Add error message for domain mismatch on re-enrollment.

This error shows up if the server indicates to the client that
enrollment got rejected due to the device belonging do a different
domain (as indicated by the client-provided state key).

BUG=chromium:357207
TEST=Manual, check that the error message shows up on domain mismatch.
R=asvitkine@chromium.org, dpolukhin@chromium.org, joaodasilva@chromium.org

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=260102

Review URL: https://codereview.chromium.org/214963002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260216 0039d316-1c4b-4281-b951-d872f2087c98

11 files changed, 34 insertions, 2 deletions

diff --git a/build/ios/grit_whitelist.txt b/build/ios/grit_whitelist.txt
index 6583829..666af97 100644
--- a/build/ios/grit_whitelist.txt
+++ b/build/ios/grit_whitelist.txt
@@ -700,6 +700,7 @@ IDS_POLICY_DM_STATUS_SERVICE_ACTIVATION_PENDING
 IDS_POLICY_DM_STATUS_SERVICE_DEPROVISIONED
 IDS_POLICY_DM_STATUS_SERVICE_DEVICE_ID_CONFLICT
 IDS_POLICY_DM_STATUS_SERVICE_DEVICE_NOT_FOUND
+IDS_POLICY_DM_STATUS_SERVICE_DOMAIN_MISMATCH
 IDS_POLICY_DM_STATUS_SERVICE_INVALID_SERIAL_NUMBER
 IDS_POLICY_DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED
 IDS_POLICY_DM_STATUS_SERVICE_MANAGEMENT_TOKEN_INVALID
diff --git a/chrome/app/chromeos_strings.grdp b/chrome/app/chromeos_strings.grdp
index 40d5e94..e2cca2c 100644
--- a/chrome/app/chromeos_strings.grdp
+++ b/chrome/app/chromeos_strings.grdp
@@ -5244,6 +5244,9 @@ All users must sign out to continue.
   <message name="IDS_ENTERPRISE_ENROLLMENT_DEPROVISIONED_ERROR" desc="Error message to show when enrollment fails because the administrator has deprovisioned the device on the server side.">
     This device has been placed into a deprovisioned state by the administrator. To enable it for enrollment, please have your administrator place the device into a pending state.
   </message>
+  <message name="IDS_ENTERPRISE_ENROLLMENT_DOMAIN_MISMATCH_ERROR" desc="Error message shown when the device doesn't belong to the domain the user tried to enroll it to.">
+    This device cannot be enrolled to the domain your account belongs to because the device is marked for management by a different domain.
+  </message>
   <message name="IDS_ENTERPRISE_ENROLLMENT_SCREEN_TITLE" desc="The title on the enterprise enrollment dialog.">
     Enterprise enrollment
   </message>
diff --git a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
index e9f78d5..a4f3f9e 100644
--- a/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
@@ -255,6 +255,9 @@ void EnrollmentScreen::ReportEnrollmentStatus(
         case policy::DM_STATUS_SERVICE_DEPROVISIONED:
           UMAFailure(policy::kMetricEnrollmentDeprovisioned);
           return;
+        case policy::DM_STATUS_SERVICE_DOMAIN_MISMATCH:
+          UMAFailure(policy::kMetricEnrollmentDomainMismatch);
+          return;
       }
       break;
     case policy::EnrollmentStatus::STATUS_REGISTRATION_BAD_MODE:
diff --git a/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc b/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
index 3511638..6af9d52 100644
--- a/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
@@ -239,14 +239,17 @@ void EnrollmentScreenHandler::ShowEnrollmentStatus(
     case policy::EnrollmentStatus::STATUS_REGISTRATION_FAILED:
       // Some special cases for generating a nicer message that's more helpful.
       switch (status.client_status()) {
+        case policy::DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED:
+          ShowError(IDS_ENTERPRISE_ENROLLMENT_ACCOUNT_ERROR, true);
+          break;
         case policy::DM_STATUS_SERVICE_MISSING_LICENSES:
           ShowError(IDS_ENTERPRISE_ENROLLMENT_MISSING_LICENSES_ERROR, true);
           break;
         case policy::DM_STATUS_SERVICE_DEPROVISIONED:
           ShowError(IDS_ENTERPRISE_ENROLLMENT_DEPROVISIONED_ERROR, true);
           break;
-        case policy::DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED:
-          ShowError(IDS_ENTERPRISE_ENROLLMENT_ACCOUNT_ERROR, true);
+        case policy::DM_STATUS_SERVICE_DOMAIN_MISMATCH:
+          ShowError(IDS_ENTERPRISE_ENROLLMENT_DOMAIN_MISMATCH_ERROR, true);
           break;
         default:
           ShowErrorMessage(
diff --git a/components/policy/core/browser/cloud/message_util.cc b/components/policy/core/browser/cloud/message_util.cc
index f394762..ea9f65e 100644
--- a/components/policy/core/browser/cloud/message_util.cc
+++ b/components/policy/core/browser/cloud/message_util.cc
@@ -42,6 +42,8 @@ int GetIDSForDMStatus(DeviceManagementStatus status) {
