Add CheckAndroidManagement to ARC sign-in flow.

chrome/browser/chromeos/arc/arc_auth_service.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/arc/arc_auth_service.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"

[bartfab (slow), 2016/05/02 14:55:48]

Nit: No longer used.

[Polina Bondarenko, 2016/05/03 13:41:54]

Done.

 #include "base/command_line.h"
 #include "base/lazy_instance.h"
+#include "base/strings/string16.h"

[bartfab (slow), 2016/05/02 14:55:48]

Nit: Where is this used?

[Polina Bondarenko, 2016/05/03 13:41:54]

It's used in ShowUI() and it's calls.

 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_checker.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/arc/arc_auth_notification.h"
 #include "chrome/browser/chromeos/arc/arc_optin_uma.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/extension_util.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/policy/profile_policy_connector_factory.h"
 #include "chrome/browser/prefs/pref_service_syncable_util.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/ui/app_list/arc/arc_app_launcher.h"
 #include "chrome/browser/ui/extensions/app_launch_params.h"
 #include "chrome/browser/ui/extensions/application_launch.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/grit/generated_resources.h"
 #include "chromeos/chromeos_switches.h"
 #include "components/arc/arc_bridge_service.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/pref_registry/pref_registry_syncable.h"
 #include "components/prefs/pref_service.h"
 #include "components/signin/core/browser/profile_oauth2_token_service.h"
 #include "components/signin/core/browser/signin_manager_base.h"
 #include "components/syncable_prefs/pref_service_syncable.h"
 #include "components/user_manager/user.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/browser/app_window/app_window_registry.h"
 #include "extensions/browser/extension_prefs.h"
@@ skipping 11 matching lines @@
 base::LazyInstance<base::ThreadChecker> thread_checker =
     LAZY_INSTANCE_INITIALIZER;
 
 const char kPlayStoreAppId[] = "gpkmicpkkebkmabiaedjognfppcchdfa";
 const char kArcSupportExtensionId[] = "cnbgggchhmkkdmeppjobngjoejnihlei";
 const char kArcSupportStorageId[] = "arc_support";
 
 // Skip creating UI in unit tests
 bool disable_ui_for_testing = false;
 
+// Do check Android management requirement in browser tests.

[bartfab (slow), 2016/05/02 14:55:48]

The comment says "do check" but the default value is |false|. That does not
match.

[Polina Bondarenko, 2016/05/03 13:41:54]

Done.

+bool enable_check_android_management_for_testing = false;
+
 const char kStateStopped[] = "STOPPED";
 const char kStateFetchingCode[] = "FETCHING_CODE";
 const char kStateActive[] = "ACTIVE";
+
 }  // namespace
 
 ArcAuthService::ArcAuthService(ArcBridgeService* bridge_service)
-    : ArcService(bridge_service), binding_(this) {
+    : ArcService(bridge_service), binding_(this), weak_ptr_factory_(this) {
   DCHECK(!arc_auth_service);
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   arc_auth_service = this;
 
   arc_bridge_service()->AddObserver(this);
 }
 
 ArcAuthService::~ArcAuthService() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
@@ skipping 24 matching lines @@
 void ArcAuthService::DisableUIForTesting() {
   disable_ui_for_testing = true;
 }
 
 // static
 bool ArcAuthService::IsOptInVerificationDisabled() {
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
       chromeos::switches::kDisableArcOptInVerification);
 }
 
+// static
+void ArcAuthService::EnableCheckAndroidManagementForTesting() {
+  enable_check_android_management_for_testing = true;
+}
+
 void ArcAuthService::OnAuthInstanceReady() {
   arc_bridge_service()->auth_instance()->Init(
       binding_.CreateInterfacePtrAndBind());
 }
 
 std::string ArcAuthService::GetAndResetAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   std::string auth_code;
   auth_code_.swap(auth_code);
   return auth_code;
@@ skipping 111 matching lines @@
       prefs::kArcEnabled, this);
 
   // Reuse storage used in ARC OptIn platform app.
   const std::string site_url =
       base::StringPrintf("%s://%s/persist?%s", content::kGuestScheme,
                          kArcSupportExtensionId, kArcSupportStorageId);
   storage_partition_ = content::BrowserContext::GetStoragePartitionForSite(
       profile_, GURL(site_url));
   CHECK(storage_partition_);
 
+  // Get token service and account ID to fetch auth tokens.
+  token_service_ = ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
+  SigninManagerBase* signin_manager =

[bartfab (slow), 2016/05/02 14:55:48]

Nit: const pointer

[Polina Bondarenko, 2016/05/03 13:41:54]

Done.

