chrome/browser/signin/android/signin_manager_android.cc - chromium/src - Git at Google

 // Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "chrome/browser/signin/android/signin_manager_android.h"

 #include <utility>
 #include <vector>

 #include "base/android/callback_android.h"
 #include "base/android/jni_string.h"
 #include "base/feature_list.h"
 #include "base/functional/bind.h"
 #include "base/functional/callback_helpers.h"
 #include "base/memory/raw_ptr.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/task/single_thread_task_runner.h"
 #include "base/time/time.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browsing_data/chrome_browsing_data_remover_constants.h"
 #include "chrome/browser/enterprise/util/managed_browser_utils.h"
 #include "chrome/browser/policy/cloud/user_policy_signin_service_factory.h"
 #include "chrome/browser/policy/cloud/user_policy_signin_service_mobile.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/account_id_from_account_info.h"
 #include "chrome/browser/signin/identity_manager_factory.h"
 #include "chrome/browser/sync/sync_service_factory.h"
 #include "chrome/common/pref_names.h"
 #include "components/google/core/common/google_util.h"
 #include "components/password_manager/core/browser/split_stores_and_local_upm.h"
 #include "components/policy/core/common/cloud/user_cloud_policy_manager.h"
 #include "components/policy/core/common/policy_switches.h"
 #include "components/prefs/pref_service.h"
 #include "components/signin/public/base/signin_pref_names.h"
 #include "components/signin/public/base/signin_switches.h"
 #include "components/signin/public/identity_manager/account_managed_status_finder.h"
 #include "components/signin/public/identity_manager/accounts_cookie_mutator.h"
 #include "components/signin/public/identity_manager/identity_manager.h"
 #include "components/sync/service/sync_service.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browsing_data_filter_builder.h"
 #include "content/public/browser/browsing_data_remover.h"
 #include "content/public/browser/storage_partition.h"
 #include "google_apis/gaia/gaia_auth_util.h"

 // Must come after all headers that specialize FromJniType() / ToJniType().
 #include "chrome/android/chrome_jni_headers/SigninManagerImpl_jni.h"

 using base::android::JavaParamRef;

 namespace {

 // The cache expiration time for IsAccountManaged(), i.e. the maximum time
 // interval between two calls to IsAccountManaged() where the second may return
 // the cached outcome of the first (for the same user).
 constexpr base::TimeDelta kIsAccountManagedCacheExpirationTime =
     base::Minutes(1);

 // A BrowsingDataRemover::Observer that clears Profile data and then invokes
 // a callback and deletes itself. It can be configured to delete all data
 // (for enterprise users) or only Google's service workers (for all users).
 class ProfileDataRemover : public content::BrowsingDataRemover::Observer {
  public:
   ProfileDataRemover(Profile* profile,
                      bool all_data,
                      base::OnceClosure callback)
       : profile_(profile),
         all_data_(all_data),
         callback_(std::move(callback)),
         origin_runner_(base::SingleThreadTaskRunner::GetCurrentDefault()),
         remover_(profile->GetBrowsingDataRemover()) {
     remover_->AddObserver(this);

     if (all_data) {
       chrome_browsing_data_remover::DataType removed_types =
           chrome_browsing_data_remover::ALL_DATA_TYPES;
       if (password_manager::UsesSplitStoresAndUPMForLocal(
               profile_->GetPrefs())) {
         // If usesSplitStoresAndUPMForLocal() is true, browser sign-in won't
         // upload existing passwords, so there's no reason to wipe them
         // immediately before. Similarly, on browser sign-out, account passwords
         // should survive (outside of the browser) to be used by other apps,
         // until system-level sign-out. In other words, the browser has no
         // business deleting any passwords here.
         removed_types &= ~chrome_browsing_data_remover::DATA_TYPE_PASSWORDS;
       }
       remover_->RemoveAndReply(base::Time(), base::Time::Max(), removed_types,
                                chrome_browsing_data_remover::ALL_ORIGIN_TYPES,
                                this);
     } else {
       std::unique_ptr<content::BrowsingDataFilterBuilder> google_tld_filter =
           content::BrowsingDataFilterBuilder::Create(
               content::BrowsingDataFilterBuilder::Mode::kDelete);

