
Issue 865969


Issue metadata

Status: Verified
Owner:
Closed: Aug 8
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




authpolicy: Support user affiliation

Project Member Reported by ljusten@chromium.org, Jul 20

Issue description

How it works in the cloud
- void UserCloudPolicyManagerChromeOS::OnStoreLoaded calls
  chromeos::ChromeUserManager::Get()->SetUserAffiliation
- Compares user_affiliation_ids() from user policy to device_affiliation_ids() from device policy.
- If intersection is non-empty --> affiliated!

Master Plan
- Use user account to query device information, if it works --> affiliated!
- In device policy, store some string in PolicyData.device_affiliation_ids, e.g. "ad_affiliation_marker"
- In user policy, if affiliated, store the same, else store nothing
- Update BrowserPolicyConnectorChromeOS::GetDeviceAffiliationIDs() to work for AD
- Call SetUserAffiliation from policy manager

Project Member

Comment 1 by bugdroid1@chromium.org, Aug 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/c03ec0d5497d753f5d28d864452ea93c5a896aa3

commit c03ec0d5497d753f5d28d864452ea93c5a896aa3
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Aug 04 01:43:50 2018

authpolicy: Check user affiliation

Implements the authpolicyd part to make sure that the user affiliation
flag gets set properly in Chrome. This influences some subsystems, e.g.
whether the user can use client certificates stored on the 'system'
token (for a full list, ask pmarko@ :-).

During user policy fetch, checks whether the user domain is affiliated
with the device domain. This is achieved by testing whether the user can
query device information (with net ads search), which requires that the
device domain trusts the user domain.

In the PolicyData, the device affiliation IDs are always set to
{"ad_affiliation_marker"}. If the user is affiliated, its user
affiliation IDs are also set to {"ad_affiliation_marker"}. Otherwise,
they are left empty. In Chrome, a user is considered affiliated if the
intersection between the two sets is non-empty. Thus, this gives the
expected result.

BUG= chromium:865969 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I9d4cd6f963c04014c67f06b4f5292ff1dc2d9dcd
Reviewed-on: https://chromium-review.googlesource.com/1145380
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/authpolicy.h
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/stub_common.h
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/samba_interface.cc
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/samba_interface.h
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/stub_common.cc
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/samba_helper.h
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/samba_helper.cc
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/authpolicy.cc
[modify] https://crrev.com/c03ec0d5497d753f5d28d864452ea93c5a896aa3/authpolicy/stub_net_main.cc
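The affiliation rule that the issue description and this commit message both describe, as an added C++ example that is not code from authpolicyd or Chrome: the marker string is the one named in the thread, while the function names and the `device_query_succeeded` flag (standing in for the outcome of the `net ads search` device-info query) are assumptions.

```cpp
#include <algorithm>
#include <iterator>
#include <set>
#include <string>

// Constructed example; not code from authpolicyd or Chrome.
// Marker value named in the bug thread.
const char kAdAffiliationMarker[] = "ad_affiliation_marker";

// Cloud rule from the issue description: a user is affiliated with the
// device iff user_affiliation_ids and device_affiliation_ids intersect.
bool IsAffiliated(const std::set<std::string>& user_ids,
                  const std::set<std::string>& device_ids) {
  std::set<std::string> common;  // std::set is ordered, so set_intersection applies
  std::set_intersection(user_ids.begin(), user_ids.end(),
                        device_ids.begin(), device_ids.end(),
                        std::inserter(common, common.begin()));
  return !common.empty();
}

// AD mapping from the commit message: device affiliation IDs are always
// {marker}; user affiliation IDs are {marker} only when the user account
// could query device information, and empty otherwise.
std::set<std::string> AdDeviceAffiliationIds() {
  return {kAdAffiliationMarker};
}

std::set<std::string> AdUserAffiliationIds(bool device_query_succeeded) {
  if (device_query_succeeded)  // assumed flag: result of the device-info query
    return {kAdAffiliationMarker};
  return {};
}

// End-to-end: feeding the AD sets through the unchanged cloud rule yields
// "affiliated" exactly when the device-info query succeeded.
bool IsAdUserAffiliated(bool device_query_succeeded) {
  return IsAffiliated(AdUserAffiliationIds(device_query_succeeded),
                      AdDeviceAffiliationIds());
}
```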

Project Member

Comment 2 by bugdroid1@chromium.org, Aug 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197

commit 3052ff16f0ab6eb868220b0ab1d72bfc35bcd197
Author: Lutz Justen <ljusten@chromium.org>
Date: Wed Aug 08 12:34:28 2018

Hook up user affiliation for AD managed devices

Refactors BrowserPolicyConnectorChromeOS a bit, so that a few methods,
in particular GetDeviceAffiliationIDs(), work for Active Directory
managed devices as well.

Adds code to UserActiveDirectoryPolicyManager, so that it sends user
affiliation IDs to ChromeUserManager.

Together, these two changes make sure user affiliation gets handled
properly for Active Directory managed devices.

BUG= chromium:865969 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: Ib9e2c844e1da52c5e70e6079d5b67848b1b396ad
Reviewed-on: https://chromium-review.googlesource.com/1145319
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Toni Barzic <tbarzic@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581531}
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/login/active_directory_login_browsertest.cc
[add] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/login/active_directory_test_helper.cc
[add] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/login/active_directory_test_helper.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/login/login_browsertest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/login/saml/saml_browsertest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/active_directory_policy_manager.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/active_directory_policy_manager.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/affiliation_test_helper.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/affiliation_test_helper.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/device_policy_cros_browser_test.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/device_policy_cros_browser_test.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/unaffiliated_arc_allowed_browsertest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/chromeos/policy/user_affiliation_browsertest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_apitest.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/browser/extensions/api/platform_keys/platform_keys_test_base.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chrome/test/BUILD.gn
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chromeos/dbus/fake_auth_policy_client.h
[modify] https://crrev.com/3052ff16f0ab6eb868220b0ab1d72bfc35bcd197/chromeos/dbus/fake_session_manager_client.cc

Status: Fixed (was: Started)
Test instructions:

- Set up a Chromad device.
- In AD, set UnaffiliatedArcAllowed device policy to disabled/false and make sure it applies on the Chromad device.
- Log in with an affiliated user (e.g. one from the same AD domain as the machine has been joined to). You should see the Play Store icon. Also, /var/log/authpolicy.log should say "User is affiliated".
- Log in with an unaffiliated user (e.g. one from any other AD domain, PM me for credentials). You should NOT see the Play Store icon. Also, /var/log/authpolicy.log should say "User is not affiliated".
Status: Verified (was: Fixed)
Verified fixed, when UnaffiliatedArcAllowed device policy is set to disabled/false, there is no Play Store icon for unaffiliated user (from other AD domain).

If UnaffiliatedArcAllowed device policy is set to enabled/true, Play Store icon is present for unaffiliated user.

Also attached authpolicy.log with "User is affiliated"/"User is not affiliated" messages.
Attachment: authpolicy.log (16.8 KB)
Chrome OS: 10975.0.0
Chrome: 70.0.3524.2
Device: Santa
Project Member

Comment 6 by bugdroid1@chromium.org, Aug 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4890026c787b7c2b6d3818e8b59878ddd7207c3e

commit 4890026c787b7c2b6d3818e8b59878ddd7207c3e
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Aug 24 07:01:56 2018

Clean up affiliation test helper

Changes affiliation test helper from a bunch of static methods to a
class with two factory methods, one for cloud management, the other for
Active Directory management. The former implementation was a bit hand-
waving ("pass the same session manager instance into the two
Set*AffiliationIDs functions", "you don't need fake_auth_policy_client
for non-AD accounts"). The class is much cleaner. Internally, it doesn't
rely on side effects ("we're probably in AD mode if the auth policy
client has been started").

BUG= chromium:865969 
TEST=tryjobs

Change-Id: I4ba5e0f9e4b410532cd098cd5ae73f2156a58c83
Reviewed-on: https://chromium-review.googlesource.com/1168496
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585733}
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/chromeos/login/saml/saml_browsertest.cc
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/chromeos/policy/affiliation_test_helper.cc
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/chromeos/policy/affiliation_test_helper.h
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/chromeos/policy/unaffiliated_arc_allowed_browsertest.cc
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/chromeos/policy/user_affiliation_browsertest.cc
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_apitest.cc
[modify] https://crrev.com/4890026c787b7c2b6d3818e8b59878ddd7207c3e/chrome/browser/extensions/api/platform_keys/platform_keys_test_base.cc
