blob: f580fdf5476411b460eb53113719ac8d9d5539a5 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "google_apis/gaia/gaia_auth_fetcher.h"
#include <string>
#include <utility>
#include <vector>
#include "base/bind.h"
#include "base/json/json_reader.h"
#include "base/json/json_writer.h"
#include "base/macros.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/metrics/user_metrics.h"
#include "base/metrics/user_metrics_action.h"
#include "base/process/process.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/system/sys_info.h"
#include "base/values.h"
#include "google_apis/gaia/gaia_auth_consumer.h"
#include "google_apis/gaia/gaia_auth_util.h"
#include "google_apis/gaia/gaia_constants.h"
#include "google_apis/gaia/gaia_urls.h"
#include "google_apis/gaia/google_service_auth_error.h"
#include "google_apis/gaia/oauth2_id_token_decoder.h"
#include "google_apis/gaia/oauth_multilogin_result.h"
#include "net/base/escape.h"
#include "net/base/load_flags.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_status_code.h"
#include "net/http/http_util.h"
#include "net/url_request/url_request_status.h"
#include "services/network/public/cpp/resource_request.h"
#include "services/network/public/cpp/resource_response.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
#include "services/network/public/cpp/simple_url_loader.h"
namespace {
const int kLoadFlagsIgnoreCookies = net::LOAD_DO_NOT_SEND_COOKIES |
net::LOAD_DO_NOT_SAVE_COOKIES;
const size_t kMaxMessageSize = 1024 * 1024; // 1MB
std::unique_ptr<const GaiaAuthConsumer::ClientOAuthResult>
ExtractOAuth2TokenPairResponse(const std::string& data) {
std::unique_ptr<base::Value> value = base::JSONReader::ReadDeprecated(data);
if (!value.get() || value->type() != base::Value::Type::DICTIONARY)
return nullptr;
base::DictionaryValue* dict =
static_cast<base::DictionaryValue*>(value.get());
std::string refresh_token;
std::string access_token;
std::string id_token;
int expires_in_secs;
if (!dict->GetStringWithoutPathExpansion("refresh_token", &refresh_token) ||
!dict->GetStringWithoutPathExpansion("access_token", &access_token) ||
!dict->GetIntegerWithoutPathExpansion("expires_in", &expires_in_secs)) {
return nullptr;
}
// Extract ID token when obtaining refresh token. Do not fail if absent,
// but log to keep track.
if (!dict->GetStringWithoutPathExpansion("id_token", &id_token)) {
LOG(ERROR) << "Missing ID token on refresh token fetch response.";
}
gaia::TokenServiceFlags service_flags = gaia::ParseServiceFlags(id_token);
return std::make_unique<const GaiaAuthConsumer::ClientOAuthResult>(
refresh_token, access_token, expires_in_secs,
service_flags.is_child_account,
service_flags.is_under_advanced_protection);
}
// Parses server responses for token revocation.
GaiaAuthConsumer::TokenRevocationStatus
GetTokenRevocationStatusFromResponseData(const std::string& data,
int response_code) {
if (response_code == net::HTTP_OK)
return GaiaAuthConsumer::TokenRevocationStatus::kSuccess;
if (response_code == net::HTTP_INTERNAL_SERVER_ERROR)
return GaiaAuthConsumer::TokenRevocationStatus::kServerError;
std::unique_ptr<base::Value> value = base::JSONReader::ReadDeprecated(data);
if (!value.get() || value->type() != base::Value::Type::DICTIONARY)
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
base::DictionaryValue* dict =
static_cast<base::DictionaryValue*>(value.get());
std::string error;
if (!dict->GetStringWithoutPathExpansion("error", &error))
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
if (error == "invalid_token")
return GaiaAuthConsumer::TokenRevocationStatus::kInvalidToken;
if (error == "invalid_request")
return GaiaAuthConsumer::TokenRevocationStatus::kInvalidRequest;
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
}
std::string GaiaSourceToString(gaia::GaiaSource source) {
std::string source_string;
switch (source) {
case gaia::GaiaSource::kChrome:
source_string = GaiaConstants::kChromeSource;
break;
case gaia::GaiaSource::kChromeOS:
source_string = GaiaConstants::kChromeOSSource;
break;
case gaia::GaiaSource::kAccountReconcilorDice:
source_string = "ChromiumAccountReconcilorDice";
break;
case gaia::GaiaSource::kAccountReconcilorMirror:
source_string = "ChromiumAccountReconcilor";
break;
case gaia::GaiaSource::kOAuth2LoginVerifier:
source_string = "ChromiumOAuth2LoginVerifier";
break;
case gaia::GaiaSource::kPrimaryAccountManager:
// Even though this string refers to an old name from the Chromium POV, it
// should not be changed as it is passed server-side.
