyncService::GetExperimentNameForDataType(
     syncer::ModelType data_type) {
-  switch (data_type) {
-    case syncer::SESSIONS:
-      return "sync-tabs";
-    default:
-      break;
-  }
   NOTREACHED();
   return "";
 }
@@ -917,6 +912,12 @@ void ProfileSyncService::OnExperimentsChanged(
 #endif
   }
 
+  if (experiments.keystore_encryption) {
+    about_flags::SetExperimentEnabled(g_browser_process->local_state(),
+                                      syncer::kKeystoreEncryptionFlag,
+                                      true);
+  }
+
   current_experiments = experiments;
 }
 
diff --git a/net/tools/testserver/chromiumsync.py b/net/tools/testserver/chromiumsync.py
index 92542e3..8e25482 100644
--- a/net/tools/testserver/chromiumsync.py
+++ b/net/tools/testserver/chromiumsync.py
@@ -108,6 +108,9 @@ UNIX_TIME_EPOCH = (1970, 1, 1, 0, 0, 0, 3, 1, 0)
 # The number of characters in the server-generated encryption key.
 KEYSTORE_KEY_LENGTH = 16
 
+# The hashed client tag for the keystore encryption experiment node.
+KEYSTORE_ENCRYPTION_EXPERIMENT_TAG = "pis8ZRzh98/MKLtVEio2mr42LQA="
+
 class Error(Exception):
   """Error class for this module."""
 
@@ -974,6 +977,34 @@ class SyncDataModel(object):
                               if spec.name == "Synced Bookmarks"]
     self._CreatePermanentItem(synced_bookmarks_spec)
 
+  def TriggerEnableKeystoreEncryption(self):
+    """Create the keystore_encryption experiment entity and enable it.
+
+    A new entity within the EXPERIMENTS datatype is created with the unique
+    client tag "keystore_encryption" if it doesn't already exist. The
+    keystore_encryption message is then filled with |enabled| set to true.
+    """
+
+    experiment_id = self._ServerTagToId("google_chrome_experiments")
+    keystore_encryption_id = self._ClientTagToId(
+        EXPERIMENTS,
+        KEYSTORE_ENCRYPTION_EXPERIMENT_TAG)
+    keystore_entry = self._entries.get(keystore_encryption_id)
+    if keystore_entry is None:
+      keystore_entry = sync_pb2.SyncEntity()
+      keystore_entry.id_string = keystore_encryption_id
+      keystore_entry.name = "Keystore Encryption"
+      keystore_entry.client_defined_unique_tag = (
+          KEYSTORE_ENCRYPTION_EXPERIMENT_TAG)
+      keystore_entry.folder = False
+      keystore_entry.deleted = False
+      keystore_entry.specifics.CopyFrom(GetDefaultEntitySpecifics(EXPERIMENTS))
+      self._WritePosition(keystore_entry, experiment_id)
+
+    keystore_entry.specifics.experiments.keystore_encryption.enabled = True
+
+    self._SaveEntry(keystore_entry)
+
   def SetInducedError(self, error, error_frequency,
                       sync_count_before_errors):
     self.induced_error = error
@@ -1130,6 +1161,14 @@ class TestServer(object):
         200,
         '<html><title>Synced Bookmarks</title><H1>Synced Bookmarks</H1></html>')
 
+  def HandleEnableKeystoreEncryption(self):
+    """Enables the keystore encryption experiment."""
+    self.account.TriggerEnableKeystoreEncryption()
+    return (
+        200,
+        '<html><title>Enable Keystore Encryption</title>'
+            '<H1>Enable Keystore Encryption</H1></html>')
+
   def HandleCommand(self, query, raw_request):
     """Decode and handle a sync command from a raw input of bytes.
 
diff --git a/net/tools/testserver/chromiumsync_test.py b/net/tools/testserver/chromiumsync_test.py
index 7a68b40..56970b3 100755
--- a/net/tools/testserver/chromiumsync_test.py
+++ b/net/tools/testserver/chromiumsync_test.py
@@ -604,6 +604,35 @@ class SyncDataModelTest(unittest.TestCase):
     self.assertTrue(len(key1) > 0)
     self.assertEqual(key1, key2)
 
+  def testTriggerEnableKeystoreEncryption(self):
+    version1, changes, remaining = (
+        self.GetChangesFromTimestamp([chromiumsync.EXPERIMENTS], 0))
+    keystore_encryption_id_string = (
+        self.model._ClientTagToId(
+            chromiumsync.EXPERIMENTS,
+            chromiumsync.KEYSTORE_ENCRYPTION_EXPERIMENT_TAG))
+
+    self.assertFalse(self.model._ItemExists(keystore_encryption_id_string))
+    self.model.TriggerEnableKeystoreEncryption()
+    self.assertTrue(self.model._ItemExists(keystore_encryption_id_string))
+
+    # The creation of the experiment should be downloaded on the next
+    # GetUpdates.
+    version2, changes, remaining = (
+        self.GetChangesFromTimestamp([chromiumsync.EXPERIMENTS], version1))
+    self.assertEqual(len(changes), 1)
+    self.assertEqual(changes[0].id_string, keystore_encryption_id_string)
+    self.assertNotEqual(version1, version2)
+
+    # Verify the experiment was created properly and is enabled.
+    self.assertEqual(chromiumsync.KEYSTORE_ENCRYPTION_EXPERIMENT_TAG,
+                     changes[0].client_defined_unique_tag)
+    self.assertTrue(changes[0].HasField("specifics"))
+    self.assertTrue(changes[0].specifics.HasField("experiments"))
+    self.assertTrue(
+        changes[0].specifics.experiments.HasField("keystore_encryption"))
+    self.assertTrue(
+        changes[0].specifics.experiments.keystore_encryption.enabled)
 