       // TODO(msramek): BrowsingDataFilterBuilder was not designed for
       // large filters. Optimize it.
       for (const std::string& domain :
            google_util::GetGoogleRegistrableDomains()) {
         google_tld_filter->AddRegisterableDomain(domain);
       }

       remover_->RemoveWithFilterAndReply(
           base::Time(), base::Time::Max(),
           content::BrowsingDataRemover::DATA_TYPE_CACHE_STORAGE,
           chrome_browsing_data_remover::ALL_ORIGIN_TYPES,
           std::move(google_tld_filter), this);
     }
   }

   ProfileDataRemover(const ProfileDataRemover&) = delete;
   ProfileDataRemover& operator=(const ProfileDataRemover&) = delete;

   ~ProfileDataRemover() override = default;

   void OnBrowsingDataRemoverDone(uint64_t failed_data_types) override {
     remover_->RemoveObserver(this);

     if (all_data_) {
       // All the Profile data has been wiped. Clear the last signed in username
       // as well, so that the next signin doesn't trigger the account
       // change dialog.
       profile_->GetPrefs()->ClearPref(prefs::kGoogleServicesLastSyncingGaiaId);
       profile_->GetPrefs()->ClearPref(
           prefs::kGoogleServicesLastSyncingUsername);
       profile_->GetPrefs()->ClearPref(
           prefs::kGoogleServicesLastSignedInUsername);
     }

     origin_runner_->PostTask(FROM_HERE, std::move(callback_));
     origin_runner_->DeleteSoon(FROM_HERE, this);
   }

  private:
   raw_ptr<Profile> profile_;
   bool all_data_;
   base::OnceClosure callback_;
   scoped_refptr<base::SingleThreadTaskRunner> origin_runner_;
   raw_ptr<content::BrowsingDataRemover> remover_;
 };

 // Returns whether the user *may* be a managed user.
 bool ShouldLoadPolicyForUser(const std::string& username) {
   return signin::AccountManagedStatusFinder::MayBeEnterpriseUserBasedOnEmail(
       username);
 }

 }  // namespace

 SigninManagerAndroid::SigninManagerAndroid(
     Profile* profile,
     signin::IdentityManager* identity_manager)
     : profile_(profile),
       identity_manager_(identity_manager),
       user_cloud_policy_manager_(profile_->GetUserCloudPolicyManager()),
       user_policy_signin_service_(
           policy::UserPolicySigninServiceFactory::GetForProfile(profile_)),
       weak_factory_(this) {
   DCHECK(profile_);
   DCHECK(identity_manager_);
   DCHECK(user_cloud_policy_manager_);
   DCHECK(user_policy_signin_service_);

   signin_allowed_.Init(
       prefs::kSigninAllowed, profile_->GetPrefs(),
       base::BindRepeating(&SigninManagerAndroid::OnSigninAllowedPrefChanged,
                           base::Unretained(this)));

   force_browser_signin_.Init(prefs::kForceBrowserSignin,
                              g_browser_process->local_state());

   java_signin_manager_ = Java_SigninManagerImpl_create(
       base::android::AttachCurrentThread(), reinterpret_cast<intptr_t>(this),
       profile_, identity_manager_,
       identity_manager_->GetIdentityMutatorJavaObject(),
       SyncServiceFactory::GetForProfile(profile_)->GetJavaObject());
 }

 base::android::ScopedJavaLocalRef<jobject>
 SigninManagerAndroid::GetJavaObject() {
   return base::android::ScopedJavaLocalRef<jobject>(java_signin_manager_);
 }

 SigninManagerAndroid::~SigninManagerAndroid() = default;

 void SigninManagerAndroid::Shutdown() {
   Java_SigninManagerImpl_destroy(base::android::AttachCurrentThread(),
                                  java_signin_manager_);
 }

