Added the AutoEnrollmentClient and unit tests for it.

BUG=chromium-os:23063 TEST=unit_tests pass on chromeos Review URL: http://codereview.chromium.org/8872032 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114016 0039d316-1c4b-4281-b951-d872f2087c98

Added the AutoEnrollmentClient and unit tests for it.
BUG=chromium-os:23063 TEST=unit_tests pass on chromeos Review URL: http://codereview.chromium.org/8872032 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114016 0039d316-1c4b-4281-b951-d872f2087c98
075ee36c · joaodasilva@chromium.org · 1b7a9a22 · 075ee36c · 075ee36c · 075ee36c
Commit 075ee36c authored Dec 12, 2011 by joaodasilva@chromium.org
10 changed files
--- a/chrome/browser/automation/automation_provider_observers.cc
+++ b/chrome/browser/automation/automation_provider_observers.cc
@@ -3058,6 +3058,8 @@ void PolicyUpdatesObserver::Reply() {
    AutomationJSONReply(
        automation_, reply_message_.release()).SendSuccess(NULL);
  }
+  // Reply() is only called from MaybeReply(), which makes the callback own
+  // |this|; so |this| will be deleted once this method returns.
 }
 // static

--- a/chrome/browser/policy/auto_enrollment_client.cc
+++ b/chrome/browser/policy/auto_enrollment_client.cc
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/browser/policy/auto_enrollment_client.h"
+#include "base/command_line.h"
+#include "base/logging.h"
+#include "base/string_number_conversions.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
+#include "chrome/browser/policy/device_management_service.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/guid.h"
+#include "crypto/sha2.h"
+namespace {
+// The modulus value is sent in an int64 field in the protobuf, whose maximum
+// value is 2^63-1. So 2^64 and 2^63 can't be represented as moduli and the
+// max is 2^62 (when the moduli are restricted to powers-of-2).
+const int kMaximumPower = 62;
+// Returns the int value of the |switch_name| argument, clamped to the [0, 62]
+// interval. Returns 0 if the argument doesn't exist or isn't an int value.
+int GetSanitizedArg(const std::string& switch_name) {
+  CommandLine* command_line = CommandLine::ForCurrentProcess();
+  if (!command_line->HasSwitch(switch_name))
+    return 0;
+  std::string value = command_line->GetSwitchValueASCII(switch_name);
+  int int_value;
+  if (!base::StringToInt(value, &int_value)) {
+    LOG(ERROR) << "Switch \"" << switch_name << "\" is not a valid int. "
+               << "Defaulting to 0.";
+    return 0;
+  }
+  if (int_value < 0) {
+    LOG(ERROR) << "Switch \"" << switch_name << "\" can't be negative. "
+               << "Using 0";
+    return 0;
+  }
+  if (int_value > kMaximumPower) {
+    LOG(ERROR) << "Switch \"" << switch_name << "\" can't be greater than "
+               << kMaximumPower << ". Using " << kMaximumPower;
+    return kMaximumPower;
+  }
+  return int_value;
+}
+// Returns the power of the next power-of-2 starting at |value|.
+int NextPowerOf2(int64 value) {
+  for (int i = 0; i <= kMaximumPower; ++i) {
+    if ((1 << i) >= value)
+      return i;
+  }
+  // No other value can be represented in an int64.
+  return kMaximumPower + 1;
+}
+}  // namespace
+namespace policy {
+AutoEnrollmentClient::AutoEnrollmentClient(const base::Closure& callback,
+                                           DeviceManagementService* service,
+                                           const std::string& serial_number,
+                                           int power_initial,
+                                           int power_limit)
+    : completion_callback_(callback),
+      should_auto_enroll_(false),
+      device_id_(guid::GenerateGUID()),
+      power_initial_(power_initial),
+      power_limit_(power_limit),
+      device_management_service_(service) {
+  DCHECK_LE(power_initial_, power_limit_);
+  if (!serial_number.empty())
+    serial_number_hash_ = crypto::SHA256HashString(serial_number);
+}
+AutoEnrollmentClient::~AutoEnrollmentClient() {}
+// static
+AutoEnrollmentClient* AutoEnrollmentClient::Create(
+    const base::Closure& completion_callback) {
+  CommandLine* command_line = CommandLine::ForCurrentProcess();
+  std::string url =
+      command_line->GetSwitchValueASCII(switches::kDeviceManagementUrl);
+  DeviceManagementService* service = NULL;
+  // This client won't do anything if there's no device management service  url.
