Refactor CloudPolicyValidator

Refactored CloudPolicyValidator so that the base class doesn't expect
the policy_value() to be a protobuf. This is a preparation for the
support of extension policy for Active Directory managed devices, where
the policy_value() is a JSON blob.

Also removed the static Create methods. There's no reason to have them
as one can use the constructor directly. The rest is clang format.

BUG=chromium:735100
TEST=Trybots

Change-Id: Ic952c2cd00e945910f62d0ad08839282818d1d1e
Reviewed-on: https://chromium-review.googlesource.com/1002654Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550169}

chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc

@@ -114,10 +114,9 @@ void DeviceCloudPolicyStoreChromeOS::OnDeviceSettingsServiceShutdown() {
 std::unique_ptr<DeviceCloudPolicyValidator>
 DeviceCloudPolicyStoreChromeOS::CreateValidator(
     const em::PolicyFetchResponse& policy) {
-  std::unique_ptr<DeviceCloudPolicyValidator> validator(
-      DeviceCloudPolicyValidator::Create(
-          std::make_unique<em::PolicyFetchResponse>(policy),
-          background_task_runner_));
+  auto validator = std::make_unique<DeviceCloudPolicyValidator>(
+      std::make_unique<em::PolicyFetchResponse>(policy),
+      background_task_runner_);
   validator->ValidateDomain(install_attributes_->GetDomain());
   validator->ValidatePolicyType(dm_protocol::kChromeDevicePolicyType);
   validator->ValidatePayload();

chrome/browser/chromeos/policy/device_local_account_policy_store.cc

@@ -137,8 +137,7 @@ void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
   }
 
   session_manager_client_->StoreDeviceLocalAccountPolicy(
-      account_id_,
-      policy_blob,
+      account_id_, policy_blob,
       base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult,
                  weak_factory_.GetWeakPtr()));
 }
@@ -191,9 +190,8 @@ void DeviceLocalAccountPolicyStore::Validate(
     return;
   }
 
-  std::unique_ptr<UserCloudPolicyValidator> validator(
-      UserCloudPolicyValidator::Create(std::move(policy_response),
-                                       background_task_runner()));
+  auto validator = std::make_unique<UserCloudPolicyValidator>(
+      std::move(policy_response), background_task_runner());
   validator->ValidateUsername(account_id_, false);
   validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);
   // The timestamp is verified when storing a new policy downloaded from the

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

@@ -177,9 +177,9 @@ void EnrollmentHandlerChromeOS::HandleAvailableLicensesResult(
   if (!success) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::Bind(&EnrollmentHandlerChromeOS::ReportResult,
-            weak_ptr_factory_.GetWeakPtr(),
-            EnrollmentStatus::ForStatus(
-                EnrollmentStatus::LICENSE_REQUEST_FAILED)));
+                              weak_ptr_factory_.GetWeakPtr(),
+                              EnrollmentStatus::ForStatus(
+                                  EnrollmentStatus::LICENSE_REQUEST_FAILED)));
     return;
   }
   if (available_licenses_callback_)
@@ -242,15 +242,14 @@ void EnrollmentHandlerChromeOS::OnPolicyFetched(CloudPolicyClient* client) {
   const em::PolicyFetchResponse* policy = client_->GetPolicyFor(
       dm_protocol::kChromeDevicePolicyType, std::string());
   if (!policy) {
-    ReportResult(EnrollmentStatus::ForFetchError(
-        DM_STATUS_RESPONSE_DECODING_ERROR));
+    ReportResult(
+        EnrollmentStatus::ForFetchError(DM_STATUS_RESPONSE_DECODING_ERROR));
     return;
   }
 
-  std::unique_ptr<DeviceCloudPolicyValidator> validator(
-      DeviceCloudPolicyValidator::Create(
-          std::make_unique<em::PolicyFetchResponse>(*policy),
-          background_task_runner_));
+  auto validator = std::make_unique<DeviceCloudPolicyValidator>(
+      std::make_unique<em::PolicyFetchResponse>(*policy),
+      background_task_runner_);
 
   validator->ValidateTimestamp(base::Time(),
                                CloudPolicyValidatorBase::TIMESTAMP_VALIDATED);
@@ -312,8 +311,7 @@ void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
   if (enrollment_step_ == STEP_ROBOT_AUTH_FETCH) {
-    LOG(ERROR) << "API authentication code fetch failed: "
-               << client_->status();
+    LOG(ERROR) << "API authentication code fetch failed: " << client_->status();
     ReportResult(EnrollmentStatus::ForRobotAuthFetchError(client_->status()));
   } else if (enrollment_step_ < STEP_POLICY_FETCH) {
     ReportResult(EnrollmentStatus::ForRegistrationError(client_->status()));
@@ -452,12 +450,10 @@ void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
   client_info.redirect_uri = "oob";
 
