SetManagementSettings() is moved to OwnerSettingsServiceChromeOS.

Also, removed SignAndStore() functionality from DeviceSettingsService.

BUG=433840
TEST=unit_tests:DeviceSettingsService*

Review URL: https://codereview.chromium.org/769703003

Cr-Commit-Position: refs/heads/master@{#307017}

chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc

@@ -167,8 +167,7 @@ void EnterpriseEnrollmentHelperImpl::DoEnrollUsingToken(
   dcp_initializer->StartEnrollment(
       policy::MANAGEMENT_MODE_ENTERPRISE_MANAGED,
       connector->device_management_service(),
-      token,
-      device_modes,
+      nullptr /* owner_settings_service */, token, device_modes,
       base::Bind(&EnterpriseEnrollmentHelperImpl::OnEnrollmentFinished,
                  weak_ptr_factory_.GetWeakPtr()));
 }

chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc

@@ -22,7 +22,6 @@
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/tpm_token_loader.h"
 #include "components/ownership/owner_key_util.h"
-#include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/user_manager/user.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_details.h"
@@ -148,8 +147,40 @@ void DoesPrivateKeyExistAsync(
       callback);
 }
 
+// Returns true if it is okay to transfer from the current mode to the new
+// mode. This function should be called in SetManagementMode().
+bool CheckManagementModeTransition(policy::ManagementMode current_mode,
+                                   policy::ManagementMode new_mode) {
+  // Mode is not changed.
+  if (current_mode == new_mode)
+    return true;
+
+  switch (current_mode) {
+    case policy::MANAGEMENT_MODE_LOCAL_OWNER:
+      // For consumer management enrollment.
+      return new_mode == policy::MANAGEMENT_MODE_CONSUMER_MANAGED;
+
+    case policy::MANAGEMENT_MODE_ENTERPRISE_MANAGED:
+      // Management mode cannot be set when it is currently ENTERPRISE_MANAGED.
+      return false;
+
+    case policy::MANAGEMENT_MODE_CONSUMER_MANAGED:
+      // For consumer management unenrollment.
+      return new_mode == policy::MANAGEMENT_MODE_LOCAL_OWNER;
+  }
+
+  NOTREACHED();
+  return false;
+}
+
 }  // namespace
 
+OwnerSettingsServiceChromeOS::ManagementSettings::ManagementSettings() {
+}
+
+OwnerSettingsServiceChromeOS::ManagementSettings::~ManagementSettings() {
+}
+
 OwnerSettingsServiceChromeOS::OwnerSettingsServiceChromeOS(
     DeviceSettingsService* device_settings_service,
     Profile* profile,
@@ -159,6 +190,7 @@ OwnerSettingsServiceChromeOS::OwnerSettingsServiceChromeOS(
       profile_(profile),
       waiting_for_profile_creation_(true),
       waiting_for_tpm_token_(true),
+      has_pending_management_settings_(false),
       weak_factory_(this),
       store_settings_factory_(this) {
   if (TPMTokenLoader::IsInitialized()) {
@@ -289,6 +321,38 @@ void OwnerSettingsServiceChromeOS::OnDeviceSettingsServiceShutdown() {
   device_settings_service_ = nullptr;
 }
 
+void OwnerSettingsServiceChromeOS::SetManagementSettings(
+    const ManagementSettings& settings,
+    const OnManagementSettingsSetCallback& callback) {
+  if ((!IsOwner() && !IsOwnerInTests(user_id_))) {
+    if (!callback.is_null())
+      callback.Run(false /* success */);
+    return;
+  }
+
+  policy::ManagementMode current_mode = policy::MANAGEMENT_MODE_LOCAL_OWNER;
+  if (has_pending_management_settings_) {
+    current_mode = pending_management_settings_.management_mode;
+  } else if (device_settings_service_ &&
+             device_settings_service_->policy_data()) {
+    current_mode =
+        policy::GetManagementMode(*device_settings_service_->policy_data());
+  }
+
+  if (!CheckManagementModeTransition(current_mode, settings.management_mode)) {
+    LOG(ERROR) << "Invalid management mode transition: current mode = "
+               << current_mode << ", new mode = " << settings.management_mode;
+    if (!callback.is_null())
+      callback.Run(false /* success */);
+    return;
+  }
+
+  pending_management_settings_ = settings;
+  has_pending_management_settings_ = true;
+  pending_management_settings_callbacks_.push_back(callback);
+  StorePendingChanges();
+}
+
 // static
 void OwnerSettingsServiceChromeOS::IsOwnerForSafeModeAsync(
     const std::string& user_hash,
@@ -617,6 +681,15 @@ void OwnerSettingsServiceChromeOS::StorePendingChanges() {
 
   scoped_ptr<em::PolicyData> policy = AssemblePolicy(
       user_id_, device_settings_service_->policy_data(), &settings);
+
+  if (has_pending_management_settings_) {
+    policy::SetManagementMode(*policy,
+                              pending_management_settings_.management_mode);
+    policy->set_request_token(pending_management_settings_.request_token);
+    policy->set_device_id(pending_management_settings_.device_id);
+  }
+  has_pending_management_settings_ = false;
+
   bool rv = AssembleAndSignPolicyAsync(
       content::BrowserThread::GetBlockingPool(), policy.Pass(),
       base::Bind(&OwnerSettingsServiceChromeOS::OnPolicyAssembledAndSigned,
@@ -641,7 +714,7 @@ void OwnerSettingsServiceChromeOS::OnPolicyAssembledAndSigned(
 void OwnerSettingsServiceChromeOS::OnSignedPolicyStored(bool success) {
   CHECK(device_settings_service_);
   ReportStatusAndContinueStoring(success &&
-                                 device_settings_service_->status() !=
+                                 device_settings_service_->status() ==
                                      DeviceSettingsService::STORE_SUCCESS);
 }
 
