Fetch policy with refresh token.

WildcardLoginChecker and UserCloudPolicyManagerChromeOS now use this mechanism to fetch policy.

BUG=478432,470984,462036,480447
TEST=manual

Review URL: https://codereview.chromium.org/1108983002

Cr-Commit-Position: refs/heads/master@{#327375}

chrome/browser/chromeos/login/auth/chrome_login_performer.cc

@@ -94,6 +94,7 @@ bool ChromeLoginPerformer::IsUserWhitelisted(const std::string& user_id,
 void ChromeLoginPerformer::RunOnlineWhitelistCheck(
     const std::string& user_id,
     bool wildcard_match,
+    const std::string& refresh_token,
     const base::Closure& success_callback,
     const base::Closure& failure_callback) {
   // On enterprise devices, reconfirm login permission with the server.
@@ -102,12 +103,19 @@ void ChromeLoginPerformer::RunOnlineWhitelistCheck(
   if (connector->IsEnterpriseManaged() && wildcard_match &&
       !connector->IsNonEnterpriseUser(user_id)) {
     wildcard_login_checker_.reset(new policy::WildcardLoginChecker());
-    wildcard_login_checker_->Start(
-        ProfileHelper::GetSigninProfile()->GetRequestContext(),
-        base::Bind(&ChromeLoginPerformer::OnlineWildcardLoginCheckCompleted,
-                   weak_factory_.GetWeakPtr(),
-                   success_callback,
-                   failure_callback));
+    if (refresh_token.empty()) {
+      wildcard_login_checker_->Start(
+          ProfileHelper::GetSigninProfile()->GetRequestContext(),
+          base::Bind(&ChromeLoginPerformer::OnlineWildcardLoginCheckCompleted,
+                     weak_factory_.GetWeakPtr(), success_callback,
+                     failure_callback));
+    } else {
+      wildcard_login_checker_->StartWithRefreshToken(
+          refresh_token,
+          base::Bind(&ChromeLoginPerformer::OnlineWildcardLoginCheckCompleted,
+                     weak_factory_.GetWeakPtr(), success_callback,
+                     failure_callback));
+    }
   } else {
     success_callback.Run();
   }

chrome/browser/chromeos/login/auth/chrome_login_performer.h

@@ -42,6 +42,7 @@ class ChromeLoginPerformer : public LoginPerformer {
 
   void RunOnlineWhitelistCheck(const std::string& user_id,
                                bool wildcard_match,
+                               const std::string& refresh_token,
                                const base::Closure& success_callback,
                                const base::Closure& failure_callback) override;
   bool AreSupervisedUsersAllowed() override;

chrome/browser/chromeos/login/session/user_session_manager.h

@@ -230,6 +230,7 @@ class UserSessionManager
   // Removes a profile from the per-user input methods states map.
   void RemoveProfileForTesting(Profile* profile);
 
+  const UserContext& user_context() const { return user_context_; }
   bool has_auth_cookies() const { return has_auth_cookies_; }
 
  private:

chrome/browser/chromeos/policy/policy_oauth2_token_fetcher.cc

@@ -37,8 +37,6 @@ PolicyOAuth2TokenFetcher::PolicyOAuth2TokenFetcher(
     const TokenCallback& callback)
     : auth_context_getter_(auth_context_getter),
       system_context_getter_(system_context_getter),
-      retry_count_(0),
-      failed_(false),
       callback_(callback) {}
 
 PolicyOAuth2TokenFetcher::PolicyOAuth2TokenFetcher(
@@ -47,8 +45,6 @@ PolicyOAuth2TokenFetcher::PolicyOAuth2TokenFetcher(
     const TokenCallback& callback)
     : auth_code_(auth_code),
       system_context_getter_(system_context_getter),
-      retry_count_(0),
-      failed_(false),
       callback_(callback) {
 }
 
@@ -59,6 +55,13 @@ void PolicyOAuth2TokenFetcher::Start() {
   StartFetchingRefreshToken();
 }
 
+void PolicyOAuth2TokenFetcher::StartWithRefreshToken(
+    const std::string& oauth2_refresh_token) {
+  retry_count_ = 0;
+  oauth2_refresh_token_ = oauth2_refresh_token;
+  StartFetchingAccessToken();
+}
+
 void PolicyOAuth2TokenFetcher::StartFetchingRefreshToken() {
   if (auth_code_.empty()) {
     refresh_token_fetcher_.reset(new GaiaAuthFetcher(

chrome/browser/chromeos/policy/policy_oauth2_token_fetcher.h

@@ -53,6 +53,10 @@ class PolicyOAuth2TokenFetcher
   // Starts process of minting device management service OAuth2 access token.
   void Start();
 
