No longer start up profile if there was an error fetching policy.

Changed UserCloudPolicyManagerChromeOS to no longer complete profile
initialization if there is an error fetching policy. Instead, we shutdown the
user and force a policy load the next time we try to startup that user.

BUG=532317
TBR=vitalybuka

Review URL: https://codereview.chromium.org/1608533002

Cr-Commit-Position: refs/heads/master@{#376484}

18 files changed, 214 insertions, 35 deletions

diff --git a/chrome/browser/chromeos/login/easy_unlock/bootstrap_browsertest.cc b/chrome/browser/chromeos/login/easy_unlock/bootstrap_browsertest.cc
index bc5a9b1..73d194d 100644
--- a/chrome/browser/chromeos/login/easy_unlock/bootstrap_browsertest.cc
+++ b/chrome/browser/chromeos/login/easy_unlock/bootstrap_browsertest.cc
@@ -28,7 +28,7 @@ namespace chromeos {
 namespace {
 
 const char kFakeGaiaId[] = "123456";
-const char kFakeUser[] = "test_user@example.com";
+const char kFakeUser[] = "test_user@consumer.example.com";
 const char kFakeSid[] = "fake-sid";
 const char kFakeLsid[] = "fake-lsid";
 const char kFakeRefreshToken[] = "fake-refresh-token";
diff --git a/chrome/browser/chromeos/login/saml/saml_browsertest.cc b/chrome/browser/chromeos/login/saml/saml_browsertest.cc
index 0e96325..c98c806 100644
--- a/chrome/browser/chromeos/login/saml/saml_browsertest.cc
+++ b/chrome/browser/chromeos/login/saml/saml_browsertest.cc
@@ -317,6 +317,8 @@ class SamlTest : public OobeBaseTest {
 
   void SetUpCommandLine(base::CommandLine* command_line) override {
     command_line->AppendSwitch(switches::kOobeSkipPostLogin);
+    command_line->AppendSwitch(
+        chromeos::switches::kAllowFailedPolicyFetchForTest);
 
     const GURL gaia_url = gaia_https_forwarder_.GetURLForSSLHost("");
     const GURL saml_idp_url = saml_https_forwarder_.GetURLForSSLHost("SAML");
diff --git a/chrome/browser/chromeos/login/users/avatar/user_image_manager_browsertest.cc b/chrome/browser/chromeos/login/users/avatar/user_image_manager_browsertest.cc
index a08a650..44a3bd79 100644
--- a/chrome/browser/chromeos/login/users/avatar/user_image_manager_browsertest.cc
+++ b/chrome/browser/chromeos/login/users/avatar/user_image_manager_browsertest.cc
@@ -8,6 +8,7 @@
 #include <string>
 #include <vector>
 
+#include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
@@ -44,6 +45,7 @@
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/testing_browser_process.h"
 #include "chromeos/chromeos_paths.h"
+#include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/fake_session_manager_client.h"
@@ -117,6 +119,16 @@ class UserImageManagerTest : public LoginManagerTest,
     ASSERT_TRUE(PathService::Get(chrome::DIR_USER_DATA, &user_data_dir_));
   }
 
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    LoginManagerTest::SetUpCommandLine(command_line);
+    // These tests create new users and then inject policy after the fact,
+    // to avoid having to set up a mock policy server. UserCloudPolicyManager
+    // will shut down the profile if there's an error loading the initial
+    // policy, so disable this behavior so we can inject policy directly.
+    command_line->AppendSwitch(
+        chromeos::switches::kAllowFailedPolicyFetchForTest);
+  }
+
   void SetUpOnMainThread() override {
     LoginManagerTest::SetUpOnMainThread();
     local_state_ = g_browser_process->local_state();
diff --git a/chrome/browser/chromeos/login/users/wallpaper/wallpaper_manager_policy_browsertest.cc b/chrome/browser/chromeos/login/users/wallpaper/wallpaper_manager_policy_browsertest.cc
index 52e43cf..9e6c82e 100644
--- a/chrome/browser/chromeos/login/users/wallpaper/wallpaper_manager_policy_browsertest.cc
+++ b/chrome/browser/chromeos/login/users/wallpaper/wallpaper_manager_policy_browsertest.cc
@@ -184,6 +184,10 @@ class WallpaperManagerPolicyTest
     command_line->AppendSwitch(switches::kLoginManager);
     command_line->AppendSwitch(switches::kForceLoginManagerInTests);
 