 SigninManagerAndroid::ManagementCredentials::ManagementCredentials(
     const std::string& dm_token,
     const std::string& client_id,
     const std::vector<std::string>& user_affiliation_ids)
     : dm_token(dm_token),
       client_id(client_id),
       user_affiliation_ids(user_affiliation_ids) {}

 SigninManagerAndroid::ManagementCredentials::~ManagementCredentials() = default;

 bool SigninManagerAndroid::IsSigninAllowed() const {
   return signin_allowed_.GetValue();
 }

 bool SigninManagerAndroid::IsSigninAllowedByPolicy(JNIEnv* env) const {
   return IsSigninAllowed();
 }

 bool SigninManagerAndroid::IsForceSigninEnabled(JNIEnv* env) {
   return force_browser_signin_.GetValue();
 }

 // static
 bool SigninManagerAndroid::MatchesCachedIsAccountManagedEntry(
     const CachedIsAccountManaged& cached_entry,
     const CoreAccountInfo& account) {
   return cached_entry.gaia_id == account.gaia &&
          cached_entry.expiration_time > base::Time::Now();
 }

 void SigninManagerAndroid::OnSigninAllowedPrefChanged() const {
   VLOG(1) << "::OnSigninAllowedPrefChanged() " << IsSigninAllowed();
   Java_SigninManagerImpl_onSigninAllowedByPolicyChanged(
       base::android::AttachCurrentThread(), java_signin_manager_,
       IsSigninAllowed());
 }

 void SigninManagerAndroid::StopApplyingCloudPolicy(JNIEnv* env) {
   user_policy_signin_service_->ShutdownCloudPolicyManager();
 }

 void SigninManagerAndroid::RegisterPolicyWithAccount(
     const CoreAccountInfo& account,
     RegisterPolicyWithAccountCallback callback) {
   if (!ShouldLoadPolicyForUser(account.email)) {
     std::move(callback).Run(std::nullopt);
     return;
   }

   user_policy_signin_service_->RegisterForPolicyWithAccountId(
       account.email, account.account_id,
       base::BindOnce(
           [](RegisterPolicyWithAccountCallback callback,
              const std::string& dm_token, const std::string& client_id,
              const std::vector<std::string>& user_affiliation_ids) {
             std::optional<ManagementCredentials> credentials;
             if (!dm_token.empty()) {
               credentials.emplace(dm_token, client_id, user_affiliation_ids);
             }
             std::move(callback).Run(credentials);
           },
           std::move(callback)));
 }

 void SigninManagerAndroid::FetchAndApplyCloudPolicy(
     JNIEnv* env,
     const base::android::JavaParamRef<jobject>& j_account_info,
     const base::RepeatingClosure& callback) {
   CoreAccountInfo account = ConvertFromJavaCoreAccountInfo(env, j_account_info);
   RegisterPolicyWithAccount(
       account,
       base::BindOnce(&SigninManagerAndroid::OnPolicyRegisterDone,
                      weak_factory_.GetWeakPtr(), account, std::move(callback)));
 }

 void SigninManagerAndroid::OnPolicyRegisterDone(
     const CoreAccountInfo& account,
     base::OnceCallback<void()> policy_callback,
     const std::optional<ManagementCredentials>& credentials) {
   if (credentials) {
     FetchPolicyBeforeSignIn(account, std::move(policy_callback),
                             credentials.value());
   } else {
     // User's account does not have a policy to fetch.
     std::move(policy_callback).Run();
   }
 }

 void SigninManagerAndroid::FetchPolicyBeforeSignIn(
     const CoreAccountInfo& account,
     base::OnceCallback<void()> policy_callback,
     const ManagementCredentials& credentials) {
   scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory =
       profile_->GetDefaultStoragePartition()
           ->GetURLLoaderFactoryForBrowserProcess();
   user_policy_signin_service_->FetchPolicyForSignedInUser(
       AccountIdFromAccountInfo(account), credentials.dm_token,
       credentials.client_id, credentials.user_affiliation_ids,
       url_loader_factory,
       base::BindOnce([](base::OnceCallback<void()> callback,
                         bool success) { std::move(callback).Run(); },
                      std::move(policy_callback)));
 }

