Force online sign-in after fatal policy init error

Store the online sign-in enforcement flag before terminating the
browser when a fatal policy initialization error happens.

This should fix the inability to sign into existing managed profiles
in the case when the policy files got corrupted. In such case the
user session is immediately terminated, because there's currently no
mechanism to fetch the missing policy without going through an
online sign-in flow. The problem was that the next sign-in attempts are
likely to go through the same steps and fail again.

This CL addresses this by enforcing the online authentication for the
next sign-in attempt of that user.

BUG=chromium:830654
TEST=Manual: delete user policy files from existing profile, try to
     sign in - the session should immediately terminate, then try to
     sign in again - the online sign-in should take place, and the
     session should start.

Change-Id: I1ff4c555999b4063a118c751598ecb0515839b3c
Reviewed-on: https://chromium-review.googlesource.com/1000867Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Drew Wilson <atwilson@chromium.org>
Commit-Queue: Maksim Ivanov <emaxx@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550154}

chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc

@@ -74,6 +74,12 @@ constexpr base::TimeDelta kPolicyRefreshTimeout =
 const char kUMAHasPolicyPrefNotMigrated[] =
     "Enterprise.UserPolicyChromeOS.HasPolicyPrefNotMigrated";
 
+void OnUserPolicyFatalError(const AccountId& account_id) {
+  // TODO(emaxx): Add a UMA metric.
+  user_manager::UserManager::Get()->SaveForceOnlineSignin(account_id, true);
+  chrome::AttemptUserExit();
+}
+
 }  // namespace
 
 // static
@@ -358,7 +364,7 @@ UserPolicyManagerFactoryChromeOS::CreateManagerForProfile(
   if (is_active_directory) {
     auto manager = std::make_unique<UserActiveDirectoryPolicyManager>(
         account_id, policy_refresh_timeout,
-        base::BindOnce(&chrome::AttemptUserExit), std::move(store),
+        base::BindOnce(&OnUserPolicyFatalError, account_id), std::move(store),
         std::move(external_data_manager));
     manager->Init(
         SchemaRegistryServiceFactory::GetForContext(profile)->registry());
@@ -371,8 +377,8 @@ UserPolicyManagerFactoryChromeOS::CreateManagerForProfile(
             std::move(store), std::move(external_data_manager),
             component_policy_cache_dir, enforcement_type,
             policy_refresh_timeout,
-            base::BindOnce(&chrome::AttemptUserExit) /* fatal_error_callback */,
-            account_id, base::ThreadTaskRunnerHandle::Get(), io_task_runner);
+            base::BindOnce(&OnUserPolicyFatalError, account_id), account_id,
+            base::ThreadTaskRunnerHandle::Get(), io_task_runner);
 
     bool wildcard_match = false;
     if (connector->IsEnterpriseManaged() &&