Refactor Active Directory domain join flow

Moved calling to D-Bus service out of EnrollmentScreenHandler into
EnrollmentScreen. Needed because EnrollmentScreen implements
ActiveDirectoryJoinDelegate. Future CL will use that to provide dm token
to D-Bus service and to use configuration seed coming from DM server.

BUG=chromium:829361,chromium:809914

Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I606d974e3461c802b37ff88ec0658f910a3953f5
Reviewed-on: https://chromium-review.googlesource.com/1004954
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551309}

chrome/browser/chromeos/login/enrollment/enrollment_screen.cc

@@ -270,6 +270,10 @@ void EnrollmentScreen::OnCancel() {
     return;
   }
 
+  on_joined_callback_.Reset();
+  if (authpolicy_login_helper_)
+    authpolicy_login_helper_->CancelRequestsAndRestart();
+
   UMA(policy::kMetricEnrollmentCancelled);
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeCancel, elapsed_timer_);
@@ -296,10 +300,6 @@ void EnrollmentScreen::OnConfirmationClosed() {
   }
 }
 
-void EnrollmentScreen::OnAdJoined(const std::string& realm) {
-  std::move(on_joined_callback_).Run(realm);
-}
-
 void EnrollmentScreen::OnAuthError(const GoogleServiceAuthError& error) {
   RecordEnrollmentErrorMetrics();
   view_->ShowAuthError(error);
@@ -343,6 +343,19 @@ void EnrollmentScreen::OnDeviceEnrolled(const std::string& additional_token) {
   enrollment_helper_->GetDeviceAttributeUpdatePermission();
 }
 
+void EnrollmentScreen::OnActiveDirectoryCredsProvided(
+    const std::string& machine_name,
+    const std::string& distinguished_name,
+    int encryption_types,
+    const std::string& username,
+    const std::string& password) {
+  DCHECK(authpolicy_login_helper_);
+  authpolicy_login_helper_->JoinAdDomain(
+      machine_name, distinguished_name, encryption_types, username, password,
+      base::BindOnce(&EnrollmentScreen::OnActiveDirectoryJoined,
+                     weak_ptr_factory_.GetWeakPtr(), machine_name, username));
+}
+
 void EnrollmentScreen::OnDeviceAttributeProvided(const std::string& asset_id,
                                                  const std::string& location) {
   enrollment_helper_->UpdateDeviceAttributes(asset_id, location);
@@ -426,8 +439,24 @@ void EnrollmentScreen::RecordEnrollmentErrorMetrics() {
 }
 
 void EnrollmentScreen::JoinDomain(OnDomainJoinedCallback on_joined_callback) {
+  if (!authpolicy_login_helper_)
+    authpolicy_login_helper_ = std::make_unique<AuthPolicyLoginHelper>();
   on_joined_callback_ = std::move(on_joined_callback);
-  view_->ShowAdJoin();
+  view_->ShowActiveDirectoryScreen(std::string(), std::string(),
+                                   authpolicy::ERROR_NONE);
+}
+
+void EnrollmentScreen::OnActiveDirectoryJoined(
+    const std::string& machine_name,
+    const std::string& username,
+    authpolicy::ErrorType error,
+    const std::string& machine_domain) {
+  if (error == authpolicy::ERROR_NONE) {
+    view_->ShowEnrollmentSpinnerScreen();
+    std::move(on_joined_callback_).Run(machine_domain);
+    return;
+  }
+  view_->ShowActiveDirectoryScreen(machine_name, username, error);
 }
 
