Make the policy fetch for first time login blocking

chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
@@ skipping 120 matching lines @@
   // USER_TYPE_RETAIL_MODE, USER_TYPE_KIOSK_APP, USER_TYPE_GUEST and
   // USER_TYPE_LOCALLY_MANAGED are not signed in and can't authenticate the
   // policy registration.
   // USER_TYPE_PUBLIC_ACCOUNT gets its policy from the
   // DeviceLocalAccountPolicyService.
   const std::string& username = user->email();
   if (user->GetType() != user_manager::USER_TYPE_REGULAR ||
       BrowserPolicyConnector::IsNonEnterpriseUser(username)) {
     return scoped_ptr<UserCloudPolicyManagerChromeOS>();
   }
+  // If the user is known to be a non enterprise user, we don't reach this code.
+  DCHECK(!BrowserPolicyConnector::IsNonEnterpriseUser(username));

[bartfab (slow), 2014/07/07 17:40:13]

Nit: #include "components/policy/core/browser/browser_policy_connector.h"

 
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   UserAffiliation affiliation = connector->GetUserAffiliation(username);
-  const bool is_managed_user = affiliation == USER_AFFILIATION_MANAGED;
   const bool is_browser_restart =
       command_line->HasSwitch(chromeos::switches::kLoginUser);
-  const bool wait_for_initial_policy = is_managed_user && !is_browser_restart;
+  const bool wait_for_initial_policy = !is_browser_restart;

[bartfab (slow), 2014/07/07 17:40:13]

This changes the logic more than you intended - it makes the policy fetch
blocking even for subsequent logins of non-affiliated users.

+
+  base::TimeDelta initial_policy_fetch_timeout =

[bartfab (slow), 2014/07/07 17:40:13]

Nit 1: const.
Nit 2: s/initial_policy_fetch_timeout/policy_fetch_timeout/

+      chromeos::UserManager::Get()->IsCurrentUserNew()

[bartfab (slow), 2014/07/07 17:40:13]

1: Nit: #include "chrome/browser/chromeos/login/users/user_manager.h"
2: The resulting code would still allow an enterprise user to evade policy:

* Enterprise user starts first login.
* After authenticating against GAIA, user immediately yanks the network cable.
* User reboots device.
* User logs in as existing user.

At this point, the |kInitialPolicyFetchTimeoutSeconds| timeout is in force and
the user can skip the policy fetch by keeping the network cable disconnected
until the timeout hits.

+          ? base::TimeDelta::Max()
+          : base::TimeDelta::FromSeconds(kInitialPolicyFetchTimeoutSeconds);
 
   DeviceManagementService* device_management_service =
       connector->device_management_service();
   if (wait_for_initial_policy)
     device_management_service->ScheduleInitialization(0);
 
   base::FilePath profile_dir = profile->GetPath();
   const base::FilePath legacy_dir = profile_dir.Append(kDeviceManagementDir);
   const base::FilePath policy_cache_file = legacy_dir.Append(kPolicy);
   const base::FilePath token_cache_file = legacy_dir.Append(kToken);
@@ skipping 29 matching lines @@
   scoped_refptr<base::SequencedTaskRunner> file_task_runner =
       content::BrowserThread::GetMessageLoopProxyForThread(
           content::BrowserThread::FILE);
 
   scoped_ptr<UserCloudPolicyManagerChromeOS> manager(
       new UserCloudPolicyManagerChromeOS(
           store.PassAs<CloudPolicyStore>(),
           external_data_manager.Pass(),
           component_policy_cache_dir,
           wait_for_initial_policy,
-          base::TimeDelta::FromSeconds(kInitialPolicyFetchTimeoutSeconds),
+          initial_policy_fetch_timeout,
           base::MessageLoopProxy::current(),
           file_task_runner,
           io_task_runner));
 
   bool wildcard_match = false;
   if (connector->IsEnterpriseManaged() &&
       chromeos::LoginUtils::IsWhitelisted(username, &wildcard_match) &&
       wildcard_match &&
       !connector->IsNonEnterpriseUser(username)) {
     manager->EnableWildcardLoginCheck(username);
@@ skipping 33 matching lines @@
 
 bool UserCloudPolicyManagerFactoryChromeOS::HasTestingFactory(
     content::BrowserContext* context) {
   return false;
 }
 
 void UserCloudPolicyManagerFactoryChromeOS::CreateServiceNow(
     content::BrowserContext* context) {}
 
 }  // namespace policy