Add CheckAndroidManagement to ARC sign-in flow.

chrome/browser/chromeos/arc/arc_auth_service.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/arc/arc_auth_service.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
 #include "base/lazy_instance.h"
+#include "base/strings/string16.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_checker.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/arc/arc_auth_notification.h"
 #include "chrome/browser/chromeos/arc/arc_optin_uma.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/extension_util.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/policy/profile_policy_connector_factory.h"
 #include "chrome/browser/prefs/pref_service_syncable_util.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/ui/app_list/arc/arc_app_launcher.h"
 #include "chrome/browser/ui/extensions/app_launch_params.h"
 #include "chrome/browser/ui/extensions/application_launch.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/grit/generated_resources.h"
 #include "chromeos/chromeos_switches.h"
 #include "components/arc/arc_bridge_service.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/pref_registry/pref_registry_syncable.h"
 #include "components/prefs/pref_service.h"
 #include "components/signin/core/browser/profile_oauth2_token_service.h"
 #include "components/signin/core/browser/signin_manager_base.h"
 #include "components/syncable_prefs/pref_service_syncable.h"
 #include "components/user_manager/user.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/browser/app_window/app_window_registry.h"
 #include "extensions/browser/extension_prefs.h"
@@ skipping 11 matching lines @@
 base::LazyInstance<base::ThreadChecker> thread_checker =
     LAZY_INSTANCE_INITIALIZER;
 
 const char kPlayStoreAppId[] = "gpkmicpkkebkmabiaedjognfppcchdfa";
 const char kArcSupportExtensionId[] = "cnbgggchhmkkdmeppjobngjoejnihlei";
 const char kArcSupportStorageId[] = "arc_support";
 
 // Skip creating UI in unit tests
 bool disable_ui_for_testing = false;
 
+// Do check Android management requirement in browser tests.
+bool enable_check_android_management_for_testing = false;
+
 const char kStateStopped[] = "STOPPED";
 const char kStateFetchingCode[] = "FETCHING_CODE";
 const char kStateActive[] = "ACTIVE";
+
 }  // namespace
 
 ArcAuthService::ArcAuthService(ArcBridgeService* bridge_service)
-    : ArcService(bridge_service), binding_(this) {
+    : ArcService(bridge_service), binding_(this), weak_ptr_factory_(this) {
   DCHECK(!arc_auth_service);
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   arc_auth_service = this;
 
   arc_bridge_service()->AddObserver(this);
 }
 
 ArcAuthService::~ArcAuthService() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
@@ skipping 24 matching lines @@
 void ArcAuthService::DisableUIForTesting() {
   disable_ui_for_testing = true;
 }
 
 // static
 bool ArcAuthService::IsOptInVerificationDisabled() {
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
       chromeos::switches::kDisableArcOptInVerification);
 }
 
+// static
+void ArcAuthService::EnableCheckAndroidManagementForTesting() {
+  enable_check_android_management_for_testing = true;
+}
+
 void ArcAuthService::OnAuthInstanceReady() {
   arc_bridge_service()->auth_instance()->Init(
       binding_.CreateInterfacePtrAndBind());
 }
 
 std::string ArcAuthService::GetAndResetAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   std::string auth_code;
   auth_code_.swap(auth_code);
   return auth_code;
@@ skipping 78 matching lines @@
   const user_manager::User* const primary_user =
       user_manager::UserManager::Get()->GetPrimaryUser();
   Profile* const profile =
       chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user);
   const policy::ProfilePolicyConnector* const profile_policy_connector =
       policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile);
   callback.Run(profile_policy_connector->IsManaged());
 }
 
 void ArcAuthService::SetState(State state) {
-  if (state_ == state)
+  if (state_ == state && !enable_check_android_management_for_testing)
     return;
 
   state_ = state;
   FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
 }
 
 void ArcAuthService::OnPrimaryUserProfilePrepared(Profile* profile) {
   DCHECK(profile && profile != profile_);
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
@@ skipping 12 matching lines @@
       prefs::kArcEnabled, this);
 
   // Reuse storage used in ARC OptIn platform app.
   const std::string site_url =
       base::StringPrintf("%s://%s/persist?%s", content::kGuestScheme,
                          kArcSupportExtensionId, kArcSupportStorageId);
   storage_partition_ = content::BrowserContext::GetStoragePartitionForSite(
       profile_, GURL(site_url));
   CHECK(storage_partition_);
 
