Setup Sync to use OAuth token for managed users.

BUG=226464

Review URL: https://chromiumcodereview.appspot.com/15780020

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@207501 0039d316-1c4b-4281-b951-d872f2087c98

12 files changed, 222 insertions, 52 deletions

diff --git a/chrome/browser/managed_mode/managed_user_refresh_token_fetcher.cc b/chrome/browser/managed_mode/managed_user_refresh_token_fetcher.cc
index de1a0fa..b15f051 100644
--- a/chrome/browser/managed_mode/managed_user_refresh_token_fetcher.cc
+++ b/chrome/browser/managed_mode/managed_user_refresh_token_fetcher.cc
@@ -12,6 +12,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "chrome/browser/signin/oauth2_token_service.h"
+#include "google_apis/gaia/gaia_constants.h"
 #include "google_apis/gaia/gaia_oauth_client.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "google_apis/gaia/google_service_auth_error.h"
@@ -25,6 +26,7 @@
 
 using base::Time;
 using gaia::GaiaOAuthClient;
+using GaiaConstants::kChromeSyncManagedOAuth2Scope;
 using net::URLFetcher;
 using net::URLFetcherDelegate;
 using net::URLRequestContextGetter;
@@ -33,9 +35,6 @@ namespace {
 
 const int kNumRetries = 1;
 
-static const char kChromeSyncManagedScope[] =
-    "https://www.googleapis.com/auth/chromesync_playpen";
-
 static const char kIssueTokenBodyFormat[] =
     "client_id=%s"
     "&scope=%s"
@@ -161,7 +160,7 @@ void ManagedUserRefreshTokenFetcherImpl::OnGetTokenSuccess(
       kIssueTokenBodyFormat,
       net::EscapeUrlEncodedData(
           GaiaUrls::GetInstance()->oauth2_chrome_client_id(), true).c_str(),
-      net::EscapeUrlEncodedData(kChromeSyncManagedScope, true).c_str(),
+      net::EscapeUrlEncodedData(kChromeSyncManagedOAuth2Scope, true).c_str(),
       net::EscapeUrlEncodedData(managed_user_id_, true).c_str(),
       net::EscapeUrlEncodedData(UTF16ToUTF8(name_), true).c_str(),
       net::EscapeUrlEncodedData(device_name_, true).c_str());
diff --git a/chrome/browser/managed_mode/managed_user_service.cc b/chrome/browser/managed_mode/managed_user_service.cc
index 7ad603a..7601ddd 100644
--- a/chrome/browser/managed_mode/managed_user_service.cc
+++ b/chrome/browser/managed_mode/managed_user_service.cc
@@ -139,10 +139,21 @@ void ManagedUserService::URLFilterContext::SetManualURLs(
 ManagedUserService::ManagedUserService(Profile* profile)
     : weak_ptr_factory_(this),
       profile_(profile),
-      elevated_for_testing_(false) {}
+      waiting_for_sync_initialization_(false),
+      elevated_for_testing_(false) {
+}
 
 ManagedUserService::~ManagedUserService() {}
 
+void ManagedUserService::Shutdown() {
+  if (!waiting_for_sync_initialization_)
+    return;
+
+  ProfileSyncService* sync_service =
+        ProfileSyncServiceFactory::GetForProfile(profile_);
+  sync_service->RemoveObserver(this);
+}
+
 bool ManagedUserService::ProfileIsManaged() const {
   return ProfileIsManaged(profile_);
 }
@@ -269,6 +280,21 @@ bool ManagedUserService::UserMayModifySettings(
       extension ? extension->id() : std::string(), error);
 }
 
+void ManagedUserService::OnStateChanged() {
+  ProfileSyncService* service =
+      ProfileSyncServiceFactory::GetForProfile(profile_);
+  if (waiting_for_sync_initialization_ && service->sync_initialized()) {
+    SetupSync();
+    service->RemoveObserver(this);
+    waiting_for_sync_initialization_ = false;
+    return;
+  }
+
+  DLOG_IF(ERROR, service->GetAuthError().state() ==
+                     GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS)
+      << "Credentials rejected";
+}
+
 void ManagedUserService::Observe(int type,
                           const content::NotificationSource& source,
                           const content::NotificationDetails& details) {
@@ -296,6 +322,21 @@ void ManagedUserService::Observe(int type,
   }
 }
 
