Refactor Active Directory domain join flow

Moved calling to D-Bus service out of EnrollmentScreenHandler into EnrollmentScreen. Needed because EnrollmentScreen implements ActiveDirectoryJoinDelegate. Future CL will use that to provide dm token to D-Bus service and to use configuration seed coming from DM server. BUG=chromium:829361,chromium:809914 Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation Change-Id: I606d974e3461c802b37ff88ec0658f910a3953f5 Reviewed-on: https://chromium-review.googlesource.com/1004954 Commit-Queue: Roman Sorokin <rsorokin@chromium.org> Reviewed-by: Alexander Alekseev <alemate@chromium.org> Cr-Commit-Position: refs/heads/master@{#551309}

Refactor Active Directory domain join flow
Moved calling to D-Bus service out of EnrollmentScreenHandler into EnrollmentScreen. Needed because EnrollmentScreen implements ActiveDirectoryJoinDelegate. Future CL will use that to provide dm token to D-Bus service and to use configuration seed coming from DM server. BUG=chromium:829361,chromium:809914 Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation Change-Id: I606d974e3461c802b37ff88ec0658f910a3953f5 Reviewed-on: https://chromium-review.googlesource.com/1004954 Commit-Queue: Roman Sorokin <rsorokin@chromium.org> Reviewed-by: Alexander Alekseev <alemate@chromium.org> Cr-Commit-Position: refs/heads/master@{#551309}
c026bc84 · Roman Sorokin · Commit Bot · fc360e99 · c026bc84 · c026bc84
Commit c026bc84 authored Apr 17, 2018 by Roman Sorokin Committed by Commit Bot Apr 17, 2018
7 changed files
--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
@@ -270,6 +270,10 @@ void EnrollmentScreen::OnCancel() {
    return;
  }
+  on_joined_callback_.Reset();
+  if (authpolicy_login_helper_)
+    authpolicy_login_helper_->CancelRequestsAndRestart();
  UMA(policy::kMetricEnrollmentCancelled);
  if (elapsed_timer_)
    UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeCancel, elapsed_timer_);
@@ -296,10 +300,6 @@ void EnrollmentScreen::OnConfirmationClosed() {
  }
 }
-void EnrollmentScreen::OnAdJoined(const std::string& realm) {
-  std::move(on_joined_callback_).Run(realm);
-}
 void EnrollmentScreen::OnAuthError(const GoogleServiceAuthError& error) {
  RecordEnrollmentErrorMetrics();
  view_->ShowAuthError(error);
@@ -343,6 +343,19 @@ void EnrollmentScreen::OnDeviceEnrolled(const std::string& additional_token) {
  enrollment_helper_->GetDeviceAttributeUpdatePermission();
 }
+void EnrollmentScreen::OnActiveDirectoryCredsProvided(
+    const std::string& machine_name,
+    const std::string& distinguished_name,
+    int encryption_types,
+    const std::string& username,
+    const std::string& password) {
+  DCHECK(authpolicy_login_helper_);
+  authpolicy_login_helper_->JoinAdDomain(
+      machine_name, distinguished_name, encryption_types, username, password,
+      base::BindOnce(&EnrollmentScreen::OnActiveDirectoryJoined,
+                     weak_ptr_factory_.GetWeakPtr(), machine_name, username));
+}
 void EnrollmentScreen::OnDeviceAttributeProvided(const std::string& asset_id,
                                                 const std::string& location) {
  enrollment_helper_->UpdateDeviceAttributes(asset_id, location);
@@ -426,8 +439,24 @@ void EnrollmentScreen::RecordEnrollmentErrorMetrics() {
 }
 void EnrollmentScreen::JoinDomain(OnDomainJoinedCallback on_joined_callback) {
+  if (!authpolicy_login_helper_)
+    authpolicy_login_helper_ = std::make_unique<AuthPolicyLoginHelper>();
  on_joined_callback_ = std::move(on_joined_callback);
-  view_->ShowAdJoin();
+  view_->ShowActiveDirectoryScreen(std::string(), std::string(),
+                                   authpolicy::ERROR_NONE);
+}
+void EnrollmentScreen::OnActiveDirectoryJoined(
+    const std::string& machine_name,
