Setup Sync to use OAuth token for managed users.

chrome/browser/sync/profile_sync_service.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/sync/profile_sync_service.h"
 
 #include <cstddef>
 #include <map>
 #include <set>
 #include <utility>
@@ skipping 102 matching lines @@
     "https://clients4.google.com/chrome-sync/dev";
 
 static const int kSyncClearDataTimeoutInSeconds = 60;  // 1 minute.
 
 static const char* kOAuth2Scopes[] = {
   GaiaConstants::kChromeSyncOAuth2Scope,
   // GoogleTalk scope is needed for notifications.
   GaiaConstants::kGoogleTalkOAuth2Scope
 };
 
+static const char* kManagedOAuth2Scopes[] = {
+  GaiaConstants::kChromeSyncManagedOAuth2Scope
+};
 
 static const char* kSyncUnrecoverableErrorHistogram =
     "Sync.UnrecoverableErrors";
 
 const net::BackoffEntry::Policy kRequestAccessTokenBackoffPolicy = {
   // Number of initial errors (in sequence) to ignore before applying
   // exponential back-off rules.
   0,
 
   // Initial delay for exponential back-off in ms.
@@ skipping 1783 matching lines @@
   if (!IsUsingSecondaryPassphrase())
     SetEncryptionPassphrase(passphrase, IMPLICIT);
 }
 
 void ProfileSyncService::RequestAccessToken() {
   // Only one active request at a time.
   if (access_token_request_ != NULL)
     return;
   request_access_token_retry_timer_.Stop();
   OAuth2TokenService::ScopeSet oauth2_scopes;
-  for (size_t i = 0; i < arraysize(kOAuth2Scopes); i++)
-    oauth2_scopes.insert(kOAuth2Scopes[i]);
+  if (ManagedUserService::ProfileIsManaged(profile_)) {
+    for (size_t i = 0; i < arraysize(kManagedOAuth2Scopes); i++)
+      oauth2_scopes.insert(kManagedOAuth2Scopes[i]);
+  } else {
+    for (size_t i = 0; i < arraysize(kOAuth2Scopes); i++)
+      oauth2_scopes.insert(kOAuth2Scopes[i]);
+  }
+

[pavely, 2013/06/17 22:36:31]

Currently access token is passed to both sync server and xmpp server. I suspect
chromesync_playpen scope will not work with xmpp server and it will return
CREDENTIALS_REJECTED status which will cause ProfileSyncService to request
access token again. I didn't try it yet.
Could you try this scenario before committing.

If it is true then there should also be a change in
SyncManagerImpl::OnInvalidatorStateChange not to propagate CREDENTIALS_REJECTED
when running under managed user. 
Alternatively there could be change to disable notifications for MU completely
through InvalidatorFactory, but i don't have specific ideas on how to do it as
I'm not yet familiar with that code.

[Bernhard Bauer, 2013/06/18 13:44:35]

Hm, true. I did notice this when testing and worked around this by running
against the Python server (which accepts any token), but obviously that won't
work for production.
Me neither, but that doesn't stop me ;-)

I went with the latter approach, as it seems more dependency-inject-y to me to
not create the invalidator in the first place then to find out whether the
profile is managed deep in the bowels of the SyncManagerImpl or
ServerConnectionManager (both of which can't depend on Profile, AFAICT). So,
PTAL?

   OAuth2TokenService* token_service =
       ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
   // Invalidate previous token, otherwise token service will return the same
   // token again.
   token_service->InvalidateToken(oauth2_scopes, access_token_);
   access_token_.clear();
   access_token_request_ = token_service->StartRequest(oauth2_scopes, this);
 }
 
 void ProfileSyncService::SetEncryptionPassphrase(const std::string& passphrase,
@@ skipping 277 matching lines @@
 std::string ProfileSyncService::GetEffectiveUsername() {
 #if defined(ENABLE_MANAGED_USERS)
   if (ManagedUserService::ProfileIsManaged(profile_)) {
     DCHECK_EQ(std::string(), signin_->GetAuthenticatedUsername());
     return ManagedUserService::GetManagedUserPseudoEmail();
   }
 #endif
 
   return signin_->GetAuthenticatedUsername();
 }