Add new version of enrollment screen supporting OAuth.

If switched on via a command line flag, the new version of the
enrollment screen is enabled. It uses the authentication extension,
which will fetch an OAuth token that is then used to register for device
policy.

BUG=chromium-os:18203
TEST=Enable flags and test enrollment.

Review URL: http://codereview.chromium.org/7562008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@96181 0039d316-1c4b-4281-b951-d872f2087c98

chrome/app/generated_resources.grd

@@ -13159,6 +13159,26 @@ Keep your key file in a safe place. You will need it to create new versions of y
       <message name="IDS_ENTERPRISE_ENROLLMENT_FATAL_ENROLLMENT_ERROR" desc="Error message to show when there is an unrecoverable error while performing enrollment.">
         Oops!  Something went really wrong while enrolling this device.  Please try again or contact your support representative.
       </message>
+
+      <!-- Strings for the new-style OAuth-based enterprise enrollment page -->
+      <message name="IDS_ENTERPRISE_ENROLLMENT_SCREEN_TITLE" desc="The title on the enterprise enrollment dialog.">
+        Enterprise enrollment
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_RETRY" desc="Label for the retry button on the error step in the enterprise enrollment dialog.">
+        Try again
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_CANCEL" desc="Label for the cancel button on the enterprise enrollment dialog.">
+        Cancel
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_DONE" desc="Label for the done button on the success screen in the enterprise enrollment dialog.">
+        Done
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_SUCCESS" desc="Success message to be shown once enterprise enrollment completes.">
+        Your device has successfully been enrolled for enterprise management.
+      </message>
+      <message name="IDS_ENTERPRISE_ENROLLMENT_WORKING" desc="Status message to show while enterprise enrollment is underway.">
+        Enrolling the device. Please wait...
+      </message>
     </if>
 
     <!-- Register Protocol Handler Strings -->

chrome/app/theme/theme_resources.grd

@@ -451,6 +451,8 @@
         <include name="IDR_DROPDOWN_TOP_P" file="textbutton_dropdown_t_p.png" type="BINDATA" />
         <include name="IDR_DROPDOWN_TOP_RIGHT_H" file="textbutton_dropdown_tr_h.png" type="BINDATA" />
         <include name="IDR_DROPDOWN_TOP_RIGHT_P" file="textbutton_dropdown_tr_p.png" type="BINDATA" />
+        <include name="IDR_ENROLL_SUCCESS" file="enroll_success.png" type="BINDATA"/>
+        <include name="IDR_ENROLL_FAILURE" file="enroll_failure.png" type="BINDATA"/>
         <include name="IDR_HELP_MENU" file="help_16.png" type="BINDATA" />
         <include name="IDR_INCOGNITO_GUY" file="incognito_guy.png" type="BINDATA" />
         <include name="IDR_ICON_ADD_USER20" file="icon_add_user20.png" type="BINDATA" />

chrome/browser/chromeos/login/enterprise_enrollment_screen.cc

@@ -11,7 +11,6 @@
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/login/enterprise_enrollment_screen_actor.h"
 #include "chrome/browser/chromeos/login/screen_observer.h"
-#include "chrome/browser/policy/browser_policy_connector.h"
 #include "chrome/browser/policy/enterprise_metrics.h"
 #include "chrome/common/net/gaia/gaia_constants.h"
 #include "chrome/common/net/gaia/google_service_auth_error.h"
@@ -85,6 +84,14 @@ void EnterpriseEnrollmentScreen::OnAuthSubmitted(
   }
 }
 
+void EnterpriseEnrollmentScreen::OnOAuthTokenAvailable(
+    const std::string& user,
+    const std::string& token) {
+  user_ = user;
+  RegisterForDevicePolicy(token,
+                          policy::BrowserPolicyConnector::TOKEN_TYPE_OAUTH);
+}
+
 void EnterpriseEnrollmentScreen::OnAuthCancelled() {
   UMA_HISTOGRAM_ENUMERATION(policy::kMetricEnrollment,
                             policy::kMetricEnrollmentCancelled,
@@ -150,25 +157,8 @@ void EnterpriseEnrollmentScreen::OnIssueAuthTokenSuccess(
 
   scoped_ptr<GaiaAuthFetcher> auth_fetcher(auth_fetcher_.release());
 
-  policy::BrowserPolicyConnector* connector =
-      g_browser_process->browser_policy_connector();
-  if (!connector->device_cloud_policy_subsystem()) {
-    NOTREACHED() << "Cloud policy subsystem not initialized.";
-    UMA_HISTOGRAM_ENUMERATION(policy::kMetricEnrollment,
-                              policy::kMetricEnrollmentOtherFailed,
-                              policy::kMetricEnrollmentSize);
-    if (is_showing_)
-      actor_->ShowFatalEnrollmentError();
-    return;
-  }
-
-  connector->ScheduleServiceInitialization(0);
-  registrar_.reset(new policy::CloudPolicySubsystem::ObserverRegistrar(
-      connector->device_cloud_policy_subsystem(), this));
-
-  // Push the credentials to the policy infrastructure. It'll start enrollment
-  // and notify us of progress through CloudPolicySubsystem::Observer.
-  connector->SetDeviceCredentials(user_, auth_token);
+  RegisterForDevicePolicy(auth_token,
+                          policy::BrowserPolicyConnector::TOKEN_TYPE_GAIA);
 }
 
 void EnterpriseEnrollmentScreen::OnIssueAuthTokenFailure(
@@ -323,4 +313,28 @@ void EnterpriseEnrollmentScreen::WriteInstallAttributesData() {
   NOTREACHED();
 }
 