source_string = "ChromiumSigninManager";
break;
}
// All sources should start with Chromium or chromeos for better server logs.
DCHECK(source_string == "chromeos" ||
base::StartsWith(source_string, "Chromium",
base::CompareCase::SENSITIVE));
return source_string;
}
} // namespace
// static
const char GaiaAuthFetcher::kIssueAuthTokenFormat[] =
"SID=%s&"
"LSID=%s&"
"service=%s&"
"Session=%s";
// static
const char GaiaAuthFetcher::kOAuth2CodeToTokenPairBodyFormat[] =
"scope=%s&"
"grant_type=authorization_code&"
"client_id=%s&"
"client_secret=%s&"
"code=%s";
// static
const char GaiaAuthFetcher::kOAuth2CodeToTokenPairDeviceIdParam[] =
"device_id=%s&device_type=chrome";
// static
const char GaiaAuthFetcher::kOAuth2RevokeTokenBodyFormat[] =
"token=%s";
// static
const char GaiaAuthFetcher::kGetUserInfoFormat[] =
"LSID=%s";
// static
const char GaiaAuthFetcher::kMergeSessionFormat[] =
"?uberauth=%s&"
"continue=%s&"
"source=%s";
// static
const char GaiaAuthFetcher::kUberAuthTokenURLFormat[] =
"?source=%s&"
"issueuberauth=1";
const char GaiaAuthFetcher::kOAuthLoginFormat[] = "service=%s&source=%s";
// static
const char GaiaAuthFetcher::kAccountDeletedError[] = "AccountDeleted";
// static
const char GaiaAuthFetcher::kAccountDisabledError[] = "AccountDisabled";
// static
const char GaiaAuthFetcher::kBadAuthenticationError[] = "BadAuthentication";
// static
const char GaiaAuthFetcher::kServiceUnavailableError[] =
"ServiceUnavailable";
// static
const char GaiaAuthFetcher::kErrorParam[] = "Error";
// static
const char GaiaAuthFetcher::kErrorUrlParam[] = "Url";
// static
const char GaiaAuthFetcher::kAuthHeaderFormat[] =
"Authorization: GoogleLogin auth=%s";
// static
const char GaiaAuthFetcher::kOAuthHeaderFormat[] = "Authorization: OAuth %s";
// static
const char GaiaAuthFetcher::kOAuthMultiBearerHeaderFormat[] =
"Authorization: MultiBearer %s";
// static
const char GaiaAuthFetcher::kOAuth2BearerHeaderFormat[] =
"Authorization: Bearer %s";
GaiaAuthFetcher::GaiaAuthFetcher(
GaiaAuthConsumer* consumer,
gaia::GaiaSource source,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory)
: url_loader_factory_(url_loader_factory),
consumer_(consumer),
source_(GaiaSourceToString(source)),
oauth2_token_gurl_(GaiaUrls::GetInstance()->oauth2_token_url()),
oauth2_revoke_gurl_(GaiaUrls::GetInstance()->oauth2_revoke_url()),
get_user_info_gurl_(GaiaUrls::GetInstance()->get_user_info_url()),
merge_session_gurl_(GaiaUrls::GetInstance()->merge_session_url()),
uberauth_token_gurl_(GaiaUrls::GetInstance()->oauth1_login_url().Resolve(
base::StringPrintf(kUberAuthTokenURLFormat, source_.c_str()))),
oauth_login_gurl_(GaiaUrls::GetInstance()->oauth1_login_url()),
oauth_multilogin_gurl_(GaiaUrls::GetInstance()->oauth_multilogin_url()),
list_accounts_gurl_(
GaiaUrls::GetInstance()->ListAccountsURLWithSource(source_)),
logout_gurl_(GaiaUrls::GetInstance()->LogOutURLWithSource(source_)),
