blob: f2655601f16cc1dd34db4ca2748013ed8b43d003 [file] [log] [blame] [edit]
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "google_apis/gaia/gaia_auth_fetcher.h"
#include <algorithm>
#include <optional>
#include <string>
#include <utility>
#include <vector>
#include "base/base64url.h"
#include "base/functional/bind.h"
#include "base/json/json_reader.h"
#include "base/json/json_writer.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/metrics/user_metrics.h"
#include "base/metrics/user_metrics_action.h"
#include "base/strings/escape.h"
#include "base/strings/strcat.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/system/sys_info.h"
#include "base/types/optional_util.h"
#include "base/values.h"
#include "google_apis/credentials_mode.h"
#include "google_apis/gaia/bound_oauth_token.pb.h"
#include "google_apis/gaia/gaia_auth_consumer.h"
#include "google_apis/gaia/gaia_auth_util.h"
#include "google_apis/gaia/gaia_constants.h"
#include "google_apis/gaia/gaia_urls.h"
#include "google_apis/gaia/google_service_auth_error.h"
#include "google_apis/gaia/oauth2_id_token_decoder.h"
#include "google_apis/gaia/oauth_multilogin_result.h"
#include "net/base/isolation_info.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_status_code.h"
#include "services/network/public/cpp/resource_request.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
#include "services/network/public/cpp/simple_url_loader.h"
#include "services/network/public/mojom/url_response_head.mojom.h"
namespace {
constexpr char kFormEncodedContentType[] = "application/x-www-form-urlencoded";
constexpr char kJsonContentType[] = "application/json;charset=UTF-8";
std::unique_ptr<const GaiaAuthConsumer::ClientOAuthResult>
ExtractOAuth2TokenPairResponse(const std::string& data) {
std::optional<base::Value> value = base::JSONReader::Read(data);
if (!value || !value->is_dict())
return nullptr;
base::Value::Dict& dict = value->GetDict();
std::string* refresh_token = dict.FindString("refresh_token");
std::string* access_token = dict.FindString("access_token");
std::optional<int> expires_in_secs = dict.FindInt("expires_in");
if (!refresh_token || !access_token || !expires_in_secs.has_value())
return nullptr;
// Extract ID token when obtaining refresh token. Do not fail if absent,
// but log to keep track.
std::string* id_token = dict.FindString("id_token");
if (!id_token)
LOG(ERROR) << "Missing ID token on refresh token fetch response.";
gaia::TokenServiceFlags service_flags =
gaia::ParseServiceFlags(id_token ? *id_token : std::string());
bool is_bound_to_key = false;
// If present, indicates special rules of how the token must be used.
std::string* refresh_token_type = dict.FindString("refresh_token_type");
if (refresh_token_type &&
base::EqualsCaseInsensitiveASCII(*refresh_token_type, "bound_to_key")) {
is_bound_to_key = true;
}
return std::make_unique<const GaiaAuthConsumer::ClientOAuthResult>(
*refresh_token, *access_token, expires_in_secs.value(),
service_flags.is_child_account,
service_flags.is_under_advanced_protection, is_bound_to_key);
}
// Parses server responses for token revocation.
GaiaAuthConsumer::TokenRevocationStatus
GetTokenRevocationStatusFromResponseData(const std::string& data,
int response_code) {
if (response_code == net::HTTP_OK)
return GaiaAuthConsumer::TokenRevocationStatus::kSuccess;
if (response_code == net::HTTP_INTERNAL_SERVER_ERROR)
return GaiaAuthConsumer::TokenRevocationStatus::kServerError;
std::optional<base::Value> value = base::JSONReader::Read(data);
if (!value || !value->is_dict())
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
base::Value::Dict& dict = value->GetDict();
std::string* error = dict.FindString("error");
if (!error)
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
if (*error == "invalid_token")
return GaiaAuthConsumer::TokenRevocationStatus::kInvalidToken;
if (*error == "invalid_request")
return GaiaAuthConsumer::TokenRevocationStatus::kInvalidRequest;
return GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
}
base::Value::Dict ParseJSONDict(const std::string& data) {
base::Value::Dict response_dict;
