Add CheckAndroidManagement to ARC sign-in flow.

chrome/browser/chromeos/arc/arc_auth_service.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/arc/arc_auth_service.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
 #include "base/lazy_instance.h"
+#include "base/strings/string16.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_checker.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/arc/arc_auth_notification.h"
 #include "chrome/browser/chromeos/arc/arc_optin_uma.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/extension_util.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/policy/profile_policy_connector_factory.h"
 #include "chrome/browser/prefs/pref_service_syncable_util.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/ui/app_list/arc/arc_app_launcher.h"
 #include "chrome/browser/ui/extensions/app_launch_params.h"
 #include "chrome/browser/ui/extensions/application_launch.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/grit/generated_resources.h"
 #include "chromeos/chromeos_switches.h"
 #include "components/arc/arc_bridge_service.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/pref_registry/pref_registry_syncable.h"
 #include "components/prefs/pref_service.h"
 #include "components/signin/core/browser/profile_oauth2_token_service.h"
 #include "components/signin/core/browser/signin_manager_base.h"
 #include "components/syncable_prefs/pref_service_syncable.h"
 #include "components/user_manager/user.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/browser/app_window/app_window_registry.h"
 #include "extensions/browser/extension_prefs.h"
@@ skipping 11 matching lines @@
 base::LazyInstance<base::ThreadChecker> thread_checker =
     LAZY_INSTANCE_INITIALIZER;
 
 const char kPlayStoreAppId[] = "gpkmicpkkebkmabiaedjognfppcchdfa";
 const char kArcSupportExtensionId[] = "cnbgggchhmkkdmeppjobngjoejnihlei";
 const char kArcSupportStorageId[] = "arc_support";
 
 // Skip creating UI in unit tests
 bool disable_ui_for_testing = false;
 
+// Do check Android management requirement in browser tests.
+bool enable_check_android_management_for_testing = false;
+const char* fake_access_token = nullptr;
+
 const char kStateStopped[] = "STOPPED";
 const char kStateFetchingCode[] = "FETCHING_CODE";
 const char kStateActive[] = "ACTIVE";
+
 }  // namespace
 
 ArcAuthService::ArcAuthService(ArcBridgeService* bridge_service)
-    : ArcService(bridge_service), binding_(this) {
+    : ArcService(bridge_service),
+      OAuth2TokenService::Consumer("arc_auth_service"),
+      binding_(this),
+      weak_ptr_factory_(this) {
   DCHECK(!arc_auth_service);
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   arc_auth_service = this;
 
   arc_bridge_service()->AddObserver(this);
 }
 
 ArcAuthService::~ArcAuthService() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
@@ skipping 24 matching lines @@
 void ArcAuthService::DisableUIForTesting() {
   disable_ui_for_testing = true;
 }
 
 // static
 bool ArcAuthService::IsOptInVerificationDisabled() {
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
       chromeos::switches::kDisableArcOptInVerification);
 }
 
+// static
+void ArcAuthService::EnableCheckAndroidManagementForTesting(
+    const char* access_token) {
+  enable_check_android_management_for_testing = true;
+  fake_access_token = access_token;
+}
+
 void ArcAuthService::OnAuthInstanceReady() {
   arc_bridge_service()->auth_instance()->Init(
       binding_.CreateInterfacePtrAndBind());
 }
 
 std::string ArcAuthService::GetAndResetAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   std::string auth_code;
   auth_code_.swap(auth_code);
   return auth_code;
@@ skipping 78 matching lines @@
   const user_manager::User* const primary_user =
       user_manager::UserManager::Get()->GetPrimaryUser();
   Profile* const profile =
       chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user);
   const policy::ProfilePolicyConnector* const profile_policy_connector =
       policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile);
   callback.Run(profile_policy_connector->IsManaged());
 }
 
 void ArcAuthService::SetState(State state) {
-  if (state_ == state)
+  if (state_ == state && !enable_check_android_management_for_testing)

[xiyuan, 2016/04/26 17:48:10]

Why we need this? Could ArcAuthServiceStateObserver in test check
ArcAuthService::state() before running its wait loop?