get_check_connection_info_url_(
GaiaUrls::GetInstance()->GetCheckConnectionInfoURLWithSource(
source_)) {}
GaiaAuthFetcher::~GaiaAuthFetcher() {}
bool GaiaAuthFetcher::HasPendingFetch() {
return fetch_pending_;
}
void GaiaAuthFetcher::SetPendingFetch(bool pending_fetch) {
fetch_pending_ = pending_fetch;
}
void GaiaAuthFetcher::CancelRequest() {
url_loader_.reset();
original_url_ = GURL();
fetch_pending_ = false;
}
bool GaiaAuthFetcher::IsMultiloginUrl(const GURL& url) {
return base::StartsWith(url.spec(), oauth_multilogin_gurl_.spec(),
base::CompareCase::SENSITIVE);
}
void GaiaAuthFetcher::CreateAndStartGaiaFetcher(
const std::string& body,
const std::string& headers,
const GURL& gaia_gurl,
int load_flags,
const net::NetworkTrafficAnnotationTag& traffic_annotation) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = gaia_gurl;
original_url_ = gaia_gurl;
if (!(load_flags & net::LOAD_DO_NOT_SEND_COOKIES)) {
DCHECK_EQ(GaiaUrls::GetInstance()->gaia_url(), gaia_gurl.GetOrigin())
<< gaia_gurl;
resource_request->site_for_cookies = GaiaUrls::GetInstance()->gaia_url();
}
if (!body.empty())
resource_request->method = "POST";
if (!headers.empty())
resource_request->headers.AddHeadersFromString(headers);
// The Gaia token exchange requests do not require any cookie-based
// identification as part of requests. We suppress sending any cookies to
// maintain a separation between the user's browsing and Chrome's internal
// services. Where such mixing is desired (MergeSession or OAuthLogin), it
// will be done explicitly.
resource_request->load_flags = load_flags;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);
if (!body.empty())
url_loader_->AttachStringForUpload(body,
"application/x-www-form-urlencoded");
url_loader_->SetAllowHttpErrorResults(true);
VLOG(2) << "Gaia fetcher URL: " << gaia_gurl.spec();
VLOG(2) << "Gaia fetcher headers: " << headers;
VLOG(2) << "Gaia fetcher body: " << body;
// Fetchers are sometimes cancelled because a network change was detected,
// especially at startup and after sign-in on ChromeOS. Retrying once should
// be enough in those cases; let the fetcher retry up to 3 times just in case.
// http://crbug.com/163710
url_loader_->SetRetryOptions(
3, network::SimpleURLLoader::RETRY_ON_NETWORK_CHANGE);
fetch_pending_ = true;
// Unretained is OK below as |url_loader_| is owned by this.
url_loader_->DownloadToString(
url_loader_factory_.get(),
base::BindOnce(&GaiaAuthFetcher::OnURLLoadComplete,
base::Unretained(this)),
kMaxMessageSize);
}
// static
std::string GaiaAuthFetcher::MakeIssueAuthTokenBody(
const std::string& sid,
const std::string& lsid,
const char* const service) {
std::string encoded_sid = net::EscapeUrlEncodedData(sid, true);
std::string encoded_lsid = net::EscapeUrlEncodedData(lsid, true);
// All tokens should be session tokens except the gaia auth token.
