Chromad: Use DM server reply to determine enrollment type

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
+#include "chrome/browser/chromeos/policy/active_directory_join_delegate.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/dm_token_storage.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/common/channel_info.h"
 #include "chromeos/attestation/attestation_flow.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/auth_policy_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/upstart_client.h"
+#include "components/version_info/version_info.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/http/http_status_code.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
@@ skipping 33 matching lines @@
 
 }  // namespace
 
 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
     DeviceCloudPolicyStoreChromeOS* store,
     chromeos::InstallAttributes* install_attributes,
     ServerBackedStateKeysBroker* state_keys_broker,
     chromeos::attestation::AttestationFlow* attestation_flow,
     std::unique_ptr<CloudPolicyClient> client,
     scoped_refptr<base::SequencedTaskRunner> background_task_runner,
+    chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate,
     const EnrollmentConfig& enrollment_config,
     const std::string& auth_token,
     const std::string& client_id,
     const std::string& requisition,
     const EnrollmentCallback& completion_callback)
     : store_(store),
       install_attributes_(install_attributes),
       state_keys_broker_(state_keys_broker),
       attestation_flow_(attestation_flow),
       client_(std::move(client)),
       background_task_runner_(background_task_runner),
+      ad_join_delegate_(ad_join_delegate),
       enrollment_config_(enrollment_config),
       auth_token_(auth_token),
       client_id_(client_id),
       requisition_(requisition),
       completion_callback_(completion_callback),
-      device_mode_(DEVICE_MODE_NOT_SET),
-      skip_robot_auth_(false),
       enrollment_step_(STEP_PENDING),
-      lockbox_init_duration_(0),
       weak_ptr_factory_(this) {
   CHECK(!client_->is_registered());
   CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
   CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION ||
          enrollment_config_.mode ==
              EnrollmentConfig::MODE_ATTESTATION_FORCED) == auth_token_.empty());
   CHECK(enrollment_config_.auth_mechanism !=
             EnrollmentConfig::AUTH_MECHANISM_ATTESTATION ||
         attestation_flow_);
   store_->AddObserver(this);
@@ skipping 81 matching lines @@
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentHandlerChromeOS::OnRegistrationStateChanged(
     CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
   if (enrollment_step_ == STEP_REGISTRATION && client_->is_registered()) {
     SetStep(STEP_POLICY_FETCH);
     device_mode_ = client_->device_mode();
-    if (!((device_mode_ == DEVICE_MODE_ENTERPRISE &&
-           enrollment_config_.management_realm.empty()) ||
-          (device_mode_ == DEVICE_MODE_ENTERPRISE_AD &&
-           !enrollment_config_.management_realm.empty()))) {
-      LOG(ERROR) << "Bad device mode " << device_mode_;
+    if (device_mode_ == DEVICE_MODE_ENTERPRISE_AD) {

[Thiemo Nagel, 2017/02/14 14:45:00]

Nit: That section might be more readable if factored as:

if (device_mode_ == ENTERPRISE) {
  // do nothing
} else if (device_mode_ == ENTERPRISE_AD) {
  // do AD stuff
} else {
  // supplied device mode is not supported
}

Or maybe use a switch statement?

[Roman Sorokin (ftl), 2017/02/14 16:01:33]

Done.

+      if (chrome::GetChannel() == version_info::Channel::BETA ||
+          chrome::GetChannel() == version_info::Channel::STABLE) {
+        LOG(ERROR) << "Active Directory management is not enabled on the "
+                      "current channel";
+        ReportResult(EnrollmentStatus::ForStatus(
+            EnrollmentStatus::REGISTRATION_BAD_MODE));
+        return;
+      }
+      chromeos::DBusThreadManager::Get()
+          ->GetUpstartClient()
+          ->StartAuthPolicyService();
+    }
+    if (device_mode_ != DEVICE_MODE_ENTERPRISE &&
+        device_mode_ != DEVICE_MODE_ENTERPRISE_AD) {
+      LOG(ERROR) << "Supplied device mode is not supported:" << device_mode_;
       ReportResult(
           EnrollmentStatus::ForStatus(EnrollmentStatus::REGISTRATION_BAD_MODE));
       return;
     }
     client_->FetchPolicy();
   } else {
     LOG(FATAL) << "Registration state changed to " << client_->is_registered()
                << " in step " << enrollment_step_ << ".";
   }
 }
@@ skipping 97 matching lines @@
 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
     DeviceCloudPolicyValidator* validator) {
   DCHECK_EQ(STEP_VALIDATION, enrollment_step_);
   if (validator->success()) {
     std::string username = validator->policy_data()->username();
     device_id_ = validator->policy_data()->device_id();
     policy_ = std::move(validator->policy());
     if (device_mode_ == DEVICE_MODE_ENTERPRISE_AD) {
       // Don't use robot account for the Active Directory managed devices.
       skip_robot_auth_ = true;
-      SetStep(STEP_LOCK_DEVICE);
-      StartLockDevice();
+      SetStep(STEP_AD_DOMAIN_JOIN);
+      StartJoinAdDomain();
     } else {
       domain_ = gaia::ExtractDomainName(gaia::CanonicalizeEmail(username));
       SetStep(STEP_ROBOT_AUTH_FETCH);
       client_->FetchRobotAuthCodes(auth_token_);
     }
   } else {
     ReportResult(EnrollmentStatus::ForValidationError(validator->status()));
   }
 }
 