   // Use the system request context to avoid sending user cookies.
-  gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
-      g_browser_process->system_request_context()));
-  gaia_oauth_client_->GetTokensFromAuthCode(client_info,
-                                            client->robot_api_auth_code(),
-                                            0 /* max_retries */,
-                                            this);
+  gaia_oauth_client_.reset(
+      new gaia::GaiaOAuthClient(g_browser_process->system_request_context()));
+  gaia_oauth_client_->GetTokensFromAuthCode(
+      client_info, client->robot_api_auth_code(), 0 /* max_retries */, this);
 }
 
 // GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
@@ -528,8 +524,7 @@ void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
   CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
   LOG(ERROR) << "Network error while fetching API refresh token: "
              << response_code;
-  ReportResult(
-      EnrollmentStatus::ForRobotRefreshFetchError(response_code));
+  ReportResult(EnrollmentStatus::ForRobotRefreshFetchError(response_code));
 }
 
 void EnrollmentHandlerChromeOS::StartJoinAdDomain() {

chrome/browser/chromeos/policy/pre_signin_policy_fetcher.cc

@@ -295,8 +295,8 @@ void PreSigninPolicyFetcher::NotifyCallback(
 std::unique_ptr<UserCloudPolicyValidator>
 PreSigninPolicyFetcher::CreateValidatorForCachedPolicy(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
-  std::unique_ptr<UserCloudPolicyValidator> validator =
-      UserCloudPolicyValidator::Create(std::move(policy), task_runner_);
+  auto validator = std::make_unique<UserCloudPolicyValidator>(std::move(policy),
+                                                              task_runner_);
 
   validator->ValidatePolicyType(dm_protocol::kChromeUserPolicyType);
   validator->ValidatePayload();
@@ -314,8 +314,8 @@ std::unique_ptr<UserCloudPolicyValidator>
 PreSigninPolicyFetcher::CreateValidatorForFetchedPolicy(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   // Configure the validator to validate based on cached policy.
-  std::unique_ptr<UserCloudPolicyValidator> validator =
-      UserCloudPolicyValidator::Create(std::move(policy), task_runner_);
+  auto validator = std::make_unique<UserCloudPolicyValidator>(std::move(policy),
+                                                              task_runner_);
 
   validator->ValidatePolicyType(dm_protocol::kChromeUserPolicyType);
   validator->ValidateAgainstCurrentPolicy(

chrome/browser/chromeos/settings/session_manager_operation.cc

@@ -167,8 +167,8 @@ void SessionManagerOperation::ValidateDeviceSettings(
            base::TaskShutdownBehavior::SKIP_ON_SHUTDOWN});
 
   std::unique_ptr<policy::DeviceCloudPolicyValidator> validator =
-      policy::DeviceCloudPolicyValidator::Create(std::move(policy),
-                                                 background_task_runner);
+      std::make_unique<policy::DeviceCloudPolicyValidator>(
+          std::move(policy), background_task_runner);
 
   if (cloud_validations_) {
     // Policy auto-generated by session manager doesn't include a timestamp, so

components/policy/core/common/cloud/cloud_policy_validator.cc

@@ -128,7 +128,6 @@ void CloudPolicyValidatorBase::ValidatePayload() {
   validation_flags_ |= VALIDATE_PAYLOAD;
 }
 
-
 void CloudPolicyValidatorBase::ValidateCachedKey(
     const std::string& cached_key,
     const std::string& cached_key_signature,
@@ -181,11 +180,9 @@ void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
 
