Bug 1429148 - Policy: Don't let a Master Password to be set. r=keeler

MozReview-Commit-ID: 8Adqg0KU7cZ --HG-- extra : rebase_source : ec20e2f117d974edaa5df844091a086d12607771

Bug 1429148 - Policy: Don't let a Master Password to be set. r=keeler
MozReview-Commit-ID: 8Adqg0KU7cZ --HG-- extra : rebase_source : ec20e2f117d974edaa5df844091a086d12607771
d261cc7c · Felipe Gomes · 254ff126 · d261cc7c · d261cc7c · d261cc7c
Commit d261cc7c authored Feb 20, 2018 by Felipe Gomes
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -111,6 +111,14 @@ this.Policies = {
    }
  },

+  "CreateMasterPassword": {
+    onBeforeUIStartup(manager, param) {
+      if (!param) {
+        manager.disallowFeature("createMasterPassword");
+      }
+    }
+  },
+
  "DisableFirefoxScreenshots": {
    onBeforeAddons(manager, param) {
      if (param) {

--- a/browser/components/enterprisepolicies/helpers/sample.json
+++ b/browser/components/enterprisepolicies/helpers/sample.json
@@ -13,6 +13,7 @@
      ]
    },

-    "block_about_profiles": true
+    "block_about_profiles": true,
+    "CreateMasterPassword": false
  }
 }
--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -67,6 +67,14 @@
      "enum": [true]
    },

+    "CreateMasterPassword": {
+      "description": "If false, removes access to create a master password.",
+      "first_available": "60.0",
+
+      "type": "boolean",
+      "enum": [false]
+    },
+
    "DisableFirefoxScreenshots": {
      "description": "Prevents usage of the Firefox Screenshots feature.",
      "first_available": "60.0",

--- a/browser/components/enterprisepolicies/tests/browser/browser.ini
+++ b/browser/components/enterprisepolicies/tests/browser/browser.ini
@@ -19,6 +19,7 @@ support-files =
 [browser_policy_block_set_desktop_background.js]
 [browser_policy_default_browser_check.js]
 [browser_policy_disable_fxscreenshots.js]
+[browser_policy_disable_masterpassword.js]
 [browser_policy_display_bookmarks.js]
 [browser_policy_disable_formhistory.js]
 [browser_policy_display_menu.js]

--- a/browser/components/enterprisepolicies/tests/browser/browser_policy_disable_masterpassword.js
+++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_disable_masterpassword.js
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const MASTER_PASSWORD = "omgsecret!";
+const mpToken = Cc["@mozilla.org/security/pk11tokendb;1"]
+                  .getService(Ci.nsIPK11TokenDB)
+                  .getInternalKeyToken();
+
+async function checkDeviceManager({buttonIsDisabled}) {
+  let deviceManagerWindow = window.openDialog("chrome://pippki/content/device_manager.xul", "", "");
+  await new Promise(resolve => {
+    deviceManagerWindow.addEventListener("load", resolve, {once: true});
+  });
+
+  let tree = deviceManagerWindow.document.getElementById("device_tree");
+  ok(tree, "The device tree exists");
+
+  // Find and select the item related to the internal key token
+  for (let i = 0; i < tree.view.rowCount; i++) {
+    tree.view.selection.select(i);
+
+    try {
+      let selected_token = deviceManagerWindow.selected_slot.getToken();
+      if (selected_token.isInternalKeyToken) {
+        break;
+      }
+    } catch (e) {}
+  }
+
+  // Check to see if the button was updated correctly
+  let changePwButton = deviceManagerWindow.document.getElementById("change_pw_button");
+  is(changePwButton.getAttribute("disabled") == "true", buttonIsDisabled,
+     "Change Password button is in the correct state: " + buttonIsDisabled);
+
+  await BrowserTestUtils.closeWindow(deviceManagerWindow);
+}
+
+async function checkAboutPreferences({checkboxIsDisabled}) {
+  await BrowserTestUtils.withNewTab("about:preferences#privacy", async browser => {
+  // eslint-disable-next-line mozilla/no-cpows-in-tests
+  is(browser.contentDocument.getElementById("useMasterPassword").disabled, checkboxIsDisabled,
+    "Master Password checkbox is in the correct state: " + checkboxIsDisabled);
+});
+
+}
+
+add_task(async function test_policy_disable_masterpassword() {
+  ok(!mpToken.hasPassword, "Starting the test with no password");
+
+  // No password and no policy: access to setting a master password
+  // should be enabled.
+  await checkDeviceManager({buttonIsDisabled: false});
+  await checkAboutPreferences({checkboxIsDisabled: false});
+
+  await setupPolicyEngineWithJson({
+    "policies": {
+      "CreateMasterPassword": false
+    }
+  });
+
+  // With the `CreateMasterPassword: false` policy active, the
+  // UI entry points for creating a Master Password should be disabled.
+  await checkDeviceManager({buttonIsDisabled: true});
+  await checkAboutPreferences({checkboxIsDisabled: true});
+
+  mpToken.changePassword("", MASTER_PASSWORD);
+  ok(mpToken.hasPassword, "Master password was set");
+
+  // If a Master Password is already set, there's no point in disabling
+  // the
+  await checkDeviceManager({buttonIsDisabled: false});
+  await checkAboutPreferences({checkboxIsDisabled: false});
+
+  // Clean up
+  mpToken.changePassword(MASTER_PASSWORD, "");
+  ok(!mpToken.hasPassword, "Master password was cleaned up");
+});
--- a/browser/components/preferences/in-content/privacy.js
+++ b/browser/components/preferences/in-content/privacy.js
@@ -1124,6 +1124,7 @@ var gPrivacyPane = {

    var checkbox = document.getElementById("useMasterPassword");
    checkbox.checked = !noMP;
+    checkbox.disabled = noMP && !Services.policies.isAllowed("createMasterPassword");
  },

  /**

--- a/security/manager/pki/resources/content/device_manager.js
+++ b/security/manager/pki/resources/content/device_manager.js
@@ -162,6 +162,12 @@ function enableButtons() {
          }
        }
      }
+
+      if (!Services.policies.isAllowed("createMasterPassword") &&
+          selected_token.isInternalKeyToken &&
+          !selected_token.hasPassword) {
+        pw_toggle = "true";
+      }
    }
    showSlotInfo();
  }