
Unified Diff: components/policy/core/common/cloud/cloud_policy_client.h

Issue 2261763002: Device enterprise registration with a certificate. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Do not call directly into Chrome OS. Add a field to SignedData to account for extra data like nonce… Created 4 years, 4 months ago
Index: components/policy/core/common/cloud/cloud_policy_client.h
diff --git a/components/policy/core/common/cloud/cloud_policy_client.h b/components/policy/core/common/cloud/cloud_policy_client.h
index 2fb9f4bdc5c24a312649adeb212d321c6e072943..4c0013203eac4a991349781570783c0b02599be4 100644
--- a/components/policy/core/common/cloud/cloud_policy_client.h
+++ b/components/policy/core/common/cloud/cloud_policy_client.h
@@ -24,6 +24,10 @@
#include "components/policy/policy_export.h"
#include "policy/proto/device_management_backend.pb.h"
+namespace cryptohome {
+class AsyncMethodCaller;
+}
+
namespace net {
class URLRequestContextGetter;
}
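Review bot: The forward declaration `class AsyncMethodCaller;` in namespace `cryptohome` is not referenced by any other hunk shown for this header, and the patch set description says the client no longer calls directly into Chrome OS. If so, it looks like a leftover from an earlier patch set, and dropping the added lines keeps this cross-platform header free of a Chrome OS-only name. If another part of the file does still use it, a short comment saying where would help.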
@@ -79,10 +83,29 @@ class POLICY_EXPORT CloudPolicyClient {
virtual void OnClientError(CloudPolicyClient* client) = 0;
};
+ // Data signing interface.
+ class POLICY_EXPORT SigningService {
+ public:
+ typedef base::Callback<void(bool success,
+ enterprise_management::SignedData signed_data)>
+ SigningCallback;
pastarmovj 2016/08/22 15:09:43 nit: please add a new line between the two.
The one and only Dr. Crash 2016/08/22 16:00:02 Done.
+ virtual void SignData(const std::string& data,
pastarmovj 2016/08/22 15:09:43 Please document this function so that whoever need
The one and only Dr. Crash 2016/08/22 16:00:02 Done.
+ SigningCallback callback) = 0;
+ };
+
// |provider| and |service| are weak pointers and it's the caller's
// responsibility to keep them valid for the lifetime of CloudPolicyClient.
// |verification_key_hash| contains an identifier telling the DMServer which
- // verification key to use.
+ // verification key to use. The |signing_service| is used to sign sensitive
+ // requests.
+ CloudPolicyClient(
pastarmovj 2016/08/22 15:09:43 Just thinking aloud here... could the signing serv
The one and only Dr. Crash 2016/08/22 16:00:01 I think the constructor patterns fits the code sty
+ const std::string& machine_id,
+ const std::string& machine_model,
+ const std::string& verification_key_hash,
+ DeviceManagementService* service,
+ scoped_refptr<net::URLRequestContextGetter> request_context,
+ SigningService* signing_service);
+ // Constructs a client without signing support.
CloudPolicyClient(
const std::string& machine_id,
const std::string& machine_model,
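Review bot: The constructor comment still names only |provider| and |service| as caller-owned, but the new `SigningService* signing_service` is also a raw pointer and `SignData` completes through a callback. A client destroyed while a signature is pending could therefore be called back after it is freed unless the callback is bound weakly; the .cc is not shown here, so this is a question rather than a finding. I would extend the comment to `// |service| and |signing_service| are not owned and must outlive this CloudPolicyClient.` and say "Not owned" on the `signing_service_` member added in the later hunk. `SigningService` is also a polymorphic interface with no destructor declared; `virtual ~SigningService() {}` makes deletion through the interface well defined. The second constructor's declaration continues past the end of this hunk.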
@@ -107,6 +130,17 @@ class POLICY_EXPORT CloudPolicyClient {
const std::string& requisition,
const std::string& current_state_key);
+ // Attempts to register with the device management service using a
+ // registration certificate. Results in a registration change or
+ // error notification.
+ virtual void RegisterWithCertificate(
+ enterprise_management::DeviceRegisterRequest::Type registration_type,
+ enterprise_management::DeviceRegisterRequest::Flavor flavor,
+ const std::string& pem_certificate_chain,
+ const std::string& client_id,
+ const std::string& requisition,
+ const std::string& current_state_key);
+
// Sets information about a policy invalidation. Subsequent fetch operations
// will use the given info, and callers can use fetched_invalidation_version
// to determine which version of policy was fetched.
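Review bot: The comment on `RegisterWithCertificate` does not say what happens when the client was built with the constructor that has no signing support, or when the signing service reports `success == false`. The signed payload is what backs a certificate-based registration, so the contract should state that the call fails closed in both cases. A possible wording is `// Requires a SigningService; if none was supplied or signing fails, no request is sent and OnClientError() is reported.`, assuming the implementation behaves that way, which this header does not show. The comment could also state the expected format of |pem_certificate_chain|.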
@@ -269,6 +303,10 @@ class POLICY_EXPORT CloudPolicyClient {
// Callback for retries of registration requests.
void OnRetryRegister(DeviceManagementRequestJob* job);
+ // Callback for siganture of requests.
+ void OnRegisterWithCertificateRequestSigned(bool success,
+ enterprise_management::SignedData signed_data);
+
// Callback for registration requests.
void OnRegisterCompleted(
DeviceManagementStatus status,
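Review bot: The comment added above `OnRegisterWithCertificateRequestSigned` has a typo ("siganture") and does not describe the `success` parameter. Suggested wording: `// Callback invoked once the certificate registration request has been signed; |success| is false if signing failed.` Taking `signed_data` by value matches the `SigningCallback` typedef, so that part can stay. The declaration of `OnRegisterCompleted` continues outside the hunk.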
@@ -376,6 +414,9 @@ class POLICY_EXPORT CloudPolicyClient {
// Used for issuing requests to the cloud.
DeviceManagementService* service_;
+ // Used for signing requests.
+ SigningService* signing_service_;
+
// Only one outstanding policy fetch is allowed, so this is tracked in
// its own member variable.
std::unique_ptr<DeviceManagementRequestJob> policy_fetch_request_job_;
@@ -392,6 +433,8 @@ class POLICY_EXPORT CloudPolicyClient {
scoped_refptr<net::URLRequestContextGetter> request_context_;
private:
+ void SetClientId(const std::string& client_id);
+
DISALLOW_COPY_AND_ASSIGN(CloudPolicyClient);
};
