Chromad: Use DM server reply to determine enrollment type

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
+#include "chrome/browser/chromeos/login/enrollment/enrollment_screen_actor.h"
+#include "chrome/browser/chromeos/login/ui/login_display_host.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/dm_token_storage.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/webui/chromeos/login/oobe_ui.h"
+#include "chrome/common/channel_info.h"
 #include "chromeos/attestation/attestation_flow.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/auth_policy_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/upstart_client.h"
+#include "components/version_info/version_info.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/http/http_status_code.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
@@ skipping 154 matching lines @@
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentHandlerChromeOS::OnRegistrationStateChanged(
     CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
   if (enrollment_step_ == STEP_REGISTRATION && client_->is_registered()) {
     SetStep(STEP_POLICY_FETCH);
     device_mode_ = client_->device_mode();
-    if (!((device_mode_ == DEVICE_MODE_ENTERPRISE &&
-           enrollment_config_.management_realm.empty()) ||
-          (device_mode_ == DEVICE_MODE_ENTERPRISE_AD &&
-           !enrollment_config_.management_realm.empty()))) {
+    if (device_mode_ == DEVICE_MODE_ENTERPRISE_AD) {
+      if (chrome::GetChannel() == version_info::Channel::BETA ||
+          chrome::GetChannel() == version_info::Channel::STABLE) {
+        LOG(ERROR) << "Bad device mode " << device_mode_;

[achuithb, 2017/02/07 20:27:16]

This error message is unclear. This device mode should not be seen in beta and
stable channel, right?

[Roman Sorokin (ftl), 2017/02/10 14:57:10]

Done.

+        ReportResult(EnrollmentStatus::ForStatus(
+            EnrollmentStatus::REGISTRATION_BAD_MODE));
+        return;
+      }
+      chromeos::DBusThreadManager::Get()
+          ->GetUpstartClient()
+          ->StartAuthPolicyService();
+    }
+    if (device_mode_ != DEVICE_MODE_ENTERPRISE &&
+        device_mode_ != DEVICE_MODE_ENTERPRISE_AD) {
       LOG(ERROR) << "Bad device mode " << device_mode_;

[achuithb, 2017/02/07 20:27:16]

Make this more explicit/clear too.

[Roman Sorokin (ftl), 2017/02/10 14:57:10]

Done.

       ReportResult(
           EnrollmentStatus::ForStatus(EnrollmentStatus::REGISTRATION_BAD_MODE));
       return;
     }
     client_->FetchPolicy();
   } else {
     LOG(FATAL) << "Registration state changed to " << client_->is_registered()
                << " in step " << enrollment_step_ << ".";
   }
 }
@@ skipping 97 matching lines @@
 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
     DeviceCloudPolicyValidator* validator) {
   DCHECK_EQ(STEP_VALIDATION, enrollment_step_);
   if (validator->success()) {
     std::string username = validator->policy_data()->username();
     device_id_ = validator->policy_data()->device_id();
     policy_ = std::move(validator->policy());
     if (device_mode_ == DEVICE_MODE_ENTERPRISE_AD) {
       // Don't use robot account for the Active Directory managed devices.
       skip_robot_auth_ = true;
-      SetStep(STEP_LOCK_DEVICE);
-      StartLockDevice();
+      SetStep(STEP_AD_DOMAIN_JOIN);
+      StartJoinAdDomain();
     } else {
       domain_ = gaia::ExtractDomainName(gaia::CanonicalizeEmail(username));
       SetStep(STEP_ROBOT_AUTH_FETCH);
       client_->FetchRobotAuthCodes(auth_token_);
     }
   } else {
     ReportResult(EnrollmentStatus::ForValidationError(validator->status()));
   }
 }
 
 void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
     CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
   CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
 
   if (client->robot_api_auth_code().empty()) {
     // If the server doesn't provide an auth code, skip the robot auth setup.
     // This allows clients running against the test server to transparently skip
     // robot auth.
     skip_robot_auth_ = true;
-    SetStep(STEP_LOCK_DEVICE);
-    StartLockDevice();
+    SetStep(STEP_AD_DOMAIN_JOIN);
+    StartJoinAdDomain();
     return;
   }
 
   SetStep(STEP_ROBOT_AUTH_REFRESH);
   gaia::OAuthClientInfo client_info;
   client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
   client_info.client_secret =
       GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
   client_info.redirect_uri = "oob";
 