+    const std::string& username,
+    authpolicy::ErrorType error,
+    const std::string& machine_domain) {
+  if (error == authpolicy::ERROR_NONE) {
+    view_->ShowEnrollmentSpinnerScreen();
+    std::move(on_joined_callback_).Run(machine_domain);
+    return;
+  }
+  view_->ShowActiveDirectoryScreen(machine_name, username, error);
 }
 }  // namespace chromeos
--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen.h
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen.h
@@ -19,6 +19,7 @@
 #include "chrome/browser/chromeos/login/screens/base_screen.h"
 #include "chrome/browser/chromeos/policy/active_directory_join_delegate.h"
 #include "chrome/browser/chromeos/policy/enrollment_config.h"
+#include "chromeos/login/auth/authpolicy_login_helper.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/cloud/enterprise_metrics.h"
 #include "net/base/backoff_entry.h"
@@ -68,7 +69,11 @@ class EnrollmentScreen
  void OnRetry() override;
  void OnCancel() override;
  void OnConfirmationClosed() override;
-  void OnAdJoined(const std::string& realm) override;
+  void OnActiveDirectoryCredsProvided(const std::string& machine_name,
+                                      const std::string& distinguished_name,
+                                      int encryption_types,
+                                      const std::string& username,
+                                      const std::string& password) override;
  void OnDeviceAttributeProvided(const std::string& asset_id,
                                 const std::string& location) override;
@@ -178,6 +183,12 @@ class EnrollmentScreen
  // Called by OnRetry() and AutomaticRetry().
  void ProcessRetry();
+  // Callback for Active Directory domain join.
+  void OnActiveDirectoryJoined(const std::string& machine_name,
+                               const std::string& username,
+                               authpolicy::ErrorType error,
+                               const std::string& machine_domain);
  pairing_chromeos::ControllerPairingController* shark_controller_ = nullptr;
  EnrollmentScreenView* view_;
@@ -194,8 +205,12 @@ class EnrollmentScreen
  int num_retries_ = 0;
  std::unique_ptr<EnterpriseEnrollmentHelper> enrollment_helper_;
  OnDomainJoinedCallback on_joined_callback_;
-  base::WeakPtrFactory<EnrollmentScreen> weak_ptr_factory_;
+  // Helper to call AuthPolicyClient and cancel calls if needed. Used to join
+  // Active Directory domain.
+  std::unique_ptr<AuthPolicyLoginHelper> authpolicy_login_helper_;
+  base::WeakPtrFactory<EnrollmentScreen> weak_ptr_factory_;
  DISALLOW_COPY_AND_ASSIGN(EnrollmentScreen);
 };

--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen_view.h
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen_view.h
@@ -10,6 +10,7 @@
 #include "base/values.h"
 #include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h"
 #include "chrome/browser/chromeos/login/oobe_screen.h"
+#include "chromeos/dbus/authpolicy/active_directory_info.pb.h"
 class GoogleServiceAuthError;
@@ -35,7 +36,13 @@ class EnrollmentScreenView {
    virtual void OnRetry() = 0;
    virtual void OnCancel() = 0;
    virtual void OnConfirmationClosed() = 0;
-    virtual void OnAdJoined(const std::string& realm) = 0;
+    virtual void OnActiveDirectoryCredsProvided(
+        const std::string& machine_name,
+        const std::string& distinguished_name,
+        int encryption_types,
+        const std::string& username,
+        const std::string& password) = 0;
    virtual void OnDeviceAttributeProvided(const std::string& asset_id,
                                           const std::string& location) = 0;
  };
@@ -62,7 +69,9 @@ class EnrollmentScreenView {
      const base::DictionaryValue& license_types) = 0;
  // Shows the Active Directory domain joining screen.
