Commit 923cf5e5 authored by Miriam Polzer, committed by Chromium LUCI CQ

Fix equality check of enrollment domains

During re-enrollment, if install attributes are present, we check that
the domain to re-enroll to matches the one in install attributes.

Only compare install attributes domain to the login-given domain if
it is non-empty, i.e. if a gaia login took place.

If no login happened, e.g. during auto re-enrollment, the domain is
provided by the server and stored in the enrollment config. Policy
validation will fail if the server provided domain is different from
the one in install attributes. The check edited in this CL is not
necessary in this case.

Bug: 1158573
Change-Id: I4c65c5d91f237a24d02edfac6aec6c5f31a6eeb2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2598852
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Miriam Polzer <mpolzer@google.com>
Cr-Commit-Position: refs/heads/master@{#842452}
parent 2c2fdc7c
......@@ -259,7 +259,13 @@ void EnterpriseEnrollmentHelperImpl::DoEnroll(policy::DMAuth auth_data) {
policy::BrowserPolicyConnectorChromeOS* connector =
g_browser_process->platform_part()->browser_policy_connector_chromeos();
// Re-enrollment is not implemented for Active Directory.
if (connector->IsCloudManaged() &&
// If an enrollment domain is already fixed in install attributes and
// re-enrollment happens via login, domains need to be equal.
// If there is a mismatch between domain set in install attributes and
// auto re-enrollment domain provided by the server, policy validation will
// fail later in the process.
if (connector->IsCloudManaged() && !enrolling_user_domain_.empty() &&
!enrollment_config_.is_mode_attestation() &&
connector->GetEnterpriseEnrollmentDomain() != enrolling_user_domain_) {
LOG(ERROR) << "Trying to re-enroll to a different domain than "
<< connector->GetEnterpriseEnrollmentDomain();
......
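Review bot: the added `!enrolling_user_domain_.empty()` term in the `if` condition makes an empty string stand for "no login took place", so every call that reaches DoEnroll with an empty `enrolling_user_domain_` now skips the comparison against `connector->GetEnterpriseEnrollmentDomain()`. The new comment says a mismatch with the server-provided domain is rejected later by policy validation, but the hunk neither names that validation step nor shows a test for it. Consider naming the validating code in the comment and adding a test that auto re-enrollment to a domain different from the one in install attributes still fails, so the guarantee this condition now depends on is pinned down. If a login flow is never expected to produce an empty domain, it would also help to state that next to the condition.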