 void SigninManagerAndroid::IsAccountManaged(
     JNIEnv* env,
     const JavaParamRef<jobject>& j_account_info,
     const JavaParamRef<jobject>& j_callback) {
   base::Time start_time = base::Time::Now();
   CoreAccountInfo account = ConvertFromJavaCoreAccountInfo(env, j_account_info);
   base::android::ScopedJavaGlobalRef<jobject> callback(env, j_callback);

   if (cached_is_account_managed_.has_value() &&
       MatchesCachedIsAccountManagedEntry(*cached_is_account_managed_,
                                          account)) {
     // Cache hit, return cached value without issuing any request.
     bool is_managed = cached_is_account_managed_->is_account_managed;
     base::android::RunBooleanCallbackAndroid(callback, is_managed);
     return;
   }

   RegisterPolicyWithAccount(
       account,
       base::BindOnce(
           &SigninManagerAndroid::OnPolicyRegisterDoneForIsAccountManaged,
           weak_factory_.GetWeakPtr(), account, std::move(callback),
           start_time));
 }

 void SigninManagerAndroid::OnPolicyRegisterDoneForIsAccountManaged(
     const CoreAccountInfo& account,
     base::android::ScopedJavaGlobalRef<jobject> callback,
     base::Time start_time,
     const std::optional<ManagementCredentials>& credentials) {
   DEPRECATED_UMA_HISTOGRAM_MEDIUM_TIMES(
       "Signin.Android.IsAccountManagedDuration",
       (base::Time::Now() - start_time));

   bool is_managed = credentials.has_value();
   // Cache result in case IsAccountManaged() is invoked again for the same user.
   cached_is_account_managed_.emplace(
       account.gaia, is_managed,
       base::Time::Now() + kIsAccountManagedCacheExpirationTime);
   base::android::RunBooleanCallbackAndroid(callback, is_managed);
 }

 base::android::ScopedJavaLocalRef<jstring>
 SigninManagerAndroid::GetManagementDomain(JNIEnv* env) {
   base::android::ScopedJavaLocalRef<jstring> domain;

   policy::CloudPolicyStore* store = user_cloud_policy_manager_->core()->store();

   if (store && store->is_managed() && store->policy()->has_username()) {
     domain.Reset(base::android::ConvertUTF8ToJavaString(
         env, gaia::ExtractDomainName(store->policy()->username())));
   }

   return domain;
 }

 void SigninManagerAndroid::WipeProfileData(
     JNIEnv* env,
     const base::RepeatingClosure& callback) {
   WipeData(profile_, true /* all data */, callback);
 }

 void SigninManagerAndroid::WipeGoogleServiceWorkerCaches(
     JNIEnv* env,
     const base::RepeatingClosure& callback) {
   WipeData(profile_, false /* only Google service worker caches */, callback);
 }

 // static
 void SigninManagerAndroid::WipeData(Profile* profile,
                                     bool all_data,
                                     base::OnceClosure callback) {
   // The ProfileDataRemover deletes itself once done.
   new ProfileDataRemover(profile, all_data, std::move(callback));
 }

 std::string JNI_SigninManagerImpl_ExtractDomainName(JNIEnv* env,
                                                     std::string& email) {
   return gaia::ExtractDomainName(email);
 }

 void SigninManagerAndroid::SetUserAcceptedAccountManagement(
     JNIEnv* env,
     bool accepted_account_management) {
   enterprise_util::SetUserAcceptedAccountManagement(
       profile_, accepted_account_management);
 }

 bool SigninManagerAndroid::GetUserAcceptedAccountManagement(JNIEnv* env) {
   return enterprise_util::UserAcceptedAccountManagement(profile_);
 }
	// Copyright 2013 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "chrome/browser/signin/android/signin_manager_android.h"