 }  // namespace chromeos

chrome/browser/chromeos/login/enrollment/enrollment_screen.h

@@ -19,6 +19,7 @@
 #include "chrome/browser/chromeos/login/screens/base_screen.h"
 #include "chrome/browser/chromeos/policy/active_directory_join_delegate.h"
 #include "chrome/browser/chromeos/policy/enrollment_config.h"
+#include "chromeos/login/auth/authpolicy_login_helper.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/cloud/enterprise_metrics.h"
 #include "net/base/backoff_entry.h"
@@ -68,7 +69,11 @@ class EnrollmentScreen
   void OnRetry() override;
   void OnCancel() override;
   void OnConfirmationClosed() override;
-  void OnAdJoined(const std::string& realm) override;
+  void OnActiveDirectoryCredsProvided(const std::string& machine_name,
+                                      const std::string& distinguished_name,
+                                      int encryption_types,
+                                      const std::string& username,
+                                      const std::string& password) override;
   void OnDeviceAttributeProvided(const std::string& asset_id,
                                  const std::string& location) override;
 
@@ -178,6 +183,12 @@ class EnrollmentScreen
   // Called by OnRetry() and AutomaticRetry().
   void ProcessRetry();
 
+  // Callback for Active Directory domain join.
+  void OnActiveDirectoryJoined(const std::string& machine_name,
+                               const std::string& username,
+                               authpolicy::ErrorType error,
+                               const std::string& machine_domain);
+
   pairing_chromeos::ControllerPairingController* shark_controller_ = nullptr;
 
   EnrollmentScreenView* view_;
@@ -194,8 +205,12 @@ class EnrollmentScreen
   int num_retries_ = 0;
   std::unique_ptr<EnterpriseEnrollmentHelper> enrollment_helper_;
   OnDomainJoinedCallback on_joined_callback_;
-  base::WeakPtrFactory<EnrollmentScreen> weak_ptr_factory_;
 
+  // Helper to call AuthPolicyClient and cancel calls if needed. Used to join
+  // Active Directory domain.
+  std::unique_ptr<AuthPolicyLoginHelper> authpolicy_login_helper_;
+
+  base::WeakPtrFactory<EnrollmentScreen> weak_ptr_factory_;
   DISALLOW_COPY_AND_ASSIGN(EnrollmentScreen);
 };
 

chrome/browser/chromeos/login/enrollment/enrollment_screen_view.h

@@ -10,6 +10,7 @@
 #include "base/values.h"
 #include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h"
 #include "chrome/browser/chromeos/login/oobe_screen.h"
+#include "chromeos/dbus/authpolicy/active_directory_info.pb.h"
 
 class GoogleServiceAuthError;
 
@@ -35,7 +36,13 @@ class EnrollmentScreenView {
     virtual void OnRetry() = 0;
     virtual void OnCancel() = 0;
     virtual void OnConfirmationClosed() = 0;
-    virtual void OnAdJoined(const std::string& realm) = 0;
+    virtual void OnActiveDirectoryCredsProvided(
+        const std::string& machine_name,
+        const std::string& distinguished_name,
+        int encryption_types,
+        const std::string& username,
+        const std::string& password) = 0;
+
     virtual void OnDeviceAttributeProvided(const std::string& asset_id,
                                            const std::string& location) = 0;
   };
@@ -62,7 +69,9 @@ class EnrollmentScreenView {
       const base::DictionaryValue& license_types) = 0;
 
   // Shows the Active Directory domain joining screen.
-  virtual void ShowAdJoin() = 0;
+  virtual void ShowActiveDirectoryScreen(const std::string& machine_name,
+                                         const std::string& username,
+                                         authpolicy::ErrorType error) = 0;
 
   // Shows the device attribute prompt screen.
   virtual void ShowAttributePromptScreen(const std::string& asset_id,

chrome/browser/chromeos/login/enrollment/mock_enrollment_screen.h

@@ -33,7 +33,10 @@ class MockEnrollmentScreenView : public EnrollmentScreenView {
   MOCK_METHOD0(ShowSigninScreen, void());
   MOCK_METHOD1(ShowLicenseTypeSelectionScreen,
                void(const base::DictionaryValue&));
-  MOCK_METHOD0(ShowAdJoin, void());
+  MOCK_METHOD3(ShowActiveDirectoryScreen,
+               void(const std::string& machine_name,
+                    const std::string& username,
+                    authpolicy::ErrorType error));
   MOCK_METHOD2(ShowAttributePromptScreen,
                void(const std::string& asset_id, const std::string& location));
   MOCK_METHOD1(ShowAttestationBasedEnrollmentSuccessScreen,

chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js

@@ -78,18 +78,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
      * @private
      */
     offlineAdUi_: undefined,
-    /**
-     * Typed machine name on the Active Directory join screen.
-     * @type {string}
-     * @private
-     */
-    activeDirectoryMachine_: null,
-    /**
-     * Typed username on the Active Directory join screen.
-     * @type {string}
-     * @private
-     */
-    activeDirectoryUsername_: null,
 