+  if (!url.empty()) {
+    service = new DeviceManagementService(url);
+    service->ScheduleInitialization(0);
+  }
+  int power_initial = GetSanitizedArg(
+      switches::kEnterpriseEnrollmentInitialModulus);
+  int power_limit = GetSanitizedArg(
+      switches::kEnterpriseEnrollmentModulusLimit);
+  if (power_initial > power_limit) {
+    LOG(ERROR) << "Initial auto-enrollment modulus is larger than the limit, "
+               << "clamping to the limit.";
+    power_initial = power_limit;
+  }
+  return new AutoEnrollmentClient(completion_callback,
+                                  service,
+                                  BrowserPolicyConnector::GetSerialNumber(),
+                                  power_initial,
+                                  power_limit);
+}
+void AutoEnrollmentClient::Start() {
+  // Drop the previous backend and reset state.
+  device_management_backend_.reset();
+  should_auto_enroll_ = false;
+  if (device_management_service_.get()) {
+    if (serial_number_hash_.empty()) {
+      LOG(ERROR) << "Failed to get the hash of the serial number, "
+                 << "will not attempt to auto-enroll.";
+    } else {
+      // Create a new backend and fire the initial request.
+      device_management_backend_.reset(
+          device_management_service_->CreateBackend());
+      SendRequest(power_initial_);
+      // Don't invoke the callback now.
+      return;
+    }
+  }
+  // Auto-enrollment can't even start, so we're done.
+  completion_callback_.Run();
+}
+void AutoEnrollmentClient::SendRequest(int power) {
+  if (power < 0 || power > power_limit_ || serial_number_hash_.empty()) {
+    NOTREACHED();
+    completion_callback_.Run();
+    return;
+  }
+  last_power_used_ = power;
+  // Only power-of-2 moduli are supported for now. These are computed by taking
+  // the lower |power| bits of the hash.
+  uint64 remainder = 0;
+  for (int i = 0; 8 * i < power; ++i) {
+    uint64 byte = serial_number_hash_[31 - i] & 0xff;
+    remainder = remainder | (byte << (8 * i));
+  }
+  remainder = remainder & ((1ULL << power) - 1);
+  em::DeviceAutoEnrollmentRequest request;
+  request.set_remainder(remainder);
+  request.set_modulus((int64) 1 << power);
+  device_management_backend_->ProcessAutoEnrollmentRequest(device_id_,
+                                                           request,
+                                                           this);
+}
+void AutoEnrollmentClient::HandleAutoEnrollmentResponse(
+    const em::DeviceAutoEnrollmentResponse& response) {
+  if (response.has_modulus()) {
+    // Server is asking us to retry with a different modulus.
+    int64 modulus = response.modulus();
+    int64 last_modulus_used = 1 << last_power_used_;
+    int power = NextPowerOf2(modulus);
+    if ((1 << power) != modulus) {
+      LOG(WARNING) << "Auto enrollment: the server didn't ask for a power-of-2 "
+                   << "modulus. Using the closest power-of-2 instead "
+                   << "(" << modulus << " vs 2^" << power << ")";
+    }
+    if (modulus < last_modulus_used) {
+      LOG(ERROR) << "Auto enrollment error: the server asked for a smaller "
+                 << "modulus than we used.";
+    } else if (modulus == last_modulus_used) {
+      LOG(ERROR) << "Auto enrollment error: the server asked for the same "
+                 << "modulus that was already used.";
+    } else if (last_power_used_ != power_initial_) {
+      LOG(ERROR) << "Auto enrollment error: already retried with an updated "
+                 << "modulus but the server asked for a new one.";
+    } else if (power > power_limit_) {
+      LOG(ERROR) << "Auto enrollment error: the server asked for a larger "
+                 << "modulus than the client accepts (" << power << " vs "
+                 << power_limit_ << ").";
+    } else {
+      // Retry with a larger modulus.
