Add support for forced initial enrollment check

Add support for the forced initial enrollment check in
AutoEnrollmentClient. This check uses a different identifier set, 8 byte
hashes and a different message for the state download.
The differences are abstracted by using two virtual classes with
different implementations for FRE/initial enrollment checks:
DeviceIdentifierProvider specifies the identifier set and hashes, and
StateDownloadMessageProcessor understands fills state download requests
and parses state download responses.

Bug: 839353
Test: unit_tests --gtest_filter=*AutoEnrollmentClientTest*
Change-Id: I83d041f568d84c42b9b8cf00a1e44955f9d5abe3
Reviewed-on: https://chromium-review.googlesource.com/1049929
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557627}

chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc

@@ -267,7 +267,7 @@ void AutoEnrollmentController::StartClient(
     power_initial = power_limit;
   }
 
-  client_ = std::make_unique<policy::AutoEnrollmentClient>(
+  client_ = policy::AutoEnrollmentClient::CreateForFRE(
       base::Bind(&AutoEnrollmentController::UpdateState,
                  weak_ptr_factory_.GetWeakPtr()),
       service, g_browser_process->local_state(),

chrome/browser/chromeos/policy/auto_enrollment_client.h

@@ -13,6 +13,7 @@
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/macros.h"
+#include "base/memory/scoped_refptr.h"
 #include "base/time/time.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "net/base/network_change_notifier.h"
@@ -31,8 +32,8 @@ class URLRequestContextGetter;
 
 namespace policy {
 
-class DeviceManagementRequestJob;
 class DeviceManagementService;
+class DeviceManagementRequestJob;
 
 // Indicates the current state of the auto-enrollment check.  (Numeric values
 // are just to make reading of log files easier.)
@@ -64,15 +65,24 @@ class AutoEnrollmentClient
   // and the max is 2^62 (when the moduli are restricted to powers-of-2).
   static const int kMaximumPower = 62;
 
+  // Subclasses of this class provide an identifier and specify the identifier
+  // set for the DeviceAutoEnrollmentRequest,
+  class DeviceIdentifierProvider;
+
+  // Subclasses of this class generate the request to download the device state
+  // (after determining that there is server-side device state) and parse the
+  // response.
+  class StateDownloadMessageProcessor;
+
   // Used for signaling progress to a consumer.
-  typedef base::Callback<void(AutoEnrollmentState)> ProgressCallback;
+  typedef base::RepeatingCallback<void(AutoEnrollmentState)> ProgressCallback;
 
   // |progress_callback| will be invoked whenever some significant event happens
   // as part of the protocol, after Start() is invoked.
   // The result of the protocol will be cached in |local_state|.
   // |power_initial| and |power_limit| are exponents of power-of-2 values which
   // will be the initial modulus and the maximum modulus used by this client.
-  AutoEnrollmentClient(
+  static std::unique_ptr<AutoEnrollmentClient> CreateForFRE(
       const ProgressCallback& progress_callback,
       DeviceManagementService* device_management_service,
       PrefService* local_state,
@@ -80,6 +90,22 @@ class AutoEnrollmentClient
       const std::string& server_backed_state_key,
       int power_initial,
       int power_limit);
+
+  // |progress_callback| will be invoked whenever some significant event happens
+  // as part of the protocol, after Start() is invoked.
+  // The result of the protocol will be cached in |local_state|.
+  // |power_initial| and |power_limit| are exponents of power-of-2 values which
+  // will be the initial modulus and the maximum modulus used by this client.
+  static std::unique_ptr<AutoEnrollmentClient> CreateForInitialEnrollment(
+      const ProgressCallback& progress_callback,
+      DeviceManagementService* device_management_service,
+      PrefService* local_state,
+      scoped_refptr<net::URLRequestContextGetter> system_request_context,
+      const std::string& device_serial_number,
+      const std::string& device_brand_code,
+      int power_initial,
+      int power_limit);
+
   ~AutoEnrollmentClient() override;
 
   // Registers preferences in local state.
@@ -116,6 +142,17 @@ class AutoEnrollmentClient
       int,
       const enterprise_management::DeviceManagementResponse&);
 
