Add support for loading user cloud policy on desktop.

chrome/browser/policy/user_policy_signin_service.cc

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/policy/user_policy_signin_service.h"
+
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
+#include "chrome/browser/policy/cloud_policy_service.h"
+#include "chrome/browser/policy/user_cloud_policy_manager.h"
+#include "chrome/browser/prefs/pref_service.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/signin/signin_manager.h"
+#include "chrome/browser/signin/signin_manager_factory.h"
+#include "chrome/browser/signin/token_service.h"
+#include "chrome/browser/signin/token_service_factory.h"
+#include "chrome/common/chrome_notification_types.h"
+#include "chrome/common/net/gaia/gaia_constants.h"
+#include "chrome/common/net/gaia/gaia_urls.h"
+#include "chrome/common/net/gaia/oauth2_access_token_fetcher.h"
+#include "chrome/common/pref_names.h"
+#include "content/public/browser/notification_details.h"
+#include "content/public/browser/notification_source.h"
+
+namespace {
+// TODO(atwilson): Move this once we add OAuth token support to TokenService.

[Mattias Nissler (ping if slow), 2012/08/03 12:19:08]

So we still don't have it? I was under the impression it got implemented, but I
may be wrong.

[Andrew T Wilson (Slow), 2012/08/04 00:54:41]

There are two separate but related issues:

a) Using ClientOAuth in SigninManager to allow logging in with an OTP. This
generates an OAuth token that we turn around and generate a sid/lsid token with,
and then fetch a bunch of old-style ClientLogin tokens for various services.
b) Switching over our chrome services to use OAuth tokens, and changing
TokenService to fetch/persist these OAuth tokens so each service doesn't have to
fetch their own.

a) is somewhat done, although disabled because the GAIA server-side isn't ready
to support it at scale yet.
b) is not done at all. Right now, even though we generate an OAuth login refresh
token, the TokenService doesn't automatically fetch these tokens for services
(since it only knows about ClientLogin), nor does it refresh them if they time
out, etc. So every service has to wrangle their own, which is inefficient and
fragile.

I'm talking about b) in this comment.

[Mattias Nissler (ping if slow), 2012/08/06 08:33:52]

Ah, thanks for the clarification!

+const char kServiceScopeChromeOSDeviceManagement[] =
+    "https://www.googleapis.com/auth/chromeosdevicemanagement";
+
+// How long to delay before starting device policy network requests. Set to a
+// few seconds to alleviate contention during initial startup.
+const int64 kPolicyServiceInitializationDelayMilliseconds = 2000;
+}  // namespace
+
+namespace policy {
+
+UserPolicySigninService::UserPolicySigninService(
+    Profile* profile, UserCloudPolicyManager* manager)

[Mattias Nissler (ping if slow), 2012/08/03 12:19:08]

arguments on separate lines (as per Chromium style)

[Andrew T Wilson (Slow), 2012/08/04 00:54:41]

Done.

+    : profile_(profile),
+      manager_(manager) {
+
+  // Initialize/shutdown the UserCloudPolicyManager when the user signs in or
+  // out.
+  registrar_.Add(this,
+                 chrome::NOTIFICATION_GOOGLE_SIGNED_OUT,
+                 content::Source<Profile>(profile));
+  registrar_.Add(this,
+                 chrome::NOTIFICATION_TOKEN_AVAILABLE,
+                 content::Source<TokenService>(
+                     TokenServiceFactory::GetForProfile(profile)));
+
+  // The Profile is not yet fully initialized when this object is created,
+  // so wait until the initialization has finished to initialize the
+  // UserCloudPolicyManager as otherwise various crashes ensue from services
+  // trying to access the partially-initialized Profile.
+  // TODO(atwilson): Remove this once ProfileImpl::DoFinalInit() goes away and
+  // the profile is fully initialized before ProfileKeyedServices are created.
+  registrar_.Add(this,
+                 chrome::NOTIFICATION_PROFILE_ADDED,
+                 content::Source<Profile>(profile));
+}
+
+UserPolicySigninService::~UserPolicySigninService() {
+}
+
+void UserPolicySigninService::Observe(
+    int type,
+    const content::NotificationSource& source,
+    const content::NotificationDetails& details) {
+  switch (type) {
+    case chrome::NOTIFICATION_PROFILE_ADDED:
+      // Profile is initialized so it's safe to initialize the
+      // UserCloudPolicyManager now.
+      ConfigureUserCloudPolicyManager();
+      break;
+    case chrome::NOTIFICATION_GOOGLE_SIGNED_OUT:
+      ConfigureUserCloudPolicyManager();
+      break;
+    case chrome::NOTIFICATION_TOKEN_AVAILABLE: {
+      const TokenService::TokenAvailableDetails& token_details =
+          *(content::Details<const TokenService::TokenAvailableDetails>(
+              details).ptr());
+      if (token_details.service() ==
+          GaiaConstants::kGaiaOAuth2LoginRefreshToken) {
+        // TokenService now has a refresh token, so reconfigure the
+        // UserCloudPolicyManager to initiate a DMToken fetch if needed.
+        ConfigureUserCloudPolicyManager();
+      }
+      break;
+    }
+    default:
+      NOTREACHED();
+  }
+}
+
+
+void UserPolicySigninService::ConfigureUserCloudPolicyManager() {
+  // Don't do anything unless cloud policy is enabled.
+  if (!profile_->GetPrefs()->GetBoolean(prefs::kLoadCloudPolicyOnSignin))
+    return;
+
+  // Either startup or shutdown the UserCloudPolicyManager depending on whether
+  // the user is signed in or not.
+  if (!manager_)
+    return;  // Can be null in unit tests.
+
+  SigninManager* signin_manager = SigninManagerFactory::GetForProfile(profile_);
+  if (signin_manager->GetAuthenticatedUsername().empty()) {
+    manager_->Shutdown();
+  } else {
+    if (!manager_->cloud_policy_service()) {
+      // Make sure we've initialized the DeviceManagementService. It's OK to
+      // call this multiple times so we do it every time we initialize the
+      // UserCloudPolicyManager.
+      g_browser_process->browser_policy_connector()->
+          ScheduleServiceInitialization(
+              kPolicyServiceInitializationDelayMilliseconds);
+      // Initialize the UserCloudPolicyManager if it isn't already initialized.
+      policy::DeviceManagementService* service = g_browser_process->
+          browser_policy_connector()->device_management_service();
+      manager_->Initialize(g_browser_process->local_state(),