+void EnterpriseEnrollmentScreen::RegisterForDevicePolicy(
+    const std::string& token,
+    policy::BrowserPolicyConnector::TokenType token_type) {
+  policy::BrowserPolicyConnector* connector =
+      g_browser_process->browser_policy_connector();
+  if (!connector->device_cloud_policy_subsystem()) {
+    NOTREACHED() << "Cloud policy subsystem not initialized.";
+    UMA_HISTOGRAM_ENUMERATION(policy::kMetricEnrollment,
+                              policy::kMetricEnrollmentOtherFailed,
+                              policy::kMetricEnrollmentSize);
+    if (is_showing_)
+      actor_->ShowFatalEnrollmentError();
+    return;
+  }
+
+  connector->ScheduleServiceInitialization(0);
+  registrar_.reset(new policy::CloudPolicySubsystem::ObserverRegistrar(
+      connector->device_cloud_policy_subsystem(), this));
+
+  // Push the credentials to the policy infrastructure. It'll start enrollment
+  // and notify us of progress through CloudPolicySubsystem::Observer.
+  connector->SetDeviceCredentials(user_, token, token_type);
+}
+
 }  // namespace chromeos

chrome/browser/chromeos/login/enterprise_enrollment_screen.h

@@ -15,6 +15,7 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/login/enterprise_enrollment_screen_actor.h"
 #include "chrome/browser/chromeos/login/wizard_screen.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
 #include "chrome/browser/policy/cloud_policy_subsystem.h"
 #include "chrome/common/net/gaia/gaia_auth_fetcher.h"
 
@@ -44,6 +45,8 @@ class EnterpriseEnrollmentScreen
                                const std::string& password,
                                const std::string& captcha,
                                const std::string& access_code) OVERRIDE;
+  virtual void OnOAuthTokenAvailable(const std::string& user,
+                                     const std::string& token) OVERRIDE;
   virtual void OnAuthCancelled() OVERRIDE;
   virtual void OnConfirmationClosed() OVERRIDE;
   virtual bool GetInitialUser(std::string* user) OVERRIDE;
@@ -75,6 +78,11 @@ class EnterpriseEnrollmentScreen
   // Starts the Lockbox storage process.
   void WriteInstallAttributesData();
 
+  // Kicks off the policy infrastructure to register with the service.
+  void RegisterForDevicePolicy(
+      const std::string& token,
+      policy::BrowserPolicyConnector::TokenType token_type);
+
   EnterpriseEnrollmentScreenActor* actor_;
   bool is_showing_;
   scoped_ptr<GaiaAuthFetcher> auth_fetcher_;

chrome/browser/chromeos/login/enterprise_enrollment_screen_actor.h

@@ -27,6 +27,8 @@ class EnterpriseEnrollmentScreenActor {
                                  const std::string& password,
                                  const std::string& captcha,
                                  const std::string& access_code) = 0;
+    virtual void OnOAuthTokenAvailable(const std::string& user,
+                                       const std::string& oauth_token) = 0;
     virtual void OnAuthCancelled() = 0;
     virtual void OnConfirmationClosed() = 0;
     virtual bool GetInitialUser(std::string* user) = 0;

chrome/browser/policy/browser_policy_connector.cc

@@ -100,11 +100,21 @@ ConfigurationPolicyProvider*
 
 void BrowserPolicyConnector::SetDeviceCredentials(
     const std::string& owner_email,
-    const std::string& gaia_token) {
+    const std::string& token,
+    TokenType token_type) {
 #if defined(OS_CHROMEOS)
   if (device_data_store_.get()) {
     device_data_store_->set_user_name(owner_email);
-    device_data_store_->SetGaiaToken(gaia_token);
+    switch (token_type) {
+      case TOKEN_TYPE_OAUTH:
+        device_data_store_->SetOAuthToken(token);
+        break;
+      case TOKEN_TYPE_GAIA:
+        device_data_store_->SetGaiaToken(token);
+        break;
+      default:
+        NOTREACHED() << "Invalid token type " << token_type;
+    }
   }
 #endif
 }

chrome/browser/policy/browser_policy_connector.h

@@ -34,6 +34,12 @@ class UserPolicyTokenCache;
 // respective classes.
 class BrowserPolicyConnector : public NotificationObserver {
  public:
+  // Indicates the type of token passed to SetDeviceCredentials.
+  enum TokenType {
+    TOKEN_TYPE_GAIA,  // A gaia service token.
+    TOKEN_TYPE_OAUTH, // An OAuth v2 access token.
+  };
+
   static BrowserPolicyConnector* Create();
   virtual ~BrowserPolicyConnector();
 
