Add immutable settings checks when handling policy.

chrome/browser/policy/enterprise_install_attributes.cc

Index: chrome/browser/policy/enterprise_install_attributes.cc
diff --git a/chrome/browser/policy/enterprise_install_attributes.cc b/chrome/browser/policy/enterprise_install_attributes.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0fec96f96c9e59bff532b520be30947150cb74aa
--- /dev/null
+++ b/chrome/browser/policy/enterprise_install_attributes.cc
@@ -0,0 +1,112 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/policy/enterprise_install_attributes.h"
+
+#include "base/logging.h"
+#include "chrome/browser/chromeos/cros/cryptohome_library.h"
+
+static const char kAttrEnterpriseOwned[] = "enterprise.owned";
+static const char kAttrEnterpriseUser[] = "enterprise.user";
+
+namespace policy {
+
+EnterpriseInstallAttributes::EnterpriseInstallAttributes(
+    chromeos::CryptohomeLibrary* cryptohome)
+    : cryptohome_(cryptohome),
+      device_locked_(false) {}
+
+EnterpriseInstallAttributes::LockResult EnterpriseInstallAttributes::LockDevice(
+    const std::string& user) {
+  // Check for existing lock first.
+  if (device_locked_) {
+    return !registration_user_.empty() && user == registration_user_ ?
+        LOCK_SUCCESS : LOCK_WRONG_USER;
+  }
+
+  if (!cryptohome_->InstallAttributesIsReady())
+    return LOCK_NOT_READY;
+
+  // Clearing the TPM password seems to be always a good deal.
+  if (cryptohome_->TpmIsEnabled() &&
+      !cryptohome_->TpmIsBeingOwned() &&
+      cryptohome_->TpmIsOwned()) {
+    cryptohome_->TpmClearStoredPassword();
+  }
+
+  // Make sure we really have a working InstallAttrs.
+  if (cryptohome_->InstallAttributesIsInvalid()) {
+    LOG(ERROR) << "Install attributes invalid.";
+    return LOCK_BACKEND_ERROR;
+  }
+
+  if (!cryptohome_->InstallAttributesIsFirstInstall())
+    return LOCK_WRONG_USER;
+
+  // Set values in the InstallAttrs and lock it.
+  if (!cryptohome_->InstallAttributesSet(kAttrEnterpriseOwned, "true") ||
+      !cryptohome_->InstallAttributesSet(kAttrEnterpriseUser, user)) {
+    LOG(ERROR) << "Failed writing attributes";
+    return LOCK_BACKEND_ERROR;
+  }
+
+  if (!cryptohome_->InstallAttributesFinalize() ||
+      cryptohome_->InstallAttributesIsFirstInstall() ||
+      GetRegistrationUser() != user) {
+    LOG(ERROR) << "Failed locking.";
+    return LOCK_BACKEND_ERROR;
+  }
+
+  return LOCK_SUCCESS;
+}
+
+bool EnterpriseInstallAttributes::IsEnterpriseDevice() {
+  ReadImmutableAttributes();
+  return device_locked_ && !registration_user_.empty();
+}
+
+std::string EnterpriseInstallAttributes::GetRegistrationUser() {
+  ReadImmutableAttributes();
+
+  if (!device_locked_)
+    return std::string();
+
+  return registration_user_;
+}
+
+std::string EnterpriseInstallAttributes::GetDomain() {
+  if (!IsEnterpriseDevice())
+    return std::string();
+
+  std::string domain;
+  size_t pos = registration_user_.find('@');
+  if (pos != std::string::npos)
+    domain = registration_user_.substr(pos + 1);
+
+  return domain;
+}
+
+void EnterpriseInstallAttributes::ReadImmutableAttributes() {
+  if (device_locked_)
+    return;
+
+  if (cryptohome_ &&
+      cryptohome_->InstallAttributesIsReady() &&
+      !cryptohome_->InstallAttributesIsInvalid() &&
+      !cryptohome_->InstallAttributesIsFirstInstall()) {
+    device_locked_ = true;
+    std::string enterprise_owned;
+    std::string enterprise_user;
+    if (cryptohome_->InstallAttributesGet(kAttrEnterpriseOwned,
+                                          &enterprise_owned) &&
+        cryptohome_->InstallAttributesGet(kAttrEnterpriseUser,
+                                          &enterprise_user) &&
+        enterprise_owned == "true" &&
+        !enterprise_user.empty()) {
+      registration_user_ = enterprise_user;
+    }
+  }
+}
+
+}  // namespace policy