Remove mdm as a prerequisite for escrow service

Bug: 1024404
Change-Id: Icffc3a1e1bea5ed2aa7ae0778161e29fc4ff267a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914824
Commit-Queue: Yusuf Sengul <yusufsn@google.com>
Reviewed-by: Tien Mai <tienmai@chromium.org>
Cr-Commit-Position: refs/heads/master@{#715144}

chrome/credential_provider/gaiacp/associated_user_validator.cc

@@ -514,7 +514,7 @@ AssociatedUserValidator::GetAuthEnforceReason(const base::string16& sid) {
   if (NeedsToEnrollWithMdm())
     return AssociatedUserValidator::EnforceAuthReason::NOT_ENROLLED_WITH_MDM;
 
-  if (MdmPasswordRecoveryEnabled()) {
+  if (PasswordRecoveryEnabled()) {
     base::string16 store_key = GetUserPasswordLsaStoreKey(sid);
     auto policy = ScopedLsaPolicy::Create(POLICY_ALL_ACCESS);
     if (!policy->PrivateDataExists(store_key.c_str())) {

chrome/credential_provider/gaiacp/associated_user_validator_unittests.cc

@@ -406,7 +406,7 @@ TEST_P(AssociatedUserValidatorUserAccessBlockingTest, BlockUserAccessAsNeeded) {
   }
 
   if (password_recovery_enabled) {
-    ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+    ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                             L"https://escrow.com"));
   }
 
@@ -471,8 +471,7 @@ TEST_P(AssociatedUserValidatorUserAccessBlockingTest, BlockUserAccessAsNeeded) {
       is_last_login_stale ||
       (internet_available &&
        ((mdm_url_set && !mdm_enrolled) || !token_handle_valid ||
-        (mdm_url_set && password_recovery_enabled &&
-         !contains_stored_password)));
+        (password_recovery_enabled && !contains_stored_password)));
 
   bool should_user_be_blocked =
       should_user_locking_be_enabled && is_get_auth_enforced;
@@ -558,7 +557,7 @@ TEST_F(AssociatedUserValidatorTest, InvalidTokenHandle_MissingPasswordLsaData) {
                       L"gaia-id", base::string16(), &sid));
   ASSERT_EQ(S_OK, SetUserProperty(OLE2W(sid), kUserTokenHandle, L"th"));
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                           L"https://escrow.com"));
   GoogleMdmEnrolledStatusForTesting force_success(true);
 
@@ -587,7 +586,7 @@ TEST_F(AssociatedUserValidatorTest, ValidTokenHandle_PresentPasswordLsaData) {
                       L"gaia-id", base::string16(), &sid));
   ASSERT_EQ(S_OK, SetUserProperty(OLE2W(sid), kUserTokenHandle, L"th"));
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                           L"https://escrow.com"));
   GoogleMdmEnrolledStatusForTesting force_success(true);
 

chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc

@@ -1476,7 +1476,7 @@ TEST_P(GcpGaiaCredentialBasePasswordRecoveryTest, PasswordRecovery) {
   int generate_public_key_again_result = std::get<2>(GetParam());
 
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                           L"https://escrow.com"));
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmAllowConsumerAccounts, 1));
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmSupportsMultiUser, 0));
@@ -1712,14 +1712,14 @@ TEST_P(GcpGaiaCredentialBasePasswordRecoveryDisablingTest,
   // SetGlobalFlagForTesting effectively deletes the registry when the provided
   // registry value is empty. That implicitly enables escrow service without a
   // registry override.
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl, L""));
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl, L""));
 
   if (escrow_service_url) {
     base::win::RegKey key;
     ASSERT_EQ(ERROR_SUCCESS,
               key.Create(HKEY_LOCAL_MACHINE, kGcpRootKeyName, KEY_WRITE));
-    ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmEscrowServiceServerUrl,
-                                            escrow_service_url));
+    ASSERT_EQ(ERROR_SUCCESS,
+              key.WriteValue(kRegEscrowServiceServerUrl, escrow_service_url));
   }
 
   GoogleMdmEnrolledStatusForTesting force_success(true);

chrome/credential_provider/gaiacp/mdm_utils.cc

@@ -33,7 +33,7 @@ namespace credential_provider {
 constexpr wchar_t kRegMdmUrl[] = L"mdm";
 constexpr wchar_t kRegMdmEnableForcePasswordReset[] =
     L"mdm_enable_force_password";
-constexpr wchar_t kRegMdmEscrowServiceServerUrl[] = L"mdm_ess_url";
+constexpr wchar_t kRegEscrowServiceServerUrl[] = L"mdm_ess_url";
 constexpr wchar_t kRegMdmSupportsMultiUser[] = L"mdm_mu";
 constexpr wchar_t kRegMdmAllowConsumerAccounts[] = L"mdm_aca";
 constexpr wchar_t kUserPasswordLsaStoreKeyPrefix[] =
@@ -364,9 +364,9 @@ bool MdmEnrollmentEnabled() {
   return !mdm_url.empty();
 }
 
