Merge pull request #3692 from brave/group_policy_for_tor

Disable tor by group policy on Windows.
brave · Nov 11, 2019 · a4dfd66 · a4dfd66
1 parent 86c5c7b
commit a4dfd66
Show file tree

Hide file tree

Showing 24 changed files with 564 additions and 24 deletions.
diff --git a/browser/BUILD.gn b/browser/BUILD.gn
@@ -114,10 +114,11 @@ source_set("browser_process") {
     "renderer_host",
     "ui",
     "//base",
-    "//brave/browser/tor",
+    "//brave/browser/tor:buildflags",
     "//brave/browser/translate/buildflags",
     "//brave/browser/notifications",
     "//brave/common",
+    "//brave/common:pref_names",
     "//brave/components/brave_ads/browser",
     "//brave/components/brave_component_updater/browser",
     "//brave/components/brave_drm",
@@ -143,6 +144,7 @@ source_set("browser_process") {
     "//components/gcm_driver:gcm_driver",
     "//components/gcm_driver:gcm_buildflags",
     "//components/password_manager/core/common",
+    "//components/policy/core/browser",
     "//components/prefs",
     "//components/safe_browsing/common:safe_browsing_prefs",
     "//components/search_engines",
@@ -181,8 +183,6 @@ source_set("browser_process") {
       "//brave/app:brave_generated_resources_grit",
     ]
   } else {
-
-
     sources += [
       "android/brave_relaunch_utils.cc",
       "android/brave_shields_content_settings.cc",
@@ -218,8 +218,9 @@ source_set("browser_process") {
 
   if (enable_tor) {
     deps += [
+      "//brave/browser/tor",
       "//brave/components/services/tor/public/cpp:manifest",
-      "tor",
+      "//brave/common/tor:pref_names",
     ]
   }
 

diff --git a/browser/brave_browser_main_parts.h b/browser/brave_browser_main_parts.h
@@ -19,6 +19,8 @@ class BraveBrowserMainParts : public ChromeBrowserMainParts {
   void PostProfileInit() override;
 
  private:
+  friend class ChromeBrowserMainExtraPartsTor;
+
   DISALLOW_COPY_AND_ASSIGN(BraveBrowserMainParts);
 };
 

diff --git a/browser/extensions/BUILD.gn b/browser/extensions/BUILD.gn
@@ -1,3 +1,4 @@
+import("//brave/browser/tor/buildflags/buildflags.gni")
 import("//brave/components/brave_rewards/browser/buildflags/buildflags.gni")
 import("//brave/components/brave_sync/buildflags/buildflags.gni")
 import("//brave/components/brave_wallet/browser/buildflags/buildflags.gni")
@@ -60,11 +61,13 @@ source_set("extensions") {
   deps = [
     "//base",
     "//brave/app:brave_generated_resources_grit",
+    "//brave/common",
     "//brave/common:pref_names",
     "//brave/common/extensions/api",
     "//brave/components/brave_component_updater/browser",
     "//brave/components/brave_extension:generated_resources",
     "//brave/components/brave_extension:static_resources",
+    "//chrome/browser/extensions",
     "//components/gcm_driver:gcm_driver",
     "//components/gcm_driver:gcm_buildflags",
     "//components/prefs",
@@ -110,6 +113,11 @@ source_set("extensions") {
       "brave_webtorrent_navigation_throttle.h",
     ]
   }
+  if (enable_tor) {
+    deps += [
+      "//brave/browser/tor:buildflags",
+    ]
+  }
 }
 
 config("infura_config") {

diff --git a/browser/extensions/brave_extension_management.cc b/browser/extensions/brave_extension_management.cc
@@ -7,10 +7,8 @@
 
 #include <memory>
 
-#include "base/command_line.h"
 #include "brave/browser/brave_browser_process_impl.h"
 #include "brave/browser/tor/buildflags.h"
-#include "brave/common/brave_switches.h"
 #include "brave/common/extensions/extension_constants.h"
 #include "brave/common/pref_names.h"
 #include "brave/browser/extensions/brave_extension_provider.h"
@@ -35,6 +33,7 @@ BraveExtensionManagement::BraveExtensionManagement(Profile* profile)
         static_cast<content::BrowserContext*>(profile)));
   providers_.push_back(
       std::make_unique<BraveExtensionProvider>());
+  CleanupBraveExtensions();
   RegisterBraveExtensions();
 }
 