@@ -64,7 +70,8 @@ class BrowserPolicyConnector : public NotificationObserver {
   // Used to set the credentials stored in the data store associated
   // with this policy connector.
   void SetDeviceCredentials(const std::string& owner_email,
-                            const std::string& gaia_token);
+                            const std::string& token,
+                            TokenType token_type);
 
   // Returns true if this device is managed by an enterprise (as opposed to
   // a local owner).

chrome/browser/resources/chromeos/login/oobe.css

@@ -228,19 +228,26 @@ hr.bottom {
 #oobe.eula #back-button,
 #oobe.eula #accept-button,
 #oobe.signin #signin-button,
-#oobe.user-image #ok-button {
+#oobe.user-image #ok-button,
+#oobe.oauth-enrollment #oauth-enroll-cancel-button,
+#oobe.oauth-enrollment #oauth-enroll-done-button {
   display: inline-block;
 }
 
 #oobe.connect #connect-dot,
 #oobe.eula #eula-dot,
 #oobe.signin #signin-dot,
+#oobe.gaia-signin #gaia-signin-dot,
 #oobe.enrollment #signin-dot,
+#oobe.enrollment #gaia-signin-dot,
+#oobe.oauth-enrollment #signin-dot,
+#oobe.oauth-enrollment #gaia-signin-dot,
 #oobe.user-image #user-image-dot {
   opacity: 0.4;
 }
 
-#enrollment-dot {
+#enrollment-dot,
+#oauth-enrollment-dot {
   display: none;
 }
 
@@ -442,6 +449,95 @@ button {
   width: 100%;
 }
 
+/* Styling for OAuth enrollment screen. */
+
+#oauth-enroll-container {
+  bottom: 0;
+  display: -webkit-box;
+  left: 0;
+  position: absolute;
+  right: 0;
+  top: 0;
+}
+
+#oauth-enroll-signin-frame {
+  bottom: 0;
+  display: -webkit-box;
+  height: 100%;
+  left: 0;
+  position: absolute;
+  right: 0;
+  top: 0;
+  width: 100%;
+}
+
+.oauth-enroll-step-center {
+  display: table;
+  height: 100%;
+  margin: 0 auto;
+}
+
+.oauth-enroll-step-content {
+  display: table-cell;
+  vertical-align: middle;
+}
+
+.oauth-enroll-step-icon {
+  display: inline-block;
+  position: relative;
+  top: 0.5em;
+  vertical-align: top;
+}
+
+.oauth-enroll-step-icon > * {
+  display: inline-block;
+  height: 22px;
+  margin-right: .4em;
+  position: relative;
+  top: -11px;
+  width: 22px;
+}
+
+.oauth-enroll-step-message {
+  display: inline-block;
+  max-width: 400px;
+  text-align: left;
+  vertical-align: top;
+}
+
+#oauth-enroll-error-retry {
+  color: -webkit-link;
+  cursor: pointer;
+  text-decoration: underline;
+}
+
+@-webkit-keyframes oauth-enroll-spinner {
+  /* There are 13 animation steps, the numbers below space them evenly. Note
+   * that a steps(13) declaration produces off-by-one offsets for some frames,
+   * so for best results we specify positions explicity and use step-end. */
+  0%           { background-position: 286px 0px; }
+  7.6923076%   { background-position: 264px 0px; }
+  15.3846153%  { background-position: 242px 0px; }
+  23.0769230%  { background-position: 220px 0px; }
+  30.7692307%  { background-position: 198px 0px; }
+  38.4615384%  { background-position: 176px 0px; }
+  46.1538461%  { background-position: 154px 0px; }
+  53.8461538%  { background-position: 132px 0px; }
+  61.5384615%  { background-position: 110px 0px; }
+  69.2307692%  { background-position: 88px  0px; }
+  76.9230769%  { background-position: 66px  0px; }
+  84.6153846%  { background-position: 44px  0px; }
+  92.3076923%  { background-position: 22px  0px; }
+  100.0000000% { background-position: 0px   0px; }
+}
+
+.oauth-enroll-spinner {
+  -webkit-animation: oauth-enroll-spinner 1s step-end infinite;
+  background-image: url('chrome://theme/IDR_SPINNER');
+  height: 22px;
+  width: 22px;
+}
+
 #close-button.visible {
   display: inline-block;
 }

chrome/browser/resources/chromeos/login/oobe.html

@@ -23,6 +23,7 @@
 <script src="oobe_screen_update.js"></script>
 <script src="oobe_screen_user_image.js"></script>
 <script src="oobe_screen_enrollment.js"></script>
+<script src="oobe_screen_oauth_enrollment.js"></script>
 <script src="screen_account_picker.js"></script>
 <script src="screen_gaia_signin.js"></script>
 <script src="screen_offline_message.js"></script>
@@ -47,6 +48,7 @@
         <include src="oobe_screen_eula.html">
         <include src="oobe_screen_update.html">
         <include src="oobe_screen_enrollment.html">
+        <include src="oobe_screen_oauth_enrollment.html">
         <include src="oobe_screen_user_image.html">
         <include src="screen_signin.html">
         <include src="screen_gaia_signin.html">