-GURL MdmEscrowServiceUrl() {
+GURL EscrowServiceUrl() {
   base::string16 escrow_service_url = GetGlobalFlagOrDefault(
-      kRegMdmEscrowServiceServerUrl, kDefaultEscrowServiceServerUrl);
+      kRegEscrowServiceServerUrl, kDefaultEscrowServiceServerUrl);
 
   if (escrow_service_url.empty())
     return GURL();
@@ -374,17 +374,13 @@ GURL MdmEscrowServiceUrl() {
   return GURL(base::UTF16ToUTF8(escrow_service_url));
 }
 
-bool MdmPasswordRecoveryEnabled() {
+bool PasswordRecoveryEnabled() {
 #if !BUILDFLAG(GOOGLE_CHROME_BRANDING)
   if (g_escrow_service_enabled == EscrowServiceStatus::kDisabled)
     return false;
 #endif
 
-  // Password recovery is enabled only if MDM is enabled.
-  if (!MdmEnrollmentEnabled())
-    return false;
-
-  if (MdmEscrowServiceUrl().is_empty())
+  if (EscrowServiceUrl().is_empty())
     return false;
 
   return true;

chrome/credential_provider/gaiacp/mdm_utils.h

@@ -23,7 +23,7 @@ namespace credential_provider {
 extern const wchar_t kRegMdmUrl[];
 
 // Base server url for the password recovery escrow service.
-extern const wchar_t kRegMdmEscrowServiceServerUrl[];
+extern const wchar_t kRegEscrowServiceServerUrl[];
 
 // Determines if multiple users can be added to a system managed by MDM.
 extern const wchar_t kRegMdmSupportsMultiUser[];
@@ -76,13 +76,13 @@ bool NeedsToEnrollWithMdm();
 // to a valid URL. Returns false otherwise.
 bool MdmEnrollmentEnabled();
 
-// Checks whether the |kRegMdmEscrowServiceServerUrl| is not empty on this
+// Checks whether the |kRegEscrowServiceServerUrl| is not empty on this
 // machine.
-bool MdmPasswordRecoveryEnabled();
+bool PasswordRecoveryEnabled();
 
 // Gets the escrow service URL as defined in the registry or a default value if
 // nothing is set.
-GURL MdmEscrowServiceUrl();
+GURL EscrowServiceUrl();
 
 // Enrolls the machine to with the Google MDM server if not already.
 HRESULT EnrollToGoogleMdmIfNeeded(const base::Value& properties);

chrome/credential_provider/gaiacp/password_recovery_manager.cc

@@ -666,7 +666,7 @@ HRESULT PasswordRecoveryManager::StoreWindowsPasswordIfNeeded(
     const base::string16& sid,
     const std::string& access_token,
     const base::string16& password) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
     return E_NOTIMPL;
 
   base::string16 machine_guid;
@@ -730,7 +730,7 @@ HRESULT PasswordRecoveryManager::RecoverWindowsPasswordIfPossible(
     const base::string16& sid,
     const std::string& access_token,
     base::string16* recovered_password) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
     return E_NOTIMPL;
 
   DCHECK(recovered_password);
@@ -778,10 +778,10 @@ HRESULT PasswordRecoveryManager::RecoverWindowsPasswordIfPossible(
 }
 
 GURL PasswordRecoveryManager::GetEscrowServiceGenerateKeyPairUrl() {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
     return GURL();
 
-  GURL escrow_service_server = MdmEscrowServiceUrl();
+  GURL escrow_service_server = EscrowServiceUrl();
 
   if (escrow_service_server.is_empty()) {
     LOGFN(ERROR) << "No escrow service server specified";
@@ -793,10 +793,10 @@ GURL PasswordRecoveryManager::GetEscrowServiceGenerateKeyPairUrl() {
 
 GURL PasswordRecoveryManager::GetEscrowServiceGetPrivateKeyUrl(
     const std::string& resource_id) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
     return GURL();
 
-  GURL escrow_service_server = MdmEscrowServiceUrl();
+  GURL escrow_service_server = EscrowServiceUrl();
 
   if (escrow_service_server.is_empty()) {
     LOGFN(ERROR) << "No escrow service server specified";

chrome/credential_provider/gaiacp/reauth_credential_unittests.cc

@@ -191,7 +191,7 @@ TEST_P(GcpReauthCredentialEnforceAuthReasonGetStringValueTest, FidDescription) {
   const bool is_stale_login = std::get<2>(GetParam());
 
   ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                           L"https://escrow.com"));
 
   GoogleMdmEnrolledStatusForTesting forced_enrolled_status(enrolled_mdm);

chrome/credential_provider/test/gcp_fakes.cc

@@ -53,7 +53,7 @@ void InitializeRegistryOverrideForTesting(
   ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmUrl, L""));
   ASSERT_EQ(ERROR_SUCCESS,
             SetMachineGuidForTesting(L"f418a124-4d92-469b-afa5-0f8af537b965"));
-  ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmEscrowServiceServerUrl, L""));
+  ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegEscrowServiceServerUrl, L""));
 }
 
 ///////////////////////////////////////////////////////////////////////////////