Don't register gmail users at the device management server

chrome/browser/policy/device_token_fetcher.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/device_token_fetcher.h"
 
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/singleton.h"
+#include "base/string_util.h"
 #include "chrome/browser/guid.h"
 #include "chrome/browser/net/gaia/token_service.h"
 #include "chrome/browser/policy/proto/device_management_local.pb.h"
+#include "chrome/browser/profile.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/net/gaia/gaia_constants.h"
 #include "chrome/common/notification_details.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/notification_source.h"
 #include "chrome/common/notification_type.h"
 
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/login/user_manager.h"
+#else
+#include "chrome/browser/browser_signin.h"
+#endif
+
+namespace {
+
+// Domain names that are known not to support Dasher.
+// We don't register the device when such a user logs in.
+const char* kNonDasherDomains[] = {

[danno, 2010/11/23 17:04:49]

See comment below about Dasher.

[gfeher, 2010/11/24 19:38:40]

Done.

+  "@googlemail.com",

[Nikita (slow), 2010/11/25 12:18:00]

Just a note, that I've been able to login with Google Account that is not
gmail/googlemail account.
It's also not an Apps account.

+  "@gmail.com"
+};
+
+// Checks the domain part of the given username against the list of known
+// non-dasher domain names. Returns false if |username| is empty or its
+// in a domain known not to be supported by dasher.
+bool CanBeInDasherDomain(const std::string& username) {

[danno, 2010/11/23 17:04:49]

Is it possible to login with a user name that has trailing whitespace? Does this
still work?

[gfeher, 2010/11/24 19:38:40]

I've made an experiment with ChromeOS. I could add trailing whitespaces and this
still worked. I guess whitespaces are trimmed at the GUI level. Or at least,
they should be.

+  if (username.empty()) {
+    // This means incognito user in case of ChromiumOS and
+    // no logged-in user in case of Chromium (SigninService).
+    return false;
+  }
+  for (size_t i = 0; i < arraysize(kNonDasherDomains); i++) {
+    if (EndsWith(username, kNonDasherDomains[i], true)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+}  // namespace
+
 namespace policy {
 
 namespace em = enterprise_management;
 
 DeviceTokenFetcher::DeviceTokenFetcher(
     DeviceManagementBackend* backend,
-    TokenService* token_service,
+    Profile* profile,
     const FilePath& token_path)
-    : token_path_(token_path),
+    : profile_(profile),
+      token_path_(token_path),
       backend_(backend),
-      token_service_(token_service),
       state_(kStateNotStarted),
       device_token_load_complete_event_(true, false) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
-  auth_token_ = token_service_->GetTokenForService(
+  TokenService* token_service = profile_->GetTokenService();
+  auth_token_ = token_service->GetTokenForService(
       GaiaConstants::kDeviceManagementService);
 
   registrar_.Add(this,
                  NotificationType::TOKEN_AVAILABLE,
-                 Source<TokenService>(token_service_));
+                 Source<TokenService>(token_service));
+  // Register for the event of user login. The device management token won't
+  // be fetched until we know the domain of the currently logged in user.
+#if defined(OS_CHROMEOS)
+  registrar_.Add(this,
+                 NotificationType::LOGIN_USER_CHANGED,
+                 NotificationService::AllSources());
+#else
+  registrar_.Add(this,
+                 NotificationType::GOOGLE_SIGNIN_SUCCESSFUL,
+                 Source<Profile>(profile_));
+#endif
 }
 
 void DeviceTokenFetcher::Observe(NotificationType type,
                                  const NotificationSource& source,
                                  const NotificationDetails& details) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   if (type == NotificationType::TOKEN_AVAILABLE) {
-    if (Source<TokenService>(source).ptr() == token_service_) {
+    if (Source<TokenService>(source).ptr() == profile_->GetTokenService()) {
       const TokenService::TokenAvailableDetails* token_details =
           Details<const TokenService::TokenAvailableDetails>(details).ptr();
       if (token_details->service() == GaiaConstants::kDeviceManagementService) {
         if (!HasAuthToken()) {
           auth_token_ = token_details->token();
           SendServerRequestIfPossible();
         }
       }
     }
+#if defined(OS_CHROMEOS)
+  } else if (type == NotificationType::LOGIN_USER_CHANGED) {
+    SendServerRequestIfPossible();
+#else
+  } else if (type == NotificationType::GOOGLE_SIGNIN_SUCCESSFUL) {
+    if (profile_ == Source<Profile>(source).ptr()) {
+      SendServerRequestIfPossible();
+    }
+#endif
   } else {
     NOTREACHED();
   }
 }
 