 void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
     CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
   CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
 
   if (client->robot_api_auth_code().empty()) {
     // If the server doesn't provide an auth code, skip the robot auth setup.
     // This allows clients running against the test server to transparently skip
     // robot auth.
     skip_robot_auth_ = true;
-    SetStep(STEP_LOCK_DEVICE);
-    StartLockDevice();
+    SetStep(STEP_AD_DOMAIN_JOIN);
+    StartJoinAdDomain();
     return;
   }
 
   SetStep(STEP_ROBOT_AUTH_REFRESH);
   gaia::OAuthClientInfo client_info;
   client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
   client_info.client_secret =
       GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
   client_info.redirect_uri = "oob";
 
   // Use the system request context to avoid sending user cookies.
   gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
       g_browser_process->system_request_context()));
   gaia_oauth_client_->GetTokensFromAuthCode(client_info,
                                             client->robot_api_auth_code(),
                                             0 /* max_retries */,
                                             this);
 }
 
 // GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
 void EnrollmentHandlerChromeOS::OnGetTokensResponse(
     const std::string& refresh_token,
     const std::string& access_token,
     int expires_in_seconds) {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
 
   robot_refresh_token_ = refresh_token;
 
-  SetStep(STEP_LOCK_DEVICE);
-  StartLockDevice();
+  SetStep(STEP_AD_DOMAIN_JOIN);
+  StartJoinAdDomain();
 }
 
 // GaiaOAuthClient::Delegate
 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
     const std::string& access_token,
     int expires_in_seconds) {
   // We never use the code that should trigger this callback.
   LOG(FATAL) << "Unexpected callback invoked.";
 }
 
 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
 void EnrollmentHandlerChromeOS::OnOAuthError() {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
   // OnOAuthError is only called if the request is bad (malformed) or the
   // response is bad (empty access token returned).
   LOG(ERROR) << "OAuth protocol error while fetching API refresh token.";
   ReportResult(
       EnrollmentStatus::ForRobotRefreshFetchError(net::HTTP_BAD_REQUEST));
 }
 
 // GaiaOAuthClient::Delegate network error when fetching refresh token.
 void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
   LOG(ERROR) << "Network error while fetching API refresh token: "
              << response_code;
   ReportResult(
       EnrollmentStatus::ForRobotRefreshFetchError(response_code));
 }
 
+void EnrollmentHandlerChromeOS::StartJoinAdDomain() {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) {
+    SetStep(STEP_LOCK_DEVICE);
+    StartLockDevice();
+    return;
+  }
+  ad_join_delegate_->JoinDomain(
+      base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined,
+                     weak_ptr_factory_.GetWeakPtr()));
+}
+
+void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  CHECK(!realm.empty());
+  realm_ = realm;
+  SetStep(STEP_LOCK_DEVICE);
+  StartLockDevice();
+}
+
 void EnrollmentHandlerChromeOS::StartLockDevice() {
   DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   // Since this method is also called directly.
   weak_ptr_factory_.InvalidateWeakPtrs();
 
   install_attributes_->LockDevice(
-      device_mode_, domain_, enrollment_config_.management_realm, device_id_,
+      device_mode_, domain_, realm_, device_id_,
       base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentHandlerChromeOS::HandleDMTokenStoreResult(bool success) {
   CHECK_EQ(STEP_STORE_TOKEN, enrollment_step_);
   if (!success) {
     ReportResult(
         EnrollmentStatus::ForStatus(EnrollmentStatus::DM_TOKEN_STORE_FAILED));
     return;
@@ skipping 134 matching lines @@
     callback.Run(status);
 }
 
 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) {
   DCHECK_LE(enrollment_step_, step);
   VLOG(1) << "Step: " << step;
   enrollment_step_ = step;
 }
 
 }  // namespace policy