Add unit tests for CertificateProvisioningUiHandler

Add unit tests for CertificateProvisioningUiHandler.
Introduce mock variant of CertProvisioningScheduler
to make unit testing possible.

Bug: 1081396
Test: unit_tests

Change-Id: I66cd3c70bb331de60e192f022d10f751153eefef
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2288792
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Michael Ershov <miersh@google.com>
Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790234}

chrome/browser/chromeos/BUILD.gn

@@ -2778,6 +2778,8 @@ static_library("test_support") {
     "attestation/mock_enrollment_certificate_uploader.h",
     "attestation/mock_machine_certificate_uploader.cc",
     "attestation/mock_machine_certificate_uploader.h",
+    "cert_provisioning/mock_cert_provisioning_scheduler.cc",
+    "cert_provisioning/mock_cert_provisioning_scheduler.h",
     "certificate_provider/test_certificate_provider_extension.cc",
     "certificate_provider/test_certificate_provider_extension.h",
     "crostini/ansible/ansible_management_test_helper.cc",

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.h

@@ -56,13 +56,34 @@ struct FailedWorkerInfo {
   base::Time last_update_time;
 };
 
+// Interface for the scheduler for client certificate provisioning using device
+// management.
+class CertProvisioningScheduler {
+ public:
+  virtual ~CertProvisioningScheduler() = default;
+
+  // Intended to be called when a user presses a button in certificate manager
+  // UI. Retries provisioning of a specific certificate.
+  virtual void UpdateOneCert(const CertProfileId& cert_profile_id) = 0;
+  virtual void UpdateAllCerts() = 0;
+
+  // Returns all certificate provisioning workers that are currently active.
+  virtual const WorkerMap& GetWorkers() const = 0;
+
+  // Returns a |FailedWorkerInfo| for certificate provisioning processes that
+  // failed and have not been restarted (yet).
+  virtual const base::flat_map<CertProfileId, FailedWorkerInfo>&
+  GetFailedCertProfileIds() const = 0;
+};
+
 // This class is a part of certificate provisioning feature. It tracks updates
 // of |RequiredClientCertificateForUser|, |RequiredClientCertificateForDevice|
 // policies and creates one CertProvisioningWorker for every policy entry.
 // Should work on the UI thread because it interacts with PlatformKeysService
 // and some methods are called from the UI to populate certificate manager
 // settings page.
-class CertProvisioningScheduler : public NetworkStateHandlerObserver {
+class CertProvisioningSchedulerImpl : public CertProvisioningScheduler,
+                                      public NetworkStateHandlerObserver {
  public:
   static std::unique_ptr<CertProvisioningScheduler>
   CreateUserCertProvisioningScheduler(Profile* profile);
@@ -71,7 +92,7 @@ class CertProvisioningScheduler : public NetworkStateHandlerObserver {
       policy::AffiliatedInvalidationServiceProvider*
           invalidation_service_provider);
 
-  CertProvisioningScheduler(
+  CertProvisioningSchedulerImpl(
       CertScope cert_scope,
       Profile* profile,
       PrefService* pref_service,
@@ -79,22 +100,21 @@ class CertProvisioningScheduler : public NetworkStateHandlerObserver {
       platform_keys::PlatformKeysService* platform_keys_service,
       NetworkStateHandler* network_state_handler,
       std::unique_ptr<CertProvisioningInvalidatorFactory> invalidator_factory);
-  ~CertProvisioningScheduler() override;
+  ~CertProvisioningSchedulerImpl() override;
 
-  CertProvisioningScheduler(const CertProvisioningScheduler&) = delete;
-  CertProvisioningScheduler& operator=(const CertProvisioningScheduler&) =
-      delete;
-  // Intended to be called when a user presses a button in certificate manager
-  // UI. Retries provisioning of a specific certificate.
-  void UpdateOneCert(const CertProfileId& cert_profile_id);
-  void UpdateAllCerts();
-  void OnProfileFinished(const CertProfile& profile,
-                         CertProvisioningWorkerState state);
-
-  const WorkerMap& GetWorkers() const;
+  CertProvisioningSchedulerImpl(const CertProvisioningSchedulerImpl&) = delete;
+  CertProvisioningSchedulerImpl& operator=(
+      const CertProvisioningSchedulerImpl&) = delete;
 
