Minimal attestation-based enrollment flow.

chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc

Index: chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
diff --git a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
index baec231eacd00abba756fe05d085c03b2f312396..bfd4aaed820580eb65dac33d603ee12e6ccb5677 100644
--- a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
+++ b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
@@ -72,8 +72,8 @@ EnterpriseEnrollmentHelperImpl::EnterpriseEnrollmentHelperImpl(
     : EnterpriseEnrollmentHelper(status_consumer),
       enrollment_config_(enrollment_config),
       enrolling_user_domain_(enrolling_user_domain),
-      started_(false),
-      finished_(false),
+      started_oauth_(false),
+      finished_oauth_(false),
       success_(false),
       auth_data_cleared_(false),
       weak_ptr_factory_(this) {
@@ -84,15 +84,15 @@ EnterpriseEnrollmentHelperImpl::EnterpriseEnrollmentHelperImpl(
 }
 
 EnterpriseEnrollmentHelperImpl::~EnterpriseEnrollmentHelperImpl() {
-  DCHECK(g_browser_process->IsShuttingDown() || !started_ ||
-         (finished_ && (success_ || auth_data_cleared_)));
+  DCHECK(g_browser_process->IsShuttingDown() || !started_oauth_ ||
+         (finished_oauth_ && (success_ || auth_data_cleared_)));
 }
 
 void EnterpriseEnrollmentHelperImpl::EnrollUsingAuthCode(
     const std::string& auth_code,
     bool fetch_additional_token) {
-  DCHECK(!started_);
-  started_ = true;
+  DCHECK(!started_oauth_);
+  started_oauth_ = true;
   oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance());
   oauth_fetcher_->StartWithAuthCode(
       auth_code, g_browser_process->system_request_context(),
@@ -103,28 +103,38 @@ void EnterpriseEnrollmentHelperImpl::EnrollUsingAuthCode(
 
 void EnterpriseEnrollmentHelperImpl::EnrollUsingToken(
     const std::string& token) {
-  DCHECK(!started_);
-  started_ = true;
-  DoEnrollUsingToken(token);
+  DCHECK(!started_oauth_);
+  started_oauth_ = true;
+  DoEnroll(token);
+}
+
+void EnterpriseEnrollmentHelperImpl::EnrollUsingAttestation() {
+  DCHECK(enrollment_config_.mode ==

[pastarmovj, 2016/08/19 10:29:18]

I wonder if this should not even be a CHECK. Could a bug cause this function to
be called with the wrong mode and cause the wrong type of enrollment? I am not
sure how much of an issue this really is but better safe then sorry :)

[The one and only Dr. Crash, 2016/08/19 17:49:29]

Sounds reasonable.

+             policy::EnrollmentConfig::MODE_ATTESTATION ||
+         enrollment_config_.mode ==
+             policy::EnrollmentConfig::MODE_ATTESTATION_FORCED);
+  DoEnroll("");
 }
 
 void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) {
-  // Do not revoke the additional token if enrollment has finished
-  // successfully.
-  if (!success_ && additional_token_.length())
-    (new TokenRevoker())->Start(additional_token_);
-
-  if (oauth_fetcher_) {
-    if (!oauth_fetcher_->OAuth2AccessToken().empty())
-      (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken());
-
-    if (!oauth_fetcher_->OAuth2RefreshToken().empty())
-      (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken());
-
-    oauth_fetcher_.reset();
-  } else if (oauth_token_.length()) {
-    // EnrollUsingToken was called.
-    (new TokenRevoker())->Start(oauth_token_);
+  if (started_oauth_) {
+    // Do not revoke the additional token if enrollment has finished
+    // successfully.
+    if (!success_ && additional_token_.length())
+      (new TokenRevoker())->Start(additional_token_);
+
+    if (oauth_fetcher_) {
+      if (!oauth_fetcher_->OAuth2AccessToken().empty())
+        (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken());
+
+      if (!oauth_fetcher_->OAuth2RefreshToken().empty())
+        (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken());
+
+      oauth_fetcher_.reset();
+    } else if (oauth_token_.length()) {
+      // EnrollUsingToken was called.
+      (new TokenRevoker())->Start(oauth_token_);
+    }
   }
 
   chromeos::ProfileHelper::Get()->ClearSigninProfile(
@@ -132,8 +142,7 @@ void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) {
                  weak_ptr_factory_.GetWeakPtr(), callback));
 }
 
-void EnterpriseEnrollmentHelperImpl::DoEnrollUsingToken(
-    const std::string& token) {
+void EnterpriseEnrollmentHelperImpl::DoEnroll(const std::string& token) {
   DCHECK(token == oauth_token_ || oauth_token_.empty());
   oauth_token_ = token;
   policy::BrowserPolicyConnectorChromeOS* connector =
@@ -143,7 +152,7 @@ void EnterpriseEnrollmentHelperImpl::DoEnrollUsingToken(
     LOG(ERROR) << "Trying to re-enroll to a different domain than "
                << connector->GetEnterpriseDomain();
     UMA(policy::kMetricEnrollmentPrecheckDomainMismatch);
-    finished_ = true;
+    finished_oauth_ = true;
     status_consumer()->OnOtherError(OTHER_ERROR_DOMAIN_MISMATCH);
     return;
   }
@@ -200,13 +209,13 @@ void EnterpriseEnrollmentHelperImpl::OnTokenFetched(
     const GoogleServiceAuthError& error) {
   if (error.state() != GoogleServiceAuthError::NONE) {
     ReportAuthStatus(error);
-    finished_ = true;
+    finished_oauth_ = true;
     status_consumer()->OnAuthError(error);
     return;
   }
 
   if (!is_additional_token) {
-    DoEnrollUsingToken(token);
+    EnrollUsingToken(token);
     return;
   }
 
@@ -225,7 +234,9 @@ void EnterpriseEnrollmentHelperImpl::OnEnrollmentFinished(
   // TODO(pbond): remove this LOG once http://crbug.com/586961 is fixed.
   LOG(WARNING) << "Enrollment finished";
   ReportEnrollmentStatus(status);
-  finished_ = true;
+  if (started_oauth_) {
+    finished_oauth_ = true;
+  }
   if (status.status() == policy::EnrollmentStatus::STATUS_SUCCESS) {
     success_ = true;
     StartupUtils::MarkOobeCompleted();