	#include <utility>
	#include <vector>

	#include "base/android/callback_android.h"
	#include "base/android/jni_string.h"
	#include "base/feature_list.h"
	#include "base/functional/bind.h"
	#include "base/functional/callback_helpers.h"
	#include "base/memory/raw_ptr.h"
	#include "base/metrics/histogram_macros.h"
	#include "base/task/single_thread_task_runner.h"
	#include "base/time/time.h"
	#include "chrome/browser/browser_process.h"
	#include "chrome/browser/browsing_data/chrome_browsing_data_remover_constants.h"
	#include "chrome/browser/enterprise/util/managed_browser_utils.h"
	#include "chrome/browser/policy/cloud/user_policy_signin_service_factory.h"
	#include "chrome/browser/policy/cloud/user_policy_signin_service_mobile.h"
	#include "chrome/browser/profiles/profile.h"
	#include "chrome/browser/signin/account_id_from_account_info.h"
	#include "chrome/browser/signin/identity_manager_factory.h"
	#include "chrome/browser/sync/sync_service_factory.h"
	#include "chrome/common/pref_names.h"
	#include "components/google/core/common/google_util.h"
	#include "components/password_manager/core/browser/split_stores_and_local_upm.h"
	#include "components/policy/core/common/cloud/user_cloud_policy_manager.h"
	#include "components/policy/core/common/policy_switches.h"
	#include "components/prefs/pref_service.h"
	#include "components/signin/public/base/signin_pref_names.h"
	#include "components/signin/public/base/signin_switches.h"
	#include "components/signin/public/identity_manager/account_managed_status_finder.h"
	#include "components/signin/public/identity_manager/accounts_cookie_mutator.h"
	#include "components/signin/public/identity_manager/identity_manager.h"
	#include "components/sync/service/sync_service.h"
	#include "content/public/browser/browser_context.h"
	#include "content/public/browser/browsing_data_filter_builder.h"
	#include "content/public/browser/browsing_data_remover.h"
	#include "content/public/browser/storage_partition.h"
	#include "google_apis/gaia/gaia_auth_util.h"

	// Must come after all headers that specialize FromJniType() / ToJniType().
	#include "chrome/android/chrome_jni_headers/SigninManagerImpl_jni.h"

	using base::android::JavaParamRef;

	namespace {

	// The cache expiration time for IsAccountManaged(), i.e. the maximum time
	// interval between two calls to IsAccountManaged() where the second may return
	// the cached outcome of the first (for the same user).
	constexpr base::TimeDelta kIsAccountManagedCacheExpirationTime =
	base::Minutes(1);

	// A BrowsingDataRemover::Observer that clears Profile data and then invokes
	// a callback and deletes itself. It can be configured to delete all data
	// (for enterprise users) or only Google's service workers (for all users).
	class ProfileDataRemover : public content::BrowsingDataRemover::Observer {
	public:
	ProfileDataRemover(Profile* profile,
	bool all_data,
	base::OnceClosure callback)
	: profile_(profile),
	all_data_(all_data),
	callback_(std::move(callback)),
	origin_runner_(base::SingleThreadTaskRunner::GetCurrentDefault()),
	remover_(profile->GetBrowsingDataRemover()) {
	remover_->AddObserver(this);

	if (all_data) {
	chrome_browsing_data_remover::DataType removed_types =
	chrome_browsing_data_remover::ALL_DATA_TYPES;
	if (password_manager::UsesSplitStoresAndUPMForLocal(
	profile_->GetPrefs())) {
	// If usesSplitStoresAndUPMForLocal() is true, browser sign-in won't
	// upload existing passwords, so there's no reason to wipe them
	// immediately before. Similarly, on browser sign-out, account passwords
	// should survive (outside of the browser) to be used by other apps,
	// until system-level sign-out. In other words, the browser has no
	// business deleting any passwords here.
	removed_types &= ~chrome_browsing_data_remover::DATA_TYPE_PASSWORDS;
	}
	remover_->RemoveAndReply(base::Time(), base::Time::Max(), removed_types,
	chrome_browsing_data_remover::ALL_ORIGIN_TYPES,
	this);
	} else {
	std::unique_ptr<content::BrowsingDataFilterBuilder> google_tld_filter =
	content::BrowsingDataFilterBuilder::Create(
	content::BrowsingDataFilterBuilder::Mode::kDelete);

