Minimal attestation-based enrollment flow.

chrome/browser/chromeos/login/enrollment/enrollment_screen.cc

Index: chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
diff --git a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
index 09b46e20989ac864de6936189a069a106e0f1bbf..f4e3e94080d6332291a664836c124a6f8fbf8e12 100644
--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
@@ -27,6 +27,7 @@
 #include "google_apis/gaia/gaia_auth_util.h"
 
 using namespace pairing_chromeos;
+using policy::EnrollmentConfig;
 
 // Do not change the UMA histogram parameters without renaming the histograms!
 #define UMA_ENROLLMENT_TIME(histogram_name, elapsed_timer) \
@@ -63,9 +64,10 @@ EnrollmentScreen::EnrollmentScreen(BaseScreenDelegate* base_screen_delegate,
     : BaseScreen(base_screen_delegate),
       shark_controller_(NULL),
       actor_(actor),
+      current_auth_(AUTH_OAUTH),
+      last_auth_(AUTH_OAUTH),
       enrollment_failed_once_(false),
-      weak_ptr_factory_(this) {
-}
+      weak_ptr_factory_(this) {}
 
 EnrollmentScreen::~EnrollmentScreen() {
   DCHECK(!enrollment_helper_ || g_browser_process->IsShuttingDown());
@@ -75,14 +77,61 @@ void EnrollmentScreen::SetParameters(
     const policy::EnrollmentConfig& enrollment_config,
     pairing_chromeos::ControllerPairingController* shark_controller) {
   enrollment_config_ = enrollment_config;
+  switch (enrollment_config_.auth_mechanism) {
+    case EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE:
+      current_auth_ = AUTH_OAUTH;
+      last_auth_ = AUTH_OAUTH;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_ATTESTATION:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = AUTH_ATTESTATION;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = AUTH_OAUTH;
+      break;
+  }
   shark_controller_ = shark_controller;
-  actor_->SetParameters(this, enrollment_config_);
+  SetConfig();
+}
+
+void EnrollmentScreen::SetConfig() {
+  config_ = enrollment_config_;
+  if (current_auth_ == AUTH_ATTESTATION) {
+    if (last_auth_ == current_auth_) {
+      config_.mode = policy::EnrollmentConfig::MODE_ATTESTATION;
+    } else {
+      config_.mode = policy::EnrollmentConfig::MODE_ATTESTATION_FORCED;
+    }
+  }
+  actor_->SetParameters(this, config_);
+  enrollment_helper_ = nullptr;
+}
+
+bool EnrollmentScreen::AdvanceToNextAuth() {
+  if (current_auth_ == last_auth_) {

[pastarmovj, 2016/08/19 10:29:18]

This looks like too much of a boilerplate for juggling only 2 cases. Are you
expecting this to grow more in the near future? If not I would embed the
knowledge of that in the logic directly for now. E.g.:

if (current_auth_ != last_auth_ && current_auth_ == AUTH_ATTESTATION) {
  current_auth_ = AUTH_OAUTH;
  if (enrollment_config_.should_enroll_interactively()) {
    SetConfig();
    return true;
  }
}
return false;

And if you plan for more then maybe having an array of the options would be a
better idea in that case.

[The one and only Dr. Crash, 2016/08/19 17:49:29]

I like that.

+    return false;
+  }
+  switch (current_auth_) {
+    case AUTH_ATTESTATION:
+      current_auth_ = AUTH_OAUTH;
+      if (enrollment_config_.should_enroll_interactively()) {
+        SetConfig();
+        return true;
+      } else {
+        return false;
+      }
+    case AUTH_OAUTH:
+      return false;
+  }
+  return false;
 }
 
 void EnrollmentScreen::CreateEnrollmentHelper() {
-  DCHECK(!enrollment_helper_);
-  enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
-      this, enrollment_config_, enrolling_user_domain_);
+  if (!enrollment_helper_) {
+    enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
+        this, config_, enrolling_user_domain_);
+  }
 }
 
 void EnrollmentScreen::ClearAuth(const base::Closure& callback) {
@@ -96,7 +145,7 @@ void EnrollmentScreen::ClearAuth(const base::Closure& callback) {
 }
 
 void EnrollmentScreen::OnAuthCleared(const base::Closure& callback) {
-  enrollment_helper_.reset();
+  enrollment_helper_ = nullptr;
   callback.Run();
 }
 
@@ -106,6 +155,17 @@ void EnrollmentScreen::PrepareToShow() {
 
 void EnrollmentScreen::Show() {
   UMA(policy::kMetricEnrollmentTriggered);
+  switch (current_auth_) {
+    case AUTH_OAUTH:
+      ShowInteractiveScreen();
+      break;
+    case AUTH_ATTESTATION:
+      AuthenticateUsingAttestation();
+      break;
+  }
+}
+
+void EnrollmentScreen::ShowInteractiveScreen() {
   ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
                        weak_ptr_factory_.GetWeakPtr()));
 }
@@ -119,6 +179,15 @@ std::string EnrollmentScreen::GetName() const {
   return WizardController::kEnrollmentScreenName;
 }
 
+void EnrollmentScreen::AuthenticateUsingAttestation() {
+  VLOG(1) << "Authenticating using attestation.";
+  elapsed_timer_.reset(new base::ElapsedTimer());
+  actor_->Show();
+  actor_->ShowEnrollmentSpinnerScreen();
+  CreateEnrollmentHelper();
+  enrollment_helper_->EnrollUsingAttestation();
+}
+
 void EnrollmentScreen::OnLoginDone(const std::string& user,
                                    const std::string& auth_code) {
   LOG_IF(ERROR, auth_code.empty()) << "Auth code is empty.";
@@ -135,19 +204,22 @@ void EnrollmentScreen::OnLoginDone(const std::string& user,
 }
 
 void EnrollmentScreen::OnRetry() {
-  ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
-                       weak_ptr_factory_.GetWeakPtr()));
+  Show();
 }
 
 void EnrollmentScreen::OnCancel() {
+  if (AdvanceToNextAuth()) {
+    Show();
+    return;
+  }
+
   UMA(policy::kMetricEnrollmentCancelled);
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeCancel, elapsed_timer_);
 
   const BaseScreenDelegate::ExitCodes exit_code =
-      enrollment_config_.is_forced()
-          ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
-          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
+      config_.is_forced() ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
+                          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
   ClearAuth(
       base::Bind(&EnrollmentScreen::Finish, base::Unretained(this), exit_code));
 }
@@ -252,7 +324,7 @@ void EnrollmentScreen::ShowEnrollmentStatusOnSuccess() {
 }
 
 void EnrollmentScreen::UMA(policy::MetricEnrollment sample) {
-  EnrollmentUMA(sample, enrollment_config_.mode);
+  EnrollmentUMA(sample, config_.mode);
 }
 
 void EnrollmentScreen::ShowSigninScreen() {
@@ -262,6 +334,7 @@ void EnrollmentScreen::ShowSigninScreen() {
 
 void EnrollmentScreen::OnAnyEnrollmentError() {
   enrollment_failed_once_ = true;
+  //  TODO(drcrash): Maybe create multiple metrics for attestation vs oauth?
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeFailure, elapsed_timer_);
 }