+void ManagedUserService::SetupSync() {
+  ProfileSyncService* service =
+      ProfileSyncServiceFactory::GetForProfile(profile_);
+  DCHECK(service->sync_initialized());
+
+  bool sync_everything = false;
+  syncer::ModelTypeSet synced_datatypes;
+  synced_datatypes.Put(syncer::MANAGED_USER_SETTINGS);
+  service->OnUserChoseDatatypes(sync_everything, synced_datatypes);
+
+  // Notify ProfileSyncService that we are done with configuration.
+  service->SetSetupInProgress(false);
+  service->SetSyncSetupCompleted();
+}
+
 bool ManagedUserService::ExtensionManagementPolicyImpl(
     const std::string& extension_id,
     string16* error) const {
@@ -413,25 +454,24 @@ void ManagedUserService::InitForTesting() {
   Init();
 }
 
-void ManagedUserService::InitSync(const std::string& sync_token) {
+void ManagedUserService::InitSync(const std::string& refresh_token) {
   ProfileSyncService* service =
       ProfileSyncServiceFactory::GetForProfile(profile_);
-  DCHECK(!service->sync_initialized());
   // Tell the sync service that setup is in progress so we don't start syncing
   // until we've finished configuration.
   service->SetSetupInProgress(true);
 
   TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
-  token_service->AddAuthTokenManually(GaiaConstants::kSyncService, sync_token);
-
-  bool sync_everything = false;
-  syncer::ModelTypeSet synced_datatypes;
-  synced_datatypes.Put(syncer::MANAGED_USER_SETTINGS);
-  service->OnUserChoseDatatypes(sync_everything, synced_datatypes);
-
-  // Notify ProfileSyncService that we are done with configuration.
-  service->SetSetupInProgress(false);
-  service->SetSyncSetupCompleted();
+  token_service->UpdateCredentialsWithOAuth2(
+      GaiaAuthConsumer::ClientOAuthResult(refresh_token, std::string(), 0));
+
+  // Continue in SetupSync() once the Sync backend has been initialized.
+  if (service->sync_initialized()) {
+    SetupSync();
+  } else {
+    ProfileSyncServiceFactory::GetForProfile(profile_)->AddObserver(this);
+    waiting_for_sync_initialization_ = true;
+  }
 }
 
 // static
@@ -454,6 +494,11 @@ void ManagedUserService::Init() {
         command_line->GetSwitchValueASCII(switches::kManagedUserSyncToken));
   }
 
+  // TokenService only loads tokens automatically if we're signed in, so we have
+  // to nudge it ourselves.
+  TokenService* token_service = TokenServiceFactory::GetForProfile(profile_);
+  token_service->LoadTokensFromDB();
+
   extensions::ExtensionSystem* extension_system =
       extensions::ExtensionSystem::Get(profile_);
   extensions::ManagementPolicy* management_policy =
diff --git a/chrome/browser/managed_mode/managed_user_service.h b/chrome/browser/managed_mode/managed_user_service.h
index 43677d9..a82a2ec 100644
--- a/chrome/browser/managed_mode/managed_user_service.h
+++ b/chrome/browser/managed_mode/managed_user_service.h
@@ -14,6 +14,7 @@
 #include "chrome/browser/extensions/management_policy.h"
 #include "chrome/browser/managed_mode/managed_mode_url_filter.h"
 #include "chrome/browser/profiles/profile_manager.h"
+#include "chrome/browser/sync/profile_sync_service_observer.h"
 #include "components/browser_context_keyed_service/browser_context_keyed_service.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_registrar.h"
@@ -39,6 +40,7 @@ class PrefRegistrySyncable;
 // manual whitelist/blacklist overrides).
 class ManagedUserService : public BrowserContextKeyedService,
                            public extensions::ManagementPolicy::Provider,
+                           public ProfileSyncServiceObserver,
                            public content::NotificationObserver {
  public:
   typedef std::vector<string16> CategoryList;
@@ -52,6 +54,9 @@ class ManagedUserService : public BrowserContextKeyedService,
   explicit ManagedUserService(Profile* profile);
   virtual ~ManagedUserService();
 
+  // ProfileKeyedService override:
+  virtual void Shutdown() OVERRIDE;
+
   bool ProfileIsManaged() const;
 
   // Checks whether the given profile is managed without constructing a
@@ -109,9 +114,9 @@ class ManagedUserService : public BrowserContextKeyedService,
   // Marks the profile as managed and initializes it.
   void InitForTesting();
 