	// TODO(msramek): BrowsingDataFilterBuilder was not designed for
	// large filters. Optimize it.
	for (const std::string& domain :
	google_util::GetGoogleRegistrableDomains()) {
	google_tld_filter->AddRegisterableDomain(domain);
	}

	remover_->RemoveWithFilterAndReply(
	base::Time(), base::Time::Max(),
	content::BrowsingDataRemover::DATA_TYPE_CACHE_STORAGE,
	chrome_browsing_data_remover::ALL_ORIGIN_TYPES,
	std::move(google_tld_filter), this);
	}
	}

	ProfileDataRemover(const ProfileDataRemover&) = delete;
	ProfileDataRemover& operator=(const ProfileDataRemover&) = delete;

	~ProfileDataRemover() override = default;

	void OnBrowsingDataRemoverDone(uint64_t failed_data_types) override {
	remover_->RemoveObserver(this);

	if (all_data_) {
	// All the Profile data has been wiped. Clear the last signed in username
	// as well, so that the next signin doesn't trigger the account
	// change dialog.
	profile_->GetPrefs()->ClearPref(prefs::kGoogleServicesLastSyncingGaiaId);
	profile_->GetPrefs()->ClearPref(
	prefs::kGoogleServicesLastSyncingUsername);
	profile_->GetPrefs()->ClearPref(
	prefs::kGoogleServicesLastSignedInUsername);
	}

	origin_runner_->PostTask(FROM_HERE, std::move(callback_));
	origin_runner_->DeleteSoon(FROM_HERE, this);
	}

	private:
	raw_ptr<Profile> profile_;
	bool all_data_;
	base::OnceClosure callback_;
	scoped_refptr<base::SingleThreadTaskRunner> origin_runner_;
	raw_ptr<content::BrowsingDataRemover> remover_;
	};

	// Returns whether the user may be a managed user.
	bool ShouldLoadPolicyForUser(const std::string& username) {
	return signin::AccountManagedStatusFinder::MayBeEnterpriseUserBasedOnEmail(
	username);
	}

	} // namespace

	SigninManagerAndroid::SigninManagerAndroid(
	Profile* profile,
	signin::IdentityManager* identity_manager)
	: profile_(profile),
	identity_manager_(identity_manager),
	user_cloud_policy_manager_(profile_->GetUserCloudPolicyManager()),
	user_policy_signin_service_(
	policy::UserPolicySigninServiceFactory::GetForProfile(profile_)),
	weak_factory_(this) {
	DCHECK(profile_);
	DCHECK(identity_manager_);
	DCHECK(user_cloud_policy_manager_);
	DCHECK(user_policy_signin_service_);

	signin_allowed_.Init(
	prefs::kSigninAllowed, profile_->GetPrefs(),
	base::BindRepeating(&SigninManagerAndroid::OnSigninAllowedPrefChanged,
	base::Unretained(this)));

	force_browser_signin_.Init(prefs::kForceBrowserSignin,
	g_browser_process->local_state());

	java_signin_manager_ = Java_SigninManagerImpl_create(
	base::android::AttachCurrentThread(), reinterpret_cast<intptr_t>(this),
	profile_, identity_manager_,
	identity_manager_->GetIdentityMutatorJavaObject(),
	SyncServiceFactory::GetForProfile(profile_)->GetJavaObject());
	}

	base::android::ScopedJavaLocalRef<jobject>
	SigninManagerAndroid::GetJavaObject() {
	return base::android::ScopedJavaLocalRef<jobject>(java_signin_manager_);
	}