+  // Starts minting device management service OAuth2 access token with the given
+  // |oauth2_refresh_token|.
+  void StartWithRefreshToken(const std::string& oauth2_refresh_token);
+
   // Returns true if we have previously attempted to fetch tokens with this
   // class and failed.
   bool failed() const {
@@ -110,10 +114,10 @@ class PolicyOAuth2TokenFetcher
   std::string oauth2_access_token_;
 
   // The retry counter. Increment this only when failure happened.
-  int retry_count_;
+  int retry_count_ = 0;
 
   // True if we have already failed to fetch the policy.
-  bool failed_;
+  bool failed_ = false;
 
   // The callback to invoke when done.
   TokenCallback callback_;

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc

@@ -13,6 +13,7 @@
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/helper.h"
+#include "chrome/browser/chromeos/login/session/user_session_manager.h"
 #include "chrome/browser/chromeos/policy/policy_oauth2_token_fetcher.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
 #include "chrome/browser/chromeos/policy/wildcard_login_checker.h"
@@ -212,7 +213,7 @@ void UserCloudPolicyManagerChromeOS::OnInitializationCompleted(
   // access token is already available.
   if (!client()->is_registered()) {
     if (wait_for_policy_fetch_) {
-      FetchPolicyOAuthTokenUsingSigninContext();
+      FetchPolicyOAuthToken();
     } else if (!access_token_.empty()) {
       OnAccessTokenAvailable(access_token_);
     }
@@ -286,7 +287,19 @@ void UserCloudPolicyManagerChromeOS::GetChromePolicy(PolicyMap* policy_map) {
   SetEnterpriseUsersDefaults(policy_map);
 }
 
-void UserCloudPolicyManagerChromeOS::FetchPolicyOAuthTokenUsingSigninContext() {
+void UserCloudPolicyManagerChromeOS::FetchPolicyOAuthToken() {
+  const std::string& refresh_token = chromeos::UserSessionManager::GetInstance()
+                                         ->user_context()
+                                         .GetRefreshToken();
+  if (!refresh_token.empty()) {
+    token_fetcher_.reset(new PolicyOAuth2TokenFetcher(
+        std::string(), g_browser_process->system_request_context(),
+        base::Bind(&UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched,
+                   base::Unretained(this))));
+    token_fetcher_->StartWithRefreshToken(refresh_token);
+    return;
+  }
+
   scoped_refptr<net::URLRequestContextGetter> signin_context =
       chromeos::login::GetSigninContext();
   if (!signin_context.get()) {

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h

@@ -109,9 +109,10 @@ class UserCloudPolicyManagerChromeOS : public CloudPolicyManager,
   void GetChromePolicy(PolicyMap* policy_map) override;
 
  private:
-  // Fetches a policy token using the authentication context of the signin
-  // context, and calls back to OnOAuth2PolicyTokenFetched when done.
-  void FetchPolicyOAuthTokenUsingSigninContext();
+  // Fetches a policy token using the refresh token if available, or the
+  // authentication context of the signin context, and calls back
+  // OnOAuth2PolicyTokenFetched when done.
+  void FetchPolicyOAuthToken();
 
   // Called once the policy access token is available, and starts the
   // registration with the policy server if the token was successfully fetched.

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_unittest.cc

@@ -15,6 +15,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/test_simple_task_runner.h"
+#include "chrome/browser/chromeos/login/users/scoped_user_manager_enabler.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_token_forwarder.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/prefs/browser_prefs.h"
@@ -36,6 +37,7 @@
 #include "components/policy/core/common/schema_registry.h"
 #include "components/signin/core/browser/profile_oauth2_token_service.h"
 #include "components/signin/core/browser/signin_manager.h"
+#include "components/user_manager/fake_user_manager.h"
 #include "content/public/test/test_browser_thread_bundle.h"
 #include "google_apis/gaia/gaia_auth_consumer.h"
 #include "google_apis/gaia/gaia_constants.h"
@@ -80,7 +82,9 @@ class UserCloudPolicyManagerChromeOSTest : public testing::Test {
         external_data_manager_(NULL),
         task_runner_(new base::TestSimpleTaskRunner()),
         profile_(NULL),
-        signin_profile_(NULL) {}
+        signin_profile_(NULL),
+        user_manager_(new user_manager::FakeUserManager()),
+        user_manager_enabler_(user_manager_) {}
 
   void SetUp() override {
     // The initialization path that blocks on the initial policy fetch requires
@@ -342,6 +346,9 @@ class UserCloudPolicyManagerChromeOSTest : public testing::Test {
   TestingProfile* profile_;
   TestingProfile* signin_profile_;
 
