1 files changed, 97 insertions, 0 deletions

diff --git a/chromium/components/policy/core/browser/signin/user_cloud_signin_restriction_policy_fetcher.h b/chromium/components/policy/core/browser/signin/user_cloud_signin_restriction_policy_fetcher.h
new file mode 100644
index 00000000000..5c9d09fc8d8
--- /dev/null
+++ b/chromium/components/policy/core/browser/signin/user_cloud_signin_restriction_policy_fetcher.h
@@ -0,0 +1,97 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_POLICY_CORE_BROWSER_SIGNIN_USER_CLOUD_SIGNIN_RESTRICTION_POLICY_FETCHER_H_
+#define COMPONENTS_POLICY_CORE_BROWSER_SIGNIN_USER_CLOUD_SIGNIN_RESTRICTION_POLICY_FETCHER_H_
+
+#include <memory>
+#include <string>
+
+#include "base/callback_forward.h"
+#include "base/memory/raw_ptr.h"
+#include "components/policy/policy_export.h"
+#include "components/signin/public/identity_manager/access_token_info.h"
+#include "google_apis/gaia/google_service_auth_error.h"
+#include "services/network/public/cpp/shared_url_loader_factory.h"
+#include "url/gurl.h"
+
+struct CoreAccountId;
+
+namespace network {
+class SimpleURLLoader;
+}
+
+namespace signin {
+class AccessTokenFetcher;
+class IdentityManager;
+}  // namespace signin
+
+namespace policy {
+
+class BrowserPolicyConnector;
+
+class POLICY_EXPORT UserCloudSigninRestrictionPolicyFetcher {
+ public:
+  UserCloudSigninRestrictionPolicyFetcher(
+      policy::BrowserPolicyConnector* browser_policy_connector,
+      scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory);
+  ~UserCloudSigninRestrictionPolicyFetcher();
+
+  UserCloudSigninRestrictionPolicyFetcher(
+      const UserCloudSigninRestrictionPolicyFetcher&) = delete;
+  UserCloudSigninRestrictionPolicyFetcher& operator=(
+      const UserCloudSigninRestrictionPolicyFetcher&) = delete;
+
+  // Fetched the value of the ManagedAccountsSigninRestriction set at the
+  // account level for `account_id` and calls `callback` with the resulting
+  // value. If the policy was not set or we were not able to retrieve it, the
+  // result will be an empty string.
+  void GetManagedAccountsSigninRestriction(
+      signin::IdentityManager* identity_manager,
+      const CoreAccountId& account_id,
+      base::OnceCallback<void(const std::string&)> callback);
+
+  void SetURLLoaderFactoryForTesting(
+      network::mojom::URLLoaderFactory* factory) {
+    url_loader_factory_for_testing_ = factory;
+  }
+
+ private:
+  // Fetches an access token for `accound_id` and calls `callback` with the
+  // access token.
+  void FetchAccessToken(signin::IdentityManager* identity_manager,
+                        const CoreAccountId& account_id,
+                        base::OnceCallback<void(const std::string&)> callback);
+
+  void OnFetchAccessTokenResult(
+      base::OnceCallback<void(const std::string&)> callback,
+      GoogleServiceAuthError error,
+      signin::AccessTokenInfo token_info);
+
+  // Calls the SecureConnect API to get the ManagedAccountsSigninRestriction
+  // policy using `access_token` for the authentication. Calls
+  // `OnManagedAccountsSigninRestrictionResult` with the result from the API.
+  void GetManagedAccountsSigninRestrictionInternal(
+      base::OnceCallback<void(const std::string&)> callback,
+      const std::string& access_token);
+
+  // Retrieves the policy value from `response_body` and calls `callback` with
+  // that value.
+  void OnManagedAccountsSigninRestrictionResult(
+      base::OnceCallback<void(const std::string&)> callback,
+      std::unique_ptr<std::string> response_body);
+
+  GURL GetSecureConnectApiGetAccountSigninRestrictionUrl() const;
+
+  const raw_ptr<policy::BrowserPolicyConnector> browser_policy_connector_;
+  std::unique_ptr<signin::AccessTokenFetcher> access_token_fetcher_;
+  scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory_;
+  raw_ptr<network::mojom::URLLoaderFactory> url_loader_factory_for_testing_ =
+      nullptr;
+  std::unique_ptr<network::SimpleURLLoader> url_loader_;
+};
+
+}  //  namespace policy
+
+#endif  // COMPONENTS_POLICY_CORE_BROWSER_SIGNIN_USER_CLOUD_SIGNIN_RESTRICTION_POLICY_FETCHER_H_