+      SendRequest(power);
+      // Don't invoke the callback yet.
+      return;
+    }
+  } else {
+    // Server should have sent down a list of hashes to try.
+    should_auto_enroll_ = IsSerialInProtobuf(response.hashes());
+    LOG(INFO) << "Auto enrollment complete, should_auto_enroll = "
+              << should_auto_enroll_;
+  }
+  // Auto-enrollment done.
+  completion_callback_.Run();
+}
+void AutoEnrollmentClient::OnError(DeviceManagementBackend::ErrorCode code) {
+  LOG(ERROR) << "Auto enrollment backend error: " << code;
+  completion_callback_.Run();
+}
+bool AutoEnrollmentClient::IsSerialInProtobuf(
+      const google::protobuf::RepeatedPtrField<std::string>& hashes) {
+  for (int i = 0; i < hashes.size(); ++i) {
+    if (hashes.Get(i) == serial_number_hash_)
+      return true;
+  }
+  return false;
+}
+}  // namespace policy
--- a/chrome/browser/policy/auto_enrollment_client.h
+++ b/chrome/browser/policy/auto_enrollment_client.h
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef CHROME_BROWSER_POLICY_AUTO_ENROLLMENT_CLIENT_H_
+#define CHROME_BROWSER_POLICY_AUTO_ENROLLMENT_CLIENT_H_
+#pragma once
+#include <string>
+#include "base/basictypes.h"
+#include "base/callback.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+#include "chrome/browser/policy/device_management_backend.h"
+#include "third_party/protobuf/src/google/protobuf/repeated_field.h"
+namespace policy {
+class DeviceManagementService;
+// Interacts with the device management service and determines whether this
+// machine should automatically enter the Enterprise Enrollment screen during
+// OOBE.
+class AutoEnrollmentClient
+    : public DeviceManagementBackend::DeviceAutoEnrollmentResponseDelegate {
+ public:
+  // |completion_callback| will be invoked on completion of the protocol, after
+  // Start() is invoked.
+  // Takes ownership of |device_management_service|.
+  // |power_initial| and |power_limit| are exponents of power-of-2 values which
+  // will be the initial modulus and the maximum modulus used by this client.
+  AutoEnrollmentClient(const base::Closure& completion_callback,
+                       DeviceManagementService* device_management_service,
+                       const std::string& serial_number,
+                       int power_initial,
+                       int power_limit);
+  virtual ~AutoEnrollmentClient();
+  // Convenience method to create instances of this class.
+  static AutoEnrollmentClient* Create(const base::Closure& completion_callback);
+  // Starts the auto-enrollment check protocol with the device management
+  // service. Subsequent calls drop any previous requests. Notice that this
+  // call can invoke the |completion_callback_| if errors occur.
+  void Start();
+  // Returns true if the protocol completed successfully and determined that
+  // this device should do enterprise enrollment.
+  bool should_auto_enroll() const { return should_auto_enroll_; }
+  // Returns the device_id randomly generated for the auto-enrollment requests.
+  // It can be reused for subsequent requests to the device management service.
+  std::string device_id() const { return device_id_; }
+ private:
+  // Sends an auto-enrollment check request to the device management service.
+  // |power| is the power of the power-of-2 to use as a modulus for this
+  // request.
+  void SendRequest(int power);
+  // Implementation of DeviceAutoEnrollmentResponseDelegate:
+  virtual void HandleAutoEnrollmentResponse(
+      const em::DeviceAutoEnrollmentResponse& response) OVERRIDE;
+  virtual void OnError(DeviceManagementBackend::ErrorCode code) OVERRIDE;
+  // Returns true if |serial_number_hash_| is contained in |hashes|.
