Invalidate DM token on DM_STATUS_SERVICE_DEVICE_NOT_FOUND status

Invalidates the DM token in storage when CloudPolicyClient returns a
410 error code.

Bug: 1020289
Change-Id: I4e6de76e3d04de6c2ffc70def84f59b94b403766
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1934589
Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org>
Reviewed-by: Tien Mai <tienmai@chromium.org>
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Cr-Commit-Position: refs/heads/master@{#719303}

chrome/browser/policy/chrome_browser_cloud_management_controller.cc

@@ -30,6 +30,7 @@
 #include "chrome/common/chrome_paths.h"
 #include "components/policy/core/common/cloud/chrome_browser_cloud_management_metrics.h"
 #include "components/policy/core/common/cloud/cloud_external_data_manager.h"
+#include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/cloud/dm_token.h"
 #include "components/policy/core/common/cloud/machine_level_user_cloud_policy_manager.h"
 #include "components/policy/core/common/cloud/machine_level_user_cloud_policy_store.h"
@@ -98,8 +99,14 @@ bool ChromeBrowserCloudManagementController::IsEnabled() {
 
 ChromeBrowserCloudManagementController::
     ChromeBrowserCloudManagementController() {}
+
 ChromeBrowserCloudManagementController::
-    ~ChromeBrowserCloudManagementController() {}
+    ~ChromeBrowserCloudManagementController() {
+  if (policy_fetcher_)
+    policy_fetcher_->RemoveClientObserver(this);
+  if (cloud_policy_client_)
+    cloud_policy_client_->RemoveObserver(this);
+}
 
 // static
 std::unique_ptr<MachineLevelUserCloudPolicyManager>
@@ -201,6 +208,7 @@ void ChromeBrowserCloudManagementController::Init(
     policy_fetcher_ = std::make_unique<MachineLevelUserCloudPolicyFetcher>(
         policy_manager, local_state, device_management_service,
         url_loader_factory);
+    policy_fetcher_->AddClientObserver(this);
     return;
   }
 
@@ -216,6 +224,7 @@ void ChromeBrowserCloudManagementController::Init(
   policy_fetcher_ = std::make_unique<MachineLevelUserCloudPolicyFetcher>(
       policy_manager, local_state, device_management_service,
       url_loader_factory);
+  policy_fetcher_->AddClientObserver(this);
 
   if (dm_token.is_empty()) {
     cloud_management_register_watcher_ =
@@ -283,6 +292,32 @@ bool ChromeBrowserCloudManagementController::
          cloud_management_register_watcher_->IsDialogShowing();
 }
 
+void ChromeBrowserCloudManagementController::OnPolicyFetched(
+    CloudPolicyClient* client) {
+  // Ignored.
+}
+
+void ChromeBrowserCloudManagementController::OnRegistrationStateChanged(
+    CloudPolicyClient* client) {
+  // Ignored.
+}
+
+void ChromeBrowserCloudManagementController::OnClientError(
+    CloudPolicyClient* client) {
+  // DM_STATUS_SERVICE_DEVICE_NOT_FOUND being the last status implies the
+  // browser has been unenrolled.
+  if (client->status() == DM_STATUS_SERVICE_DEVICE_NOT_FOUND) {
+    // Invalidate DM token in storage.
+    BrowserDMTokenStorage::Get()->InvalidateDMToken(
+        base::BindOnce([](bool success) {
+          if (success)
+            DVLOG(1) << "Successfully invalidated the DM token";
+          else
+            DVLOG(1) << "Failed to invalidate the DM token";
+        }));
+  }
+}
+
 void ChromeBrowserCloudManagementController::NotifyPolicyRegisterFinished(
     bool succeeded) {
   for (auto& observer : observers_) {
@@ -377,6 +412,7 @@ void ChromeBrowserCloudManagementController::CreateReportScheduler() {
       g_browser_process->system_network_context_manager()
           ->GetSharedURLLoaderFactory(),
       nullptr, CloudPolicyClient::DeviceDMTokenCallback());
+  cloud_policy_client_->AddObserver(this);
   auto timer = std::make_unique<enterprise_reporting::RequestTimer>();
   auto generator = std::make_unique<enterprise_reporting::ReportGenerator>();
   report_scheduler_ = std::make_unique<enterprise_reporting::ReportScheduler>(

chrome/browser/policy/chrome_browser_cloud_management_controller.h

@@ -13,6 +13,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/observer_list.h"
 #include "base/time/time.h"
+#include "components/policy/core/common/cloud/cloud_policy_client.h"
 
 class PrefService;
 
@@ -26,14 +27,14 @@ class ReportScheduler;
 
 namespace policy {
 class ChromeBrowserCloudManagementRegistrar;
-class CloudPolicyClient;
 class ConfigurationPolicyProvider;
 class MachineLevelUserCloudPolicyManager;
 class MachineLevelUserCloudPolicyFetcher;
 class ChromeBrowserCloudManagementRegisterWatcher;
 
 // A class that setups and manages all CBCM related features.
-class ChromeBrowserCloudManagementController {
+class ChromeBrowserCloudManagementController
+    : public CloudPolicyClient::Observer {
  public:
   // Chrome browser cloud management enrollment result.
   enum class RegisterResult {
@@ -73,7 +74,7 @@ class ChromeBrowserCloudManagementController {
   static bool IsEnabled();
 
   ChromeBrowserCloudManagementController();
-  virtual ~ChromeBrowserCloudManagementController();
+  ~ChromeBrowserCloudManagementController() override;
 
   static std::unique_ptr<MachineLevelUserCloudPolicyManager>
   CreatePolicyManager(ConfigurationPolicyProvider* platform_provider);
@@ -89,6 +90,11 @@ class ChromeBrowserCloudManagementController {
   // Returns whether the enterprise startup dialog is being diaplayed.
   bool IsEnterpriseStartupDialogShowing();
 
