[DeviceSync v2] Check if group private key from CryptAuth is empty

We expect SyncMetadataResponse.hasEncryptedGroupPrivateKey() to be true
if and only if there was a non-empty group private key for CryptAuth to
send. However, this CL guards against an empty group private key string.

See also http://b/145600035.

Bug: 951969
Change-Id: I4bac0f8cbc3ef4c4b55ea7195a08fea28fd52250
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2003799
Auto-Submit: Josh Nohle <nohle@chromium.org>
Commit-Queue: Kyle Horimoto <khorimoto@chromium.org>
Reviewed-by: Kyle Horimoto <khorimoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#734673}

chromeos/services/device_sync/cryptauth_device_syncer_impl.cc

@@ -427,6 +427,14 @@ void CryptAuthDeviceSyncerImpl::ProcessEncryptedGroupPrivateKey() {
     return;
   }
 
+  if (encrypted_group_private_key_->encrypted_private_key().empty()) {
+    // TODO(https://crbug.com/936273): Log metrics for empty private key.
+    PA_LOG(ERROR) << "Group private key from CryptAuth unexpectedly empty.";
+    did_non_fatal_error_occur_ = true;
+    AttemptNextStep();
+    return;
+  }
+
   const CryptAuthKey* device_sync_better_together_key =
       key_registry_->GetActiveKey(
           CryptAuthKeyBundle::Name::kDeviceSyncBetterTogether);

chromeos/services/device_sync/cryptauth_device_syncer_impl_unittest.cc

@@ -804,6 +804,42 @@ TEST_F(DeviceSyncCryptAuthDeviceSyncerImplTest,
       {GetLocalDeviceForTest()});
 }
 
+TEST_F(
+    DeviceSyncCryptAuthDeviceSyncerImplTest,
+    NonFatalError_InitialGroupKeyStale_GetNewGroupPublicKeyFromCryptAuth_WithEmptyGroupPrivateKey) {
+  AddInitialGroupKeyToRegistry(GetStaleGroupKey());
+
+  CallSync();
+
+  // The initial group key is stale, so CryptAuth provides us with the new
+  // unencrypted group public key but an unexpectedly empty encrypted group
+  // private key string. This is considered a non-fatal error.
+  VerifyMetadataSyncerInput(&GetStaleGroupKey());
+  FinishMetadataSyncerAttempt(
+      GetAllTestDeviceMetadataPackets(),
+      GetGroupKeyWithoutPrivateKey() /* new_group_key */,
+      std::string() /* encrypted_group_private_key */,
+      cryptauthv2::GetClientDirectiveForTest(),
+      CryptAuthDeviceSyncResult::ResultCode::kSuccess);
+
+  VerifyGroupKeyInRegistry(GetGroupKeyWithoutPrivateKey());
+
+  VerifyFeatureStatusGetterInput(GetAllTestDeviceIds());
+  FinishFeatureStatusGetterAttempt(
+      GetAllTestDeviceIds(), CryptAuthDeviceSyncResult::ResultCode::kSuccess);
+
+  // Only the local device has its BetterTogetherDeviceMetadata in the device
+  // registry since the other metadata cannot be decrypted without the group
+  // private key, and because the previous device registry did not have any
+  // existing metadata to draw from.
+  VerifyDeviceSyncResult(
+      CryptAuthDeviceSyncResult(
+          CryptAuthDeviceSyncResult::ResultCode::kFinishedWithNonFatalErrors,
+          true /* device_registry_changed */,
+          cryptauthv2::GetClientDirectiveForTest()),
+      GetAllTestDevicesWithoutRemoteMetadata());
+}
+
 TEST_F(DeviceSyncCryptAuthDeviceSyncerImplTest,
        NonFatalError_FromFeatureStatusGetter_MissingDeviceFeatureStatuses) {
   AddInitialGroupKeyToRegistry(GetGroupKey());