@@ -650,6 +723,13 @@ void OwnerSettingsServiceChromeOS::ReportStatusAndContinueStoring(
   store_settings_factory_.InvalidateWeakPtrs();
   FOR_EACH_OBSERVER(OwnerSettingsService::Observer, observers_,
                     OnSignedPolicyStored(success));
+
+  std::vector<OnManagementSettingsSetCallback> callbacks;
+  pending_management_settings_callbacks_.swap(callbacks);
+  for (const auto& callback : callbacks) {
+    if (!callback.is_null())
+      callback.Run(success);
+  }
   StorePendingChanges();
 }
 

chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h

@@ -18,6 +18,7 @@
 #include "components/keyed_service/core/keyed_service.h"
 #include "components/ownership/owner_key_util.h"
 #include "components/ownership/owner_settings_service.h"
+#include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_registrar.h"
 
@@ -41,6 +42,17 @@ class OwnerSettingsServiceChromeOS : public ownership::OwnerSettingsService,
                                      public SessionManagerClient::Observer,
                                      public DeviceSettingsService::Observer {
  public:
+  typedef base::Callback<void(bool success)> OnManagementSettingsSetCallback;
+
+  struct ManagementSettings {
+    ManagementSettings();
+    ~ManagementSettings();
+
+    policy::ManagementMode management_mode;
+    std::string request_token;
+    std::string device_id;
+  };
+
   virtual ~OwnerSettingsServiceChromeOS();
 
   void OnTPMTokenReady(bool tpm_token_enabled);
@@ -65,6 +77,10 @@ class OwnerSettingsServiceChromeOS : public ownership::OwnerSettingsService,
   virtual void DeviceSettingsUpdated() override;
   virtual void OnDeviceSettingsServiceShutdown() override;
 
+  // Sets the management related settings.
+  void SetManagementSettings(const ManagementSettings& settings,
+                             const OnManagementSettingsSetCallback& callback);
+
   // Checks if the user is the device owner, without the user profile having to
   // been initialized. Should be used only if login state is in safe mode.
   static void IsOwnerForSafeModeAsync(
@@ -86,7 +102,8 @@ class OwnerSettingsServiceChromeOS : public ownership::OwnerSettingsService,
       enterprise_management::ChromeDeviceSettingsProto& settings);
 
   bool has_pending_changes() const {
-    return !pending_changes_.empty() || tentative_settings_.get();
+    return !pending_changes_.empty() || tentative_settings_.get() ||
+           has_pending_management_settings_;
   }
 
  private:
@@ -141,6 +158,17 @@ class OwnerSettingsServiceChromeOS : public ownership::OwnerSettingsService,
   // A set of pending changes to device settings.
   base::ScopedPtrHashMap<std::string, base::Value> pending_changes_;
 
+  // True if there're pending changes to management settings.
+  bool has_pending_management_settings_;
+
+  // A set of pending changes to management settings.
+  ManagementSettings pending_management_settings_;
+
+  // A set of callbacks that need to be run after management settings
+  // are set and policy is stored.
+  std::vector<OnManagementSettingsSetCallback>
+      pending_management_settings_callbacks_;
+
   // A protobuf containing pending changes to device settings.
   scoped_ptr<enterprise_management::ChromeDeviceSettingsProto>
       tentative_settings_;

chrome/browser/chromeos/ownership/owner_settings_service_chromeos_unittest.cc

@@ -22,6 +22,8 @@
 #include "chromeos/settings/cros_settings_names.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+namespace em = enterprise_management;
+
 namespace chromeos {
 
 namespace {
@@ -83,7 +85,8 @@ class OwnerSettingsServiceChromeOSTest : public DeviceSettingsTestBase {
   OwnerSettingsServiceChromeOSTest()
       : service_(nullptr),
         local_state_(TestingBrowserProcess::GetGlobal()),
-        user_data_dir_override_(chrome::DIR_USER_DATA) {}
+        user_data_dir_override_(chrome::DIR_USER_DATA),
+        management_settings_set_(false) {}
 
   virtual void SetUp() override {
     DeviceSettingsTestBase::SetUp();
@@ -97,6 +100,12 @@ class OwnerSettingsServiceChromeOSTest : public DeviceSettingsTestBase {
         profile_.get());
     ASSERT_TRUE(service_);
     ASSERT_TRUE(service_->IsOwner());
+
+    device_policy_.policy_data().set_management_mode(
+        em::PolicyData::LOCAL_OWNER);
+    device_policy_.Build();
+    device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
+    ReloadDeviceSettings();
   }
 
   virtual void TearDown() override { DeviceSettingsTestBase::TearDown(); }
@@ -110,10 +119,15 @@ class OwnerSettingsServiceChromeOSTest : public DeviceSettingsTestBase {
     checker.Wait();
   }
 
+  void OnManagementSettingsSet(bool success) {
+    management_settings_set_ = success;
+  }
+
   OwnerSettingsServiceChromeOS* service_;
   ScopedTestingLocalState local_state_;
   scoped_ptr<DeviceSettingsProvider> provider_;
   base::ScopedPathOverride user_data_dir_override_;
+  bool management_settings_set_;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(OwnerSettingsServiceChromeOSTest);
@@ -158,6 +172,128 @@ TEST_F(OwnerSettingsServiceChromeOSTest, FailedSetRequest) {
                                  .release_channel());
 }
 