+    // Allow policy fetches to fail - these tests instead invoke InjectPolicy()
+    // to directly inject and modify policy dynamically.
+    command_line->AppendSwitch(switches::kAllowFailedPolicyFetchForTest);
+
     LoginManagerTest::SetUpCommandLine(command_line);
   }
 
diff --git a/chrome/browser/chromeos/policy/affiliation_test_helper.cc b/chrome/browser/chromeos/policy/affiliation_test_helper.cc
index 9a30986..acdba14 100644
--- a/chrome/browser/chromeos/policy/affiliation_test_helper.cc
+++ b/chrome/browser/chromeos/policy/affiliation_test_helper.cc
@@ -133,6 +133,11 @@ void LoginUser(const std::string& user_id) {
 void AppendCommandLineSwitchesForLoginManager(base::CommandLine* command_line) {
   command_line->AppendSwitch(chromeos::switches::kLoginManager);
   command_line->AppendSwitch(chromeos::switches::kForceLoginManagerInTests);
+  // LoginManager tests typically don't stand up a policy test server but
+  // instead inject policies directly through a SessionManagerClient. So allow
+  // policy fetches to fail - this is expected.
+  command_line->AppendSwitch(
+      chromeos::switches::kAllowFailedPolicyFetchForTest);
 }
 
 }  // namespace affiliation_test_helper
diff --git a/chrome/browser/chromeos/policy/blocking_login_browsertest.cc b/chrome/browser/chromeos/policy/blocking_login_browsertest.cc
index a57f3ac..651a926 100644
--- a/chrome/browser/chromeos/policy/blocking_login_browsertest.cc
+++ b/chrome/browser/chromeos/policy/blocking_login_browsertest.cc
@@ -81,6 +81,11 @@ struct BlockingLoginTestParam {
   const bool enroll_device;
 };
 
+// TODO(atwilson): This test is completely broken - it originally was built
+// when we made an entirely different set of network calls on startup. As a
+// result it generates random failures in startup network requests, then waits
+// to see if the profile finishes loading which is not at all what it is
+// intended to test. We need to fix this test or remove it (crbug.com/580537).
 class BlockingLoginTest
     : public OobeBaseTest,
       public content::NotificationObserver,
@@ -95,6 +100,9 @@ class BlockingLoginTest
     command_line->AppendSwitchASCII(
         policy::switches::kDeviceManagementUrl,
         embedded_test_server()->GetURL("/device_management").spec());
+
+    command_line->AppendSwitch(
+        chromeos::switches::kAllowFailedPolicyFetchForTest);
   }
 
   void SetUpOnMainThread() override {
diff --git a/chrome/browser/chromeos/policy/login_policy_test_base.h b/chrome/browser/chromeos/policy/login_policy_test_base.h
index 4c44441..76d836e 100644
--- a/chrome/browser/chromeos/policy/login_policy_test_base.h
+++ b/chrome/browser/chromeos/policy/login_policy_test_base.h
@@ -34,6 +34,10 @@ class LoginPolicyTestBase : public chromeos::OobeBaseTest {
   virtual void GetMandatoryPoliciesValue(base::DictionaryValue* policy) const;
   virtual void GetRecommendedPoliciesValue(base::DictionaryValue* policy) const;
 
+  UserPolicyTestHelper* user_policy_helper() {
+    return user_policy_helper_.get();
+  }
+
   void SkipToLoginScreen();
   void LogIn(const std::string& user_id, const std::string& password);
 
