From f35ee757311e0144b1a76b697ed9709e288abff6 Mon Sep 17 00:00:00 2001 
From: Brian Clifton Date: Mon, 23 Sep 2024 12:43:52 -0700 Subject: [PATCH] Rework our existing group policies and match the style that Chromium uses. The assets generated now include all of the Brave group policies in a group called "BraveSoftware". Fixes https://github.com/brave/brave-browser/issues/26502 --- .../policy/resources/policy_templates.py | 120 +++++++++++ .../policy/tools/generate_policy_source.py | 197 +----------------- components/policy/BUILD.gn | 16 +- components/policy/pack_policy_templates.py | 76 ++++--- .../BraveSoftware/.group.details.yaml | 2 + .../BraveSoftware/BraveAIChatEnabled.yaml | 39 ++++ .../BraveSoftware/BraveRewardsDisabled.yaml | 37 ++++ .../BraveShieldsDisabledForUrls.yaml | 32 +++ .../BraveShieldsEnabledForUrls.yaml | 32 +++ .../BraveSoftware/BraveSyncUrl.yaml | 29 +++ .../BraveSoftware/BraveVPNDisabled.yaml | 38 ++++ .../BraveSoftware/BraveWalletDisabled.yaml | 37 ++++ .../BraveSoftware/TorDisabled.yaml | 39 ++++ .../templates/policy_definitions/README.md | 20 ++ ...policy-resources-policy_templates.py.patch | 11 + 15 files changed, 503 insertions(+), 222 deletions(-) create mode 100644 chromium_src/components/policy/resources/policy_templates.py mode change 100644 => 100755 components/policy/pack_policy_templates.py create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/.group.details.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveAIChatEnabled.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveRewardsDisabled.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsDisabledForUrls.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsEnabledForUrls.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveSyncUrl.yaml create mode 100644 
components/policy/resources/templates/policy_definitions/BraveSoftware/BraveVPNDisabled.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/BraveWalletDisabled.yaml create mode 100644 components/policy/resources/templates/policy_definitions/BraveSoftware/TorDisabled.yaml create mode 100644 components/policy/resources/templates/policy_definitions/README.md create mode 100644 patches/components-policy-resources-policy_templates.py.patch diff --git a/chromium_src/components/policy/resources/policy_templates.py b/chromium_src/components/policy/resources/policy_templates.py new file mode 100644 index 000000000000..0feab27a23ba --- /dev/null +++ b/chromium_src/components/policy/resources/policy_templates.py 
@@ -0,0 +1,120 @@ +# Copyright (c) 2024 The Brave Authors. All rights reserved. +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this file, +# You can obtain one at https://mozilla.org/MPL/2.0/. + +import hashlib +import json +import os +import override_utils +import shutil + +from brave_chromium_utils import wspath + + +@override_utils.override_function(globals()) +def _LoadPolicies(orig_func): + policies = orig_func() + + # `policies` will have the following notable keys: + # + # "policy_definitions" + # there will be one "group" for every folder found under + # `//components/policy/resources/templates/policy_definitions` + # Chromium considers the folder name the group name for the policy. + # Brave uses the group name "BraveSoftware". The child element for the + # group is the policy itself (those are the yaml files in the folder). + # + # Brave specific entries are get copied into place by `update_policy_files`. + # We copy the files from: + # `//brave/components/policy/resources/templates/policy_definitions/BraveSoftware` # pylint: disable=line-too-long + # to: + # `//components/policy/resources/templates/policy_definitions` + # + # + # "policies" + # This has the contents of: + # `//components/policy/resources/templates/policies.yaml` + # This is where we need to inject the Brave specific names. The policies + # themselves are already defined (under `policy_definitions`), we just need + # to add a mapping for ID (integer; unique) and name (matches name under + # `policy_definitions`). + # + # + # There are some other fields which are not used by this script. 
+ + policy_yaml = policies['policies'] + policy_section = policy_yaml['policies'] + + # get the highest ID in the file + highest_number = 0 + for key, _ in policy_section.items(): + if int(key) > highest_number: + highest_number = int(key) + + # append our entries to the ones from policies.yaml + # TODO(bsclifton): we can create this array dynamically by reading the file + # names from: + # `//brave/components/policy/resources/templates/policy_definitions/BraveSoftware` # pylint: disable=line-too-long + brave_policies = [ + 'TorDisabled', 'BraveRewardsDisabled', 'BraveWalletDisabled', + 'BraveVPNDisabled', 'BraveAIChatEnabled', 'BraveSyncUrl', + 'BraveShieldsDisabledForUrls', 'BraveShieldsEnabledForUrls' + ] + for entry in brave_policies: + highest_number += 1 + #policy_key = str(highest_number) + policy_section[highest_number] = entry + + return policies + + +def update_policy_files(): + # Chromium stores all group policy definitions under + # `//components/policy/resources/templates/policy_definitions/` + # + # The name of the file (minus the extension; ex: TorDisable.yaml => TorDisable) + # corresponds to an auto-generated entry in: + # `//out//gen/chrome/app/policy/policy_templates.json + # + # That auto-generated value (ex: `policy::key::kTorDisabled`) is referenced + # when we map to a preference in our policy map: + # `//brave/browser/policy/brave_simple_policy_map.h` + # + # When the code below is ran this will copy the group policy files from: + # `//brave/components/policy/resources/templates/policy_definitions/` + # to their expected place in Chromium: + # `//components/policy/resources/templates/policy_definitions/` + # + policy_dir = wspath( + "//brave/components/policy/resources/templates/policy_definitions/") + with os.scandir(policy_dir) as entries: + for entry in entries: + if not entry.is_dir(): + continue + src_dir = entry.path + src_dir_name = entry.name + dst_dir = wspath( + 
f"//components/policy/resources/templates/policy_definitions/{src_dir_name}" # pylint: disable=line-too-long + ) + shutil.copytree(src_dir, + dst_dir, + dirs_exist_ok=True, + copy_function=copy_only_if_modified) + + +def copy_only_if_modified(src, dst): + """Copy file if it doesn't exist or if its hash is different.""" + + def file_hash(file_path): + with open(file_path, "rb") as f: + return hashlib.file_digest(f, "sha256").digest() + + if not os.path.exists(dst) or file_hash(src) != file_hash(dst): + shutil.copy2(src, dst) + + +@override_utils.override_function(globals()) +def main(orig_func): + update_policy_files() + orig_func() diff --git a/chromium_src/components/policy/tools/generate_policy_source.py b/chromium_src/components/policy/tools/generate_policy_source.py index af1362ede0ca..470ea4690f14 100644 --- a/chromium_src/components/policy/tools/generate_policy_source.py +++ b/chromium_src/components/policy/tools/generate_policy_source.py 
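Review bot: In `update_policy_files`, `shutil.copytree(..., dirs_exist_ok=True)` only adds or overwrites files, so a YAML definition that is later deleted or renamed in the Brave `policy_definitions` folder stays behind in the Chromium copy. As far as this patch shows, the stale file would still be picked up as a policy definition and keep shipping in the generated templates. Pruning destination files that no longer exist in the source, as sketched below, closes that gap; it is only safe while every copied group folder is Brave-only. Separately, in `_LoadPolicies` the commented-out `#policy_key = str(highest_number)` should be deleted or used, since existing keys are read with `int(key)` while new entries are written under integer keys.

```python
# … unchanged: scandir loop, src_dir/dst_dir setup and the shutil.copytree(...) call …
            # Remove definitions that were deleted or renamed on the Brave
            # side so they stop shipping. Only valid for Brave-only groups.
            stale_names = set(os.listdir(dst_dir)) - set(os.listdir(src_dir))
            for stale_name in stale_names:
                stale_path = os.path.join(dst_dir, stale_name)
                if os.path.isfile(stale_path):
                    os.remove(stale_path)
```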
@@ -3,198 +3,9 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this file, # You can obtain one at https://mozilla.org/MPL/2.0/. -import override_utils +assert ('CHROMIUM_POLICY_KEY' in globals()) +# This override controls the constant written out to: +# `//out//gen/components/policy/policy_constants.cc` +# which is then used for the `policy_templates.zip` CHROMIUM_POLICY_KEY = 'SOFTWARE\\\\Policies\\\\BraveSoftware\\\\Brave' - -@override_utils.override_function(globals()) -def _LoadJSONFile(orig_func, json_file): - json = orig_func(json_file) - AddBravePolicies(json) - return json - -def AddBravePolicies(template_file_contents): - highest_id = template_file_contents['highest_id_currently_used'] - policies = [ - { - 'name': 'TorDisabled', - 'type': 'main', - 'schema': { - 'type': 'boolean' - }, - 'supported_on': [ - 'chrome.win:78-', 'chrome.mac:93-', 'chrome.linux:93-' - ], - 'features': { - 'dynamic_refresh': False, - 'per_profile': False, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': True, - 'id': 0, - 'caption': '''Disables the tor feature.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that tor ''' - '''must be disabled at startup.'''), - }, - { - 'name': 'BraveRewardsDisabled', - 'type': 'main', - 'schema': { - 'type': 'boolean' - }, - 'supported_on': ['chrome.*:105-'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': True, - 'id': 2, - 'caption': '''Disable Brave Rewards feature.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''Rewards feature will be disabled.'''), - }, - { - 'name': 'BraveWalletDisabled', - 'type': 'main', - 'schema': { - 'type': 'boolean' - }, - 'supported_on': ['chrome.*:106-'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 
'example_value': True, - 'id': 3, - 'caption': '''Disable Brave Wallet feature.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''Wallet feature will be disabled.'''), - }, - { - 'name': 'BraveShieldsDisabledForUrls', - 'type': 'main', - 'schema': { - 'type': 'array', - 'items': { - 'type': 'string' - }, - }, - 'supported_on': ['chrome.*:107-'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': ['https://brave.com'], - 'id': 4, - 'caption': '''Disables Brave Shields for urls.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''Shields disabled.'''), - }, - { - 'name': 'BraveShieldsEnabledForUrls', - 'type': 'main', - 'schema': { - 'type': 'array', - 'items': { - 'type': 'string' - }, - }, - 'supported_on': ['chrome.*:107-'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': ['https://brave.com'], - 'id': 5, - 'caption': '''Enables Brave Shields for urls.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''Shields enabled.'''), - }, - { - 'name': 'BraveVPNDisabled', - 'type': 'main', - 'schema': { - 'type': 'boolean' - }, - 'supported_on': ['chrome.*:112-'], - 'future_on': ['android'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': True, - 'id': 6, - 'caption': '''Disable Brave VPN feature.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''VPN feature will be disabled.'''), - }, - { - 'name': 'BraveAIChatEnabled', - 'type': 'main', - 'schema': { - 'type': 'boolean' - }, - 'supported_on': ['chrome.*:121-'], - 'future_on': ['android'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 
'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': True, - 'id': 7, - 'caption': '''Enable Brave AI Chat feature.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify that Brave ''' - '''AI Chat feature will be enabled.'''), - }, - { - 'name': 'BraveSyncUrl', - 'type': 'main', - 'schema': { - 'type': 'string' - }, - 'supported_on': ['chrome.*:129-'], - 'features': { - 'dynamic_refresh': False, - 'per_profile': True, - 'can_be_recommended': False, - 'can_be_mandatory': True - }, - 'example_value': ['https://sync-v2.brave.com/v2'], - 'id': 8, - 'caption': '''Custom sync server URL.''', - 'tags': [], - 'desc': ('''This policy allows an admin to specify a custom ''' - '''sync server URL for Brave.'''), - }, - ] - - # Our new polices are added with highest id - next_id = highest_id + 1 - for policy in policies: - next_id += 1 - policy['id'] = next_id - template_file_contents['policy_definitions'].append(policy) - - # Update highest id - template_file_contents['highest_id_currently_used'] = highest_id + \ - len(policies) diff --git a/components/policy/BUILD.gn b/components/policy/BUILD.gn index 96863041c2d0..f0808f0e2dd6 100644 --- a/components/policy/BUILD.gn +++ b/components/policy/BUILD.gn 
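Review bot: The new guard `assert ('CHROMIUM_POLICY_KEY' in globals())` is stripped when Python runs with `-O`, and it is the only check that would catch an upstream rename of the constant. Without it, the assignment below would define an unused name and the generated templates would presumably keep upstream's registry path instead of the Brave one. An explicit check survives optimisation: `if 'CHROMIUM_POLICY_KEY' not in globals(): raise RuntimeError('CHROMIUM_POLICY_KEY not defined upstream; Brave registry key override not applied')`. The rest of this hunk only deletes the old in-script policy list.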
@@ -1,7 +1,21 @@ +# Copyright (c) 2024 The Brave Authors. All rights reserved. +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this file, +# You can obtain one at https://mozilla.org/MPL/2.0/. + +# See `//components/policy/BUILD.gn` for more info about how these files +# are generated. Also see: +# `//brave/chromium_src/components/policy/resources/policy_templates.py` +# for Brave specific group policy definitions. + if (is_win) { action("pack_policy_templates") { chrome_pack_policy_templates = "//components/policy:pack_policy_templates" - deps = [ chrome_pack_policy_templates ] + deps = [ + "//components/policy:generate_policy_templates", + "//components/policy:policy_templates", + chrome_pack_policy_templates, + ] script = "pack_policy_templates.py" chrome_policy_templates_zip = get_label_info(chrome_pack_policy_templates, "root_out_dir") + diff --git a/components/policy/pack_policy_templates.py b/components/policy/pack_policy_templates.py old mode 100644 new mode 100755 index 245e94b5962c..86803e5a5cda --- a/components/policy/pack_policy_templates.py +++ b/components/policy/pack_policy_templates.py 
@@ -4,6 +4,25 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this file, # You can obtain one at https://mozilla.org/MPL/2.0/. +# Script that prepares a Brave-specific version of the `policy_templates.zip` +# file that folks expect for administering Brave via group policy. +# +# For more info, see: +# https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy +# and +# https://github.com/brave/brave-browser/issues/26502 +# +# NOTE: There are assets on other platforms but we don't currently use them. +# +# - macOS should have two assets: +# - $root_out_dir/mac/app-Manifest.plist +# - $root_out_dir/mac/jamf.json +# +# - Linux has one asset: +# - $root_out_dir/linux/examples/chrome.json +# +# For more info, see: +# https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/policy_templates.gni # pylint: disable=line-too-long """ Create a Zip file of Windows Group Policy templates similar to Chrome's. """ 
@@ -16,37 +35,38 @@ from zipfile import ZipFile, ZIP_DEFLATED def main(): - chrome_policy_zip, dest_zip = _get_args() - _pack_policy_templates(chrome_policy_zip, dest_zip) + chrome_policy_zip, dest_zip = _get_args() + _pack_policy_templates(chrome_policy_zip, dest_zip) def _get_args(): - parser = argparse.ArgumentParser() - parser.add_argument('chrome_policy_zip', - help="Path to Chrome's policy_templates.zip") - parser.add_argument('dest_zip', - help="Path to the Zip file to be created") - args = parser.parse_args() - return args.chrome_policy_zip, args.dest_zip + parser = argparse.ArgumentParser() + parser.add_argument('chrome_policy_zip', + help="Path to Chrome's policy_templates.zip") + parser.add_argument('dest_zip', help="Path to the Zip file to be created") + args = parser.parse_args() + return args.chrome_policy_zip, args.dest_zip def _pack_policy_templates(chrome_policy_zip, dest_zip): - with TemporaryDirectory() as tmp_dir: - with ZipFile(chrome_policy_zip) as src_zip: - src_zip.extract('VERSION', tmp_dir) - namelist = src_zip.namelist() - for dir_ in ('windows/adm/', 'windows/admx/', 'windows/examples/'): - src_zip.extractall(tmp_dir, (n for n in namelist if n.startswith(dir_))) - - # Some sanity checks: - assert exists(join(tmp_dir, 'windows/adm/en-US/chrome.adm')) - assert exists(join(tmp_dir, 'windows/admx/chrome.admx')) - assert exists(join(tmp_dir, 'windows/admx/en-US/chrome.adml')) - - with ZipFile(dest_zip, 'w', ZIP_DEFLATED) as dest_zipfile: - for dirpath, _, filenames in os.walk(tmp_dir): - for filename in filenames: - filepath = join(dirpath, filename) - arcname = relpath(filepath, tmp_dir).replace('chrome', 'brave') - dest_zipfile.write(filepath, arcname=arcname) + with TemporaryDirectory() as tmp_dir: + with ZipFile(chrome_policy_zip) as src_zip: + src_zip.extract('VERSION', tmp_dir) + namelist = src_zip.namelist() + for dir_ in ('windows/adm/', 'windows/admx/', 'windows/examples/'): + src_zip.extractall(tmp_dir, + (n for n in namelist if 
n.startswith(dir_))) + + # Some sanity checks: + assert exists(join(tmp_dir, 'windows/adm/en-US/chrome.adm')) + assert exists(join(tmp_dir, 'windows/admx/chrome.admx')) + assert exists(join(tmp_dir, 'windows/admx/en-US/chrome.adml')) + + with ZipFile(dest_zip, 'w', ZIP_DEFLATED) as dest_zipfile: + for dirpath, _, filenames in os.walk(tmp_dir): + for filename in filenames: + filepath = join(dirpath, filename) + arcname = relpath(filepath, + tmp_dir).replace('chrome', 'brave') + dest_zipfile.write(filepath, arcname=arcname) if __name__ == '__main__': - main() + main() diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/.group.details.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/.group.details.yaml new file mode 100644 index 000000000000..3fdad9868154 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/.group.details.yaml @@ -0,0 +1,2 @@ +caption: Brave Software settings +desc: Configure settings specific to the Brave Browser. diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveAIChatEnabled.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveAIChatEnabled.yaml new file mode 100644 index 000000000000..8162f5972ff5 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveAIChatEnabled.yaml 
@@ -0,0 +1,39 @@ +caption: Disable AI Chat +default: null +desc: |- + Disable AI Chat in Brave. + + The smart AI assistant built right into your browser. Ask questions, summarize pages, create new content, and more. Privately. + + If this policy is set to true, AI Chat will always be disabled. + + If this policy is set to false, AI Chat will always be enabled. + + If you set this policy, users cannot change or override it. + + If this policy is left unset, AI Chat will be enabled by default. +example_value: true +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: true +items: +- caption: Enable AI Chat + value: false +- caption: Disable AI Chat + value: true +- caption: Allow the user to decide + value: null +owners: +- bbondy@brave.com +- peter@brave.com +- clifton@brave.com +schema: + type: boolean +supported_on: +- chrome.*:121- +future_on: +- android +tags: [] +type: main diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveRewardsDisabled.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveRewardsDisabled.yaml new file mode 100644 index 000000000000..0e2f37e07c02 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveRewardsDisabled.yaml 
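Review bot: The caption, description and `items` describe the opposite of what the policy name says: the file is `BraveAIChatEnabled.yaml`, yet `true` is documented as "AI Chat will always be disabled" and the `Enable AI Chat` item carries `value: false`. The definition removed from `generate_policy_source.py` in this same patch described the policy as enabling the feature. Unless the pref mapping (not visible here) was inverted as well, an administrator who sets `true` to turn AI Chat off would force it on. The wording and item values should follow the name, as in the excerpt below.

```yaml
caption: Enable AI Chat
# … unchanged: default …
desc: |-
  Enable AI Chat in Brave.

  If this policy is set to true, AI Chat will always be enabled.

  If this policy is set to false, AI Chat will always be disabled.
# … unchanged: remaining desc paragraphs, example_value, features …
items:
- caption: Enable AI Chat
  value: true
- caption: Disable AI Chat
  value: false
# … unchanged: "Allow the user to decide" item, owners, schema, supported_on, future_on, tags, type …
```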
@@ -0,0 +1,37 @@ +caption: Disable Brave Rewards +default: null +desc: |- + Disable Brave Rewards in Brave. + + Allows users to support content creators and earn tokens for ads seen in Brave. Folks can use tokens to buy gift cards, exchange for other currencies, and more.. + + If this policy is set to true, Brave Rewards will always be disabled. + + If this policy is set to false, Brave Rewards will always be enabled. + + If you set this policy, users cannot change or override it. + + If this policy is left unset, Brave Rewards will be enabled by default. +example_value: true +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: true +items: +- caption: Enable Brave Rewards + value: false +- caption: Disable Brave Rewards + value: true +- caption: Allow the user to decide + value: null +owners: +- ksmith@brave.com +- sszaloki@brave.com +- clifton@brave.com +schema: + type: boolean +supported_on: +- chrome.*:105- +tags: [] +type: main diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsDisabledForUrls.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsDisabledForUrls.yaml new file mode 100644 index 000000000000..8f15d43b10c3 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsDisabledForUrls.yaml 
@@ -0,0 +1,32 @@ +caption: Disable Brave Shields for URLs +default: null +desc: |- + Forces the shields in Brave to be disabled for specific web sites. + + You can use special syntax to wildcard a domain. +example_value: +- "[*.]twitter.com" +- https://www.example.com +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: false +items: +- caption: Force disable shields for example.com + value: + - https://www.example.com +- caption: Shields on for all sites by default + value: null +owners: +- clifton@brave.com +schema: + items: + type: string + type: array +supported_on: +- chrome.win:107- +- chrome.mac:107- +- chrome.linux:107- +tags: [] +type: list diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsEnabledForUrls.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsEnabledForUrls.yaml new file mode 100644 index 000000000000..f457055674eb --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveShieldsEnabledForUrls.yaml @@ -0,0 +1,32 @@ +caption: Enable Brave Shields for URLs +default: null +desc: |- + Forces the shields in Brave to be enabled for specific web sites. + + You can use special syntax to wildcard a domain. +example_value: +- "[*.]brave.com" +- https://www.example.com +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: false +items: +- caption: Force enable shields for example.com + value: + - https://www.example.com +- caption: Shields on for all sites by default + value: null +owners: +- clifton@brave.com +schema: + items: + type: string + type: array +supported_on: +- chrome.win:107- +- chrome.mac:107- +- chrome.linux:107- +tags: [] +type: list 
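Review bot: `per_profile: false` in this file and in `BraveShieldsEnabledForUrls.yaml` differs from the definitions this patch removes from `generate_policy_source.py`, which set `'per_profile': True` for both Shields policies. `supported_on` also narrows from `chrome.*:107-` to the three desktop entries. The commit message describes a restyle, so if the flip is unintended keep `per_profile: true`; if it is intended, say so in the commit description, because it presumably changes the scope at which the Shields URL lists are applied. The line "You can use special syntax to wildcard a domain" would also be easier to act on if it named the pattern form shown in `example_value`, e.g. `[*.]twitter.com`.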
diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveSyncUrl.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveSyncUrl.yaml new file mode 100644 index 000000000000..b8fb48e10bb3 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveSyncUrl.yaml @@ -0,0 +1,29 @@ +caption: Specify Brave Sync server URL +default: null +desc: |- + Specify the URL for Brave to use with its sync service. + + If this policy is set to a non empty string, that string will be used as the URL with Brave Sync. + If this policy is not set, the URL will default to Brave's sync server URL. + The provided URL must use the `https` scheme. +example_value: https://sync-v2.brave.com/v2 +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: true +items: +- caption: Example of setting a host + value: https://sync-v2.brave.com/v2 +- caption: Default to Brave's sync service + value: null +owners: +- alexey@brave.com +- anthony@brave.com +- clifton@brave.com +schema: + type: string +supported_on: +- chrome.*:129- +tags: [] +type: string diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveVPNDisabled.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveVPNDisabled.yaml new file mode 100644 index 000000000000..6134a7cb69a9 --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveVPNDisabled.yaml 
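Review bot: The description says the URL "must use the `https` scheme" but not what the browser does when it does not, which matters because this policy decides which server receives sync traffic. Once the behaviour is confirmed against the code that reads the pref (not part of this patch), add a line such as `If the URL does not use https, <actual behaviour, e.g. the policy is ignored and the default server is used>.` The first `items` entry, "Example of setting a host", also uses what looks like Brave's own sync endpoint, so it does not show a custom value.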
@@ -0,0 +1,38 @@ +caption: Disable Brave VPN +default: null +desc: |- + Disable Brave VPN in Brave. + + Allows users to use Brave VPN to block trackers and encrypt every connection to the Web, on every app, even outside the Brave browser. + + If this policy is set to true, Brave VPN will always be disabled. + + If this policy is set to false, Brave VPN will always be enabled. + + If you set this policy, users cannot change or override it. + + If this policy is left unset, Brave VPN will be enabled by default. +example_value: true +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: true +items: +- caption: Enable Brave VPN + value: false +- caption: Disable Brave VPN + value: true +- caption: Allow the user to decide + value: null +owners: +- shong@brave.com +- clifton@brave.com +schema: + type: boolean +supported_on: +- chrome.*:112- +future_on: +- android +tags: [] +type: main diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveWalletDisabled.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveWalletDisabled.yaml new file mode 100644 index 000000000000..4423a110745b --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/BraveWalletDisabled.yaml 
@@ -0,0 +1,37 @@ +caption: Disable Brave Wallet +default: null +desc: |- + Disable Brave Wallet in Brave. + + Allows users to use the secure, built-in crypto wallet that supercharges the browser for Web3. + + If this policy is set to true, Brave Wallet will always be disabled. + + If this policy is set to false, Brave Wallet will always be enabled. + + If you set this policy, users cannot change or override it. + + If this policy is left unset, Brave Wallet will be enabled by default. +example_value: true +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: true +items: +- caption: Enable Brave Wallet + value: false +- caption: Disable Brave Wallet + value: true +- caption: Allow the user to decide + value: null +owners: +- james@brave.com +- ddaniel@brave.com +- clifton@brave.com +schema: + type: boolean +supported_on: +- chrome.*:106- +tags: [] +type: main diff --git a/components/policy/resources/templates/policy_definitions/BraveSoftware/TorDisabled.yaml b/components/policy/resources/templates/policy_definitions/BraveSoftware/TorDisabled.yaml new file mode 100644 index 000000000000..4bb57065433d --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/BraveSoftware/TorDisabled.yaml 
@@ -0,0 +1,39 @@ +caption: Disable Tor functionality +default: null +desc: |- + Disable Tor functionality in Brave. + + Using Tor makes it more difficult to trace a user's Internet activity by preventing any single point on the Internet (other than the user's device) from being able to view both where traffic originated from and where it is ultimately going to at the same time. This conceals a user's location and usage from anyone performing network surveillance or traffic analysis from any such point, protecting the user's freedom and ability to communicate confidentially. + + If this policy is set to true, Tor functionality will always be disabled. + + If this policy is set to false, Tor functionality will always be enabled. + + If you set this policy, users cannot change or override it. + + If this policy is left unset, Tor functionality will be enabled by default. +example_value: true +features: + can_be_mandatory: true + can_be_recommended: false + dynamic_refresh: false + per_profile: false +items: +- caption: Enable Tor functionality + value: false +- caption: Disable Tor functionality + value: true +- caption: Allow the user to decide + value: null +owners: +- clifton@brave.com +- fmarier@brave.com +- anthony@brave.com +schema: + type: boolean +supported_on: +- chrome.win:78- +- chrome.mac:93- +- chrome.linux:93- +tags: [] +type: main diff --git a/components/policy/resources/templates/policy_definitions/README.md b/components/policy/resources/templates/policy_definitions/README.md new file mode 100644 index 000000000000..c2c27e8e4e0d --- /dev/null +++ b/components/policy/resources/templates/policy_definitions/README.md 
@@ -0,0 +1,20 @@ +## Policy Settings in Brave + +These are Brave specific group policies. + +Our official documentation is [available here](https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy). + +For information about adding a new policy, please see [this page](https://source.chromium.org/chromium/chromium/src/+/main:docs/enterprise/add_new_policy.md). + +In a nutshell, the steps for adding a new policy in Brave look like this: + +1. Create a new .yaml file under `//brave/components/policy/resources/templates/policy_definitions/BraveSoftware/`. The name of the file itself will be the policy name. Chromium uses capital casing. For example, we have a policy for disabling Brave Rewards called `BraveRewardsDisable.yaml`. The name used for matching is `BraveRewardsDisable`. +2. Update the properties in that file accordingly. Look at some of the existing ones as an example. +3. Go into `//brave/browser/policy/brave_simple_policy_map.h` and add your entry here. It'll be auto-generated as `policy::key::k` and then the policy name. With the above example, that would be `policy::key::kBraveRewardsDisable`. You must map this to a profile preference (you must create a new one). That new preference is what you'll check in the code. +4. Go into `//brave/chromium_src/components/policy/resources/policy_templates.py` and add your policy name to the end of the existing string array there. +5. In the code where you want to check the profile preference, you can tell if it's set via policy by checking `prefs->IsManagedPreference()`. If this is set to true, you might want to have the UI display something like "This setting is managed by your organization" and have it be read-only. +6. Build the project like regular (`npm run build`). +7. You can build the policy templates using `npm run build -- --target=brave/components/policy:pack_policy_templates`. +8. The group policy assets get output to `//out//brave_policy_templates.zip`. 
You can open this up and inspect the registry and adm/admx files. + +If rebuilding isn't picking up your policy, you can try to delete `//out//gen/components/policy/policy_constants.cc`. Rebuilding will trigger the rebuild for this file and your changes should be there. diff --git a/patches/components-policy-resources-policy_templates.py.patch b/patches/components-policy-resources-policy_templates.py.patch new file mode 100644 index 000000000000..258d1e8a9555 --- /dev/null +++ b/patches/components-policy-resources-policy_templates.py.patch @@ -0,0 +1,11 @@ +diff --git a/components/policy/resources/policy_templates.py b/components/policy/resources/policy_templates.py +index 13510d3ec7bf2a77d19fcbe30a61abe1b40cc518..a54af0542cff94577d47b16e8199b6f1ecf1c1a5 100755 +--- a/components/policy/resources/policy_templates.py ++++ b/components/policy/resources/policy_templates.py +@@ -414,5 +414,6 @@ def main(): + if args.deps_file: + _WriteDepFile(args.deps_file, args.dest, files) + ++from brave_chromium_utils import inline_chromium_src_override; inline_chromium_src_override(globals(), locals()) + if '__main__' == __name__: + sys.exit(main())