Fix UserAvatarImage and WallpaperImage for Chromad

Both are 'external'-type policies, i.e. the images are not included in the policy, but downloaded separately. However, the mechanisms to download external user policies were not hooked up. This CL wires them up. Interestingly, DeviceWallpaperImage works fine. BUG=chromium:819561 TEST=out/Release/unit_tests --gtest_filter=ActiveDirectoryPolicyManagerTest.* Set UserAvatarImage and WallpaperImage on Windows Server and verified that it applies on a domain joined Chromebook. Change-Id: I8670a3e1ba0edcee31ed5753be92b021e9553bb0 Reviewed-on: https://chromium-review.googlesource.com/952903 Commit-Queue: Lutz Justen <ljusten@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Cr-Commit-Position: refs/heads/master@{#543084}

Fix UserAvatarImage and WallpaperImage for Chromad
Both are 'external'-type policies, i.e. the images are not included in the policy, but downloaded separately. However, the mechanisms to download external user policies were not hooked up. This CL wires them up. Interestingly, DeviceWallpaperImage works fine. BUG=chromium:819561 TEST=out/Release/unit_tests --gtest_filter=ActiveDirectoryPolicyManagerTest.* Set UserAvatarImage and WallpaperImage on Windows Server and verified that it applies on a domain joined Chromebook. Change-Id: I8670a3e1ba0edcee31ed5753be92b021e9553bb0 Reviewed-on: https://chromium-review.googlesource.com/952903 Commit-Queue: Lutz Justen <ljusten@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Cr-Commit-Position: refs/heads/master@{#543084}
a42f0327 · Lutz Justen · Commit Bot · 596138ff · a42f0327 · a42f0327
Commit a42f0327 authored Mar 14, 2018 by Lutz Justen Committed by Commit Bot Mar 14, 2018
7 changed files
--- a/chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc
+++ b/chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc
@@ -268,10 +268,6 @@ ChromeUserManagerImpl::ChromeUserManagerImpl()
    GetMinimumVersionPolicyHandler()->AddObserver(this);
  }

-  if (!device_local_account_policy_service) {
-    return;
-  }
-
  avatar_policy_observer_ =
      std::make_unique<policy::CloudExternalDataPolicyObserver>(
          cros_settings_, device_local_account_policy_service,

--- a/chrome/browser/chromeos/policy/active_directory_policy_manager.cc
+++ b/chrome/browser/chromeos/policy/active_directory_policy_manager.cc
@@ -9,11 +9,14 @@

 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
+#include "chrome/browser/browser_process.h"
 #include "chromeos/dbus/auth_policy_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "components/policy/core/common/cloud/cloud_external_data_manager.h"
 #include "components/policy/core/common/policy_bundle.h"
 #include "components/policy/core/common/policy_types.h"
 #include "components/policy/policy_constants.h"
+#include "net/url_request/url_request_context_getter.h"

 namespace {

@@ -37,9 +40,9 @@ std::unique_ptr<ActiveDirectoryPolicyManager>
 ActiveDirectoryPolicyManager::CreateForDevicePolicy(
    std::unique_ptr<CloudPolicyStore> store) {
  // Can't use MakeUnique<> because the constructor is private.
-  return base::WrapUnique(
-      new ActiveDirectoryPolicyManager(EmptyAccountId(), base::TimeDelta(),
-                                       base::OnceClosure(), std::move(store)));
+  return base::WrapUnique(new ActiveDirectoryPolicyManager(
+      EmptyAccountId(), base::TimeDelta(), base::OnceClosure(),
+      std::move(store), nullptr /* external_data_manager */));
 }

