chrome/browser/chromeos/arc/arc_policy_bridge.cc - chromium/src - Git at Google

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "chrome/browser/chromeos/arc/arc_policy_bridge.h"

 #include <memory>
 #include <string>
 #include <utility>

 #include "base/json/json_reader.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/policy/profile_policy_connector_factory.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "components/arc/arc_bridge_service.h"
 #include "components/onc/onc_constants.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/core/common/policy_namespace.h"
 #include "components/policy/policy_constants.h"
 #include "components/user_manager/user.h"
 #include "mojo/public/cpp/bindings/string.h"

 namespace arc {

 namespace {

 const char kArcGlobalAppRestrictions[] = "globalAppRestrictions";
 const char kArcCaCerts[] = "caCerts";

 // invert_bool_value: If the Chrome policy and the ARC policy with boolean value
 // have opposite semantics, set this to true so the bool is inverted before
 // being added. Otherwise, set it to false.
 void MapBoolToBool(const std::string& arc_policy_name,
                    const std::string& policy_name,
                    const policy::PolicyMap& policy_map,
                    bool invert_bool_value,
                    base::DictionaryValue* filtered_policies) {
   const base::Value* const policy_value = policy_map.GetValue(policy_name);
   if (!policy_value)
     return;
   if (!policy_value->IsType(base::Value::TYPE_BOOLEAN)) {
     LOG(ERROR) << "Policy " << policy_name << " is not a boolean.";
     return;
   }
   bool bool_value;
   policy_value->GetAsBoolean(&bool_value);
   filtered_policies->SetBoolean(arc_policy_name,
                                 bool_value != invert_bool_value);
 }

 // int_true: value of Chrome OS policy for which arc policy is set to true.
 // It is set to false for all other values.
 void MapIntToBool(const std::string& arc_policy_name,
                   const std::string& policy_name,
                   const policy::PolicyMap& policy_map,
                   int int_true,
                   base::DictionaryValue* filtered_policies) {
   const base::Value* const policy_value = policy_map.GetValue(policy_name);
   if (!policy_value)
     return;
   if (!policy_value->IsType(base::Value::TYPE_INTEGER)) {
     LOG(ERROR) << "Policy " << policy_name << " is not an integer.";
     return;
   }
   int int_value;
   policy_value->GetAsInteger(&int_value);
   filtered_policies->SetBoolean(arc_policy_name, int_value == int_true);
 }

 void AddGlobalAppRestriction(const std::string& arc_app_restriction_name,
                              const std::string& policy_name,
                              const policy::PolicyMap& policy_map,
                              base::DictionaryValue* filtered_policies) {
   const base::Value* const policy_value = policy_map.GetValue(policy_name);
   if (policy_value) {
     base::DictionaryValue* global_app_restrictions = nullptr;
     if (!filtered_policies->GetDictionary(kArcGlobalAppRestrictions,
                                           &global_app_restrictions)) {
       global_app_restrictions = new base::DictionaryValue();
       filtered_policies->Set(kArcGlobalAppRestrictions,
                              global_app_restrictions);
     }
     global_app_restrictions->SetWithoutPathExpansion(
         arc_app_restriction_name, policy_value->CreateDeepCopy());
   }
 }

 void AddOncCaCertsToPolicies(const policy::PolicyMap& policy_map,
                              base::DictionaryValue* filtered_policies) {
   const base::Value* const policy_value =
       policy_map.GetValue(policy::key::kArcCertificatesSyncMode);
   int32_t mode = ArcCertsSyncMode::SYNC_DISABLED;

   // Old certs should be uninstalled if the sync is disabled or policy is not
   // set.
   if (!policy_value || !policy_value->GetAsInteger(&mode) ||
       mode != ArcCertsSyncMode::COPY_CA_CERTS) {
     return;
   }