+  bool IsSerialInProtobuf(
+      const google::protobuf::RepeatedPtrField<std::string>& hashes);
+  // Callback to invoke when the protocol completes.
+  base::Closure completion_callback_;
+  // Whether to auto-enroll or not. This is reset by calls to Start(), and only
+  // turns true if the protocol and the serial number check succeed.
+  bool should_auto_enroll_;
+  // Randomly generated device id for the auto-enrollment requests.
+  std::string device_id_;
+  // SHA256 hash of the device's serial number. Empty if the serial couldn't be
+  // retrieved.
+  std::string serial_number_hash_;
+  // Power of the power-of-2 modulus used in the initial auto-enrollment
+  // request.
+  int power_initial_;
+  // Power of the maximum power-of-2 modulus that this client will accept from
+  // a retry response from the server.
+  int power_limit_;
+  // Modulus used in the last request sent to the server.
+  // Used to determine if the server is asking for the same modulus.
+  int last_power_used_;
+  // Used to communicate with the device management service.
+  scoped_ptr<DeviceManagementService> device_management_service_;
+  scoped_ptr<DeviceManagementBackend> device_management_backend_;
+  DISALLOW_COPY_AND_ASSIGN(AutoEnrollmentClient);
+};
+}  // namespace policy
+#endif  // CHROME_BROWSER_POLICY_AUTO_ENROLLMENT_CLIENT_H_
--- a/chrome/browser/policy/auto_enrollment_client_unittest.cc
+++ b/chrome/browser/policy/auto_enrollment_client_unittest.cc
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/browser/policy/auto_enrollment_client.h"
+#include "base/bind.h"
+#include "base/bind_helpers.h"
+#include "base/rand_util.h"
+#include "chrome/browser/policy/mock_device_management_backend.h"
+#include "chrome/browser/policy/mock_device_management_service.h"
+#include "crypto/sha2.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+namespace policy {
+namespace {
+const char* kSerial = "serial";
+const char* kSerialHash =
+    "\x01\x44\xb1\xde\xfc\xf7\x56\x10\x87\x01\x5f\x8d\x83\x0d\x65\xb1"
+    "\x6f\x02\x4a\xd7\xeb\x92\x45\xfc\xd4\xe4\x37\xa1\x55\x2b\x13\x8a";
+using ::testing::AnyNumber;
+using ::testing::DoAll;
+using ::testing::InSequence;
+using ::testing::Invoke;
+using ::testing::Unused;
+using ::testing::_;
+ACTION_P(MockDeviceManagementBackendFailAutoEnrollment, error) {
+  arg2->OnError(error);
+}
+ACTION_P(MockDeviceManagementBackendSucceedAutoEnrollment, response) {
+  arg2->HandleAutoEnrollmentResponse(response);
+}
+class AutoEnrollmentClientTest : public testing::Test {
+ protected:
+  AutoEnrollmentClientTest()
+      : completion_callback_count_(0) {}
+  virtual void SetUp() OVERRIDE {
+    CreateClient(kSerial, 4, 8);
+  }
+  void CreateClient(const std::string& serial,
+                    int power_initial,
+                    int power_limit) {
+    MockDeviceManagementService* service = new MockDeviceManagementService;
+    EXPECT_CALL(*service, CreateBackend())
+      .Times(AnyNumber())
+      .WillRepeatedly(MockDeviceManagementServiceProxyBackend(&backend_));
+    base::Closure callback =
+        base::Bind(&AutoEnrollmentClientTest::CompletionCallback,
+                   base::Unretained(this));
+    client_.reset(new AutoEnrollmentClient(callback,
+                                           service,
+                                           serial,
+                                           power_initial,
+                                           power_limit));
+  }
+  void CompletionCallback() {
+    completion_callback_count_++;
+  }
+  void ServerWillFail(DeviceManagementBackend::ErrorCode error) {
+    EXPECT_CALL(backend_, ProcessAutoEnrollmentRequest(_, _, _))