bool session = true;
if (!strcmp(service, GaiaConstants::kGaiaService))
session = false;
return base::StringPrintf(kIssueAuthTokenFormat,
encoded_sid.c_str(),
encoded_lsid.c_str(),
service,
session ? "true" : "false");
}
// static
std::string GaiaAuthFetcher::MakeGetTokenPairBody(
const std::string& auth_code,
const std::string& device_id) {
std::string encoded_scope = net::EscapeUrlEncodedData(
GaiaConstants::kOAuth1LoginScope, true);
std::string encoded_client_id = net::EscapeUrlEncodedData(
GaiaUrls::GetInstance()->oauth2_chrome_client_id(), true);
std::string encoded_client_secret = net::EscapeUrlEncodedData(
GaiaUrls::GetInstance()->oauth2_chrome_client_secret(), true);
std::string encoded_auth_code = net::EscapeUrlEncodedData(auth_code, true);
std::string body = base::StringPrintf(
kOAuth2CodeToTokenPairBodyFormat, encoded_scope.c_str(),
encoded_client_id.c_str(), encoded_client_secret.c_str(),
encoded_auth_code.c_str());
if (!device_id.empty()) {
body += "&" + base::StringPrintf(kOAuth2CodeToTokenPairDeviceIdParam,
device_id.c_str());
}
return body;
}
// static
std::string GaiaAuthFetcher::MakeRevokeTokenBody(
const std::string& auth_token) {
return base::StringPrintf(kOAuth2RevokeTokenBodyFormat, auth_token.c_str());
}
// static
std::string GaiaAuthFetcher::MakeGetUserInfoBody(const std::string& lsid) {
std::string encoded_lsid = net::EscapeUrlEncodedData(lsid, true);
return base::StringPrintf(kGetUserInfoFormat, encoded_lsid.c_str());
}
// static
std::string GaiaAuthFetcher::MakeMergeSessionQuery(
const std::string& auth_token,
const std::string& external_cc_result,
const std::string& continue_url,
const std::string& source) {
std::string encoded_auth_token = net::EscapeUrlEncodedData(auth_token, true);
std::string encoded_continue_url = net::EscapeUrlEncodedData(continue_url,
true);
std::string encoded_source = net::EscapeUrlEncodedData(source, true);
std::string result = base::StringPrintf(kMergeSessionFormat,
encoded_auth_token.c_str(),
encoded_continue_url.c_str(),
encoded_source.c_str());
if (!external_cc_result.empty()) {
base::StringAppendF(&result, "&externalCcResult=%s",
net::EscapeUrlEncodedData(
external_cc_result, true).c_str());
}
return result;
}
// static
std::string GaiaAuthFetcher::MakeGetAuthCodeHeader(
const std::string& auth_token) {
return base::StringPrintf(kAuthHeaderFormat, auth_token.c_str());
}
// Helper method that extracts tokens from a successful reply.
// static
void GaiaAuthFetcher::ParseClientLoginResponse(const std::string& data,
std::string* sid,
std::string* lsid,
std::string* token) {
using std::vector;
using std::pair;
using std::string;
sid->clear();
lsid->clear();
token->clear();
base::StringPairs tokens;
base::SplitStringIntoKeyValuePairs(data, '=', '\n', &tokens);
for (base::StringPairs::iterator i = tokens.begin();
i != tokens.end(); ++i) {
if (i->first == "SID") {
sid->assign(i->second);
} else if (i->first == "LSID") {
lsid->assign(i->second);
} else if (i->first == "Auth") {
token->assign(i->second);
}
}
// If this was a request for uberauth token, then that's all we've got in
// data.