+      SigninManagerFactory::GetForProfile(profile_);
+  CHECK(token_service_ && signin_manager);

[bartfab (slow), 2016/05/02 14:55:48]

Nit: #include "base/logging.h"

[Polina Bondarenko, 2016/05/03 13:41:54]

Done.

+  account_id_ = signin_manager->GetAuthenticatedAccountId();
+
   // In case UI is disabled we assume that ARC is opted-in.
   if (!IsOptInVerificationDisabled()) {
+    if (!disable_ui_for_testing || enable_check_android_management_for_testing)
+      StartAndroidManagementClient();
+
     pref_change_registrar_.Init(profile_->GetPrefs());
     pref_change_registrar_.Add(
         prefs::kArcEnabled,
         base::Bind(&ArcAuthService::OnOptInPreferenceChanged,
-                   base::Unretained(this)));
+                   weak_ptr_factory_.GetWeakPtr()));
     if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
       OnOptInPreferenceChanged();
     } else {
       UpdateEnabledStateUMA(false);
       PrefServiceSyncableFromProfile(profile_)->AddObserver(this);
       OnIsSyncingChanged();
     }
   } else {
     auth_code_.clear();
     StartArc();

[bartfab (slow), 2016/05/02 14:55:48]

Will this not circumvent the management check?

[Polina Bondarenko, 2016/05/03 13:41:54]

Yes, it will. This branch of 'if' is used only for testing. When OptIn
verification is disabled. I think, that is better to disable Android management
check in this case too.

[bartfab (slow), 2016/05/03 14:25:18]

According to the documentation, that switch "disables ARC Opt-in verification
process and ARC is enabled by default." I am concerned that someone may decide
in the future to make this the default (no more opt-in needed) and then suddenly
your check is skipped.

[Polina Bondarenko, 2016/05/03 14:55:44]

Would you recommend to add check here too? This branch is used only for testing
right now, not sure which accounts do they use.

[bartfab (slow), 2016/05/03 15:26:38]

Yes, I think we should add the check to that code path too. If it breaks manual
testing, someone will come and complain to us. We can always adjust the check in
that case.

[Polina Bondarenko, 2016/05/03 16:42:16]

Ok, added check. It seems like nothing's failed for now.

   }
 }
 
 void ArcAuthService::OnIsSyncingChanged() {
   syncable_prefs::PrefServiceSyncable* const pref_service_syncable =
       PrefServiceSyncableFromProfile(profile_);
   if (!pref_service_syncable->IsSyncing())
     return;
 
   pref_service_syncable->RemoveObserver(this);
 
   if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled))
     OnOptInPreferenceChanged();
 
   if (!disable_ui_for_testing && profile_->IsNewProfile() &&
       !profile_->GetPrefs()->HasPrefPath(prefs::kArcEnabled)) {
     arc::ArcAuthNotification::Show();
   }
 }
 
 void ArcAuthService::Shutdown() {
   ShutdownBridgeAndCloseUI();
   if (profile_) {
     syncable_prefs::PrefServiceSyncable* pref_service_syncable =
         PrefServiceSyncableFromProfile(profile_);
     pref_service_syncable->RemoveObserver(this);
     pref_service_syncable->RemoveSyncedPrefObserver(prefs::kArcEnabled, this);
   }
+  // Destroy here, because |android_management_client_| is used for each ARC

[bartfab (slow), 2016/05/02 14:55:48]

I do not understand what this comment is trying to tell me. What does "each
connect" refer to? What does it mean for ARC to be signed-in? Why does the
client have to be explicitly destroyed?

[Polina Bondarenko, 2016/05/03 13:41:54]

It doesn't have to, removed. I tried to show that CheckAndroidManagement is
called every time, even if ARC is signed-in and it can't be destroyed in
ShutdownBridge.

