UserPolicyCache only becomes ready after policy has been fetched.

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
@@ skipping 84 matching lines @@
 const char kServiceScopeChromeOS[] =
     "https://www.googleapis.com/auth/chromesync";
 
 const char kServiceScopeChromeOSDeviceManagement[] =
     "https://www.googleapis.com/auth/chromeosdevicemanagement";
 }  // namespace
 
 // Task for fetching tokens from UI thread.
 class StartSyncOnUIThreadTask : public Task {
  public:
-  StartSyncOnUIThreadTask(
+  explicit StartSyncOnUIThreadTask(
       const GaiaAuthConsumer::ClientLoginResult& credentials)
       : credentials_(credentials) {}
   virtual ~StartSyncOnUIThreadTask() {}
 
   // Task override.
-  virtual void Run() {
+  virtual void Run() OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     LoginUtils::Get()->FetchCookies(ProfileManager::GetDefaultProfile(),
                                     credentials_);
     LoginUtils::Get()->StartSync(ProfileManager::GetDefaultProfile(),
-                                   credentials_);
+                                 credentials_);
   }
 
  private:
   GaiaAuthConsumer::ClientLoginResult credentials_;
+
+  DISALLOW_COPY_AND_ASSIGN(StartSyncOnUIThreadTask);
 };
 
 // Transfers initial set of Profile cookies from the default profile.
 class TransferDefaultCookiesOnIOThreadTask : public Task {
  public:
   TransferDefaultCookiesOnIOThreadTask(
       net::URLRequestContextGetter* auth_context,
       net::URLRequestContextGetter* new_context)
           : auth_context_(auth_context),
             new_context_(new_context) {}
   virtual ~TransferDefaultCookiesOnIOThreadTask() {}
 
   // Task override.
-  virtual void Run() {
+  virtual void Run() OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
     net::CookieStore* default_store =
         auth_context_->GetURLRequestContext()->cookie_store();
     net::CookieMonster* default_monster = default_store->GetCookieMonster();
     default_monster->SetKeepExpiredCookies();
     default_monster->GetAllCookiesAsync(
         base::Bind(
             &TransferDefaultCookiesOnIOThreadTask::InitializeCookieMonster,
             base::Unretained(this)));
   }
 
   void InitializeCookieMonster(const net::CookieList& cookies) {
      DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
      net::CookieStore* new_store =
-       new_context_->GetURLRequestContext()->cookie_store();
+         new_context_->GetURLRequestContext()->cookie_store();
      net::CookieMonster* new_monster = new_store->GetCookieMonster();
 
     if (!new_monster->InitializeFrom(cookies)) {
       LOG(WARNING) << "Failed initial cookie transfer.";
     }
   }
 
  private:
   net::URLRequestContextGetter* auth_context_;
   net::URLRequestContextGetter* new_context_;
@@ skipping 56 matching lines @@
                                      GaiaConstants::kPicasaService,
                                      oauth1_token_,
                                      oauth1_secret_);
     }
   }
 
   // GaiaOAuthConsumer implementation:
   virtual void OnOAuthLoginSuccess(const std::string& sid,
                                    const std::string& lsid,
                                    const std::string& auth) OVERRIDE {
-    GaiaAuthConsumer::ClientLoginResult credentials(sid,
-      lsid, auth, std::string());
+    GaiaAuthConsumer::ClientLoginResult credentials(
+        sid, lsid, auth, std::string());
     UserManager::Get()->set_offline_login(false);
     BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
                             new StartSyncOnUIThreadTask(credentials));
   }
 
   virtual void OnOAuthLoginFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed to verify OAuth1 access tokens,"
-                 << " error.state=" << error.state();
+    LOG(WARNING) << "Failed to verify OAuth1 access tokens, error: "
+                 << error.state();
 
     // Mark this account's OAuth token state as invalid if the failure is not
     // caused by network error.
     if (error.state() != GoogleServiceAuthError::CONNECTION_FAILED) {
       UserManager::Get()->SaveUserOAuthStatus(username_,
                                               User::OAUTH_TOKEN_STATUS_INVALID);
     } else {
       UserManager::Get()->set_offline_login(true);
     }
   }
@@ skipping 23 matching lines @@
   }
 