[Polina Bondarenko, 2016/04/27 15:19:57]

We need this to test ManagedAndroidAccount scenario:

ARC is forbidden for accounts with the required Android management.
The client should send CheckAndroidManagementRequest to DM server and receive a
response from DM server (LocalPolicyTestServer in browsertest), which tells
whether client's account management requires Android management or not, before
start ARC.

The observer's role is this case is to wait until the client receives DM
server's response, and a state changes from STOPPED to STOPPED.

If the observer checks the state before Wait(), it gets a right STOPPED state,
but client has only sent a CheckAndroidManagementRequest and hasn't got a
server's response at that time.

[xiyuan, 2016/04/27 16:00:57]

It is strange to observe a state change which does not change the state. It
looks like the test is more interested to know ShutdownBridge() is called. How
about add that to Observer interface and make the test observe that?

[Polina Bondarenko, 2016/05/02 12:22:06]

Sorry, I've missed this comment. Yes, that's much better. Done.

     return;
 
   state_ = state;
   FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
 }
 
 void ArcAuthService::OnPrimaryUserProfilePrepared(Profile* profile) {
   DCHECK(profile && profile != profile_);
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
@@ skipping 14 matching lines @@
   // Reuse storage used in ARC OptIn platform app.
   const std::string site_url =
       base::StringPrintf("%s://%s/persist?%s", content::kGuestScheme,
                          kArcSupportExtensionId, kArcSupportStorageId);
   storage_partition_ = content::BrowserContext::GetStoragePartitionForSite(
       profile_, GURL(site_url));
   CHECK(storage_partition_);
 
   // In case UI is disabled we assume that ARC is opted-in.
   if (!IsOptInVerificationDisabled()) {
+    if (!disable_ui_for_testing || enable_check_android_management_for_testing)
+      StartAndroidManagementClient();
+
     pref_change_registrar_.Init(profile_->GetPrefs());
     pref_change_registrar_.Add(
         prefs::kArcEnabled,
         base::Bind(&ArcAuthService::OnOptInPreferenceChanged,
                    base::Unretained(this)));
     if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
       OnOptInPreferenceChanged();
     } else {
       UpdateEnabledStateUMA(false);
       PrefServiceSyncableFromProfile(profile_)->AddObserver(this);
@@ skipping 23 matching lines @@
 }
 
 void ArcAuthService::Shutdown() {
   ShutdownBridgeAndCloseUI();
   if (profile_) {
     syncable_prefs::PrefServiceSyncable* pref_service_syncable =
         PrefServiceSyncableFromProfile(profile_);
     pref_service_syncable->RemoveObserver(this);
     pref_service_syncable->RemoveSyncedPrefObserver(prefs::kArcEnabled, this);
   }
+  android_management_client_.reset();
   pref_change_registrar_.RemoveAll();
   profile_ = nullptr;
 }
 
 void ArcAuthService::ShowUI(UIPage page, const base::string16& status) {
   if (disable_ui_for_testing || IsOptInVerificationDisabled())
     return;
 
   SetUIPage(page, status);
   const extensions::AppWindowRegistry* const app_window_registry =
       extensions::AppWindowRegistry::Get(profile_);
   DCHECK(app_window_registry);
   if (app_window_registry->GetCurrentAppWindowForApp(kArcSupportExtensionId))
     return;
 
   const extensions::Extension* extension =
       extensions::ExtensionRegistry::Get(profile_)->GetInstalledExtension(
           kArcSupportExtensionId);
   CHECK(extension &&
         extensions::util::IsAppLaunchable(kArcSupportExtensionId, profile_));
 