+        .WillOnce(
+            DoAll(Invoke(this, &AutoEnrollmentClientTest::CaptureRequest),
+                  MockDeviceManagementBackendFailAutoEnrollment(error)));
+  }
+  void ServerWillReply(int64 modulus, bool with_hashes, bool with_serial_hash) {
+    em::DeviceAutoEnrollmentResponse response;
+    if (modulus >= 0)
+      response.set_modulus(modulus);
+    if (with_hashes) {
+      for (size_t i = 0; i < 10; ++i) {
+        std::string serial = "serial X";
+        serial[7] = '0' + i;
+        std::string hash = crypto::SHA256HashString(serial);
+        response.mutable_hashes()->Add()->assign(hash);
+      }
+    }
+    if (with_serial_hash) {
+      response.mutable_hashes()->Add()->assign(kSerialHash,
+                                               crypto::kSHA256Length);
+    }
+    EXPECT_CALL(backend_, ProcessAutoEnrollmentRequest(_, _, _))
+        .WillOnce(
+            DoAll(Invoke(this, &AutoEnrollmentClientTest::CaptureRequest),
+                  MockDeviceManagementBackendSucceedAutoEnrollment(response)));
+  }
+  MockDeviceManagementBackend backend_;
+  scoped_ptr<AutoEnrollmentClient> client_;
+  em::DeviceAutoEnrollmentRequest last_request_;
+  int completion_callback_count_;
+ private:
+  void CaptureRequest(
+      Unused,
+      const em::DeviceAutoEnrollmentRequest& request,
+      Unused) {
+    last_request_ = request;
+  }
+  DISALLOW_COPY_AND_ASSIGN(AutoEnrollmentClientTest);
+};
+TEST_F(AutoEnrollmentClientTest, NetworkFailure) {
+  ServerWillFail(DeviceManagementBackend::kErrorTemporaryUnavailable);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, EmptyReply) {
+  ServerWillReply(-1, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, ClientUploadsRightBits) {
+  ServerWillReply(-1, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+  EXPECT_TRUE(last_request_.has_remainder());
+  EXPECT_TRUE(last_request_.has_modulus());
+  EXPECT_EQ(16, last_request_.modulus());
+  EXPECT_EQ(kSerialHash[31] & 0xf, last_request_.remainder());
+}
+TEST_F(AutoEnrollmentClientTest, AskForMoreThenFail) {
+  InSequence sequence;
+  ServerWillReply(32, false, false);
+  ServerWillFail(DeviceManagementBackend::kErrorTemporaryUnavailable);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, AskForMoreThenEvenMore) {
+  InSequence sequence;
+  ServerWillReply(32, false, false);
+  ServerWillReply(64, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, AskForLess) {
+  ServerWillReply(8, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, AskForSame) {
+  ServerWillReply(16, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, AskForTooMuch) {
+  ServerWillReply(512, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, AskNonPowerOf2) {
+  InSequence sequence;
+  ServerWillReply(100, false, false);
+  ServerWillReply(-1, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+  EXPECT_TRUE(last_request_.has_remainder());
+  EXPECT_TRUE(last_request_.has_modulus());
+  EXPECT_EQ(128, last_request_.modulus());
+  EXPECT_EQ(kSerialHash[31] & 0x7f, last_request_.remainder());
+}
+TEST_F(AutoEnrollmentClientTest, ConsumerDevice) {
+  ServerWillReply(-1, true, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, EnterpriseDevice) {
+  ServerWillReply(-1, true, true);
+  client_->Start();
+  EXPECT_TRUE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, NoSerial) {
+  CreateClient("", 4, 8);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+}
+TEST_F(AutoEnrollmentClientTest, NoBitsUploaded) {
+  CreateClient(kSerial, 0, 0);
+  ServerWillReply(-1, false, false);
+  client_->Start();
+  EXPECT_FALSE(client_->should_auto_enroll());
+  EXPECT_EQ(1, completion_callback_count_);