   // GaiaAuthConsumer overrides.
   virtual void OnIssueAuthTokenSuccess(const std::string& service,
                                        const std::string& auth_token) OVERRIDE {
     gaia_fetcher_.StartMergeSession(auth_token);
   }
 
   virtual void OnIssueAuthTokenFailure(const std::string& service,
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed IssueAuthToken request,"
-                 << " error.state=" << error.state();
+    LOG(WARNING) << "Failed IssueAuthToken request, error: " << error.state();
     HandlerGaiaAuthError(error);
     delete this;
   }
 
   virtual void OnMergeSessionSuccess(const std::string& data) OVERRIDE {
     VLOG(1) << "MergeSession successful.";
     delete this;
   }
 
   virtual void OnMergeSessionFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed MergeSession request,"
-                 << " error.state=" << error.state();
+    LOG(WARNING) << "Failed MergeSession request, error: " << error.state();
     HandlerGaiaAuthError(error);
     delete this;
   }
 
  private:
   void HandlerGaiaAuthError(const GoogleServiceAuthError& error) {
     // Mark this account's login state as offline if we encountered a network
     // error. That will make us verify user OAuth token and try to fetch session
     // cookies again once we detect that the machine comes online.
     if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED)
       UserManager::Get()->set_offline_login(true);
   }
 
   GaiaAuthFetcher gaia_fetcher_;
   DISALLOW_COPY_AND_ASSIGN(UserSessionCookieFetcher);
 };
 
-
-// Fetches an OAuth token and initializes user policy with it.
+// Fetches the oauth token for the device management service. Since Profile
+// creation might be blocking on a user policy fetch, this fetcher must always
+// send a (possibly empty) token to the BrowserPolicyConnector, which will then
+// let the policy subsystem proceed and resume Profile creation.
+// Sending the token even when no Profile is pending is also OK.
 class PolicyOAuthFetcher : public GaiaOAuthConsumer {
  public:
+  // Fetches the device management service's oauth token using |oauth1_token|
+  // and |oauth1_secret| as access tokens.
   PolicyOAuthFetcher(Profile* profile,
                      const std::string& oauth1_token,
                      const std::string& oauth1_secret)
       : oauth_fetcher_(this,
                        profile->GetRequestContext(),
                        profile,
                        kServiceScopeChromeOSDeviceManagement),
         oauth1_token_(oauth1_token),
         oauth1_secret_(oauth1_secret) {
-    oauth_fetcher_.SetAutoFetchLimit(
-        GaiaOAuthFetcher::OAUTH2_SERVICE_ACCESS_TOKEN);
   }
+
+  // Fetches the device management service's oauth token, after also retrieving
+  // the access tokens.
+  explicit PolicyOAuthFetcher(Profile* profile)
+      : oauth_fetcher_(this,
+                       profile->GetRequestContext(),
+                       profile,
+                       kServiceScopeChromeOSDeviceManagement) {
+  }
+
   virtual ~PolicyOAuthFetcher() {}
 
   void Start() {
-    oauth_fetcher_.StartOAuthWrapBridge(
-        oauth1_token_, oauth1_secret_, GaiaConstants::kGaiaOAuthDuration,
-        std::string(kServiceScopeChromeOSDeviceManagement));
+    oauth_fetcher_.SetAutoFetchLimit(
+        GaiaOAuthFetcher::OAUTH2_SERVICE_ACCESS_TOKEN);
+
+    if (oauth1_token_.empty()) {
+      oauth_fetcher_.StartGetOAuthTokenRequest();
+    } else {
+      oauth_fetcher_.StartOAuthWrapBridge(
+          oauth1_token_, oauth1_secret_, GaiaConstants::kGaiaOAuthDuration,
+          std::string(kServiceScopeChromeOSDeviceManagement));
+    }
   }
 