     /**
      * Value contained in the last received 'backButton' event.
@@ -146,8 +134,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
 
       this.offlineAdUi_.addEventListener('authCompleted', function(e) {
         this.offlineAdUi_.disabled = true;
-        this.activeDirectoryMachine_ = e.detail.machinename;
-        this.activeDirectoryUsername_ = e.detail.username;
         chrome.send('oauthEnrollAdCompleteLogin', [
           e.detail.machinename, e.detail.distinguished_name,
           e.detail.encryption_types, e.detail.username, e.detail.password
@@ -305,8 +291,6 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
     },
 
     onBeforeHide: function() {
-      this.activeDirectoryMachine_ = null;
-      this.activeDirectoryUsername_ = null;
       $('login-header-bar').signinUIState = SIGNIN_UI_STATE.HIDDEN;
     },
 
@@ -406,9 +390,7 @@ login.createScreen('OAuthEnrollmentScreen', 'oauth-enrollment', function() {
         $('oauth-enroll-active-directory-join-error-card').submitButton.focus();
       } else if (step == STEP_AD_JOIN) {
         this.offlineAdUi_.disabled = false;
-        this.offlineAdUi_.setUser(
-            this.activeDirectoryUsername_, this.activeDirectoryMachine_);
-        this.offlineAdUi_.setInvalid(ACTIVE_DIRECTORY_ERROR_STATE.NONE);
+        this.offlineAdUi_.focus();
       }
 
       this.currentStep_ = step;

chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc

@@ -221,11 +221,80 @@ void EnrollmentScreenHandler::ShowLicenseTypeSelectionScreen(
   ShowStep(kEnrollmentStepPickLicense);
 }
 
-void EnrollmentScreenHandler::ShowAdJoin() {
+void EnrollmentScreenHandler::ShowActiveDirectoryScreen(
+    const std::string& machine_name,
+    const std::string& username,
+    authpolicy::ErrorType error) {
   observe_network_failure_ = false;
-  if (!authpolicy_login_helper_)
-    authpolicy_login_helper_ = std::make_unique<AuthPolicyLoginHelper>();
+  switch (error) {
+    case authpolicy::ERROR_NONE: {
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::NONE));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    }
+    case authpolicy::ERROR_NETWORK_PROBLEM:
+      // Could be a network problem, but could also be a misspelled domain name.
+      ShowError(IDS_AD_AUTH_NETWORK_ERROR, true);
+      return;
+    case authpolicy::ERROR_PARSE_UPN_FAILED:
+    case authpolicy::ERROR_BAD_USER_NAME:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::BAD_USERNAME));
       ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_BAD_PASSWORD:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::BAD_PASSWORD));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_MACHINE_NAME_TOO_LONG:
+      CallJS(
+          "invalidateAd", machine_name, username,
+          static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_TOO_LONG));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_INVALID_MACHINE_NAME:
+      CallJS("invalidateAd", machine_name, username,
+             static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_INVALID));
+      ShowStep(kEnrollmentStepAdJoin);
+      return;
+    case authpolicy::ERROR_PASSWORD_EXPIRED:
+      ShowError(IDS_AD_PASSWORD_EXPIRED, true);
+      return;
+    case authpolicy::ERROR_JOIN_ACCESS_DENIED:
+      ShowError(IDS_AD_USER_DENIED_TO_JOIN_MACHINE, true);
+      return;
+    case authpolicy::ERROR_USER_HIT_JOIN_QUOTA:
+      ShowError(IDS_AD_USER_HIT_JOIN_QUOTA, true);
+      return;
+    case authpolicy::ERROR_OU_DOES_NOT_EXIST:
+      ShowError(IDS_AD_OU_DOES_NOT_EXIST, true);
+      return;
+    case authpolicy::ERROR_INVALID_OU:
+      ShowError(IDS_AD_OU_INVALID, true);
+      return;
+    case authpolicy::ERROR_OU_ACCESS_DENIED:
+      ShowError(IDS_AD_OU_ACCESS_DENIED, true);
+      return;
+    case authpolicy::ERROR_SETTING_OU_FAILED:
+      ShowError(IDS_AD_OU_SETTING_FAILED, true);
+      return;
+    case authpolicy::ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE:
+      ShowError(IDS_AD_NOT_SUPPORTED_ENCRYPTION, true);
+      return;
+#if !defined(ARCH_CPU_X86_64)
+    // Currently, the Active Directory integration is only supported on x86_64
+    // systems. (see https://crbug.com/676602)
+    case authpolicy::ERROR_DBUS_FAILURE:
+      ShowError(IDS_AD_BOARD_NOT_SUPPORTED, true);
+      return;
+#endif
+    default:
+      LOG(ERROR) << "Unhandled error code: " << error;
+      ShowError(IDS_AD_DOMAIN_JOIN_UNKNOWN_ERROR, true);
+      return;
+  }
 }
 
