Support for remote enrollment.

chrome/browser/chromeos/login/enrollment/enrollment_screen.cc

Index: chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
diff --git a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
index f68556c931ce96ae56f35803a2cd425ea3a54895..52ae93b5e35af95dd5521fd17769459abd00ed52 100644
--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
@@ -17,6 +17,7 @@
 #include "chrome/browser/chromeos/policy/auto_enrollment_client.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
+#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
@@ -57,9 +58,11 @@ EnrollmentScreen::~EnrollmentScreen() {}
 void EnrollmentScreen::SetParameters(
     EnrollmentScreenActor::EnrollmentMode enrollment_mode,
     const std::string& management_domain,
-    const std::string& user) {
+    const std::string& user,
+    const std::string& auth_token) {
   enrollment_mode_ = enrollment_mode;
   user_ = user.empty() ? user : gaia::CanonicalizeEmail(user);
+  auth_token_ = auth_token;
   actor_->SetParameters(this, enrollment_mode_, management_domain);
 }
 
@@ -73,9 +76,13 @@ void EnrollmentScreen::Show() {
     UMA(policy::kMetricEnrollmentAutoStarted);
     actor_->ShowEnrollmentSpinnerScreen();
     actor_->FetchOAuthToken();
-  } else {
+  } else if (auth_token_.empty()) {
     actor_->ResetAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
                                  weak_ptr_factory_.GetWeakPtr()));
+  } else {
+    actor_->Show();
+    actor_->ShowEnrollmentSpinnerScreen();
+    OnOAuthTokenAvailable(auth_token_);
   }
 }
 
@@ -136,7 +143,19 @@ void EnrollmentScreen::OnAuthError(
 
 void EnrollmentScreen::OnOAuthTokenAvailable(
     const std::string& token) {
-  RegisterForDevicePolicy(token);
+  VLOG(1) << "OnOAuthTokenAvailable " << token;
+  const bool is_shark =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+      GetDeviceCloudPolicyManager()->IsSharkRequisition();

[bartfab (slow), 2014/07/16 10:09:15]

Nit: IsSharkRequisition() should not be a part of the
DeviceCloudPolicyManagerChromeOS. It is used during enrollment only and should
be moved to a class that handles enrollment, e.g. EnrollmentHandlerChromeOS.

[achuithb, 2014/08/13 01:57:42]

I tried doing this here:
https://codereview.chromium.org/408013003/

It doesn't work because EnrollmentHandlerChromeOS is created too late for our
needs. I've taken over the bug and am happy to implement a solution that would
be satisfactory to the enterprise team.

[bartfab (slow), 2014/08/13 14:20:14]

Yes, we can discuss this further in crbug.com/383695. I am fine with
IsSharkRequisition() living alongside the existing IsRemoraRequisition() until
we figure out a better home for both.

[achuithb, 2014/08/13 23:48:39]

Acknowledged.

+
+  if (is_shark && auth_token_.empty()) {
+    // Fetch a second token for shark devices.
+    auth_token_ = token;

[bartfab (slow), 2014/07/16 10:09:15]

|auth_token_| plays a dual role that makes it difficult to follow the code:

* On a shark device, |auth_token_| is used as Boolean indicator that tells us
whether we are currently fetching the first or the second token. The shark
device must never read and process |auth_token_| itself because that token was
sent to another device and will be used by it.

* On a device that receives a token from a shark, |auth_token_| holds the token
that will actually be used during enrollment.

How about introducing a Boolean |sent_token_| that is used on shark only to keep
track of whether a token was retrieved and sent to another device already?

[achuithb, 2014/08/13 01:57:42]

What you say is true. However, in the current implementation of the test code,
we use an asynchronous call to base::WriteFile to write the auth_token to a
file, and that function very inconveniently does not allow us to use base::Owned
or any other mechanism to delete the auth_token storage after we're done writing
it. Two options here are to simply leak the string, or use PostTaskAndReply
instead.

I've added a comment and opened a bug to track this for now.

[bartfab (slow), 2014/08/13 14:20:14]

Just make a wrapper around base::WriteFile that takes a |const std::string&|
instead of a |const char*|. You can then change CL 395983002 to do:

namespace {

void WriteStringToFile(const FilePath& filename, const std::string& data) {
  base::WriteFile(filename, data.c_str(), data.size());
}

}

void EnrollmentScreen::SendEnrollmentAuthToken(const std::string& token) {
  content::BrowserThread::GetBlockingPool()->PostTask(
      FROM_HERE,
      base::Bind(&WriteStringToFile,
                 base::FilePath::FromUTF8Unsafe("/var/tmp/auth_token"),
                 token));
}

Et voilà, no more need to keep the |auth_token_| around on shark.

On 2014/08/13 01:57:42, achuithb wrote:

[achuithb, 2014/08/13 23:48:39]

Done.

+    actor_->FetchOAuthToken();
+    SendEnrollmentAuthToken(token);
+  } else {
+    RegisterForDevicePolicy(token);
+  }
 }
 
 void EnrollmentScreen::OnRetry() {
@@ -218,6 +237,9 @@ void EnrollmentScreen::RegisterForDevicePolicy(
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
+void EnrollmentScreen::SendEnrollmentAuthToken(const std::string& token) {
+}

[bartfab (slow), 2014/07/16 10:09:15]

Nit: Add a TODO that briefly explains what this method will do in the future.

[achuithb, 2014/08/13 01:57:42]

Done. I'd like to keep this brief since this isn't public yet.

+
 void EnrollmentScreen::ShowEnrollmentStatusOnSuccess(
     const policy::EnrollmentStatus& status) {
   actor_->ShowEnrollmentStatus(status);