 // static
@@ -48,11 +51,12 @@ ActiveDirectoryPolicyManager::CreateForUserPolicy(
    const AccountId& account_id,
    base::TimeDelta initial_policy_fetch_timeout,
    base::OnceClosure exit_session,
-    std::unique_ptr<CloudPolicyStore> store) {
+    std::unique_ptr<CloudPolicyStore> store,
+    std::unique_ptr<CloudExternalDataManager> external_data_manager) {
  // Can't use MakeUnique<> because the constructor is private.
  return base::WrapUnique(new ActiveDirectoryPolicyManager(
      account_id, initial_policy_fetch_timeout, std::move(exit_session),
-      std::move(store)));
+      std::move(store), std::move(external_data_manager)));
 }

 void ActiveDirectoryPolicyManager::Init(SchemaRegistry* registry) {
@@ -72,9 +76,20 @@ void ActiveDirectoryPolicyManager::Init(SchemaRegistry* registry) {
      base::BindRepeating(&ActiveDirectoryPolicyManager::OnPolicyFetched,
                          weak_ptr_factory_.GetWeakPtr()),
      kFetchInterval);
+
+  if (external_data_manager_) {
+    // Use the system request context here instead of a context derived from the
+    // Profile because Connect() is called before the profile is fully
+    // initialized (required so we can perform the initial policy load).
+    // Note: The request context can be null for tests and for device policy.
+    external_data_manager_->Connect(
+        g_browser_process->system_request_context());
+  }
 }

 void ActiveDirectoryPolicyManager::Shutdown() {
+  if (external_data_manager_)
+    external_data_manager_->Disconnect();
  store_->RemoveObserver(this);
  ConfigurationPolicyProvider::Shutdown();
 }
@@ -130,13 +145,15 @@ ActiveDirectoryPolicyManager::ActiveDirectoryPolicyManager(
    const AccountId& account_id,
    base::TimeDelta initial_policy_fetch_timeout,
    base::OnceClosure exit_session,
-    std::unique_ptr<CloudPolicyStore> store)
+    std::unique_ptr<CloudPolicyStore> store,
+    std::unique_ptr<CloudExternalDataManager> external_data_manager)
    : account_id_(account_id),
      waiting_for_initial_policy_fetch_(
          !initial_policy_fetch_timeout.is_zero()),
      initial_policy_fetch_may_fail_(!initial_policy_fetch_timeout.is_max()),
      exit_session_(std::move(exit_session)),
-      store_(std::move(store)) {
+      store_(std::move(store)),
+      external_data_manager_(std::move(external_data_manager)) {
  // Delaying initialization complete is intended for user policy only.
  DCHECK(account_id != EmptyAccountId() || !waiting_for_initial_policy_fetch_);
  if (waiting_for_initial_policy_fetch_ && initial_policy_fetch_may_fail_) {

--- a/chrome/browser/chromeos/policy/active_directory_policy_manager.h
+++ b/chrome/browser/chromeos/policy/active_directory_policy_manager.h
@@ -19,6 +19,8 @@

 namespace policy {

+class CloudExternalDataManager;
+
 // ConfigurationPolicyProvider for device or user policy from Active Directory.
 // The choice of constructor determines whether device or user policy is
 // provided.
@@ -40,7 +42,8 @@ class ActiveDirectoryPolicyManager : public ConfigurationPolicyProvider,
      const AccountId& account_id,
      base::TimeDelta initial_policy_fetch_timeout,
      base::OnceClosure exit_session,
-      std::unique_ptr<CloudPolicyStore> store);
+      std::unique_ptr<CloudPolicyStore> store,
+      std::unique_ptr<CloudExternalDataManager> external_data_manager);

  // ConfigurationPolicyProvider:
  void Init(SchemaRegistry* registry) override;
@@ -71,10 +74,12 @@ class ActiveDirectoryPolicyManager : public ConfigurationPolicyProvider,
  // enforce successful policy fetch. In case the conditions for signaling
  // initialization complete are not met, the user session is aborted by calling
  // |exit_session|.
-  ActiveDirectoryPolicyManager(const AccountId& account_id,
-                               base::TimeDelta initial_policy_fetch_timeout,
-                               base::OnceClosure exit_session,
-                               std::unique_ptr<CloudPolicyStore> store);
+  ActiveDirectoryPolicyManager(
+      const AccountId& account_id,
+      base::TimeDelta initial_policy_fetch_timeout,
+      base::OnceClosure exit_session,
+      std::unique_ptr<CloudPolicyStore> store,
+      std::unique_ptr<CloudExternalDataManager> external_data_manager);

