Improve determination of managed state in DeviceSettingsProvider

Use PolicyData::management_mode to determine whether the device has a local owner and only fall back to DM token in case management_mode is unset. That way, the correct determination is guaranteed for both cloud and Active Directory management. (Currently, the code is not broken because AD policy doesn't include a user name, but that might change in the future.) Also update the PolicyData::management_mode documentation to include Active Directory. BUG=722799 Review-Url: https://codereview.chromium.org/2902183002 Cr-Commit-Position: refs/heads/master@{#476239}

Improve determination of managed state in DeviceSettingsProvider
Use PolicyData::management_mode to determine whether the device has a local owner and only fall back to DM token in case management_mode is unset. That way, the correct determination is guaranteed for both cloud and Active Directory management. (Currently, the code is not broken because AD policy doesn't include a user name, but that might change in the future.) Also update the PolicyData::management_mode documentation to include Active Directory. BUG=722799 Review-Url: https://codereview.chromium.org/2902183002 Cr-Commit-Position: refs/heads/master@{#476239}
92db6b2c · tnagel · Commit Bot · 2c935aff · 92db6b2c · 92db6b2c
Commit 92db6b2c authored Jun 01, 2017 by tnagel Committed by Commit Bot Jun 01, 2017
2 changed files
--- a/chrome/browser/chromeos/settings/device_settings_provider.cc
+++ b/chrome/browser/chromeos/settings/device_settings_provider.cc
@@ -742,8 +742,18 @@ void DeviceSettingsProvider::UpdateValuesCache(
    TrustedStatus trusted_status) {
  PrefValueMap new_values_cache;
+  // Determine whether device is managed. See PolicyData::management_mode docs
+  // for details.
+  bool managed = false;
+  if (policy_data.has_management_mode()) {
+    managed =
+        (policy_data.management_mode() == em::PolicyData::ENTERPRISE_MANAGED);
+  } else {
+    managed = policy_data.has_request_token();
+  }
  // If the device is not managed, we set the device owner value.
-  if (policy_data.has_username() && !policy_data.has_request_token())
+  if (policy_data.has_username() && !managed)
    new_values_cache.SetString(kDeviceOwner, policy_data.username());
  if (policy_data.has_service_account_identity()) {

--- a/components/policy/proto/device_management_backend.proto
+++ b/components/policy/proto/device_management_backend.proto
@@ -292,10 +292,13 @@ message PolicyData {
  // anything like that.
  optional int64 timestamp = 2;
-  // The DM token that was used by the client in the HTTP POST header
+  // The DM token that was used by the client in the HTTP POST header for
-  // for authenticating the request. It is included here again so that
+  // authenticating the request. It is included here again so that the client
-  // the client can verify that the response is meant for them (and not
+  // can verify that the response is meant for them (and not issued by a replay
-  // issued by a replay or man-in-the-middle attack).
+  // or man-in-the-middle attack).
+  // Note that the existence or non-existence of the DM token is not the correct
+  // way to determine whether the device is managed. Cf. |management_mode| below
+  // for details.
  optional string request_token = 3;
  // The serialized value of the actual policy protobuf.  This can be
@@ -370,8 +373,8 @@ message PolicyData {
    // The device is owned locally. The policies are set by the local owner of
    // the device.
    LOCAL_OWNER = 0;
-    // The device is enterprise-managed. The policies come from the enterprise
+    // The device is enterprise-managed (either via DM server or through Active
-    // server. See the comment above for backward compatibility.
+    // Directory). See the comment above for backward compatibility.
    ENTERPRISE_MANAGED = 1;
    // Obsolete. Don't use.
    OBSOLETE_CONSUMER_MANAGED = 2;