lacros: Add plumbing for device attributes crosapi.

Device attributes are used by the extension API
enterprise.deviceAttributes. This API is in the process of being
replaced by a new Web API. In both cases, we need to add a crosapi to
support this API in Lacros.

This CL adds plumbing for the five methods in
enterprise.deviceAttributes. From a security perspective, the Lacros
implementation checks that the profile is the "main profile" -- which is
to say it's affiliated with the log-in ash-chrome proifle. The ash
implementation of the crosapi then checks that the profile is a regular,
sign-in profile that is affiliated with the device. These security
checks mimic the security checks for the existing ash implementation of
enterprise.deviceAttributes.

Change-Id: Ic4bd2ce88041a3bc7b2af94fa52fef2f0722aac7
Bug: 1164523, 1165882
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2623722
Commit-Queue: Erik Chen <erikchen@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: James Cook <jamescook@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843127}

chrome/browser/chromeos/BUILD.gn

@@ -1061,6 +1061,8 @@ source_set("chromeos") {
     "crosapi/cert_database_ash.h",
     "crosapi/clipboard_ash.cc",
     "crosapi/clipboard_ash.h",
+    "crosapi/device_attributes_ash.cc",
+    "crosapi/device_attributes_ash.h",
     "crosapi/environment_provider.cc",
     "crosapi/environment_provider.h",
     "crosapi/fake_browser_manager.cc",

chrome/browser/chromeos/crosapi/ash_chrome_service_impl.cc

@@ -15,6 +15,7 @@
 #include "chrome/browser/chromeos/crosapi/browser_manager.h"
 #include "chrome/browser/chromeos/crosapi/cert_database_ash.h"
 #include "chrome/browser/chromeos/crosapi/clipboard_ash.h"
+#include "chrome/browser/chromeos/crosapi/device_attributes_ash.h"
 #include "chrome/browser/chromeos/crosapi/feedback_ash.h"
 #include "chrome/browser/chromeos/crosapi/file_manager_ash.h"
 #include "chrome/browser/chromeos/crosapi/keystore_service_ash.h"
@@ -44,6 +45,7 @@ namespace crosapi {
 AshChromeServiceImpl::AshChromeServiceImpl(
     mojo::PendingReceiver<mojom::AshChromeService> pending_receiver)
     : receiver_(this, std::move(pending_receiver)),
+      device_attributes_ash_(std::make_unique<DeviceAttributesAsh>()),
       metrics_reporting_ash_(std::make_unique<MetricsReportingAsh>(
           g_browser_process->local_state())),
       prefs_ash_(std::make_unique<PrefsAsh>(
@@ -182,6 +184,11 @@ void AshChromeServiceImpl::BindClipboard(
   clipboard_ash_->BindReceiver(std::move(receiver));
 }
 
+void AshChromeServiceImpl::BindDeviceAttributes(
+    mojo::PendingReceiver<mojom::DeviceAttributes> receiver) {
+  device_attributes_ash_->BindReceiver(std::move(receiver));
+}
+
 void AshChromeServiceImpl::BindPrefs(
     mojo::PendingReceiver<mojom::Prefs> receiver) {
   prefs_ash_->BindReceiver(std::move(receiver));

chrome/browser/chromeos/crosapi/ash_chrome_service_impl.h

@@ -16,6 +16,7 @@ namespace crosapi {
 class AccountManagerAsh;
 class CertDatabaseAsh;
 class ClipboardAsh;
+class DeviceAttributesAsh;
 class FeedbackAsh;
 class FileManagerAsh;
 class KeystoreServiceAsh;
@@ -40,6 +41,8 @@ class AshChromeServiceImpl : public mojom::AshChromeService {
   void BindCertDatabase(
       mojo::PendingReceiver<mojom::CertDatabase> receiver) override;
   void BindClipboard(mojo::PendingReceiver<mojom::Clipboard> receiver) override;
+  void BindDeviceAttributes(
+      mojo::PendingReceiver<mojom::DeviceAttributes> receiver) override;
   void BindFileManager(
       mojo::PendingReceiver<mojom::FileManager> receiver) override;
   void BindKeystoreService(
@@ -73,6 +76,7 @@ class AshChromeServiceImpl : public mojom::AshChromeService {
   mojo::Receiver<mojom::AshChromeService> receiver_;
 
   std::unique_ptr<AccountManagerAsh> account_manager_ash_;
+  std::unique_ptr<DeviceAttributesAsh> device_attributes_ash_;
   std::unique_ptr<FileManagerAsh> file_manager_ash_;
   std::unique_ptr<KeystoreServiceAsh> keystore_service_ash_;
   std::unique_ptr<MessageCenterAsh> message_center_ash_;

chrome/browser/chromeos/crosapi/browser_util.cc

@@ -216,13 +216,14 @@ bool IsLacrosWindow(const aura::Window* window) {
 
 base::flat_map<base::Token, uint32_t> GetInterfaceVersions() {
   static_assert(
-      crosapi::mojom::AshChromeService::Version_ == 11,
+      crosapi::mojom::AshChromeService::Version_ == 12,
       "if you add a new crosapi, please add it to the version map here");
   InterfaceVersions versions;
   AddVersion<crosapi::mojom::AccountManager>(&versions);
   AddVersion<crosapi::mojom::AshChromeService>(&versions);
   AddVersion<crosapi::mojom::CertDatabase>(&versions);
   AddVersion<crosapi::mojom::Clipboard>(&versions);
+  AddVersion<crosapi::mojom::DeviceAttributes>(&versions);
   AddVersion<crosapi::mojom::Feedback>(&versions);
   AddVersion<crosapi::mojom::FileManager>(&versions);
   AddVersion<crosapi::mojom::KeystoreService>(&versions);