@@ -43,14 +42,18 @@ BraveExtensionManagement::~BraveExtensionManagement() {
 
 void BraveExtensionManagement::RegisterBraveExtensions() {
 #if BUILDFLAG(ENABLE_TOR)
-  const base::CommandLine& command_line =
-      *base::CommandLine::ForCurrentProcess();
-  if (!command_line.HasSwitch(switches::kDisableTorClientUpdaterExtension) &&
-      !profile_->AsTestingProfile())
+  if (!profile_->AsTestingProfile())
     g_brave_browser_process->tor_client_updater()->Register();
 #endif
 }
 
+void BraveExtensionManagement::CleanupBraveExtensions() {
+#if BUILDFLAG(ENABLE_TOR)
+  if (!profile_->AsTestingProfile())
+    g_brave_browser_process->tor_client_updater()->Cleanup();
+#endif
+}
+
 void BraveExtensionManagement::OnExtensionLoaded(
     content::BrowserContext* browser_context,
     const Extension* extension) {

diff --git a/browser/extensions/brave_extension_management.h b/browser/extensions/brave_extension_management.h
@@ -22,6 +22,7 @@ class BraveExtensionManagement : public ExtensionManagement,
 
  private:
   void RegisterBraveExtensions();
+  void CleanupBraveExtensions();
 
   // ExtensionRegistryObserver implementation.
   void OnExtensionLoaded(

diff --git a/browser/extensions/brave_tor_client_updater.cc b/browser/extensions/brave_tor_client_updater.cc
@@ -8,16 +8,27 @@
 #include <memory>
 #include <string>
 
+#include "base/command_line.h"
 #include "base/files/file_enumerator.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/task/post_task.h"
 #include "base/task_runner.h"
 #include "base/task_runner_util.h"
+#include "brave/browser/tor/tor_profile_service.h"
+#include "brave/common/brave_switches.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/profiles/profile_manager.h"
 #include "third_party/re2/src/re2/re2.h"
 
 using brave_component_updater::BraveComponent;
 
+namespace {
+void DeleteDir(const base::FilePath& path) {
+  base::DeleteFile(path, true);
+}
+}  // namespace
+
 namespace extensions {
 
 namespace {
@@ -110,15 +121,31 @@ BraveTorClientUpdater::~BraveTorClientUpdater() {
 }
 
 void BraveTorClientUpdater::Register() {
-  if (registered_)
+  const base::CommandLine& command_line =
+      *base::CommandLine::ForCurrentProcess();
+  if (tor::TorProfileService::IsTorDisabled() ||
+      command_line.HasSwitch(switches::kDisableTorClientUpdaterExtension) ||
+      registered_) {
     return;
+  }
 
   BraveComponent::Register(kTorClientComponentName,
-                               g_tor_client_component_id_,
-                               g_tor_client_component_base64_public_key_);
+                           g_tor_client_component_id_,
+                           g_tor_client_component_base64_public_key_);
   registered_ = true;
 }
 
+void BraveTorClientUpdater::Cleanup() {
+  // Delete tor binaries if tor is disabled by gpo.
+  if (tor::TorProfileService::IsTorDisabled()) {
+    ProfileManager* profile_manager = g_browser_process->profile_manager();
+    base::FilePath tor_component_dir =
+        profile_manager->user_data_dir().AppendASCII(kTorClientComponentId);
+    GetTaskRunner()->PostTask(FROM_HERE,
+                              base::BindOnce(&DeleteDir, tor_component_dir));
+  }
+}
+
 void BraveTorClientUpdater::SetExecutablePath(const base::FilePath& path) {
   executable_path_ = path;
   for (Observer& observer : observers_)

diff --git a/browser/extensions/brave_tor_client_updater.h b/browser/extensions/brave_tor_client_updater.h
@@ -52,6 +52,7 @@ class BraveTorClientUpdater : public BraveComponent {
   ~BraveTorClientUpdater() override;
 
   void Register();
+  void Cleanup();
   base::FilePath GetExecutablePath() const;
   scoped_refptr<base::SequencedTaskRunner> GetTaskRunner() {
     return task_runner_;

