UserPolicyCache only becomes ready after policy has been fetched.

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
@@ skipping 85 matching lines @@
 const char kServiceScopeChromeOS[] =
     "https://www.googleapis.com/auth/chromesync";
 
 const char kServiceScopeChromeOSDeviceManagement[] =
     "https://www.googleapis.com/auth/chromeosdevicemanagement";
 }  // namespace
 
 // Task for fetching tokens from UI thread.
 class StartSyncOnUIThreadTask : public Task {
  public:
-  StartSyncOnUIThreadTask(
+  explicit StartSyncOnUIThreadTask(
       const GaiaAuthConsumer::ClientLoginResult& credentials)
       : credentials_(credentials) {}
   virtual ~StartSyncOnUIThreadTask() {}
 
   // Task override.
-  virtual void Run() {
+  virtual void Run() OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     LoginUtils::Get()->FetchCookies(ProfileManager::GetDefaultProfile(),
                                     credentials_);
     LoginUtils::Get()->StartSync(ProfileManager::GetDefaultProfile(),
-                                   credentials_);
+                                 credentials_);
   }
 
  private:
   GaiaAuthConsumer::ClientLoginResult credentials_;
+
+  DISALLOW_COPY_AND_ASSIGN(StartSyncOnUIThreadTask);
 };
 
 // Transfers initial set of Profile cookies from the default profile.
 class TransferDefaultCookiesOnIOThreadTask : public Task {
  public:
   TransferDefaultCookiesOnIOThreadTask(
       net::URLRequestContextGetter* auth_context,
       net::URLRequestContextGetter* new_context)
           : auth_context_(auth_context),
             new_context_(new_context) {}
   virtual ~TransferDefaultCookiesOnIOThreadTask() {}
 
   // Task override.
-  virtual void Run() {
+  virtual void Run() OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
     net::CookieStore* default_store =
         auth_context_->GetURLRequestContext()->cookie_store();
     net::CookieMonster* default_monster = default_store->GetCookieMonster();
     default_monster->SetKeepExpiredCookies();
     default_monster->GetAllCookiesAsync(
         base::Bind(
             &TransferDefaultCookiesOnIOThreadTask::InitializeCookieMonster,
             base::Unretained(this)));
   }
 
   void InitializeCookieMonster(const net::CookieList& cookies) {
      DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
      net::CookieStore* new_store =
-       new_context_->GetURLRequestContext()->cookie_store();
+         new_context_->GetURLRequestContext()->cookie_store();
      net::CookieMonster* new_monster = new_store->GetCookieMonster();
 
     if (!new_monster->InitializeFrom(cookies)) {
       LOG(WARNING) << "Failed initial cookie transfer.";
     }
   }
 
  private:
   net::URLRequestContextGetter* auth_context_;
   net::URLRequestContextGetter* new_context_;
@@ skipping 56 matching lines @@
                                      GaiaConstants::kPicasaService,
                                      oauth1_token_,
                                      oauth1_secret_);
     }
   }
 
   // GaiaOAuthConsumer implementation:
   virtual void OnOAuthLoginSuccess(const std::string& sid,
                                    const std::string& lsid,
                                    const std::string& auth) OVERRIDE {
-    GaiaAuthConsumer::ClientLoginResult credentials(sid,
-      lsid, auth, std::string());
+    GaiaAuthConsumer::ClientLoginResult credentials(
+        sid, lsid, auth, std::string());
     UserManager::Get()->set_offline_login(false);
     BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
                             new StartSyncOnUIThreadTask(credentials));
   }
 
   virtual void OnOAuthLoginFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
     LOG(WARNING) << "Failed to verify OAuth1 access tokens,"
                  << " error.state=" << error.state();
 
@@ skipping 64 matching lines @@
     // error. That will make us verify user OAuth token and try to fetch session
     // cookies again once we detect that the machine comes online.
     if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED)
       UserManager::Get()->set_offline_login(true);
   }
 
   GaiaAuthFetcher gaia_fetcher_;
   DISALLOW_COPY_AND_ASSIGN(UserSessionCookieFetcher);
 };
 