+std::string DeviceTokenFetcher::GetCurrentUser() {
+#if defined(OS_CHROMEOS)
+  return chromeos::UserManager::Get()->logged_in_user().email();
+#else
+  return profile_->GetBrowserSignin()->GetSignedInUsername();
+#endif
+}
+
 void DeviceTokenFetcher::HandleRegisterResponse(
     const em::DeviceRegisterResponse& response) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   DCHECK_EQ(kStateRequestingDeviceTokenFromServer, state_);
   if (response.has_device_management_token()) {
     device_token_ = response.device_management_token();
     BrowserThread::PostTask(
         BrowserThread::FILE,
         FROM_HERE,
         NewRunnableFunction(&WriteDeviceTokenToDisk,
@@ skipping 27 matching lines @@
     // FILE thread.
     BrowserThread::PostTask(
         BrowserThread::FILE,
         FROM_HERE,
         NewRunnableMethod(this,
                           &DeviceTokenFetcher::AttemptTokenLoadFromDisk));
   }
 }
 
 void DeviceTokenFetcher::Shutdown() {
-  token_service_ = NULL;
+  profile_ = NULL;
   backend_ = NULL;
 }
 
 void DeviceTokenFetcher::AttemptTokenLoadFromDisk() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
   if (file_util::PathExists(token_path_)) {
     std::string data;
     em::DeviceCredentials device_credentials;
     if (file_util::ReadFileToString(token_path_, &data) &&
         device_credentials.ParseFromArray(data.c_str(), data.size())) {
@@ skipping 19 matching lines @@
 }
 
 void DeviceTokenFetcher::MakeReadyToRequestDeviceToken() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   SetState(kStateReadyToRequestDeviceTokenFromServer);
   SendServerRequestIfPossible();
 }
 
 void DeviceTokenFetcher::SendServerRequestIfPossible() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  std::string username = GetCurrentUser();
   if (state_ == kStateReadyToRequestDeviceTokenFromServer
       && HasAuthToken()
-      && backend_) {
-    em::DeviceRegisterRequest register_request;
-    SetState(kStateRequestingDeviceTokenFromServer);
-    backend_->ProcessRegisterRequest(auth_token_,
-                                     GetDeviceID(),
-                                     register_request,
-                                     this);
+      && backend_
+      && !username.empty()) {
+    if (CanBeInDasherDomain(username)) {

[danno, 2010/11/23 17:04:49]

Don't use Dasher, use something like "IsGoogleAccountsForYourDomainUser" or
similar.

[gfeher, 2010/11/24 19:38:40]

How about simply saying "non-managed"?

+      em::DeviceRegisterRequest register_request;
+      SetState(kStateRequestingDeviceTokenFromServer);
+      backend_->ProcessRegisterRequest(auth_token_,
+                                       GetDeviceID(),
+                                       register_request,
+                                       this);
+    } else {
+      OnError(DeviceManagementBackend::kErrorServiceManagementNotSupported);

[danno, 2010/11/23 17:04:49]

There is a new method on the delegate for this, OnNonManaged, you should send
that instead.

[gfeher, 2010/11/24 19:38:40]

Done.

+    }
   }
 }
 
 bool DeviceTokenFetcher::IsTokenPending() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   return !device_token_load_complete_event_.IsSignaled();
 }
 
 std::string DeviceTokenFetcher::GetDeviceToken() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
@@ skipping 49 matching lines @@
   DCHECK(no_error);
   file_util::WriteFile(path, data.c_str(), data.length());
 }
 
 // static
 std::string DeviceTokenFetcher::GenerateNewDeviceID() {
   return guid::GenerateGUID();
 }
 
 }  // namespace policy