-  virtual void ShowAdJoin() = 0;
+  virtual void ShowActiveDirectoryScreen(const std::string& machine_name,
+                                         const std::string& username,
+                                         authpolicy::ErrorType error) = 0;
  // Shows the device attribute prompt screen.
  virtual void ShowAttributePromptScreen(const std::string& asset_id,

--- a/chrome/browser/chromeos/login/enrollment/mock_enrollment_screen.h
+++ b/chrome/browser/chromeos/login/enrollment/mock_enrollment_screen.h
@@ -33,7 +33,10 @@ class MockEnrollmentScreenView : public EnrollmentScreenView {
  MOCK_METHOD0(ShowSigninScreen, void());
  MOCK_METHOD1(ShowLicenseTypeSelectionScreen,
               void(const base::DictionaryValue&));
-  MOCK_METHOD0(ShowAdJoin, void());
+  MOCK_METHOD3(ShowActiveDirectoryScreen,
+               void(const std::string& machine_name,
+                    const std::string& username,
+                    authpolicy::ErrorType error));
  MOCK_METHOD2(ShowAttributePromptScreen,
               void(const std::string& asset_id, const std::string& location));
  MOCK_METHOD1(ShowAttestationBasedEnrollmentSuccessScreen,

--- a/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
+++ b/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
@@ -78,18 +78,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
     * @private
     */
    offlineAdUi_: undefined,
-    /**
-     * Typed machine name on the Active Directory join screen.
-     * @type {string}
-     * @private
-     */
-    activeDirectoryMachine_: null,
-    /**
-     * Typed username on the Active Directory join screen.
-     * @type {string}
-     * @private
-     */
-    activeDirectoryUsername_: null,
    /**
     * Value contained in the last received 'backButton' event.
@@ -146,8 +134,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
      this.offlineAdUi_.addEventListener('authCompleted', function(e) {
        this.offlineAdUi_.disabled = true;
-        this.activeDirectoryMachine_ = e.detail.machinename;
-        this.activeDirectoryUsername_ = e.detail.username;
        chrome.send('oauthEnrollAdCompleteLogin', [
          e.detail.machinename, e.detail.distinguished_name,
          e.detail.encryption_types, e.detail.username, e.detail.password
@@ -305,8 +291,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
    },
    onBeforeHide: function() {
-      this.activeDirectoryMachine_ = null;
-      this.activeDirectoryUsername_ = null;
      $('login-header-bar').signinUIState = SIGNIN_UI_STATE.HIDDEN;
    },
@@ -406,9 +390,7 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
        $('oauth-enroll-active-directory-join-error-card').submitButton.focus();
      } else if (step == STEP_AD_JOIN) {
        this.offlineAdUi_.disabled = false;
-        this.offlineAdUi_.setUser(
+        this.offlineAdUi_.focus();
-            this.activeDirectoryUsername_, this.activeDirectoryMachine_);
-        this.offlineAdUi_.setInvalid(ACTIVE_DIRECTORY_ERROR_STATE.NONE);
      }
      this.currentStep_ = step;

--- a/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
@@ -221,11 +221,80 @@ void EnrollmentScreenHandler::ShowLicenseTypeSelectionScreen(
  ShowStep(kEnrollmentStepPickLicense);
 }
-void EnrollmentScreenHandler::ShowAdJoin() {
+void EnrollmentScreenHandler::ShowActiveDirectoryScreen(
+    const std::string& machine_name,
+    const std::string& username,
+    authpolicy::ErrorType error) {
  observe_network_failure_ = false;
-  if (!authpolicy_login_helper_)
+  switch (error) {
-    authpolicy_login_helper_ = std::make_unique<AuthPolicyLoginHelper>();
+    case authpolicy::ERROR_NONE: {
-  ShowStep(kEnrollmentStepAdJoin);
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::NONE));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    }
+    case authpolicy::ERROR_NETWORK_PROBLEM:
+      // Could be a network problem, but could also be a misspelled domain name.
