Add UMA for consistency between TPM and install attributes.

chrome/browser/chromeos/policy/enterprise_install_attributes.h

Index: chrome/browser/chromeos/policy/enterprise_install_attributes.h
diff --git a/chrome/browser/chromeos/policy/enterprise_install_attributes.h b/chrome/browser/chromeos/policy/enterprise_install_attributes.h
index bb9a681c721e037fa0a6f657d8de611f46748e2a..029558292012c1ebb23e81654610b07648120f01 100644
--- a/chrome/browser/chromeos/policy/enterprise_install_attributes.h
+++ b/chrome/browser/chromeos/policy/enterprise_install_attributes.h
@@ -52,11 +52,11 @@ class EnterpriseInstallAttributes {
       chromeos::CryptohomeClient* cryptohome_client);
   ~EnterpriseInstallAttributes();
 
-  // Reads data from the cache file which is created early during the boot
-  // process.  The cache file is used to work around slow cryptohome startup,
-  // which takes a while to register its DBus interface.  See
-  // http://crosbug.com/37367 for background on this.
-  void ReadCacheFile(const base::FilePath& cache_file);
+  // Tries to read install attributes from the cache file which is created early
+  // during the boot process.  The cache file is used to work around slow
+  // cryptohome startup, which takes a while to register its DBus interface.
+  // (See http://crosbug.com/37367 for background on this.)
+  void Init(const base::FilePath& cache_file);
 
   // Makes sure the local caches for enterprise-related install attributes are
   // up-to-date with what cryptohome has. This method checks the readiness of
@@ -67,7 +67,8 @@ class EnterpriseInstallAttributes {
   // Locks the device to be an enterprise device registered by the given user.
   // This can also be called after the lock has already been taken, in which
   // case it checks that the passed user agrees with the locked attribute.
-  // |callback| must not be null and is called with the result.
+  // |callback| must not be null and is called with the result.  Must not be
+  // called while a previous LockDevice() invocation is still pending.
   void LockDevice(const std::string& user,
                   DeviceMode device_mode,
                   const std::string& device_id,
@@ -97,7 +98,19 @@ class EnterpriseInstallAttributes {
   DeviceMode GetMode();
 
  protected:
+  // True if install attributes have been read successfully.  False if read
+  // failed or no read attempt was made.
   bool device_locked_;
+
+  // Whether the TPM / install attributes consistency check is running.
+  bool consistency_check_running_;
+
+  // To be run after the consistency check has finished.
+  base::Closure post_check_action_;
+
+  // Wether the LockDevice() initiated TPM calls are running.
+  bool registration_running_;

[Mattias Nissler (ping if slow), 2015/06/24 13:26:06]

nit: "registration" is somewhat odd naming here - or is there precedent of
calling the process of locking install attributes "registration" anywhere else
in the code?

[Thiemo Nagel, 2015/06/24 14:05:40]

The registration_* members?  But I'd be happy to change that, how about
lock_device_running_?

[Mattias Nissler (ping if slow), 2015/06/24 18:37:10]

The registration_* members are called such because they hold information
pertinent to enrollment aka registration. Enrollment/Registration is much more
than just locking install attributes though. The code here is only concerned
with install attributes locking, which doesn't necessarily imply that there's an
enrollment/registration flow ongoing.

In fact, the code here also runs to lock install attributes for consumer kiosk
devices, in which there is no such thing as registration/enrollment. Although I
have to admit that the |registration_mode_| member is also named misleadingly as
it's also relevant for the consumer kiosk case.

That's to clarify the language I'm using and I think that language is used in
the majority of the code dealing with these things.

Anyhow, that's just for background, and I don't feel the name is strongly
misleading, which is why I left the decision with you.

[Thiemo Nagel, 2015/06/25 09:04:07]

Thanks.  I've changed the name to device_lock_running_.

+
   std::string registration_user_;
   std::string registration_domain_;
   std::string registration_device_id_;
@@ -158,6 +171,17 @@ class EnterpriseInstallAttributes {
   void OnReadImmutableAttributes(const std::string& user,
                                  const LockResultCallback& callback);
 
+  // Check state of install attributes against TPM lock state and generate UMA
+  // for the result.  Asynchronously retry |dbus_retries| times in case of DBUS
+  // errors (cryptohomed startup is slow).
+  void TriggerConsistencyCheck(int dbus_retries);
+
+  // Callback for TpmIsOwned() DBUS call.  Generates UMA or schedules retry in
+  // case of DBUS error.
+  void OnTpmOwnerCheckCompleted(int dbus_retries_remaining,
+                                chromeos::DBusMethodCallStatus call_status,
+                                bool result);
+
   chromeos::CryptohomeClient* cryptohome_client_;
 
   base::WeakPtrFactory<EnterpriseInstallAttributes> weak_ptr_factory_;