Create ProvisionManagedClientCertificateForBrowser policy

Bug: 392927364
Change-Id: I215b5cc0b2da1f1a408d11b75109b849902ee7aa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6216707
Reviewed-by: Sébastien Lalancette <seblalancette@chromium.org>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Commit-Queue: Hamda Mare <hmare@google.com>
Cr-Commit-Position: refs/heads/main@{#1414959}
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
index b68b34ae..9cee8aa 100644
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -2331,6 +2331,9 @@
   { key::kProvisionManagedClientCertificateForUser,
     client_certificates::prefs::kProvisionManagedClientCertificateForUserPrefs,
     base::Value::Type::INTEGER },
+  { key::kProvisionManagedClientCertificateForBrowser,
+    client_certificates::prefs::kProvisionManagedClientCertificateForBrowserPrefs,
+    base::Value::Type::INTEGER },
 #endif  // BUILDFLAG(ENTERPRISE_CLIENT_CERTIFICATES)
 
 #if !BUILDFLAG(IS_ANDROID)
diff --git a/components/enterprise/client_certificates/core/prefs.cc b/components/enterprise/client_certificates/core/prefs.cc
index 4810e767..1ad9089 100644
--- a/components/enterprise/client_certificates/core/prefs.cc
+++ b/components/enterprise/client_certificates/core/prefs.cc
@@ -11,6 +11,8 @@
 namespace prefs {
 const char kProvisionManagedClientCertificateForUserPrefs[] =
     "client_certificates.provision_for_user.value";
+const char kProvisionManagedClientCertificateForBrowserPrefs[] =
+    "client_certificates.provision_for_browser.value";
 }  // namespace prefs
 
 void RegisterProfilePrefs(PrefRegistrySimple* registry) {
@@ -19,4 +21,10 @@
       /*default_value=*/0);
 }
 
+void RegisterLocalStatePrefs(PrefRegistrySimple* registry) {
+  registry->RegisterIntegerPref(
+      prefs::kProvisionManagedClientCertificateForBrowserPrefs,
+      /*default_value=*/0);
+}
+
 }  // namespace client_certificates
diff --git a/components/enterprise/client_certificates/core/prefs.h b/components/enterprise/client_certificates/core/prefs.h
index 4b45c14..c866fa1 100644
--- a/components/enterprise/client_certificates/core/prefs.h
+++ b/components/enterprise/client_certificates/core/prefs.h
@@ -13,9 +13,14 @@
 // Pref to which the "ProvisionManagedClientCertificateForUserPrefs" policy is
 // mapped.
 extern const char kProvisionManagedClientCertificateForUserPrefs[];
+
+// Pref to which the "ProvisionManagedClientCertificateForBrowserPrefs" policy
+// is mapped.
+extern const char kProvisionManagedClientCertificateForBrowserPrefs[];
 }  // namespace prefs
 
 void RegisterProfilePrefs(PrefRegistrySimple* registry);
+void RegisterLocalStatePrefs(PrefRegistrySimple* registry);
 
 }  // namespace client_certificates
 
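Review bot: The comment added on the new extern (the two lines above `kProvisionManagedClientCertificateForBrowserPrefs`) names a policy called "ProvisionManagedClientCertificateForBrowserPrefs", but the policy registered elsewhere in this change is `ProvisionManagedClientCertificateForBrowser` (the `key::kProvisionManagedClientCertificateForBrowser` entry in configuration_policy_handler_list_factory.cc and the policies.yaml id), so the "Prefs" suffix belongs to the C++ constant, not the policy; the pre-existing comment on the user pref has the same slip and could be corrected in passing. Suggested wording: `// Pref to which the "ProvisionManagedClientCertificateForBrowser" policy is` / `// mapped. Lives in local state (registered by RegisterLocalStatePrefs).`. The new `RegisterLocalStatePrefs` declaration also lands without a comment while sitting next to the undocumented `RegisterProfilePrefs`; a one-liner such as `// Registers this component's local-state prefs (browser-scoped client certificate provisioning, default 0).` would tell readers which registry the caller must pass, which matters because the two functions take the same parameter type but target different pref stores.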
diff --git a/components/enterprise/connectors/core/connectors_prefs.cc b/components/enterprise/connectors/core/connectors_prefs.cc
index 25be918e..70f6472 100644
--- a/components/enterprise/connectors/core/connectors_prefs.cc
+++ b/components/enterprise/connectors/core/connectors_prefs.cc
@@ -86,6 +86,10 @@
 
 void RegisterLocalStatePrefs(PrefRegistrySimple* registry) {
   registry->RegisterInt64Pref(kLatestCrashReportCreationTime, 0);
+
+#if BUILDFLAG(ENTERPRISE_CLIENT_CERTIFICATES)
+  client_certificates::RegisterLocalStatePrefs(registry);
+#endif  // BUILDFLAG(ENTERPRISE_CLIENT_CERTIFICATES)
 }
 
 }  // namespace enterprise_connectors
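Review bot: The new call to `client_certificates::RegisterLocalStatePrefs(registry)` relies on the client_certificates prefs header and the `BUILDFLAG(ENTERPRISE_CLIENT_CERTIFICATES)` buildflag header being visible in this translation unit, and this hunk adds no `#include` for either; presumably they are already pulled in for the existing profile-pref path, but that is outside the hunk and worth confirming rather than inferring from a green build on one platform. Guarding the registration with the same buildflag that wraps the policy-to-pref entry in configuration_policy_handler_list_factory.cc keeps the two sides consistent, so a build without the flag neither maps the policy nor registers a dangling pref. A short comment on the guarded block, e.g. `// Browser-scoped client certificate provisioning pref; must stay in sync with the policy mapping in configuration_policy_handler_list_factory.cc.`, would make that coupling explicit for the next person who moves one of them.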
diff --git a/components/policy/resources/templates/policies.yaml b/components/policy/resources/templates/policies.yaml
index 5472a1e..a7e3083 100644
--- a/components/policy/resources/templates/policies.yaml
+++ b/components/policy/resources/templates/policies.yaml
@@ -1332,6 +1332,7 @@
   1331: ExternalStorageAllowlist
   1332: WebAuthenticationRemoteDesktopAllowedOrigins
   1333: ServiceWorkerToControlSrcdocIframeEnabled
+  1334: ProvisionManagedClientCertificateForBrowser
 
 atomic_groups:
   1: Homepage
diff --git a/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForBrowser.yaml b/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForBrowser.yaml
new file mode 100644
index 0000000..b376f19
--- /dev/null
+++ b/components/policy/resources/templates/policy_definitions/Miscellaneous/ProvisionManagedClientCertificateForBrowser.yaml
@@ -0,0 +1,32 @@
+owners:
+- hmare@google.com
+- cbe-device-trust-eng@google.com
+- file://components/enterprise/client_certificates/OWNERS
+caption: Enables the provisioning of client certificates for managed browsers
+desc: |-
+  Setting this policy to <ph name="PROVISION_MANAGED_CLIENT_CERTIFICATE_FOR_BROWSER_ENABLED">Enabled</ph> (value 1) will make the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> request a client certificate from the device management server for a managed browser session. This certificate will be made available for, e.g., mTLS connections.
+
+  Setting this policy to <ph name="PROVISION_MANAGED_CLIENT_CERTIFICATE_FOR_BROWSER_DISABLED">Disabled</ph> (value 0), or leaving unset will prevent <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> from requesting the client certificate. If a browser's managed client certificate had already been provisioned, due to this policy being enabled before, it will not be deleted, but it won't be available for mTLS connections and won't be renewed when it expires.
+
+future_on:
+- chrome.*
+features:
+  dynamic_refresh: true
+  per_profile: false
+  cloud_only: true
+type: int-enum
+schema:
+  type: integer
+  enum:
+  - 0
+  - 1
+items:
+- caption: Disable client certificate provisioning for browsers
+  name: Disabled
+  value: 0
+- caption: Enable client certificate provisioning for browsers
+  name: Enabled
+  value: 1
+default: 0
+example_value: 0
+tags: []
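Review bot: Two wording slips in the new `desc` text will be visible to administrators in the generated policy documentation: "will make the <ph name="PRODUCT_NAME">…</ph> request a client certificate" reads as "will make the Google Chrome request …", so the article before the product placeholder should be dropped, and "or leaving unset will prevent" should be "or leaving it unset will prevent". The rest of the definition is internally consistent with the code in this change: `per_profile: false` matches the pref being registered in local state, `default: 0` matches the `/*default_value=*/0` in RegisterLocalStatePrefs, and the enum values 0/1 match the pref mapping test. Since this policy triggers a certificate request to the device management server and the resulting credential is used for mTLS, it is worth checking whether `tags: []` should carry the same tag set as the sibling ProvisionManagedClientCertificateForUser definition rather than none; I cannot see that file here, so treat this as a consistency check, not a defect.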
diff --git a/components/policy/test/data/pref_mapping/ProvisionManagedClientCertificateForBrowser.json b/components/policy/test/data/pref_mapping/ProvisionManagedClientCertificateForBrowser.json
new file mode 100644
index 0000000..21c39bc
--- /dev/null
+++ b/components/policy/test/data/pref_mapping/ProvisionManagedClientCertificateForBrowser.json
@@ -0,0 +1,18 @@
+[
+    {
+      "os": [
+        "mac",
+        "win",
+        "linux"
+      ],
+      "simple_policy_pref_mapping_test": {
+        "pref_name": "client_certificates.provision_for_browser.value",
+        "pref_location": "local_state",
+        "default_value": 0,
+        "values_to_test": [
+          0,
+          1
+        ]
+      }
+    }
+  ]
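Review bot: Indentation in the new pref mapping file is inconsistent: the opening `[` is at column 0, the object and its keys are indented by four spaces, and the closing `]` is indented by two, so the file does not round-trip through a formatter unchanged. Reindenting to a uniform two-space step (`[`, `  {`, `    "os": [`, …, `  }`, `]`) would match the usual layout of the other files in this directory, as far as I can tell from the path alone. Content-wise the entry agrees with the rest of the change: `pref_location` is `local_state`, which is where `RegisterLocalStatePrefs` registers `client_certificates.provision_for_browser.value`, and the `values_to_test` cover both enum values.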
diff --git a/tools/metrics/histograms/metadata/enterprise/enums.xml b/tools/metrics/histograms/metadata/enterprise/enums.xml
index 2140cde61..e78edb3 100644
--- a/tools/metrics/histograms/metadata/enterprise/enums.xml
+++ b/tools/metrics/histograms/metadata/enterprise/enums.xml
@@ -2195,6 +2195,7 @@
   <int value="1331" label="ExternalStorageAllowlist"/>
   <int value="1332" label="WebAuthenticationRemoteDesktopAllowedOrigins"/>
   <int value="1333" label="ServiceWorkerToControlSrcdocIframeEnabled"/>
+  <int value="1334" label="ProvisionManagedClientCertificateForBrowser"/>
 </enum>
 
 <enum name="EnterprisePoliciesSources">