  // Publish the policy that's currently cached in the store.
  void PublishPolicy();
@@ -123,7 +128,12 @@ class ActiveDirectoryPolicyManager : public ConfigurationPolicyProvider,
  // Callback to exit the session.
  base::OnceClosure exit_session_;

+  // Store used to serialize policy, usually sends data to Session Manager.
  std::unique_ptr<CloudPolicyStore> store_;
+
+  // Manages external data referenced by policies.
+  std::unique_ptr<CloudExternalDataManager> external_data_manager_;
+
  std::unique_ptr<PolicyScheduler> scheduler_;

  // Must be last member.

--- a/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
+++ b/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
@@ -16,9 +16,11 @@
 #include "base/time/time.h"
 #include "chromeos/dbus/auth_policy_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "components/policy/core/common/cloud/mock_cloud_external_data_manager.h"
 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h"
 #include "components/policy/core/common/schema_registry.h"
 #include "components/signin/core/account_id/account_id.h"
+#include "net/url_request/url_request_context_getter.h"
 #include "testing/gtest/include/gtest/gtest.h"

 namespace {
@@ -94,10 +96,63 @@ class ActiveDirectoryPolicyManagerTest : public testing::Test {

  ~ActiveDirectoryPolicyManagerTest() override {
    EXPECT_EQ(session_exit_expected_, session_exited_);
+    if (mock_external_data_manager_)
+      EXPECT_CALL(*mock_external_data_manager_, Disconnect());
    policy_manager_->Shutdown();
  }

 protected:
+  // Creates |mock_store_|, |mock_external_data_manager_| and |policy_manager_|
+  // with fake AD account id and |initial_policy_fetch_timeout| as timeout.
+  void CreateUserPolicyManager(base::TimeDelta initial_policy_fetch_timeout) {
+    auto account_id = AccountId::AdFromUserEmailObjGuid("bla", "ble");
+
+    auto mock_store_unique_ptr = std::make_unique<MockCloudPolicyStore>();
+    mock_store_ = mock_store_unique_ptr.get();
+
+    auto mock_external_data_manager_unique_ptr =
+        std::make_unique<MockCloudExternalDataManager>();
+    mock_external_data_manager_ = mock_external_data_manager_unique_ptr.get();
+
+    base::OnceClosure exit_session = base::BindOnce(
+        &ActiveDirectoryPolicyManagerTest::ExitSession, base::Unretained(this));
+
+    policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
+        account_id, initial_policy_fetch_timeout, std::move(exit_session),
+        std::move(mock_store_unique_ptr),
+        std::move(mock_external_data_manager_unique_ptr));
+
+    ASSERT_TRUE(policy_manager_);
+    EXPECT_FALSE(
+        policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+  }
+
+  // Creates |mock_store_| and |policy_manager_|.
+  void CreateDevicePolicyManager() {
+    auto mock_store_unique_ptr = std::make_unique<MockCloudPolicyStore>();
+    mock_store_ = mock_store_unique_ptr.get();
+
+    policy_manager_ = ActiveDirectoryPolicyManager::CreateForDevicePolicy(
+        std::move(mock_store_unique_ptr));
+
+    ASSERT_TRUE(policy_manager_);
+    EXPECT_FALSE(
+        policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+  }
+
+  // Initializes the policy manager and verifies expectations on mock classes.
+  void InitPolicyManagerAndVerifyExpectations() {
+    EXPECT_CALL(*mock_store_, Load());
+    if (mock_external_data_manager_) {
+      EXPECT_CALL(*mock_external_data_manager_,
+                  Connect(scoped_refptr<net::URLRequestContextGetter>()));
+    }
+    policy_manager_->Init(&schema_registry_);
+    testing::Mock::VerifyAndClearExpectations(mock_store_);
+    if (mock_external_data_manager_)
+      testing::Mock::VerifyAndClearExpectations(mock_external_data_manager_);
+  }
+
  // Expect that session exit will be called below. (Must only be called once.)
  void ExpectSessionExit() {
    ASSERT_FALSE(session_exit_expected_);
@@ -121,20 +176,12 @@ class ActiveDirectoryPolicyManagerTest : public testing::Test {
  bool session_exited_ = false;
  bool session_exit_expected_ = false;