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
index 7e3610c..8fa1b39 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
@@ -9,6 +9,7 @@
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
+#include "base/command_line.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
@@ -24,6 +25,7 @@
 #include "chrome/browser/chromeos/policy/wildcard_login_checker.h"
 #include "chrome/browser/lifetime/application_lifetime.h"
 #include "chrome/common/chrome_content_client.h"
+#include "chromeos/chromeos_switches.h"
 #include "components/policy/core/common/cloud/cloud_external_data_manager.h"
 #include "components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h"
 #include "components/policy/core/common/cloud/device_management_service.h"
@@ -31,6 +33,7 @@
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/core/common/policy_pref_names.h"
 #include "components/policy/core/common/policy_types.h"
+#include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "policy/policy_constants.h"
@@ -99,7 +102,15 @@ UserCloudPolicyManagerChromeOS::UserCloudPolicyManagerChromeOS(
       wait_for_policy_fetch_(wait_for_policy_fetch),
       policy_fetch_timeout_(false, false) {
   time_init_started_ = base::Time::Now();
-  if (wait_for_policy_fetch_ && !initial_policy_fetch_timeout.is_max()) {
+
+  // Caller should pass a non-zero policy_fetch_timeout iff
+  // |wait_for_policy_fetch| is true.
+  DCHECK_NE(wait_for_policy_fetch_, initial_policy_fetch_timeout.is_zero());
+  allow_failed_policy_fetches_ =
+      base::CommandLine::ForCurrentProcess()->HasSwitch(
+          chromeos::switches::kAllowFailedPolicyFetchForTest) ||
+      !initial_policy_fetch_timeout.is_max();
+  if (wait_for_policy_fetch_ && allow_failed_policy_fetches_) {
     policy_fetch_timeout_.Start(
         FROM_HERE,
         initial_policy_fetch_timeout,
@@ -260,7 +271,7 @@ void UserCloudPolicyManagerChromeOS::OnRegistrationStateChanged(
     } else {
       // If the client has switched to not registered, we bail out as this
       // indicates the cloud policy setup flow has been aborted.
-      CancelWaitForPolicyFetch();
+      CancelWaitForPolicyFetch(true);
     }
   }
 }
@@ -272,7 +283,18 @@ void UserCloudPolicyManagerChromeOS::OnClientError(
     UMA_HISTOGRAM_SPARSE_SLOWLY(kUMAInitialFetchClientError,
                                 cloud_policy_client->status());
   }
-  CancelWaitForPolicyFetch();
+  switch (client()->status()) {
+    case DM_STATUS_SUCCESS:
+    case DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED:
+      // If management is not supported for this user, then a registration
+      // error is to be expected.
+      CancelWaitForPolicyFetch(true);
+      break;
+    default:
+      // Unexpected error fetching policy.
+      CancelWaitForPolicyFetch(false);
+      break;
+  }
 }
 
 void UserCloudPolicyManagerChromeOS::OnComponentCloudPolicyUpdated() {
@@ -354,9 +376,6 @@ void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
                        policy_token, std::string(), std::string(),
                        std::string());
   } else {
-    // Failed to get a token, stop waiting and use an empty policy.
-    CancelWaitForPolicyFetch();
-
     UMA_HISTOGRAM_ENUMERATION(kUMAInitialFetchOAuth2Error,
                               error.state(),
                               GoogleServiceAuthError::NUM_STATES);
@@ -366,6 +385,9 @@ void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
       UMA_HISTOGRAM_SPARSE_SLOWLY(kUMAInitialFetchOAuth2NetworkError,
                                   -error.network_error());
     }
+    // Failed to get a token, stop waiting if policy is not required for this
+    // user.
+    CancelWaitForPolicyFetch(false);
   }
 
   token_fetcher_.reset();
@@ -378,23 +400,38 @@ void UserCloudPolicyManagerChromeOS::OnInitialPolicyFetchComplete(
                              now - time_client_registered_);
   UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayTotal,
                              now - time_init_started_);
-  CancelWaitForPolicyFetch();
+  CancelWaitForPolicyFetch(success);
 }
 
 void UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout() {
   if (!wait_for_policy_fetch_)
     return;
-  LOG(WARNING) << "Timed out while waiting for the initial policy fetch. "
-               << "The first session will start without policy.";
-  CancelWaitForPolicyFetch();
+  LOG(WARNING) << "Timed out while waiting for the policy fetch. "
+               << "The session will start with the cached policy.";
+  CancelWaitForPolicyFetch(false);
 }
 