+TEST_F(OwnerSettingsServiceChromeOSTest, SetManagementSettingsModeTransition) {
+  ReloadDeviceSettings();
+  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
+            device_settings_service_.status());
+
+  // The initial management mode should be LOCAL_OWNER.
+  EXPECT_TRUE(device_settings_service_.policy_data()->has_management_mode());
+  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
+            device_settings_service_.policy_data()->management_mode());
+
+  OwnerSettingsServiceChromeOS::ManagementSettings management_settings;
+  management_settings.management_mode =
+      policy::MANAGEMENT_MODE_CONSUMER_MANAGED;
+  management_settings.request_token = "fake_request_token";
+  management_settings.device_id = "fake_device_id";
+  OwnerSettingsServiceChromeOS::OnManagementSettingsSetCallback
+      on_management_settings_set_callback =
+          base::Bind(&OwnerSettingsServiceChromeOSTest::OnManagementSettingsSet,
+                     base::Unretained(this));
+
+  // LOCAL_OWNER -> CONSUMER_MANAGED: Okay.
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_TRUE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED,
+            device_settings_service_.policy_data()->management_mode());
+
+  // CONSUMER_MANAGED -> ENTERPRISE_MANAGED: Invalid.
+  management_settings.management_mode =
+      policy::MANAGEMENT_MODE_ENTERPRISE_MANAGED;
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_FALSE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED,
+            device_settings_service_.policy_data()->management_mode());
+
+  // CONSUMER_MANAGED -> LOCAL_OWNER: Okay.
+  management_settings.management_mode = policy::MANAGEMENT_MODE_LOCAL_OWNER;
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_TRUE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
+            device_settings_service_.policy_data()->management_mode());
+
+  // LOCAL_OWNER -> ENTERPRISE_MANAGED: Invalid.
+  management_settings.management_mode =
+      policy::MANAGEMENT_MODE_ENTERPRISE_MANAGED;
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_FALSE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
+            device_settings_service_.policy_data()->management_mode());
+
+  // Inject a policy data with management mode set to ENTERPRISE_MANAGED.
+  device_policy_.policy_data().set_management_mode(
+      em::PolicyData::ENTERPRISE_MANAGED);
+  device_policy_.Build();
+  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
+  ReloadDeviceSettings();
+  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
+            device_settings_service_.policy_data()->management_mode());
+
+  // ENTERPRISE_MANAGED -> LOCAL_OWNER: Invalid.
+  management_settings.management_mode = policy::MANAGEMENT_MODE_LOCAL_OWNER;
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_FALSE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
+            device_settings_service_.policy_data()->management_mode());
+
+  // ENTERPRISE_MANAGED -> CONSUMER_MANAGED: Invalid.
+  management_settings.management_mode =
+      policy::MANAGEMENT_MODE_CONSUMER_MANAGED;
+  service_->SetManagementSettings(management_settings,
+                                  on_management_settings_set_callback);
+  FlushDeviceSettings();
+
+  EXPECT_FALSE(management_settings_set_);
+  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
+            device_settings_service_.policy_data()->management_mode());
+}
+
+TEST_F(OwnerSettingsServiceChromeOSTest, SetManagementSettingsSuccess) {
+  ReloadDeviceSettings();
+  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
+            device_settings_service_.status());
+
+  OwnerSettingsServiceChromeOS::ManagementSettings management_settings;
+  management_settings.management_mode =
+      policy::MANAGEMENT_MODE_CONSUMER_MANAGED;
+  management_settings.request_token = "fake_request_token";
+  management_settings.device_id = "fake_device_id";
+  service_->SetManagementSettings(
+      management_settings,
+      base::Bind(&OwnerSettingsServiceChromeOSTest::OnManagementSettingsSet,
+                 base::Unretained(this)));
+  FlushDeviceSettings();
+
+  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
+            device_settings_service_.status());
+  ASSERT_TRUE(device_settings_service_.device_settings());
+
+  // Check that the loaded policy_data contains the expected values.
+  const em::PolicyData* policy_data = device_settings_service_.policy_data();
+  EXPECT_EQ(policy::dm_protocol::kChromeDevicePolicyType,
+            policy_data->policy_type());
+  EXPECT_EQ(device_settings_service_.GetUsername(), policy_data->username());
+  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED, policy_data->management_mode());
+  EXPECT_EQ("fake_request_token", policy_data->request_token());
+  EXPECT_EQ("fake_device_id", policy_data->device_id());
+}
+
 class OwnerSettingsServiceChromeOSNoOwnerTest
     : public OwnerSettingsServiceChromeOSTest {
  public:

chrome/browser/chromeos/policy/consumer_enrollment_handler.cc

@@ -10,11 +10,13 @@
 #include "base/message_loop/message_loop.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/consumer_management_service.h"
 #include "chrome/browser/chromeos/policy/consumer_management_stage.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
+#include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
@@ -110,8 +112,9 @@ void ConsumerEnrollmentHandler::OnOwnerAccessTokenAvailable(
   device_modes[policy::DEVICE_MODE_ENTERPRISE] = true;
 
   initializer->StartEnrollment(
-      MANAGEMENT_MODE_CONSUMER_MANAGED,
-      device_management_service_,
+      MANAGEMENT_MODE_CONSUMER_MANAGED, device_management_service_,
+      chromeos::OwnerSettingsServiceChromeOSFactory::GetForBrowserContext(
+          profile_),
       access_token,
       device_modes,
       base::Bind(&ConsumerEnrollmentHandler::OnEnrollmentCompleted,

chrome/browser/chromeos/policy/device_cloud_policy_initializer.cc

@@ -96,6 +96,7 @@ void DeviceCloudPolicyInitializer::Shutdown() {
 void DeviceCloudPolicyInitializer::StartEnrollment(
     ManagementMode management_mode,
     DeviceManagementService* device_management_service,
+    chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
     const std::string& auth_token,
     const AllowedDeviceModes& allowed_device_modes,
     const EnrollmentCallback& enrollment_callback) {
@@ -104,20 +105,13 @@ void DeviceCloudPolicyInitializer::StartEnrollment(
 
   manager_->core()->Disconnect();
   enrollment_handler_.reset(new EnrollmentHandlerChromeOS(
-      device_store_,
-      install_attributes_,
-      state_keys_broker_,
-      device_settings_service_,
-      CreateClient(device_management_service),
-      background_task_runner_,
-      auth_token,
-      install_attributes_->GetDeviceId(),
-      manager_->GetDeviceRequisition(),
-      allowed_device_modes,
-      management_mode,
+      device_store_, install_attributes_, state_keys_broker_,
+      device_settings_service_, owner_settings_service,
+      CreateClient(device_management_service), background_task_runner_,
+      auth_token, install_attributes_->GetDeviceId(),
+      manager_->GetDeviceRequisition(), allowed_device_modes, management_mode,
       base::Bind(&DeviceCloudPolicyInitializer::EnrollmentCompleted,
-                 base::Unretained(this),
-                 enrollment_callback)));
+                 base::Unretained(this), enrollment_callback)));
   enrollment_handler_->StartEnrollment();
 }
 

chrome/browser/chromeos/policy/device_cloud_policy_initializer.h

@@ -27,6 +27,7 @@ class SequencedTaskRunner;
 