-
-// Fetches an OAuth token and initializes user policy with it.
+// Fetches the oauth token for the device management service. Since Profile
+// creation might be blocking on a user policy fetch, this fetcher must always
+// send a (possibly empty) token to the BrowserPolicyConnector, which will then
+// let the policy subsystem proceed and resume Profile creation.
+// Sending the token even when no Profile is pending is also OK.
 class PolicyOAuthFetcher : public GaiaOAuthConsumer {
  public:
+  // Fetches the device management service's oauth token using |oauth1_token|
+  // and |oauth1_secret| as access tokens.
   PolicyOAuthFetcher(Profile* profile,
                      const std::string& oauth1_token,
                      const std::string& oauth1_secret)
       : oauth_fetcher_(this,
                        profile->GetRequestContext(),
                        profile,
                        kServiceScopeChromeOSDeviceManagement),
         oauth1_token_(oauth1_token),
         oauth1_secret_(oauth1_secret) {
-    oauth_fetcher_.SetAutoFetchLimit(
-        GaiaOAuthFetcher::OAUTH2_SERVICE_ACCESS_TOKEN);
   }
+
+  // Fetches the device management service's oauth token, after also retrieving
+  // the access tokens.
+  explicit PolicyOAuthFetcher(Profile* profile)
+      : oauth_fetcher_(this,
+                       profile->GetRequestContext(),
+                       profile,
+                       kServiceScopeChromeOSDeviceManagement) {
+  }
+
   virtual ~PolicyOAuthFetcher() {}
 
   void Start() {
-    oauth_fetcher_.StartOAuthWrapBridge(
-        oauth1_token_, oauth1_secret_, GaiaConstants::kGaiaOAuthDuration,
-        std::string(kServiceScopeChromeOSDeviceManagement));
+    oauth_fetcher_.SetAutoFetchLimit(
+        GaiaOAuthFetcher::OAUTH2_SERVICE_ACCESS_TOKEN);
+
+    if (oauth1_token_.empty()) {
+      oauth_fetcher_.StartGetOAuthTokenRequest();
+    } else {
+      oauth_fetcher_.StartOAuthWrapBridge(
+          oauth1_token_, oauth1_secret_, GaiaConstants::kGaiaOAuthDuration,
+          std::string(kServiceScopeChromeOSDeviceManagement));
+    }
   }
 
-  // GaiaOAuthConsumer implementation:
+  const std::string& oauth1_token() const { return oauth1_token_; }
+  const std::string& oauth1_secret() const { return oauth1_secret_; }
+
+ private:
+  virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE {
+    VLOG(1) << "Got OAuth request token";
+  }
+
+  virtual void OnGetOAuthTokenFailure(
+      const GoogleServiceAuthError& error) OVERRIDE {
+    LOG(WARNING) << "Failed to get OAuth request token";
+    SetPolicyToken("");
+  }
+
+  virtual void OnOAuthGetAccessTokenSuccess(
+      const std::string& token,
+      const std::string& secret) OVERRIDE {
+    VLOG(1) << "Got OAuth access token";
+    oauth1_token_ = token;
+    oauth1_secret_ = secret;
+  }
+
+  virtual void OnOAuthGetAccessTokenFailure(
+      const GoogleServiceAuthError& error) OVERRIDE {
+    LOG(WARNING) << "Failed to get OAuth access token";
+    SetPolicyToken("");
+  }
+
   virtual void OnOAuthWrapBridgeSuccess(
       const std::string& service_name,
       const std::string& token,
       const std::string& expires_in) OVERRIDE {
-    policy::BrowserPolicyConnector* browser_policy_connector =
-        g_browser_process->browser_policy_connector();
-    browser_policy_connector->RegisterForUserPolicy(token);
+    VLOG(1) << "Got OAuth access token for " << service_name;
+    SetPolicyToken(token);
   }
 
   virtual void OnOAuthWrapBridgeFailure(
       const std::string& service_name,
       const GoogleServiceAuthError& error) OVERRIDE {
     LOG(WARNING) << "Failed to get OAuth access token for " << service_name;
+    SetPolicyToken("");
   }
 
