Public Sessions: fetch device robot api token during enterprise enrollment.

chrome/browser/policy/cloud/cloud_policy_client.cc

Index: chrome/browser/policy/cloud/cloud_policy_client.cc
diff --git a/chrome/browser/policy/cloud/cloud_policy_client.cc b/chrome/browser/policy/cloud/cloud_policy_client.cc
index 5622ce0ed796ef89dbbad67335acd7256ea80c51..7edbb66db2d9f00aef1e39c059fb88d45c65fac8 100644
--- a/chrome/browser/policy/cloud/cloud_policy_client.cc
+++ b/chrome/browser/policy/cloud/cloud_policy_client.cc
@@ -16,6 +16,8 @@ namespace policy {
 
 namespace {
 
+const char kAnyApiOAuth2Scope[] = "https://www.googleapis.com/auth/any-api";

[Mattias Nissler (ping if slow), 2013/03/19 06:33:08]

This should probably go into gaia_constants.h (or whereever the scope strings
are right now).

[David Roche, 2013/04/02 01:59:25]

Done.

+
 // Translates the DeviceRegisterResponse::DeviceMode |mode| to the enum used
 // internally to represent different device modes.
 DeviceMode TranslateProtobufDeviceMode(
@@ -177,6 +179,26 @@ void CloudPolicyClient::FetchPolicy() {
                                  base::Unretained(this)));
 }
 
+void CloudPolicyClient::FetchRobotAuthTokens(const std::string& auth_token) {
+  CHECK(is_registered());
+  DCHECK(!auth_token.empty());
+
+  request_job_.reset(service_->CreateJob(
+      DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH));
+  // The credentials of a domain user are needed in order to mint a new OAuth2
+  // authorization token for the robot account.
+  request_job_->SetOAuthToken(auth_token);
+  request_job_->SetClientID(client_id_);
+
+  em::DeviceServiceApiAccessRequest* request =
+      request_job_->GetRequest()->mutable_service_api_access_request();
+  request->add_auth_scope(kAnyApiOAuth2Scope);
+
+  request_job_->Start(
+      base::Bind(&CloudPolicyClient::OnFetchRobotAuthTokensCompleted,
+                 base::Unretained(this)));
+}
+
 void CloudPolicyClient::Unregister() {
   DCHECK(service_);
   request_job_.reset(
@@ -249,6 +271,29 @@ void CloudPolicyClient::OnRegisterCompleted(
   }
 }
 
+void CloudPolicyClient::OnFetchRobotAuthTokensCompleted(
+    DeviceManagementStatus status,
+    const em::DeviceManagementResponse& response) {
+  if (status == DM_STATUS_SUCCESS &&
+      (!response.has_service_api_access_response() ||
+       response.service_api_access_response().auth_code().empty())) {
+    // TODO: retry on transient errors?

[Mattias Nissler (ping if slow), 2013/03/19 06:33:08]

Not needed for now - the user can retry manually.

[David Roche, 2013/04/02 01:59:25]

Done.

+    LOG(WARNING) << "Invalid service api access response.";
+    status = DM_STATUS_RESPONSE_DECODING_ERROR;
+  }
+
+  status_ = status;
+  if (status == DM_STATUS_SUCCESS) {
+    robot_api_auth_code_ = response.service_api_access_response().auth_code();
+    DVLOG(1) << "Device robot account auth code fetch complete - code = "
+             << robot_api_auth_code_;
+
+    NotifyRobotAuthCodesFetched();
+  } else {
+    NotifyClientError();
+  }
+}
+
 void CloudPolicyClient::OnPolicyFetchCompleted(
     DeviceManagementStatus status,
     const em::DeviceManagementResponse& response) {
@@ -319,6 +364,10 @@ void CloudPolicyClient::NotifyRegistrationStateChanged() {
   FOR_EACH_OBSERVER(Observer, observers_, OnRegistrationStateChanged(this));
 }
 
+void CloudPolicyClient::NotifyRobotAuthCodesFetched() {
+  FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this));
+}
+
 void CloudPolicyClient::NotifyClientError() {
   FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this));
 }