Remove mdm as a prerequisite for escrow service

Bug: 1024404 Change-Id: Icffc3a1e1bea5ed2aa7ae0778161e29fc4ff267a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914824 Commit-Queue: Yusuf Sengul <yusufsn@google.com> Reviewed-by: Tien Mai <tienmai@chromium.org> Cr-Commit-Position: refs/heads/master@{#715144}

Remove mdm as a prerequisite for escrow service
Bug: 1024404 Change-Id: Icffc3a1e1bea5ed2aa7ae0778161e29fc4ff267a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914824 Commit-Queue: Yusuf Sengul <yusufsn@google.com> Reviewed-by: Tien Mai <tienmai@chromium.org> Cr-Commit-Position: refs/heads/master@{#715144}
f273eef6 · Yusuf Sengul · Commit Bot · 1494641f · f273eef6 · f273eef6
Commit f273eef6 authored Nov 14, 2019 by Yusuf Sengul Committed by Commit Bot Nov 14, 2019
8 changed files
--- a/chrome/credential_provider/gaiacp/associated_user_validator.cc
+++ b/chrome/credential_provider/gaiacp/associated_user_validator.cc
@@ -514,7 +514,7 @@ AssociatedUserValidator::GetAuthEnforceReason(const base::string16& sid) {
  if (NeedsToEnrollWithMdm())
    return AssociatedUserValidator::EnforceAuthReason::NOT_ENROLLED_WITH_MDM;
-  if (MdmPasswordRecoveryEnabled()) {
+  if (PasswordRecoveryEnabled()) {
    base::string16 store_key = GetUserPasswordLsaStoreKey(sid);
    auto policy = ScopedLsaPolicy::Create(POLICY_ALL_ACCESS);
    if (!policy->PrivateDataExists(store_key.c_str())) {

--- a/chrome/credential_provider/gaiacp/associated_user_validator_unittests.cc
+++ b/chrome/credential_provider/gaiacp/associated_user_validator_unittests.cc
@@ -406,7 +406,7 @@ TEST_P(AssociatedUserValidatorUserAccessBlockingTest, BlockUserAccessAsNeeded) {
  }
  if (password_recovery_enabled) {
-    ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+    ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                            L"https://escrow.com"));
  }
@@ -471,8 +471,7 @@ TEST_P(AssociatedUserValidatorUserAccessBlockingTest, BlockUserAccessAsNeeded) {
      is_last_login_stale ||
      (internet_available &&
       ((mdm_url_set && !mdm_enrolled) || !token_handle_valid ||
-        (mdm_url_set && password_recovery_enabled &&
+        (password_recovery_enabled && !contains_stored_password)));
-         !contains_stored_password)));
  bool should_user_be_blocked =
      should_user_locking_be_enabled && is_get_auth_enforced;
@@ -558,7 +557,7 @@ TEST_F(AssociatedUserValidatorTest, InvalidTokenHandle_MissingPasswordLsaData) {
                      L"gaia-id", base::string16(), &sid));
  ASSERT_EQ(S_OK, SetUserProperty(OLE2W(sid), kUserTokenHandle, L"th"));
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                          L"https://escrow.com"));
  GoogleMdmEnrolledStatusForTesting force_success(true);
@@ -587,7 +586,7 @@ TEST_F(AssociatedUserValidatorTest, ValidTokenHandle_PresentPasswordLsaData) {
                      L"gaia-id", base::string16(), &sid));
  ASSERT_EQ(S_OK, SetUserProperty(OLE2W(sid), kUserTokenHandle, L"th"));
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                          L"https://escrow.com"));
  GoogleMdmEnrolledStatusForTesting force_success(true);

--- a/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc
@@ -1476,7 +1476,7 @@ TEST_P(GcpGaiaCredentialBasePasswordRecoveryTest, PasswordRecovery) {
  int generate_public_key_again_result = std::get<2>(GetParam());
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                          L"https://escrow.com"));
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmAllowConsumerAccounts, 1));
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmSupportsMultiUser, 0));
@@ -1712,14 +1712,14 @@ TEST_P(GcpGaiaCredentialBasePasswordRecoveryDisablingTest,
  // SetGlobalFlagForTesting effectively deletes the registry when the provided
  // registry value is empty. That implicitly enables escrow service without a
  // registry override.
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl, L""));
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl, L""));
  if (escrow_service_url) {
    base::win::RegKey key;
    ASSERT_EQ(ERROR_SUCCESS,
              key.Create(HKEY_LOCAL_MACHINE, kGcpRootKeyName, KEY_WRITE));
-    ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmEscrowServiceServerUrl,
+    ASSERT_EQ(ERROR_SUCCESS,
-                                            escrow_service_url));
+              key.WriteValue(kRegEscrowServiceServerUrl, escrow_service_url));
  }
  GoogleMdmEnrolledStatusForTesting force_success(true);