+  // Get token service and account ID to fetch auth tokens.
+  token_service_ = ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
+  SigninManagerBase* signin_manager =
+      SigninManagerFactory::GetForProfile(profile_);
+  CHECK(token_service_ && signin_manager);
+  account_id_ = signin_manager->GetAuthenticatedAccountId();
+
   // In case UI is disabled we assume that ARC is opted-in.
   if (!IsOptInVerificationDisabled()) {
+    if (!disable_ui_for_testing || enable_check_android_management_for_testing)
+      StartAndroidManagementClient();
+
     pref_change_registrar_.Init(profile_->GetPrefs());
     pref_change_registrar_.Add(
         prefs::kArcEnabled,
         base::Bind(&ArcAuthService::OnOptInPreferenceChanged,
                    base::Unretained(this)));

[khmel, 2016/04/27 16:07:42]

Once we are using weak_ptr, would it make sense to change to
weak_ptr_factory_.GetWeakPtr() here as well?

[Polina Bondarenko, 2016/04/27 16:58:50]

Done.

     if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
       OnOptInPreferenceChanged();
     } else {
       UpdateEnabledStateUMA(false);
       PrefServiceSyncableFromProfile(profile_)->AddObserver(this);
       OnIsSyncingChanged();
     }
   } else {
     auth_code_.clear();
     StartArc();
@@ skipping 18 matching lines @@
 }
 
 void ArcAuthService::Shutdown() {
   ShutdownBridgeAndCloseUI();
   if (profile_) {
     syncable_prefs::PrefServiceSyncable* pref_service_syncable =
         PrefServiceSyncableFromProfile(profile_);
     pref_service_syncable->RemoveObserver(this);
     pref_service_syncable->RemoveSyncedPrefObserver(prefs::kArcEnabled, this);
   }
+  android_management_client_.reset();
   pref_change_registrar_.RemoveAll();
   profile_ = nullptr;
 }
 
 void ArcAuthService::ShowUI(UIPage page, const base::string16& status) {
   if (disable_ui_for_testing || IsOptInVerificationDisabled())
     return;
 
   SetUIPage(page, status);
   const extensions::AppWindowRegistry* const app_window_registry =
       extensions::AppWindowRegistry::Get(profile_);
   DCHECK(app_window_registry);
   if (app_window_registry->GetCurrentAppWindowForApp(kArcSupportExtensionId))
     return;
 
   const extensions::Extension* extension =
       extensions::ExtensionRegistry::Get(profile_)->GetInstalledExtension(
           kArcSupportExtensionId);
   CHECK(extension &&
         extensions::util::IsAppLaunchable(kArcSupportExtensionId, profile_));
 
   OpenApplication(CreateAppLaunchParamsUserContainer(
       profile_, extension, NEW_WINDOW, extensions::SOURCE_CHROME_INTERNAL));
 }
 
 void ArcAuthService::OnMergeSessionSuccess(const std::string& data) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   DCHECK(!initial_opt_in_);
-  context_prepared_ = true;
-  ShowUI(UIPage::LSO_PROGRESS, base::string16());
+  CheckAndroidManagement();
 }
 
 void ArcAuthService::OnMergeSessionFailure(
     const GoogleServiceAuthError& error) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   VLOG(2) << "Failed to merge gaia session " << error.ToString() << ".";
   OnPrepareContextFailed();
 }
 
 void ArcAuthService::OnUbertokenSuccess(const std::string& token) {
@@ skipping 29 matching lines @@
   if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
     if (state_ != State::ACTIVE) {
       CloseUI();
       auth_code_.clear();
 
       if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn)) {
         // Need pre-fetch auth code and show OptIn UI if needed.
         initial_opt_in_ = true;
         StartUI();
       } else {
-        // Ready to start Arc.
-        StartArc();
+        // Ready to start Arc, but check android management first.
+        if (!disable_ui_for_testing ||
+            enable_check_android_management_for_testing) {
+          CheckAndroidManagement();
+        } else {
+          StartArc();
+        }
       }
 
       UpdateEnabledStateUMA(true);
     }
   } else {
     if (state_ != State::STOPPED)
       UpdateEnabledStateUMA(false);
     ShutdownBridgeAndCloseUI();
   }
 }
 
 void ArcAuthService::ShutdownBridge() {
   playstore_launcher_.reset();
   auth_callback_.reset();
   ubertoken_fethcher_.reset();
   merger_fetcher_.reset();
+  token_service_ = nullptr;
+  account_id_ = "";
   arc_bridge_service()->Shutdown();
   SetState(State::STOPPED);
 }
 
 void ArcAuthService::ShutdownBridgeAndCloseUI() {
   ShutdownBridge();
   CloseUI();
 }
 
 void ArcAuthService::ShutdownBridgeAndShowUI(UIPage page,
@@ skipping 62 matching lines @@
   if (ui_page_ == UIPage::ERROR)
     UpdateOptInActionUMA(OptInActionType::RETRY);
 
   initial_opt_in_ = false;
   StartUI();
 }
 
 void ArcAuthService::CancelAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  if (state_ != State::FETCHING_CODE)
+  if (state_ != State::FETCHING_CODE && ui_page_ != UIPage::ERROR)
     return;
 