 CloudPolicyValidatorBase::CloudPolicyValidatorBase(
     std::unique_ptr<em::PolicyFetchResponse> policy_response,
-    google::protobuf::MessageLite* payload,
     scoped_refptr<base::SequencedTaskRunner> background_task_runner)
     : status_(VALIDATION_OK),
       policy_(std::move(policy_response)),
-      payload_(payload),
       validation_flags_(0),
       timestamp_not_before_(0),
       timestamp_option_(TIMESTAMP_VALIDATED),
@@ -236,6 +233,18 @@ void CloudPolicyValidatorBase::RunValidation() {
   RunChecks();
 }
 
+CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckProtoPayload(
+    google::protobuf::MessageLite* payload) {
+  DCHECK(payload);
+  if (!policy_data_ || !policy_data_->has_policy_value() ||
+      !payload->ParseFromString(policy_data_->policy_value()) ||
+      !payload->IsInitialized()) {
+    LOG(ERROR) << "Failed to decode policy payload protobuf";
+    return VALIDATION_POLICY_PARSE_ERROR;
+  }
+  return VALIDATION_OK;
+}
+
 void CloudPolicyValidatorBase::RunChecks() {
   status_ = VALIDATION_OK;
   if ((policy_->has_error_code() && policy_->error_code() != 200) ||
@@ -259,19 +268,19 @@ void CloudPolicyValidatorBase::RunChecks() {
   // error, s.t. the most severe check will determine the validation status.
   static const struct {
     int flag;
-    Status (CloudPolicyValidatorBase::* checkFunction)();
+    Status (CloudPolicyValidatorBase::*checkFunction)();
   } kCheckFunctions[] = {
-      { VALIDATE_SIGNATURE,   &CloudPolicyValidatorBase::CheckSignature },
-      { VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey },
-      { VALIDATE_CACHED_KEY,  &CloudPolicyValidatorBase::CheckCachedKey },
-      { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },
-      { VALIDATE_ENTITY_ID,   &CloudPolicyValidatorBase::CheckEntityId },
-      { VALIDATE_DM_TOKEN,    &CloudPolicyValidatorBase::CheckDMToken },
-      { VALIDATE_DEVICE_ID,   &CloudPolicyValidatorBase::CheckDeviceId },
-      { VALIDATE_USER,        &CloudPolicyValidatorBase::CheckUser },
-      { VALIDATE_DOMAIN,      &CloudPolicyValidatorBase::CheckDomain },
-      { VALIDATE_TIMESTAMP,   &CloudPolicyValidatorBase::CheckTimestamp },
-      { VALIDATE_PAYLOAD,     &CloudPolicyValidatorBase::CheckPayload },
+      {VALIDATE_SIGNATURE, &CloudPolicyValidatorBase::CheckSignature},
+      {VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey},
+      {VALIDATE_CACHED_KEY, &CloudPolicyValidatorBase::CheckCachedKey},
+      {VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType},
+      {VALIDATE_ENTITY_ID, &CloudPolicyValidatorBase::CheckEntityId},
+      {VALIDATE_DM_TOKEN, &CloudPolicyValidatorBase::CheckDMToken},
+      {VALIDATE_DEVICE_ID, &CloudPolicyValidatorBase::CheckDeviceId},
+      {VALIDATE_USER, &CloudPolicyValidatorBase::CheckUser},
+      {VALIDATE_DOMAIN, &CloudPolicyValidatorBase::CheckDomain},
+      {VALIDATE_TIMESTAMP, &CloudPolicyValidatorBase::CheckTimestamp},
+      {VALIDATE_PAYLOAD, &CloudPolicyValidatorBase::CheckPayload},
   };
 
   for (size_t i = 0; i < arraysize(kCheckFunctions); ++i) {
@@ -296,8 +305,7 @@ bool CloudPolicyValidatorBase::CheckNewPublicKeyVerificationSignature() {
   }
 