   // Importing CA certificates from device policy is not allowed.
   // Import only from user policy.
   const base::Value* onc_policy_value =
       policy_map.GetValue(policy::key::kOpenNetworkConfiguration);
   if (!onc_policy_value) {
     VLOG(1) << "onc policy is not set.";
     return;
   }
   std::string onc_blob;
   if (!onc_policy_value->GetAsString(&onc_blob)) {
     LOG(ERROR) << "Value of onc policy has invalid format.";
     return;
   }

   base::ListValue certificates;
   {
     base::ListValue unused_network_configs;
     base::DictionaryValue unused_global_network_config;
     if (!chromeos::onc::ParseAndValidateOncForImport(
             onc_blob, onc::ONCSource::ONC_SOURCE_USER_POLICY,
             "" /* no passphrase */, &unused_network_configs,
             &unused_global_network_config, &certificates)) {
       LOG(ERROR) << "Value of onc policy has invalid format =" << onc_blob;
     }
   }

   std::unique_ptr<base::ListValue> ca_certs(
       base::MakeUnique<base::ListValue>());
   for (const auto& entry : certificates) {
     const base::DictionaryValue* certificate = nullptr;
     if (!entry->GetAsDictionary(&certificate)) {
       DLOG(FATAL) << "Value of a certificate entry is not a dictionary "
                   << "value.";
       continue;
     }

     std::string cert_type;
     certificate->GetStringWithoutPathExpansion(::onc::certificate::kType,
                                                &cert_type);
     if (cert_type != ::onc::certificate::kAuthority)
       continue;

     const base::ListValue* trust_list = nullptr;
     if (!certificate->GetListWithoutPathExpansion(
             ::onc::certificate::kTrustBits, &trust_list)) {
       continue;
     }

     bool web_trust_flag = false;
     for (const auto& list_val : *trust_list) {
       std::string trust_type;
       if (!list_val->GetAsString(&trust_type))
         NOTREACHED();

       if (trust_type == ::onc::certificate::kWeb) {
         // "Web" implies that the certificate is to be trusted for SSL
         // identification.
         web_trust_flag = true;
         break;
       }
     }
     if (!web_trust_flag)
       continue;

     std::string x509_data;
     if (!certificate->GetStringWithoutPathExpansion(::onc::certificate::kX509,
                                                     &x509_data)) {
       continue;
     }

     base::DictionaryValue data;
     data.SetString("X509", x509_data);
     ca_certs->Append(data.CreateDeepCopy());
   }
   filtered_policies->Set(kArcCaCerts, std::move(ca_certs));
 }

 std::string GetFilteredJSONPolicies(const policy::PolicyMap& policy_map) {
   base::DictionaryValue filtered_policies;
   // Parse ArcPolicy as JSON string before adding other policies to the
   // dictionary.
   const base::Value* const app_policy_value =
       policy_map.GetValue(policy::key::kArcPolicy);
   if (app_policy_value) {
     std::string app_policy_string;
     app_policy_value->GetAsString(&app_policy_string);
     std::unique_ptr<base::DictionaryValue> app_policy_dict =
         base::DictionaryValue::From(base::JSONReader::Read(app_policy_string));
     if (app_policy_dict) {
       // Need a deep copy of all values here instead of doing a swap, because
       // JSONReader::Read constructs a dictionary whose StringValues are
       // JSONStringValues which are based on StringPiece instead of string.
       filtered_policies.MergeDictionary(app_policy_dict.get());
     } else {
       LOG(ERROR) << "Value of ArcPolicy has invalid format: "
                  << app_policy_string;
     }
   }

   // Keep them sorted by the ARC policy names.
   MapBoolToBool("cameraDisabled", policy::key::kVideoCaptureAllowed, policy_map,
                 true, &filtered_policies);
   MapBoolToBool("debuggingFeaturesDisabled",
                 policy::key::kDeveloperToolsDisabled, policy_map, false,
                 &filtered_policies);
   MapBoolToBool("screenCaptureDisabled", policy::key::kDisableScreenshots,
                 policy_map, false, &filtered_policies);
   MapIntToBool("shareLocationDisabled", policy::key::kDefaultGeolocationSetting,
                policy_map, 2 /*BlockGeolocation*/, &filtered_policies);
   MapBoolToBool("unmuteMicrophoneDisabled", policy::key::kAudioCaptureAllowed,
                 policy_map, true, &filtered_policies);
   MapBoolToBool("mountPhysicalMediaDisabled",
                 policy::key::kExternalStorageDisabled, policy_map, false,
                 &filtered_policies);