-void UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch() {
+void UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch(bool success) {
   if (!wait_for_policy_fetch_)
     return;
 
-  wait_for_policy_fetch_ = false;
   policy_fetch_timeout_.Stop();
+
+  // If there was an error, and we don't want to allow profile initialization
+  // to go forward after a failed policy fetch, then just return (profile
+  // initialization will not complete).
+  // TODO(atwilson): Add code to retry policy fetching.
+  if (!success && !allow_failed_policy_fetches_) {
+    LOG(ERROR) << "Policy fetch failed for "
+               << user_manager::UserManager::Get()->GetActiveUser()->email()
+               << " - aborting profile initialization";
+    // Need to exit the current user, because we've already started this user's
+    // session.
+    chrome::AttemptUserExit();
+    return;
+  }
+
+  wait_for_policy_fetch_ = false;
   CheckAndPublishPolicy();
   // Now that |wait_for_policy_fetch_| is guaranteed to be false, the scheduler
   // can be started.
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h
index a0eb497..c19588d 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h
@@ -132,8 +132,10 @@ class UserCloudPolicyManagerChromeOS : public CloudPolicyManager,
 
   // Cancels waiting for the policy fetch and flags the
   // ConfigurationPolicyProvider ready (assuming all other initialization tasks
-  // have completed).
-  void CancelWaitForPolicyFetch();
+  // have completed). Pass |true| if policy fetch was successful (either
+  // because policy was successfully fetched, or if DMServer has notified us
+  // that the user is not managed).
+  void CancelWaitForPolicyFetch(bool success);
 
   void StartRefreshSchedulerIfReady();
 
@@ -153,6 +155,11 @@ class UserCloudPolicyManagerChromeOS : public CloudPolicyManager,
   // IsInitializationComplete().
   bool wait_for_policy_fetch_;
 
+  // Whether we should allow policy fetches to fail, or wait forever until they
+  // succeed (typically we won't allow them to fail until we have loaded policy
+  // at least once).
+  bool allow_failed_policy_fetches_;
+
   // A timer that puts a hard limit on the maximum time to wait for the initial
   // policy fetch.
   base::Timer policy_fetch_timeout_;
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_browsertest.cc b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_browsertest.cc
index 6ae59a6..f8d91e7 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_browsertest.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_browsertest.cc
@@ -7,14 +7,54 @@
 
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/run_loop.h"
 #include "base/values.h"
+#include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/chromeos/login/ui/webui_login_display.h"
 #include "chrome/browser/chromeos/policy/login_policy_test_base.h"
+#include "chrome/browser/chromeos/policy/user_policy_test_helper.h"
 #include "chrome/browser/prefs/session_startup_pref.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_list.h"
 #include "chrome/browser/ui/host_desktop.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "components/user_manager/user.h"
+#include "components/user_manager/user_manager.h"
+#include "content/public/browser/notification_observer.h"
+#include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/notification_service.h"
 #include "policy/policy_constants.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+// Helper class that counts the number of notifications of the specified
+// type that have been received.
+class CountNotificationObserver : public content::NotificationObserver {
+ public:
+  CountNotificationObserver(int notification_type_to_count,
+                            const content::NotificationSource& source)
+      : notification_count_(0) {
+    registrar_.Add(this, notification_type_to_count, source);
+  }
+
+  // NotificationObserver:
+  void Observe(int type,
+               const content::NotificationSource& source,
+               const content::NotificationDetails& details) override {
+    // Count the number of notifications seen.
+    notification_count_++;
+  }
+
+  int notification_count() const { return notification_count_; }
+
+ private:
+  int notification_count_;
+  content::NotificationRegistrar registrar_;
+
+  DISALLOW_COPY_AND_ASSIGN(CountNotificationObserver);
+};
+
+}  // namespace
 
 namespace policy {
 
@@ -42,6 +82,12 @@ IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, StartSession) {
   SkipToLoginScreen();
   LogIn(kAccountId, kAccountPassword);
 