	SigninManagerAndroid::~SigninManagerAndroid() = default;

	void SigninManagerAndroid::Shutdown() {
	Java_SigninManagerImpl_destroy(base::android::AttachCurrentThread(),
	java_signin_manager_);
	}

	SigninManagerAndroid::ManagementCredentials::ManagementCredentials(
	const std::string& dm_token,
	const std::string& client_id,
	const std::vector<std::string>& user_affiliation_ids)
	: dm_token(dm_token),
	client_id(client_id),
	user_affiliation_ids(user_affiliation_ids) {}

	SigninManagerAndroid::ManagementCredentials::~ManagementCredentials() = default;

	bool SigninManagerAndroid::IsSigninAllowed() const {
	return signin_allowed_.GetValue();
	}

	bool SigninManagerAndroid::IsSigninAllowedByPolicy(JNIEnv* env) const {
	return IsSigninAllowed();
	}

	bool SigninManagerAndroid::IsForceSigninEnabled(JNIEnv* env) {
	return force_browser_signin_.GetValue();
	}

	// static
	bool SigninManagerAndroid::MatchesCachedIsAccountManagedEntry(
	const CachedIsAccountManaged& cached_entry,
	const CoreAccountInfo& account) {
	return cached_entry.gaia_id == account.gaia &&
	cached_entry.expiration_time > base::Time::Now();
	}

	void SigninManagerAndroid::OnSigninAllowedPrefChanged() const {
	VLOG(1) << "::OnSigninAllowedPrefChanged() " << IsSigninAllowed();
	Java_SigninManagerImpl_onSigninAllowedByPolicyChanged(
	base::android::AttachCurrentThread(), java_signin_manager_,
	IsSigninAllowed());
	}

	void SigninManagerAndroid::StopApplyingCloudPolicy(JNIEnv* env) {
	user_policy_signin_service_->ShutdownCloudPolicyManager();
	}

	void SigninManagerAndroid::RegisterPolicyWithAccount(
	const CoreAccountInfo& account,
	RegisterPolicyWithAccountCallback callback) {
	if (!ShouldLoadPolicyForUser(account.email)) {
	std::move(callback).Run(std::nullopt);
	return;
	}

	user_policy_signin_service_->RegisterForPolicyWithAccountId(
	account.email, account.account_id,
	base::BindOnce(
	[](RegisterPolicyWithAccountCallback callback,
	const std::string& dm_token, const std::string& client_id,
	const std::vector<std::string>& user_affiliation_ids) {
	std::optional<ManagementCredentials> credentials;
	if (!dm_token.empty()) {
	credentials.emplace(dm_token, client_id, user_affiliation_ids);
	}
	std::move(callback).Run(credentials);
	},
	std::move(callback)));
	}

	void SigninManagerAndroid::FetchAndApplyCloudPolicy(
	JNIEnv* env,
	const base::android::JavaParamRef<jobject>& j_account_info,
	const base::RepeatingClosure& callback) {
	CoreAccountInfo account = ConvertFromJavaCoreAccountInfo(env, j_account_info);
	RegisterPolicyWithAccount(
	account,
	base::BindOnce(&SigninManagerAndroid::OnPolicyRegisterDone,
	weak_factory_.GetWeakPtr(), account, std::move(callback)));
	}

	void SigninManagerAndroid::OnPolicyRegisterDone(
	const CoreAccountInfo& account,
	base::OnceCallback<void()> policy_callback,
	const std::optional<ManagementCredentials>& credentials) {
	if (credentials) {
	FetchPolicyBeforeSignIn(account, std::move(policy_callback),
	credentials.value());
	} else {
	// User's account does not have a policy to fetch.
	std::move(policy_callback).Run();
	}
	}

	void SigninManagerAndroid::FetchPolicyBeforeSignIn(
	const CoreAccountInfo& account,
	base::OnceCallback<void()> policy_callback,
	const ManagementCredentials& credentials) {
	scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory =
	profile_->GetDefaultStoragePartition()
	->GetURLLoaderFactoryForBrowserProcess();
	user_policy_signin_service_->FetchPolicyForSignedInUser(
	AccountIdFromAccountInfo(account), credentials.dm_token,
	credentials.client_id, credentials.user_affiliation_ids,
	url_loader_factory,
	base::BindOnce([](base::OnceCallback<void()> callback,
	bool success) { std::move(callback).Run(); },
	std::move(policy_callback)));
	}