-  // Initializes this profile for syncing, using the provided |token| to
-  // authenticate requests.
-  void InitSync(const std::string& token);
+  // Initializes this profile for syncing, using the provided |refresh_token| to
+  // mint access tokens for Sync.
+  void InitSync(const std::string& refresh_token);
 
   // Convenience method that registers this managed user with
   // |registration_service| and initializes sync with the returned token.
@@ -138,6 +143,9 @@ class ManagedUserService : public BrowserContextKeyedService,
   virtual bool UserMayModifySettings(const extensions::Extension* extension,
                                      string16* error) const OVERRIDE;
 
+  // ProfileSyncServiceObserver implementation:
+  virtual void OnStateChanged() OVERRIDE;
+
   // content::NotificationObserver implementation:
   virtual void Observe(int type,
                        const content::NotificationSource& source,
@@ -181,6 +189,8 @@ class ManagedUserService : public BrowserContextKeyedService,
                                const GoogleServiceAuthError& auth_error,
                                const std::string& token);
 
+  void SetupSync();
+
   // Internal implementation for ExtensionManagementPolicy::Delegate methods.
   // If |error| is not NULL, it will be filled with an error message if the
   // requested extension action (install, modify status, etc.) is not permitted.
@@ -213,6 +223,9 @@ class ManagedUserService : public BrowserContextKeyedService,
   content::NotificationRegistrar registrar_;
   PrefChangeRegistrar pref_change_registrar_;
 
+  // True iff we're waiting for the Sync service to be initialized.
+  bool waiting_for_sync_initialization_;
+
   // Sets a profile in elevated state for testing if set to true.
   bool elevated_for_testing_;
 
diff --git a/chrome/browser/policy/cloud/user_policy_signin_service.cc b/chrome/browser/policy/cloud/user_policy_signin_service.cc
index 46b60ca5..008a26c 100644
--- a/chrome/browser/policy/cloud/user_policy_signin_service.cc
+++ b/chrome/browser/policy/cloud/user_policy_signin_service.cc
@@ -32,6 +32,10 @@
 #include "google_apis/gaia/oauth2_access_token_consumer.h"
 #include "google_apis/gaia/oauth2_access_token_fetcher.h"
 
+#if defined(ENABLE_MANAGED_USERS)
+#include "chrome/browser/managed_mode/managed_user_service.h"
+#endif
+
 namespace em = enterprise_management;
 
 namespace {
@@ -364,6 +368,13 @@ void UserPolicySigninService::Observe(
     return;
   }
 