-  // GaiaOAuthConsumer implementation:
+  const std::string& oauth1_token() const { return oauth1_token_; }
+  const std::string& oauth1_secret() const { return oauth1_secret_; }
+  bool failed() const {
+    return !oauth_fetcher_.HasPendingFetch() && policy_token_.empty();
+  }
+
+ private:
+  virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE {
+    VLOG(1) << "Got OAuth request token";
+  }
+
+  virtual void OnGetOAuthTokenFailure(
+      const GoogleServiceAuthError& error) OVERRIDE {
+    LOG(WARNING) << "Failed to get OAuth request token, error: "
+                 << error.state();
+    SetPolicyToken("");
+  }
+
+  virtual void OnOAuthGetAccessTokenSuccess(
+      const std::string& token,
+      const std::string& secret) OVERRIDE {
+    VLOG(1) << "Got OAuth access token";
+    oauth1_token_ = token;
+    oauth1_secret_ = secret;
+  }
+
+  virtual void OnOAuthGetAccessTokenFailure(
+      const GoogleServiceAuthError& error) OVERRIDE {
+    LOG(WARNING) << "Failed to get OAuth access token, error: "
+                 << error.state();
+    SetPolicyToken("");
+  }
+
   virtual void OnOAuthWrapBridgeSuccess(
       const std::string& service_name,
       const std::string& token,
       const std::string& expires_in) OVERRIDE {
-    policy::BrowserPolicyConnector* browser_policy_connector =
-        g_browser_process->browser_policy_connector();
-    browser_policy_connector->RegisterForUserPolicy(token);
+    VLOG(1) << "Got OAuth access token for " << service_name;
+    SetPolicyToken(token);
   }
 
   virtual void OnOAuthWrapBridgeFailure(
       const std::string& service_name,
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed to get OAuth access token for " << service_name;
+    LOG(WARNING) << "Failed to get OAuth access token for " << service_name
+                 << ", error: " << error.state();
+    SetPolicyToken("");
   }
 
- private:
+  void SetPolicyToken(const std::string& token) {
+    policy_token_ = token;
+    g_browser_process->browser_policy_connector()->RegisterForUserPolicy(token);
+  }
+
   GaiaOAuthFetcher oauth_fetcher_;
   std::string oauth1_token_;
   std::string oauth1_secret_;
+  std::string policy_token_;
 
   DISALLOW_COPY_AND_ASSIGN(PolicyOAuthFetcher);
 };
 
 // Used to request a restart to switch to the guest mode.
 class JobRestartRequest
     : public base::RefCountedThreadSafe<JobRestartRequest> {
  public:
   JobRestartRequest(int pid, const std::string& command_line)
       : pid_(pid),
@@ skipping 88 matching lines @@
                                       Profile* new_profile) OVERRIDE;
   virtual void TransferDefaultAuthCache(Profile* default_profile,
                                         Profile* new_profile) OVERRIDE;
 
   // ProfileManagerObserver implementation:
   virtual void OnProfileCreated(Profile* profile, Status status) OVERRIDE;
 
   // GaiaOAuthConsumer overrides.
   virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE;
   virtual void OnGetOAuthTokenFailure(
-    const GoogleServiceAuthError& error) OVERRIDE;
+      const GoogleServiceAuthError& error) OVERRIDE;
   virtual void OnOAuthGetAccessTokenSuccess(const std::string& token,
                                             const std::string& secret) OVERRIDE;
   virtual void OnOAuthGetAccessTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
 
   // net::NetworkChangeNotifier::OnlineStateObserver overrides.
   virtual void OnOnlineStateChanged(bool online) OVERRIDE;
 
   // Given the authenticated credentials from the cookie jar, try to exchange
   // fetch OAuth request, v1 and v2 tokens.
@@ skipping 123 matching lines @@
 
   username_ = username;
   password_ = password;
 
   credentials_ = credentials;
   pending_requests_ = pending_requests;
   using_oauth_ = using_oauth;
   has_cookies_ = has_cookies;
   delegate_ = delegate;
 
+  policy::BrowserPolicyConnector* connector =
+      g_browser_process->browser_policy_connector();
+
+  // If this is an enterprise device and the user belongs to the enterprise
+  // domain, then wait for a policy fetch before logging the user in. This
+  // will delay Profile creation until the policy is fetched, so that features
+  // controlled by policy (e.g. Sync, Startup tabs) only start after the
+  // PrefService has the right values.
+  // Profile creation is also resumed if the fetch attempt fails.
+  bool wait_for_policy_fetch =
+      using_oauth_ &&
+      authenticator_.get() &&
+      (connector->GetUserAffiliation(username) ==
+          policy::CloudPolicyDataStore::USER_AFFILIATION_MANAGED);
+
   // Initialize user policy before the profile is created so the profile
-  // initialization code sees the policy settings.
-  g_browser_process->browser_policy_connector()->InitializeUserPolicy(username);
+  // initialization code sees the cached policy settings.
+  connector->InitializeUserPolicy(username, wait_for_policy_fetch);
+
+  if (wait_for_policy_fetch) {
+    // Profile creation will block until user policy is fetched, which
+    // requires the DeviceManagement token. Try to fetch it now.
+    VLOG(1) << "Profile creation requires policy token, fetching now";
+    policy_oauth_fetcher_.reset(
+        new PolicyOAuthFetcher(authenticator_->authentication_profile()));
+    policy_oauth_fetcher_->Start();
+  }
 