+      ShowError(IDS_AD_AUTH_NETWORK_ERROR, true);
+      return;
+    case authpolicy::ERROR_PARSE_UPN_FAILED:
+    case authpolicy::ERROR_BAD_USER_NAME:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::BAD_USERNAME));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_BAD_PASSWORD:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::BAD_PASSWORD));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_MACHINE_NAME_TOO_LONG:
+      CallJS(
+          "invalidateAd", machine_name, username,
+          static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_TOO_LONG));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_INVALID_MACHINE_NAME:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_INVALID));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_PASSWORD_EXPIRED:
+      ShowError(IDS_AD_PASSWORD_EXPIRED, true);
+      return;
+    case authpolicy::ERROR_JOIN_ACCESS_DENIED:
+      ShowError(IDS_AD_USER_DENIED_TO_JOIN_MACHINE, true);
+      return;
+    case authpolicy::ERROR_USER_HIT_JOIN_QUOTA:
+      ShowError(IDS_AD_USER_HIT_JOIN_QUOTA, true);
+      return;
+    case authpolicy::ERROR_OU_DOES_NOT_EXIST:
+      ShowError(IDS_AD_OU_DOES_NOT_EXIST, true);
+      return;
+    case authpolicy::ERROR_INVALID_OU:
+      ShowError(IDS_AD_OU_INVALID, true);
+      return;
+    case authpolicy::ERROR_OU_ACCESS_DENIED:
+      ShowError(IDS_AD_OU_ACCESS_DENIED, true);
+      return;
+    case authpolicy::ERROR_SETTING_OU_FAILED:
+      ShowError(IDS_AD_OU_SETTING_FAILED, true);
+      return;
+    case authpolicy::ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE:
+      ShowError(IDS_AD_NOT_SUPPORTED_ENCRYPTION, true);
+      return;
+#if !defined(ARCH_CPU_X86_64)
+    // Currently, the Active Directory integration is only supported on x86_64
+    // systems. (see https://crbug.com/676602)
+    case authpolicy::ERROR_DBUS_FAILURE:
+      ShowError(IDS_AD_BOARD_NOT_SUPPORTED, true);
+      return;
+#endif
+    default:
+      LOG(ERROR) << "Unhandled error code: " << error;
+      ShowError(IDS_AD_DOMAIN_JOIN_UNKNOWN_ERROR, true);
+      return;
+  }
 }
 void EnrollmentScreenHandler::ShowAttributePromptScreen(
@@ -589,8 +658,6 @@ void EnrollmentScreenHandler::HandleClose(const std::string& reason) {
  DCHECK(controller_);
  if (reason == "cancel") {
-    if (authpolicy_login_helper_)
-      authpolicy_login_helper_->CancelRequestsAndRestart();
    controller_->OnCancel();
  } else if (reason == "done") {
    controller_->OnConfirmationClosed();
@@ -616,82 +683,8 @@ void EnrollmentScreenHandler::HandleAdCompleteLogin(
    const std::string& password) {
  observe_network_failure_ = false;
  DCHECK(controller_);
-  DCHECK(authpolicy_login_helper_);
+  controller_->OnActiveDirectoryCredsProvided(
-  authpolicy_login_helper_->JoinAdDomain(
+      machine_name, distinguished_name, encryption_types, user_name, password);
-      machine_name, distinguished_name, encryption_types, user_name, password,
-      base::BindOnce(&EnrollmentScreenHandler::HandleAdDomainJoin,
-                     weak_ptr_factory_.GetWeakPtr(), machine_name, user_name));
-}
-void EnrollmentScreenHandler::HandleAdDomainJoin(
-    const std::string& machine_name,
-    const std::string& user_name,
-    authpolicy::ErrorType code,
-    const std::string& machine_domain) {
-  switch (code) {
-    case authpolicy::ERROR_NONE: {
-      ShowEnrollmentSpinnerScreen();
-      controller_->OnAdJoined(machine_domain);
-      return;
-    }
-    case authpolicy::ERROR_NETWORK_PROBLEM:
-      // Could be a network problem, but could also be a misspelled domain name.