	void SigninManagerAndroid::IsAccountManaged(
	JNIEnv* env,
	const JavaParamRef<jobject>& j_account_info,
	const JavaParamRef<jobject>& j_callback) {
	base::Time start_time = base::Time::Now();
	CoreAccountInfo account = ConvertFromJavaCoreAccountInfo(env, j_account_info);
	base::android::ScopedJavaGlobalRef<jobject> callback(env, j_callback);

	if (cached_is_account_managed_.has_value() &&
	MatchesCachedIsAccountManagedEntry(*cached_is_account_managed_,
	account)) {
	// Cache hit, return cached value without issuing any request.
	bool is_managed = cached_is_account_managed_->is_account_managed;
	base::android::RunBooleanCallbackAndroid(callback, is_managed);
	return;
	}

	RegisterPolicyWithAccount(
	account,
	base::BindOnce(
	&SigninManagerAndroid::OnPolicyRegisterDoneForIsAccountManaged,
	weak_factory_.GetWeakPtr(), account, std::move(callback),
	start_time));
	}

	void SigninManagerAndroid::OnPolicyRegisterDoneForIsAccountManaged(
	const CoreAccountInfo& account,
	base::android::ScopedJavaGlobalRef<jobject> callback,
	base::Time start_time,
	const std::optional<ManagementCredentials>& credentials) {
	DEPRECATED_UMA_HISTOGRAM_MEDIUM_TIMES(
	"Signin.Android.IsAccountManagedDuration",
	(base::Time::Now() - start_time));

	bool is_managed = credentials.has_value();
	// Cache result in case IsAccountManaged() is invoked again for the same user.
	cached_is_account_managed_.emplace(
	account.gaia, is_managed,
	base::Time::Now() + kIsAccountManagedCacheExpirationTime);
	base::android::RunBooleanCallbackAndroid(callback, is_managed);
	}

	base::android::ScopedJavaLocalRef<jstring>
	SigninManagerAndroid::GetManagementDomain(JNIEnv* env) {
	base::android::ScopedJavaLocalRef<jstring> domain;

	policy::CloudPolicyStore* store = user_cloud_policy_manager_->core()->store();

	if (store && store->is_managed() && store->policy()->has_username()) {
	domain.Reset(base::android::ConvertUTF8ToJavaString(
	env, gaia::ExtractDomainName(store->policy()->username())));
	}

	return domain;
	}

	void SigninManagerAndroid::WipeProfileData(
	JNIEnv* env,
	const base::RepeatingClosure& callback) {
	WipeData(profile_, true /* all data */, callback);
	}

	void SigninManagerAndroid::WipeGoogleServiceWorkerCaches(
	JNIEnv* env,
	const base::RepeatingClosure& callback) {
	WipeData(profile_, false /* only Google service worker caches */, callback);
	}

	// static
	void SigninManagerAndroid::WipeData(Profile* profile,
	bool all_data,
	base::OnceClosure callback) {
	// The ProfileDataRemover deletes itself once done.
	new ProfileDataRemover(profile, all_data, std::move(callback));
	}

	std::string JNI_SigninManagerImpl_ExtractDomainName(JNIEnv* env,
	std::string& email) {
	return gaia::ExtractDomainName(email);
	}

	void SigninManagerAndroid::SetUserAcceptedAccountManagement(
	JNIEnv* env,
	bool accepted_account_management) {
	enterprise_util::SetUserAcceptedAccountManagement(
	profile_, accepted_account_management);
	}

	bool SigninManagerAndroid::GetUserAcceptedAccountManagement(JNIEnv* env) {
	return enterprise_util::UserAcceptedAccountManagement(profile_);
	}