+  EXPECT_TRUE(last_request_.has_remainder());
+  EXPECT_TRUE(last_request_.has_modulus());
+  EXPECT_EQ(1, last_request_.modulus());
+  EXPECT_EQ(0, last_request_.remainder());
+}
+TEST_F(AutoEnrollmentClientTest, ManyBitsUploaded) {
+  int64 bottom62 = GG_LONGLONG(0x14e437a1552b138a);
+  for (int i = 0; i <= 62; ++i) {
+    completion_callback_count_ = 0;
+    CreateClient(kSerial, i, i);
+    ServerWillReply(-1, false, false);
+    client_->Start();
+    EXPECT_FALSE(client_->should_auto_enroll());
+    EXPECT_EQ(1, completion_callback_count_);
+    EXPECT_TRUE(last_request_.has_remainder());
+    EXPECT_TRUE(last_request_.has_modulus());
+    EXPECT_EQ((int64) 1 << i, last_request_.modulus());
+    EXPECT_EQ(bottom62 % ((int64) 1 << i), last_request_.remainder());
+  }
+}
+}  // namespace
+}  // namespace policy
--- a/chrome/browser/policy/browser_policy_connector.cc
+++ b/chrome/browser/policy/browser_policy_connector.cc
@@ -69,7 +69,7 @@ const char kMachineInfoSystemHwqual[] = "hardware_class";
 // in the "serial_number" key for v2+ VPDs. However, we cannot check this first,
 // since we'd get the "serial_number" value from the SMBIOS (yes, there's a name
 // clash here!), which is different from the serial number we want and not
-// actually per-device. So, we check the the legacy keys first. If we find a
+// actually per-device. So, we check the legacy keys first. If we find a
 // serial number for these, we use it, otherwise we must be on a newer device
 // that provides the correct data in "serial_number".
 const char* kMachineInfoSerialNumberKeys[] = {
@@ -155,22 +155,16 @@ void BrowserPolicyConnector::RegisterForDevicePolicy(
  if (device_data_store_.get()) {
    if (device_data_store_->machine_id().empty() ||
        device_data_store_->machine_model().empty()) {
-      std::string machine_id;
-      std::string machine_model;
      chromeos::system::StatisticsProvider* provider =
          chromeos::system::StatisticsProvider::GetInstance();
+      std::string machine_model;
      if (!provider->GetMachineStatistic(kMachineInfoSystemHwqual,
                                         &machine_model)) {
        LOG(ERROR) << "Failed to get machine model.";
      }
-      for (size_t i = 0; i < arraysize(kMachineInfoSerialNumberKeys); i++) {
-        if (provider->GetMachineStatistic(kMachineInfoSerialNumberKeys[i],
-                                          &machine_id) &&
-            !machine_id.empty()) {
-          break;
-        }
-      }
+      std::string machine_id = GetSerialNumber();
      if (machine_id.empty())
        LOG(ERROR) << "Failed to get machine serial number.";
@@ -210,6 +204,23 @@ EnterpriseInstallAttributes::LockResult
  return EnterpriseInstallAttributes::LOCK_BACKEND_ERROR;
 }
+// static
+std::string BrowserPolicyConnector::GetSerialNumber() {
+  std::string serial_number;
+#if defined(OS_CHROMEOS)
+  chromeos::system::StatisticsProvider* provider =
+      chromeos::system::StatisticsProvider::GetInstance();
+  for (size_t i = 0; i < arraysize(kMachineInfoSerialNumberKeys); i++) {
+    if (provider->GetMachineStatistic(kMachineInfoSerialNumberKeys[i],
+                                      &serial_number) &&
+        !serial_number.empty()) {
+      break;
+    }
+  }
+#endif
+  return serial_number;
+}
 std::string BrowserPolicyConnector::GetEnterpriseDomain() {
 #if defined(OS_CHROMEOS)
  if (install_attributes_.get())

--- a/chrome/browser/policy/browser_policy_connector.h
+++ b/chrome/browser/policy/browser_policy_connector.h
@@ -86,6 +86,9 @@ class BrowserPolicyConnector : public content::NotificationObserver {
  // Locks the device to an enterprise domain.