   OpenApplication(CreateAppLaunchParamsUserContainer(
       profile_, extension, NEW_WINDOW, extensions::SOURCE_CHROME_INTERNAL));
 }
 
 void ArcAuthService::OnMergeSessionSuccess(const std::string& data) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   DCHECK(!initial_opt_in_);
-  context_prepared_ = true;
-  ShowUI(UIPage::LSO_PROGRESS, base::string16());
+  CheckAndroidManagement();
 }
 
 void ArcAuthService::OnMergeSessionFailure(
     const GoogleServiceAuthError& error) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   VLOG(2) << "Failed to merge gaia session " << error.ToString() << ".";
   OnPrepareContextFailed();
 }
 
 void ArcAuthService::OnUbertokenSuccess(const std::string& token) {
@@ skipping 29 matching lines @@
   if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
     if (state_ != State::ACTIVE) {
       CloseUI();
       auth_code_.clear();
 
       if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn)) {
         // Need pre-fetch auth code and show OptIn UI if needed.
         initial_opt_in_ = true;
         StartUI();
       } else {
-        // Ready to start Arc.
-        StartArc();
+        // Ready to start Arc, but check android management first.
+        if (!disable_ui_for_testing ||
+            enable_check_android_management_for_testing) {
+          CheckAndroidManagement();
+        } else {
+          StartArc();
+        }
       }
 
       UpdateEnabledStateUMA(true);
     }
   } else {
     if (state_ != State::STOPPED)
       UpdateEnabledStateUMA(false);
     ShutdownBridgeAndCloseUI();
   }
 }
 
 void ArcAuthService::ShutdownBridge() {
   playstore_launcher_.reset();
   auth_callback_.reset();
   ubertoken_fethcher_.reset();
   merger_fetcher_.reset();
+  token_service_ = nullptr;
+  account_id_ = "";
   arc_bridge_service()->Shutdown();
   SetState(State::STOPPED);
 }
 
 void ArcAuthService::ShutdownBridgeAndCloseUI() {
   ShutdownBridge();
   CloseUI();
 }
 
 void ArcAuthService::ShutdownBridgeAndShowUI(UIPage page,
@@ skipping 62 matching lines @@
   if (ui_page_ == UIPage::ERROR)
     UpdateOptInActionUMA(OptInActionType::RETRY);
 
   initial_opt_in_ = false;
   StartUI();
 }
 
 void ArcAuthService::CancelAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  if (state_ != State::FETCHING_CODE)
+  if (state_ != State::FETCHING_CODE && ui_page_ != UIPage::ERROR)
     return;
 
   // Update UMA with user cancel only if error is not currently shown.
   if (ui_page_ != UIPage::ERROR && ui_page_ != UIPage::NO_PAGE)
     UpdateOptInCancelUMA(OptInCancelReason::USER_CANCEL);
 
   DisableArc();
 }
 
 void ArcAuthService::EnableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, true);
 }
 
 void ArcAuthService::DisableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, false);
 }
 
 void ArcAuthService::PrepareContext() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  // Get auth token to continue.
-  ProfileOAuth2TokenService* token_service =
-      ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
+  // Get token service and account ID to fetch auth tokens.
+  token_service_ = ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
   SigninManagerBase* signin_manager =
       SigninManagerFactory::GetForProfile(profile_);
-  CHECK(token_service && signin_manager);
-  const std::string& account_id = signin_manager->GetAuthenticatedAccountId();
+  CHECK(token_service_ && signin_manager);
+  account_id_ = signin_manager->GetAuthenticatedAccountId();
+
   ubertoken_fethcher_.reset(
-      new UbertokenFetcher(token_service, this, GaiaConstants::kChromeOSSource,
+      new UbertokenFetcher(token_service_, this, GaiaConstants::kChromeOSSource,
                            storage_partition_->GetURLRequestContext()));
-  ubertoken_fethcher_->StartFetchingToken(account_id);
+  ubertoken_fethcher_->StartFetchingToken(account_id_);
 }
 
 void ArcAuthService::StartUI() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   SetState(State::FETCHING_CODE);
 
   if (initial_opt_in_) {
     initial_opt_in_ = false;
     ShowUI(UIPage::START, base::string16());
   } else if (context_prepared_) {
     ShowUI(UIPage::LSO_PROGRESS, base::string16());
   } else {
     PrepareContext();
   }
 }
 
 void ArcAuthService::OnPrepareContextFailed() {
   DCHECK_EQ(state_, State::FETCHING_CODE);
 