   if (!CheckVerificationKeySignature(
-          policy_->new_public_key(),
-          verification_key_,
+          policy_->new_public_key(), verification_key_,
           policy_->new_public_key_verification_signature_deprecated())) {
     LOG(ERROR) << "Signature verification failed";
     UMA_HISTOGRAM_ENUMERATION(kMetricPolicyKeyVerification,
@@ -324,8 +332,8 @@ bool CloudPolicyValidatorBase::CheckVerificationKeySignature(
   // If no owning_domain_ supplied, try extracting the domain from the policy
   // itself (this happens on certain platforms during startup, when we validate
   // cached policy before prefs are loaded).
-  std::string domain = owning_domain_.empty() ?
-      ExtractDomainFromPolicy() : owning_domain_;
+  std::string domain =
+      owning_domain_.empty() ? ExtractDomainFromPolicy() : owning_domain_;
   if (domain.empty()) {
     LOG(ERROR) << "Policy does not contain a domain";
     return false;
@@ -344,8 +352,7 @@ std::string CloudPolicyValidatorBase::ExtractDomainFromPolicy() {
   std::string domain;
   if (policy_data_->has_username()) {
     domain = gaia::ExtractDomainName(
-        gaia::CanonicalizeEmail(
-            gaia::SanitizeEmail(policy_data_->username())));
+        gaia::CanonicalizeEmail(gaia::SanitizeEmail(policy_data_->username())));
   }
   return domain;
 }
@@ -385,8 +392,7 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {
 }
 
 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckInitialKey() {
-  if (!policy_->has_new_public_key() ||
-      !policy_->has_policy_data_signature() ||
+  if (!policy_->has_new_public_key() || !policy_->has_policy_data_signature() ||
       !VerifySignature(policy_->policy_data(), policy_->new_public_key(),
                        policy_->policy_data_signature(), SHA1)) {
     LOG(ERROR) << "Initial policy signature validation failed";
@@ -413,7 +419,7 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckCachedKey() {
 
 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {
   if (!policy_data_->has_policy_type() ||
-       policy_data_->policy_type() != policy_type_) {
+      policy_data_->policy_type() != policy_type_) {
     LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type();
     return VALIDATION_WRONG_POLICY_TYPE;
   }
@@ -468,8 +474,7 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDMToken() {
 
 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDeviceId() {
   if (device_id_option_ == DEVICE_ID_REQUIRED &&
-      (!policy_data_->has_device_id() ||
-       policy_data_->device_id().empty())) {
+      (!policy_data_->has_device_id() || policy_data_->device_id().empty())) {
     LOG(ERROR) << "Empty device id encountered - expected: " << device_id_;
     return VALIDATION_BAD_DEVICE_ID;
   }
@@ -545,17 +550,6 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDomain() {
   return VALIDATION_OK;
 }
 
-CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPayload() {
-  if (!policy_data_->has_policy_value() ||
-      !payload_->ParseFromString(policy_data_->policy_value()) ||
-      !payload_->IsInitialized()) {
-    LOG(ERROR) << "Failed to decode policy payload protobuf";
-    return VALIDATION_POLICY_PARSE_ERROR;
-  }
-
-  return VALIDATION_OK;
-}
-
 // static
 bool CloudPolicyValidatorBase::VerifySignature(const std::string& data,
                                                const std::string& key,

components/policy/core/common/cloud/cloud_policy_validator.h

@@ -36,12 +36,12 @@ namespace google {
 namespace protobuf {
 class MessageLite;
 }
-}
+}  // namespace google
 
 namespace enterprise_management {
 class PolicyData;
 class PolicyFetchResponse;
-}
+}  // namespace enterprise_management
 
 namespace policy {
 
@@ -225,13 +225,10 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
   void RunValidation();
 
  protected:
-  // Create a new validator that checks |policy_response|. |payload| is the
-  // message that the policy payload will be parsed to, and it needs to stay
-  // valid for the lifetime of the validator.
+  // Create a new validator that checks |policy_response|.
   CloudPolicyValidatorBase(
       std::unique_ptr<enterprise_management::PolicyFetchResponse>
           policy_response,
-      google::protobuf::MessageLite* payload,
       scoped_refptr<base::SequencedTaskRunner> background_task_runner);
 
   // Posts an asynchronous call to PerformValidation of the passed |validator|,
@@ -240,26 +237,28 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
       std::unique_ptr<CloudPolicyValidatorBase> validator,
       const base::Closure& completion_callback);
 