chrome/browser/chromeos/crosapi/device_attributes_ash.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/crosapi/device_attributes_ash.h"
+
+#include <utility>
+
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/hostname_handler.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/profiles/profile_manager.h"
+#include "chromeos/crosapi/mojom/device_attributes.mojom.h"
+#include "chromeos/system/statistics_provider.h"
+#include "components/user_manager/user.h"
+
+namespace crosapi {
+
+namespace {
+
+const char kAccessDenied[] = "Access denied.";
+
+// Whether device attributes can be accessed for the current profile.
+bool CanGetDeviceAttributes() {
+  const Profile* profile =
+      g_browser_process->profile_manager()->GetPrimaryUserProfile();
+  if (chromeos::ProfileHelper::IsSigninProfile(profile))
+    return true;
+
+  if (!profile->IsRegularProfile())
+    return false;
+
+  const user_manager::User* user =
+      chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
+  return user->IsAffiliated();
+}
+
+}  // namespace
+
+DeviceAttributesAsh::DeviceAttributesAsh() = default;
+DeviceAttributesAsh::~DeviceAttributesAsh() = default;
+
+void DeviceAttributesAsh::BindReceiver(
+    mojo::PendingReceiver<mojom::DeviceAttributes> receiver) {
+  receivers_.Add(this, std::move(receiver));
+}
+
+void DeviceAttributesAsh::GetDirectoryDeviceId(
+    GetDirectoryDeviceIdCallback callback) {
+  if (!CanGetDeviceAttributes()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+    return;
+  }
+  std::string result = g_browser_process->platform_part()
+                           ->browser_policy_connector_chromeos()
+                           ->GetDirectoryApiID();
+  if (result.empty()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+  } else {
+    std::move(callback).Run(StringResult::NewContents(result));
+  }
+}
+
+void DeviceAttributesAsh::GetDeviceSerialNumber(
+    GetDeviceSerialNumberCallback callback) {
+  if (!CanGetDeviceAttributes()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+    return;
+  }
+  std::string result = chromeos::system::StatisticsProvider::GetInstance()
+                           ->GetEnterpriseMachineID();
+  if (result.empty()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+  } else {
+    std::move(callback).Run(StringResult::NewContents(result));
+  }
+}
+
+void DeviceAttributesAsh::GetDeviceAssetId(GetDeviceAssetIdCallback callback) {
+  if (!CanGetDeviceAttributes()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+    return;
+  }
+  std::string result = g_browser_process->platform_part()
+                           ->browser_policy_connector_chromeos()
+                           ->GetDeviceAssetID();
+  if (result.empty()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+  } else {
+    std::move(callback).Run(StringResult::NewContents(result));
+  }
+}
+
+void DeviceAttributesAsh::GetDeviceAnnotatedLocation(
+    GetDeviceAnnotatedLocationCallback callback) {
+  if (!CanGetDeviceAttributes()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+    return;
+  }
+  std::string result = g_browser_process->platform_part()
+                           ->browser_policy_connector_chromeos()
+                           ->GetDeviceAnnotatedLocation();
+  if (result.empty()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+  } else {
+    std::move(callback).Run(StringResult::NewContents(result));
+  }
+}
+
+void DeviceAttributesAsh::GetDeviceHostname(
+    GetDeviceHostnameCallback callback) {
+  if (!CanGetDeviceAttributes()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+    return;
+  }
+  std::string result = g_browser_process->platform_part()
+                           ->browser_policy_connector_chromeos()
+                           ->GetHostnameHandler()
+                           ->GetDeviceHostname();
+  if (result.empty()) {
+    std::move(callback).Run(StringResult::NewErrorMessage(kAccessDenied));
+  } else {
+    std::move(callback).Run(StringResult::NewContents(result));
+  }
+}
+
+}  // namespace crosapi

chrome/browser/chromeos/crosapi/device_attributes_ash.h

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_CROSAPI_DEVICE_ATTRIBUTES_ASH_H_
+#define CHROME_BROWSER_CHROMEOS_CROSAPI_DEVICE_ATTRIBUTES_ASH_H_
+
+#include "chromeos/crosapi/mojom/device_attributes.mojom.h"
+#include "mojo/public/cpp/bindings/pending_receiver.h"
+#include "mojo/public/cpp/bindings/receiver_set.h"
+
+namespace crosapi {
+
+// The ash-chrome implementation of the DeviceAttributes crosapi interface.
+// This class must only be used from the main thread.
+class DeviceAttributesAsh : public mojom::DeviceAttributes {
+ public:
+  DeviceAttributesAsh();
+  DeviceAttributesAsh(const DeviceAttributesAsh&) = delete;
+  DeviceAttributesAsh& operator=(const DeviceAttributesAsh&) = delete;
+  ~DeviceAttributesAsh() override;
+
+  void BindReceiver(mojo::PendingReceiver<mojom::DeviceAttributes> receiver);
+
+  // crosapi::mojom::DeviceAttributes:
+  void GetDirectoryDeviceId(GetDirectoryDeviceIdCallback callback) override;
+  void GetDeviceSerialNumber(GetDeviceSerialNumberCallback callback) override;
+  void GetDeviceAssetId(GetDeviceAssetIdCallback callback) override;
+  void GetDeviceAnnotatedLocation(
+      GetDeviceAnnotatedLocationCallback callback) override;
+  void GetDeviceHostname(GetDeviceHostnameCallback callback) override;
+
+ private:
+  using StringResult = mojom::DeviceAttributesStringResult;
+
+  // This class supports any number of connections.
+  mojo::ReceiverSet<mojom::DeviceAttributes> receivers_;
+};
+
+}  // namespace crosapi
+
+#endif  // CHROME_BROWSER_CHROMEOS_CROSAPI_DEVICE_ATTRIBUTES_ASH_H_