chrome/browser/resources/chromeos/login/oobe.js

@@ -272,6 +272,7 @@ cr.define('cr.ui', function() {
     oobe.EulaScreen.register();
     oobe.UpdateScreen.register();
     oobe.EnrollmentScreen.register();
+    oobe.OAuthEnrollmentScreen.register();
     login.AccountPickerScreen.register();
     if (localStrings.getString('authType') == 'webui')
       login.SigninScreen.register();

chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html

+<div id="oauth-enrollment" class="step right hidden">
+  <div id="oauth-enroll-container">
+    <div id="oauth-enroll-step-signin">
+      <iframe id="oauth-enroll-signin-frame" src="about:blank" marginwidth="0"
+          marginheight="0" frameborder="0" scrolling="no"></iframe>
+    </div>
+    <div id="oauth-enroll-step-working" class="oauth-enroll-step-center" hidden>
+      <div class="oauth-enroll-step-content">
+        <span class="oauth-enroll-step-icon">
+          <span class="oauth-enroll-spinner"></span>
+        </span>
+        <span class="oauth-enroll-step-message"
+            i18n-content="oauthEnrollWorking">
+        </span>
+      </div>
+    </div>
+    <div id="oauth-enroll-step-error" class="oauth-enroll-step-center" hidden>
+      <div class="oauth-enroll-step-content">
+        <span class="oauth-enroll-step-icon">
+          <img src="chrome://theme/IDR_ENROLL_FAILURE">
+        </span>
+        <span class="oauth-enroll-step-message">
+          <div id="oauth-enroll-error-message"></div>
+          <a id='oauth-enroll-error-retry' i18n-content="oauthEnrollRetry"></a>
+        </span>
+      </div>
+    </div>
+    <div id="oauth-enroll-step-success" class="oauth-enroll-step-center" hidden>
+      <div class="oauth-enroll-step-content">
+        <span class="oauth-enroll-step-icon">
+          <img src="chrome://theme/IDR_ENROLL_SUCCESS">
+        </span>
+        <span class="oauth-enroll-step-message"
+            i18n-content="oauthEnrollSuccess">
+        </span>
+      </div>
+    </div>
+  </div>
+</div>

chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js

+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+cr.define('oobe', function() {
+  /**
+   * Creates a new oobe screen div.
+   * @constructor
+   * @extends {HTMLDivElement}
+   */
+  var OAuthEnrollmentScreen = cr.ui.define('div');
+
+  /**
+   * Registers with Oobe.
+   */
+  OAuthEnrollmentScreen.register = function() {
+    var screen = $('oauth-enrollment');
+    OAuthEnrollmentScreen.decorate(screen);
+    Oobe.getInstance().registerScreen(screen);
+    window.addEventListener('message',
+                            screen.onMessage_.bind(screen), false);
+  };
+
+  /**
+   * Switches between the different steps in the enrollment flow.
+   * @param screen {string} the steps to show, one of "signin", "working",
+   * "error", "success".
+   */
+  OAuthEnrollmentScreen.showStep = function(step) {
+    $('oauth-enrollment').showStep(step);
+  };
+
+  /**
+   * Sets an error message and switches to the error screen.
+   * @param message {string} the error message.
+   * @param retry {bool} whether the retry link should be shown.
+   */
+  OAuthEnrollmentScreen.showError = function(message, retry) {
+    $('oauth-enrollment').showError(message, retry);
+  };
+
+  OAuthEnrollmentScreen.prototype = {
+    __proto__: HTMLDivElement.prototype,
+
+    /**
+     * URL to load in the sign in frame.
+     */
+    signin_url_ : null,
+
+    /**
+     * Enrollment steps with names and buttons to show.
+     */
+    steps_ : [
+      { name: 'signin',
+        button: 'cancel' },
+      { name: 'working',
+        button: 'cancel' },
+      { name: 'error',
+        button: 'cancel' },
+      { name: 'success',
+        button: 'done' }
+    ],
+
+    /** @inheritDoc */
+    decorate: function() {
+      $('oauth-enroll-error-retry').addEventListener('click', function() {
+        chrome.send('oauthEnrollRetry', []);
+      });
+    },
+
+    /**
+     * Header text of the screen.
+     * @type {string}
+     */
+    get header() {
+      return localStrings.getString('oauthEnrollScreenTitle');
+    },
+
+    /**
+     * Buttons in oobe wizard's button strip.
+     * @type {array} Array of Buttons.
+     */
+    get buttons() {
+      var buttons = [];
+
+      var cancelButton = this.ownerDocument.createElement('button');
+      cancelButton.id = 'oauth-enroll-cancel-button';
+      cancelButton.textContent =
+          localStrings.getString('oauthEnrollCancel');
+      cancelButton.addEventListener('click', function(e) {
+        chrome.send('oauthEnrollClose', []);
+      });
+      buttons.push(cancelButton);
+
+      var doneButton = this.ownerDocument.createElement('button');
+      doneButton.id = 'oauth-enroll-done-button';
+      doneButton.hidden = true;
+      doneButton.textContent =
+          localStrings.getString('oauthEnrollDone');
+      doneButton.addEventListener('click', function(e) {
+        chrome.send('oauthEnrollClose', []);
+      });
+      buttons.push(doneButton);
+
+      return buttons;
+    },
+
+    /**
+     * Event handler that is invoked just before the frame is shown.
+     * @param data {dictionary} Screen init payload, contains the signin frame
+     * URL.
+     */
+    onBeforeShow: function(data) {
+      this.signin_url_ = data.signin_url;
+      $('oauth-enroll-signin-frame').contentWindow.location.href =
+          this.signin_url_;
+      this.showStep('signin');
+    },
+
+    /**
+     * Switches between the different steps in the enrollment flow.
+     * @param screen {string} the steps to show, one of "signin", "working",
+     * "error", "success".
+     */
+    showStep: function(step) {
+      $('oauth-enroll-cancel-button').hidden = true;
+      $('oauth-enroll-done-button').hidden = true;
+      for (var i = 0; i < this.steps_.length; i++) {
+        var the_step = this.steps_[i];
+        var active = (the_step.name == step);
+        $('oauth-enroll-step-' + the_step.name).hidden = !active;
+        if (active)
+          $('oauth-enroll-' + the_step.button + '-button').hidden = false;
+      }
+    },
+
+    /**
+     * Sets an error message and switches to the error screen.
+     * @param message {string} the error message.
+     * @param retry {bool} whether the retry link should be shown.
+     */
+    showError: function(message, retry) {
+      $('oauth-enroll-error-message').textContent = message;
+      $('oauth-enroll-error-retry').hidden = !retry;
+      this.showStep('error');
+    },
+
+    /**
+     * Checks if a given HTML5 message comes from the URL loaded into the signin
+     * frame.
+     * @param m {object} HTML5 message.
+     * @type {bool} whether the message comes from the signin frame.
+     */
+    isSigninMessage_: function(m) {
+      return this.signin_url_ != null &&
+          this.signin_url_.indexOf(m.origin) == 0 &&
+          m.source == $('oauth-enroll-signin-frame').contentWindow;
+    },
+
+    /**
+     * Event handler for HTML5 messages.
+     * @param m {object} HTML5 message.
+     */
+    onMessage_: function(m) {
+      var msg = m.data;
+      if (msg.method == 'completeLogin' && this.isSigninMessage_(m))
+        chrome.send('oauthEnrollCompleteLogin', [ msg.email, msg.password ]);
+    }
+  };
+
+  return {
+    OAuthEnrollmentScreen: OAuthEnrollmentScreen
+  };
+});