 namespace chromeos {
 class DeviceSettingsService;
+class OwnerSettingsServiceChromeOS;
 }
 
 namespace policy {
@@ -72,6 +73,7 @@ class DeviceCloudPolicyInitializer : public CloudPolicyStore::Observer {
   virtual void StartEnrollment(
       ManagementMode management_mode,
       DeviceManagementService* device_management_service,
+      chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
       const std::string& auth_token,
       const AllowedDeviceModes& allowed_modes,
       const EnrollmentCallback& enrollment_callback);

chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc

@@ -15,6 +15,8 @@
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/testing_pref_service.h"
 #include "base/run_loop.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
@@ -26,6 +28,7 @@
 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
 #include "chrome/browser/prefs/browser_prefs.h"
 #include "chrome/test/base/testing_browser_process.h"
+#include "chrome/test/base/testing_profile.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
 #include "chromeos/dbus/dbus_client_implementation_type.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
@@ -106,6 +109,7 @@ class DeviceCloudPolicyManagerChromeOSTest
 
   void SetUp() override {
     DeviceSettingsTestBase::SetUp();
+
     dbus_setter_->SetCryptohomeClient(
         scoped_ptr<chromeos::CryptohomeClient>(fake_cryptohome_client_));
 
@@ -236,7 +240,6 @@ TEST_F(DeviceCloudPolicyManagerChromeOSTest, EnrolledDevice) {
   EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
   VerifyPolicyPopulated();
 
-
   // Trigger a policy refresh - this triggers a policy update.
   MockDeviceManagementJob* policy_fetch_job = NULL;
   EXPECT_CALL(device_management_service_,
@@ -417,9 +420,14 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
                         SaveArg<6>(&register_request_)));
     DeviceCloudPolicyInitializer::AllowedDeviceModes modes;
     modes[DEVICE_MODE_ENTERPRISE] = true;
+
+    chromeos::OwnerSettingsServiceChromeOS* owner_settings_service =
+        chromeos::OwnerSettingsServiceChromeOSFactory::GetForBrowserContext(
+            profile_.get());
+    ASSERT_TRUE(owner_settings_service);
+
     initializer_->StartEnrollment(
-        management_mode_,
-        &device_management_service_,
+        management_mode_, &device_management_service_, owner_settings_service,
         "auth token", modes,
         base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done,
                    base::Unretained(this)));
@@ -638,10 +646,15 @@ TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
        SuccessfulConsumerManagementEnrollment) {
   management_mode_ = MANAGEMENT_MODE_CONSUMER_MANAGED;
-  owner_key_util_->SetPrivateKey(device_policy_.GetSigningKey());
+  owner_key_util_->SetPrivateKey(device_policy_.GetNewSigningKey());
   InitOwner(device_policy_.policy_data().username(), true);
   FlushDeviceSettings();
 
+  device_policy_.policy_data().set_management_mode(em::PolicyData::LOCAL_OWNER);
+  device_policy_.Build();
+  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
+  ReloadDeviceSettings();
+
   RunTest();
   ExpectSuccessfulEnrollment();
 }

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

@@ -10,12 +10,15 @@
 #include "base/message_loop/message_loop.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/chromeos/settings/device_settings_service.h"
+#include "chrome/browser/profiles/profile.h"
 #include "chromeos/chromeos_switches.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/http/http_status_code.h"
@@ -43,6 +46,7 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
     EnterpriseInstallAttributes* install_attributes,
     ServerBackedStateKeysBroker* state_keys_broker,
     chromeos::DeviceSettingsService* device_settings_service,
+    chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
     scoped_ptr<CloudPolicyClient> client,
     scoped_refptr<base::SequencedTaskRunner> background_task_runner,
     const std::string& auth_token,
@@ -55,6 +59,7 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
       install_attributes_(install_attributes),
       state_keys_broker_(state_keys_broker),
       device_settings_service_(device_settings_service),
+      owner_settings_service_(owner_settings_service),
       client_(client.Pass()),
       background_task_runner_(background_task_runner),
       auth_token_(auth_token),
@@ -204,10 +209,11 @@ void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) {
 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
   if (enrollment_step_ == STEP_STORE_TOKEN_AND_ID) {
-    // Calling DeviceSettingsService::SetManagementSettings() on a non-
-    // enterprise-managed device will trigger OnStoreError(), as
-    // DeviceCloudPolicyStore listens to all changes on DeviceSettingsService,
-    // and it calls OnStoreError() when the device is not enterprise-managed.
+    // Calling OwnerSettingsServiceChromeOS::SetManagementSettings()
+    // on a non- enterprise-managed device will fail as
+    // DeviceCloudPolicyStore listens to all changes on device
+    // settings, and it calls OnStoreError() when the device is not
+    // enterprise-managed.
     return;
   }
   ReportResult(EnrollmentStatus::ForStoreError(store_->status(),
@@ -340,11 +346,17 @@ void EnrollmentHandlerChromeOS::StartLockDevice() {
   weak_ptr_factory_.InvalidateWeakPtrs();
 
   if (management_mode_ == MANAGEMENT_MODE_CONSUMER_MANAGED) {
+    CHECK(owner_settings_service_);
+
     // Consumer device enrollment doesn't use install attributes. Instead,
     // we put the information in the owners settings.
     enrollment_step_ = STEP_STORE_TOKEN_AND_ID;
-    device_settings_service_->SetManagementSettings(
-        em::PolicyData::CONSUMER_MANAGED, request_token_, device_id_,
+    chromeos::OwnerSettingsServiceChromeOS::ManagementSettings settings;
+    settings.management_mode = management_mode_;
+    settings.request_token = request_token_;
+    settings.device_id = device_id_;
+    owner_settings_service_->SetManagementSettings(
+        settings,
         base::Bind(&EnrollmentHandlerChromeOS::HandleSetManagementSettingsDone,
                    weak_ptr_factory_.GetWeakPtr()));
   } else {
@@ -355,10 +367,9 @@ void EnrollmentHandlerChromeOS::StartLockDevice() {
   }
 }
 