chrome/browser/extensions/BUILD.gn

@@ -939,10 +939,15 @@ static_library("extensions") {
   }
 
   if (is_chromeos_lacros || is_chromeos_ash) {
-    sources += [ "api/enterprise_platform_keys/enterprise_platform_keys_api.h" ]
+    sources += [
+      "api/enterprise_device_attributes/enterprise_device_attributes_api.h",
+      "api/enterprise_platform_keys/enterprise_platform_keys_api.h",
+    ]
     deps += [ "//chromeos/crosapi/mojom" ]
     if (is_chromeos_lacros) {
       sources += [
+        "api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.cc",
+        "api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.h",
         "api/enterprise_platform_keys/enterprise_platform_keys_api_lacros.cc",
         "api/enterprise_platform_keys/enterprise_platform_keys_api_lacros.h",
       ]
@@ -956,8 +961,8 @@ static_library("extensions") {
       "api/certificate_provider/certificate_provider_api.h",
       "api/crash_report_private/crash_report_private_api.cc",
       "api/crash_report_private/crash_report_private_api.h",
-      "api/enterprise_device_attributes/enterprise_device_attributes_api.cc",
-      "api/enterprise_device_attributes/enterprise_device_attributes_api.h",
+      "api/enterprise_device_attributes/enterprise_device_attributes_api_ash.cc",
+      "api/enterprise_device_attributes/enterprise_device_attributes_api_ash.h",
       "api/enterprise_networking_attributes/enterprise_networking_attributes_api.cc",
       "api/enterprise_networking_attributes/enterprise_networking_attributes_api.h",
       "api/enterprise_platform_keys/enterprise_platform_keys_api_ash.cc",

chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api.h

-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+// This file is included from autogenerated files based on
+// chrome/common/extensions/api/enterprise_device_attributes.idl.
+
 #ifndef CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_H_
 #define CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_H_
 
-#include "extensions/browser/extension_function.h"
-#include "extensions/browser/extension_function_histogram_value.h"
-
-namespace extensions {
-
-// Note: When updating this function, consider changing the way errors are
-// returned.
-// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
-// in enterprise.deviceAttributes API
-class EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction
-    : public ExtensionFunction {
- public:
-  EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction();
-
- protected:
-  ~EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction() override;
-
-  ResponseAction Run() override;
-
- private:
-  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDirectoryDeviceId",
-                             ENTERPRISE_DEVICEATTRIBUTES_GETDIRECTORYDEVICEID)
-};
-
-// Note: When updating this function, consider changing the way errors are
-// returned.
-// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
-// in enterprise.deviceAttributes API
-class EnterpriseDeviceAttributesGetDeviceSerialNumberFunction
-    : public ExtensionFunction {
- public:
-  EnterpriseDeviceAttributesGetDeviceSerialNumberFunction();
-
- protected:
-  ~EnterpriseDeviceAttributesGetDeviceSerialNumberFunction() override;
-
-  ResponseAction Run() override;
-
- private:
-  DECLARE_EXTENSION_FUNCTION(
-      "enterprise.deviceAttributes.getDeviceSerialNumber",
-      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICESERIALNUMBER)
-};
-
-// Note: When updating this function, consider changing the way errors are
-// returned.
-// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
-// in enterprise.deviceAttributes API
-class EnterpriseDeviceAttributesGetDeviceAssetIdFunction
-    : public ExtensionFunction {
- public:
-  EnterpriseDeviceAttributesGetDeviceAssetIdFunction();
-
- protected:
-  ~EnterpriseDeviceAttributesGetDeviceAssetIdFunction() override;
-
-  ResponseAction Run() override;
-
- private:
-  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceAssetId",
-                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEASSETID)
-};
-
-// Note: When updating this function, consider changing the way errors are
-// returned.
-// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
-// in enterprise.deviceAttributes API
-class EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction
-    : public ExtensionFunction {
- public:
-  EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction();
-
- protected:
-  ~EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction() override;
-
-  ResponseAction Run() override;
-
- private:
-  DECLARE_EXTENSION_FUNCTION(
-      "enterprise.deviceAttributes.getDeviceAnnotatedLocation",
-      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEANNOTATEDLOCATION)
-};
-
-// Note: When updating this function, consider changing the way errors are
-// returned.
-// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
-// in enterprise.deviceAttributes API
-class EnterpriseDeviceAttributesGetDeviceHostnameFunction
-    : public ExtensionFunction {
- public:
-  EnterpriseDeviceAttributesGetDeviceHostnameFunction();
-
- protected:
-  ~EnterpriseDeviceAttributesGetDeviceHostnameFunction() override;
-
-  ResponseAction Run() override;
+#include "build/chromeos_buildflags.h"
 