+  // CloudPolicyClient::Observer implementation:
+  void OnPolicyFetched(CloudPolicyClient* client) override;
+  void OnRegistrationStateChanged(CloudPolicyClient* client) override;
+  void OnClientError(CloudPolicyClient* client) override;
+
  protected:
   void NotifyPolicyRegisterFinished(bool succeeded);
 

chrome/browser/policy/cloud/chrome_browser_cloud_management_browsertest.cc

@@ -184,6 +184,11 @@ class PolicyFetchClientObserver : public CloudPolicyClient::Observer {
   void OnRegistrationStateChanged(CloudPolicyClient* client) override {}
 
   void OnClientError(CloudPolicyClient* client) override {
+    // This is called when policy fetching fails and is used in
+    // ChromeBrowserCloudManagementController to unenroll the browser. The
+    // status must be DM_STATUS_SERVICE_DEVICE_NOT_FOUND for this to happen.
+    EXPECT_EQ(client->status(), DM_STATUS_SERVICE_DEVICE_NOT_FOUND);
+
     std::move(quit_closure_).Run();
   }
 
@@ -581,6 +586,8 @@ class MachineLevelUserCloudPolicyPolicyFetchTest
     test_server_->RegisterClient(kDMToken, kClientID, {} /* state_keys */);
   }
 
+  DMToken retrieve_dm_token() { return storage_.RetrieveDMToken(); }
+
   const std::string dm_token() const { return GetParam(); }
 
  private:
@@ -623,8 +630,23 @@ IN_PROC_BROWSER_TEST_P(MachineLevelUserCloudPolicyPolicyFetchTest, Test) {
   if (dm_token() != kInvalidDMToken) {
     EXPECT_EQ(1u, policy_map.size());
     EXPECT_EQ(base::Value(true), *(policy_map.Get("ShowHomeButton")->value));
+
+    // The token in storage should be valid.
+    DMToken token = retrieve_dm_token();
+    EXPECT_TRUE(token.is_valid());
+
+    // The test server will register with "fake_device_management_token" if
+    // Chrome is started without a DM token.
+    if (dm_token().empty())
+      EXPECT_EQ(token.value(), "fake_device_management_token");
+    else
+      EXPECT_EQ(token.value(), kDMToken);
   } else {
     EXPECT_EQ(0u, policy_map.size());
+
+    // The token in storage should be invalid.
+    DMToken token = retrieve_dm_token();
+    EXPECT_TRUE(token.is_invalid());
   }
 }
 

chrome/browser/policy/cloud/chrome_browser_cloud_management_helper.cc

@@ -130,6 +130,18 @@ void MachineLevelUserCloudPolicyFetcher::SetupRegistrationAndFetchPolicy(
       base::BindOnce(&OnPolicyFetchCompleted));
 }
 
+void MachineLevelUserCloudPolicyFetcher::AddClientObserver(
+    CloudPolicyClient::Observer* observer) {
+  if (policy_manager_)
+    policy_manager_->AddClientObserver(observer);
+}
+
+void MachineLevelUserCloudPolicyFetcher::RemoveClientObserver(
+    CloudPolicyClient::Observer* observer) {
+  if (policy_manager_)
+    policy_manager_->RemoveClientObserver(observer);
+}
+
 void MachineLevelUserCloudPolicyFetcher::
     OnCloudPolicyServiceInitializationCompleted() {
   // Client will be registered before policy fetch. A non-registered client

chrome/browser/policy/cloud/chrome_browser_cloud_management_helper.h

@@ -77,6 +77,11 @@ class MachineLevelUserCloudPolicyFetcher : public CloudPolicyService::Observer {
   void SetupRegistrationAndFetchPolicy(const DMToken& dm_token,
                                        const std::string& client_id);
 
+  // Add or remove |observer| to/from the CloudPolicyClient embedded in
+  // |policy_manager_|.
+  void AddClientObserver(CloudPolicyClient::Observer* observer);
+  void RemoveClientObserver(CloudPolicyClient::Observer* observer);
+
   // CloudPolicyService::Observer:
   void OnCloudPolicyServiceInitializationCompleted() override;
 

components/policy/core/common/cloud/machine_level_user_cloud_policy_manager.cc

@@ -65,6 +65,18 @@ bool MachineLevelUserCloudPolicyManager::IsClientRegistered() {
   return client() && client()->is_registered();
 }
 
+void MachineLevelUserCloudPolicyManager::AddClientObserver(
+    CloudPolicyClient::Observer* observer) {
+  if (client())
+    client()->AddObserver(observer);
+}
+
+void MachineLevelUserCloudPolicyManager::RemoveClientObserver(
+    CloudPolicyClient::Observer* observer) {
+  if (client())
+    client()->RemoveObserver(observer);
+}
+
 void MachineLevelUserCloudPolicyManager::Init(SchemaRegistry* registry) {
   DVLOG(1) << "Machine level cloud policy manager initialized";
   // Call to grand-parent's Init() instead of parent's is intentional.

components/policy/core/common/cloud/machine_level_user_cloud_policy_manager.h

@@ -39,6 +39,10 @@ class POLICY_EXPORT MachineLevelUserCloudPolicyManager
   // Returns true if the underlying CloudPolicyClient is already registered.
   bool IsClientRegistered();
 
+  // Add or remove |observer| to/from the CloudPolicyClient embedded in |core_|.
+  void AddClientObserver(CloudPolicyClient::Observer* observer);
+  void RemoveClientObserver(CloudPolicyClient::Observer* observer);
+
   MachineLevelUserCloudPolicyStore* store() { return store_.get(); }
 
   // ConfigurationPolicyProvider: