Get enrollment token from DMServer when an Active Directory user uses ARC

chrome/browser/chromeos/arc/arc_auth_service.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/arc/arc_auth_service.h"
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "chrome/browser/chromeos/arc/arc_optin_uma.h"
 #include "chrome/browser/chromeos/arc/arc_session_manager.h"
-#include "chrome/browser/chromeos/arc/auth/arc_auth_code_fetcher.h"
+#include "chrome/browser/chromeos/arc/auth/arc_active_directory_enrollment_token_fetcher.h"
+#include "chrome/browser/chromeos/arc/auth/arc_auth_info_fetcher.h"
 #include "chrome/browser/chromeos/arc/auth/arc_background_auth_code_fetcher.h"
 #include "chrome/browser/chromeos/arc/auth/arc_manual_auth_code_fetcher.h"
 #include "chrome/browser/chromeos/arc/auth/arc_robot_auth_code_fetcher.h"
 #include "chrome/browser/chromeos/arc/policy/arc_policy_util.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/lifetime/application_lifetime.h"
 #include "chromeos/chromeos_switches.h"
 #include "components/arc/arc_bridge_service.h"
 #include "components/arc/arc_features.h"
 #include "components/arc/arc_util.h"
+#include "components/user_manager/user_manager.h"
 #include "content/public/browser/browser_thread.h"
 
 namespace arc {
 namespace {
 
 ArcAuthService* g_arc_auth_service = nullptr;
 
 // Convers mojom::ArcSignInFailureReason into ProvisiningResult.
 ProvisioningResult ConvertArcSignInFailureReasonToProvisioningResult(
     mojom::ArcSignInFailureReason reason) {
@@ skipping 45 matching lines @@
   explicit AccountInfoNotifier(
       const GetAuthCodeAndAccountTypeDeprecatedCallback& auth_account_callback)
       : callback_type_(CallbackType::AUTH_CODE_AND_ACCOUNT),
         auth_account_callback_(auth_account_callback) {}
 
   explicit AccountInfoNotifier(const AccountInfoCallback& account_info_callback)
       : callback_type_(CallbackType::ACCOUNT_INFO),
         account_info_callback_(account_info_callback) {}
 
   void Notify(bool is_enforced,
-              const std::string& auth_code,
+              const std::string& auth_info,
               mojom::ChromeAccountType account_type,
               bool is_managed) {
     switch (callback_type_) {
       case CallbackType::AUTH_CODE:
         DCHECK(!auth_callback_.is_null());
-        auth_callback_.Run(auth_code, is_enforced);
+        auth_callback_.Run(auth_info, is_enforced);
         break;
       case CallbackType::AUTH_CODE_AND_ACCOUNT:
         DCHECK(!auth_account_callback_.is_null());
-        auth_account_callback_.Run(auth_code, is_enforced, account_type);
+        auth_account_callback_.Run(auth_info, is_enforced, account_type);
         break;
       case CallbackType::ACCOUNT_INFO:
         DCHECK(!account_info_callback_.is_null());
         mojom::AccountInfoPtr account_info = mojom::AccountInfo::New();
-        if (!is_enforced) {
-          account_info->auth_code = base::nullopt;
+        if (account_type ==
+            mojom::ChromeAccountType::ACTIVE_DIRECTORY_ACCOUNT) {
+          account_info->enrollment_token = auth_info;

[Luis Héctor Chávez, 2017/02/03 16:16:50]

be aware that not setting account_info->auth_code always triggers a "GMS Sign-In
Internal Error" in Android.

How do you plan to work around this? (Keep in mind that .mojom changes must land
in Chrome first to avoid version races)

[Marton Hunyady, 2017/02/03 18:11:11]

Until we make it possible in DMServer to get enrollment tokens (by returning an
enrollment token instead of an HTTP error) the enrollment flow won't work, so I
think it's fine to show an error on the Android side in this case. (Also,
according to my tests, the user is still able to log in and use the Play Store
in this case with a regular GAIA account.) The admin has to explicitly enable
ARC in ActiveDirectory to make the Play Store appear and be able to start this
flow, so it's not likely users will see this error).