 if __name__ == '__main__':
   unittest.main()
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 0ab49c0..4ee0b38 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -1769,7 +1769,8 @@ class SyncPageHandler(BasePageHandler):
                     self.ChromiumSyncTransientErrorOpHandler,
                     self.ChromiumSyncErrorOpHandler,
                     self.ChromiumSyncSyncTabFaviconsOpHandler,
-                    self.ChromiumSyncCreateSyncedBookmarksOpHandler]
+                    self.ChromiumSyncCreateSyncedBookmarksOpHandler,
+                    self.ChromiumSyncEnableKeystoreEncryptionOpHandler]
 
     post_handlers = [self.ChromiumSyncCommandHandler,
                      self.ChromiumSyncTimeHandler]
@@ -1983,6 +1984,19 @@ class SyncPageHandler(BasePageHandler):
     self.wfile.write(raw_reply)
     return True
 
+  def ChromiumSyncEnableKeystoreEncryptionOpHandler(self):
+    test_name = "/chromiumsync/enablekeystoreencryption"
+    if not self._ShouldHandleRequest(test_name):
+      return False
+    result, raw_reply = (
+        self.server._sync_handler.HandleEnableKeystoreEncryption())
+    self.send_response(result)
+    self.send_header('Content-Type', 'text/html')
+    self.send_header('Content-Length', len(raw_reply))
+    self.end_headers()
+    self.wfile.write(raw_reply)
+    return True
+
 
 class OCSPHandler(BasePageHandler):
   def __init__(self, request, client_address, socket_server):
diff --git a/sync/internal_api/public/util/experiments.h b/sync/internal_api/public/util/experiments.h
index 7cea6d6..b5730ce 100644
--- a/sync/internal_api/public/util/experiments.h
+++ b/sync/internal_api/public/util/experiments.h
@@ -9,17 +9,25 @@
 
 namespace syncer {
 
+const char kKeystoreEncryptionTag[] = "keystore_encryption";
+const char kKeystoreEncryptionFlag[] = "sync-keystore-encryption";
+
 // A structure to hold the enable status of experimental sync features.
 struct Experiments {
-  Experiments() : sync_tab_favicons(false) {}
+  Experiments() : sync_tab_favicons(false),
+                  keystore_encryption(false) {}
 
   bool Matches(const Experiments& rhs) {
-    return (sync_tab_favicons == rhs.sync_tab_favicons);
+    return (sync_tab_favicons == rhs.sync_tab_favicons &&
+            keystore_encryption == rhs.keystore_encryption);
   }
 
   // Enable syncing of favicons within tab sync (only has an effect if tab sync
   // is already enabled). This takes effect on the next restart.
   bool sync_tab_favicons;
+
+  // Enable keystore encryption logic and the new encryption UI.
+  bool keystore_encryption;
 };
 
 }  // namespace syncer
diff --git a/sync/internal_api/sync_manager_impl.cc b/sync/internal_api/sync_manager_impl.cc
index f7abea4..bd528f7 100644
--- a/sync/internal_api/sync_manager_impl.cc
+++ b/sync/internal_api/sync_manager_impl.cc
@@ -1298,16 +1298,26 @@ UserShare* SyncManagerImpl::GetUserShare() {
 
 bool SyncManagerImpl::ReceivedExperiment(Experiments* experiments) {
   ReadTransaction trans(FROM_HERE, GetUserShare());
-  ReadNode node(&trans);
-  if (node.InitByTagLookup(kNigoriTag) != BaseNode::INIT_OK) {
+  ReadNode nigori_node(&trans);
+  if (nigori_node.InitByTagLookup(kNigoriTag) != BaseNode::INIT_OK) {
     DVLOG(1) << "Couldn't find Nigori node.";
     return false;
   }
   bool found_experiment = false;
-  if (node.GetNigoriSpecifics().sync_tab_favicons()) {
+  if (nigori_node.GetNigoriSpecifics().sync_tab_favicons()) {
     experiments->sync_tab_favicons = true;
     found_experiment = true;
   }
+
+  ReadNode keystore_node(&trans);
+  if (keystore_node.InitByClientTagLookup(
+          syncer::EXPERIMENTS,
+          syncer::kKeystoreEncryptionTag) == BaseNode::INIT_OK &&
+      keystore_node.GetExperimentsSpecifics().keystore_encryption().enabled()) {
+    experiments->keystore_encryption = true;
+    found_experiment = true;
+  }
+
   return found_experiment;
 }