Public Sessions: fetch device robot api token during enterprise enrollment.

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/policy/cloud/cloud_policy_constants.h"
 #include "chrome/browser/policy/cloud/proto/device_management_backend.pb.h"
+#include "google_apis/gaia/gaia_urls.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
 // Retry for InstallAttrs initialization every 500ms.
 const int kLockRetryIntervalMs = 500;
 // Maximum time to retry InstallAttrs initialization before we give up.
 const int kLockRetryTimeoutMs = 10 * 60 * 1000;  // 10 minutes.
+// Number of times to retry fetching the device-level API refresh token.
+const int kRobotRefreshTokenFetchRetryCount = 2;
 
 }  // namespace
 
 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
     DeviceCloudPolicyStoreChromeOS* store,
     EnterpriseInstallAttributes* install_attributes,
     scoped_ptr<CloudPolicyClient> client,
     const std::string& auth_token,
     const std::string& client_id,
     bool is_auto_enrollment,
@@ skipping 67 matching lines @@
   validator.release()->StartValidation(
       base::Bind(&EnrollmentHandlerChromeOS::PolicyValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
 void EnrollmentHandlerChromeOS::OnRegistrationStateChanged(
     CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
   if (enrollment_step_ == STEP_REGISTRATION && client_->is_registered()) {
-    enrollment_step_ = STEP_POLICY_FETCH,
+    enrollment_step_ = STEP_ROBOT_AUTH_FETCH,
     device_mode_ = client_->device_mode();
     if (device_mode_ == DEVICE_MODE_NOT_SET)
       device_mode_ = DEVICE_MODE_ENTERPRISE;
     if (!allowed_device_modes_.test(device_mode_)) {
       LOG(ERROR) << "Bad device mode " << device_mode_;
       ReportResult(EnrollmentStatus::ForStatus(
           EnrollmentStatus::STATUS_REGISTRATION_BAD_MODE));
       return;
     }
-    client_->FetchPolicy();
+    client_->FetchRobotAuthTokens(auth_token_);
   } else {
     LOG(FATAL) << "Registration state changed to " << client_->is_registered()
                << " in step " << enrollment_step_;
   }
 }
 
+void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
+    CloudPolicyClient* client) {
+  DCHECK_EQ(client_.get(), client);
+  CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
+
+  enrollment_step_ = STEP_ROBOT_AUTH_REFRESH;
+
+  gaia::OAuthClientInfo client_info;
+  client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+  client_info.client_secret =
+      GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
+
+  // Use the system request context to avoid sending user cookies.

[Mattias Nissler (ping if slow), 2013/04/02 14:16:46]

Is that actually accurate? The system request context does have a cookie store.

[David Roche, 2013/04/04 01:39:53]

I think it is, from my reading of the code.  The important distinction, I think,
is that we're not sending the _user_ cookies for the enrolling user.

In IOThread::Init(), I see
  // In-memory cookie store.
  globals_->system_cookie_store = new net::CookieMonster(NULL, NULL);

.. so it looks as if it's using a short-lived, in-memory cookie store that is
not associated with any user, and dies when the browser shuts down.

[Mattias Nissler (ping if slow), 2013/04/04 13:18:34]

You're right, I didn't missed the "user" part in the sentence.

+  gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
+      gaia::kGaiaOAuth2Url,
+      g_browser_process->system_request_context()));
+  gaia_oauth_client_->GetTokensFromAuthCode(client_info,
+                                            client->robot_api_auth_code(),
+                                            kRobotRefreshTokenFetchRetryCount,
+                                            this);
+}
+
+// GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
+void EnrollmentHandlerChromeOS::OnGetTokensResponse(
+    const std::string& refresh_token,
+    const std::string& access_token,
+    int expires_in_seconds) {
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+
+  enrollment_step_ = STEP_POLICY_FETCH,
+
+  // TODO: persist token in DeviceOAuth2TokenService when CL 12647008 lands.
+
+  client_->FetchPolicy();
+}
+
+// GaiaOAuthClient::Delegate
+void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
+    const std::string& access_token,
+    int expires_in_seconds) {
+  // We never use the code that should trigger this callback.
+  LOG(FATAL) << "Unexpected callback invoked";
+}
+
+// GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
+void EnrollmentHandlerChromeOS::OnOAuthError() {
+  ReportResult(EnrollmentStatus::ForStatus(
+      EnrollmentStatus::STATUS_ROBOT_REFRESH_FETCH_FAILED));
+}
+
+// GaiaOAuthClient::Delegate network error when fetching refresh token.
+void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
+  LOG(ERROR) << "Network error while fetching API refresh token: "
+             << response_code;
+  ReportResult(EnrollmentStatus::ForStatus(
+      EnrollmentStatus::STATUS_ROBOT_REFRESH_FETCH_FAILED));
+}
+
 void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
-  if (enrollment_step_ < STEP_POLICY_FETCH)
+  if (enrollment_step_ == STEP_ROBOT_AUTH_FETCH)
+    ReportResult(EnrollmentStatus::ForRobotAuthError(client_->status()));
+  else if (enrollment_step_ < STEP_POLICY_FETCH)
     ReportResult(EnrollmentStatus::ForRegistrationError(client_->status()));
   else
     ReportResult(EnrollmentStatus::ForFetchError(client_->status()));
 }
 
 void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
 
   if (enrollment_step_ == STEP_LOADING_STORE) {
+    // If the |store_| wasn't initialized when StartEnrollment() was
+    // called, then AttemptRegistration() bails silently.  This gets
+    // registration rolling again after the store finishes loading.
     AttemptRegistration();
   } else if (enrollment_step_ == STEP_STORE_POLICY) {
     ReportResult(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS));
   }
 }
 
 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
   ReportResult(EnrollmentStatus::ForStoreError(store_->status(),
                                                store_->validation_status()));
@@ skipping 89 matching lines @@
                  << " " << status.client_status()
                  << " " << status.validation_status()
                  << " " << status.store_status();
   }
 
   if (!callback.is_null())
     callback.Run(status);
 }
 
 }  // namespace policy