Chromad: Do not force online signin on TGT problems

Now users are blocked on online signin when authpolicyd failed to get
kerberos credentials

BUG=chromium:824204
TEST=AuthPolicyCredentialsManagerTest.*

Change-Id: Iae490a5615842aaae356e29501667453d86cd11c
Reviewed-on: https://chromium-review.googlesource.com/983917
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547687}

chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc

@@ -202,28 +202,28 @@ void AuthPolicyCredentialsManager::OnGetUserStatusCallback(
     UpdateDisplayAndGivenName(user_status.account_info());
   }
 
-  // user_status.password_status() is missing if the TGT is invalid.
-  bool password_ok = false;
+  // user_status.password_status() is missing if the TGT is invalid or device is
+  // offline.
+  bool force_online_signin = false;
   if (user_status.has_password_status()) {
     switch (user_status.password_status()) {
       case authpolicy::ActiveDirectoryUserStatus::PASSWORD_VALID:
-        password_ok = true;
         break;
       case authpolicy::ActiveDirectoryUserStatus::PASSWORD_EXPIRED:
         ShowNotification(IDS_ACTIVE_DIRECTORY_PASSWORD_EXPIRED);
+        force_online_signin = true;
         break;
       case authpolicy::ActiveDirectoryUserStatus::PASSWORD_CHANGED:
         ShowNotification(IDS_ACTIVE_DIRECTORY_PASSWORD_CHANGED);
+        force_online_signin = true;
         break;
     }
   }
 
   // user_status.tgt_status() is always present.
-  bool tgt_ok = false;
   DCHECK(user_status.has_tgt_status());
   switch (user_status.tgt_status()) {
     case authpolicy::ActiveDirectoryUserStatus::TGT_VALID:
-      tgt_ok = true;
       break;
     case authpolicy::ActiveDirectoryUserStatus::TGT_EXPIRED:
     case authpolicy::ActiveDirectoryUserStatus::TGT_NOT_FOUND:
@@ -231,8 +231,8 @@ void AuthPolicyCredentialsManager::OnGetUserStatusCallback(
       break;
   }
 
-  const bool ok = password_ok && tgt_ok;
-  user_manager::UserManager::Get()->SaveForceOnlineSignin(account_id_, !ok);
+  user_manager::UserManager::Get()->SaveForceOnlineSignin(account_id_,
+                                                          force_online_signin);
 }
 
 void AuthPolicyCredentialsManager::GetUserKerberosFiles() {

chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager_unittest.cc

@@ -184,4 +184,24 @@ TEST_F(AuthPolicyCredentialsManagerTest, ShowDifferentNotifications) {
   EXPECT_EQ(0, GetNumberOfNotifications());
 }
 
+// Tests invalid TGT status does not force online signin but still shows
+// a notification.
+TEST_F(AuthPolicyCredentialsManagerTest, InvalidTGTDoesntForceOnlineSignin) {
+  fake_auth_policy_client()->set_tgt_status(
+      authpolicy::ActiveDirectoryUserStatus::TGT_EXPIRED);
+  EXPECT_CALL(*mock_user_manager(), SaveForceOnlineSignin(account_id(), false));
+  CallGetUserStatusAndWait();
+  EXPECT_EQ(1, GetNumberOfNotifications());
+  CancelNotificationById(IDS_ACTIVE_DIRECTORY_REFRESH_AUTH_TOKEN);
+  EXPECT_EQ(0, GetNumberOfNotifications());
+}
+
+// Tests successfull case does not show any notification and does not force
+// online signin.
+TEST_F(AuthPolicyCredentialsManagerTest, Success_NoNotifications) {
+  EXPECT_CALL(*mock_user_manager(), SaveForceOnlineSignin(account_id(), false));
+  CallGetUserStatusAndWait();
+  EXPECT_EQ(0, GetNumberOfNotifications());
+}
+
 }  // namespace chromeos