+  // CertProvisioningScheduler:
+  void UpdateOneCert(const CertProfileId& cert_profile_id) override;
+  void UpdateAllCerts() override;
+  const WorkerMap& GetWorkers() const override;
   const base::flat_map<CertProfileId, FailedWorkerInfo>&
-  GetFailedCertProfileIds() const;
+  GetFailedCertProfileIds() const override;
+
+  void OnProfileFinished(const CertProfile& profile,
+                         CertProvisioningWorkerState state);
 
  private:
   void ScheduleInitialUpdate();
@@ -177,7 +197,7 @@ class CertProvisioningScheduler : public NetworkStateHandlerObserver {
   CertDeleter cert_deleter_;
   std::unique_ptr<CertProvisioningInvalidatorFactory> invalidator_factory_;
 
-  base::WeakPtrFactory<CertProvisioningScheduler> weak_factory_{this};
+  base::WeakPtrFactory<CertProvisioningSchedulerImpl> weak_factory_{this};
 };
 
 }  // namespace cert_provisioning

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler_unittest.cc

@@ -135,13 +135,13 @@ TEST_F(CertProvisioningSchedulerTest, Success) {
   MockCertProvisioningInvalidatorFactory* mock_invalidation_factory =
       mock_invalidation_factory_obj.get();
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       std::move(mock_invalidation_factory_obj));
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_USER, kKeyNamePrefix))
@@ -196,13 +196,13 @@ TEST_F(CertProvisioningSchedulerTest, Success) {
 TEST_F(CertProvisioningSchedulerTest, WorkerFailed) {
   const CertScope kCertScope = CertScope::kDevice;
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_DEVICE, kKeyNamePrefix))
@@ -264,13 +264,13 @@ TEST_F(CertProvisioningSchedulerTest, InitialAndDailyUpdates) {
            "key_algorithm":"rsa"}])");
   pref_service_.Set(GetPrefNameForCertProfiles(kCertScope), config);
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_USER, kKeyNamePrefix))
@@ -316,13 +316,13 @@ TEST_F(CertProvisioningSchedulerTest, InitialAndDailyUpdates) {
 TEST_F(CertProvisioningSchedulerTest, MultipleWorkers) {
   const CertScope kCertScope = CertScope::kDevice;
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_DEVICE, kKeyNamePrefix))
@@ -420,7 +420,7 @@ TEST_F(CertProvisioningSchedulerTest, RemoveCertWithoutPolicy) {
 
   certificate_helper_->AddCert(kCertScope, kCertProfileId);
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
@@ -474,7 +474,7 @@ TEST_F(CertProvisioningSchedulerTest, DeserializeWorkers) {
   worker->SetExpectations(/*do_step_times=*/AtLeast(1),
                           /*is_waiting=*/true, cert_profile);
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
@@ -491,13 +491,13 @@ TEST_F(CertProvisioningSchedulerTest, InconsistentDataErrorHandling) {
   const char kCertProfileVersion1[] = "cert_profile_version_1";
   const char kCertProfileVersion2[] = "cert_profile_version_2";
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_DEVICE, kKeyNamePrefix))
@@ -614,13 +614,13 @@ TEST_F(CertProvisioningSchedulerTest, RetryAfterNoInternetConnection) {
            "key_algorithm":"rsa"}])");
   pref_service_.Set(GetPrefNameForCertProfiles(kCertScope), config);
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_DEVICE, kKeyNamePrefix))
@@ -653,13 +653,13 @@ TEST_F(CertProvisioningSchedulerTest, DeleteWorkerWithoutPolicy) {
            "policy_version":"cert_profile_version_1",
            "key_algorithm":"rsa"}])");
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
       MakeFakeInvalidationFactory());
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_,
               OnTpmAttestationDeleteKeysByPrefix(
                   attestation::AttestationKeyType::KEY_DEVICE, kKeyNamePrefix))
@@ -696,13 +696,13 @@ TEST_F(CertProvisioningSchedulerTest, DeleteVaKeysOnIdle) {
   const CertScope kCertScope = CertScope::kDevice;
 
   {
-    CertProvisioningScheduler scheduler(
+    CertProvisioningSchedulerImpl scheduler(
         kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
         &platform_keys_service_,
         network_state_test_helper_.network_state_handler(),
         MakeFakeInvalidationFactory());
 