-  // To be handed over to ActiveDirectoryPolicyManager.
-  base::OnceClosure exit_session_{
-      base::BindOnce(&ActiveDirectoryPolicyManagerTest::ExitSession,
-                     base::Unretained(this))};
-
-  // To be handed over to ActiveDirectoryPolicyManager ...
-  std::unique_ptr<MockCloudPolicyStore> mock_store_unique_ptr_{
-      std::make_unique<MockCloudPolicyStore>()};
-
-  // ... but keeping a non-owned pointer.
-  MockCloudPolicyStore* mock_store_{mock_store_unique_ptr_.get()};
+  // Created by CreateUserPolicyManager().
+  MockCloudPolicyStore* mock_store_ = nullptr;
+  MockCloudExternalDataManager* mock_external_data_manager_ = nullptr;

  // Owned by DBusThreadManager.
-  TestAuthPolicyClient* mock_client_;
+  TestAuthPolicyClient* mock_client_ = nullptr;

  SchemaRegistry schema_registry_;

@@ -146,18 +193,14 @@ class ActiveDirectoryPolicyManagerTest : public testing::Test {
  base::test::ScopedTaskEnvironment scoped_task_environment_;
 };

-TEST_F(ActiveDirectoryPolicyManagerTest, DontWait) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta(),
-      std::move(exit_session_), std::move(mock_store_unique_ptr_));
-  EXPECT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest, UserManager_DontWait) {
+  CreateUserPolicyManager(base::TimeDelta());

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  // Simulate failed store load. Initialization is reported complete at this
@@ -166,6 +209,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, DontWait) {
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -177,18 +221,14 @@ TEST_F(ActiveDirectoryPolicyManagerTest, DontWait) {
 // If the initial fetch timeout is infinite, initialization is only complete
 // after policy has been fetched and after that has been loaded.
 TEST_F(ActiveDirectoryPolicyManagerTest,
-       WaitInfinite_LoadSuccess_FetchSuccess) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(),
-      std::move(exit_session_), std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+       UserManager_WaitInfinite_LoadSuccess_FetchSuccess) {
+  CreateUserPolicyManager(base::TimeDelta::Max());

  // Configure mock policy fetch to succeed.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_NONE);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate successful store load.
  mock_store_->policy_ = std::make_unique<enterprise_management::PolicyData>();
@@ -196,6 +236,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest,
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -207,18 +248,14 @@ TEST_F(ActiveDirectoryPolicyManagerTest,
 // If the initial fetch timeout is infinite, initialization does not complete if
 // load after fetch fails.
 TEST_F(ActiveDirectoryPolicyManagerTest,
-       WaitInfinite_LoadSuccess_FetchSuccess_LoadFail) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(),
-      std::move(exit_session_), std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+       UserManager_WaitInfinite_LoadSuccess_FetchSuccess_LoadFail) {
+  CreateUserPolicyManager(base::TimeDelta::Max());

  // Configure mock policy fetch to succeed.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_NONE);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate successful store load.
  mock_store_->policy_ = std::make_unique<enterprise_management::PolicyData>();
@@ -226,6 +263,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest,
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -244,18 +282,15 @@ TEST_F(ActiveDirectoryPolicyManagerTest,