+  // connect, even if ARC is signed-in.
+  android_management_client_.reset();
   pref_change_registrar_.RemoveAll();
   profile_ = nullptr;
 }
 
 void ArcAuthService::ShowUI(UIPage page, const base::string16& status) {
   if (disable_ui_for_testing || IsOptInVerificationDisabled())
     return;
 
   SetUIPage(page, status);
   const extensions::AppWindowRegistry* const app_window_registry =
       extensions::AppWindowRegistry::Get(profile_);
   DCHECK(app_window_registry);
   if (app_window_registry->GetCurrentAppWindowForApp(kArcSupportExtensionId))
     return;
 
   const extensions::Extension* extension =
       extensions::ExtensionRegistry::Get(profile_)->GetInstalledExtension(
           kArcSupportExtensionId);
   CHECK(extension &&
         extensions::util::IsAppLaunchable(kArcSupportExtensionId, profile_));
 
   OpenApplication(CreateAppLaunchParamsUserContainer(
       profile_, extension, NEW_WINDOW, extensions::SOURCE_CHROME_INTERNAL));
 }
 
 void ArcAuthService::OnMergeSessionSuccess(const std::string& data) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   DCHECK(!initial_opt_in_);
-  context_prepared_ = true;
-  ShowUI(UIPage::LSO_PROGRESS, base::string16());
+  CheckAndroidManagement();
 }
 
 void ArcAuthService::OnMergeSessionFailure(
     const GoogleServiceAuthError& error) {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   VLOG(2) << "Failed to merge gaia session " << error.ToString() << ".";
   OnPrepareContextFailed();
 }
 
 void ArcAuthService::OnUbertokenSuccess(const std::string& token) {
@@ skipping 29 matching lines @@
   if (profile_->GetPrefs()->GetBoolean(prefs::kArcEnabled)) {
     if (state_ != State::ACTIVE) {
       CloseUI();
       auth_code_.clear();
 
       if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn)) {
         // Need pre-fetch auth code and show OptIn UI if needed.
         initial_opt_in_ = true;
         StartUI();
       } else {
-        // Ready to start Arc.
-        StartArc();
+        // Ready to start Arc, but check android management first.
+        if (!disable_ui_for_testing ||
+            enable_check_android_management_for_testing) {
+          CheckAndroidManagement();
+        } else {
+          StartArc();
+        }
       }
 
       UpdateEnabledStateUMA(true);
     }
   } else {
     if (state_ != State::STOPPED)
       UpdateEnabledStateUMA(false);
     ShutdownBridgeAndCloseUI();
   }
 }
 
 void ArcAuthService::ShutdownBridge() {
+  FOR_EACH_OBSERVER(Observer, observer_list_, OnShutdownBridge());
   playstore_launcher_.reset();
   auth_callback_.reset();
   ubertoken_fethcher_.reset();
   merger_fetcher_.reset();
+  token_service_ = nullptr;
+  account_id_ = "";
   arc_bridge_service()->Shutdown();
   SetState(State::STOPPED);
 }
 
 void ArcAuthService::ShutdownBridgeAndCloseUI() {
   ShutdownBridge();
   CloseUI();
 }
 
 void ArcAuthService::ShutdownBridgeAndShowUI(UIPage page,
@@ skipping 63 matching lines @@
   if (ui_page_ == UIPage::ERROR)
     UpdateOptInActionUMA(OptInActionType::RETRY);
 
   initial_opt_in_ = false;
   StartUI();
 }
 
 void ArcAuthService::CancelAuthCode() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  if (state_ != State::FETCHING_CODE)
+  if (state_ != State::FETCHING_CODE && ui_page_ != UIPage::ERROR)
     return;
 
   // Update UMA with user cancel only if error is not currently shown.
   if (ui_page_ != UIPage::ERROR && ui_page_ != UIPage::NO_PAGE)
     UpdateOptInCancelUMA(OptInCancelReason::USER_CANCEL);
 
   DisableArc();
 }
 
 void ArcAuthService::EnableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, true);
 }
 
 void ArcAuthService::DisableArc() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
   profile_->GetPrefs()->SetBoolean(prefs::kArcEnabled, false);
 }
 
 void ArcAuthService::PrepareContext() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
-  // Get auth token to continue.
-  ProfileOAuth2TokenService* token_service =
-      ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
-  SigninManagerBase* signin_manager =
-      SigninManagerFactory::GetForProfile(profile_);
-  CHECK(token_service && signin_manager);
-  const std::string& account_id = signin_manager->GetAuthenticatedAccountId();
   ubertoken_fethcher_.reset(
-      new UbertokenFetcher(token_service, this, GaiaConstants::kChromeOSSource,
+      new UbertokenFetcher(token_service_, this, GaiaConstants::kChromeOSSource,
                            storage_partition_->GetURLRequestContext()));
-  ubertoken_fethcher_->StartFetchingToken(account_id);
+  ubertoken_fethcher_->StartFetchingToken(account_id_);
 }
 
 void ArcAuthService::StartUI() {
   DCHECK(thread_checker.Get().CalledOnValidThread());
 