if (sid->empty() && lsid->empty() && token->empty())
token->assign(data);
}
// static
std::string GaiaAuthFetcher::MakeOAuthLoginBody(const std::string& service,
const std::string& source) {
std::string encoded_service = net::EscapeUrlEncodedData(service, true);
std::string encoded_source = net::EscapeUrlEncodedData(source, true);
return base::StringPrintf(kOAuthLoginFormat,
encoded_service.c_str(),
encoded_source.c_str());
}
// static
void GaiaAuthFetcher::ParseClientLoginFailure(const std::string& data,
std::string* error,
std::string* error_url) {
using std::vector;
using std::pair;
using std::string;
base::StringPairs tokens;
base::SplitStringIntoKeyValuePairs(data, '=', '\n', &tokens);
for (base::StringPairs::iterator i = tokens.begin();
i != tokens.end(); ++i) {
if (i->first == kErrorParam) {
error->assign(i->second);
} else if (i->first == kErrorUrlParam) {
error_url->assign(i->second);
}
}
}
void GaiaAuthFetcher::StartRevokeOAuth2Token(const std::string& auth_token) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting OAuth2 token revocation";
request_body_ = MakeRevokeTokenBody(auth_token);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_revoke_token", R"(
semantics {
sender: "Chrome - Google authentication API"
description: "This request revokes an OAuth 2.0 refresh token."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"an OAuth 2.0 refresh token needs to be revoked."
data: "The OAuth 2.0 refresh token that should be revoked."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_revoke_gurl_,
kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchange(
const std::string& auth_code) {
StartAuthCodeForOAuth2TokenExchangeWithDeviceId(auth_code, std::string());
}
void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
const std::string& auth_code,
const std::string& device_id) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting OAuth token pair fetch";
request_body_ = MakeGetTokenPairBody(auth_code, device_id);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_device_id", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request exchanges an authorization code for an OAuth 2.0 "
"refresh token."
trigger:
"This request is part of Gaia Auth API, and may be triggered at "
"the end of the Chrome sign-in flow."
data:
"The Google console client ID and client secret of the Chrome "
"application, the OAuth 2.0 authorization code, and the ID of the "
"device."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_token_gurl_,
kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartGetUserInfo(const std::string& lsid) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting GetUserInfo for lsid=" << lsid;
request_body_ = MakeGetUserInfoBody(lsid);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_get_user_info", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request fetches user information of a Google account."
trigger:
"This fetcher is only used after signing in with a child account."
data: "The value of the Google authentication LSID cookie."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(request_body_, std::string(), get_user_info_gurl_,
kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartMergeSession(const std::string& uber_token,
const std::string& external_cc_result) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting MergeSession with uber_token=" << uber_token;
// The continue URL is a required parameter of the MergeSession API, but in
// this case we don't actually need or want to navigate to it. Setting it to
// an arbitrary Google URL.
//
// In order for the new session to be merged correctly, the server needs to
// know what sessions already exist in the browser. The fetcher needs to be
// created such that it sends the cookies with the request, which is
// different from all other requests the fetcher can make.
std::string continue_url("http://www.google.com");
std::string query = MakeMergeSessionQuery(uber_token, external_cc_result,
continue_url, source_);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_merge_sessions", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request adds an account to the Google authentication cookies."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"a new Google account is added to the browser."
data:
"This request includes the user-auth token and sometimes a string "
"containing the result of connection checks for various Google web "
"properties."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(std::string(), std::string(),
merge_session_gurl_.Resolve(query),
net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartTokenFetchForUberAuthExchange(
const std::string& access_token,
bool is_bound_to_channel_id) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting StartTokenFetchForUberAuthExchange with access_token="
<< access_token;
std::string authentication_header =
base::StringPrintf(kOAuthHeaderFormat, access_token.c_str());
int load_flags =
is_bound_to_channel_id ? net::LOAD_NORMAL : kLoadFlagsIgnoreCookies;
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_fetch_for_uber", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request exchanges an Oauth2 access token for an uber-auth "
"token. This token may be used to add an account to the Google "
"authentication cookies."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"a new Google account is added to the browser."
