Do not use unaffiliated users' connections for device policy pushing

chrome/browser/chromeos/policy/device_cloud_policy_invalidator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/device_cloud_policy_invalidator.h"
 
 #include <string>
 #include <vector>
 
 #include "base/logging.h"
 #include "base/message_loop/message_loop_proxy.h"
 #include "base/time/clock.h"
 #include "base/time/default_clock.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part_chromeos.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
 #include "chrome/browser/chromeos/policy/ticl_device_settings_provider.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/device_identity_provider.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/invalidation/profile_invalidation_provider_factory.h"
 #include "chrome/browser/policy/cloud/cloud_policy_invalidator.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/common/chrome_content_client.h"
 #include "components/invalidation/invalidation_handler.h"
 #include "components/invalidation/invalidation_service.h"
 #include "components/invalidation/invalidation_state_tracker.h"
 #include "components/invalidation/invalidator_state.h"
 #include "components/invalidation/invalidator_storage.h"
 #include "components/invalidation/profile_invalidation_provider.h"
 #include "components/invalidation/ticl_invalidation_service.h"
 #include "components/invalidation/ticl_settings_provider.h"
+#include "components/policy/core/common/cloud/cloud_policy_constants.h"
+#include "components/user_manager/user.h"
 #include "content/public/browser/notification_details.h"
 #include "content/public/browser/notification_service.h"
 #include "google_apis/gaia/identity_provider.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "policy/proto/device_management_backend.pb.h"
 
 class Profile;
 
 namespace policy {
 
@@ skipping 90 matching lines @@
 
 DeviceCloudPolicyInvalidator::~DeviceCloudPolicyInvalidator() {
   DestroyInvalidator();
 }
 
 void DeviceCloudPolicyInvalidator::Observe(
     int type,
     const content::NotificationSource& source,
     const content::NotificationDetails& details) {
   DCHECK_EQ(chrome::NOTIFICATION_LOGIN_USER_PROFILE_PREPARED, type);
+  Profile* profile = content::Details<Profile>(details).ptr();
   invalidation::ProfileInvalidationProvider* invalidation_provider =
-      invalidation::ProfileInvalidationProviderFactory::GetForProfile(
-          content::Details<Profile>(details).ptr());
+      invalidation::ProfileInvalidationProviderFactory::GetForProfile(profile);
   if (!invalidation_provider) {
     // If the Profile does not support invalidation (e.g. guest, incognito),
     // ignore it.
     return;
   }
-
+  user_manager::User* user =
+      chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
+  if (!user ||
+      g_browser_process->platform_part()->browser_policy_connector_chromeos()->
+          GetUserAffiliation(user->email()) != USER_AFFILIATION_MANAGED) {
+    // If the Profile belongs to a user who is not affiliated with the domain
+    // the device is enrolled into, ignore it.
+    return;
+  }
   // Create a state observer for the user's invalidation service.
   profile_invalidation_service_observers_.push_back(
       new InvalidationServiceObserver(
               this,
               invalidation_provider->GetInvalidationService()));
 
   TryToCreateInvalidator();
 }
 
 void DeviceCloudPolicyInvalidator::OnInvalidationServiceConnected(
@@ skipping 39 matching lines @@
 void DeviceCloudPolicyInvalidator::TryToCreateInvalidator() {
   if (invalidator_) {
     // If a |CloudPolicyInvalidator| exists already, return.
     return;
   }
 
   for (ScopedVector<InvalidationServiceObserver>::const_iterator it =
            profile_invalidation_service_observers_.begin();
            it != profile_invalidation_service_observers_.end(); ++it) {
     if ((*it)->IsServiceConnected()) {
-      // If a connected invalidation service belonging to a logged-in user is
-      // found, create a |CloudPolicyInvalidator| backed by that service and
-      // destroy the device-global service, if any.
+      // If a connected invalidation service belonging to an affiliated
+      // logged-in user is found, create a |CloudPolicyInvalidator| backed by
+      // that service and destroy the device-global service, if any.
       DestroyDeviceInvalidationService();
       CreateInvalidator((*it)->GetInvalidationService());
       return;
     }
   }
 
   if (!device_invalidation_service_) {
     // If no other connected invalidation service was found, ensure that a
     // device-global service is running.
     device_invalidation_service_.reset(
@@ skipping 47 matching lines @@
   invalidator_.reset();
   invalidation_service_ = NULL;
 }
 
 void DeviceCloudPolicyInvalidator::DestroyDeviceInvalidationService() {
   device_invalidation_service_observer_.reset();
   device_invalidation_service_.reset();
 }
 
 }  // namespace policy