- private:
+  void SetPolicyToken(const std::string& token) {
+    g_browser_process->browser_policy_connector()->RegisterForUserPolicy(token);
+  }
+
   GaiaOAuthFetcher oauth_fetcher_;
   std::string oauth1_token_;
   std::string oauth1_secret_;
 
   DISALLOW_COPY_AND_ASSIGN(PolicyOAuthFetcher);
 };
 
 // Used to request a restart to switch to the guest mode.
 class JobRestartRequest
     : public base::RefCountedThreadSafe<JobRestartRequest> {
@@ skipping 89 matching lines @@
                                       Profile* new_profile) OVERRIDE;
   virtual void TransferDefaultAuthCache(Profile* default_profile,
                                         Profile* new_profile) OVERRIDE;
 
   // ProfileManagerObserver implementation:
   virtual void OnProfileCreated(Profile* profile, Status status) OVERRIDE;
 
   // GaiaOAuthConsumer overrides.
   virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE;
   virtual void OnGetOAuthTokenFailure(
-    const GoogleServiceAuthError& error) OVERRIDE;
+      const GoogleServiceAuthError& error) OVERRIDE;
   virtual void OnOAuthGetAccessTokenSuccess(const std::string& token,
                                             const std::string& secret) OVERRIDE;
   virtual void OnOAuthGetAccessTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
 
   // net::NetworkChangeNotifier::OnlineStateObserver overrides.
   virtual void OnOnlineStateChanged(bool online) OVERRIDE;
 
   // Given the authenticated credentials from the cookie jar, try to exchange
   // fetch OAuth request, v1 and v2 tokens.
@@ skipping 46 matching lines @@
   std::string username_;
   std::string password_;
   GaiaAuthConsumer::ClientLoginResult credentials_;
   bool pending_requests_;
   bool using_oauth_;
   bool has_cookies_;
   // Has to be scoped_refptr, see comment for CreateAuthenticator(...).
   scoped_refptr<Authenticator> authenticator_;
   scoped_ptr<GaiaOAuthFetcher> oauth_fetcher_;
   scoped_ptr<PolicyOAuthFetcher> policy_oauth_fetcher_;
+  scoped_ptr<PolicyOAuthFetcher> policy_oauth_early_fetcher_;

[Mattias Nissler (ping if slow), 2011/11/11 11:41:23]

I don't see why we need two pointers here, wouldn't one do?

[Joao da Silva, 2011/11/11 12:55:14]

The 2nd pointer was used to distinguish early policy token fetches from those
done later or triggered through StartTokenServices. However, this fetch only has
to be performed once, so I've changed this to use only one fetcher now.

   scoped_ptr<OAuthLoginVerifier> oauth_login_verifier_;
 
   // Delegate to be fired when the profile will be prepared.
   LoginUtils::Delegate* delegate_;
 
   // Used to restart Chrome to switch to the guest mode.
   JobRestartRequest* job_restart_request_;
 
   DISALLOW_COPY_AND_ASSIGN(LoginUtilsImpl);
 };
@@ skipping 55 matching lines @@
   username_ = username;
   password_ = password;
 
   credentials_ = credentials;
   pending_requests_ = pending_requests;
   using_oauth_ = using_oauth;
   has_cookies_ = has_cookies;
   delegate_ = delegate;
 
   // Initialize user policy before the profile is created so the profile
-  // initialization code sees the policy settings.
-  g_browser_process->browser_policy_connector()->InitializeUserPolicy(username);
+  // initialization code sees the cached policy settings.
+  policy::BrowserPolicyConnector* connector =
+      g_browser_process->browser_policy_connector();
+  bool user_policy_needs_fetch = connector->InitializeUserPolicy(username);
+  if (user_policy_needs_fetch) {
+    if (using_oauth_ && authenticator_.get()) {
+      // Profile creation will block until user policy is fetched, which
+      // requires the DeviceManagement token. Try to fetch it now.
+      VLOG(1) << "Profile creation requires policy token, fetching now";
+      policy_oauth_early_fetcher_.reset(
+          new PolicyOAuthFetcher(authenticator_->authentication_profile()));
+      policy_oauth_early_fetcher_->Start();
+    } else {
+      // Tell the policy subsystem to resume without a policy fetch.
+      connector->RegisterForUserPolicy("");
+    }
+  }
 