+  AutoEnrollmentClient(
+      const ProgressCallback& progress_callback,
+      DeviceManagementService* device_management_service,
+      PrefService* local_state,
+      scoped_refptr<net::URLRequestContextGetter> system_request_context,
+      std::unique_ptr<DeviceIdentifierProvider> device_identifier_provider,
+      std::unique_ptr<StateDownloadMessageProcessor>
+          state_download_message_processor,
+      int power_initial,
+      int power_limit);
+
   // Tries to load the result of a previous execution of the protocol from
   // local state. Returns true if that decision has been made and is valid.
   bool GetCachedDecision();
@@ -157,7 +194,8 @@ class AutoEnrollmentClient
       int net_error,
       const enterprise_management::DeviceManagementResponse& response);
 
-  // Returns true if |server_backed_state_key_hash_| is contained in |hashes|.
+  // Returns true if the identifier hash provided by
+  // |device_identifier_provider_| is contained in |hashes|.
   bool IsIdHashInProtobuf(
       const google::protobuf::RepeatedPtrField<std::string>& hashes);
 
@@ -181,10 +219,6 @@ class AutoEnrollmentClient
   // Randomly generated device id for the auto-enrollment requests.
   std::string device_id_;
 
-  // Stable state key and its SHA-256 digest.
-  std::string server_backed_state_key_;
-  std::string server_backed_state_key_hash_;
-
   // Power-of-2 modulus to try next.
   int current_power_;
 
@@ -206,6 +240,14 @@ class AutoEnrollmentClient
   // The request context to use to perform the auto enrollment request.
   scoped_refptr<net::URLRequestContextGetter> request_context_;
 
+  // Specifies the identifier set and the hash of the device's current
+  // identifier.
+  std::unique_ptr<DeviceIdentifierProvider> device_identifier_provider_;
+
+  // Fills and parses state retrieval request / response.
+  std::unique_ptr<StateDownloadMessageProcessor>
+      state_download_message_processor_;
+
   // Times used to determine the duration of the protocol, and the extra time
   // needed to complete after the signin was complete.
   // If |time_start_| is not null, the protocol is still running.

components/policy/core/common/cloud/cloud_policy_constants.cc

@@ -57,6 +57,8 @@ const char kValueRequestCheckDeviceLicense[] = "check_device_license";
 const char kValueRequestAppInstallReport[] = "app_install_report";
 const char kValueRequestTokenEnrollment[] = "register_browser";
 const char kValueRequestChromeDesktopReport[] = "chrome_desktop_report";
+const char kValueRequestInitialEnrollmentStateRetrieval[] =
+    "device_initial_enrollment_state";
 
 const char kChromeDevicePolicyType[] = "google/chromeos/device";
 #if defined(OS_CHROMEOS)

components/policy/core/common/cloud/cloud_policy_constants.h

@@ -49,6 +49,7 @@ POLICY_EXPORT extern const char kValueRequestCheckDeviceLicense[];
 POLICY_EXPORT extern const char kValueRequestAppInstallReport[];
 POLICY_EXPORT extern const char kValueRequestTokenEnrollment[];
 POLICY_EXPORT extern const char kValueRequestChromeDesktopReport[];
+POLICY_EXPORT extern const char kValueRequestInitialEnrollmentStateRetrieval[];
 
 // Policy type strings for the policy_type field in PolicyFetchRequest.
 POLICY_EXPORT extern const char kChromeDevicePolicyType[];

components/policy/core/common/cloud/device_management_service.cc

@@ -166,6 +166,8 @@ const char* JobTypeToRequestType(DeviceManagementRequestJob::JobType type) {
       return dm_protocol::kValueRequestTokenEnrollment;
     case DeviceManagementRequestJob::TYPE_CHROME_DESKTOP_REPORT:
       return dm_protocol::kValueRequestChromeDesktopReport;
+    case DeviceManagementRequestJob::TYPE_INITIAL_ENROLLMENT_STATE_RETRIEVAL:
+      return dm_protocol::kValueRequestInitialEnrollmentStateRetrieval;
   }
   NOTREACHED() << "Invalid job type " << type;
   return "";

components/policy/core/common/cloud/device_management_service.h

@@ -66,6 +66,7 @@ class POLICY_EXPORT DeviceManagementRequestJob {
     TYPE_UPLOAD_APP_INSTALL_REPORT = 17,
     TYPE_TOKEN_ENROLLMENT = 18,
     TYPE_CHROME_DESKTOP_REPORT = 19,
+    TYPE_INITIAL_ENROLLMENT_STATE_RETRIEVAL = 20,
   };
 
   typedef base::Callback<