data: "This request contains an OAuth 2.0 access token. "
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(std::string(), authentication_header,
uberauth_token_gurl_, load_flags,
traffic_annotation);
}
void GaiaAuthFetcher::StartOAuthLogin(const std::string& access_token,
const std::string& service) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
request_body_ = MakeOAuthLoginBody(service, source_);
std::string authentication_header =
base::StringPrintf(kOAuth2BearerHeaderFormat, access_token.c_str());
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_login", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request exchanges an OAuthLogin-scoped OAuth 2.0 access "
"token for a ClientLogin-style service tokens. The response to "
"this request is the same as the response to a ClientLogin "
"request, except that captcha challenges are never issued."
trigger:
"This request is part of Gaia Auth API, and is triggered after "
"signing in with a child account."
data:
"This request contains an OAuth 2.0 access token and the service "
"for which a ClientLogin-style should be delivered."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(request_body_, authentication_header,
oauth_login_gurl_, net::LOAD_NORMAL,
traffic_annotation);
}
void GaiaAuthFetcher::StartListAccounts() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
list_accounts_system_uptime_ = base::SysInfo::Uptime();
#if !defined(OS_IOS) && !defined(OS_ANDROID)
list_accounts_process_uptime_ =
base::Time::Now() - base::Process::Current().CreationTime();
#endif
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_list_accounts", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to list the accounts in the Google "
"authentication cookies."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"the list of all available accounts in the Google authentication "
"cookies is required."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(" ", // To force an HTTP POST.
"Origin: https://www.google.com",
list_accounts_gurl_, net::LOAD_NORMAL,
traffic_annotation);
}
void GaiaAuthFetcher::StartOAuthMultilogin(
const std::vector<MultiloginTokenIDPair>& accounts,
const std::string& external_cc_result) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
UMA_HISTOGRAM_COUNTS_100("Signin.Multilogin.NumberOfAccounts",
accounts.size());
std::vector<std::string> authorization_header_parts;
for (const MultiloginTokenIDPair& account : accounts) {
authorization_header_parts.push_back(base::StringPrintf(
"%s:%s", account.token_.c_str(), account.gaia_id_.c_str()));
}
std::string authorization_header = base::StringPrintf(
kOAuthMultiBearerHeaderFormat,
base::JoinString(authorization_header_parts, ",").c_str());
std::string source_string = net::EscapeUrlEncodedData(source_, true);
std::string parameters =
external_cc_result.empty()
? base::StringPrintf("?source=%s", source_string.c_str())
: base::StringPrintf(
"?source=%s&externalCcResult=%s", source_string.c_str(),
net::EscapeUrlEncodedData(external_cc_result, true).c_str());
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_multilogin", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to set chrome accounts in browser in the "
"Google authentication cookies for several google websites "
"(e.g. youtube)."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"accounts in cookies are not consistent with accounts in browser."
data:
"This request includes the vector of account ids and auth-login "
"tokens."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(" ", // Non-empty to force a POST
authorization_header,
oauth_multilogin_gurl_.Resolve(parameters),
net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartLogOut() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_log_out", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is part of the Chrome - Google authentication API "
"and allows its callers to sign out all Google accounts from the "
"content area."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"signing out of all Google accounts is required."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(std::string(), std::string(), logout_gurl_,
net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartGetCheckConnectionInfo() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_check_connection_info", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to fetch from the Google authentication "
"server the the list of URLs to check its connection info."