   // Add global app restrictions.
   AddGlobalAppRestriction("com.android.browser:URLBlacklist",
                           policy::key::kURLBlacklist, policy_map,
                           &filtered_policies);
   AddGlobalAppRestriction("com.android.browser:URLWhitelist",
                           policy::key::kURLWhitelist, policy_map,
                           &filtered_policies);

   // Add CA certificates.
   AddOncCaCertsToPolicies(policy_map, &filtered_policies);

   std::string policy_json;
   JSONStringValueSerializer serializer(&policy_json);
   serializer.Serialize(filtered_policies);
   return policy_json;
 }

 }  // namespace

 ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service)
     : ArcService(bridge_service), binding_(this) {
   VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge";
   arc_bridge_service()->policy()->AddObserver(this);
 }

 ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service,
                                  policy::PolicyService* policy_service)
     : ArcService(bridge_service),
       binding_(this),
       policy_service_(policy_service) {
   VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge(bridge_service, policy_service)";
   arc_bridge_service()->policy()->AddObserver(this);
 }

 ArcPolicyBridge::~ArcPolicyBridge() {
   VLOG(2) << "ArcPolicyBridge::~ArcPolicyBridge";
   arc_bridge_service()->policy()->RemoveObserver(this);
 }

 void ArcPolicyBridge::OverrideIsManagedForTesting(bool is_managed) {
   is_managed_ = is_managed;
 }

 void ArcPolicyBridge::OnInstanceReady() {
   VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceReady";
   if (policy_service_ == nullptr) {
     InitializePolicyService();
   }
   policy_service_->AddObserver(policy::POLICY_DOMAIN_CHROME, this);

   mojom::PolicyInstance* const policy_instance =
       arc_bridge_service()->policy()->GetInstanceForMethod("Init");
   DCHECK(policy_instance);
   policy_instance->Init(binding_.CreateInterfacePtrAndBind());
 }

 void ArcPolicyBridge::OnInstanceClosed() {
   VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceClosed";
   policy_service_->RemoveObserver(policy::POLICY_DOMAIN_CHROME, this);
   policy_service_ = nullptr;
 }

 void ArcPolicyBridge::GetPolicies(const GetPoliciesCallback& callback) {
   VLOG(1) << "ArcPolicyBridge::GetPolicies";
   if (!is_managed_) {
     callback.Run(mojo::String(""));
     return;
   }
   const policy::PolicyNamespace policy_namespace(policy::POLICY_DOMAIN_CHROME,
                                                  std::string());
   const policy::PolicyMap& policy_map =
       policy_service_->GetPolicies(policy_namespace);
   const std::string json_policies = GetFilteredJSONPolicies(policy_map);
   callback.Run(mojo::String(json_policies));
 }

 void ArcPolicyBridge::OnPolicyUpdated(const policy::PolicyNamespace& ns,
                                       const policy::PolicyMap& previous,
                                       const policy::PolicyMap& current) {
   VLOG(1) << "ArcPolicyBridge::OnPolicyUpdated";
   auto* instance =
       arc_bridge_service()->policy()->GetInstanceForMethod("OnPolicyUpdated");
   if (!instance)
     return;
   instance->OnPolicyUpdated();
 }

 void ArcPolicyBridge::InitializePolicyService() {
   const user_manager::User* const primary_user =
       user_manager::UserManager::Get()->GetPrimaryUser();
   Profile* const profile =
       chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user);
   auto* profile_policy_connector =
       policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile);
   policy_service_ = profile_policy_connector->policy_service();
   is_managed_ = profile_policy_connector->IsManaged();
 }

 }  // namespace arc
	// Copyright 2016 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "chrome/browser/chromeos/arc/arc_policy_bridge.h"