-      ShowError(IDS_AD_AUTH_NETWORK_ERROR, true);
-      return;
-    case authpolicy::ERROR_PARSE_UPN_FAILED:
-    case authpolicy::ERROR_BAD_USER_NAME:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::BAD_USERNAME));
-      return;
-    case authpolicy::ERROR_BAD_PASSWORD:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::BAD_PASSWORD));
-      return;
-    case authpolicy::ERROR_MACHINE_NAME_TOO_LONG:
-      CallJS(
-          "invalidateAd", machine_name, user_name,
-          static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_TOO_LONG));
-      return;
-    case authpolicy::ERROR_INVALID_MACHINE_NAME:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_INVALID));
-      return;
-    case authpolicy::ERROR_PASSWORD_EXPIRED:
-      ShowError(IDS_AD_PASSWORD_EXPIRED, true);
-      return;
-    case authpolicy::ERROR_JOIN_ACCESS_DENIED:
-      ShowError(IDS_AD_USER_DENIED_TO_JOIN_MACHINE, true);
-      return;
-    case authpolicy::ERROR_USER_HIT_JOIN_QUOTA:
-      ShowError(IDS_AD_USER_HIT_JOIN_QUOTA, true);
-      return;
-    case authpolicy::ERROR_OU_DOES_NOT_EXIST:
-      ShowError(IDS_AD_OU_DOES_NOT_EXIST, true);
-      return;
-    case authpolicy::ERROR_INVALID_OU:
-      ShowError(IDS_AD_OU_INVALID, true);
-      return;
-    case authpolicy::ERROR_OU_ACCESS_DENIED:
-      ShowError(IDS_AD_OU_ACCESS_DENIED, true);
-      return;
-    case authpolicy::ERROR_SETTING_OU_FAILED:
-      ShowError(IDS_AD_OU_SETTING_FAILED, true);
-      return;
-    case authpolicy::ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE:
-      ShowError(IDS_AD_NOT_SUPPORTED_ENCRYPTION, true);
-      return;
-#if !defined(ARCH_CPU_X86_64)
-    // Currently, the Active Directory integration is only supported on x86_64
-    // systems. (see https://crbug.com/676602)
-    case authpolicy::ERROR_DBUS_FAILURE:
-      ShowError(IDS_AD_BOARD_NOT_SUPPORTED, true);
-      return;
-#endif
-    default:
-      LOG(WARNING) << "Unhandled error code: " << code;
-      ShowError(IDS_AD_DOMAIN_JOIN_UNKNOWN_ERROR, true);
-      return;
-  }
 }
 void EnrollmentScreenHandler::HandleRetry() {

--- a/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h
+++ b/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h
@@ -15,12 +15,10 @@
 #include "chrome/browser/chromeos/policy/enrollment_config.h"
 #include "chrome/browser/ui/webui/chromeos/login/base_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/network_state_informer.h"
-#include "chromeos/dbus/auth_policy_client.h"
 #include "net/base/net_errors.h"
 namespace chromeos {
-class AuthPolicyLoginHelper;
 class ErrorScreensHistogramHelper;
 class HelpAppLauncher;
@@ -57,7 +55,9 @@ class EnrollmentScreenHandler
  void ShowSigninScreen() override;
  void ShowLicenseTypeSelectionScreen(
      const base::DictionaryValue& license_types) override;
-  void ShowAdJoin() override;
+  void ShowActiveDirectoryScreen(const std::string& machine_name,
+                                 const std::string& username,
+                                 authpolicy::ErrorType error) override;
  void ShowAttributePromptScreen(const std::string& asset_id,
                                 const std::string& location) override;
  void ShowAttestationBasedEnrollmentSuccessScreen(
@@ -130,12 +130,6 @@ class EnrollmentScreenHandler
  // enrollment sign-in page.
  bool IsEnrollmentScreenHiddenByError() const;
-  // Handler callback from AuthPolicyClient.
-  void HandleAdDomainJoin(const std::string& machine_name,
-                          const std::string& user_name,
-                          authpolicy::ErrorType code,
-                          const std::string& machine_domain);
  // Keeps the controller for this view.
  Controller* controller_ = nullptr;
@@ -161,9 +155,6 @@ class EnrollmentScreenHandler
  // Help application used for help dialogs.
  scoped_refptr<HelpAppLauncher> help_app_;
-  // Helper to call AuthPolicyClient and cancel calls if needed. Used to join
-  // Active Directory domain.
-  std::unique_ptr<AuthPolicyLoginHelper> authpolicy_login_helper_;
  base::WeakPtrFactory<EnrollmentScreenHandler> weak_ptr_factory_;