diff --git a/browser/policy/brave_policy_browsertest.cc b/browser/policy/brave_policy_browsertest.cc
@@ -0,0 +1,93 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "brave/browser/tor/buildflags.h"
+#include "brave/common/pref_names.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/browser.h"
+#include "chrome/test/base/in_process_browser_test.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/mock_configuration_policy_provider.h"
+#include "components/policy/policy_constants.h"
+#include "components/prefs/pref_service.h"
+
+#if BUILDFLAG(ENABLE_TOR)
+#include "brave/browser/tor/tor_profile_service.h"
+#include "brave/common/tor/pref_names.h"
+#endif
+
+using testing::_;
+using testing::Return;
+using NoTorPolicyBrowserTest = InProcessBrowserTest;
+
+namespace policy {
+
+class BravePolicyTest : public InProcessBrowserTest {
+ protected:
+  BravePolicyTest() {}
+  ~BravePolicyTest() override {}
+
+  void SetUpInProcessBrowserTestFixture() override {
+    EXPECT_CALL(provider_, IsInitializationComplete(_))
+        .WillRepeatedly(Return(true));
+    BrowserPolicyConnector::SetPolicyProviderForTesting(&provider_);
+  }
+
+  MockConfigurationPolicyProvider provider_;
+};
+
+#if BUILDFLAG(ENABLE_TOR)
+#if defined(OS_WIN)
+// This policy only exists on Windows.
+// Sets the tor policy before the browser is started.
+class TorDisabledPolicyBrowserTest : public BravePolicyTest {
+ public:
+  TorDisabledPolicyBrowserTest() {}
+  ~TorDisabledPolicyBrowserTest() override {}
+
+  void SetUpInProcessBrowserTestFixture() override {
+    BravePolicyTest::SetUpInProcessBrowserTestFixture();
+
+    PolicyMap policies;
+    policies.Set(key::kTorDisabled, POLICY_LEVEL_MANDATORY,
+                 POLICY_SCOPE_MACHINE, POLICY_SOURCE_PLATFORM,
+                 std::make_unique<base::Value>(true), nullptr);
+    provider_.UpdateChromePolicy(policies);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(TorDisabledPolicyBrowserTest, TorDisabledPrefValueTest) {
+  EXPECT_TRUE(tor::TorProfileService::IsTorDisabled());
+}
+
+class TorEnabledPolicyBrowserTest : public BravePolicyTest {
+ public:
+  TorEnabledPolicyBrowserTest() {}
+  ~TorEnabledPolicyBrowserTest() override {}
+
+  void SetUpInProcessBrowserTestFixture() override {
+    BravePolicyTest::SetUpInProcessBrowserTestFixture();
+
+    PolicyMap policies;
+    policies.Set(key::kTorDisabled, POLICY_LEVEL_MANDATORY,
+                 POLICY_SCOPE_MACHINE, POLICY_SOURCE_PLATFORM,
+                 std::make_unique<base::Value>(false), nullptr);
+    provider_.UpdateChromePolicy(policies);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(TorEnabledPolicyBrowserTest, TorDisabledPrefValueTest) {
+  EXPECT_FALSE(tor::TorProfileService::IsTorDisabled());
+}
+
+// W/o TorDisabled group policy, kTorDisabled pref value should be false.
+IN_PROC_BROWSER_TEST_F(NoTorPolicyBrowserTest,
+                       DefaultTorDisabledPrefValueTest) {
+  EXPECT_FALSE(tor::TorProfileService::IsTorDisabled());
+}
+#endif  // OS_WIN
+#endif  // ENABLE_TOR
+
+}  // namespace policy
diff --git a/browser/tor/tor_profile_service.cc b/browser/tor/tor_profile_service.cc
@@ -56,6 +56,13 @@ void TorProfileService::RegisterLocalStatePrefs(PrefRegistrySimple* registry) {
   const std::string tor_proxy_uri =
       std::string(kTorProxyScheme) + std::string(kTorProxyAddress) + ":" + port;
   registry->RegisterStringPref(prefs::kTorProxyString, tor_proxy_uri);
+  // Tor for group policy. Only can be true by group policy.
+  registry->RegisterBooleanPref(prefs::kTorDisabled, false);
+}
+
+// static
+bool TorProfileService::IsTorDisabled() {
+  return g_browser_process->local_state()->GetBoolean(prefs::kTorDisabled);
 }
 
 std::string TorProfileService::GetTorProxyURI() {

diff --git a/browser/tor/tor_profile_service.h b/browser/tor/tor_profile_service.h
@@ -39,6 +39,7 @@ class TorProfileService : public KeyedService {
   ~TorProfileService() override;
 
   static void RegisterLocalStatePrefs(PrefRegistrySimple* registry);
+  static bool IsTorDisabled();
 
   virtual void SetNewTorCircuit(content::WebContents* web_contents) = 0;
   virtual std::unique_ptr<net::ProxyConfigService>