   // Use the system request context to avoid sending user cookies.
   gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
       g_browser_process->system_request_context()));
   gaia_oauth_client_->GetTokensFromAuthCode(client_info,
                                             client->robot_api_auth_code(),
                                             0 /* max_retries */,
                                             this);
 }
 
 // GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
 void EnrollmentHandlerChromeOS::OnGetTokensResponse(
     const std::string& refresh_token,
     const std::string& access_token,
     int expires_in_seconds) {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
 
   robot_refresh_token_ = refresh_token;
 
-  SetStep(STEP_LOCK_DEVICE);
-  StartLockDevice();
+  SetStep(STEP_AD_DOMAIN_JOIN);
+  StartJoinAdDomain();
 }
 
 // GaiaOAuthClient::Delegate
 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
     const std::string& access_token,
     int expires_in_seconds) {
   // We never use the code that should trigger this callback.
   LOG(FATAL) << "Unexpected callback invoked.";
 }
 
 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
 void EnrollmentHandlerChromeOS::OnOAuthError() {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
   // OnOAuthError is only called if the request is bad (malformed) or the
   // response is bad (empty access token returned).
   LOG(ERROR) << "OAuth protocol error while fetching API refresh token.";
   ReportResult(
       EnrollmentStatus::ForRobotRefreshFetchError(net::HTTP_BAD_REQUEST));
 }
 
 // GaiaOAuthClient::Delegate network error when fetching refresh token.
 void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
   LOG(ERROR) << "Network error while fetching API refresh token: "
              << response_code;
   ReportResult(
       EnrollmentStatus::ForRobotRefreshFetchError(response_code));
 }
 
+void EnrollmentHandlerChromeOS::StartJoinAdDomain() {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) {
+    SetStep(STEP_LOCK_DEVICE);
+    StartLockDevice();
+    return;
+  }
+  chromeos::LoginDisplayHost::default_host()
+      ->GetOobeUI()
+      ->GetEnrollmentScreenActor()

[Roman Sorokin (ftl), 2017/02/03 15:02:43]

Not sure if it's a good way to start showing AD ui.

[achuithb, 2017/02/07 20:27:16]

Pretty sure it's not.

[Roman Sorokin (ftl), 2017/02/07 21:41:05]

You got any idea of a proper way to do that? Should we pass the screen actor
inside enrollmenthandler somehow?

[achuithb, 2017/02/07 21:50:50]

Off the top of my head, I don't; I'd have to research this. Could you look
through the code base for perhaps another example of how this is done?

[Roman Sorokin (ftl), 2017/02/10 14:57:10]

Created ActiveDirectoryJoinDelegate

[achuithb, 2017/02/13 13:39:02]

Acknowledged.

+      ->ShowAdJoin(base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined,
+                                  weak_ptr_factory_.GetWeakPtr()));
+}
+
+void EnrollmentHandlerChromeOS::OnAdDomainJoined(std::string realm) {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  CHECK(!realm.empty());
+  realm_ = std::move(realm);

[achuithb, 2017/02/07 20:27:16]

Why not realm_ = realm;

[Roman Sorokin (ftl), 2017/02/10 14:57:10]

Done.

+  SetStep(STEP_LOCK_DEVICE);
+  StartLockDevice();
+}
+
 void EnrollmentHandlerChromeOS::StartLockDevice() {
   DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   // Since this method is also called directly.
   weak_ptr_factory_.InvalidateWeakPtrs();
 
   install_attributes_->LockDevice(
-      device_mode_, domain_, enrollment_config_.management_realm, device_id_,
+      device_mode_, domain_, realm_, device_id_,
       base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentHandlerChromeOS::HandleDMTokenStoreResult(bool success) {
   CHECK_EQ(STEP_STORE_TOKEN, enrollment_step_);
   if (!success) {
     ReportResult(
         EnrollmentStatus::ForStatus(EnrollmentStatus::DM_TOKEN_STORE_FAILED));
     return;
@@ skipping 134 matching lines @@
     callback.Run(status);
 }
 
 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) {
   DCHECK_LE(enrollment_step_, step);
   VLOG(1) << "Step: " << step;
   enrollment_step_ = step;
 }
 
 }  // namespace policy