blob: 77af1ba00d826af7e7a6f09b525a61c73169ae10 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/base/oauth_token_getter_impl.h"
#include <utility>
#include "base/bind.h"
#include "base/callback.h"
#include "base/containers/queue.h"
#include "base/strings/string_util.h"
#include "google_apis/google_api_keys.h"
#include "remoting/base/logging.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
namespace remoting {
namespace {
// Maximum number of retries on network/500 errors.
const int kMaxRetries = 3;
// Time when we we try to update OAuth token before its expiration.
const int kTokenUpdateTimeBeforeExpirySeconds = 60;
} // namespace
OAuthTokenGetterImpl::OAuthTokenGetterImpl(
std::unique_ptr<OAuthIntermediateCredentials> intermediate_credentials,
const OAuthTokenGetter::CredentialsUpdatedCallback& on_credentials_update,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
bool auto_refresh)
: intermediate_credentials_(std::move(intermediate_credentials)),
gaia_oauth_client_(new gaia::GaiaOAuthClient(url_loader_factory)),
credentials_updated_callback_(on_credentials_update) {
if (auto_refresh) {
refresh_timer_.reset(new base::OneShotTimer());
}
}
OAuthTokenGetterImpl::OAuthTokenGetterImpl(
std::unique_ptr<OAuthAuthorizationCredentials> authorization_credentials,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
bool auto_refresh)
: authorization_credentials_(std::move(authorization_credentials)),
gaia_oauth_client_(new gaia::GaiaOAuthClient(url_loader_factory)) {
if (auto_refresh) {
refresh_timer_.reset(new base::OneShotTimer());
}
}
OAuthTokenGetterImpl::~OAuthTokenGetterImpl() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
}
void OAuthTokenGetterImpl::OnGetTokensResponse(const std::string& refresh_token,
const std::string& access_token,
int expires_seconds) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
DCHECK(intermediate_credentials_);
VLOG(1) << "Received OAuth tokens.";
// Update the access token and any other auto-update timers.
UpdateAccessToken(access_token, expires_seconds);
// Keep the refresh token in the authorization_credentials.
authorization_credentials_.reset(
new OAuthTokenGetter::OAuthAuthorizationCredentials(
std::string(), refresh_token,
intermediate_credentials_->is_service_account));
// Clear out the one time use token.
intermediate_credentials_.reset();
// At this point we don't know the email address so we need to fetch it.
email_discovery_ = true;
gaia_oauth_client_->GetUserEmail(access_token, kMaxRetries, this);
}
void OAuthTokenGetterImpl::OnRefreshTokenResponse(
const std::string& access_token,
int expires_seconds) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
DCHECK(authorization_credentials_);
VLOG(1) << "Received OAuth token.";
// Update the access token and any other auto-update timers.
UpdateAccessToken(access_token, expires_seconds);
if (!authorization_credentials_->is_service_account && !email_verified_) {
gaia_oauth_client_->GetUserEmail(access_token, kMaxRetries, this);
} else {
NotifyTokenCallbacks(OAuthTokenGetterImpl::SUCCESS,
authorization_credentials_->login,
oauth_access_token_);
}
}
void OAuthTokenGetterImpl::OnGetUserEmailResponse(
const std::string& user_email) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
DCHECK(authorization_credentials_);
VLOG(1) << "Received user info.";
if (email_discovery_) {
authorization_credentials_->login = user_email;
email_discovery_ = false;
NotifyUpdatedCallbacks(authorization_credentials_->login,
authorization_credentials_->refresh_token);
} else if (user_email != authorization_credentials_->login) {
LOG(ERROR) << "OAuth token and email address do not refer to "
"the same account.";
OnOAuthError();
return;
}
email_verified_ = true;
NotifyTokenCallbacks(OAuthTokenGetterImpl::SUCCESS,
authorization_credentials_->login, oauth_access_token_);
}
void OAuthTokenGetterImpl::UpdateAccessToken(const std::string& access_token,
int expires_seconds) {
oauth_access_token_ = access_token;
base::TimeDelta token_expiration =
base::TimeDelta::FromSeconds(expires_seconds) -
base::TimeDelta::FromSeconds(kTokenUpdateTimeBeforeExpirySeconds);
access_token_expiry_time_ = base::Time::Now() + token_expiration;
if (refresh_timer_) {
refresh_timer_->Stop();
refresh_timer_->Start(FROM_HERE, token_expiration, this,
&OAuthTokenGetterImpl::RefreshAccessToken);
}
}
void OAuthTokenGetterImpl::NotifyTokenCallbacks(
Status status,
const std::string& user_email,
const std::string& access_token) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
response_pending_ = false;
base::queue<TokenCallback> callbacks;
callbacks.swap(pending_callbacks_);
while (!callbacks.empty()) {
std::move(callbacks.front()).Run(status, user_email, access_token);
callbacks.pop();
}
}
void OAuthTokenGetterImpl::NotifyUpdatedCallbacks(
const std::string& user_email,
const std::string& refresh_token) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
if (credentials_updated_callback_) {
credentials_updated_callback_.Run(user_email, refresh_token);
}
}
void OAuthTokenGetterImpl::OnOAuthError() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
LOG(ERROR) << "OAuth: invalid credentials.";
// Throw away invalid credentials and force a refresh.