-    // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+    // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
     EXPECT_CALL(
         fake_cryptohome_client_,
         OnTpmAttestationDeleteKeysByPrefix(
@@ -742,7 +742,7 @@ TEST_F(CertProvisioningSchedulerTest, DeleteVaKeysOnIdle) {
     worker->SetExpectations(/*do_step_times=*/Exactly(0),
                             /*is_waiting=*/true, cert_profile);
 
-    CertProvisioningScheduler scheduler(
+    CertProvisioningSchedulerImpl scheduler(
         kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
         &platform_keys_service_,
         network_state_test_helper_.network_state_handler(),
@@ -758,7 +758,7 @@ TEST_F(CertProvisioningSchedulerTest, DeleteVaKeysOnIdle) {
 TEST_F(CertProvisioningSchedulerTest, UpdateOneCert) {
   const CertScope kCertScope = CertScope::kUser;
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),
@@ -767,7 +767,7 @@ TEST_F(CertProvisioningSchedulerTest, UpdateOneCert) {
   CertProfile cert_profile(kCertProfileId, kCertProfileVersion,
                            /*is_va_enabled=*/true, kCertProfileRenewalPeriod);
 
-  // From CertProvisioningScheduler::CleanVaKeysIfIdle.
+  // From CertProvisioningSchedulerImpl::CleanVaKeysIfIdle.
   EXPECT_CALL(fake_cryptohome_client_, OnTpmAttestationDeleteKeysByPrefix);
   FastForwardBy(TimeDelta::FromSeconds(1));
 
@@ -868,7 +868,7 @@ TEST_F(CertProvisioningSchedulerTest, CertRenewal) {
            "renewal_period_seconds": 86400}])");
   pref_service_.Set(GetPrefNameForCertProfiles(kCertScope), config);
 
-  CertProvisioningScheduler scheduler(
+  CertProvisioningSchedulerImpl scheduler(
       kCertScope, GetProfile(), &pref_service_, &cloud_policy_client_,
       &platform_keys_service_,
       network_state_test_helper_.network_state_handler(),

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler_user_service.cc

@@ -18,8 +18,9 @@ namespace cert_provisioning {
 
 CertProvisioningSchedulerUserService::CertProvisioningSchedulerUserService(
     Profile* profile)
-    : scheduler_(CertProvisioningScheduler::CreateUserCertProvisioningScheduler(
-          profile)) {}
+    : scheduler_(
+          CertProvisioningSchedulerImpl::CreateUserCertProvisioningScheduler(
+              profile)) {}
 
 CertProvisioningSchedulerUserService::~CertProvisioningSchedulerUserService() =
     default;

chrome/browser/chromeos/cert_provisioning/cert_provisioning_test_helpers.cc

@@ -125,13 +125,16 @@ const char kTestUserGaiaId[] = "test_gaia_id";
 }  // namespace
 
 ProfileHelperForTesting::ProfileHelperForTesting()
+    : ProfileHelperForTesting(/*user_is_affiilated=*/false) {}
+
+ProfileHelperForTesting::ProfileHelperForTesting(bool user_is_affiliated)
     : testing_profile_manager_(TestingBrowserProcess::GetGlobal()) {
-  Init();
+  Init(user_is_affiliated);
 }
 
 ProfileHelperForTesting::~ProfileHelperForTesting() = default;
 
-void ProfileHelperForTesting::Init() {
+void ProfileHelperForTesting::Init(bool user_is_affiliated) {
   ASSERT_TRUE(testing_profile_manager_.SetUp());
 
   testing_profile_ =
@@ -140,7 +143,8 @@ void ProfileHelperForTesting::Init() {
 
   auto test_account =
       AccountId::FromUserEmailGaiaId(kTestUserEmail, kTestUserGaiaId);
-  fake_user_manager_.AddUser(test_account);
+  user_ = fake_user_manager_.AddUserWithAffiliation(test_account,
+                                                    user_is_affiliated);
 
   ProfileHelper::Get()->SetUserToProfileMappingForTesting(
       fake_user_manager_.GetPrimaryUser(), testing_profile_);
@@ -150,6 +154,10 @@ Profile* ProfileHelperForTesting::GetProfile() const {
   return testing_profile_;
 }
 
+user_manager::User* ProfileHelperForTesting::GetUser() const {
+  return user_;
+}
+
 //================ SpyingFakeCryptohomeClient ==================================
 
 SpyingFakeCryptohomeClient::SpyingFakeCryptohomeClient() = default;

chrome/browser/chromeos/cert_provisioning/cert_provisioning_test_helpers.h

@@ -14,6 +14,10 @@
 #include "chromeos/dbus/cryptohome/fake_cryptohome_client.h"
 #include "testing/gmock/include/gmock/gmock.h"
 