 void EnrollmentScreenHandler::ShowAttributePromptScreen(
@@ -589,8 +658,6 @@ void EnrollmentScreenHandler::HandleClose(const std::string& reason) {
   DCHECK(controller_);
 
   if (reason == "cancel") {
-    if (authpolicy_login_helper_)
-      authpolicy_login_helper_->CancelRequestsAndRestart();
     controller_->OnCancel();
   } else if (reason == "done") {
     controller_->OnConfirmationClosed();
@@ -616,82 +683,8 @@ void EnrollmentScreenHandler::HandleAdCompleteLogin(
     const std::string& password) {
   observe_network_failure_ = false;
   DCHECK(controller_);
-  DCHECK(authpolicy_login_helper_);
-  authpolicy_login_helper_->JoinAdDomain(
-      machine_name, distinguished_name, encryption_types, user_name, password,
-      base::BindOnce(&EnrollmentScreenHandler::HandleAdDomainJoin,
-                     weak_ptr_factory_.GetWeakPtr(), machine_name, user_name));
-}
-
-void EnrollmentScreenHandler::HandleAdDomainJoin(
-    const std::string& machine_name,
-    const std::string& user_name,
-    authpolicy::ErrorType code,
-    const std::string& machine_domain) {
-  switch (code) {
-    case authpolicy::ERROR_NONE: {
-      ShowEnrollmentSpinnerScreen();
-      controller_->OnAdJoined(machine_domain);
-      return;
-    }
-    case authpolicy::ERROR_NETWORK_PROBLEM:
-      // Could be a network problem, but could also be a misspelled domain name.
-      ShowError(IDS_AD_AUTH_NETWORK_ERROR, true);
-      return;
-    case authpolicy::ERROR_PARSE_UPN_FAILED:
-    case authpolicy::ERROR_BAD_USER_NAME:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::BAD_USERNAME));
-      return;
-    case authpolicy::ERROR_BAD_PASSWORD:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::BAD_PASSWORD));
-      return;
-    case authpolicy::ERROR_MACHINE_NAME_TOO_LONG:
-      CallJS(
-          "invalidateAd", machine_name, user_name,
-          static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_TOO_LONG));
-      return;
-    case authpolicy::ERROR_INVALID_MACHINE_NAME:
-      CallJS("invalidateAd", machine_name, user_name,
-             static_cast<int>(ActiveDirectoryErrorState::MACHINE_NAME_INVALID));
-      return;
-    case authpolicy::ERROR_PASSWORD_EXPIRED:
-      ShowError(IDS_AD_PASSWORD_EXPIRED, true);
-      return;
-    case authpolicy::ERROR_JOIN_ACCESS_DENIED:
-      ShowError(IDS_AD_USER_DENIED_TO_JOIN_MACHINE, true);
-      return;
-    case authpolicy::ERROR_USER_HIT_JOIN_QUOTA:
-      ShowError(IDS_AD_USER_HIT_JOIN_QUOTA, true);
-      return;
-    case authpolicy::ERROR_OU_DOES_NOT_EXIST:
-      ShowError(IDS_AD_OU_DOES_NOT_EXIST, true);
-      return;
-    case authpolicy::ERROR_INVALID_OU:
-      ShowError(IDS_AD_OU_INVALID, true);
-      return;
-    case authpolicy::ERROR_OU_ACCESS_DENIED:
-      ShowError(IDS_AD_OU_ACCESS_DENIED, true);
-      return;
-    case authpolicy::ERROR_SETTING_OU_FAILED:
-      ShowError(IDS_AD_OU_SETTING_FAILED, true);
-      return;
-    case authpolicy::ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE:
-      ShowError(IDS_AD_NOT_SUPPORTED_ENCRYPTION, true);
-      return;
-#if !defined(ARCH_CPU_X86_64)
-    // Currently, the Active Directory integration is only supported on x86_64
-    // systems. (see https://crbug.com/676602)
-    case authpolicy::ERROR_DBUS_FAILURE:
-      ShowError(IDS_AD_BOARD_NOT_SUPPORTED, true);
-      return;
-#endif
-    default:
-      LOG(WARNING) << "Unhandled error code: " << code;
-      ShowError(IDS_AD_DOMAIN_JOIN_UNKNOWN_ERROR, true);
-      return;
-  }
+  controller_->OnActiveDirectoryCredsProvided(
+      machine_name, distinguished_name, encryption_types, user_name, password);
 }
 