   // The default profile will have been changed because the ProfileManager
   // will process the notification that the UserManager sends out.
   ProfileManager::CreateDefaultProfileAsync(this);
 }
 
 void LoginUtilsImpl::DelegateDeleted(Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
 void LoginUtilsImpl::OnProfileCreated(Profile* user_profile, Status status) {
   CHECK(user_profile);
   switch (status) {
     case STATUS_INITIALIZED:
       break;
     case STATUS_CREATED:
       if (UserManager::Get()->current_user_is_new())
         SetFirstLoginPrefs(user_profile->GetPrefs());
       RespectLocalePreference(user_profile);
       return;
     case STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
   // Initialize the user-policy backend.
-  policy::BrowserPolicyConnector* browser_policy_connector =
-      g_browser_process->browser_policy_connector();
-
   if (!using_oauth_) {
-    browser_policy_connector->SetUserPolicyTokenService(
-        user_profile->GetTokenService());
+    g_browser_process->browser_policy_connector()->
+        SetUserPolicyTokenService(user_profile->GetTokenService());
   }
 
   // We suck. This is a hack since we do not have the enterprise feature
   // done yet to pull down policies from the domain admin. We'll take this
   // out when we get that done properly.
   // TODO(xiyuan): Remove this once enterprise feature is ready.
   if (EndsWith(username_, "@google.com", true)) {
     PrefService* pref_service = user_profile->GetPrefs();
     pref_service->SetBoolean(prefs::kEnableScreenLock, true);
   }
 
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
+    // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
+    // used to fetch policies before Profile creation.
+    if (policy_oauth_early_fetcher_.get()) {
+      VLOG(1) << "Resuming profile creation after fetching policy token";
+      StoreOAuth1AccessToken(user_profile,
+                             policy_oauth_early_fetcher_->oauth1_token(),
+                             policy_oauth_early_fetcher_->oauth1_secret());
+    }
+
     // Transfer cookies when user signs in using extension.
     if (has_cookies_) {
       // Transfer cookies from the profile that was used for authentication.
       // This profile contains cookies that auth extension should have already
       // put in place that will ensure that the newly created session is
       // authenticated for the websites that work with the used authentication
       // schema.
       TransferDefaultCookies(authenticator_->authentication_profile(),
                              user_profile);
     }
@@ skipping 73 matching lines @@
   // TODO(altimofeev): Need to sanitize memory used to store password.
   credentials_ = GaiaAuthConsumer::ClientLoginResult();
 }
 
 void LoginUtilsImpl::FetchOAuth1AccessToken(Profile* auth_profile) {
   oauth_fetcher_.reset(new GaiaOAuthFetcher(this,
                                             auth_profile->GetRequestContext(),
                                             auth_profile,
                                             kServiceScopeChromeOS));
   // Let's first get the Oauth request token and OAuth1 token+secret.
-  // One we get that, we will kick off individial requests for OAuth2 tokens for
-  // all our services.
+  // Once we get that, we will kick off individual requests for OAuth2 tokens
+  // for all our services.
   oauth_fetcher_->SetAutoFetchLimit(GaiaOAuthFetcher::OAUTH1_ALL_ACCESS_TOKEN);
   oauth_fetcher_->StartGetOAuthTokenRequest();
 }
 
 void LoginUtilsImpl::FetchCookies(Profile* user_profile,
     const GaiaAuthConsumer::ClientLoginResult& credentials) {
   if (!using_oauth_) {
     // Take the credentials passed in and try to exchange them for
     // full-fledged Google authentication cookies.  This is
     // best-effort; it's possible that we'll fail due to network
@@ skipping 32 matching lines @@
         password_, false);
     username_ = "";
     password_ = "";
 
     token_service->Initialize(GaiaConstants::kChromeOSSource, user_profile);
     token_service->LoadTokensFromDB();
   }
   token_service->UpdateCredentials(credentials);
   if (token_service->AreCredentialsValid())
     token_service->StartFetchingTokens();
-
 }
 