+  // Helper to check MessageLite-type payloads. It exists so the implementation
+  // can be moved to the .cc (PolicyValidators with protobuf payloads are
+  // templated).
+  Status CheckProtoPayload(google::protobuf::MessageLite* payload);
+
  private:
   // Internal flags indicating what to check.
   enum ValidationFlags {
-    VALIDATE_TIMESTAMP   = 1 << 0,
-    VALIDATE_USER        = 1 << 1,
-    VALIDATE_DOMAIN      = 1 << 2,
-    VALIDATE_DM_TOKEN    = 1 << 3,
+    VALIDATE_TIMESTAMP = 1 << 0,
+    VALIDATE_USER = 1 << 1,
+    VALIDATE_DOMAIN = 1 << 2,
+    VALIDATE_DM_TOKEN = 1 << 3,
     VALIDATE_POLICY_TYPE = 1 << 4,
-    VALIDATE_ENTITY_ID   = 1 << 5,
-    VALIDATE_PAYLOAD     = 1 << 6,
-    VALIDATE_SIGNATURE   = 1 << 7,
+    VALIDATE_ENTITY_ID = 1 << 5,
+    VALIDATE_PAYLOAD = 1 << 6,
+    VALIDATE_SIGNATURE = 1 << 7,
     VALIDATE_INITIAL_KEY = 1 << 8,
-    VALIDATE_CACHED_KEY  = 1 << 9,
-    VALIDATE_DEVICE_ID   = 1 << 10,
+    VALIDATE_CACHED_KEY = 1 << 9,
+    VALIDATE_DEVICE_ID = 1 << 10,
   };
 
-  enum SignatureType {
-    SHA1,
-    SHA256
-  };
+  enum SignatureType { SHA1, SHA256 };
 
   // Performs validation, called on a background thread.
   static void PerformValidation(
@@ -301,11 +300,13 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
   Status CheckDeviceId();
   Status CheckPolicyType();
   Status CheckEntityId();
-  Status CheckPayload();
   Status CheckSignature();
   Status CheckInitialKey();
   Status CheckCachedKey();
 
+  // Payload type depends on the validator, checking is part of derived classes.
+  virtual Status CheckPayload() = 0;
+
   // Verifies the SHA1/ or SHA256/RSA |signature| on |data| against |key|.
   // |signature_type| specifies the type of signature (SHA1 or SHA256).
   static bool VerifySignature(const std::string& data,
@@ -316,7 +317,6 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
   Status status_;
   std::unique_ptr<enterprise_management::PolicyFetchResponse> policy_;
   std::unique_ptr<enterprise_management::PolicyData> policy_data_;
-  google::protobuf::MessageLite* payload_;
 
   int validation_flags_;
   int64_t timestamp_not_before_;
@@ -343,24 +343,21 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
 
 // A simple type-parameterized extension of CloudPolicyValidator that
 // facilitates working with the actual protobuf payload type.
-template<typename PayloadProto>
-class POLICY_EXPORT CloudPolicyValidator : public CloudPolicyValidatorBase {
+template <typename PayloadProto>
+class POLICY_EXPORT CloudPolicyValidator final
+    : public CloudPolicyValidatorBase {
  public:
   using CompletionCallback = base::Callback<void(CloudPolicyValidator*)>;
 
-  virtual ~CloudPolicyValidator() {}
-
   // Creates a new validator.
   // |background_task_runner| is optional; if RunValidation() is used directly
   // and StartValidation() is not used then it can be nullptr.
-  static std::unique_ptr<CloudPolicyValidator> Create(
+  CloudPolicyValidator(
       std::unique_ptr<enterprise_management::PolicyFetchResponse>
           policy_response,
-      scoped_refptr<base::SequencedTaskRunner> background_task_runner) {
-    return base::WrapUnique<CloudPolicyValidator>(new CloudPolicyValidator(
-        std::move(policy_response), std::make_unique<PayloadProto>(),
-        background_task_runner));
-  }
+      scoped_refptr<base::SequencedTaskRunner> background_task_runner)
+      : CloudPolicyValidatorBase(std::move(policy_response),
+                                 background_task_runner) {}
 
   std::unique_ptr<PayloadProto>& payload() { return payload_; }
 
@@ -375,17 +372,10 @@ class POLICY_EXPORT CloudPolicyValidator : public CloudPolicyValidatorBase {
   }
 
  private:
-  CloudPolicyValidator(
-      std::unique_ptr<enterprise_management::PolicyFetchResponse>
-          policy_response,
-      std::unique_ptr<PayloadProto> payload,
-      scoped_refptr<base::SequencedTaskRunner> background_task_runner)
-      : CloudPolicyValidatorBase(std::move(policy_response),
-                                 payload.get(),
-                                 background_task_runner),
-        payload_(std::move(payload)) {}
+  // CloudPolicyValidatorBase:
+  Status CheckPayload() override { return CheckProtoPayload(payload_.get()); }
 