+namespace user_manager {
+class User;
+}
+
 namespace chromeos {
 namespace cert_provisioning {
 
@@ -70,19 +74,23 @@ struct CertificateHelperForTesting {
 
 class ProfileHelperForTesting {
  public:
+  // Equivalent to ProfileHelperForTesting(/*user_is_affiliated=*/false)
   ProfileHelperForTesting();
+  explicit ProfileHelperForTesting(bool user_is_affiliated);
   ProfileHelperForTesting(const ProfileHelperForTesting&) = delete;
   ProfileHelperForTesting& operator=(const ProfileHelperForTesting&) = delete;
   ~ProfileHelperForTesting();
 
   Profile* GetProfile() const;
+  user_manager::User* GetUser() const;
 
  private:
-  void Init();
+  void Init(bool user_is_affiliated);
 
   TestingProfileManager testing_profile_manager_;
   FakeChromeUserManager fake_user_manager_;
   TestingProfile* testing_profile_ = nullptr;
+  user_manager::User* user_ = nullptr;
 };
 
 //================ SpyingFakeCryptohomeClient ==================================

chrome/browser/chromeos/cert_provisioning/mock_cert_provisioning_scheduler.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/cert_provisioning/mock_cert_provisioning_scheduler.h"
+
+namespace chromeos {
+namespace cert_provisioning {
+
+MockCertProvisioningScheduler::MockCertProvisioningScheduler() = default;
+MockCertProvisioningScheduler::~MockCertProvisioningScheduler() = default;
+
+}  // namespace cert_provisioning
+}  // namespace chromeos

chrome/browser/chromeos/cert_provisioning/mock_cert_provisioning_scheduler.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_CERT_PROVISIONING_MOCK_CERT_PROVISIONING_SCHEDULER_H_
+#define CHROME_BROWSER_CHROMEOS_CERT_PROVISIONING_MOCK_CERT_PROVISIONING_SCHEDULER_H_
+
+#include "chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.h"
+#include "testing/gmock/include/gmock/gmock.h"
+
+namespace chromeos {
+namespace cert_provisioning {
+
+class MockCertProvisioningScheduler : public CertProvisioningScheduler {
+ public:
+  MockCertProvisioningScheduler();
+  MockCertProvisioningScheduler(const MockCertProvisioningScheduler&) = delete;
+  MockCertProvisioningScheduler& operator=(
+      const MockCertProvisioningScheduler&) = delete;
+  ~MockCertProvisioningScheduler() override;
+
+  MOCK_METHOD(void,
+              UpdateOneCert,
+              (const CertProfileId& cert_profile_id),
+              (override));
+  MOCK_METHOD(void, UpdateAllCerts, (), (override));
+  MOCK_METHOD(const WorkerMap&, GetWorkers, (), (const override));
+
+  MOCK_METHOD((const base::flat_map<CertProfileId, FailedWorkerInfo>&),
+              GetFailedCertProfileIds,
+              (),
+              (const override));
+};
+
+}  // namespace cert_provisioning
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_CERT_PROVISIONING_MOCK_CERT_PROVISIONING_SCHEDULER_H_

chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc

@@ -466,7 +466,7 @@ void BrowserPolicyConnectorChromeOS::OnDeviceCloudPolicyManagerConnected() {
   // CertProvisioningScheduler does not depend on SignIn Profile.
   if (!device_cert_provisioning_scheduler_) {
     device_cert_provisioning_scheduler_ = chromeos::cert_provisioning::
-        CertProvisioningScheduler::CreateDeviceCertProvisioningScheduler(
+        CertProvisioningSchedulerImpl::CreateDeviceCertProvisioningScheduler(
             affiliated_invalidation_service_provider_.get());
   }
 }