oauth_access_token_.clear();
access_token_expiry_time_ = base::Time();
email_verified_ = false;
NotifyTokenCallbacks(OAuthTokenGetterImpl::AUTH_ERROR, std::string(),
std::string());
}
void OAuthTokenGetterImpl::OnNetworkError(int response_code) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
LOG(ERROR) << "Network error when trying to update OAuth token: "
<< response_code;
NotifyTokenCallbacks(OAuthTokenGetterImpl::NETWORK_ERROR, std::string(),
std::string());
}
void OAuthTokenGetterImpl::CallWithToken(TokenCallback on_access_token) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
pending_callbacks_.push(std::move(on_access_token));
if (intermediate_credentials_) {
if (!response_pending_) {
GetOauthTokensFromAuthCode();
}
} else {
bool need_new_auth_token =
access_token_expiry_time_.is_null() ||
base::Time::Now() >= access_token_expiry_time_ ||
(!authorization_credentials_->is_service_account && !email_verified_);
if (need_new_auth_token) {
if (!response_pending_) {
RefreshAccessToken();
}
} else {
// If |response_pending_| is true here, |oauth_access_token_| is
// up-to-date but not yet exchanged (it might not have the needed scopes).
// In that case, wait for token-exchange to complete before returning the
// token.
if (!response_pending_) {
NotifyTokenCallbacks(OAuthTokenGetterImpl::SUCCESS,
authorization_credentials_->login,
oauth_access_token_);
}
}
}
}
void OAuthTokenGetterImpl::InvalidateCache() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
access_token_expiry_time_ = base::Time();
}
base::WeakPtr<OAuthTokenGetterImpl> OAuthTokenGetterImpl::GetWeakPtr() {
return weak_factory_.GetWeakPtr();
}
void OAuthTokenGetterImpl::GetOauthTokensFromAuthCode() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
VLOG(1) << "Fetching OAuth token from Auth Code.";
DCHECK(!response_pending_);
// Service accounts use different API keys, as they use the client app flow.
google_apis::OAuth2Client oauth2_client =
intermediate_credentials_->is_service_account
? google_apis::CLIENT_REMOTING_HOST
: google_apis::CLIENT_REMOTING;
// For the case of fetching an OAuth token from a one-time-use code, the
// caller should provide a redirect URI.
std::string redirect_uri = intermediate_credentials_->oauth_redirect_uri;
DCHECK(!redirect_uri.empty());
gaia::OAuthClientInfo client_info = {
google_apis::GetOAuth2ClientID(oauth2_client),
google_apis::GetOAuth2ClientSecret(oauth2_client), redirect_uri};
response_pending_ = true;
gaia_oauth_client_->GetTokensFromAuthCode(
client_info, intermediate_credentials_->authorization_code, kMaxRetries,
this);
}
void OAuthTokenGetterImpl::RefreshAccessToken() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
VLOG(1) << "Refreshing OAuth Access token.";
DCHECK(!response_pending_);
// Service accounts use different API keys, as they use the client app flow.
google_apis::OAuth2Client oauth2_client =
authorization_credentials_->is_service_account
? google_apis::CLIENT_REMOTING_HOST
: google_apis::CLIENT_REMOTING;
gaia::OAuthClientInfo client_info = {
google_apis::GetOAuth2ClientID(oauth2_client),
google_apis::GetOAuth2ClientSecret(oauth2_client),
// Redirect URL is only used when getting tokens from auth code. It
// is not required when getting access tokens from refresh tokens.
""};
response_pending_ = true;
std::vector<std::string> empty_scope_list; // Use scope from refresh token.
gaia_oauth_client_->RefreshToken(client_info,
authorization_credentials_->refresh_token,
empty_scope_list, kMaxRetries, this);
}
} // namespace remoting