Public Sessions: fetch device robot api token during enterprise enrollment.

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/policy/cloud/cloud_policy_constants.h"
 #include "chrome/browser/policy/proto/chromeos/chrome_device_policy.pb.h"
 #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
+#include "google_apis/gaia/gaia_urls.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
 // Retry for InstallAttrs initialization every 500ms.
 const int kLockRetryIntervalMs = 500;
 // Maximum time to retry InstallAttrs initialization before we give up.
@@ skipping 98 matching lines @@
     client_->FetchPolicy();
   } else {
     LOG(FATAL) << "Registration state changed to " << client_->is_registered()
                << " in step " << enrollment_step_;
   }
 }
 
 void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
-  if (enrollment_step_ < STEP_POLICY_FETCH)
+  if (enrollment_step_ == STEP_ROBOT_AUTH_FETCH) {
+    LOG(WARNING) << "API authentication code fetch failed: "
+                 << client_->status();
+    // Robot auth tokens are currently optional.  Skip fetching the refresh
+    // token and jump directly to the lock device step.
+    robot_refresh_token_.clear();
+    DoLockDeviceStep();
+  } else if (enrollment_step_ < STEP_POLICY_FETCH) {
     ReportResult(EnrollmentStatus::ForRegistrationError(client_->status()));
-  else
+  } else {
     ReportResult(EnrollmentStatus::ForFetchError(client_->status()));
+  }
 }
 
 void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
 
   if (enrollment_step_ == STEP_LOADING_STORE) {
+    // If the |store_| wasn't initialized when StartEnrollment() was
+    // called, then AttemptRegistration() bails silently.  This gets
+    // registration rolling again after the store finishes loading.
     AttemptRegistration();
   } else if (enrollment_step_ == STEP_STORE_POLICY) {
+    // Store the robot API auth refresh token.
+    // Currently optional, so always return success.
+    chromeos::DeviceOAuth2TokenService* token_service =
+        chromeos::DeviceOAuth2TokenServiceFactory::Get();
+    if (token_service && !robot_refresh_token_.empty()) {
+      token_service->SetAndSaveRefreshToken(robot_refresh_token_);
+
+    }
     ReportResult(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS));
   }
 }
 
 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
   ReportResult(EnrollmentStatus::ForStoreError(store_->status(),
                                                store_->validation_status()));
 }
 
 void EnrollmentHandlerChromeOS::AttemptRegistration() {
   CHECK_EQ(STEP_LOADING_STORE, enrollment_step_);
   if (store_->is_initialized()) {
     enrollment_step_ = STEP_REGISTRATION;
     client_->Register(em::DeviceRegisterRequest::DEVICE,
                       auth_token_, client_id_, is_auto_enrollment_);
   }
 }
 
 void EnrollmentHandlerChromeOS::PolicyValidated(
     DeviceCloudPolicyValidator* validator) {
   CHECK_EQ(STEP_VALIDATION, enrollment_step_);
   if (validator->success()) {
     policy_ = validator->policy().Pass();
-    enrollment_step_ = STEP_LOCK_DEVICE;
-    WriteInstallAttributes(validator->policy_data()->username(), device_mode_,
-                           validator->policy_data()->device_id());
+    username_ = validator->policy_data()->username();
+    device_id_ = validator->policy_data()->device_id();
+
+    enrollment_step_ = STEP_ROBOT_AUTH_FETCH;
+    client_->FetchRobotAuthCodes(auth_token_);
   } else {
     ReportResult(EnrollmentStatus::ForValidationError(validator->status()));
   }
 }
 
