Don't register gmail users at the device management server

chrome/browser/policy/device_token_fetcher.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/device_token_fetcher.h"
 
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/singleton.h"
+#include "base/string_util.h"
 #include "chrome/browser/guid.h"
 #include "chrome/browser/net/gaia/token_service.h"
 #include "chrome/browser/policy/proto/device_management_local.pb.h"
+#include "chrome/browser/profile.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/net/gaia/gaia_constants.h"
 #include "chrome/common/notification_details.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/notification_source.h"
 #include "chrome/common/notification_type.h"
 
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/login/user_manager.h"
+#else
+#include "chrome/browser/browser_signin.h"
+#endif
+
+namespace {
+
+// Domain names that are known not to be managed.
+// We don't register the device when such a user logs in.
+const char* kNonManagedDomains[] = {
+  "@googlemail.com",
+  "@gmail.com"
+};
+
+// Checks the domain part of the given username against the list of known
+// non-managed domain names. Returns false if |username| is empty or its
+// in a domain known not to be managed.
+bool CanBeInManagedDomain(const std::string& username) {
+  if (username.empty()) {
+    // This means incognito user in case of ChromiumOS and
+    // no logged-in user in case of Chromium (SigninService).
+    return false;
+  }
+  for (size_t i = 0; i < arraysize(kNonManagedDomains); i++) {
+    if (EndsWith(username, kNonManagedDomains[i], true)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+}  // namespace
+
 namespace policy {
 
 namespace em = enterprise_management;
 
 DeviceTokenFetcher::DeviceTokenFetcher(
     DeviceManagementBackend* backend,
-    TokenService* token_service,
+    Profile* profile,
     const FilePath& token_path)
-    : token_path_(token_path),
+    : profile_(profile),
+      token_path_(token_path),
       backend_(backend),
-      token_service_(token_service),
       state_(kStateNotStarted),
       device_token_load_complete_event_(true, false) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
-  auth_token_ = token_service_->GetTokenForService(
+  TokenService* token_service = profile_->GetTokenService();
+  auth_token_ = token_service->GetTokenForService(
       GaiaConstants::kDeviceManagementService);
 
   registrar_.Add(this,
                  NotificationType::TOKEN_AVAILABLE,
-                 Source<TokenService>(token_service_));
+                 Source<TokenService>(token_service));
+  // Register for the event of user login. The device management token won't
+  // be fetched until we know the domain of the currently logged in user.
+#if defined(OS_CHROMEOS)
+  registrar_.Add(this,
+                 NotificationType::LOGIN_USER_CHANGED,
+                 NotificationService::AllSources());
+#else
+  registrar_.Add(this,
+                 NotificationType::GOOGLE_SIGNIN_SUCCESSFUL,
+                 Source<Profile>(profile_));
+#endif
 }
 
 void DeviceTokenFetcher::Observe(NotificationType type,
                                  const NotificationSource& source,
                                  const NotificationDetails& details) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   if (type == NotificationType::TOKEN_AVAILABLE) {
-    if (Source<TokenService>(source).ptr() == token_service_) {
+    if (Source<TokenService>(source).ptr() == profile_->GetTokenService()) {
       const TokenService::TokenAvailableDetails* token_details =
           Details<const TokenService::TokenAvailableDetails>(details).ptr();
       if (token_details->service() == GaiaConstants::kDeviceManagementService) {
         if (!HasAuthToken()) {
           auth_token_ = token_details->token();
           SendServerRequestIfPossible();
         }
       }
     }
+#if defined(OS_CHROMEOS)
+  } else if (type == NotificationType::LOGIN_USER_CHANGED) {
+    SendServerRequestIfPossible();
+#else
+  } else if (type == NotificationType::GOOGLE_SIGNIN_SUCCESSFUL) {
+    if (profile_ == Source<Profile>(source).ptr()) {
+      SendServerRequestIfPossible();
+    }
+#endif
   } else {
     NOTREACHED();
   }
 }
 
+std::string DeviceTokenFetcher::GetCurrentUser() {
+#if defined(OS_CHROMEOS)
+  return chromeos::UserManager::Get()->logged_in_user().email();
+#else
+  return profile_->GetBrowserSignin()->GetSignedInUsername();
+#endif
+}
+
 void DeviceTokenFetcher::HandleRegisterResponse(
     const em::DeviceRegisterResponse& response) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   DCHECK_EQ(kStateRequestingDeviceTokenFromServer, state_);
   if (response.has_device_management_token()) {
     device_token_ = response.device_management_token();
     BrowserThread::PostTask(
         BrowserThread::FILE,
         FROM_HERE,
         NewRunnableFunction(&WriteDeviceTokenToDisk,
@@ skipping 41 matching lines @@
     // FILE thread.
     BrowserThread::PostTask(
         BrowserThread::FILE,
         FROM_HERE,
         NewRunnableMethod(this,
                           &DeviceTokenFetcher::AttemptTokenLoadFromDisk));
   }
 }
 
 void DeviceTokenFetcher::Shutdown() {
-  token_service_ = NULL;
+  profile_ = NULL;
   backend_ = NULL;
 }
 
 void DeviceTokenFetcher::AttemptTokenLoadFromDisk() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
   if (file_util::PathExists(token_path_)) {
     std::string data;
     em::DeviceCredentials device_credentials;
     if (file_util::ReadFileToString(token_path_, &data) &&
         device_credentials.ParseFromArray(data.c_str(), data.size())) {
@@ skipping 19 matching lines @@
 }
 
 void DeviceTokenFetcher::MakeReadyToRequestDeviceToken() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   SetState(kStateReadyToRequestDeviceTokenFromServer);
   SendServerRequestIfPossible();
 }
 
 void DeviceTokenFetcher::SendServerRequestIfPossible() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  std::string username = GetCurrentUser();
   if (state_ == kStateReadyToRequestDeviceTokenFromServer
       && HasAuthToken()
-      && backend_) {
-    em::DeviceRegisterRequest register_request;
-    SetState(kStateRequestingDeviceTokenFromServer);
-    backend_->ProcessRegisterRequest(auth_token_,
-                                     GetDeviceID(),
-                                     register_request,
-                                     this);
+      && backend_
+      && !username.empty()) {

[Jakob Kummerow, 2010/11/27 10:56:29]

I strongly suggest to remove this line. 
The case "username.empty() == true" is handled by CanBeInManagedDomain(), and it
is imperative that kStateNotManaged is set in that case, which won't happen with
this additional check being in place. (Otherwise, the DeviceTokenFetcher will
never signal anything to the outside world, possibly leading to other components
waiting forever.)

+    if (CanBeInManagedDomain(username)) {
+      em::DeviceRegisterRequest register_request;
+      SetState(kStateRequestingDeviceTokenFromServer);
+      backend_->ProcessRegisterRequest(auth_token_,
+                                       GetDeviceID(),
+                                       register_request,
+                                       this);
+    } else {
+      SetState(kStateNotManaged);
+    }
   }
 }
 
 bool DeviceTokenFetcher::IsTokenPending() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   return !device_token_load_complete_event_.IsSignaled();
 }
 
 std::string DeviceTokenFetcher::GetDeviceToken() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
@@ skipping 50 matching lines @@
   DCHECK(no_error);
   file_util::WriteFile(path, data.c_str(), data.length());
 }
 
 // static
 std::string DeviceTokenFetcher::GenerateNewDeviceID() {
   return guid::GenerateGUID();
 }
 
 }  // namespace policy