Chromad: Use DM server reply to determine enrollment type

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

Index: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
diff --git a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
index 1596d0af84ed6709f839f94aac13d113b4330849..26717cbf223bd3901226276c40f858fdcbab8011 100644
--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
@@ -15,6 +15,7 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
+#include "chrome/browser/chromeos/policy/active_directory_join_delegate.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/dm_token_storage.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
@@ -24,10 +25,13 @@
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/common/channel_info.h"
 #include "chromeos/attestation/attestation_flow.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/auth_policy_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/upstart_client.h"
+#include "components/version_info/version_info.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/http/http_status_code.h"
@@ -81,6 +85,7 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
     chromeos::attestation::AttestationFlow* attestation_flow,
     std::unique_ptr<CloudPolicyClient> client,
     scoped_refptr<base::SequencedTaskRunner> background_task_runner,
+    chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate,
     const EnrollmentConfig& enrollment_config,
     const std::string& auth_token,
     const std::string& client_id,
@@ -92,15 +97,13 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
       attestation_flow_(attestation_flow),
       client_(std::move(client)),
       background_task_runner_(background_task_runner),
+      ad_join_delegate_(ad_join_delegate),
       enrollment_config_(enrollment_config),
       auth_token_(auth_token),
       client_id_(client_id),
       requisition_(requisition),
       completion_callback_(completion_callback),
-      device_mode_(DEVICE_MODE_NOT_SET),
-      skip_robot_auth_(false),
       enrollment_step_(STEP_PENDING),
-      lockbox_init_duration_(0),
       weak_ptr_factory_(this) {
   CHECK(!client_->is_registered());
   CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
@@ -202,14 +205,28 @@ void EnrollmentHandlerChromeOS::OnRegistrationStateChanged(
   if (enrollment_step_ == STEP_REGISTRATION && client_->is_registered()) {
     SetStep(STEP_POLICY_FETCH);

[Thiemo Nagel, 2017/02/14 16:43:06]

Nit: It would seem more readable to me to move SetStep() below, above
client_->FetchPolicy();

[Roman Sorokin (ftl), 2017/02/15 14:01:45]

Done.

     device_mode_ = client_->device_mode();
-    if (!((device_mode_ == DEVICE_MODE_ENTERPRISE &&
-           enrollment_config_.management_realm.empty()) ||
-          (device_mode_ == DEVICE_MODE_ENTERPRISE_AD &&
-           !enrollment_config_.management_realm.empty()))) {
-      LOG(ERROR) << "Bad device mode " << device_mode_;
-      ReportResult(
-          EnrollmentStatus::ForStatus(EnrollmentStatus::REGISTRATION_BAD_MODE));
-      return;
+    switch (device_mode_) {
+      case DEVICE_MODE_ENTERPRISE_AD:
+        if (chrome::GetChannel() == version_info::Channel::BETA ||
+            chrome::GetChannel() == version_info::Channel::STABLE) {
+          LOG(ERROR) << "Active Directory management is not enabled on the "
+                        "current channel";
+          ReportResult(EnrollmentStatus::ForStatus(
+              EnrollmentStatus::REGISTRATION_BAD_MODE));
+          return;
+        }
+        chromeos::DBusThreadManager::Get()
+            ->GetUpstartClient()
+            ->StartAuthPolicyService();
+        break;
+      case DEVICE_MODE_ENTERPRISE:
+        // Do nothing. Go to FetchPolicy.

[Thiemo Nagel, 2017/02/14 16:43:06]

Nit: I'd suggest to drop the "Go to FetchPolicy" part from the comment because
it could become out of date easily.  Also, I'd suggest to sort the cases by
their numeric value and thus have ENTERPRISE above ENTERPRISE_AD.

[Roman Sorokin (ftl), 2017/02/15 14:01:45]

Done.

+        break;
+      default:
+        LOG(ERROR) << "Supplied device mode is not supported:" << device_mode_;
+        ReportResult(EnrollmentStatus::ForStatus(
+            EnrollmentStatus::REGISTRATION_BAD_MODE));
+        return;
     }
     client_->FetchPolicy();
   } else {
@@ -324,8 +341,8 @@ void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
     if (device_mode_ == DEVICE_MODE_ENTERPRISE_AD) {
       // Don't use robot account for the Active Directory managed devices.
       skip_robot_auth_ = true;
-      SetStep(STEP_LOCK_DEVICE);
-      StartLockDevice();
+      SetStep(STEP_AD_DOMAIN_JOIN);
+      StartJoinAdDomain();
     } else {
       domain_ = gaia::ExtractDomainName(gaia::CanonicalizeEmail(username));
       SetStep(STEP_ROBOT_AUTH_FETCH);
@@ -346,8 +363,8 @@ void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
     // This allows clients running against the test server to transparently skip
     // robot auth.
     skip_robot_auth_ = true;
-    SetStep(STEP_LOCK_DEVICE);
-    StartLockDevice();
+    SetStep(STEP_AD_DOMAIN_JOIN);
+    StartJoinAdDomain();
     return;
   }
 
@@ -376,8 +393,8 @@ void EnrollmentHandlerChromeOS::OnGetTokensResponse(
 
   robot_refresh_token_ = refresh_token;
 
-  SetStep(STEP_LOCK_DEVICE);
-  StartLockDevice();
+  SetStep(STEP_AD_DOMAIN_JOIN);
+  StartJoinAdDomain();
 }
 
 // GaiaOAuthClient::Delegate
@@ -407,13 +424,33 @@ void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
       EnrollmentStatus::ForRobotRefreshFetchError(response_code));
 }
 
+void EnrollmentHandlerChromeOS::StartJoinAdDomain() {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) {
+    SetStep(STEP_LOCK_DEVICE);
+    StartLockDevice();
+    return;
+  }
+  ad_join_delegate_->JoinDomain(
+      base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined,
+                     weak_ptr_factory_.GetWeakPtr()));
+}
+
+void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) {
+  DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_);
+  CHECK(!realm.empty());
+  realm_ = realm;
+  SetStep(STEP_LOCK_DEVICE);
+  StartLockDevice();
+}
+
 void EnrollmentHandlerChromeOS::StartLockDevice() {
   DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   // Since this method is also called directly.
   weak_ptr_factory_.InvalidateWeakPtrs();
 
   install_attributes_->LockDevice(
-      device_mode_, domain_, enrollment_config_.management_realm, device_id_,
+      device_mode_, domain_, realm_, device_id_,
       base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
                  weak_ptr_factory_.GetWeakPtr()));
 }