Abandon user sign in when policy is retrieved before session started

chrome/browser/chromeos/policy/device_local_account_policy_store.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/memory/ptr_util.h"
-#include "chromeos/dbus/session_manager_client.h"
 #include "components/ownership/owner_key_util.h"
 #include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/policy/core/common/external_data_fetcher.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/core/common/policy_types.h"
 #include "components/policy/proto/cloud_policy.pb.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 
 namespace em = enterprise_management;
 
@@ skipping 26 matching lines @@
   // on Chrome OS happens whenever the browser is restarted into the same
   // session, that is when the browser crashes, or right after signin if
   // the user has flags configured in about:flags.
   // However, on those paths we must load policy synchronously so that the
   // Profile initialization never sees unmanaged prefs, which would lead to
   // data loss. http://crbug.com/263061
 
   // Cancel all running async loads.
   weak_factory_.InvalidateWeakPtrs();
 
-  const std::string policy_blob =
+  std::string policy_blob;
+  chromeos::SessionManagerClient::RetrievePolicyResponseType response =
       session_manager_client_->BlockingRetrieveDeviceLocalAccountPolicy(
-          account_id_);
-  ValidateLoadedPolicyBlob(false /*validate_in_background*/, policy_blob);
+          account_id_, &policy_blob);
+  ValidateLoadedPolicyBlob(false /*validate_in_background*/, policy_blob,
+                           response);
 }
 
 void DeviceLocalAccountPolicyStore::Store(
     const em::PolicyFetchResponse& policy) {
   weak_factory_.InvalidateWeakPtrs();
   CheckKeyAndValidate(
       true, base::MakeUnique<em::PolicyFetchResponse>(policy),
       true /*validate_in_background*/,
       base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy,
                  weak_factory_.GetWeakPtr()));
 }
 
 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
     bool validate_in_background,
-    const std::string& policy_blob) {
-  if (policy_blob.empty()) {
+    const std::string& policy_blob,
+    chromeos::SessionManagerClient::RetrievePolicyResponseType response_type) {
+  if (response_type !=
+          chromeos::SessionManagerClient::RetrievePolicyResponseType::SUCCESS ||
+      policy_blob.empty()) {
     status_ = CloudPolicyStore::STATUS_LOAD_ERROR;
     NotifyStoreError();
   } else {
     std::unique_ptr<em::PolicyFetchResponse> policy(
         new em::PolicyFetchResponse());
     if (policy->ParseFromString(policy_blob)) {
       CheckKeyAndValidate(
           false, std::move(policy), validate_in_background,
           base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy,
                      weak_factory_.GetWeakPtr()));
@@ skipping 128 matching lines @@
     validator.release()->StartValidation(
         base::Bind(callback, key->as_string()));
   } else {
     validator->RunValidation();
 
     UpdatePolicy(key->as_string(), validator.get());
   }
 }
 
 }  // namespace policy