chrome/browser/ui/webui/certificate_provisioning_ui_handler.cc

@@ -32,12 +32,29 @@ namespace cert_provisioning {
 
 namespace {
 
+// Returns the per-user CertProvisioningScheduler for |user_profile|, if it has
+// any.
+CertProvisioningScheduler* GetCertProvisioningSchedulerForUser(
+    Profile* user_profile) {
+  CertProvisioningSchedulerUserService* user_service =
+      CertProvisioningSchedulerUserServiceFactory::GetForProfile(user_profile);
+  if (!user_service)
+    return nullptr;
+  return user_service->scheduler();
+}
+
+// Returns the per-device CertProvisioningScheduler, if it exists. No
+// affiliation check is done here.
+CertProvisioningScheduler* GetCertProvisioningSchedulerForDevice() {
+  policy::BrowserPolicyConnectorChromeOS* connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  return connector->GetDeviceCertProvisioningScheduler();
+}
+
 // Returns localized representation for the state of a certificate provisioning
 // process.
-base::string16 GetProvisioningProcessStatus(
-    chromeos::cert_provisioning::CertProvisioningWorkerState state) {
-  using CertProvisioningWorkerState =
-      chromeos::cert_provisioning::CertProvisioningWorkerState;
+base::string16 GetProvisioningProcessStatus(CertProvisioningWorkerState state) {
+  using CertProvisioningWorkerState = CertProvisioningWorkerState;
   switch (state) {
     case CertProvisioningWorkerState ::kInitState:
       return l10n_util::GetStringUTF16(
@@ -90,7 +107,7 @@ base::string16 GetTimeSinceLastUpdate(base::Time last_update_time) {
 base::Value CreateProvisioningProcessEntry(
     const std::string& cert_profile_id,
     bool is_device_wide,
-    chromeos::cert_provisioning::CertProvisioningWorkerState state,
+    CertProvisioningWorkerState state,
     base::Time time_since_last_update,
     const std::string& public_key_spki_der) {
   base::Value entry(base::Value::Type::DICTIONARY);
@@ -123,8 +140,7 @@ void CollectProvisioningProcesses(
   }
   for (const auto& failed_worker_entry :
        cert_provisioning_scheduler->GetFailedCertProfileIds()) {
-    const chromeos::cert_provisioning::FailedWorkerInfo& worker =
-        failed_worker_entry.second;
+    const FailedWorkerInfo& worker = failed_worker_entry.second;
     list_to_append_to->Append(CreateProvisioningProcessEntry(
         failed_worker_entry.first, is_device_wide,
         CertProvisioningWorkerState::kFailed, worker.last_update_time,
@@ -134,7 +150,23 @@ void CollectProvisioningProcesses(
 
 }  // namespace
 
-CertificateProvisioningUiHandler::CertificateProvisioningUiHandler() = default;
+// static
+std::unique_ptr<CertificateProvisioningUiHandler>
+CertificateProvisioningUiHandler::CreateForProfile(Profile* user_profile) {
+  return std::make_unique<CertificateProvisioningUiHandler>(
+      user_profile, GetCertProvisioningSchedulerForUser(user_profile),
+      GetCertProvisioningSchedulerForDevice());
+}
+
+CertificateProvisioningUiHandler::CertificateProvisioningUiHandler(
+    Profile* user_profile,
+    CertProvisioningScheduler* scheduler_for_user,
+    CertProvisioningScheduler* scheduler_for_device)
+    : scheduler_for_user_(scheduler_for_user),
+      scheduler_for_device_(ShouldUseDeviceWideProcesses(user_profile)
+                                ? scheduler_for_device
+                                : nullptr) {}
+
 CertificateProvisioningUiHandler::~CertificateProvisioningUiHandler() = default;
 
 void CertificateProvisioningUiHandler::RegisterMessages() {
@@ -153,31 +185,6 @@ void CertificateProvisioningUiHandler::RegisterMessages() {
                           base::Unretained(this)));
 }
 
-CertProvisioningScheduler*
-CertificateProvisioningUiHandler::GetCertProvisioningSchedulerForUser(
-    Profile* user_profile) {
-  chromeos::cert_provisioning::CertProvisioningSchedulerUserService*
-      user_service = chromeos::cert_provisioning::
-          CertProvisioningSchedulerUserServiceFactory::GetForProfile(
-              user_profile);
-  if (!user_service)
-    return nullptr;
-  return user_service->scheduler();
-}
-
-CertProvisioningScheduler*
-CertificateProvisioningUiHandler::GetCertProvisioningSchedulerForDevice(
-    Profile* user_profile) {
-  const user_manager::User* user =
-      chromeos::ProfileHelper::Get()->GetUserByProfile(user_profile);
-  if (!user || !user->IsAffiliated())
-    return nullptr;
-
-  policy::BrowserPolicyConnectorChromeOS* connector =
-      g_browser_process->platform_part()->browser_policy_connector_chromeos();
-  return connector->GetDeviceCertProvisioningScheduler();
-}
-
 void CertificateProvisioningUiHandler::
     HandleRefreshCertificateProvisioningProcesses(const base::ListValue* args) {
   CHECK_EQ(0U, args->GetSize());
@@ -198,10 +205,11 @@ void CertificateProvisioningUiHandler::
   if (!device_wide.is_bool())
     return;
 