       return IDS_POLICY_DM_STATUS_SERVICE_MISSING_LICENSES;
     case DM_STATUS_SERVICE_DEPROVISIONED:
       return IDS_POLICY_DM_STATUS_SERVICE_DEPROVISIONED;
+    case DM_STATUS_SERVICE_DOMAIN_MISMATCH:
+      return IDS_POLICY_DM_STATUS_SERVICE_DOMAIN_MISMATCH;
     case DM_STATUS_SERVICE_POLICY_NOT_FOUND:
       return IDS_POLICY_DM_STATUS_SERVICE_POLICY_NOT_FOUND;
   }
diff --git a/components/policy/core/common/cloud/cloud_policy_constants.h b/components/policy/core/common/cloud/cloud_policy_constants.h
index 4f67f45..350cb42 100644
--- a/components/policy/core/common/cloud/cloud_policy_constants.h
+++ b/components/policy/core/common/cloud/cloud_policy_constants.h
@@ -95,6 +95,8 @@ enum DeviceManagementStatus {
   DM_STATUS_SERVICE_MISSING_LICENSES,
   // Service error: The administrator has deprovisioned this client.
   DM_STATUS_SERVICE_DEPROVISIONED,
+  // Service error: Device registration for the wrong domain.
+  DM_STATUS_SERVICE_DOMAIN_MISMATCH,
   // Service error: Policy not found. Error code defined by the DM folks.
   DM_STATUS_SERVICE_POLICY_NOT_FOUND = 902,
 };
diff --git a/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc b/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc
index ad221d1..9bc4a32 100644
--- a/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc
+++ b/components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc
@@ -304,6 +304,7 @@ void CloudPolicyRefreshScheduler::ScheduleRefresh() {
     case DM_STATUS_SERVICE_DEVICE_ID_CONFLICT:
     case DM_STATUS_SERVICE_MISSING_LICENSES:
     case DM_STATUS_SERVICE_DEPROVISIONED:
+    case DM_STATUS_SERVICE_DOMAIN_MISMATCH:
       // Need a re-registration, no use in retrying.
       refresh_callback_.Cancel();
       return;
diff --git a/components/policy/core/common/cloud/device_management_service.cc b/components/policy/core/common/cloud/device_management_service.cc
index 95b9c3c..5d01ff8 100644
--- a/components/policy/core/common/cloud/device_management_service.cc
+++ b/components/policy/core/common/cloud/device_management_service.cc
@@ -41,6 +41,7 @@ const int kMissingLicenses = 402;
 const int kDeviceManagementNotAllowed = 403;
 const int kInvalidURL = 404;  // This error is not coming from the GFE.
 const int kInvalidSerialNumber = 405;
+const int kDomainMismatch = 406;
 const int kDeviceIdConflict = 409;
 const int kDeviceNotFound = 410;
 const int kPendingApproval = 412;
@@ -259,6 +260,9 @@ void DeviceManagementRequestJobImpl::HandleResponse(
     case kInvalidSerialNumber:
       ReportError(DM_STATUS_SERVICE_INVALID_SERIAL_NUMBER);
       return;
+    case kDomainMismatch:
+      ReportError(DM_STATUS_SERVICE_DOMAIN_MISMATCH);
+      return;
     case kDeprovisioned:
       ReportError(DM_STATUS_SERVICE_DEPROVISIONED);
       return;
diff --git a/components/policy/core/common/cloud/enterprise_metrics.h b/components/policy/core/common/cloud/enterprise_metrics.h
index 7d5108e..f3af080 100644
--- a/components/policy/core/common/cloud/enterprise_metrics.h
+++ b/components/policy/core/common/cloud/enterprise_metrics.h
@@ -165,6 +165,8 @@ enum MetricEnrollment {
   kMetricEnrollmentRobotRefreshTokenStoreFailed,
   // Enrollment failed because the administrator has deprovisioned the device.
   kMetricEnrollmentDeprovisioned,
+  // Enrollment failed because the device doesn't belong to the domain.
+  kMetricEnrollmentDomainMismatch,
 
   kMetricEnrollmentSize  // Must be the last.
 };
diff --git a/components/policy_strings.grdp b/components/policy_strings.grdp
index c7a667c..bca17e8 100644
--- a/components/policy_strings.grdp
+++ b/components/policy_strings.grdp
@@ -309,4 +309,12 @@
     </message>
   </if>
 
+  <!-- TODO(mnissler): Move this message up to the other IDS_POLICY_DM_STATUS
+       messages in the file. It's here because there's a problem with the
+       Android build failing component_unittests due to string constant
+       mismatches between the code and the resources. -->
+  <message name="IDS_POLICY_DM_STATUS_SERVICE_DOMAIN_MISMATCH" desc="Message indicating this client cannot be registered with the specified domain.">
+    Domain mismatch
+  </message>
+
 </grit-part>
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 2972396..006e55e 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -31185,6 +31185,9 @@ other types of suffix sets.
   <int value="22" label="Deprovisioned device">
     Enrollment failed because the administrator has deprovisioned the device.
   </int>
+  <int value="23" label="Domain mismatch">
+    Enrollment failed because the device belongs to a different domain.
+  </int>
 </enum>
 
 <enum name="EnterprisePolicies" type="int">