+  // User should be marked as having a valid OAuth token.
+  const user_manager::UserManager* const user_manager =
+      user_manager::UserManager::Get();
+  EXPECT_EQ(user_manager::User::OAUTH2_TOKEN_STATUS_VALID,
+            user_manager->GetActiveUser()->oauth_token_status());
+
   // Check that the startup pages specified in policy were opened.
   BrowserList* browser_list = BrowserList::GetInstance();
   EXPECT_EQ(1U, browser_list->size());
@@ -58,4 +104,24 @@ IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, StartSession) {
   }
 }
 
+IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, ErrorLoadingPolicy) {
+  // Delete the policy file - this will cause a 500 error on policy requests.
+  user_policy_helper()->DeletePolicyFile();
+  SkipToLoginScreen();
+  CountNotificationObserver observer(
+      chrome::NOTIFICATION_SESSION_STARTED,
+      content::NotificationService::AllSources());
+  GetLoginDisplay()->ShowSigninScreenForCreds(kAccountId, kAccountPassword);
+  base::RunLoop().Run();
+  // Should not receive a SESSION_STARTED notification.
+  ASSERT_EQ(0, observer.notification_count());
+
+  // User should not be marked as having a valid OAuth token. That way, if we
+  // try to load the user in the future, we will attempt to load policy again.
+  const user_manager::UserManager* user_manager =
+      user_manager::UserManager::Get();
+  EXPECT_NE(user_manager::User::OAUTH2_TOKEN_STATUS_VALID,
+            user_manager->GetActiveUser()->oauth_token_status());
+}
+
 }  // namespace policy
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc
index 3fad89c..7695acf 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.cc
@@ -149,16 +149,35 @@ scoped_ptr<UserCloudPolicyManagerChromeOS>
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   const bool is_browser_restart =
       command_line->HasSwitch(chromeos::switches::kLoginUser);
-  const bool wait_for_initial_policy = !is_browser_restart;
-
-  const base::TimeDelta initial_policy_fetch_timeout =
-      user_manager::UserManager::Get()->IsCurrentUserNew()
-          ? base::TimeDelta::Max()
-          : base::TimeDelta::FromSeconds(kInitialPolicyFetchTimeoutSeconds);
+  const user_manager::UserManager* const user_manager =
+      user_manager::UserManager::Get();
+
+  // We want to block for policy in a few situations: if the user is new, or
+  // if we are forcing an online signin. An online signin will be forced if
+  // there has been a credential error, or if the initial session creation
+  // was not completed (the oauth_token_status is not set to valid by
+  // OAuth2LoginManager until profile creation/session restore is complete).
+  const bool block_forever_for_policy =
+      !user_manager->IsLoggedInAsStub() &&
+      (user_manager->IsCurrentUserNew() ||
+       user_manager->GetActiveUser()->force_online_signin() ||
+       user_manager->GetActiveUser()->oauth_token_status() !=
+           user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
+
+  const bool wait_for_policy_fetch =
+      block_forever_for_policy || !is_browser_restart;
+
+  base::TimeDelta initial_policy_fetch_timeout;
+  if (block_forever_for_policy) {
+    initial_policy_fetch_timeout = base::TimeDelta::Max();
+  } else if (wait_for_policy_fetch) {
+    initial_policy_fetch_timeout =
+        base::TimeDelta::FromSeconds(kInitialPolicyFetchTimeoutSeconds);
+  }
 
   DeviceManagementService* device_management_service =
       connector->device_management_service();
-  if (wait_for_initial_policy)
+  if (wait_for_policy_fetch)
     device_management_service->ScheduleInitialization(0);
 
   base::FilePath profile_dir = profile->GetPath();
@@ -201,7 +220,7 @@ scoped_ptr<UserCloudPolicyManagerChromeOS>
   scoped_ptr<UserCloudPolicyManagerChromeOS> manager(
       new UserCloudPolicyManagerChromeOS(
           std::move(store), std::move(external_data_manager),
-          component_policy_cache_dir, wait_for_initial_policy,
+          component_policy_cache_dir, wait_for_policy_fetch,
           initial_policy_fetch_timeout, base::ThreadTaskRunnerHandle::Get(),
           file_task_runner, io_task_runner));
 
diff --git a/chrome/browser/chromeos/policy/user_policy_test_helper.cc b/chrome/browser/chromeos/policy/user_policy_test_helper.cc
index b439621..5f6d28f 100644
--- a/chrome/browser/chromeos/policy/user_policy_test_helper.cc
+++ b/chrome/browser/chromeos/policy/user_policy_test_helper.cc
@@ -128,6 +128,10 @@ void UserPolicyTestHelper::UpdatePolicy(
   run_loop.Run();
 }
 