-  Profile* profile = Profile::FromWebUI(web_ui());
+  if (device_wide.GetBool() && !scheduler_for_device_)
+    return;
+
   CertProvisioningScheduler* scheduler =
-      device_wide.GetBool() ? GetCertProvisioningSchedulerForDevice(profile)
-                            : GetCertProvisioningSchedulerForUser(profile);
+      device_wide.GetBool() ? scheduler_for_device_ : scheduler_for_user_;
   if (!scheduler)
     return;
 
@@ -225,24 +233,28 @@ void CertificateProvisioningUiHandler::
 
 void CertificateProvisioningUiHandler::
     RefreshCertificateProvisioningProcesses() {
-  Profile* profile = Profile::FromWebUI(web_ui());
-
   base::ListValue all_processes;
-  CertProvisioningScheduler* scheduler_for_user =
-      GetCertProvisioningSchedulerForUser(profile);
-  if (scheduler_for_user)
-    CollectProvisioningProcesses(&all_processes, scheduler_for_user,
+  if (scheduler_for_user_) {
+    CollectProvisioningProcesses(&all_processes, scheduler_for_user_,
                                  /*is_device_wide=*/false);
+  }
 
-  CertProvisioningScheduler* scheduler_for_device =
-      GetCertProvisioningSchedulerForDevice(profile);
-  if (scheduler_for_device)
-    CollectProvisioningProcesses(&all_processes, scheduler_for_device,
+  if (scheduler_for_device_) {
+    CollectProvisioningProcesses(&all_processes, scheduler_for_device_,
                                  /*is_device_wide=*/true);
+  }
 
   FireWebUIListener("certificate-provisioning-processes-changed",
                     std::move(all_processes));
 }
 
+// static
+bool CertificateProvisioningUiHandler::ShouldUseDeviceWideProcesses(
+    Profile* user_profile) {
+  const user_manager::User* user =
+      chromeos::ProfileHelper::Get()->GetUserByProfile(user_profile);
+  return user && user->IsAffiliated();
+}
+
 }  // namespace cert_provisioning
 }  // namespace chromeos

chrome/browser/ui/webui/certificate_provisioning_ui_handler.h

@@ -5,6 +5,8 @@
 #ifndef CHROME_BROWSER_UI_WEBUI_CERTIFICATE_PROVISIONING_UI_HANDLER_H_
 #define CHROME_BROWSER_UI_WEBUI_CERTIFICATE_PROVISIONING_UI_HANDLER_H_
 
+#include <utility>
+
 #include "base/memory/weak_ptr.h"
 #include "base/values.h"
 #include "content/public/browser/web_ui_message_handler.h"
@@ -18,7 +20,26 @@ class CertProvisioningScheduler;
 
 class CertificateProvisioningUiHandler : public content::WebUIMessageHandler {
  public:
-  CertificateProvisioningUiHandler();
+  // Creates a CertificateProvisioningUiHandler for |user_profile|, which uses:
+  // (*) The CertProvisioningScheduler associated with |user_profile|, if any.
+  // (*) The device-wide CertProvisioningScheduler, if it exists and the
+  //     |user_profile| is affiliated.
+  static std::unique_ptr<CertificateProvisioningUiHandler> CreateForProfile(
+      Profile* user_profile);
+
+  // The constructed CertificateProvisioningUiHandler will use
+  // |scheduler_for_user| to list certificate provisioning processes that belong
+  // to the user, and |scheduler_for_device|, to list certificatge provisioning
+  // processes that are device-wide. Both can be nullptr. Note: Intended to be
+  // called directly for testing. Use CreateForProfile in production code
+  // instead.
+  // |user_profile| is used to determine if the current user is affiliated and
+  // decide if |scheduler_for_device| should be used based on that. This pattern
+  // is useful for unit-testing the affiliation detection logic.
+  CertificateProvisioningUiHandler(
+      Profile* user_profile,
+      CertProvisioningScheduler* scheduler_for_user,
+      CertProvisioningScheduler* scheduler_for_device);
 