chrome/browser/resources/chromeos/login/screen_gaia_signin.js

@@ -67,7 +67,9 @@ cr.define('login', function() {
      * @type {bool}
      */
     isAuthExtMessage_: function(e) {
-      return this.extension_url_.indexOf(e.origin) == 0;
+      return this.extension_url_ != null &&
+          this.extension_url_.indexOf(e.origin) == 0 &&
+          e.source == $('signin-frame').contentWindow;
     },
 
     /**

chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc

+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h"
+
+#include "base/callback.h"
+#include "base/command_line.h"
+#include "base/json/json_reader.h"
+#include "base/json/json_writer.h"
+#include "base/utf_string_conversions.h"
+#include "base/values.h"
+#include "chrome/browser/browsing_data_remover.h"
+#include "chrome/browser/net/gaia/gaia_oauth_fetcher.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/net/gaia/gaia_constants.h"
+#include "chrome/common/net/gaia/google_service_auth_error.h"
+#include "chrome/common/url_constants.h"
+#include "content/browser/renderer_host/render_view_host.h"
+#include "content/browser/tab_contents/tab_contents.h"
+#include "grit/chromium_strings.h"
+#include "grit/generated_resources.h"
+#include "ui/base/l10n/l10n_util.h"
+
+namespace {
+
+// Start page of GAIA authentication extension.
+const char kGaiaExtStartPage[] =
+    "chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/main.html";
+
+// OAuth V2 service scope for device management.
+const char kServiceScopeChromeOSDeviceManagement[] =
+    "https://www.googleapis.com/auth/chromeosdevicemanagement";
+
+// Enrollment step names.
+const char kEnrollmentStepSignin[] = "signin";
+const char kEnrollmentStepWorking[] = "working";
+const char kEnrollmentStepError[] = "error";
+const char kEnrollmentStepSuccess[] = "success";
+
+}  // namespace
+
+namespace chromeos {
+
+// EnterpriseOAuthEnrollmentScreenHandler, public ------------------------------
+
+EnterpriseOAuthEnrollmentScreenHandler::EnterpriseOAuthEnrollmentScreenHandler()
+    : controller_(NULL), editable_user_(true), show_on_init_(false) {
+}
+
+EnterpriseOAuthEnrollmentScreenHandler::
+    ~EnterpriseOAuthEnrollmentScreenHandler() {}
+
+// EnterpriseOAuthEnrollmentScreenHandler, WebUIMessageHandler implementation --
+
+void EnterpriseOAuthEnrollmentScreenHandler::RegisterMessages() {
+  web_ui_->RegisterMessageCallback(
+      "oauthEnrollClose",
+      NewCallback(
+          this,
+          &EnterpriseOAuthEnrollmentScreenHandler::HandleClose));
+  web_ui_->RegisterMessageCallback(
+      "oauthEnrollCompleteLogin",
+      NewCallback(
+          this,
+          &EnterpriseOAuthEnrollmentScreenHandler::HandleCompleteLogin));
+  web_ui_->RegisterMessageCallback(
+      "oauthEnrollRetry",
+      NewCallback(
+          this,
+          &EnterpriseOAuthEnrollmentScreenHandler::HandleRetry));
+}
+
+// EnterpriseOAuthEnrollmentScreenHandler
+//      EnterpriseEnrollmentScreenActor implementation -------------------------
+
+void EnterpriseOAuthEnrollmentScreenHandler::SetController(
+    Controller* controller) {
+  controller_ = controller;
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::PrepareToShow() {
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::Show() {
+  if (!page_is_ready()) {
+    show_on_init_ = true;
+    return;
+  }
+
+  DictionaryValue screen_data;
+  screen_data.SetString("signin_url", kGaiaExtStartPage);
+  ShowScreen("oauth-enrollment", &screen_data);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::Hide() {
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::SetEditableUser(bool editable) {
+  editable_user_ = editable;
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowConfirmationScreen() {
+  ShowStep(kEnrollmentStepSuccess);
+  NotifyObservers(true);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowAuthError(
+    const GoogleServiceAuthError& error) {
+  switch (error.state()) {
+    case GoogleServiceAuthError::NONE:
+    case GoogleServiceAuthError::CAPTCHA_REQUIRED:
+    case GoogleServiceAuthError::TWO_FACTOR:
+    case GoogleServiceAuthError::HOSTED_NOT_ALLOWED:
+    case GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS:
+    case GoogleServiceAuthError::REQUEST_CANCELED:
+      LOG(ERROR) << "Auth error " << error.state();
+      ShowFatalAuthError();
+      break;
+    case GoogleServiceAuthError::USER_NOT_SIGNED_UP:
+    case GoogleServiceAuthError::ACCOUNT_DELETED:
+    case GoogleServiceAuthError::ACCOUNT_DISABLED:
+      LOG(ERROR) << "Account error " << error.state();
+      ShowAccountError();
+      break;
+    case GoogleServiceAuthError::CONNECTION_FAILED:
+    case GoogleServiceAuthError::SERVICE_UNAVAILABLE:
+      LOG(WARNING) << "Network error " << error.state();
+      ShowNetworkEnrollmentError();
+      break;
+  }
+  NotifyObservers(false);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowAccountError() {
+  ShowError(IDS_ENTERPRISE_ENROLLMENT_ACCOUNT_ERROR, true);
+  NotifyObservers(false);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowFatalAuthError() {