	#include <memory>
	#include <string>
	#include <utility>

	#include "base/json/json_reader.h"
	#include "base/json/json_string_value_serializer.h"
	#include "base/logging.h"
	#include "base/memory/ptr_util.h"
	#include "base/values.h"
	#include "chrome/browser/chromeos/profiles/profile_helper.h"
	#include "chrome/browser/policy/profile_policy_connector.h"
	#include "chrome/browser/policy/profile_policy_connector_factory.h"
	#include "chromeos/network/onc/onc_utils.h"
	#include "components/arc/arc_bridge_service.h"
	#include "components/onc/onc_constants.h"
	#include "components/policy/core/common/policy_map.h"
	#include "components/policy/core/common/policy_namespace.h"
	#include "components/policy/policy_constants.h"
	#include "components/user_manager/user.h"
	#include "mojo/public/cpp/bindings/string.h"

	namespace arc {

	namespace {

	const char kArcGlobalAppRestrictions[] = "globalAppRestrictions";
	const char kArcCaCerts[] = "caCerts";

	// invert_bool_value: If the Chrome policy and the ARC policy with boolean value
	// have opposite semantics, set this to true so the bool is inverted before
	// being added. Otherwise, set it to false.
	void MapBoolToBool(const std::string& arc_policy_name,
	const std::string& policy_name,
	const policy::PolicyMap& policy_map,
	bool invert_bool_value,
	base::DictionaryValue* filtered_policies) {
	const base::Value* const policy_value = policy_map.GetValue(policy_name);
	if (!policy_value)
	return;
	if (!policy_value->IsType(base::Value::TYPE_BOOLEAN)) {
	LOG(ERROR) << "Policy " << policy_name << " is not a boolean.";
	return;
	}
	bool bool_value;
	policy_value->GetAsBoolean(&bool_value);
	filtered_policies->SetBoolean(arc_policy_name,
	bool_value != invert_bool_value);
	}

	// int_true: value of Chrome OS policy for which arc policy is set to true.
	// It is set to false for all other values.
	void MapIntToBool(const std::string& arc_policy_name,
	const std::string& policy_name,
	const policy::PolicyMap& policy_map,
	int int_true,
	base::DictionaryValue* filtered_policies) {
	const base::Value* const policy_value = policy_map.GetValue(policy_name);
	if (!policy_value)
	return;
	if (!policy_value->IsType(base::Value::TYPE_INTEGER)) {
	LOG(ERROR) << "Policy " << policy_name << " is not an integer.";
	return;
	}
	int int_value;
	policy_value->GetAsInteger(&int_value);
	filtered_policies->SetBoolean(arc_policy_name, int_value == int_true);
	}

	void AddGlobalAppRestriction(const std::string& arc_app_restriction_name,
	const std::string& policy_name,
	const policy::PolicyMap& policy_map,
	base::DictionaryValue* filtered_policies) {
	const base::Value* const policy_value = policy_map.GetValue(policy_name);
	if (policy_value) {
	base::DictionaryValue* global_app_restrictions = nullptr;
	if (!filtered_policies->GetDictionary(kArcGlobalAppRestrictions,
	&global_app_restrictions)) {
	global_app_restrictions = new base::DictionaryValue();
	filtered_policies->Set(kArcGlobalAppRestrictions,
	global_app_restrictions);
	}
	global_app_restrictions->SetWithoutPathExpansion(
	arc_app_restriction_name, policy_value->CreateDeepCopy());
	}
	}

	void AddOncCaCertsToPolicies(const policy::PolicyMap& policy_map,
	base::DictionaryValue* filtered_policies) {
	const base::Value* const policy_value =
	policy_map.GetValue(policy::key::kArcCertificatesSyncMode);
	int32_t mode = ArcCertsSyncMode::SYNC_DISABLED;

	// Old certs should be uninstalled if the sync is disabled or policy is not
	// set.
	if (!policy_value \|\| !policy_value->GetAsInteger(&mode) \|\|
	mode != ArcCertsSyncMode::COPY_CA_CERTS) {
	return;
	}