- private:
-  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceHostname",
-                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEHOSTNAME)
-};
+#if BUILDFLAG(IS_CHROMEOS_LACROS)
+#include "chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.h"
+#else
+#include "chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_ash.h"
+#endif
 
-}  //  namespace extensions
 #endif  // CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_H_

chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api.cc → chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_ash.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api.h"
+#include "chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_ash.h"
 
 #include "base/values.h"
 #include "chrome/browser/app_mode/app_mode_utils.h"

chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_ash.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_ASH_H_
+#define CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_ASH_H_
+
+#include "extensions/browser/extension_function.h"
+#include "extensions/browser/extension_function_histogram_value.h"
+
+namespace extensions {
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction
+    : public ExtensionFunction {
+ public:
+  EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDirectoryDeviceId",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDIRECTORYDEVICEID)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceSerialNumberFunction
+    : public ExtensionFunction {
+ public:
+  EnterpriseDeviceAttributesGetDeviceSerialNumberFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceSerialNumberFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION(
+      "enterprise.deviceAttributes.getDeviceSerialNumber",
+      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICESERIALNUMBER)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceAssetIdFunction
+    : public ExtensionFunction {
+ public:
+  EnterpriseDeviceAttributesGetDeviceAssetIdFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceAssetIdFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceAssetId",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEASSETID)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction
+    : public ExtensionFunction {
+ public:
+  EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION(
+      "enterprise.deviceAttributes.getDeviceAnnotatedLocation",
+      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEANNOTATEDLOCATION)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceHostnameFunction
+    : public ExtensionFunction {
+ public:
+  EnterpriseDeviceAttributesGetDeviceHostnameFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceHostnameFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceHostname",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEHOSTNAME)
+};
+
+}  //  namespace extensions
+#endif  // CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_ASH_H_

chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.h"
+
+#include <utility>
+
+#include "base/bind.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/common/extensions/api/enterprise_device_attributes.h"
+#include "chromeos/lacros/lacros_chrome_service_impl.h"
+
+namespace {
+
+const char kUnsupportedByAsh[] = "Not implemented.";
+const char kUnsupportedProfile[] = "Not available.";
+
+// Performs common crosapi validation. These errors are not caused by the
+// extension so they are considered recoverable. Returns an error message on
+// error, or empty string on success. |context| is the browser context in which
+// the extension is hosted.
+std::string ValidateCrosapi(content::BrowserContext* context) {
+  if (!chromeos::LacrosChromeServiceImpl::Get()->IsDeviceAttributesAvailable())
+    return kUnsupportedByAsh;
+
+  // These APIs are used in security-sensitive contexts. We need to ensure that
+  // the user for ash is the same as the user for lacros. We do this by
+  // restricting the API to the default profile, which is guaranteed to be the
+  // same user.
+  if (!Profile::FromBrowserContext(context)->IsMainProfile())
+    return kUnsupportedProfile;
+
+  return "";
+}
+
+}  // namespace
+
+namespace extensions {
+
+EnterpriseDeviceAttributesBase::~EnterpriseDeviceAttributesBase() = default;
+
+void EnterpriseDeviceAttributesBase::OnCrosapiResult(
+    crosapi::mojom::DeviceAttributesStringResultPtr result) {
+  using Result = crosapi::mojom::DeviceAttributesStringResult;
+  switch (result->which()) {
+    case Result::Tag::ERROR_MESSAGE:
+      // We intentionally drop the error message here because the extension API
+      // is expected to return "" on validation error.
+      OnResult("");
+      return;
+    case Result::Tag::CONTENTS:
+      OnResult(result->get_contents());
+      return;
+  }
+}
+
+EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction::
+    EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction() = default;
+
+EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction::
+    ~EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction() = default;
+
+ExtensionFunction::ResponseAction
+EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction::Run() {
+  std::string error = ValidateCrosapi(browser_context());
+  if (!error.empty()) {
+    return RespondNow(Error(error));
+  }
+
+  // We don't need Unretained() or WeakPtr because ExtensionFunction is
+  // ref-counted.
+  auto cb = base::BindOnce(
+      &EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction::OnCrosapiResult,
+      this);
+
+  chromeos::LacrosChromeServiceImpl::Get()
+      ->device_attributes_remote()
+      ->GetDirectoryDeviceId(std::move(cb));
+  return RespondLater();
+}
+
+void EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction::OnResult(
+    const std::string& result) {
+  Respond(ArgumentList(
+      api::enterprise_device_attributes::GetDirectoryDeviceId::Results::Create(
+          result)));
+}
+
+EnterpriseDeviceAttributesGetDeviceSerialNumberFunction::
+    EnterpriseDeviceAttributesGetDeviceSerialNumberFunction() = default;
+
+EnterpriseDeviceAttributesGetDeviceSerialNumberFunction::
+    ~EnterpriseDeviceAttributesGetDeviceSerialNumberFunction() = default;
+
+ExtensionFunction::ResponseAction
+EnterpriseDeviceAttributesGetDeviceSerialNumberFunction::Run() {
+  std::string error = ValidateCrosapi(browser_context());
+  if (!error.empty()) {
+    return RespondNow(Error(error));
+  }
+
+  // We don't need Unretained() or WeakPtr because ExtensionFunction is
+  // ref-counted.
+  auto cb = base::BindOnce(
+      &EnterpriseDeviceAttributesGetDeviceSerialNumberFunction::OnCrosapiResult,
+      this);
+
+  chromeos::LacrosChromeServiceImpl::Get()
+      ->device_attributes_remote()
+      ->GetDeviceSerialNumber(std::move(cb));
+  return RespondLater();
+}
+
+void EnterpriseDeviceAttributesGetDeviceSerialNumberFunction::OnResult(
+    const std::string& result) {
+  Respond(ArgumentList(
+      api::enterprise_device_attributes::GetDeviceSerialNumber::Results::Create(
+          result)));
+}
+
+EnterpriseDeviceAttributesGetDeviceAssetIdFunction::
+    EnterpriseDeviceAttributesGetDeviceAssetIdFunction() = default;
+
+EnterpriseDeviceAttributesGetDeviceAssetIdFunction::
+    ~EnterpriseDeviceAttributesGetDeviceAssetIdFunction() = default;
+
+ExtensionFunction::ResponseAction
+EnterpriseDeviceAttributesGetDeviceAssetIdFunction::Run() {
+  std::string error = ValidateCrosapi(browser_context());
+  if (!error.empty()) {
+    return RespondNow(Error(error));
+  }
+
+  // We don't need Unretained() or WeakPtr because ExtensionFunction is
+  // ref-counted.
+  auto cb = base::BindOnce(
+      &EnterpriseDeviceAttributesGetDeviceAssetIdFunction::OnCrosapiResult,
+      this);
+
+  chromeos::LacrosChromeServiceImpl::Get()
+      ->device_attributes_remote()
+      ->GetDeviceAssetId(std::move(cb));
+  return RespondLater();
+}
+
+void EnterpriseDeviceAttributesGetDeviceAssetIdFunction::OnResult(
+    const std::string& result) {
+  Respond(ArgumentList(
+      api::enterprise_device_attributes::GetDeviceAssetId::Results::Create(
+          result)));
+}
+
+EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction::
+    EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction() = default;
+
+EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction::
+    ~EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction() = default;
+
+ExtensionFunction::ResponseAction
+EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction::Run() {
+  std::string error = ValidateCrosapi(browser_context());
+  if (!error.empty()) {
+    return RespondNow(Error(error));
+  }
+
+  // We don't need Unretained() or WeakPtr because ExtensionFunction is
+  // ref-counted.
+  auto cb = base::BindOnce(
+      &EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction::
+          OnCrosapiResult,
+      this);
+
+  chromeos::LacrosChromeServiceImpl::Get()
+      ->device_attributes_remote()
+      ->GetDeviceAnnotatedLocation(std::move(cb));
+  return RespondLater();
+}
+
+void EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction::OnResult(
+    const std::string& result) {
+  Respond(
+      ArgumentList(api::enterprise_device_attributes::
+                       GetDeviceAnnotatedLocation::Results::Create(result)));
+}
+
+EnterpriseDeviceAttributesGetDeviceHostnameFunction::
+    EnterpriseDeviceAttributesGetDeviceHostnameFunction() = default;
+
+EnterpriseDeviceAttributesGetDeviceHostnameFunction::
+    ~EnterpriseDeviceAttributesGetDeviceHostnameFunction() = default;
+
+ExtensionFunction::ResponseAction
+EnterpriseDeviceAttributesGetDeviceHostnameFunction::Run() {
+  std::string error = ValidateCrosapi(browser_context());
+  if (!error.empty()) {
+    return RespondNow(Error(error));
+  }
+
+  // We don't need Unretained() or WeakPtr because ExtensionFunction is
+  // ref-counted.
+  auto cb = base::BindOnce(
+      &EnterpriseDeviceAttributesGetDeviceHostnameFunction::OnCrosapiResult,
+      this);
+
+  chromeos::LacrosChromeServiceImpl::Get()
+      ->device_attributes_remote()
+      ->GetDeviceHostname(std::move(cb));
+  return RespondLater();
+}
+
+void EnterpriseDeviceAttributesGetDeviceHostnameFunction::OnResult(
+    const std::string& result) {
+  Respond(ArgumentList(
+      api::enterprise_device_attributes::GetDeviceHostname::Results::Create(
+          result)));
+}
+
+}  // namespace extensions

chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_api_lacros.h

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_LACROS_H_
+#define CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_LACROS_H_
+
+#include <string>
+
+#include "chromeos/crosapi/mojom/device_attributes.mojom.h"
+#include "extensions/browser/extension_function.h"
+#include "extensions/browser/extension_function_histogram_value.h"
+
+namespace extensions {
+
+// The Lacros implementation requires forwarding to ash via croapi. This
+// subclass is used to reduce redundant code.
+class EnterpriseDeviceAttributesBase : public ExtensionFunction {
+ protected:
+  ~EnterpriseDeviceAttributesBase() override;
+
+  // Called asynchronously when crosapi returns the result.
+  void OnCrosapiResult(crosapi::mojom::DeviceAttributesStringResultPtr result);
+
+  // Overridden by subclasses to handle a result from crosapi.
+  virtual void OnResult(const std::string& result) = 0;
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction
+    : public EnterpriseDeviceAttributesBase {
+ public:
+  EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDirectoryDeviceIdFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  void OnResult(const std::string& result) override;
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDirectoryDeviceId",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDIRECTORYDEVICEID)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceSerialNumberFunction
+    : public EnterpriseDeviceAttributesBase {
+ public:
+  EnterpriseDeviceAttributesGetDeviceSerialNumberFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceSerialNumberFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  void OnResult(const std::string& result) override;
+  DECLARE_EXTENSION_FUNCTION(
+      "enterprise.deviceAttributes.getDeviceSerialNumber",
+      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICESERIALNUMBER)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceAssetIdFunction
+    : public EnterpriseDeviceAttributesBase {
+ public:
+  EnterpriseDeviceAttributesGetDeviceAssetIdFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceAssetIdFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  void OnResult(const std::string& result) override;
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceAssetId",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEASSETID)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction
+    : public EnterpriseDeviceAttributesBase {
+ public:
+  EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceAnnotatedLocationFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  void OnResult(const std::string& result) override;
+  DECLARE_EXTENSION_FUNCTION(
+      "enterprise.deviceAttributes.getDeviceAnnotatedLocation",
+      ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEANNOTATEDLOCATION)
+};
+
+// Note: When updating this function, consider changing the way errors are
+// returned.
+// TODO(https://crbug.com/1056550): Return an error in case of unaffiliated user
+// in enterprise.deviceAttributes API
+class EnterpriseDeviceAttributesGetDeviceHostnameFunction
+    : public EnterpriseDeviceAttributesBase {
+ public:
+  EnterpriseDeviceAttributesGetDeviceHostnameFunction();
+
+ protected:
+  ~EnterpriseDeviceAttributesGetDeviceHostnameFunction() override;
+
+  ResponseAction Run() override;
+
+ private:
+  void OnResult(const std::string& result) override;
+  DECLARE_EXTENSION_FUNCTION("enterprise.deviceAttributes.getDeviceHostname",
+                             ENTERPRISE_DEVICEATTRIBUTES_GETDEVICEHOSTNAME)
+};
+
+}  //  namespace extensions
+
+#endif  // CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_DEVICE_ATTRIBUTES_ENTERPRISE_DEVICE_ATTRIBUTES_API_LACROS_H_

chrome/browser/lacros/device_attributes_lacros_browsertest.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "chrome/test/base/in_process_browser_test.h"
+#include "chromeos/crosapi/mojom/device_attributes.mojom-test-utils.h"
+#include "chromeos/crosapi/mojom/device_attributes.mojom.h"
+#include "chromeos/lacros/lacros_chrome_service_impl.h"
+#include "content/public/test/browser_test.h"
+
+// This class provides integration testing for the device attributes crosapi.
+// TODO(https://crbug.com/1134340): The logic being tested does not rely on
+// //chrome or //content so it would be helpful if this lived in a lower-level
+// test suite.
+using DeviceAttributesLacrosBrowserTest = InProcessBrowserTest;
+
+IN_PROC_BROWSER_TEST_F(DeviceAttributesLacrosBrowserTest,
+                       GetDirectoryDeviceId) {
+  crosapi::mojom::DeviceAttributesStringResultPtr result;
+  crosapi::mojom::DeviceAttributesAsyncWaiter async_waiter(
+      chromeos::LacrosChromeServiceImpl::Get()
+          ->device_attributes_remote()
+          .get());
+  async_waiter.GetDirectoryDeviceId(&result);
+
+  // TODO(https://crbug.com/1165882): Write more robust tests. These APIs all
+  // fail because the ash user is not affiliated with the device.
+  ASSERT_TRUE(result->is_error_message());
+}
+
+IN_PROC_BROWSER_TEST_F(DeviceAttributesLacrosBrowserTest,
+                       GetDeviceSerialNumber) {
+  crosapi::mojom::DeviceAttributesStringResultPtr result;
+  crosapi::mojom::DeviceAttributesAsyncWaiter async_waiter(
+      chromeos::LacrosChromeServiceImpl::Get()
+          ->device_attributes_remote()
+          .get());
+  async_waiter.GetDeviceSerialNumber(&result);
+
+  // TODO(https://crbug.com/1165882): Write more robust tests. These APIs all
+  // fail because the ash user is not affiliated with the device.
+  ASSERT_TRUE(result->is_error_message());
+}
+
+IN_PROC_BROWSER_TEST_F(DeviceAttributesLacrosBrowserTest, GetDeviceAssetId) {
+  crosapi::mojom::DeviceAttributesStringResultPtr result;
+  crosapi::mojom::DeviceAttributesAsyncWaiter async_waiter(
+      chromeos::LacrosChromeServiceImpl::Get()
+          ->device_attributes_remote()
+          .get());
+  async_waiter.GetDeviceAssetId(&result);
+
+  // TODO(https://crbug.com/1165882): Write more robust tests. These APIs all
+  // fail because the ash user is not affiliated with the device.
+  ASSERT_TRUE(result->is_error_message());
+}
+
+IN_PROC_BROWSER_TEST_F(DeviceAttributesLacrosBrowserTest,
+                       GetDeviceAnnotatedLocation) {
+  crosapi::mojom::DeviceAttributesStringResultPtr result;
+  crosapi::mojom::DeviceAttributesAsyncWaiter async_waiter(
+      chromeos::LacrosChromeServiceImpl::Get()
+          ->device_attributes_remote()
+          .get());
+  async_waiter.GetDeviceAnnotatedLocation(&result);
+
+  // TODO(https://crbug.com/1165882): Write more robust tests. These APIs all
+  // fail because the ash user is not affiliated with the device.
+  ASSERT_TRUE(result->is_error_message());
+}
+
+IN_PROC_BROWSER_TEST_F(DeviceAttributesLacrosBrowserTest, GetDeviceHostname) {
+  crosapi::mojom::DeviceAttributesStringResultPtr result;
+  crosapi::mojom::DeviceAttributesAsyncWaiter async_waiter(
+      chromeos::LacrosChromeServiceImpl::Get()
+          ->device_attributes_remote()
+          .get());
+  async_waiter.GetDeviceHostname(&result);
+
+  // TODO(https://crbug.com/1165882): Write more robust tests. These APIs all
+  // fail because the ash user is not affiliated with the device.
+  ASSERT_TRUE(result->is_error_message());
+}