 void LoginUtilsImpl::RespectLocalePreference(Profile* profile) {
   DCHECK(profile != NULL);
   PrefService* prefs = profile->GetPrefs();
   DCHECK(prefs != NULL);
   if (g_browser_process == NULL)
     return;
 
   std::string pref_locale = prefs->GetString(prefs::kApplicationLocale);
@@ skipping 247 matching lines @@
 void LoginUtilsImpl::OnOAuthGetAccessTokenSuccess(const std::string& token,
                                                   const std::string& secret) {
   VLOG(1) << "Got OAuth v1 token!";
   Profile* user_profile = ProfileManager::GetDefaultProfile();
   StoreOAuth1AccessToken(user_profile, token, secret);
 
   // Verify OAuth1 token by doing OAuthLogin and fetching credentials.
   VerifyOAuth1AccessToken(user_profile, token, secret);
 }
 
+void LoginUtilsImpl::OnOAuthGetAccessTokenFailure(
+    const GoogleServiceAuthError& error) {
+  // TODO(zelidrag): Pop up sync setup UI here?
+  LOG(WARNING) << "Failed fetching OAuth request token";

[Mattias Nissler (ping if slow), 2011/11/11 11:41:23]

This logged error.state() before, why did you drop this? It might also be
helpful to log more info about the fetch errors in the various LOG(WARNING)
incantations above.

[Joao da Silva, 2011/11/11 12:55:14]

Done.

+}
+
 void LoginUtilsImpl::FetchSecondaryTokens(Profile* offrecord_profile,
                                           const std::string& token,
                                           const std::string& secret) {
   FetchPolicyToken(offrecord_profile, token, secret);
   // TODO(rickcam, zelidrag): Wire TokenService there when it becomes
   // capable of handling OAuth1 tokens directly.
 }
 
 bool LoginUtilsImpl::ReadOAuth1AccessToken(Profile* user_profile,
                                            std::string* token,
@@ skipping 54 matching lines @@
                                                      token,
                                                      secret,
                                                      username_));
   oauth_login_verifier_->Start();
 }
 
 
 void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
                                       const std::string& token,
                                       const std::string& secret) {
-  // Trigger oauth token fetch for user policy.
-  policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
-                                                     token,
-                                                     secret));
-  policy_oauth_fetcher_->Start();
+  if (policy_oauth_early_fetcher_.get()) {
+    // User policy has already been fetched. Reset the early policy fetcher
+    // now, so that subsequent calls of FetchSecondaryTokens fetch the policy
+    // token again.
+    policy_oauth_early_fetcher_.reset();
+  } else {
+    // Trigger oauth token fetch for user policy.
+    policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
+                                                       token,
+                                                       secret));
+    policy_oauth_fetcher_->Start();
+  }
 
   // TODO(zelidrag): We should add initialization of other services somewhere
   // here as well. This could be handled with TokenService class once it is
   // ready to handle OAuth tokens.
 
   // We don't need authenticator instance any more, reset it so that
   // ScreenLocker would create a separate instance.
   // TODO(nkostylev): There's a potential race if SL would be created before
   // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
-void LoginUtilsImpl::OnOAuthGetAccessTokenFailure(
-    const GoogleServiceAuthError& error) {
-  // TODO(zelidrag): Pop up sync setup UI here?
-  LOG(WARNING) << "Failed fetching OAuth v1 token, error: " << error.state();
-}
-
 void LoginUtilsImpl::OnOnlineStateChanged(bool online) {
   // If we come online for the first time after successful offline login,
   // we need to kick of OAuth token verification process again.
   if (UserManager::Get()->user_is_logged_in() &&
       UserManager::Get()->offline_login() && online) {
     if (!authenticator_.get())
       CreateAuthenticator(NULL);
     std::string oauth1_token;
     std::string oauth1_secret;
     Profile* user_profile = ProfileManager::GetDefaultProfile();
@@ skipping 33 matching lines @@
   // Mark login host for deletion after browser starts.  This
   // guarantees that the message loop will be referenced by the
   // browser before it is dereferenced by the login host.
   if (login_host) {
     login_host->OnSessionStart();
     login_host = NULL;
   }
 }
 
 }  // namespace chromeos