-void EnrollmentHandlerChromeOS::WriteInstallAttributes(
+void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
+    CloudPolicyClient* client) {
+  DCHECK_EQ(client_.get(), client);
+  CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
+
+  enrollment_step_ = STEP_ROBOT_AUTH_REFRESH;
+
+  gaia::OAuthClientInfo client_info;
+  client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+  client_info.client_secret =
+      GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
+
+  // Use the system request context to avoid sending user cookies.
+  gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
+      GaiaUrls::GetInstance()->oauth2_token_url(),
+      g_browser_process->system_request_context()));
+  gaia_oauth_client_->GetTokensFromAuthCode(client_info,
+                                            client->robot_api_auth_code(),
+                                            0 /* max_retries */,
+                                            this);
+}
+
+// GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
+void EnrollmentHandlerChromeOS::OnGetTokensResponse(
+    const std::string& refresh_token,
+    const std::string& access_token,
+    int expires_in_seconds) {
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+
+  robot_refresh_token_ = refresh_token;
+
+  DoLockDeviceStep();
+}
+
+void EnrollmentHandlerChromeOS::DoLockDeviceStep() {
+  enrollment_step_ = STEP_LOCK_DEVICE,
+  StartLockDevice(username_, device_mode_, device_id_);
+}
+
+// GaiaOAuthClient::Delegate
+void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
+    const std::string& access_token,
+    int expires_in_seconds) {
+  // We never use the code that should trigger this callback.
+  LOG(FATAL) << "Unexpected callback invoked";
+}
+
+// GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
+void EnrollmentHandlerChromeOS::OnOAuthError() {
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+  DoLockDeviceStep();
+}
+
+// GaiaOAuthClient::Delegate network error when fetching refresh token.
+void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
+  LOG(ERROR) << "Network error while fetching API refresh token: "
+             << response_code;
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+  DoLockDeviceStep();
+}
+
+void EnrollmentHandlerChromeOS::StartLockDevice(
     const std::string& user,
     DeviceMode device_mode,
     const std::string& device_id) {
   CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   // Since this method is also called directly.
   weak_factory_.InvalidateWeakPtrs();
 
   install_attributes_->LockDevice(
       user, device_mode, device_id,
       base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
                  weak_factory_.GetWeakPtr(),
                  user,
                  device_mode,
                  device_id));
 }
 
 void EnrollmentHandlerChromeOS::HandleLockDeviceResult(
     const std::string& user,
     DeviceMode device_mode,
     const std::string& device_id,
     EnterpriseInstallAttributes::LockResult lock_result) {
+  CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   switch (lock_result) {
     case EnterpriseInstallAttributes::LOCK_SUCCESS:
       enrollment_step_ = STEP_STORE_POLICY;
       store_->InstallInitialPolicy(*policy_);
       return;
     case EnterpriseInstallAttributes::LOCK_NOT_READY:
       // We wait up to |kLockRetryTimeoutMs| milliseconds and if it hasn't
       // succeeded by then show an error to the user and stop the enrollment.
       if (lockbox_init_duration_ < kLockRetryTimeoutMs) {
         // InstallAttributes not ready yet, retry later.
         LOG(WARNING) << "Install Attributes not ready yet will retry in "
                      << kLockRetryIntervalMs << "ms.";
         MessageLoop::current()->PostDelayedTask(
             FROM_HERE,
-            base::Bind(&EnrollmentHandlerChromeOS::WriteInstallAttributes,
+            base::Bind(&EnrollmentHandlerChromeOS::StartLockDevice,
                        weak_factory_.GetWeakPtr(),
                        user, device_mode, device_id),
             base::TimeDelta::FromMilliseconds(kLockRetryIntervalMs));
         lockbox_init_duration_ += kLockRetryIntervalMs;
       } else {
         ReportResult(EnrollmentStatus::ForStatus(
             EnrollmentStatus::STATUS_LOCK_TIMEOUT));
       }
       return;
     case EnterpriseInstallAttributes::LOCK_BACKEND_ERROR:
@@ skipping 30 matching lines @@
                  << " " << status.client_status()
                  << " " << status.validation_status()
                  << " " << status.store_status();
   }
 
   if (!callback.is_null())
     callback.Run(status);
 }
 
 }  // namespace policy