trigger:
"This request is part of Gaia Auth API, and is triggered once "
"after a Google account is added to the browser."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(std::string(), std::string(),
get_check_connection_info_url_,
kLoadFlagsIgnoreCookies, traffic_annotation);
}
// static
GoogleServiceAuthError GaiaAuthFetcher::GenerateAuthError(
const std::string& data,
net::Error net_error) {
if (net_error != net::OK) {
if (net_error == net::ERR_ABORTED) {
return GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED);
}
DLOG(WARNING) << "Could not reach Google Accounts servers: errno "
<< net_error;
return GoogleServiceAuthError::FromConnectionError(net_error);
}
std::string error;
std::string url;
ParseClientLoginFailure(data, &error, &url);
DLOG(WARNING) << "ClientLogin failed with " << error;
if (error == kAccountDeletedError)
return GoogleServiceAuthError(GoogleServiceAuthError::ACCOUNT_DELETED);
if (error == kAccountDisabledError)
return GoogleServiceAuthError(GoogleServiceAuthError::ACCOUNT_DISABLED);
if (error == kBadAuthenticationError) {
return GoogleServiceAuthError(
GoogleServiceAuthError::FromInvalidGaiaCredentialsReason(
GoogleServiceAuthError::InvalidGaiaCredentialsReason::
CREDENTIALS_REJECTED_BY_SERVER));
}
if (error == kServiceUnavailableError) {
return GoogleServiceAuthError(
GoogleServiceAuthError::SERVICE_UNAVAILABLE);
}
DLOG(WARNING) << "Incomprehensible response from Google Accounts servers.";
return GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE);
}
void GaiaAuthFetcher::OnOAuth2TokenPairFetched(const std::string& data,
net::Error net_error,
int response_code) {
std::unique_ptr<const GaiaAuthConsumer::ClientOAuthResult> result;
if (net_error == net::OK && response_code == net::HTTP_OK) {
result = ExtractOAuth2TokenPairResponse(data);
}
if (result) {
consumer_->OnClientOAuthSuccess(*result);
} else {
consumer_->OnClientOAuthFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnOAuth2RevokeTokenFetched(const std::string& data,
net::Error net_error,
int response_code) {
GaiaAuthConsumer::TokenRevocationStatus revocation_status =
GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
switch (net_error) {
case net::OK:
revocation_status =
GetTokenRevocationStatusFromResponseData(data, response_code);
break;
case net::ERR_IO_PENDING:
NOTREACHED();
break;
case net::ERR_ABORTED:
revocation_status =
GaiaAuthConsumer::TokenRevocationStatus::kConnectionCanceled;
break;
default:
revocation_status =
(net_error == net::ERR_TIMED_OUT)
? GaiaAuthConsumer::TokenRevocationStatus::kConnectionTimeout
: GaiaAuthConsumer::TokenRevocationStatus::kConnectionFailed;
break;
}
consumer_->OnOAuth2RevokeTokenCompleted(revocation_status);
}
void GaiaAuthFetcher::OnListAccountsFetched(const std::string& data,
net::Error net_error,
int response_code) {
// Log error rates and details for ListAccounts, for investigation of
// https://crbug.com/876306.
base::UmaHistogramSparse("Gaia.AuthFetcher.ListAccounts.NetErrorCodes",
-net_error);
if (net_error == net::OK) {
UMA_HISTOGRAM_LONG_TIMES(
"Gaia.AuthFetcher.ListAccounts.SystemUptime.Success",
list_accounts_system_uptime_);
#if !defined(OS_IOS) && !defined(OS_ANDROID)
UMA_HISTOGRAM_LONG_TIMES(
"Gaia.AuthFetcher.ListAccounts.ProcessUptime.Success",
list_accounts_process_uptime_);
#endif
} else {
UMA_HISTOGRAM_LONG_TIMES("Gaia.AuthFetcher.ListAccounts.SystemUptime.Error",
list_accounts_system_uptime_);
#if !defined(OS_IOS) && !defined(OS_ANDROID)
UMA_HISTOGRAM_LONG_TIMES(
"Gaia.AuthFetcher.ListAccounts.ProcessUptime.Error",
list_accounts_process_uptime_);
#endif
}
if (net_error == net::OK && response_code == net::HTTP_OK)
consumer_->OnListAccountsSuccess(data);
else
consumer_->OnListAccountsFailure(GenerateAuthError(data, net_error));
}
void GaiaAuthFetcher::OnLogOutFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
consumer_->OnLogOutSuccess();
} else {