-void EnrollmentHandlerChromeOS::HandleSetManagementSettingsDone() {
+void EnrollmentHandlerChromeOS::HandleSetManagementSettingsDone(bool success) {
   CHECK_EQ(STEP_STORE_TOKEN_AND_ID, enrollment_step_);
-  if (device_settings_service_->status() !=
-      chromeos::DeviceSettingsService::STORE_SUCCESS) {
+  if (!success) {
     ReportResult(EnrollmentStatus::ForStatus(
         EnrollmentStatus::STATUS_STORE_TOKEN_AND_ID_FAILED));
     return;

chrome/browser/chromeos/policy/enrollment_handler_chromeos.h

@@ -27,6 +27,7 @@ class SequencedTaskRunner;
 
 namespace chromeos {
 class DeviceSettingsService;
+class OwnerSettingsServiceChromeOS;
 }
 
 namespace policy {
@@ -65,6 +66,7 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
       EnterpriseInstallAttributes* install_attributes,
       ServerBackedStateKeysBroker* state_keys_broker,
       chromeos::DeviceSettingsService* device_settings_service,
+      chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
       scoped_ptr<CloudPolicyClient> client,
       scoped_refptr<base::SequencedTaskRunner> background_task_runner,
       const std::string& auth_token,
@@ -135,9 +137,9 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
   // enrollment.
   void StartLockDevice();
 
-  // Checks the status after SetManagementSettings() is done. Proceeds to
-  // robot auth code storing if successful.
-  void HandleSetManagementSettingsDone();
+  // Called after SetManagementSettings() is done. Proceeds to robot
+  // auth code storing if successful.
+  void HandleSetManagementSettingsDone(bool success);
 
   // Handle callback from InstallAttributes::LockDevice() and retry on failure.
   void HandleLockDeviceResult(
@@ -159,6 +161,7 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
   EnterpriseInstallAttributes* install_attributes_;
   ServerBackedStateKeysBroker* state_keys_broker_;
   chromeos::DeviceSettingsService* device_settings_service_;
+  chromeos::OwnerSettingsServiceChromeOS* owner_settings_service_;
   scoped_ptr<CloudPolicyClient> client_;
   scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
   scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;

chrome/browser/chromeos/policy/fake_device_cloud_policy_initializer.cc

@@ -36,6 +36,7 @@ void FakeDeviceCloudPolicyInitializer::Shutdown() {
 void FakeDeviceCloudPolicyInitializer::StartEnrollment(
     ManagementMode management_mode,
     DeviceManagementService* device_management_service,
+    chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
     const std::string& auth_token,
     const AllowedDeviceModes& allowed_modes,
     const EnrollmentCallback& enrollment_callback) {

chrome/browser/chromeos/policy/fake_device_cloud_policy_initializer.h

@@ -27,6 +27,7 @@ class FakeDeviceCloudPolicyInitializer : public DeviceCloudPolicyInitializer {
   virtual void StartEnrollment(
       ManagementMode management_mode,
       DeviceManagementService* device_management_service,
+      chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
       const std::string& auth_token,
       const AllowedDeviceModes& allowed_modes,
       const EnrollmentCallback& enrollment_callback) override;

chrome/browser/chromeos/settings/device_settings_service.cc

@@ -36,32 +36,6 @@ int kLoadRetryDelayMs = 1000 * 5;
 // of retry time.
 int kMaxLoadRetries = (1000 * 60 * 10) / kLoadRetryDelayMs;
 
-// Returns true if it is okay to transfer from the current mode to the new
-// mode. This function should be called in SetManagementMode().
-bool CheckManagementModeTransition(em::PolicyData::ManagementMode current_mode,
-                                   em::PolicyData::ManagementMode new_mode) {
-  // Mode is not changed.
-  if (current_mode == new_mode)
-    return true;
-
-  switch (current_mode) {
-    case em::PolicyData::LOCAL_OWNER:
-      // For consumer management enrollment.
-      return new_mode == em::PolicyData::CONSUMER_MANAGED;
-
-    case em::PolicyData::ENTERPRISE_MANAGED:
-      // Management mode cannot be set when it is currently ENTERPRISE_MANAGED.
-      return false;
-
-    case em::PolicyData::CONSUMER_MANAGED:
-      // For consumer management unenrollment.
-      return new_mode == em::PolicyData::LOCAL_OWNER;
-  }
-
-  NOTREACHED();
-  return false;
-}
-
 }  // namespace
 
 namespace chromeos {
@@ -139,42 +113,6 @@ void DeviceSettingsService::Load() {
   EnqueueLoad(false);
 }
 
-void DeviceSettingsService::SetManagementSettings(
-    em::PolicyData::ManagementMode management_mode,
-    const std::string& request_token,
-    const std::string& device_id,
-    const base::Closure& callback) {
-  if (!owner_settings_service_) {
-    HandleError(STORE_KEY_UNAVAILABLE, callback);
-    return;
-  }
-
-  em::PolicyData::ManagementMode current_mode = em::PolicyData::LOCAL_OWNER;
-  if (policy_data() && policy_data()->has_management_mode())
-    current_mode = policy_data()->management_mode();
-
-  if (!CheckManagementModeTransition(current_mode, management_mode)) {
-    LOG(ERROR) << "Invalid management mode transition: current mode = "
-               << current_mode << ", new mode = " << management_mode;
-    HandleError(DeviceSettingsService::STORE_POLICY_ERROR, callback);
-    return;
-  }
-
-  scoped_ptr<em::PolicyData> policy =
-      OwnerSettingsServiceChromeOS::AssemblePolicy(
-          GetUsername(), policy_data(), device_settings());
-  if (!policy) {
-    HandleError(DeviceSettingsService::STORE_POLICY_ERROR, callback);
-    return;
-  }
-
-  policy->set_management_mode(management_mode);
-  policy->set_request_token(request_token);
-  policy->set_device_id(device_id);
-
-  EnqueueSignAndStore(policy.Pass(), callback);
-}
-
 void DeviceSettingsService::Store(scoped_ptr<em::PolicyFetchResponse> policy,
                                   const base::Closure& callback) {
   Enqueue(linked_ptr<SessionManagerOperation>(new StoreSettingsOperation(
@@ -274,33 +212,14 @@ void DeviceSettingsService::EnqueueLoad(bool force_key_load) {
                  weak_factory_.GetWeakPtr(),
                  base::Closure())));
   operation->set_force_key_load(force_key_load);
-  operation->set_username(username_);
-  operation->set_owner_settings_service(owner_settings_service_);
-  Enqueue(operation);
-}
-
-void DeviceSettingsService::EnqueueSignAndStore(
-    scoped_ptr<enterprise_management::PolicyData> policy,
-    const base::Closure& callback) {
-  linked_ptr<SessionManagerOperation> operation(
-      new SignAndStoreSettingsOperation(
-          base::Bind(&DeviceSettingsService::HandleCompletedOperation,
-                     weak_factory_.GetWeakPtr(),
-                     callback),
-          policy.Pass()));
-  operation->set_owner_settings_service(owner_settings_service_);
   Enqueue(operation);
 }
 