[Mattias Nissler (ping if slow), 2012/08/03 12:19:08]

I think you want the Profile's PrefService here to get the correct refresh rate
policy.

[Andrew T Wilson (Slow), 2012/08/04 00:54:41]

That pref is only registered as part of browser local state
(CloudPolicySubsystem::RegisterPrefs() is called from
BrowserPrefs::RegisterLocalState(), which means it doesn't exist on profile
prefs. We can move this to be per-profile in a separate CL if we think this
really should not be a global browser pref.

Anyhow, I think the right thing to do here is to pass in the refresh rate rather
than pass in prefs - that will make it simpler if we want to allow this to vary
per-profile, while still allowing us to reload device policy using browser
prefs?

[Mattias Nissler (ping if slow), 2012/08/06 08:33:52]

Agree (see also other comment).
Device policy could continue using local_state. Also, as mentioned elsewhere, we
want to be able to pick up changes to the pref. If you pass in the refresh rate,
you'll have to handle that separately.

+                           service,
+                           policy::USER_AFFILIATION_NONE);
+      DCHECK(manager_->cloud_policy_service());
+    }
+
+    // Register the CloudPolicyService if needed.
+    if (!manager_->IsClientRegistered())
+      RegisterCloudPolicyService();
+  }
+}
+
+void UserPolicySigninService::RegisterCloudPolicyService() {
+  // TODO(atwilson): Move the code to mint the devicemanagement token into
+  // TokenService.
+  std::string token = TokenServiceFactory::GetForProfile(profile_)->
+                          GetOAuth2LoginRefreshToken();
+  if (token.empty()) {
+    DLOG(WARNING) << "No OAuth Refresh Token - delaying policy download";
+    return;
+  }
+
+  // Do nothing if already fetching an access token.
+  if (oauth2_access_token_fetcher_.get())
+    return;
+
+  // Start fetching an OAuth2 access token for the device management service and
+  // hand it off to the CloudPolicyClient when done.
+  oauth2_access_token_fetcher_.reset(
+      new OAuth2AccessTokenFetcher(this, profile_->GetRequestContext()));
+  std::vector<std::string> scopes(1, kServiceScopeChromeOSDeviceManagement);
+  GaiaUrls* gaia_urls = GaiaUrls::GetInstance();
+  oauth2_access_token_fetcher_->Start(
+      gaia_urls->oauth2_chrome_client_id(),
+      gaia_urls->oauth2_chrome_client_secret(),
+      token,
+      scopes);
+}
+
+void UserPolicySigninService::OnGetTokenFailure(
+    const GoogleServiceAuthError& error) {
+  DLOG(WARNING) << "Could not fetch access token for "
+                << kServiceScopeChromeOSDeviceManagement;
+  oauth2_access_token_fetcher_.reset();
+  manager_->CancelWaitForPolicyFetch();
+}
+
+void UserPolicySigninService::OnGetTokenSuccess(
+    const std::string& access_token,
+    const base::Time& expiration_time) {
+  // Pass along the new access token to the CloudPolicyClient.
+  manager_->RegisterClient(access_token);
+  oauth2_access_token_fetcher_.reset();
+}
+
+}  // namespace policy