   // Update UMA with user cancel only if error is not currently shown.
   if (ui_page_ != UIPage::ERROR && ui_page_ != UIPage::NO_PAGE)
     UpdateOptInCancelUMA(OptInCancelReason::USER_CANCEL);
 
   DisableArc();
 }
 
 void ArcAuthService::EnableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, true);
 }
 
 void ArcAuthService::DisableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, false);
 }
 
 void ArcAuthService::PrepareContext() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  // Get auth token to continue.
-  ProfileOAuth2TokenService* token_service =
-      ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
-  SigninManagerBase* signin_manager =
-      SigninManagerFactory::GetForProfile(profile_);
-  CHECK(token_service && signin_manager);
-  const std::string& account_id = signin_manager->GetAuthenticatedAccountId();
   ubertoken_fethcher_.reset(
-      new UbertokenFetcher(token_service, this, GaiaConstants::kChromeOSSource,
+      new UbertokenFetcher(token_service_, this, GaiaConstants::kChromeOSSource,
                            storage_partition_->GetURLRequestContext()));
-  ubertoken_fethcher_->StartFetchingToken(account_id);
+  ubertoken_fethcher_->StartFetchingToken(account_id_);
 }
 
 void ArcAuthService::StartUI() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   SetState(State::FETCHING_CODE);
 
   if (initial_opt_in_) {
     initial_opt_in_ = false;
     ShowUI(UIPage::START, base::string16());
   } else if (context_prepared_) {
     ShowUI(UIPage::LSO_PROGRESS, base::string16());
   } else {
     PrepareContext();
   }
 }
 
 void ArcAuthService::OnPrepareContextFailed() {
   DCHECK_EQ(state_, State::FETCHING_CODE);
 
   ShutdownBridgeAndShowUI(
       UIPage::ERROR,
       l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
   UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
 }
 
+void ArcAuthService::StartAndroidManagementClient() {
+  policy::BrowserPolicyConnectorChromeOS* const connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  policy::DeviceManagementService* const service =
+      connector->device_management_service();
+  service->ScheduleInitialization(0);
+  android_management_client_.reset(new policy::AndroidManagementClient(
+      service, g_browser_process->system_request_context(), account_id_,
+      token_service_));
+}
+
+void ArcAuthService::CheckAndroidManagement() {
+  // Do not send requests for Chrome OS managed users.
+  if (policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile_)
+          ->IsManaged()) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);
+    return;
+  }
+
+  // Do not send requests for well-known consumer domains.
+  if (policy::BrowserPolicyConnector::IsNonEnterpriseUser(
+          profile_->GetProfileUserName())) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);
+    return;
+  }
+
+  android_management_client_->StartCheckAndroidManagement(
+      base::Bind(&ArcAuthService::OnAndroidManagementChecked,
+                 weak_ptr_factory_.GetWeakPtr()));
+}
+
+void ArcAuthService::OnAndroidManagementChecked(
+    policy::AndroidManagementClient::Result result) {
+  switch (result) {
+    case policy::AndroidManagementClient::Result::RESULT_UNMANAGED:
+      context_prepared_ = true;
+      if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn))
+        ShowUI(UIPage::LSO_PROGRESS, base::string16());
+      else
+        StartArc();
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_MANAGED:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_ANDROID_MANAGEMENT_REQUIRED_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::ANDROID_MANAGEMENT_REQUIRED);
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_ERROR:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
+      break;
+    default:
+      NOTREACHED();
+  }
+}
+
 std::ostream& operator<<(std::ostream& os, const ArcAuthService::State& state) {
   switch (state) {
     case ArcAuthService::State::STOPPED:
       return os << kStateStopped;
     case ArcAuthService::State::FETCHING_CODE:
       return os << kStateFetchingCode;
     case ArcAuthService::State::ACTIVE:
       return os << kStateActive;
     default:
       NOTREACHED();
       return os;
   }
 }
 
 }  // namespace arc