 void DeviceSettingsService::EnsureReload(bool force_key_load) {
-  if (!pending_operations_.empty()) {
-    pending_operations_.front()->set_username(username_);
-    pending_operations_.front()->set_owner_settings_service(
-        owner_settings_service_);
+  if (!pending_operations_.empty())
     pending_operations_.front()->RestartLoad(force_key_load);
-  } else {
+  else
     EnqueueLoad(force_key_load);
-  }
 }
 
 void DeviceSettingsService::StartNextOperation() {

chrome/browser/chromeos/settings/device_settings_service.h

@@ -131,16 +131,6 @@ class DeviceSettingsService : public SessionManagerClient::Observer {
   // load the device settings.
   void Load();
 
-  // Sets the management related settings in PolicyData.
-  //
-  // TODO (ygorshenin@, crbug.com/230018): move this to the
-  // OwnerSettingsService.
-  void SetManagementSettings(
-      enterprise_management::PolicyData::ManagementMode management_mode,
-      const std::string& request_token,
-      const std::string& device_id,
-      const base::Closure& callback);
-
   // Stores a policy blob to session_manager. The result of the operation is
   // reported through |callback|. If successful, the updated device settings are
   // present in policy_data() and device_settings() when the callback runs.
@@ -156,10 +146,20 @@ class DeviceSettingsService : public SessionManagerClient::Observer {
   void GetOwnershipStatusAsync(const OwnershipStatusCallback& callback);
 
   // Checks whether we have the private owner key.
+  //
+  // DEPRECATED (ygorshenin@, crbug.com/433840): this method should
+  // not be used since private key is a profile-specific resource and
+  // should be checked and used in a profile-aware manner, through
+  // OwnerSettingsService.
   bool HasPrivateOwnerKey();
 
   // Sets the identity of the user that's interacting with the service. This is
   // relevant only for writing settings through SignAndStore().
+  //
+  // TODO (ygorshenin@, crbug.com/433840): get rid of the method when
+  // write path for device settings will be removed from
+  // DeviceSettingsProvider and all existing clients will be switched
+  // to OwnerSettingsServiceChromeOS.
   void InitOwner(const std::string& username,
                  const base::WeakPtr<ownership::OwnerSettingsService>&
                      owner_settings_service);
@@ -187,13 +187,6 @@ class DeviceSettingsService : public SessionManagerClient::Observer {
   // Enqueues a load operation.
   void EnqueueLoad(bool force_key_load);
 
-  // Enqueues a sign and store operation.
-  //
-  // TODO (ygorshenin@, crbug.com/433840): extract SetManagementSettings() out
-  // of DeviceSettingsService and get rid of the method.
-  void EnqueueSignAndStore(scoped_ptr<enterprise_management::PolicyData> policy,
-                           const base::Closure& callback);
-
   // Makes sure there's a reload operation so changes to the settings (and key,
   // in case force_key_load is set) are getting picked up.
   void EnsureReload(bool force_key_load);

chrome/browser/chromeos/settings/device_settings_service_unittest.cc

@@ -10,6 +10,8 @@
 #include "base/compiler_specific.h"
 #include "base/time/time.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
+#include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
@@ -142,153 +144,6 @@ TEST_F(DeviceSettingsServiceTest, LoadSuccess) {
   CheckPolicy();
 }
 
-TEST_F(DeviceSettingsServiceTest, SetManagementSettingsModeTransition) {
-  ReloadDeviceSettings();
-  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
-            device_settings_service_.status());
-
-  owner_key_util_->SetPrivateKey(device_policy_.GetSigningKey());
-  InitOwner(device_policy_.policy_data().username(), true);
-  FlushDeviceSettings();
-
-  // The initial management mode should be LOCAL_OWNER.
-  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
-            device_settings_service_.policy_data()->management_mode());
-
-  // LOCAL_OWNER -> CONSUMER_MANAGED: Okay.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::CONSUMER_MANAGED,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED,
-            device_settings_service_.policy_data()->management_mode());
-
-  // CONSUMER_MANAGED -> ENTERPRISE_MANAGED: Invalid.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::ENTERPRISE_MANAGED,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_POLICY_ERROR,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED,
-            device_settings_service_.policy_data()->management_mode());
-
-  // CONSUMER_MANAGED -> LOCAL_OWNER: Okay.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::LOCAL_OWNER,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
-            device_settings_service_.policy_data()->management_mode());
-
-  // LOCAL_OWNER -> ENTERPRISE_MANAGED: Invalid.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::ENTERPRISE_MANAGED,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_POLICY_ERROR,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::LOCAL_OWNER,
-            device_settings_service_.policy_data()->management_mode());
-
-  // Inject a policy data with management mode set to ENTERPRISE_MANAGED.
-  device_policy_.policy_data().set_management_mode(
-      em::PolicyData::ENTERPRISE_MANAGED);
-  device_policy_.Build();
-  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
-  ReloadDeviceSettings();
-  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
-            device_settings_service_.policy_data()->management_mode());
-
-  // ENTERPRISE_MANAGED -> LOCAL_OWNER: Invalid.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::LOCAL_OWNER,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_POLICY_ERROR,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
-            device_settings_service_.policy_data()->management_mode());
-
-  // ENTERPRISE_MANAGED -> CONSUMER_MANAGED: Invalid.
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::CONSUMER_MANAGED,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_POLICY_ERROR,
-            device_settings_service_.status());
-  EXPECT_EQ(em::PolicyData::ENTERPRISE_MANAGED,
-            device_settings_service_.policy_data()->management_mode());
-
-}
-
-TEST_F(DeviceSettingsServiceTest, SetManagementSettingsSuccess) {
-  ReloadDeviceSettings();
-  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
-            device_settings_service_.status());
-
-  owner_key_util_->SetPrivateKey(device_policy_.GetSigningKey());
-  InitOwner(device_policy_.policy_data().username(), true);
-  FlushDeviceSettings();
-
-  device_settings_service_.SetManagementSettings(
-      em::PolicyData::CONSUMER_MANAGED,
-      "fake_request_token",
-      "fake_device_id",
-      base::Bind(&DeviceSettingsServiceTest::SetOperationCompleted,
-                 base::Unretained(this)));
-  FlushDeviceSettings();
-
-  EXPECT_TRUE(operation_completed_);
-  EXPECT_EQ(DeviceSettingsService::STORE_SUCCESS,
-            device_settings_service_.status());
-  ASSERT_TRUE(device_settings_service_.device_settings());
-
-  // Check that the loaded policy_data contains the expected values.
-  const em::PolicyData* policy_data = device_settings_service_.policy_data();
-  EXPECT_EQ(policy::dm_protocol::kChromeDevicePolicyType,
-            policy_data->policy_type());
-  EXPECT_EQ(device_settings_service_.GetUsername(),
-            policy_data->username());
-  EXPECT_EQ(em::PolicyData::CONSUMER_MANAGED, policy_data->management_mode());
-  EXPECT_EQ("fake_request_token", policy_data->request_token());
-  EXPECT_EQ("fake_device_id", policy_data->device_id());
-}
-
 TEST_F(DeviceSettingsServiceTest, StoreFailure) {
   owner_key_util_->Clear();
   device_settings_test_helper_.set_policy_blob(std::string());