   CertificateProvisioningUiHandler(
       const CertificateProvisioningUiHandler& other) = delete;
@@ -31,16 +52,6 @@ class CertificateProvisioningUiHandler : public content::WebUIMessageHandler {
   void RegisterMessages() override;
 
  private:
-  // Returns the per-user CertProvisioningScheduler for |user_profile|, if it
-  // has any.
-  chromeos::cert_provisioning::CertProvisioningScheduler*
-  GetCertProvisioningSchedulerForUser(Profile* user_profile);
-
-  // Returns the per-device CertProvisioningScheduler, if |user_profile| is
-  // associated with a user that has access to device-wide client certificates.
-  chromeos::cert_provisioning::CertProvisioningScheduler*
-  GetCertProvisioningSchedulerForDevice(Profile* user_profile);
-
   // Send the list of certificate provisioning processes to the UI, triggered by
   // the UI when it loads.
   // |args| is expected to be empty.
@@ -59,6 +70,18 @@ class CertificateProvisioningUiHandler : public content::WebUIMessageHandler {
   // Send the list of certificate provisioning processes to the UI.
   void RefreshCertificateProvisioningProcesses();
 
+  // Returns true if device-wide certificate provisioning processes should be
+  // displayed, i.e. if the |user_profile| is affiliated.
+  static bool ShouldUseDeviceWideProcesses(Profile* user_profile);
+
+  // The user-specific CertProvisioningScheduler. Can be nullptr.
+  // Unowned.
+  CertProvisioningScheduler* const scheduler_for_user_;
+
+  // The device-wide CertProvisioningScheduler. Can be nullptr.
+  // Unowned.
+  CertProvisioningScheduler* const scheduler_for_device_;
+
   base::WeakPtrFactory<CertificateProvisioningUiHandler> weak_ptr_factory_{
       this};
 };

chrome/browser/ui/webui/chromeos/certificate_manager_dialog_ui.cc

@@ -45,6 +45,7 @@ CertificateManagerDialogUI::CertificateManagerDialogUI(content::WebUI* web_ui)
     : WebDialogUI(web_ui) {
   content::WebUIDataSource* source =
       content::WebUIDataSource::Create(chrome::kChromeUICertificateManagerHost);
+  Profile* profile = Profile::FromWebUI(web_ui);
 
   AddCertificateManagerStrings(source);
   source->AddBoolean(
@@ -61,10 +62,10 @@ CertificateManagerDialogUI::CertificateManagerDialogUI(content::WebUI* web_ui)
   web_ui->AddMessageHandler(
       std::make_unique<certificate_manager::CertificatesHandler>());
   web_ui->AddMessageHandler(
-      std::make_unique<
-          chromeos::cert_provisioning::CertificateProvisioningUiHandler>());
+      chromeos::cert_provisioning::CertificateProvisioningUiHandler::
+          CreateForProfile(profile));
 
-  content::WebUIDataSource::Add(Profile::FromWebUI(web_ui), source);
+  content::WebUIDataSource::Add(profile, source);
 }
 
 CertificateManagerDialogUI::~CertificateManagerDialogUI() {}

chrome/browser/ui/webui/settings/settings_ui.cc

@@ -174,8 +174,8 @@ SettingsUI::SettingsUI(content::WebUI* web_ui)
 #endif  // defined(USE_NSS_CERTS)
 #if defined(OS_CHROMEOS)
   AddSettingsPageUIHandler(
-      std::make_unique<
-          chromeos::cert_provisioning::CertificateProvisioningUiHandler>());
+      chromeos::cert_provisioning::CertificateProvisioningUiHandler::
+          CreateForProfile(profile));
 #endif
 
   AddSettingsPageUIHandler(std::make_unique<AccessibilityMainHandler>());

chrome/test/BUILD.gn

@@ -3681,6 +3681,7 @@ test("unit_tests") {
   if (is_chromeos) {
     sources += [
       "../browser/device_identity/chromeos/device_oauth2_token_store_chromeos_unittest.cc",
+      "../browser/ui/webui/certificate_provisioning_ui_handler_unittest.cc",
       "../browser/ui/webui/chromeos/add_supervision/add_supervision_handler_utils_unittest.cc",
       "../browser/ui/webui/chromeos/edu_account_login_handler_unittest.cc",
       "../renderer/chromeos_delayed_callback_group_unittest.cc",