  EnterpriseInstallAttributes::LockResult LockDevice(const std::string& user);
+  // Returns the device serial number, or an empty string if not available.
+  static std::string GetSerialNumber();
  // Returns the enterprise domain if device is managed.
  std::string GetEnterpriseDomain();

--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -1760,6 +1760,8 @@
        'browser/policy/asynchronous_policy_loader.h',
        'browser/policy/asynchronous_policy_provider.cc',
        'browser/policy/asynchronous_policy_provider.h',
+        'browser/policy/auto_enrollment_client.cc',
+        'browser/policy/auto_enrollment_client.h',
        'browser/policy/browser_policy_connector.cc',
        'browser/policy/browser_policy_connector.h',
        'browser/policy/cloud_policy_cache_base.cc',
@@ -4090,6 +4092,8 @@
            ['exclude', 'browser/extensions/extension_tts_api_chromeos.cc'],
            ['exclude', 'browser/oom_priority_manager.cc'],
            ['exclude', 'browser/oom_priority_manager.h'],
+            ['exclude', 'browser/policy/auto_enrollment_client.cc'],
+            ['exclude', 'browser/policy/auto_enrollment_client.h'],
            ['exclude', 'browser/policy/device_policy_cache.cc'],
            ['exclude', 'browser/policy/device_policy_cache.h'],
            ['exclude', 'browser/policy/enterprise_install_attributes.cc'],

--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1519,6 +1519,7 @@
        'browser/policy/asynchronous_policy_provider_unittest.cc',
        'browser/policy/asynchronous_policy_test_base.cc',
        'browser/policy/asynchronous_policy_test_base.h',
+        'browser/policy/auto_enrollment_client_unittest.cc',
        'browser/policy/cloud_policy_controller_unittest.cc',
        'browser/policy/cloud_policy_provider_unittest.cc',
        'browser/policy/cloud_policy_subsystem_unittest.cc',
@@ -2123,6 +2124,7 @@
          'sources/': [
            ['exclude', '^browser/chromeos/'],
            ['exclude', '^browser/oom_priority_manager_unittest.cc'],
+            ['exclude', '^browser/policy/auto_enrollment_client_unittest.cc' ],
            ['exclude', '^browser/policy/configuration_policy_handler_chromeos_unittest.cc' ],
            ['exclude', '^browser/policy/device_policy_cache_unittest.cc'],
            ['exclude', '^browser/policy/enterprise_install_attributes_unittest.cc' ],

--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -1204,6 +1204,16 @@ const char kCompressSystemFeedback[]        = "compress-sys-feedback";
 // Enables overriding the path for the default authentication extension.
 const char kAuthExtensionPath[]             = "auth-ext-path";
+// Power of the power-of-2 initial modulus that will be used by the
+// auto-enrollment client. E.g. "4" means the modulus will be 2^4 = 16.
+const char kEnterpriseEnrollmentInitialModulus[]  =
+    "enterprise-enrollment-initial-modulus";
+// Power of the power-of-2 maximum modulus that will be used by the
+// auto-enrollment client.
+const char kEnterpriseEnrollmentModulusLimit[]    =
+    "enterprise-enrollment-modulus-limit";
 #ifndef NDEBUG
 // Skips all other OOBE pages after user login.
 const char kOobeSkipPostLogin[]             = "oobe-skip-postlogin";

--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -333,6 +333,8 @@ extern const char kStubCros[];
 extern const char kScreenSaverUrl[];
 extern const char kCompressSystemFeedback[];
 extern const char kAuthExtensionPath[];
+extern const char kEnterpriseEnrollmentInitialModulus[];
+extern const char kEnterpriseEnrollmentModulusLimit[];
 #ifndef NDEBUG
 extern const char kOobeSkipPostLogin[];
 #endif