+void UserPolicyTestHelper::DeletePolicyFile() {
+  base::DeleteFile(PolicyFilePath(), false);
+}
+
 void UserPolicyTestHelper::WritePolicyFile(
     const base::DictionaryValue& mandatory,
     const base::DictionaryValue& recommended) {
diff --git a/chrome/browser/chromeos/policy/user_policy_test_helper.h b/chrome/browser/chromeos/policy/user_policy_test_helper.h
index 941a067..a59fc91 100644
--- a/chrome/browser/chromeos/policy/user_policy_test_helper.h
+++ b/chrome/browser/chromeos/policy/user_policy_test_helper.h
@@ -49,6 +49,8 @@ class UserPolicyTestHelper {
                     const base::DictionaryValue& recommended_policy,
                     Profile* profile);
 
+  void DeletePolicyFile();
+
  private:
   void WritePolicyFile(const base::DictionaryValue& mandatory,
                        const base::DictionaryValue& recommended);
diff --git a/chrome/browser/policy/test/policy_testserver.py b/chrome/browser/policy/test/policy_testserver.py
index 480124c..c7f933d 100644
--- a/chrome/browser/policy/test/policy_testserver.py
+++ b/chrome/browser/policy/test/policy_testserver.py
@@ -376,6 +376,8 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
       return (403, 'No authorization')
 
     policy = self.server.GetPolicies()
+    if ('managed_users' not in policy):
+      return (500, 'error in config - no managed users')
     username = self.server.ResolveUser(auth)
     if ('*' not in policy['managed_users'] and
         username not in policy['managed_users']):
@@ -990,7 +992,7 @@ class PolicyTestServer(testserver_base.BrokenPipeHandlerMixIn,
         pass
 
   def GetPolicies(self):
-    """Returns the policies to be used, reloaded form the backend file every
+    """Returns the policies to be used, reloaded from the backend file every
        time this is called.
     """
     policy = {}
diff --git a/chrome/browser/ui/webui/local_discovery/local_discovery_ui_browsertest.cc b/chrome/browser/ui/webui/local_discovery/local_discovery_ui_browsertest.cc
index 6289045..a223179 100644
--- a/chrome/browser/ui/webui/local_discovery/local_discovery_ui_browsertest.cc
+++ b/chrome/browser/ui/webui/local_discovery/local_discovery_ui_browsertest.cc
@@ -226,19 +226,19 @@ const char kResponseInfoWithID[] = "{"
 
 const char kResponseRegisterStart[] = "{"
     "     \"action\": \"start\","
-    "     \"user\": \"user@host.com\""
+    "     \"user\": \"user@consumer.example.com\""
     "}";
 
 const char kResponseRegisterClaimTokenNoConfirm[] = "{"
     "    \"action\": \"getClaimToken\","
-    "    \"user\": \"user@host.com\","
+    "    \"user\": \"user@consumer.example.com\","
     "    \"error\": \"pending_user_action\","
     "    \"timeout\": 1"
     "}";
 
 const char kResponseRegisterClaimTokenConfirm[] = "{"
     "    \"action\": \"getClaimToken\","
-    "    \"user\": \"user@host.com\","
+    "    \"user\": \"user@consumer.example.com\","
     "    \"token\": \"MySampleToken\","
     "    \"claim_url\": \"http://someurl.com/\""
     "}";
@@ -247,7 +247,7 @@ const char kResponseCloudPrintConfirm[] = "{ \"success\": true }";
 
 const char kResponseRegisterComplete[] = "{"
     "    \"action\": \"complete\","
-    "    \"user\": \"user@host.com\","
+    "    \"user\": \"user@consumer.example.com\","
     "    \"device_id\": \"my_id\""
     "}";
 