chrome/browser/chromeos/settings/session_manager_operation.cc

@@ -239,65 +239,4 @@ void StoreSettingsOperation::HandleStoreResult(bool success) {
     StartLoading();
 }
 
-SignAndStoreSettingsOperation::SignAndStoreSettingsOperation(
-    const Callback& callback,
-    scoped_ptr<em::PolicyData> new_policy)
-    : SessionManagerOperation(callback),
-      new_policy_(new_policy.Pass()),
-      weak_factory_(this) {
-}
-
-SignAndStoreSettingsOperation::~SignAndStoreSettingsOperation() {}
-
-void SignAndStoreSettingsOperation::Run() {
-  if (!new_policy_) {
-    ReportResult(DeviceSettingsService::STORE_POLICY_ERROR);
-    return;
-  }
-  if (!owner_settings_service_) {
-    ReportResult(DeviceSettingsService::STORE_KEY_UNAVAILABLE);
-    return;
-  }
-  owner_settings_service_->IsOwnerAsync(
-      base::Bind(&SignAndStoreSettingsOperation::StartSigning,
-                 weak_factory_.GetWeakPtr()));
-}
-
-void SignAndStoreSettingsOperation::StartSigning(bool is_owner) {
-  if (!owner_settings_service_ || !is_owner) {
-    ReportResult(DeviceSettingsService::STORE_KEY_UNAVAILABLE);
-    return;
-  }
-
-  bool rv = owner_settings_service_->AssembleAndSignPolicyAsync(
-      content::BrowserThread::GetBlockingPool(),
-      new_policy_.Pass(),
-      base::Bind(&SignAndStoreSettingsOperation::StoreDeviceSettings,
-                 weak_factory_.GetWeakPtr()));
-  if (!rv) {
-    ReportResult(DeviceSettingsService::STORE_KEY_UNAVAILABLE);
-    return;
-  }
-}
-
-void SignAndStoreSettingsOperation::StoreDeviceSettings(
-    scoped_ptr<em::PolicyFetchResponse> policy_response) {
-  if (!policy_response.get()) {
-    ReportResult(DeviceSettingsService::STORE_POLICY_ERROR);
-    return;
-  }
-
-  session_manager_client()->StoreDevicePolicy(
-      policy_response->SerializeAsString(),
-      base::Bind(&SignAndStoreSettingsOperation::HandleStoreResult,
-                 weak_factory_.GetWeakPtr()));
-}
-
-void SignAndStoreSettingsOperation::HandleStoreResult(bool success) {
-  if (!success)
-    ReportResult(DeviceSettingsService::STORE_OPERATION_FAILED);
-  else
-    StartLoading();
-}
-
 }  // namespace chromeos

chrome/browser/chromeos/settings/session_manager_operation.h

@@ -11,7 +11,6 @@
 #include "base/memory/scoped_ptr.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
 #include "chrome/browser/chromeos/settings/device_settings_service.h"
-#include "components/ownership/owner_settings_service.h"
 #include "net/cert/x509_util_nss.h"
 
 namespace enterprise_management {
@@ -68,13 +67,6 @@ class SessionManagerOperation {
     force_key_load_ = force_key_load;
   }
 
-  void set_username(const std::string& username) { username_ = username; }
-
-  void set_owner_settings_service(const base::WeakPtr<
-      ownership::OwnerSettingsService>& owner_settings_service) {
-    owner_settings_service_ = owner_settings_service;
-  }
-
  protected:
   // Runs the operation. The result is reported through |callback_|.
   virtual void Run() = 0;
@@ -93,8 +85,6 @@ class SessionManagerOperation {
     return session_manager_client_;
   }
 
-  base::WeakPtr<ownership::OwnerSettingsService> owner_settings_service_;
-
  private:
   // Loads the owner key from disk. Must be run on a thread that can do I/O.
   static scoped_refptr<ownership::PublicKey> LoadPublicKey(
@@ -121,7 +111,6 @@ class SessionManagerOperation {
 
   scoped_refptr<ownership::PublicKey> public_key_;
   bool force_key_load_;
-  std::string username_;
 
   bool is_loading_;
   scoped_ptr<enterprise_management::PolicyData> policy_data_;
@@ -173,35 +162,6 @@ class StoreSettingsOperation : public SessionManagerOperation {
   DISALLOW_COPY_AND_ASSIGN(StoreSettingsOperation);
 };
 