-  std::unique_ptr<PayloadProto> payload_;
+  std::unique_ptr<PayloadProto> payload_ = std::make_unique<PayloadProto>();
 
   DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidator);
 };

components/policy/core/common/cloud/cloud_policy_validator_unittest.cc

@@ -70,8 +70,8 @@ class CloudPolicyValidatorTest : public testing::Test {
         CreateValidator(std::move(policy_response));
 
     // Run validation and check the result.
-    EXPECT_CALL(*this, ValidationCompletion(validator.get())).WillOnce(
-        check_action);
+    EXPECT_CALL(*this, ValidationCompletion(validator.get()))
+        .WillOnce(check_action);
     UserCloudPolicyValidator::StartValidation(
         std::move(validator),
         base::Bind(&CloudPolicyValidatorTest::ValidationCompletion,
@@ -85,9 +85,8 @@ class CloudPolicyValidatorTest : public testing::Test {
     std::string public_key = PolicyBuilder::GetPublicTestKeyAsString();
     EXPECT_FALSE(public_key.empty());
 
-    std::unique_ptr<UserCloudPolicyValidator> validator =
-        UserCloudPolicyValidator::Create(std::move(policy_response),
-                                         base::ThreadTaskRunnerHandle::Get());
+    auto validator = std::make_unique<UserCloudPolicyValidator>(
+        std::move(policy_response), base::ThreadTaskRunnerHandle::Get());
     validator->ValidateTimestamp(timestamp_, timestamp_option_);
     if (validate_by_gaia_id_) {
       validator->ValidateUser(
@@ -101,8 +100,7 @@ class CloudPolicyValidatorTest : public testing::Test {
     validator->ValidateDeviceId(existing_device_id_, device_id_option_);
     validator->ValidatePolicyType(dm_protocol::kChromeUserPolicyType);
     validator->ValidatePayload();
-    validator->ValidateCachedKey(public_key,
-                                 cached_key_signature_,
+    validator->ValidateCachedKey(public_key, cached_key_signature_,
                                  owning_domain_);
     if (allow_key_rotation_) {
       validator->ValidateSignatureAllowingRotation(public_key, owning_domain_);
@@ -113,7 +111,6 @@ class CloudPolicyValidatorTest : public testing::Test {
     return validator;
   }
 
-
   void CheckSuccessfulValidation(UserCloudPolicyValidator* validator) {
     EXPECT_TRUE(validator->success());
     EXPECT_EQ(policy_.policy().SerializeAsString(),
@@ -378,9 +375,10 @@ TEST_F(CloudPolicyValidatorTest, ErrorInvalidPublicKeyVerificationSignature) {
   policy_.Build();
   policy_.policy().set_new_public_key_verification_signature_deprecated(
       "invalid");
-  ValidatePolicy(CheckStatus(
-      CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
-                 policy_.GetCopy());
+  ValidatePolicy(
+      CheckStatus(
+          CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
+      policy_.GetCopy());
 }
 
 TEST_F(CloudPolicyValidatorTest, ErrorDomainMismatchForKeyVerification) {
@@ -388,9 +386,10 @@ TEST_F(CloudPolicyValidatorTest, ErrorDomainMismatchForKeyVerification) {
   // Generate a non-matching owning_domain, which should cause a validation
   // failure.
   owning_domain_ = "invalid.com";
-  ValidatePolicy(CheckStatus(
-      CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
-                 policy_.GetCopy());
+  ValidatePolicy(
+      CheckStatus(
+          CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
+      policy_.GetCopy());
 }
 
 TEST_F(CloudPolicyValidatorTest, ErrorDomainExtractedFromUsernameMismatch) {
@@ -401,9 +400,10 @@ TEST_F(CloudPolicyValidatorTest, ErrorDomainExtractedFromUsernameMismatch) {
   // Pass an empty domain to tell validator to extract the domain from the
   // policy's |username| field.
   owning_domain_ = "";
-  ValidatePolicy(CheckStatus(
-      CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
-                 policy_.GetCopy());
+  ValidatePolicy(
+      CheckStatus(
+          CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE),
+      policy_.GetCopy());
 }
 