 void EnrollmentScreenHandler::HandleRetry() {

chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h

@@ -15,12 +15,10 @@
 #include "chrome/browser/chromeos/policy/enrollment_config.h"
 #include "chrome/browser/ui/webui/chromeos/login/base_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/network_state_informer.h"
-#include "chromeos/dbus/auth_policy_client.h"
 #include "net/base/net_errors.h"
 
 namespace chromeos {
 
-class AuthPolicyLoginHelper;
 class ErrorScreensHistogramHelper;
 class HelpAppLauncher;
 
@@ -57,7 +55,9 @@ class EnrollmentScreenHandler
   void ShowSigninScreen() override;
   void ShowLicenseTypeSelectionScreen(
       const base::DictionaryValue& license_types) override;
-  void ShowAdJoin() override;
+  void ShowActiveDirectoryScreen(const std::string& machine_name,
+                                 const std::string& username,
+                                 authpolicy::ErrorType error) override;
   void ShowAttributePromptScreen(const std::string& asset_id,
                                  const std::string& location) override;
   void ShowAttestationBasedEnrollmentSuccessScreen(
@@ -130,12 +130,6 @@ class EnrollmentScreenHandler
   // enrollment sign-in page.
   bool IsEnrollmentScreenHiddenByError() const;
 
-  // Handler callback from AuthPolicyClient.
-  void HandleAdDomainJoin(const std::string& machine_name,
-                          const std::string& user_name,
-                          authpolicy::ErrorType code,
-                          const std::string& machine_domain);
-
   // Keeps the controller for this view.
   Controller* controller_ = nullptr;
 
@@ -161,9 +155,6 @@ class EnrollmentScreenHandler
   // Help application used for help dialogs.
   scoped_refptr<HelpAppLauncher> help_app_;
 
-  // Helper to call AuthPolicyClient and cancel calls if needed. Used to join
-  // Active Directory domain.
-  std::unique_ptr<AuthPolicyLoginHelper> authpolicy_login_helper_;
 
   base::WeakPtrFactory<EnrollmentScreenHandler> weak_ptr_factory_;