Make an online wildcard login check for enterprise devices.

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc

Index: chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
index e6be0a560701675c45632f91102b6e88a0237f65..739e0a65b308df63ea2c69af842d271341498f94 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
@@ -13,7 +13,9 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/policy_oauth2_token_fetcher.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
+#include "chrome/browser/chromeos/policy/wildcard_login_checker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/lifetime/application_lifetime.h"
 #include "components/policy/core/common/cloud/cloud_external_data_manager.h"
 #include "components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h"
 #include "components/policy/core/common/cloud/device_management_service.h"
@@ -47,6 +49,20 @@ const char kUMAInitialFetchOAuth2Error[] =
 const char kUMAInitialFetchOAuth2NetworkError[] =
     "Enterprise.UserPolicyChromeOS.InitialFetch.OAuth2NetworkError";
 
+void OnWildcardCheckCompleted(const std::string& username, bool result) {
+  if (!result) {
+    LOG(ERROR) << "Online wildcard login check failed, terminating session.";
+
+    // TODO(mnissler): This only removes the user pod from the login screen, but
+    // the cryptohome remains. This is because deleting the cryptohome for a
+    // logged-in session is not possible. Fix this either by delaying the
+    // cryptohome deletion operation or by getting rid of the in-session
+    // wildcard check.
+    chromeos::UserManager::Get()->RemoveUserFromList(username);
+    chrome::AttemptUserExit();
+  }
+}
+
 }  // namespace
 
 UserCloudPolicyManagerChromeOS::UserCloudPolicyManagerChromeOS(
@@ -125,6 +141,14 @@ void UserCloudPolicyManagerChromeOS::Connect(
 void UserCloudPolicyManagerChromeOS::OnAccessTokenAvailable(
     const std::string& access_token) {
   access_token_ = access_token;
+
+  if (!wildcard_username_.empty()) {
+    wildcard_login_checker_.reset(new WildcardLoginChecker());
+    wildcard_login_checker_->StartWithAccessToken(
+        access_token,
+        base::Bind(&OnWildcardCheckCompleted, wildcard_username_));
+  }
+
   if (service() && service()->IsInitializationComplete() &&
       client() && !client()->is_registered()) {
     OnOAuth2PolicyTokenFetched(
@@ -136,6 +160,11 @@ bool UserCloudPolicyManagerChromeOS::IsClientRegistered() const {
   return client() && client()->is_registered();
 }
 
+void UserCloudPolicyManagerChromeOS::EnableWildcardLoginCheck(
+    const std::string& username) {
+  wildcard_username_ = username;

[Andrew T Wilson (Slow), 2014/01/28 16:31:13]

So, this breaks if for some reason EnableWildcardLoginCheck() is called after
the access token is available. I don't think it's possible for this to happen,
but you should probably add a DCHECK(access_token_.empty()) here to ensure it.

[Mattias Nissler (ping if slow), 2014/01/29 12:12:32]

Done.

+}
+
 void UserCloudPolicyManagerChromeOS::Shutdown() {
   if (client())
     client()->RemoveObserver(this);
@@ -181,8 +210,7 @@ void UserCloudPolicyManagerChromeOS::OnInitializationCompleted(
     if (wait_for_policy_fetch_) {
       FetchPolicyOAuthTokenUsingSigninProfile();
     } else if (!access_token_.empty()) {
-      OnOAuth2PolicyTokenFetched(
-          access_token_, GoogleServiceAuthError(GoogleServiceAuthError::NONE));
+      OnAccessTokenAvailable(access_token_);
     }
   }
 
@@ -267,7 +295,6 @@ void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
     const std::string& policy_token,
     const GoogleServiceAuthError& error) {
   DCHECK(!client()->is_registered());
-
   time_token_available_ = base::Time::Now();
   if (wait_for_policy_fetch_) {
     UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayOAuth2Token,