	// Importing CA certificates from device policy is not allowed.
	// Import only from user policy.
	const base::Value* onc_policy_value =
	policy_map.GetValue(policy::key::kOpenNetworkConfiguration);
	if (!onc_policy_value) {
	VLOG(1) << "onc policy is not set.";
	return;
	}
	std::string onc_blob;
	if (!onc_policy_value->GetAsString(&onc_blob)) {
	LOG(ERROR) << "Value of onc policy has invalid format.";
	return;
	}

	base::ListValue certificates;
	{
	base::ListValue unused_network_configs;
	base::DictionaryValue unused_global_network_config;
	if (!chromeos::onc::ParseAndValidateOncForImport(
	onc_blob, onc::ONCSource::ONC_SOURCE_USER_POLICY,
	"" /* no passphrase */, &unused_network_configs,
	&unused_global_network_config, &certificates)) {
	LOG(ERROR) << "Value of onc policy has invalid format =" << onc_blob;
	}
	}

	std::unique_ptr<base::ListValue> ca_certs(
	base::MakeUnique<base::ListValue>());
	for (const auto& entry : certificates) {
	const base::DictionaryValue* certificate = nullptr;
	if (!entry->GetAsDictionary(&certificate)) {
	DLOG(FATAL) << "Value of a certificate entry is not a dictionary "
	<< "value.";
	continue;
	}

	std::string cert_type;
	certificate->GetStringWithoutPathExpansion(::onc::certificate::kType,
	&cert_type);
	if (cert_type != ::onc::certificate::kAuthority)
	continue;

	const base::ListValue* trust_list = nullptr;
	if (!certificate->GetListWithoutPathExpansion(
	::onc::certificate::kTrustBits, &trust_list)) {
	continue;
	}

	bool web_trust_flag = false;
	for (const auto& list_val : *trust_list) {
	std::string trust_type;
	if (!list_val->GetAsString(&trust_type))
	NOTREACHED();

	if (trust_type == ::onc::certificate::kWeb) {
	// "Web" implies that the certificate is to be trusted for SSL
	// identification.
	web_trust_flag = true;
	break;
	}
	}
	if (!web_trust_flag)
	continue;

	std::string x509_data;
	if (!certificate->GetStringWithoutPathExpansion(::onc::certificate::kX509,
	&x509_data)) {
	continue;
	}

	base::DictionaryValue data;
	data.SetString("X509", x509_data);
	ca_certs->Append(data.CreateDeepCopy());
	}
	filtered_policies->Set(kArcCaCerts, std::move(ca_certs));
	}

	std::string GetFilteredJSONPolicies(const policy::PolicyMap& policy_map) {
	base::DictionaryValue filtered_policies;
	// Parse ArcPolicy as JSON string before adding other policies to the
	// dictionary.
	const base::Value* const app_policy_value =
	policy_map.GetValue(policy::key::kArcPolicy);
	if (app_policy_value) {
	std::string app_policy_string;
	app_policy_value->GetAsString(&app_policy_string);
	std::unique_ptr<base::DictionaryValue> app_policy_dict =
	base::DictionaryValue::From(base::JSONReader::Read(app_policy_string));
	if (app_policy_dict) {
	// Need a deep copy of all values here instead of doing a swap, because
	// JSONReader::Read constructs a dictionary whose StringValues are
	// JSONStringValues which are based on StringPiece instead of string.
	filtered_policies.MergeDictionary(app_policy_dict.get());
	} else {
	LOG(ERROR) << "Value of ArcPolicy has invalid format: "
	<< app_policy_string;
	}
	}

	// Keep them sorted by the ARC policy names.
	MapBoolToBool("cameraDisabled", policy::key::kVideoCaptureAllowed, policy_map,
	true, &filtered_policies);
	MapBoolToBool("debuggingFeaturesDisabled",
	policy::key::kDeveloperToolsDisabled, policy_map, false,
	&filtered_policies);
	MapBoolToBool("screenCaptureDisabled", policy::key::kDisableScreenshots,
	policy_map, false, &filtered_policies);
	MapIntToBool("shareLocationDisabled", policy::key::kDefaultGeolocationSetting,
	policy_map, 2 /BlockGeolocation/, &filtered_policies);
	MapBoolToBool("unmuteMicrophoneDisabled", policy::key::kAudioCaptureAllowed,
	policy_map, true, &filtered_policies);
	MapBoolToBool("mountPhysicalMediaDisabled",
	policy::key::kExternalStorageDisabled, policy_map, false,
	&filtered_policies);