@@ -264,20 +264,22 @@ const char kResponseGaiaId[] = "{"
 const char kURLInfo[] = "http://1.2.3.4:8888/privet/info";
 
 const char kURLRegisterStart[] =
-    "http://1.2.3.4:8888/privet/register?action=start&user=user%40host.com";
+    "http://1.2.3.4:8888/privet/register?action=start&"
+    "user=user%40consumer.example.com";
 
 const char kURLRegisterClaimToken[] =
     "http://1.2.3.4:8888/privet/register?action=getClaimToken&"
-    "user=user%40host.com";
+    "user=user%40consumer.example.com";
 
 const char kURLCloudPrintConfirm[] =
     "https://www.google.com/cloudprint/confirm?token=MySampleToken";
 
 const char kURLRegisterComplete[] =
-    "http://1.2.3.4:8888/privet/register?action=complete&user=user%40host.com";
+    "http://1.2.3.4:8888/privet/register?action=complete&"
+    "user=user%40consumer.example.com";
 
 const char kSampleGaiaId[] = "12345";
-const char kSampleUser[] = "user@host.com";
+const char kSampleUser[] = "user@consumer.example.com";
 
 class TestMessageLoopCondition {
  public:
diff --git a/chromeos/chromeos_switches.cc b/chromeos/chromeos_switches.cc
index 7958d31..b148ac7 100644
--- a/chromeos/chromeos_switches.cc
+++ b/chromeos/chromeos_switches.cc
@@ -12,6 +12,11 @@
 
 namespace chromeos {
 namespace switches {
+// If this flag is passed, failed policy fetches will not cause profile
+// initialization to fail. This is useful for tests because it means that
+// tests don't have to mock out the policy infrastructure.
+const char kAllowFailedPolicyFetchForTest[] =
+    "allow-failed-policy-fetch-for-test";
 
 // Allows remote attestation (RA) in dev mode for testing purpose. Usually RA
 // is disabled in dev mode because it will always fail. However, there are cases
diff --git a/chromeos/chromeos_switches.h b/chromeos/chromeos_switches.h
index b4782ec..87e7a4c 100644
--- a/chromeos/chromeos_switches.h
+++ b/chromeos/chromeos_switches.h
@@ -21,6 +21,7 @@ namespace switches {
 // see chromeos::LoginUtil::GetOffTheRecordCommandLine().)
 
 // Please keep alphabetized.
+CHROMEOS_EXPORT extern const char kAllowFailedPolicyFetchForTest[];
 CHROMEOS_EXPORT extern const char kAllowRAInDevMode[];
 CHROMEOS_EXPORT extern const char kAppOemManifestFile[];
 CHROMEOS_EXPORT extern const char kArtifactsDir[];
diff --git a/components/policy/core/browser/browser_policy_connector.cc b/components/policy/core/browser/browser_policy_connector.cc
index f4908c0..a680fc5 100644
--- a/components/policy/core/browser/browser_policy_connector.cc
+++ b/components/policy/core/browser/browser_policy_connector.cc
@@ -42,9 +42,7 @@ void ReportRegexSuccessMetric(bool success) {
 }
 
 // Regexes that match many of the larger public email providers as we know
-// these users are not from hosted enterprise domains. Keep this list in sync
-// with the EnterpriseDomainRegex enum in histograms.xml (i.e. only add things
-// at the end).
+// these users are not from hosted enterprise domains.
 const wchar_t* const kNonManagedDomainPatterns[] = {
   L"aol\\.com",
   L"googlemail\\.com",
@@ -56,6 +54,7 @@ const wchar_t* const kNonManagedDomainPatterns[] = {
   L"qq\\.com",
   L"yahoo(\\.co|\\.com|)\\.[^.]+",  // yahoo.com, yahoo.co.uk, yahoo.com.tw
   L"yandex\\.ru",
+  L"consumer\\.example\\.com",
 };
 
 // Returns true if |domain| matches the regex |pattern|.