+#if defined(ENABLE_MANAGED_USERS)
+  if (ManagedUserService::ProfileIsManaged(profile_)) {
+    registrar_.RemoveAll();
+    return;
+  }
+#endif
+
   // If using a TestingProfile with no SigninManager or UserCloudPolicyManager,
   // skip initialization.
   if (!GetManager() || !SigninManagerFactory::GetForProfile(profile_)) {
@@ -399,7 +410,7 @@ void UserPolicySigninService::Observe(
           *(content::Details<const TokenService::TokenAvailableDetails>(
               details).ptr());
       if (token_details.service() ==
-          GaiaConstants::kGaiaOAuth2LoginRefreshToken) {
+              GaiaConstants::kGaiaOAuth2LoginRefreshToken) {
         SigninManager* signin_manager =
             SigninManagerFactory::GetForProfile(profile_);
         std::string username = signin_manager->GetAuthenticatedUsername();
diff --git a/chrome/browser/sync/glue/dummy_invalidator.cc b/chrome/browser/sync/glue/dummy_invalidator.cc
new file mode 100644
index 0000000..4ed0689
--- /dev/null
+++ b/chrome/browser/sync/glue/dummy_invalidator.cc
@@ -0,0 +1,30 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/sync/glue/dummy_invalidator.h"
+
+DummyInvalidator::DummyInvalidator() {}
+DummyInvalidator::~DummyInvalidator() {}
+
+void DummyInvalidator::RegisterHandler(syncer::InvalidationHandler* handler) {}
+
+void DummyInvalidator::UpdateRegisteredIds(
+    syncer::InvalidationHandler* handler,
+    const syncer::ObjectIdSet& ids) {}
+
+void DummyInvalidator::UnregisterHandler(
+    syncer::InvalidationHandler* handler) {}
+
+void DummyInvalidator::Acknowledge(const invalidation::ObjectId& id,
+                                   const syncer::AckHandle& ack_handle) {}
+
+syncer::InvalidatorState DummyInvalidator::GetInvalidatorState() const {
+  return syncer::TRANSIENT_INVALIDATION_ERROR;
+}
+
+void DummyInvalidator::UpdateCredentials(
+    const std::string& email, const std::string& token) {}
+
+void DummyInvalidator::SendInvalidation(
+    const syncer::ObjectIdInvalidationMap& invalidation_map) {}
diff --git a/chrome/browser/sync/glue/dummy_invalidator.h b/chrome/browser/sync/glue/dummy_invalidator.h
new file mode 100644
index 0000000..19c4fca
--- /dev/null
+++ b/chrome/browser/sync/glue/dummy_invalidator.h
@@ -0,0 +1,34 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SYNC_GLUE_DUMMY_INVALIDATOR_H_
+#define CHROME_BROWSER_SYNC_GLUE_DUMMY_INVALIDATOR_H_
+
+#include "sync/notifier/invalidator.h"
+
+// A fake invalidator that does nothing, and stays in a "transient" error state.
+// This is useful for cases where we know that invalidations won't work, but
+// still want to keep Sync running without them
+class DummyInvalidator : public syncer::Invalidator {
+ public:
+  DummyInvalidator();
+  virtual ~DummyInvalidator();
+
+  virtual void RegisterHandler(syncer::InvalidationHandler* handler) OVERRIDE;
+  virtual void UpdateRegisteredIds(syncer::InvalidationHandler* handler,
+                                   const syncer::ObjectIdSet& ids) OVERRIDE;
+  virtual void UnregisterHandler(syncer::InvalidationHandler* handler) OVERRIDE;
+  virtual void Acknowledge(const invalidation::ObjectId& id,
+                           const syncer::AckHandle& ack_handle) OVERRIDE;
+  virtual syncer::InvalidatorState GetInvalidatorState() const OVERRIDE;
+  virtual void UpdateCredentials(
+      const std::string& email, const std::string& token) OVERRIDE;
+  virtual void SendInvalidation(
+      const syncer::ObjectIdInvalidationMap& invalidation_map) OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(DummyInvalidator);
+};
+
+#endif  // CHROME_BROWSER_SYNC_GLUE_DUMMY_INVALIDATOR_H_
diff --git a/chrome/browser/sync/glue/sync_backend_host.cc b/chrome/browser/sync/glue/sync_backend_host.cc
index 907b176..85ac63c 100644
--- a/chrome/browser/sync/glue/sync_backend_host.cc
+++ b/chrome/browser/sync/glue/sync_backend_host.cc
@@ -31,6 +31,7 @@
 #include "chrome/browser/sync/glue/change_processor.h"
 #include "chrome/browser/sync/glue/chrome_encryptor.h"
 #include "chrome/browser/sync/glue/device_info.h"
+#include "chrome/browser/sync/glue/dummy_invalidator.h"
 #include "chrome/browser/sync/glue/sync_backend_registrar.h"
 #include "chrome/browser/sync/glue/synced_device_tracker.h"
 #include "chrome/browser/sync/sync_prefs.h"
@@ -61,6 +62,10 @@
 #include "sync/protocol/sync.pb.h"
 #include "sync/util/nigori.h"
 
+#if defined(ENABLE_MANAGED_USERS)
+#include "chrome/browser/managed_mode/managed_user_service.h"
+#endif
+
 static const int kSaveChangesIntervalSeconds = 10;
 static const base::FilePath::CharType kSyncDataFolderName[] =
     FILE_PATH_LITERAL("Sync Data");
@@ -461,6 +466,12 @@ void SyncBackendHost::Initialize(
         InternalComponentsFactoryImpl::BACKOFF_SHORT_INITIAL_RETRY_OVERRIDE;
   }
 
+  bool create_invalidator = true;
+#if defined(ENABLE_MANAGED_USERS)
+  if (ManagedUserService::ProfileIsManaged(profile_))
+    create_invalidator = false;
+#endif
+
   initialization_state_ = CREATING_SYNC_MANAGER;
   InitCore(DoInitializeOptions(
       sync_thread_.message_loop(),
@@ -483,7 +494,8 @@ void SyncBackendHost::Initialize(
       new InternalComponentsFactoryImpl(factory_switches),
       unrecoverable_error_handler,
       report_unrecoverable_error_function,
-      !cl->HasSwitch(switches::kSyncDisableOAuth2Token)));
+      !cl->HasSwitch(switches::kSyncDisableOAuth2Token),
+      create_invalidator));
 }
 
