Setup Chromad user policy plumbing

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h

Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h
index 6d17c8d3372977f2dede32b5dc7c95e1973b44aa..4b2dbfc74b4197ff7de9daa099903a6d7d05ea5a 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h
@@ -30,17 +30,21 @@ class SessionManagerClient;
 
 namespace policy {
 
-// Implements a cloud policy store backed by the Chrome OS' session_manager,
-// which takes care of persisting policy to disk and is accessed via DBus calls
+// Implements a policy store backed by the Chrome OS' session_manager, which
+// takes care of persisting policy to disk and is accessed via DBus calls
 // through SessionManagerClient.
 class UserCloudPolicyStoreChromeOS : public UserCloudPolicyStoreBase {

[emaxx, 2016/12/28 19:09:20]

nit: Is there a TODO somewhere to rename this class too? If not, then worth
adding.

[Thiemo Nagel, 2016/12/29 15:08:27]

Done.

  public:
+  // Policy validation is relaxed when |is_active_directory| is set, most
+  // notably signature validation is disabled.  It is essential that this flag
+  // is only set when install attributes are locked into Active Directory mode.
   UserCloudPolicyStoreChromeOS(
       chromeos::CryptohomeClient* cryptohome_client,
       chromeos::SessionManagerClient* session_manager_client,
       scoped_refptr<base::SequencedTaskRunner> background_task_runner,
       const AccountId& account_id,
-      const base::FilePath& user_policy_key_dir);
+      const base::FilePath& user_policy_key_dir,

[emaxx, 2016/12/28 19:09:20]

This argument is probably unused for the Active Directory case. Same is for a
bunch of private stuff related to the policy key.

I know it's not the best time currently to suggest a bigger refactoring (like
separating AD and non-AD cases into two different classes, with a separate one
containing the shared functionality).
But if you agree that this interface is more like a temporary solution, then at
least a TODO may be added for now.

[Thiemo Nagel, 2016/12/29 15:08:27]

I've added this thought to the TODO above.  (I haven't thought deeply about that
yet thus I'm not sure what would be the best approach.)

+      bool is_active_directory);
   ~UserCloudPolicyStoreChromeOS() override;
 
   // CloudPolicyStore:
@@ -100,6 +104,7 @@ class UserCloudPolicyStoreChromeOS : public UserCloudPolicyStoreBase {
   chromeos::SessionManagerClient* session_manager_client_;
   const AccountId account_id_;
   base::FilePath user_policy_key_dir_;
+  bool is_active_directory_;
 
   // The current key used to verify signatures of policy. This value is loaded
   // from the key cache file (which is owned and kept up to date by the Chrome