+  user_manager::FakeUserManager* user_manager_;
+  chromeos::ScopedUserManagerEnabler user_manager_enabler_;
+
  private:
   DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyManagerChromeOSTest);
 };

chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc

@@ -15,7 +15,6 @@
 #include "base/threading/sequenced_worker_pool.h"
 #include "base/time/time.h"
 #include "chrome/browser/browser_process.h"
-#include "chrome/browser/chromeos/login/session/user_session_manager.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/user_cloud_external_data_manager.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
@@ -149,10 +148,8 @@ scoped_ptr<UserCloudPolicyManagerChromeOS>
   const bool is_affiliated_user = affiliation == USER_AFFILIATION_MANAGED;
   const bool is_browser_restart =
       command_line->HasSwitch(chromeos::switches::kLoginUser);
-  // TODO(xiyuan): Update the code below after http://crbug.com/462036.
   const bool wait_for_initial_policy =
       !is_browser_restart &&
-      chromeos::UserSessionManager::GetInstance()->has_auth_cookies() &&
       (user_manager::UserManager::Get()->IsCurrentUserNew() ||
        is_affiliated_user);
 
@@ -204,14 +201,11 @@ scoped_ptr<UserCloudPolicyManagerChromeOS>
           content::BrowserThread::FILE);
 
   scoped_ptr<UserCloudPolicyManagerChromeOS> manager(
-      new UserCloudPolicyManagerChromeOS(store.Pass(),
-                                         external_data_manager.Pass(),
-                                         component_policy_cache_dir,
-                                         wait_for_initial_policy,
-                                         initial_policy_fetch_timeout,
-                                         base::MessageLoopProxy::current(),
-                                         file_task_runner,
-                                         io_task_runner));
+      new UserCloudPolicyManagerChromeOS(
+          store.Pass(), external_data_manager.Pass(),
+          component_policy_cache_dir, wait_for_initial_policy,
+          initial_policy_fetch_timeout, base::MessageLoopProxy::current(),
+          file_task_runner, io_task_runner));
 
   bool wildcard_match = false;
   if (connector->IsEnterpriseManaged() &&

chrome/browser/chromeos/policy/wildcard_login_checker.cc

@@ -51,6 +51,22 @@ void WildcardLoginChecker::Start(
   token_fetcher_->Start();
 }
 
+void WildcardLoginChecker::StartWithRefreshToken(
+    const std::string& refresh_token,
+    const StatusCallback& callback) {
+  CHECK(!token_fetcher_);
+  CHECK(!user_info_fetcher_);
+
+  start_timestamp_ = base::Time::Now();
+
+  callback_ = callback;
+  token_fetcher_.reset(new PolicyOAuth2TokenFetcher(
+      std::string(), g_browser_process->system_request_context(),
+      base::Bind(&WildcardLoginChecker::OnPolicyTokenFetched,
+                 base::Unretained(this))));
+  token_fetcher_->StartWithRefreshToken(refresh_token);
+}
+
 void WildcardLoginChecker::StartWithAccessToken(
     const std::string& access_token,
     const StatusCallback& callback) {

chrome/browser/chromeos/policy/wildcard_login_checker.h

@@ -41,6 +41,10 @@ class WildcardLoginChecker : public UserInfoFetcher::Delegate {
   void Start(scoped_refptr<net::URLRequestContextGetter> signin_context,
              const StatusCallback& callback);
 
+  // Starts checking with a provided refresh token.
+  void StartWithRefreshToken(const std::string& refresh_token,
+                             const StatusCallback& callback);
+
   // Starts checking with a provided access token.
   void StartWithAccessToken(const std::string& access_token,
                             const StatusCallback& callback);

chromeos/login/auth/login_performer.cc

@@ -157,8 +157,7 @@ void LoginPerformer::DoPerformLogin(const UserContext& user_context,
   switch (auth_mode_) {
     case AUTH_MODE_EXTENSION: {
       RunOnlineWhitelistCheck(
-          email,
-          wildcard_match,
+          email, wildcard_match, user_context.GetRefreshToken(),
           base::Bind(&LoginPerformer::StartLoginCompletion,
                      weak_factory_.GetWeakPtr()),
           base::Bind(&LoginPerformer::NotifyWhitelistCheckFailure,

chromeos/login/auth/login_performer.h

@@ -140,6 +140,7 @@ class CHROMEOS_EXPORT LoginPerformer : public AuthStatusConsumer,
   virtual void RunOnlineWhitelistCheck(
       const std::string& user_id,
       bool wildcard_match,
+      const std::string& refresh_token,
       const base::Closure& success_callback,
       const base::Closure& failure_callback) = 0;