-// Signs device settings and stores the resulting blob to session_manager.
-class SignAndStoreSettingsOperation : public SessionManagerOperation {
- public:
-  // Creates a new sign-and-store operation.
-  SignAndStoreSettingsOperation(
-      const Callback& callback,
-      scoped_ptr<enterprise_management::PolicyData> new_policy);
-  virtual ~SignAndStoreSettingsOperation();
-
-  // SessionManagerOperation:
-  virtual void Run() override;
-
- private:
-  void StartSigning(bool has_private_key);
-
-  // Stores the signed device settings blob.
-  void StoreDeviceSettings(
-      scoped_ptr<enterprise_management::PolicyFetchResponse> policy_response);
-
-  // Handles the result of the store operation and triggers the load.
-  void HandleStoreResult(bool success);
-
-  scoped_ptr<enterprise_management::PolicyData> new_policy_;
-
-  base::WeakPtrFactory<SignAndStoreSettingsOperation> weak_factory_;
-
-  DISALLOW_COPY_AND_ASSIGN(SignAndStoreSettingsOperation);
-};
-
 }  // namespace chromeos
 
 #endif  // CHROME_BROWSER_CHROMEOS_SETTINGS_SESSION_MANAGER_OPERATION_H_

chrome/browser/chromeos/settings/session_manager_operation_unittest.cc

@@ -223,65 +223,4 @@ TEST_F(SessionManagerOperationTest, StoreSettings) {
             op.device_settings()->SerializeAsString());
 }
 
-TEST_F(SessionManagerOperationTest, SignAndStoreSettings) {
-  owner_key_util_->SetPrivateKey(policy_.GetSigningKey());
-  service_->OnTPMTokenReady(true /* is ready */);
-
-  scoped_ptr<em::PolicyData> policy(new em::PolicyData(policy_.policy_data()));
-  SignAndStoreSettingsOperation op(
-      base::Bind(&SessionManagerOperationTest::OnOperationCompleted,
-                 base::Unretained(this)),
-      policy.Pass());
-  op.set_owner_settings_service(service_->as_weak_ptr());
-
-  EXPECT_CALL(*this,
-              OnOperationCompleted(
-                  &op, DeviceSettingsService::STORE_SUCCESS));
-  op.Start(&device_settings_test_helper_, owner_key_util_, NULL);
-  device_settings_test_helper_.Flush();
-  Mock::VerifyAndClearExpectations(this);
-
-  // The blob should validate.
-  scoped_ptr<em::PolicyFetchResponse> policy_response(
-      new em::PolicyFetchResponse());
-  ASSERT_TRUE(
-      policy_response->ParseFromString(
-          device_settings_test_helper_.policy_blob()));
-  policy::DeviceCloudPolicyValidator* validator =
-      policy::DeviceCloudPolicyValidator::Create(
-          policy_response.Pass(), message_loop_.message_loop_proxy());
-  validator->ValidateUsername(policy_.policy_data().username(), true);
-  const base::Time expected_time = base::Time::UnixEpoch() +
-      base::TimeDelta::FromMilliseconds(policy::PolicyBuilder::kFakeTimestamp);
-  validator->ValidateTimestamp(
-      expected_time,
-      expected_time,
-      policy::CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
-  validator->ValidatePolicyType(policy::dm_protocol::kChromeDevicePolicyType);
-  validator->ValidatePayload();
-  std::vector<uint8> public_key;
-  policy_.GetSigningKey()->ExportPublicKey(&public_key);
-  // Convert from bytes to string format (which is what ValidateSignature()
-  // takes).
-  std::string public_key_as_string = std::string(
-      reinterpret_cast<const char*>(vector_as_array(&public_key)),
-      public_key.size());
-  validator->ValidateSignature(
-      public_key_as_string,
-      policy::GetPolicyVerificationKey(),
-      policy::PolicyBuilder::kFakeDomain,
-      false);
-  validator->StartValidation(
-      base::Bind(&SessionManagerOperationTest::CheckSuccessfulValidation,
-                 base::Unretained(this)));
-
-  message_loop_.RunUntilIdle();
-  EXPECT_TRUE(validated_);
-
-  // Loaded device settings should match what the operation received.
-  ASSERT_TRUE(op.device_settings().get());
-  EXPECT_EQ(policy_.payload().SerializeAsString(),
-            op.device_settings()->SerializeAsString());
-}
-
 }  // namespace chromeos

components/policy/core/common/cloud/cloud_policy_constants.cc

@@ -106,6 +106,23 @@ const char* GetChromeUserPolicyType() {
   return dm_protocol::kChromeUserPolicyType;
 }
 
+void SetManagementMode(em::PolicyData& policy_data, ManagementMode mode) {
+  switch (mode) {
+    case MANAGEMENT_MODE_LOCAL_OWNER:
+      policy_data.set_management_mode(em::PolicyData::LOCAL_OWNER);
+      return;
+
+    case MANAGEMENT_MODE_ENTERPRISE_MANAGED:
+      policy_data.set_management_mode(em::PolicyData::ENTERPRISE_MANAGED);
+      return;
+
+    case MANAGEMENT_MODE_CONSUMER_MANAGED:
+      policy_data.set_management_mode(em::PolicyData::CONSUMER_MANAGED);
+      return;
+  }
+  NOTREACHED();
+}
+
 ManagementMode GetManagementMode(const em::PolicyData& policy_data) {
   if (policy_data.has_management_mode()) {
     switch (policy_data.management_mode()) {

components/policy/core/common/cloud/cloud_policy_constants.h

@@ -141,6 +141,11 @@ enum ManagementMode {
   MANAGEMENT_MODE_CONSUMER_MANAGED = 2,
 };
 
+// Sets management mode field in the |policy_data|.
+POLICY_EXPORT void SetManagementMode(
+    enterprise_management::PolicyData& policy_data,
+    ManagementMode mode);
+
 // Returns the management mode of |policy_data|. You should use this function
 // instead of using |management_mode| in |policy_data| to handle legacy
 // |policy_data| that doesn't have |management_mode| set.