   // The default profile will have been changed because the ProfileManager
   // will process the notification that the UserManager sends out.
   ProfileManager::CreateDefaultProfileAsync(this);
 }
 
 void LoginUtilsImpl::DelegateDeleted(Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
 void LoginUtilsImpl::OnProfileCreated(Profile* user_profile, Status status) {
   CHECK(user_profile);
   switch (status) {
     case STATUS_INITIALIZED:
       break;
     case STATUS_CREATED:
       if (UserManager::Get()->current_user_is_new())
         SetFirstLoginPrefs(user_profile->GetPrefs());
       RespectLocalePreference(user_profile);
       return;
     case STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
   // Initialize the user-policy backend.
-  policy::BrowserPolicyConnector* browser_policy_connector =
-      g_browser_process->browser_policy_connector();
-
   if (!using_oauth_) {
-    browser_policy_connector->SetUserPolicyTokenService(
-        user_profile->GetTokenService());
+    g_browser_process->browser_policy_connector()->
+        SetUserPolicyTokenService(user_profile->GetTokenService());
   }
 
   // We suck. This is a hack since we do not have the enterprise feature
   // done yet to pull down policies from the domain admin. We'll take this
   // out when we get that done properly.
   // TODO(xiyuan): Remove this once enterprise feature is ready.
   if (EndsWith(username_, "@google.com", true)) {
     PrefService* pref_service = user_profile->GetPrefs();
     pref_service->SetBoolean(prefs::kEnableScreenLock, true);
   }
 
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
+    // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
+    // used to fetch policies before Profile creation.
+    if (policy_oauth_fetcher_.get() &&
+        !policy_oauth_fetcher_->oauth1_token().empty()) {
+      VLOG(1) << "Resuming profile creation after fetching policy token";
+      StoreOAuth1AccessToken(user_profile,
+                             policy_oauth_fetcher_->oauth1_token(),
+                             policy_oauth_fetcher_->oauth1_secret());
+    }
+
     // Transfer cookies when user signs in using extension.
     if (has_cookies_) {
       // Transfer cookies from the profile that was used for authentication.
       // This profile contains cookies that auth extension should have already
       // put in place that will ensure that the newly created session is
       // authenticated for the websites that work with the used authentication
       // schema.
       TransferDefaultCookies(authenticator_->authentication_profile(),
                              user_profile);
     }
@@ skipping 73 matching lines @@
   // TODO(altimofeev): Need to sanitize memory used to store password.
   credentials_ = GaiaAuthConsumer::ClientLoginResult();
 }
 
 void LoginUtilsImpl::FetchOAuth1AccessToken(Profile* auth_profile) {
   oauth_fetcher_.reset(new GaiaOAuthFetcher(this,
                                             auth_profile->GetRequestContext(),
                                             auth_profile,
                                             kServiceScopeChromeOS));
   // Let's first get the Oauth request token and OAuth1 token+secret.
-  // One we get that, we will kick off individial requests for OAuth2 tokens for
-  // all our services.
+  // Once we get that, we will kick off individual requests for OAuth2 tokens
+  // for all our services.
   oauth_fetcher_->SetAutoFetchLimit(GaiaOAuthFetcher::OAUTH1_ALL_ACCESS_TOKEN);
   oauth_fetcher_->StartGetOAuthTokenRequest();
 }
 
 void LoginUtilsImpl::FetchCookies(Profile* user_profile,
     const GaiaAuthConsumer::ClientLoginResult& credentials) {
   if (!using_oauth_) {
     // Take the credentials passed in and try to exchange them for
     // full-fledged Google authentication cookies.  This is
     // best-effort; it's possible that we'll fail due to network
@@ skipping 32 matching lines @@
         password_, false);
     username_ = "";
     password_ = "";
 
     token_service->Initialize(GaiaConstants::kChromeOSSource, user_profile);
     token_service->LoadTokensFromDB();
   }
   token_service->UpdateCredentials(credentials);
   if (token_service->AreCredentialsValid())
     token_service->StartFetchingTokens();
-
 }
 