+  ShowError(IDS_ENTERPRISE_ENROLLMENT_FATAL_AUTH_ERROR, false);
+  NotifyObservers(false);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowFatalEnrollmentError() {
+  ShowError(IDS_ENTERPRISE_ENROLLMENT_FATAL_ENROLLMENT_ERROR, false);
+  NotifyObservers(false);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowNetworkEnrollmentError() {
+  ShowError(IDS_ENTERPRISE_ENROLLMENT_NETWORK_ENROLLMENT_ERROR, true);
+  NotifyObservers(false);
+}
+
+// EnterpriseOAuthEnrollmentScreenHandler BaseScreenHandler implementation -----
+
+void EnterpriseOAuthEnrollmentScreenHandler::GetLocalizedStrings(
+    base::DictionaryValue *localized_strings) {
+  localized_strings->SetString(
+      "oauthEnrollScreenTitle",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_SCREEN_TITLE));
+  localized_strings->SetString(
+      "oauthEnrollRetry",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_RETRY));
+  localized_strings->SetString(
+      "oauthEnrollCancel",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_CANCEL));
+  localized_strings->SetString(
+      "oauthEnrollDone",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_DONE));
+  localized_strings->SetString(
+      "oauthEnrollSuccess",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_SUCCESS));
+  localized_strings->SetString(
+      "oauthEnrollWorking",
+      l10n_util::GetStringUTF16(IDS_ENTERPRISE_ENROLLMENT_WORKING));
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnGetOAuthTokenFailure() {
+  ResetAuth();
+  ShowFatalAuthError();
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnOAuthGetAccessTokenFailure(
+    const GoogleServiceAuthError& error) {
+  ResetAuth();
+  ShowAuthError(error);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnOAuthWrapBridgeSuccess(
+    const std::string& service_scope,
+    const std::string& token,
+    const std::string& expires_in) {
+  DCHECK_EQ(service_scope, GaiaConstants::kDeviceManagementServiceOAuth);
+  ResetAuth();
+
+  if (!controller_ || user_.empty()) {
+    NOTREACHED();
+    return;
+  }
+
+  controller_->OnOAuthTokenAvailable(user_, token);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnOAuthWrapBridgeFailure(
+    const std::string& service_scope,
+    const GoogleServiceAuthError& error) {
+  ResetAuth();
+  ShowAuthError(error);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnUserInfoSuccess(
+    const std::string& email) {
+  ResetAuth();
+  NOTREACHED();
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::OnUserInfoFailure(
+    const GoogleServiceAuthError& error) {
+  ResetAuth();
+  NOTREACHED();
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::Initialize() {
+  if (show_on_init_) {
+    Show();
+    show_on_init_ = false;
+  }
+}
+
+// EnterpriseOAuthEnrollmentScreenHandler, private -----------------------------
+
+void EnterpriseOAuthEnrollmentScreenHandler::HandleClose(
+    const base::ListValue* value) {
+  ResetAuth();
+
+  if (!controller_) {
+    NOTREACHED();
+    return;
+  }
+
+  controller_->OnConfirmationClosed();
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::HandleCompleteLogin(
+    const base::ListValue* value) {
+  if (!controller_) {
+    NOTREACHED();
+    return;
+  }
+
+  if (!value->GetString(0, &user_)) {
+    NOTREACHED() << "Invalid user parameter from UI.";
+    return;
+  }
+
+  Profile* profile =
+      Profile::FromBrowserContext(web_ui_->tab_contents()->browser_context());
+  oauth_fetcher_.reset(
+      new GaiaOAuthFetcher(this,
+                           profile->GetRequestContext(),
+                           profile,
+                           GaiaConstants::kDeviceManagementServiceOAuth));
+  oauth_fetcher_->SetAutoFetchLimit(
+      GaiaOAuthFetcher::OAUTH2_SERVICE_ACCESS_TOKEN);
+  oauth_fetcher_->StartGetOAuthTokenRequest();
+
+  ShowStep(kEnrollmentStepWorking);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::HandleRetry(
+    const base::ListValue* value) {
+  Show();
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowStep(const char* step) {
+  base::StringValue step_value(step);
+  web_ui_->CallJavascriptFunction("oobe.OAuthEnrollmentScreen.showStep",
+                                  step_value);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ShowError(int message_id,
+                                                       bool retry) {
+  const std::string message(l10n_util::GetStringUTF8(message_id));
+  base::StringValue message_value(message);
+  base::FundamentalValue retry_value(retry);
+  web_ui_->CallJavascriptFunction("oobe.OAuthEnrollmentScreen.showError",
+                                  message_value,
+                                  retry_value);
+}
+
+void EnterpriseOAuthEnrollmentScreenHandler::ResetAuth() {
+  oauth_fetcher_.reset();
+
+  // Clear page state.
+  int remove_mask =
+      BrowsingDataRemover::REMOVE_COOKIES |
+      BrowsingDataRemover::REMOVE_LSO_DATA;
+  (new BrowsingDataRemover(
+      Profile::FromBrowserContext(web_ui_->tab_contents()->browser_context()),
+      BrowsingDataRemover::EVERYTHING,
+      base::Time()))->Remove(remove_mask);
+}
+
+
+}  // namespace chromeos

chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h

+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_UI_WEBUI_CHROMEOS_LOGIN_ENTERPRISE_OAUTH_ENROLLMENT_SCREEN_HANDLER_H_
+#define CHROME_BROWSER_UI_WEBUI_CHROMEOS_LOGIN_ENTERPRISE_OAUTH_ENROLLMENT_SCREEN_HANDLER_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/scoped_ptr.h"
+#include "base/values.h"
+#include "chrome/browser/chromeos/login/enterprise_enrollment_screen_actor.h"
+#include "chrome/browser/net/gaia/gaia_oauth_consumer.h"
+#include "chrome/browser/ui/webui/chromeos/login/base_screen_handler.h"
+#include "chrome/browser/ui/webui/chromeos/login/oobe_ui.h"
+
+class GaiaOAuthFetcher;
+
+namespace chromeos {
+
+// WebUIMessageHandler implementation which handles events occurring on the
+// page, such as the user pressing the signin button.
+class EnterpriseOAuthEnrollmentScreenHandler
+    : public BaseScreenHandler,
+      public EnterpriseEnrollmentScreenActor,
+      public GaiaOAuthConsumer {
+ public:
+  EnterpriseOAuthEnrollmentScreenHandler();
+  virtual ~EnterpriseOAuthEnrollmentScreenHandler();
+
+  // Implements WebUIMessageHandler:
+  virtual void RegisterMessages() OVERRIDE;
+
+  // Implements EnterpriseEnrollmentScreenActor:
+  virtual void SetController(Controller* controller);
+  virtual void PrepareToShow() OVERRIDE;
+  virtual void Show() OVERRIDE;
+  virtual void Hide() OVERRIDE;
+  virtual void SetEditableUser(bool editable) OVERRIDE;
+  virtual void ShowConfirmationScreen() OVERRIDE;
+  virtual void ShowAuthError(const GoogleServiceAuthError& error) OVERRIDE;
+  virtual void ShowAccountError() OVERRIDE;
+  virtual void ShowFatalAuthError() OVERRIDE;
+  virtual void ShowFatalEnrollmentError() OVERRIDE;
+  virtual void ShowNetworkEnrollmentError() OVERRIDE;
+
+  // Implements BaseScreenHandler:
+  virtual void GetLocalizedStrings(
+      base::DictionaryValue* localized_strings) OVERRIDE;
+
+  // Implements GaiaOAuthConsumer:
+  virtual void OnGetOAuthTokenFailure() OVERRIDE;
+  virtual void OnOAuthGetAccessTokenFailure(
+      const GoogleServiceAuthError& error) OVERRIDE;
+  virtual void OnOAuthWrapBridgeSuccess(const std::string& service_scope,
+                                        const std::string& token,
+                                        const std::string& expires_in) OVERRIDE;
+  virtual void OnOAuthWrapBridgeFailure(
+      const std::string& service_scope,
+      const GoogleServiceAuthError& error) OVERRIDE;
+  virtual void OnUserInfoSuccess(const std::string& email) OVERRIDE;
+  virtual void OnUserInfoFailure(const GoogleServiceAuthError& error) OVERRIDE;
+
+ protected:
+  // Implements BaseScreenHandler:
+  virtual void Initialize() OVERRIDE;
+
+  // Keeps the controller for this actor.
+  Controller* controller_;
+
+ private:
+  // Handlers for WebUI messages.
+  void HandleClose(const base::ListValue* args);
+  void HandleCompleteLogin(const base::ListValue* args);
+  void HandleRetry(const base::ListValue* args);
+
+  // Shows a given enrollment step.
+  void ShowStep(const char* step);
+
+  // Display the given i18n string as error message.
+  void ShowError(int message_id, bool retry);
+
+  // Resets the authentication machinery and clears cookies, so other screens
+  // (like the actual login screen) find a clean slate and don't pick up our
+  // auth state.
+  void ResetAuth();
+
+  bool editable_user_;
+  bool show_on_init_;
+
+  // Username of the user signing in.
+  std::string user_;
+
+  // This intentionally lives here and not in the controller, since it needs to
+  // execute requests in the context of the profile that displays the webui.
+  scoped_ptr<GaiaOAuthFetcher> oauth_fetcher_;
+
+  DISALLOW_COPY_AND_ASSIGN(EnterpriseOAuthEnrollmentScreenHandler);
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_UI_WEBUI_CHROMEOS_LOGIN_ENTERPRISE_OAUTH_ENROLLMENT_SCREEN_HANDLER_H_