   ShutdownBridgeAndShowUI(
       UIPage::ERROR,
       l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
   UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
 }
 
+void ArcAuthService::OnGetTokenSuccess(
+    const OAuth2TokenService::Request* request,
+    const std::string& access_token,
+    const base::Time& expiration_time) {
+  DCHECK_EQ(token_request_.get(), request);
+  android_management_client_->CheckAndroidManagement(
+      access_token, base::Bind(&ArcAuthService::OnAndroidManagementChecked,
+                               weak_ptr_factory_.GetWeakPtr()));
+}
+
+void ArcAuthService::OnGetTokenFailure(
+    const OAuth2TokenService::Request* request,
+    const GoogleServiceAuthError& error) {
+  DCHECK_EQ(token_request_.get(), request);
+  OnAndroidManagementChecked(
+      policy::AndroidManagementClient::Result::RESULT_ERROR);
+}
+
+void ArcAuthService::StartAndroidManagementClient() {
+  policy::BrowserPolicyConnectorChromeOS* const connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  policy::DeviceManagementService* const service =
+      connector->device_management_service();
+  service->ScheduleInitialization(0);
+  android_management_client_.reset(new policy::AndroidManagementClient(
+      service, g_browser_process->system_request_context()));
+}
+
+void ArcAuthService::CheckAndroidManagement() {
+  // Do not send requests for Chrome OS managed users.
+  if (policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile_)
+          ->IsManaged()) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);
+    return;
+  }
+
+  // Do not send requests for well-known consumer domains.
+  if (policy::BrowserPolicyConnector::IsNonEnterpriseUser(
+          profile_->GetProfileUserName())) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);
+    return;
+  }
+
+  // Do not request access token for testing, use |fake_access_token|.
+  if (enable_check_android_management_for_testing) {
+    android_management_client_->CheckAndroidManagement(
+        fake_access_token,
+        base::Bind(&ArcAuthService::OnAndroidManagementChecked,
+                   weak_ptr_factory_.GetWeakPtr()));
+    return;
+  }
+
+  DCHECK(!token_request_);
+  // The user must be signed in already.
+  DCHECK(token_service_->RefreshTokenIsAvailable(account_id_));
+
+  OAuth2TokenService::ScopeSet scopes;
+  scopes.insert(GaiaConstants::kDeviceManagementServiceOAuth);
+  scopes.insert(GaiaConstants::kOAuthWrapBridgeUserInfoScope);
+  token_request_ = token_service_->StartRequest(account_id_, scopes, this);

[xiyuan, 2016/04/26 17:48:09]

Think we should move access token fetching etc into AndroidManagementClient (or
a helper class). The code does not seem belonging to ArcAuthService.

[Polina Bondarenko, 2016/04/27 15:19:57]

Done.

+}
+
+void ArcAuthService::OnAndroidManagementChecked(
+    policy::AndroidManagementClient::Result result) {
+  switch (result) {
+    case policy::AndroidManagementClient::Result::RESULT_UNMANAGED:
+      context_prepared_ = true;
+      if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn))
+        ShowUI(UIPage::LSO_PROGRESS, base::string16());
+      else
+        StartArc();
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_MANAGED:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_ANDROID_MANAGEMENT_REQUIRED_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::ANDROID_MANAGEMENT_REQUIRED);
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_ERROR:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
+      break;
+    default:
+      NOTREACHED();
+  }
+}
+
 std::ostream& operator<<(std::ostream& os, const ArcAuthService::State& state) {
   switch (state) {
     case ArcAuthService::State::STOPPED:
       return os << kStateStopped;
     case ArcAuthService::State::FETCHING_CODE:
       return os << kStateFetchingCode;
     case ArcAuthService::State::ACTIVE:
       return os << kStateActive;
     default:
       NOTREACHED();
       return os;
   }
 }
 
 }  // namespace arc