	// Add global app restrictions.
	AddGlobalAppRestriction("com.android.browser:URLBlacklist",
	policy::key::kURLBlacklist, policy_map,
	&filtered_policies);
	AddGlobalAppRestriction("com.android.browser:URLWhitelist",
	policy::key::kURLWhitelist, policy_map,
	&filtered_policies);

	// Add CA certificates.
	AddOncCaCertsToPolicies(policy_map, &filtered_policies);

	std::string policy_json;
	JSONStringValueSerializer serializer(&policy_json);
	serializer.Serialize(filtered_policies);
	return policy_json;
	}

	} // namespace

	ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service)
	: ArcService(bridge_service), binding_(this) {
	VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge";
	arc_bridge_service()->policy()->AddObserver(this);
	}

	ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service,
	policy::PolicyService* policy_service)
	: ArcService(bridge_service),
	binding_(this),
	policy_service_(policy_service) {
	VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge(bridge_service, policy_service)";
	arc_bridge_service()->policy()->AddObserver(this);
	}

	ArcPolicyBridge::~ArcPolicyBridge() {
	VLOG(2) << "ArcPolicyBridge::~ArcPolicyBridge";
	arc_bridge_service()->policy()->RemoveObserver(this);
	}

	void ArcPolicyBridge::OverrideIsManagedForTesting(bool is_managed) {
	is_managed_ = is_managed;
	}

	void ArcPolicyBridge::OnInstanceReady() {
	VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceReady";
	if (policy_service_ == nullptr) {
	InitializePolicyService();
	}
	policy_service_->AddObserver(policy::POLICY_DOMAIN_CHROME, this);

	mojom::PolicyInstance* const policy_instance =
	arc_bridge_service()->policy()->GetInstanceForMethod("Init");
	DCHECK(policy_instance);
	policy_instance->Init(binding_.CreateInterfacePtrAndBind());
	}

	void ArcPolicyBridge::OnInstanceClosed() {
	VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceClosed";
	policy_service_->RemoveObserver(policy::POLICY_DOMAIN_CHROME, this);
	policy_service_ = nullptr;
	}

	void ArcPolicyBridge::GetPolicies(const GetPoliciesCallback& callback) {
	VLOG(1) << "ArcPolicyBridge::GetPolicies";
	if (!is_managed_) {
	callback.Run(mojo::String(""));
	return;
	}
	const policy::PolicyNamespace policy_namespace(policy::POLICY_DOMAIN_CHROME,
	std::string());
	const policy::PolicyMap& policy_map =
	policy_service_->GetPolicies(policy_namespace);
	const std::string json_policies = GetFilteredJSONPolicies(policy_map);
	callback.Run(mojo::String(json_policies));
	}

	void ArcPolicyBridge::OnPolicyUpdated(const policy::PolicyNamespace& ns,
	const policy::PolicyMap& previous,
	const policy::PolicyMap& current) {
	VLOG(1) << "ArcPolicyBridge::OnPolicyUpdated";
	auto* instance =
	arc_bridge_service()->policy()->GetInstanceForMethod("OnPolicyUpdated");
	if (!instance)
	return;
	instance->OnPolicyUpdated();
	}

	void ArcPolicyBridge::InitializePolicyService() {
	const user_manager::User* const primary_user =
	user_manager::UserManager::Get()->GetPrimaryUser();
	Profile* const profile =
	chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user);
	auto* profile_policy_connector =
	policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile);
	policy_service_ = profile_policy_connector->policy_service();
	is_managed_ = profile_policy_connector->IsManaged();
	}

	} // namespace arc