chrome/browser/ui/webui/chromeos/login/oobe_ui.cc

@@ -6,6 +6,7 @@
 
 #include <string>
 
+#include "base/command_line.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/values.h"
@@ -17,6 +18,7 @@
 #include "chrome/browser/ui/webui/chromeos/login/base_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/core_oobe_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/enterprise_enrollment_screen_handler.h"
+#include "chrome/browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/eula_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/network_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
@@ -24,6 +26,7 @@
 #include "chrome/browser/ui/webui/chromeos/login/user_image_screen_handler.h"
 #include "chrome/browser/ui/webui/options/chromeos/user_image_source.h"
 #include "chrome/browser/ui/webui/theme_source.h"
+#include "chrome/common/chrome_switches.h"
 #include "chrome/common/jstemplate_builder.h"
 #include "chrome/common/url_constants.h"
 #include "content/browser/tab_contents/tab_contents.h"
@@ -110,10 +113,19 @@ OobeUI::OobeUI(TabContents* contents)
   update_screen_actor_ = update_screen_handler;
   AddScreenHandler(update_screen_handler);
 
-  EnterpriseEnrollmentScreenHandler* enterprise_enrollment_screen_handler =
-      new EnterpriseEnrollmentScreenHandler;
-  enterprise_enrollment_screen_actor_ = enterprise_enrollment_screen_handler;
-  AddScreenHandler(enterprise_enrollment_screen_handler);
+  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kWebUILogin)) {
+    EnterpriseOAuthEnrollmentScreenHandler*
+        enterprise_oauth_enrollment_screen_handler =
+            new EnterpriseOAuthEnrollmentScreenHandler;
+    enterprise_enrollment_screen_actor_ =
+        enterprise_oauth_enrollment_screen_handler;
+    AddScreenHandler(enterprise_oauth_enrollment_screen_handler);
+  } else {
+    EnterpriseEnrollmentScreenHandler* enterprise_enrollment_screen_handler =
+        new EnterpriseEnrollmentScreenHandler;
+    enterprise_enrollment_screen_actor_ = enterprise_enrollment_screen_handler;
+    AddScreenHandler(enterprise_enrollment_screen_handler);
+  }
 
   UserImageScreenHandler* user_image_screen_handler =
       new UserImageScreenHandler();

chrome/chrome_browser.gypi

@@ -3458,6 +3458,8 @@
         'browser/ui/webui/chromeos/login/core_oobe_handler.h',
         'browser/ui/webui/chromeos/login/enterprise_enrollment_screen_handler.cc',
         'browser/ui/webui/chromeos/login/enterprise_enrollment_screen_handler.h',
+        'browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.cc',
+        'browser/ui/webui/chromeos/login/enterprise_oauth_enrollment_screen_handler.h',
         'browser/ui/webui/chromeos/login/eula_screen_handler.cc',
         'browser/ui/webui/chromeos/login/eula_screen_handler.h',
         'browser/ui/webui/chromeos/login/login_ui.cc',