consumer_->OnLogOutFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnGetUserInfoFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
base::StringPairs tokens;
UserInfoMap matches;
base::SplitStringIntoKeyValuePairs(data, '=', '\n', &tokens);
base::StringPairs::iterator i;
for (i = tokens.begin(); i != tokens.end(); ++i) {
matches[i->first] = i->second;
}
consumer_->OnGetUserInfoSuccess(matches);
} else {
consumer_->OnGetUserInfoFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnMergeSessionFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
consumer_->OnMergeSessionSuccess(data);
} else {
consumer_->OnMergeSessionFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnUberAuthTokenFetch(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
consumer_->OnUberAuthTokenSuccess(data);
} else {
consumer_->OnUberAuthTokenFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnOAuthLoginFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
VLOG(1) << "ClientLogin successful!";
std::string sid;
std::string lsid;
std::string token;
ParseClientLoginResponse(data, &sid, &lsid, &token);
consumer_->OnClientLoginSuccess(
GaiaAuthConsumer::ClientLoginResult(sid, lsid, token, data));
} else {
consumer_->OnClientLoginFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnGetCheckConnectionInfoFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::Error::OK && response_code == net::HTTP_OK) {
consumer_->OnGetCheckConnectionInfoSuccess(data);
} else {
consumer_->OnGetCheckConnectionInfoError(
GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnOAuthMultiloginFetched(const std::string& data,
net::Error net_error,
int response_code) {
OAuthMultiloginResult result =
(net_error == net::Error::OK)
? OAuthMultiloginResult(data)
: OAuthMultiloginResult(OAuthMultiloginResponseStatus::kRetry);
consumer_->OnOAuthMultiloginFinished(result);
}
void GaiaAuthFetcher::OnURLLoadComplete(
std::unique_ptr<std::string> response_body) {
net::Error net_error = static_cast<net::Error>(url_loader_->NetError());
std::string data = response_body ? std::move(*response_body) : "";
int response_code = 0;
if (url_loader_->ResponseInfo()) {
if (url_loader_->ResponseInfo()->headers)
response_code = url_loader_->ResponseInfo()->headers->response_code();
}
OnURLLoadCompleteInternal(net_error, response_code, data);
}
void GaiaAuthFetcher::OnURLLoadCompleteInternal(
net::Error net_error,
int response_code,
std::string data) {
fetch_pending_ = false;
// Some of the GAIA requests perform redirects, which results in the final URL
// of the fetcher not being the original URL requested. Therefore use the
// original URL when determining which OnXXX function to call.
GURL url = original_url_;
original_url_ = GURL();
DispatchFetchedRequest(url, data, net_error, response_code);
}
void GaiaAuthFetcher::DispatchFetchedRequest(
const GURL& url,
const std::string& data,
net::Error net_error,
int response_code) {
if (url == oauth2_token_gurl_) {
OnOAuth2TokenPairFetched(data, net_error, response_code);
} else if (url == get_user_info_gurl_) {
OnGetUserInfoFetched(data, net_error, response_code);
} else if (base::StartsWith(url.spec(), merge_session_gurl_.spec(),
base::CompareCase::SENSITIVE)) {
OnMergeSessionFetched(data, net_error, response_code);
} else if (url == uberauth_token_gurl_) {
OnUberAuthTokenFetch(data, net_error, response_code);
} else if (url == oauth_login_gurl_) {
OnOAuthLoginFetched(data, net_error, response_code);
} else if (IsMultiloginUrl(url)) {
OnOAuthMultiloginFetched(data, net_error, response_code);
} else if (url == oauth2_revoke_gurl_) {
OnOAuth2RevokeTokenFetched(data, net_error, response_code);
} else if (url == list_accounts_gurl_) {
OnListAccountsFetched(data, net_error, response_code);
} else if (url == logout_gurl_) {
OnLogOutFetched(data, net_error, response_code);
} else if (url == get_check_connection_info_url_) {
OnGetCheckConnectionInfoFetched(data, net_error, response_code);
} else {
NOTREACHED() << "Unknown url: '" << url << "'";
}
}