   SetState(State::FETCHING_CODE);
 
   if (initial_opt_in_) {
     initial_opt_in_ = false;
     ShowUI(UIPage::START, base::string16());
   } else if (context_prepared_) {
     ShowUI(UIPage::LSO_PROGRESS, base::string16());
   } else {
     PrepareContext();
   }
 }
 
 void ArcAuthService::OnPrepareContextFailed() {
   DCHECK_EQ(state_, State::FETCHING_CODE);
 
   ShutdownBridgeAndShowUI(
       UIPage::ERROR,
       l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
   UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
 }
 
+void ArcAuthService::StartAndroidManagementClient() {
+  policy::BrowserPolicyConnectorChromeOS* const connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  policy::DeviceManagementService* const service =
+      connector->device_management_service();
+  service->ScheduleInitialization(0);
+  android_management_client_.reset(new policy::AndroidManagementClient(
+      service, g_browser_process->system_request_context(), account_id_,
+      token_service_));
+}
+
+void ArcAuthService::CheckAndroidManagement() {
+  // Do not send requests for Chrome OS managed users.
+  if (policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile_)
+          ->IsManaged()) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);

[bartfab (slow), 2016/05/02 14:55:48]

It is a bit odd semantically that for a *managed* user, the result code we
synthesize is "unmanaged."

[Polina Bondarenko, 2016/05/03 13:41:54]

Yes, fixed to a plain code. Hopefully it doesn't look like copy-paste here.

[bartfab (slow), 2016/05/03 14:25:18]

You could always extract these four lines to a helper, StartArcIfSignedIn() or
some such.

[Polina Bondarenko, 2016/05/03 14:55:44]

Done.

+    return;
+  }
+
+  // Do not send requests for well-known consumer domains.
+  if (policy::BrowserPolicyConnector::IsNonEnterpriseUser(
+          profile_->GetProfileUserName())) {
+    OnAndroidManagementChecked(
+        policy::AndroidManagementClient::Result::RESULT_UNMANAGED);
+    return;
+  }
+
+  android_management_client_->StartCheckAndroidManagement(
+      base::Bind(&ArcAuthService::OnAndroidManagementChecked,
+                 weak_ptr_factory_.GetWeakPtr()));
+}
+
+void ArcAuthService::OnAndroidManagementChecked(
+    policy::AndroidManagementClient::Result result) {
+  switch (result) {
+    case policy::AndroidManagementClient::Result::RESULT_UNMANAGED:
+      context_prepared_ = true;
+      if (!profile_->GetPrefs()->GetBoolean(prefs::kArcSignedIn))
+        ShowUI(UIPage::LSO_PROGRESS, base::string16());
+      else
+        StartArc();
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_MANAGED:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_ANDROID_MANAGEMENT_REQUIRED_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::ANDROID_MANAGEMENT_REQUIRED);
+      break;
+    case policy::AndroidManagementClient::Result::RESULT_ERROR:
+      ShutdownBridgeAndShowUI(
+          UIPage::ERROR,
+          l10n_util::GetStringUTF16(IDS_ARC_SERVER_COMMUNICATION_ERROR));
+      UpdateOptInCancelUMA(OptInCancelReason::NETWORK_ERROR);
+      break;
+    default:
+      NOTREACHED();
+  }
+}
+
 std::ostream& operator<<(std::ostream& os, const ArcAuthService::State& state) {
   switch (state) {
     case ArcAuthService::State::STOPPED:
       return os << kStateStopped;
     case ArcAuthService::State::FETCHING_CODE:
       return os << kStateFetchingCode;
     case ArcAuthService::State::ACTIVE:
       return os << kStateActive;
     default:
       NOTREACHED();
       return os;
   }
 }
 
 }  // namespace arc