 void SyncBackendHost::UpdateCredentials(const SyncCredentials& credentials) {
@@ -968,7 +980,8 @@ SyncBackendHost::DoInitializeOptions::DoInitializeOptions(
     syncer::UnrecoverableErrorHandler* unrecoverable_error_handler,
     syncer::ReportUnrecoverableErrorFunction
         report_unrecoverable_error_function,
-    bool use_oauth2_token)
+    bool use_oauth2_token,
+    bool create_invalidator)
     : sync_loop(sync_loop),
       registrar(registrar),
       routing_info(routing_info),
@@ -989,7 +1002,8 @@ SyncBackendHost::DoInitializeOptions::DoInitializeOptions(
       unrecoverable_error_handler(unrecoverable_error_handler),
       report_unrecoverable_error_function(
           report_unrecoverable_error_function),
-      use_oauth2_token(use_oauth2_token) {
+      use_oauth2_token(use_oauth2_token),
+      create_invalidator(create_invalidator) {
 }
 
 SyncBackendHost::DoInitializeOptions::~DoInitializeOptions() {}
@@ -1240,34 +1254,37 @@ void SyncBackendHost::Core::DoInitialize(const DoInitializeOptions& options) {
 
   sync_manager_ = options.sync_manager_factory->CreateSyncManager(name_);
   sync_manager_->AddObserver(this);
-  sync_manager_->Init(
-      sync_data_folder_path_,
-      options.event_handler,
-      options.service_url.host() + options.service_url.path(),
-      options.service_url.EffectiveIntPort(),
-      options.service_url.SchemeIsSecure(),
-      options.make_http_bridge_factory_fn.Run().Pass(),
-      options.workers,
-      options.extensions_activity_monitor,
-      options.registrar /* as SyncManager::ChangeDelegate */,
-      options.credentials,
+  scoped_ptr<syncer::Invalidator> invalidator;
+  if (options.create_invalidator) {
 #if defined(OS_ANDROID)
-      scoped_ptr<syncer::Invalidator>(
-          new AndroidInvalidatorBridgeProxy(
-              options.android_invalidator_bridge)),
+    invalidator.reset(
+        new AndroidInvalidatorBridgeProxy(options.android_invalidator_bridge));
 #else
-      scoped_ptr<syncer::Invalidator>(
-          options.invalidator_factory->CreateInvalidator()),
+    invalidator.reset(options.invalidator_factory->CreateInvalidator());
 #endif
-      options.invalidator_factory->GetInvalidatorClientId(),
-      options.restored_key_for_bootstrapping,
-      options.restored_keystore_key_for_bootstrapping,
-      scoped_ptr<InternalComponentsFactory>(
-          options.internal_components_factory),
-      &encryptor_,
-      options.unrecoverable_error_handler,
-      options.report_unrecoverable_error_function,
-      options.use_oauth2_token);
+  } else {
+    invalidator.reset(new DummyInvalidator());
+  }
+  sync_manager_->Init(sync_data_folder_path_,
+                      options.event_handler,
+                      options.service_url.host() + options.service_url.path(),
+                      options.service_url.EffectiveIntPort(),
+                      options.service_url.SchemeIsSecure(),
+                      options.make_http_bridge_factory_fn.Run().Pass(),
+                      options.workers,
+                      options.extensions_activity_monitor,
+                      options.registrar /* as SyncManager::ChangeDelegate */,
+                      options.credentials,
+                      invalidator.Pass(),
+                      options.invalidator_factory->GetInvalidatorClientId(),
+                      options.restored_key_for_bootstrapping,
+                      options.restored_keystore_key_for_bootstrapping,
+                      scoped_ptr<InternalComponentsFactory>(
+                          options.internal_components_factory),
+                      &encryptor_,
+                      options.unrecoverable_error_handler,
+                      options.report_unrecoverable_error_function,
+                      options.use_oauth2_token);
 
   // |sync_manager_| may end up being NULL here in tests (in
   // synchronous initialization mode).
diff --git a/chrome/browser/sync/glue/sync_backend_host.h b/chrome/browser/sync/glue/sync_backend_host.h
index fa5a46c..2b59d86 100644
--- a/chrome/browser/sync/glue/sync_backend_host.h
+++ b/chrome/browser/sync/glue/sync_backend_host.h
@@ -335,7 +335,8 @@ class SyncBackendHost
         syncer::UnrecoverableErrorHandler* unrecoverable_error_handler,
         syncer::ReportUnrecoverableErrorFunction
             report_unrecoverable_error_function,
-        bool use_oauth2_token);
+        bool use_oauth2_token,
+        bool create_invalidator);
     ~DoInitializeOptions();
 
     base::MessageLoop* sync_loop;
@@ -360,6 +361,7 @@ class SyncBackendHost
     syncer::ReportUnrecoverableErrorFunction
         report_unrecoverable_error_function;
     bool use_oauth2_token;
+    bool create_invalidator;
   };
 