 // If the initial fetch timeout is infinite, failure in policy fetch prevents
 // initialization from finishing, ever.
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitInfinite_LoadSuccess_FetchFail) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(),
-      std::move(exit_session_), std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitInfinite_LoadSuccess_FetchFail) {
+  CreateUserPolicyManager(base::TimeDelta::Max());

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate successful store load.
  mock_store_->policy_ = std::make_unique<enterprise_management::PolicyData>();
@@ -265,6 +300,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitInfinite_LoadSuccess_FetchFail) {
  ExpectSessionExit();

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -278,19 +314,15 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitInfinite_LoadSuccess_FetchFail) {
 // If the initial fetch timeout is not infinite, we're in best-effort mode but
 // still require the policy load to succeed so that there's *some* policy
 // present (though possibly outdated).
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchFail) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"),
-      base::TimeDelta::FromDays(365), std::move(exit_session_),
-      std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitFinite_LoadSuccess_FetchFail) {
+  CreateUserPolicyManager(base::TimeDelta::FromDays(365));

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate successful store load.
  mock_store_->policy_ = std::make_unique<enterprise_management::PolicyData>();
@@ -300,6 +332,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchFail) {
  // Process reply for mock policy fetch. At this point initialization is
  // complete (we have waited for the fetch but now that we know it has failed
  // we continue).
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -312,21 +345,18 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchFail) {
 // still require the policy load to succeed so that there's *some* policy
 // present (though possibly outdated). Here the sequence is inverted: Fetch
 // returns before load.
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_FetchFail_LoadSuccess) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"),
-      base::TimeDelta::FromDays(365), std::move(exit_session_),
-      std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitFinite_FetchFail_LoadSuccess) {
+  CreateUserPolicyManager(base::TimeDelta::FromDays(365));

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -338,19 +368,15 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_FetchFail_LoadSuccess) {

 // If the initial fetch timeout is not infinite, we're in best-effort mode but
 // if we can't load existing policy from disk we have to give up.
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadFail_FetchFail) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"),
-      base::TimeDelta::FromDays(365), std::move(exit_session_),
-      std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitFinite_LoadFail_FetchFail) {
+  CreateUserPolicyManager(base::TimeDelta::FromDays(365));

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate failed store load.
  mock_store_->NotifyStoreError();
@@ -359,6 +385,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadFail_FetchFail) {
  ExpectSessionExit();

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -373,19 +400,15 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadFail_FetchFail) {
 // If the initial fetch timeout is not infinite, we're in best-effort mode and
 // upon timeout initialization is complete if any policy could be loaded from
 // disk.
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchTimeout) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"),
-      base::TimeDelta::FromDays(365), std::move(exit_session_),
-      std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitFinite_LoadSuccess_FetchTimeout) {
+  CreateUserPolicyManager(base::TimeDelta::FromDays(365));

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  // Simulate successful store load.
  mock_store_->policy_ = std::make_unique<enterprise_management::PolicyData>();
@@ -397,6 +420,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchTimeout) {
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -407,19 +431,15 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchTimeout) {

 // If the initial fetch timeout is not infinite, we're in best-effort mode but
 // without a successful policy load we still can't continue.
-TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadTimeout_FetchTimeout) {
-  policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy(
-      AccountId::AdFromUserEmailObjGuid("bla", "ble"),
-      base::TimeDelta::FromDays(365), std::move(exit_session_),
-      std::move(mock_store_unique_ptr_));
-  ASSERT_TRUE(policy_manager_);
-  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
+TEST_F(ActiveDirectoryPolicyManagerTest,
+       UserManager_WaitFinite_LoadTimeout_FetchTimeout) {
+  CreateUserPolicyManager(base::TimeDelta::FromDays(365));

