Add support for loading user cloud policy on desktop.

chrome/browser/profiles/profile_impl.cc

Index: chrome/browser/profiles/profile_impl.cc
diff --git a/chrome/browser/profiles/profile_impl.cc b/chrome/browser/profiles/profile_impl.cc
index 0e03dbe5355b85a731a3e41ba2516da121ff3f61..babe81a8c7cdef6e8fbeb31c4040ea8e50aab2f2 100644
--- a/chrome/browser/profiles/profile_impl.cc
+++ b/chrome/browser/profiles/profile_impl.cc
@@ -56,6 +56,7 @@
 #include "chrome/browser/net/url_fixer_upper.h"
 #include "chrome/browser/plugin_prefs.h"
 #include "chrome/browser/policy/policy_service.h"
+#include "chrome/browser/policy/user_cloud_policy_manager.h"
 #include "chrome/browser/prefs/browser_prefs.h"
 #include "chrome/browser/prefs/scoped_user_pref_update.h"
 #include "chrome/browser/prerender/prerender_manager_factory.h"
@@ -285,10 +286,33 @@ ProfileImpl::ProfileImpl(const FilePath& path,
   session_restore_enabled_ =
       !command_line->HasSwitch(switches::kDisableRestoreSessionState);
 #if defined(ENABLE_CONFIGURATION_POLICY)
-  policy_service_.reset(
-      g_browser_process->browser_policy_connector()->CreatePolicyService(this));
+  if (command_line->HasSwitch(switches::kEnableCloudPolicyService)) {
+    bool wait_for_policy_fetch = false;
+#if defined(OS_CHROMEOS)
+    // TODO(mnissler): Revisit once Chrome OS gains multi-profiles support.
+    // Don't wait for a policy fetch if there's no logged in user.
+    if (chromeos::UserManager::Get()->IsUserLoggedIn()) {
+      wait_for_policy_fetch =
+          g_browser_process->browser_policy_connector()->GetUserAffiliation(
+              chromeos::UserManager::Get()->GetLoggedInUser().email()) ==
+                  policy::USER_AFFILIATION_MANAGED;

[Mattias Nissler (ping if slow), 2012/08/03 12:19:08]

Ah, I still feel bad for this hack. It would be nice if we could pass the
wait_for_policy_fetch flag on profile creation instead, not sure whether that's
possible though.

[Andrew T Wilson (Slow), 2012/08/04 00:54:41]

Well, ultimately PolicyService and UserCloudPolicyManager should be
ProfileKeyedServices - the problem is that they need to get initialized *before*
PrefService, which is not yet a ProfileKeyedService.

As an interim move, I will move all of this code into a
BrowserPolicyConnector::CreateUserCloudPolicyManager() function - it's not as
good as injecting these classes as constructor arguments, but I don't want to do
that work when the real long-term solution is to make them PKSes.

+    }
 #else
-    policy_service_.reset(new policy::PolicyServiceStub());
+    // On desktop, there's no way to figure out if a user is logged in yet
+    // because prefs are not yet initialized. So we do not block waiting for
+    // the policy fetch to happen (because that would inhibit startup for
+    // non-signed-in users) and instead rely on the fact that a signed-in
+    // profile will already have policy downloaded. If no policy is available
+    // (due to a previous fetch failing), the normal policy refresh mechanism
+    // will cause it to get downloaded eventually.

[Mattias Nissler (ping if slow), 2012/08/03 12:19:08]

Not sure this is going to fly long term. If we force signing in to make sure the
user gets policy, the admin will also expect that settings relevant to startup
(i.e. the RestoreOnStartup policy) takes effect. For that case, waiting for the
sign in and the policy fetch to complete before opening the browser window might
be the way to go.

I think it's fair for now though to ignore the issue.

[Andrew T Wilson (Slow), 2012/08/04 00:54:41]

Yeah, what we do here is very dependent on what kind of force-login UI we come
up with. Ideally, we could still just pass "wait_for_policy_fetch=false" to let
the Profile load up, then display some kind of blocking UI while we wait for the
policy to load - I think that's a better UX anyway, although it presumes that
Chrome can dynamically apply all of the policy updates without requiring a
restart (or at least the most important ones).
Agreed.

[Mattias Nissler (ping if slow), 2012/08/06 08:33:52]

Reapplying policy when it changes is generally our goal when writing policy
code, so this might actually be OK. As I said, I'm more concerned with policies
that influence startup behavior.

+#endif
+    cloud_policy_manager_ = policy::UserCloudPolicyManager::Create(
+        this, wait_for_policy_fetch);
+  }
+  policy_service_ =
+      g_browser_process->browser_policy_connector()->CreatePolicyService(this);
+#else
+  policy_service_.reset(new policy::PolicyServiceStub());
 #endif
   if (create_mode == CREATE_MODE_ASYNCHRONOUS) {
     prefs_.reset(PrefService::CreatePrefService(
@@ -643,6 +667,10 @@ bool ProfileImpl::WasCreatedByVersionOrLater(const std::string& version) {
   return (profile_version.CompareTo(arg_version) >= 0);
 }
 
+policy::UserCloudPolicyManager* ProfileImpl::GetUserCloudPolicyManager() {
+  return cloud_policy_manager_.get();
+}
+
 policy::PolicyService* ProfileImpl::GetPolicyService() {
   DCHECK(policy_service_.get());  // Should explicitly be initialized.
   return policy_service_.get();