         } else {
-          account_info->auth_code = auth_code;
+          if (!is_enforced)
+            account_info->auth_code = base::nullopt;
+          else
+            account_info->auth_code = auth_info;
         }
         account_info->account_type = account_type;
         account_info->is_managed = is_managed;
         account_info_callback_.Run(std::move(account_info));
         break;
     }
   }
 
  private:
   enum class CallbackType { AUTH_CODE, AUTH_CODE_AND_ACCOUNT, ACCOUNT_INFO };
@@ skipping 98 matching lines @@
   if (IsArcOptInVerificationDisabled()) {
     notifier->Notify(
         false /* = is_enforced */, std::string(), GetAccountType(),
         policy_util::IsAccountManaged(ArcSessionManager::Get()->profile()));
     return;
   }
 
   // Hereafter asynchronous operation. Remember the notifier.
   notifier_ = std::move(notifier);
 
+  Profile* profile = ArcSessionManager::Get()->profile();
+  const user_manager::User* user = nullptr;
+  if (profile)
+    user = chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
+  if (user && user->IsActiveDirectoryUser()) {
+    // For Active Directory enrolled devices, we get an enrollment token for a
+    // managed Google Play account from DMServer.
+    fetcher_ = base::MakeUnique<ArcActiveDirectoryEnrollmentTokenFetcher>();
+    fetcher_->Fetch(base::Bind(&ArcAuthService::OnEnrollmentTokenFetched,
+                               weak_ptr_factory_.GetWeakPtr()));
+    return;
+  }
+  // For non-AD enrolled devices an auth code is fetched.
   if (IsArcKioskMode()) {
     // In Kiosk mode, use Robot auth code fetching.
     fetcher_ = base::MakeUnique<ArcRobotAuthCodeFetcher>();
   } else if (base::FeatureList::IsEnabled(arc::kArcUseAuthEndpointFeature)) {
     // Optionally retrieve auth code in silent mode.
+    DCHECK(profile);
     fetcher_ = base::MakeUnique<ArcBackgroundAuthCodeFetcher>(
-        ArcSessionManager::Get()->profile(),
-        ArcSessionManager::Get()->auth_context());
+        profile, ArcSessionManager::Get()->auth_context());
   } else {
     // Report that silent auth code is not activated. All other states are
     // reported in ArcBackgroundAuthCodeFetcher.
     UpdateSilentAuthCodeUMA(OptInSilentAuthCode::DISABLED);
     // Otherwise, show LSO page and let user click "Sign in" button.
     // Here, support_host should be available always. The case support_host is
     // not created is when 1) IsArcOptInVerificationDisabled() is true or 2)
     // IsArcKioskMode() is true. Both cases are handled above.
     fetcher_ = base::MakeUnique<ArcManualAuthCodeFetcher>(
         ArcSessionManager::Get()->auth_context(),
@@ skipping 12 matching lines @@
         ProvisioningResult::CHROME_SERVER_COMMUNICATION_ERROR);
     return;
   }
 
   notifier_->Notify(
       !IsArcOptInVerificationDisabled(), auth_code, GetAccountType(),
       policy_util::IsAccountManaged(ArcSessionManager::Get()->profile()));
   notifier_.reset();
 }
 
+void ArcAuthService::OnEnrollmentTokenFetched(

[Luis Héctor Chávez, 2017/02/03 16:16:50]

nit: can this be before OnAuthCodeFetched so it better matches the order in
which they are mentioned in ArcAuthService::RequestAccountInfoInternal? Same in
the .h

[Marton Hunyady, 2017/02/03 18:11:11]

Done.

+    const std::string& enrollment_token) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  fetcher_.reset();
+
+  if (enrollment_token.empty()) {
+    ArcSessionManager::Get()->OnProvisioningFinished(
+        ProvisioningResult::CHROME_SERVER_COMMUNICATION_ERROR);
+    return;
+  }
+
+  notifier_->Notify(true, enrollment_token,

[Luis Héctor Chávez, 2017/02/03 16:16:50]

nit: use named constants (e.g. constexpr bool kIsEnforced = true) or add a
comment with the name of the param after the param (e.g. true /*is_enforced*/)

[Marton Hunyady, 2017/02/03 18:11:11]

Done.

+                    mojom::ChromeAccountType::ACTIVE_DIRECTORY_ACCOUNT, true);
+  notifier_.reset();
+}
+
 }  // namespace arc