   // Allows tests to perform alternate core initialization work.
diff --git a/chrome/browser/sync/profile_sync_service.cc b/chrome/browser/sync/profile_sync_service.cc
index bbc69cf..31c35d6 100644
--- a/chrome/browser/sync/profile_sync_service.cc
+++ b/chrome/browser/sync/profile_sync_service.cc
@@ -120,6 +120,9 @@ static const char* kOAuth2Scopes[] = {
   GaiaConstants::kGoogleTalkOAuth2Scope
 };
 
+static const char* kManagedOAuth2Scopes[] = {
+  GaiaConstants::kChromeSyncManagedOAuth2Scope
+};
 
 static const char* kSyncUnrecoverableErrorHistogram =
     "Sync.UnrecoverableErrors";
@@ -1923,8 +1926,18 @@ void ProfileSyncService::RequestAccessToken() {
     return;
   request_access_token_retry_timer_.Stop();
   OAuth2TokenService::ScopeSet oauth2_scopes;
-  for (size_t i = 0; i < arraysize(kOAuth2Scopes); i++)
-    oauth2_scopes.insert(kOAuth2Scopes[i]);
+  bool is_managed = false;
+#if defined(ENABLE_MANAGED_USERS)
+  is_managed = ManagedUserService::ProfileIsManaged(profile_);
+#endif
+  if (is_managed) {
+    for (size_t i = 0; i < arraysize(kManagedOAuth2Scopes); i++)
+      oauth2_scopes.insert(kManagedOAuth2Scopes[i]);
+  } else {
+    for (size_t i = 0; i < arraysize(kOAuth2Scopes); i++)
+      oauth2_scopes.insert(kOAuth2Scopes[i]);
+  }
+
   OAuth2TokenService* token_service =
       ProfileOAuth2TokenServiceFactory::GetForProfile(profile_);
   // Invalidate previous token, otherwise token service will return the same
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 96f8f77..8b424c6 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -2021,6 +2021,8 @@
         'browser/sync/glue/data_type_manager_observer.h',
         'browser/sync/glue/device_info.cc',
         'browser/sync/glue/device_info.h',
+        'browser/sync/glue/dummy_invalidator.cc',
+        'browser/sync/glue/dummy_invalidator.h',
         'browser/sync/glue/extension_data_type_controller.cc',
         'browser/sync/glue/extension_data_type_controller.h',
         'browser/sync/glue/extension_setting_data_type_controller.cc',
diff --git a/google_apis/gaia/gaia_constants.cc b/google_apis/gaia/gaia_constants.cc
index fed899a..d1d932f 100644
--- a/google_apis/gaia/gaia_constants.cc
+++ b/google_apis/gaia/gaia_constants.cc
@@ -33,6 +33,9 @@ const char kAnyApiOAuth2Scope[] = "https://www.googleapis.com/auth/any-api";
 // OAuth2 scope for access to Chrome sync APIs
 const char kChromeSyncOAuth2Scope[] =
     "https://www.googleapis.com/auth/chromesync";
+// OAuth2 scope for access to the Chrome Sync APIs for managed profiles.
+const char kChromeSyncManagedOAuth2Scope[] =
+    "https://www.googleapis.com/auth/chromesync_playpen";
 // OAuth2 scope for access to Google Talk APIs (XMPP).
 const char kGoogleTalkOAuth2Scope[] =
     "https://www.googleapis.com/auth/googletalk";
diff --git a/google_apis/gaia/gaia_constants.h b/google_apis/gaia/gaia_constants.h
index ad469c2..72cae74 100644
--- a/google_apis/gaia/gaia_constants.h
+++ b/google_apis/gaia/gaia_constants.h
@@ -21,6 +21,7 @@ extern const char kRemotingService[];
 extern const char kDeviceManagementServiceOAuth[];
 extern const char kAnyApiOAuth2Scope[];
 extern const char kChromeSyncOAuth2Scope[];
+extern const char kChromeSyncManagedOAuth2Scope[];
 extern const char kGoogleTalkOAuth2Scope[];
 extern const char kLSOService[];