--- a/chrome/credential_provider/gaiacp/mdm_utils.cc
+++ b/chrome/credential_provider/gaiacp/mdm_utils.cc
@@ -33,7 +33,7 @@ namespace credential_provider {
 constexpr wchar_t kRegMdmUrl[] = L"mdm";
 constexpr wchar_t kRegMdmEnableForcePasswordReset[] =
    L"mdm_enable_force_password";
-constexpr wchar_t kRegMdmEscrowServiceServerUrl[] = L"mdm_ess_url";
+constexpr wchar_t kRegEscrowServiceServerUrl[] = L"mdm_ess_url";
 constexpr wchar_t kRegMdmSupportsMultiUser[] = L"mdm_mu";
 constexpr wchar_t kRegMdmAllowConsumerAccounts[] = L"mdm_aca";
 constexpr wchar_t kUserPasswordLsaStoreKeyPrefix[] =
@@ -364,9 +364,9 @@ bool MdmEnrollmentEnabled() {
  return !mdm_url.empty();
 }
-GURL MdmEscrowServiceUrl() {
+GURL EscrowServiceUrl() {
  base::string16 escrow_service_url = GetGlobalFlagOrDefault(
-      kRegMdmEscrowServiceServerUrl, kDefaultEscrowServiceServerUrl);
+      kRegEscrowServiceServerUrl, kDefaultEscrowServiceServerUrl);
  if (escrow_service_url.empty())
    return GURL();
@@ -374,17 +374,13 @@ GURL MdmEscrowServiceUrl() {
  return GURL(base::UTF16ToUTF8(escrow_service_url));
 }
-bool MdmPasswordRecoveryEnabled() {
+bool PasswordRecoveryEnabled() {
 #if !BUILDFLAG(GOOGLE_CHROME_BRANDING)
  if (g_escrow_service_enabled == EscrowServiceStatus::kDisabled)
    return false;
 #endif
-  // Password recovery is enabled only if MDM is enabled.
+  if (EscrowServiceUrl().is_empty())
-  if (!MdmEnrollmentEnabled())
-    return false;
-  if (MdmEscrowServiceUrl().is_empty())
    return false;
  return true;

--- a/chrome/credential_provider/gaiacp/mdm_utils.h
+++ b/chrome/credential_provider/gaiacp/mdm_utils.h
@@ -23,7 +23,7 @@ namespace credential_provider {
 extern const wchar_t kRegMdmUrl[];
 // Base server url for the password recovery escrow service.
-extern const wchar_t kRegMdmEscrowServiceServerUrl[];
+extern const wchar_t kRegEscrowServiceServerUrl[];
 // Determines if multiple users can be added to a system managed by MDM.
 extern const wchar_t kRegMdmSupportsMultiUser[];
@@ -76,13 +76,13 @@ bool NeedsToEnrollWithMdm();
 // to a valid URL. Returns false otherwise.
 bool MdmEnrollmentEnabled();
-// Checks whether the |kRegMdmEscrowServiceServerUrl| is not empty on this
+// Checks whether the |kRegEscrowServiceServerUrl| is not empty on this
 // machine.
-bool MdmPasswordRecoveryEnabled();
+bool PasswordRecoveryEnabled();
 // Gets the escrow service URL as defined in the registry or a default value if
 // nothing is set.
-GURL MdmEscrowServiceUrl();
+GURL EscrowServiceUrl();
 // Enrolls the machine to with the Google MDM server if not already.
 HRESULT EnrollToGoogleMdmIfNeeded(const base::Value& properties);

--- a/chrome/credential_provider/gaiacp/password_recovery_manager.cc
+++ b/chrome/credential_provider/gaiacp/password_recovery_manager.cc
@@ -666,7 +666,7 @@ HRESULT PasswordRecoveryManager::StoreWindowsPasswordIfNeeded(
    const base::string16& sid,
    const std::string& access_token,
    const base::string16& password) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
    return E_NOTIMPL;
  base::string16 machine_guid;
@@ -730,7 +730,7 @@ HRESULT PasswordRecoveryManager::RecoverWindowsPasswordIfPossible(
    const base::string16& sid,
    const std::string& access_token,
    base::string16* recovered_password) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
    return E_NOTIMPL;
  DCHECK(recovered_password);
@@ -778,10 +778,10 @@ HRESULT PasswordRecoveryManager::RecoverWindowsPasswordIfPossible(
 }
 GURL PasswordRecoveryManager::GetEscrowServiceGenerateKeyPairUrl() {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
    return GURL();
-  GURL escrow_service_server = MdmEscrowServiceUrl();
+  GURL escrow_service_server = EscrowServiceUrl();
  if (escrow_service_server.is_empty()) {
    LOGFN(ERROR) << "No escrow service server specified";
@@ -793,10 +793,10 @@ GURL PasswordRecoveryManager::GetEscrowServiceGenerateKeyPairUrl() {
 GURL PasswordRecoveryManager::GetEscrowServiceGetPrivateKeyUrl(
    const std::string& resource_id) {
-  if (!MdmPasswordRecoveryEnabled())
+  if (!PasswordRecoveryEnabled())
    return GURL();
-  GURL escrow_service_server = MdmEscrowServiceUrl();
+  GURL escrow_service_server = EscrowServiceUrl();
  if (escrow_service_server.is_empty()) {
    LOGFN(ERROR) << "No escrow service server specified";

--- a/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc
+++ b/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc
@@ -191,7 +191,7 @@ TEST_P(GcpReauthCredentialEnforceAuthReasonGetStringValueTest, FidDescription) {
  const bool is_stale_login = std::get<2>(GetParam());
  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmUrl, L"https://mdm.com"));
-  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegMdmEscrowServiceServerUrl,
+  ASSERT_EQ(S_OK, SetGlobalFlagForTesting(kRegEscrowServiceServerUrl,
                                          L"https://escrow.com"));
  GoogleMdmEnrolledStatusForTesting forced_enrolled_status(enrolled_mdm);

--- a/chrome/credential_provider/test/gcp_fakes.cc
+++ b/chrome/credential_provider/test/gcp_fakes.cc
@@ -53,7 +53,7 @@ void InitializeRegistryOverrideForTesting(
  ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmUrl, L""));
  ASSERT_EQ(ERROR_SUCCESS,
            SetMachineGuidForTesting(L"f418a124-4d92-469b-afa5-0f8af537b965"));
-  ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegMdmEscrowServiceServerUrl, L""));
+  ASSERT_EQ(ERROR_SUCCESS, key.WriteValue(kRegEscrowServiceServerUrl, L""));
 }
 ///////////////////////////////////////////////////////////////////////////////