chrome/common/extensions/api/_permission_features.json

@@ -256,7 +256,7 @@
     "channel": "stable",
     "extension_types": ["extension", "platform_app"],
     "location": "policy",
-    "platforms": ["chromeos"]
+    "platforms": ["chromeos", "lacros"]
   }, {
     "channel": "stable",
     "dependencies": ["behavior:imprivata_login_screen_extension"],

chrome/common/extensions/api/api_sources.gni

@@ -81,6 +81,7 @@ if (is_chromeos_ash || is_mac || is_win) {
 
 if (is_chromeos_ash || is_chromeos_lacros) {
   schema_sources_ += [
+    "enterprise_device_attributes.idl",
     "enterprise_platform_keys.idl",
     "enterprise_platform_keys_internal.idl",
   ]
@@ -92,7 +93,6 @@ if (is_chromeos_ash) {
     "certificate_provider_internal.idl",
     "document_scan.idl",
     "echo_private.json",
-    "enterprise_device_attributes.idl",
     "enterprise_networking_attributes.idl",
     "enterprise_platform_keys_private.json",
     "file_browser_handler_internal.json",

chrome/test/BUILD.gn

@@ -3241,6 +3241,7 @@ if (is_chromeos_lacros) {
       "../browser/lacros/browser_test_util.h",
       "../browser/lacros/clipboard_lacros_browsertest.cc",
       "../browser/lacros/crosapi_pref_observer_lacros_browsertest.cc",
+      "../browser/lacros/device_attributes_lacros_browsertest.cc",
       "../browser/lacros/file_manager_lacros_browsertest.cc",
       "../browser/lacros/keystore_service_lacros_browsertest.cc",
       "../browser/lacros/media_session_lacros_browsertest.cc",

chromeos/crosapi/mojom/BUILD.gn

@@ -11,6 +11,7 @@ mojom("mojom") {
     "cert_database.mojom",
     "clipboard.mojom",
     "crosapi.mojom",
+    "device_attributes.mojom",
     "feedback.mojom",
     "file_manager.mojom",
     "keystore_service.mojom",

chromeos/crosapi/mojom/crosapi.mojom

@@ -7,6 +7,7 @@ module crosapi.mojom;
 import "chromeos/crosapi/mojom/account_manager.mojom";
 import "chromeos/crosapi/mojom/cert_database.mojom";
 import "chromeos/crosapi/mojom/clipboard.mojom";
+import "chromeos/crosapi/mojom/device_attributes.mojom";
 import "chromeos/crosapi/mojom/feedback.mojom";
 import "chromeos/crosapi/mojom/file_manager.mojom";
 import "chromeos/crosapi/mojom/keystore_service.mojom";
@@ -44,8 +45,8 @@ struct LacrosInfo {
 // milestone when you added it, to help us reason about compatibility between
 // lacros-chrome and older ash-chrome binaries.
 //
-// Next version: 12
-// Next method id: 17
+// Next version: 13
+// Next method id: 18
 [Stable, Uuid="8b79c34f-2bf8-4499-979a-b17cac522c1e"]
 interface AshChromeService {
   // Binds Chrome OS Account Manager for Identity management.
@@ -62,6 +63,12 @@ interface AshChromeService {
   // system clipboard.
   [MinVersion=10] BindClipboard@15(pending_receiver<Clipboard> receiver);
 
+  // Binds the device attributes service which is used by enterprise extension
+  // APIs to query information about the device.
+  // Added in M89.
+  [MinVersion=12] BindDeviceAttributes@17(
+      pending_receiver<DeviceAttributes> receiver);
+
   // Binds the FileManager interface for showing files, folders, etc.
   // Added in M88.
   [MinVersion=5]

chromeos/crosapi/mojom/device_attributes.mojom

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module crosapi.mojom;
+
+// Returned by methods that either return a string or an error.
+[Stable]
+union DeviceAttributesStringResult {
+  // Implies failure.
+  string error_message;
+
+  // Implies success.
+  string contents;
+};
+
+// This API provides Lacros with access to device attributes. These methods will
+// all return an error if the user is not affiliated with the device, which is
+// an enterprise policy concept.
+[Stable, Uuid="117591ac-5d9e-481c-936f-842b64e790c0"]
+interface DeviceAttributes {
+  // Fetches the value of the device identifier of the directory API that is
+  // generated by the server and identifies the cloud record of the device for
+  // querying in the cloud directory API. See
+  // https://developers.google.com/admin-sdk/directory/v1/guides/manage-chrome-devices.
+  GetDirectoryDeviceId@0() => (DeviceAttributesStringResult result);
+
+  // Fetches the device's serial number.
+  GetDeviceSerialNumber@1() => (DeviceAttributesStringResult result);
+
+  // Fetches the administrator-annotated Asset Id.
+  GetDeviceAssetId@2() => (DeviceAttributesStringResult result);
+
+  // Fetches the administrator-annotated Location.
+  GetDeviceAnnotatedLocation@3() => (DeviceAttributesStringResult result);
+
+  // Fetches the device's hostname as set by DeviceHostnameTemplate policy.
+  GetDeviceHostname@4() => (DeviceAttributesStringResult result);
+};

chromeos/lacros/lacros_chrome_service_impl.cc

@@ -190,6 +190,13 @@ class LacrosChromeServiceNeverBlockingState
     ash_chrome_service_->BindCertDatabase(std::move(pending_receiver));
   }
 
+  void BindDeviceAttributesReceiver(
+      mojo::PendingReceiver<crosapi::mojom::DeviceAttributes>
+          pending_receiver) {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    ash_chrome_service_->BindDeviceAttributes(std::move(pending_receiver));
+  }
+
   void OnLacrosStartup(crosapi::mojom::LacrosInfoPtr lacros_info) {
     DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
     ash_chrome_service_->OnLacrosStartup(std::move(lacros_info));
@@ -423,6 +430,15 @@ void LacrosChromeServiceImpl::BindReceiver(
             cert_database_remote_.BindNewPipeAndPassReceiver()));
   }
 
+  if (IsDeviceAttributesAvailable()) {
+    never_blocking_sequence_->PostTask(
+        FROM_HERE,
+        base::BindOnce(&LacrosChromeServiceNeverBlockingState::
+                           BindDeviceAttributesReceiver,
+                       weak_sequenced_state_,
+                       device_attributes_remote_.BindNewPipeAndPassReceiver()));
+  }
+
   if (IsOnLacrosStartupAvailable()) {
     never_blocking_sequence_->PostTask(
         FROM_HERE,
@@ -641,6 +657,12 @@ bool LacrosChromeServiceImpl::IsCertDbAvailable() {
              AshChromeService::MethodMinVersions::kBindCertDatabaseMinVersion;
 }
 
+bool LacrosChromeServiceImpl::IsDeviceAttributesAvailable() {
+  base::Optional<uint32_t> version = AshChromeServiceVersion();
+  return version && version.value() >= AshChromeService::MethodMinVersions::
+                                           kBindDeviceAttributesMinVersion;
+}
+
 bool LacrosChromeServiceImpl::IsPrefsAvailable() {
   base::Optional<uint32_t> version = AshChromeServiceVersion();
   return version &&

chromeos/lacros/lacros_chrome_service_impl.h

@@ -16,6 +16,7 @@
 #include "chromeos/crosapi/mojom/account_manager.mojom.h"
 #include "chromeos/crosapi/mojom/cert_database.mojom.h"
 #include "chromeos/crosapi/mojom/crosapi.mojom.h"
+#include "chromeos/crosapi/mojom/device_attributes.mojom.h"
 #include "chromeos/crosapi/mojom/feedback.mojom.h"
 #include "chromeos/crosapi/mojom/keystore_service.mojom.h"
 #include "chromeos/crosapi/mojom/message_center.mojom.h"
@@ -183,6 +184,17 @@ class COMPONENT_EXPORT(CHROMEOS_LACROS) LacrosChromeServiceImpl {
     return cert_database_remote_;
   }
 
+  // Whether the DeviceAttributes API is available.
+  bool IsDeviceAttributesAvailable();
+
+  // This must be called on the affine sequence. It exposes a remote that can
+  // be used to interface with DeviceAttributes.
+  mojo::Remote<crosapi::mojom::DeviceAttributes>& device_attributes_remote() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(affine_sequence_checker_);
+    DCHECK(IsDeviceAttributesAvailable());
+    return device_attributes_remote_;
+  }
+
   // file_manager_remote() can only be used if this method returns true.
   bool IsFileManagerAvailable();
 
@@ -315,6 +327,7 @@ class COMPONENT_EXPORT(CHROMEOS_LACROS) LacrosChromeServiceImpl {
   mojo::Remote<device::mojom::HidManager> hid_manager_remote_;
   mojo::Remote<crosapi::mojom::Feedback> feedback_remote_;
   mojo::Remote<crosapi::mojom::CertDatabase> cert_database_remote_;
+  mojo::Remote<crosapi::mojom::DeviceAttributes> device_attributes_remote_;
   mojo::Remote<crosapi::mojom::KeystoreService> keystore_service_remote_;
   mojo::Remote<crosapi::mojom::FileManager> file_manager_remote_;
   mojo::Remote<crosapi::mojom::TestController> test_controller_remote_;