 TEST_F(CloudPolicyValidatorTest, ErrorNoCachedKeySignature) {

components/policy/core/common/cloud/component_cloud_policy_store.cc

@@ -261,8 +261,7 @@ void ComponentCloudPolicyStore::Purge(
   bool purged_current_policies = false;
   for (PolicyBundle::const_iterator it = policy_bundle_.begin();
        it != policy_bundle_.end(); ++it) {
-    if (it->first.domain == domain &&
-        filter.Run(it->first.component_id) &&
+    if (it->first.domain == domain && filter.Run(it->first.component_id) &&
         !policy_bundle_.Get(it->first).empty()) {
       policy_bundle_.Get(it->first).Clear();
       purged_current_policies = true;
@@ -334,9 +333,8 @@ bool ComponentCloudPolicyStore::ValidatePolicy(
   if (stored_policy_times_iter != stored_policy_times_.end())
     time_not_before = stored_policy_times_iter->second;
 
-  std::unique_ptr<ComponentCloudPolicyValidator> validator(
-      ComponentCloudPolicyValidator::Create(
-          std::move(proto), scoped_refptr<base::SequencedTaskRunner>()));
+  auto validator = std::make_unique<ComponentCloudPolicyValidator>(
+      std::move(proto), scoped_refptr<base::SequencedTaskRunner>());
   validator->ValidateTimestamp(time_not_before,
                                CloudPolicyValidatorBase::TIMESTAMP_VALIDATED);
   validator->ValidateUser(account_id_);
@@ -388,10 +386,9 @@ bool ComponentCloudPolicyStore::ValidatePolicy(
   return true;
 }
 
-bool ComponentCloudPolicyStore::ValidateData(
-    const std::string& data,
-    const std::string& secure_hash,
-    PolicyMap* policy) {
+bool ComponentCloudPolicyStore::ValidateData(const std::string& data,
+                                             const std::string& secure_hash,
+                                             PolicyMap* policy) {
   if (crypto::SHA256HashString(data) != secure_hash) {
     LOG(ERROR) << "The received data doesn't match the expected hash.";
     return false;

components/policy/core/common/cloud/machine_level_user_cloud_policy_store.cc

@@ -71,9 +71,8 @@ std::unique_ptr<UserCloudPolicyValidator>
 MachineLevelUserCloudPolicyStore::CreateValidator(
     std::unique_ptr<enterprise_management::PolicyFetchResponse> policy,
     CloudPolicyValidatorBase::ValidateTimestampOption option) {
-  std::unique_ptr<UserCloudPolicyValidator> validator =
-      UserCloudPolicyValidator::Create(std::move(policy),
-                                       background_task_runner());
+  auto validator = std::make_unique<UserCloudPolicyValidator>(
+      std::move(policy), background_task_runner());
   validator->ValidatePolicyType(
       dm_protocol::kChromeMachineLevelUserCloudPolicyType);
   validator->ValidateDMToken(machine_dm_token_,

components/policy/core/common/cloud/user_cloud_policy_store_base.cc

@@ -27,21 +27,18 @@ UserCloudPolicyStoreBase::UserCloudPolicyStoreBase(
     : background_task_runner_(background_task_runner),
       policy_scope_(policy_scope) {}
 
-UserCloudPolicyStoreBase::~UserCloudPolicyStoreBase() {
-}
+UserCloudPolicyStoreBase::~UserCloudPolicyStoreBase() {}
 
 std::unique_ptr<UserCloudPolicyValidator>
 UserCloudPolicyStoreBase::CreateValidator(
     std::unique_ptr<enterprise_management::PolicyFetchResponse> policy,
     CloudPolicyValidatorBase::ValidateTimestampOption timestamp_option) {
   // Configure the validator.
-  std::unique_ptr<UserCloudPolicyValidator> validator =
-      UserCloudPolicyValidator::Create(std::move(policy),
-                                       background_task_runner_);
+  auto validator = std::make_unique<UserCloudPolicyValidator>(
+      std::move(policy), background_task_runner_);
   validator->ValidatePolicyType(dm_protocol::kChromeUserPolicyType);
   validator->ValidateAgainstCurrentPolicy(
-      policy_.get(),
-      timestamp_option,
+      policy_.get(), timestamp_option,
       CloudPolicyValidatorBase::DM_TOKEN_REQUIRED,
       CloudPolicyValidatorBase::DEVICE_ID_REQUIRED);
   validator->ValidatePayload();