 void LoginUtilsImpl::RespectLocalePreference(Profile* profile) {
   DCHECK(profile != NULL);
   PrefService* prefs = profile->GetPrefs();
   DCHECK(prefs != NULL);
   if (g_browser_process == NULL)
     return;
 
   std::string pref_locale = prefs->GetString(prefs::kApplicationLocale);
@@ skipping 247 matching lines @@
                               profile->GetRequestContext()));
 }
 
 void LoginUtilsImpl::OnGetOAuthTokenSuccess(const std::string& oauth_token) {
   VLOG(1) << "Got OAuth request token!";
 }
 
 void LoginUtilsImpl::OnGetOAuthTokenFailure(
     const GoogleServiceAuthError& error) {
   // TODO(zelidrag): Pop up sync setup UI here?
-  LOG(WARNING) << "Failed fetching OAuth request token";
+  LOG(WARNING) << "Failed fetching OAuth request token, error: "
+               << error.state();
 }
 
 void LoginUtilsImpl::OnOAuthGetAccessTokenSuccess(const std::string& token,
                                                   const std::string& secret) {
   VLOG(1) << "Got OAuth v1 token!";
   Profile* user_profile = ProfileManager::GetDefaultProfile();
   StoreOAuth1AccessToken(user_profile, token, secret);
 
   // Verify OAuth1 token by doing OAuthLogin and fetching credentials.
   VerifyOAuth1AccessToken(user_profile, token, secret);
 }
 
+void LoginUtilsImpl::OnOAuthGetAccessTokenFailure(
+    const GoogleServiceAuthError& error) {
+  // TODO(zelidrag): Pop up sync setup UI here?
+  LOG(WARNING) << "Failed fetching OAuth request token, error: "
+               << error.state();
+}
+
 void LoginUtilsImpl::FetchSecondaryTokens(Profile* offrecord_profile,
                                           const std::string& token,
                                           const std::string& secret) {
   FetchPolicyToken(offrecord_profile, token, secret);
   // TODO(rickcam, zelidrag): Wire TokenService there when it becomes
   // capable of handling OAuth1 tokens directly.
 }
 
 bool LoginUtilsImpl::ReadOAuth1AccessToken(Profile* user_profile,
                                            std::string* token,
@@ skipping 54 matching lines @@
                                                      token,
                                                      secret,
                                                      username_));
   oauth_login_verifier_->Start();
 }
 
 
 void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
                                       const std::string& token,
                                       const std::string& secret) {
-  // Trigger oauth token fetch for user policy.
-  policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
-                                                     token,
-                                                     secret));
-  policy_oauth_fetcher_->Start();
+  // Fetch dm service token now, if it hasn't been fetched yet.
+  if (!policy_oauth_fetcher_.get() || policy_oauth_fetcher_->failed()) {
+    // Trigger oauth token fetch for user policy.
+    policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
+                                                       token,
+                                                       secret));
+    policy_oauth_fetcher_->Start();
+  }
 
   // TODO(zelidrag): We should add initialization of other services somewhere
   // here as well. This could be handled with TokenService class once it is
   // ready to handle OAuth tokens.
 
   // We don't need authenticator instance any more, reset it so that
   // ScreenLocker would create a separate instance.
   // TODO(nkostylev): There's a potential race if SL would be created before
   // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
-void LoginUtilsImpl::OnOAuthGetAccessTokenFailure(
-    const GoogleServiceAuthError& error) {
-  // TODO(zelidrag): Pop up sync setup UI here?
-  LOG(WARNING) << "Failed fetching OAuth v1 token, error: " << error.state();
-}
-
 void LoginUtilsImpl::OnOnlineStateChanged(bool online) {
   // If we come online for the first time after successful offline login,
   // we need to kick of OAuth token verification process again.
   if (UserManager::Get()->user_is_logged_in() &&
       UserManager::Get()->offline_login() && online) {
     KickStartAuthentication(ProfileManager::GetDefaultProfile());
   }
 }
 
 LoginUtils* LoginUtils::Get() {
@@ skipping 26 matching lines @@
   // Mark login host for deletion after browser starts.  This
   // guarantees that the message loop will be referenced by the
   // browser before it is dereferenced by the login host.
   if (login_host) {
     login_host->OnSessionStart();
     login_host = NULL;
   }
 }
 
 }  // namespace chromeos