  // Configure mock policy fetch to fail.
  mock_client_->SetRefreshUserPolicyCallbackError(authpolicy::ERROR_UNKNOWN);

  // Trigger mock policy fetch from authpolicyd.
-  policy_manager_->Init(&schema_registry_);
+  InitPolicyManagerAndVerifyExpectations();

  ExpectSessionExit();

@@ -430,6 +450,7 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadTimeout_FetchTimeout) {
  ExpectSessionExited();

  // Process reply for mock policy fetch.
+  EXPECT_CALL(*mock_store_, Load());
  base::RunLoop().RunUntilIdle();
  EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

@@ -439,4 +460,9 @@ TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadTimeout_FetchTimeout) {
  EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
 }

+TEST_F(ActiveDirectoryPolicyManagerTest, DeviceManager_Initialization) {
+  CreateDevicePolicyManager();
+  InitPolicyManagerAndVerifyExpectations();
+}
+
 }  // namespace policy
--- a/chrome/browser/chromeos/policy/cloud_external_data_policy_observer.cc
+++ b/chrome/browser/chromeos/policy/cloud_external_data_policy_observer.cc
@@ -192,7 +192,7 @@ void CloudExternalDataPolicyObserver::OnPolicyUpdated(
  }

  if (!device_local_account_policy_service_) {
-    NOTREACHED();
+    // May happen in tests.
    return;
  }
  DeviceLocalAccountPolicyBroker* broker =

--- a/chrome/browser/chromeos/policy/cloud_external_data_policy_observer.h
+++ b/chrome/browser/chromeos/policy/cloud_external_data_policy_observer.h
@@ -57,6 +57,8 @@ class CloudExternalDataPolicyObserver
    virtual ~Delegate();
  };

+  // |device_local_account_policy_service| may be nullptr if unavailable (e.g.
+  // Active Directory management mode).
  CloudExternalDataPolicyObserver(
      chromeos::CrosSettings* cros_settings,
      DeviceLocalAccountPolicyService* device_local_account_policy_service,
@@ -98,7 +100,7 @@ class CloudExternalDataPolicyObserver

  // A map from each logged-in user to the helper that observes |policy_| in the
  // user's PolicyService.
-  typedef std::map<std::string, linked_ptr<PolicyServiceObserver> >
+  typedef std::map<std::string, linked_ptr<PolicyServiceObserver>>
      LoggedInUserObserverMap;
  LoggedInUserObserverMap logged_in_user_observers_;

@@ -117,9 +119,8 @@ class CloudExternalDataPolicyObserver
  // A map from user ID to a base::WeakPtr for each external data fetch
  // currently in progress. This allows fetches to be effectively be canceled by
  // invalidating the pointers.
-  typedef base::WeakPtrFactory<CloudExternalDataPolicyObserver>
-      WeakPtrFactory;
-  typedef std::map<std::string, linked_ptr<WeakPtrFactory> > FetchWeakPtrMap;
+  using WeakPtrFactory = base::WeakPtrFactory<CloudExternalDataPolicyObserver>;
+  using FetchWeakPtrMap = std::map<std::string, linked_ptr<WeakPtrFactory>>;
  FetchWeakPtrMap fetch_weak_ptrs_;

  base::WeakPtrFactory<CloudExternalDataPolicyObserver> weak_factory_;

--- a/chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc
@@ -355,7 +355,8 @@ UserPolicyManagerFactoryChromeOS::CreateManagerForProfile(
    std::unique_ptr<ActiveDirectoryPolicyManager> manager =
        ActiveDirectoryPolicyManager::CreateForUserPolicy(
            account_id, policy_refresh_timeout,
-            base::BindOnce(&chrome::AttemptUserExit), std::move(store));
+            base::BindOnce(&chrome::AttemptUserExit), std::move(store),
+            std::move(external_data_manager));
    manager->Init(
        SchemaRegistryServiceFactory::GetForContext(profile)->registry());