diff --git a/browser/ui/BUILD.gn b/browser/ui/BUILD.gn
@@ -155,16 +155,21 @@ source_set("ui") {
     "//brave/browser:sparkle_buildflags",
     "//brave/browser/devtools",
     "//brave/browser/gcm_driver",
+    "//brave/browser/profiles",
     "//brave/browser/resources/settings:resources",
     "//brave/browser/tor",
     "//brave/common",
+    "//brave/common:pref_names",
     "//brave/components/brave_adblock_ui:generated_resources",
     "//brave/components/brave_new_tab_ui:generated_resources",
     "//brave/components/brave_rewards/browser",
     "//brave/components/brave_rewards/resources",
     "//brave/components/brave_shields/browser",
+    "//brave/components/brave_sync/buildflags:buildflags",
+    "//brave/components/brave_wallet/browser/buildflags:buildflags",
     "//brave/components/brave_welcome_ui:generated_resources",
     "//chrome/app:command_ids",
+    "//chrome/app/vector_icons:vector_icons",
     "//chrome/common",
     "//components/gcm_driver:gcm_buildflags",
     "//components/prefs",
@@ -182,6 +187,7 @@ source_set("ui") {
       "//brave/components/brave_sync",
       "//brave/components/brave_sync:generated_resources",
       "//brave/components/brave_sync:static_resources",
+      "//brave/components/brave_sync:switches",
     ]
   }
 

diff --git a/browser/ui/brave_browser_command_controller.cc b/browser/ui/brave_browser_command_controller.cc
@@ -12,6 +12,7 @@
 #include "brave/browser/tor/buildflags.h"
 #include "brave/browser/ui/brave_pages.h"
 #include "brave/browser/ui/browser_commands.h"
+#include "brave/common/pref_names.h"
 #include "brave/components/brave_rewards/browser/buildflags/buildflags.h"
 #include "brave/components/brave_sync/buildflags/buildflags.h"
 #include "brave/components/brave_wallet/browser/buildflags/buildflags.h"
@@ -20,11 +21,16 @@
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "components/prefs/pref_service.h"
 
 #if BUILDFLAG(ENABLE_BRAVE_SYNC)
 #include "brave/components/brave_sync/switches.h"
 #endif
 
+#if BUILDFLAG(ENABLE_TOR)
+#include "brave/browser/tor/tor_profile_service.h"
+#endif
+
 namespace {
 
 bool IsBraveCommands(int id) {
@@ -133,8 +139,11 @@ void BraveBrowserCommandController::UpdateCommandForBraveAdblock() {
 }
 
 void BraveBrowserCommandController::UpdateCommandForTor() {
-  UpdateCommandEnabled(IDC_NEW_TOR_CONNECTION_FOR_SITE, true);
-  UpdateCommandEnabled(IDC_NEW_OFFTHERECORD_WINDOW_TOR, true);
+#if BUILDFLAG(ENABLE_TOR)
+  const bool is_tor_enabled = !tor::TorProfileService::IsTorDisabled();
+  UpdateCommandEnabled(IDC_NEW_TOR_CONNECTION_FOR_SITE, is_tor_enabled);
+  UpdateCommandEnabled(IDC_NEW_OFFTHERECORD_WINDOW_TOR, is_tor_enabled);
+#endif
 }
 
 void BraveBrowserCommandController::UpdateCommandForBraveSync() {

diff --git a/browser/ui/toolbar/brave_app_menu_model.cc b/browser/ui/toolbar/brave_app_menu_model.cc
@@ -79,7 +79,9 @@ void BraveAppMenuModel::InsertBraveMenuItems() {
         IDS_NEW_TOR_CONNECTION_FOR_SITE);
   }
 
-  InsertItemWithStringIdAt(GetIndexOfCommandId(IDC_NEW_INCOGNITO_WINDOW) + 1,
-                           IDC_NEW_OFFTHERECORD_WINDOW_TOR,
-                           IDS_NEW_OFFTHERECORD_WINDOW_TOR);
+  if (IsCommandIdEnabled(IDC_NEW_OFFTHERECORD_WINDOW_TOR)) {
+    InsertItemWithStringIdAt(GetIndexOfCommandId(IDC_NEW_INCOGNITO_WINDOW) + 1,
+                             IDC_NEW_OFFTHERECORD_WINDOW_TOR,
+                             IDS_NEW_OFFTHERECORD_WINDOW_TOR);
+  }
 }