std::optional<base::Value> message_value = base::JSONReader::Read(data);
if (message_value && message_value->is_dict()) {
response_dict.Merge(std::move(message_value->GetDict()));
}
return response_dict;
}
GaiaAuthConsumer::ReAuthProofTokenStatus ErrorMessageToReAuthProofTokenStatus(
const std::string& message) {
if (message == "INVALID_REQUEST") {
return GaiaAuthConsumer::ReAuthProofTokenStatus::kInvalidRequest;
}
if (message == "INVALID_GRANT") {
return GaiaAuthConsumer::ReAuthProofTokenStatus::kInvalidGrant;
}
if (message == "UNAUTHORIZED_CLIENT") {
return GaiaAuthConsumer::ReAuthProofTokenStatus::kUnauthorizedClient;
}
if (message == "INSUFFICIENT_SCOPE") {
return GaiaAuthConsumer::ReAuthProofTokenStatus::kInsufficientScope;
}
if (message == "CREDENTIAL_NOT_SET") {
return GaiaAuthConsumer::ReAuthProofTokenStatus::kCredentialNotSet;
}
DLOG(ERROR) << "Unrecognized ReauthAPI error message: " + message;
return GaiaAuthConsumer::ReAuthProofTokenStatus::kUnknownError;
}
std::string CreateMultiBearerAuthorizationHeader(
const std::vector<gaia::MultiloginAccountAuthCredentials>& accounts) {
std::vector<std::string> authorization_header_parts;
std::ranges::transform(
accounts, std::back_inserter(authorization_header_parts),
[](const auto& account) {
return base::StrCat({account.token, ":", account.gaia_id.ToString()});
});
return "Authorization: MultiBearer " +
base::JoinString(authorization_header_parts, ",");
}
std::string CreateMultiOAuthAuthorizationHeader(
const std::vector<gaia::MultiloginAccountAuthCredentials>& accounts) {
return "Authorization: MultiOAuth " + gaia::CreateMultiOAuthHeader(accounts);
}
} // namespace
namespace gaia {
GaiaSource::GaiaSource(Type type) : type_(type) {}
GaiaSource::GaiaSource(Type type, const std::string& suffix)
: type_(type), suffix_(suffix) {}
void GaiaSource::SetGaiaSourceSuffix(const std::string& suffix) {
suffix_ = suffix;
}
std::string GaiaSource::ToString() {
std::string source_string;
switch (type_) {
case Type::kChrome:
source_string = GaiaConstants::kChromeSource;
break;
case Type::kChromeOS:
source_string = GaiaConstants::kChromeOSSource;
break;
case Type::kAccountReconcilorDice:
source_string = "ChromiumAccountReconcilorDice";
break;
case Type::kAccountReconcilorMirror:
source_string = "ChromiumAccountReconcilor";
break;
case Type::kPrimaryAccountManager:
// Even though this string refers to an old name from the Chromium POV, it
// should not be changed as it is passed server-side.
source_string = "ChromiumSigninManager";
break;
}
// All sources should start with Chromium or chromeos for better server logs.
DCHECK(source_string == "chromeos" ||
base::StartsWith(source_string, "Chromium",
base::CompareCase::SENSITIVE));
return source_string + suffix_;
}
} // namespace gaia
GaiaAuthFetcher::GaiaAuthFetcher(
GaiaAuthConsumer* consumer,
gaia::GaiaSource source,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory)
: url_loader_factory_(url_loader_factory),
consumer_(consumer),
source_(source.ToString()),
oauth2_token_gurl_(GaiaUrls::GetInstance()->oauth2_token_url()),
oauth2_revoke_gurl_(GaiaUrls::GetInstance()->oauth2_revoke_url()),
oauth_multilogin_gurl_(GaiaUrls::GetInstance()->oauth_multilogin_url()),
list_accounts_gurl_(
GaiaUrls::GetInstance()->ListAccountsURLWithSource(source_)),
logout_gurl_(GaiaUrls::GetInstance()->LogOutURLWithSource(source_)),
get_check_connection_info_url_(
GaiaUrls::GetInstance()->GetCheckConnectionInfoURLWithSource(
source_)),
reauth_api_url_(GaiaUrls::GetInstance()->reauth_api_url()) {}
GaiaAuthFetcher::~GaiaAuthFetcher() = default;
bool GaiaAuthFetcher::HasPendingFetch() {
return fetch_pending_;
}
void GaiaAuthFetcher::SetPendingFetch(bool pending_fetch) {
fetch_pending_ = pending_fetch;
}
bool GaiaAuthFetcher::IsMultiloginUrl(const GURL& url) {
return base::StartsWith(url.spec(), oauth_multilogin_gurl_.spec(),
base::CompareCase::SENSITIVE);
}
bool GaiaAuthFetcher::IsReAuthApiUrl(const GURL& url) {
return base::StartsWith(url.spec(), reauth_api_url_.spec(),
base::CompareCase::SENSITIVE);
}
bool GaiaAuthFetcher::IsListAccountsUrl(const GURL& url) {
return url == list_accounts_gurl_;
}
void GaiaAuthFetcher::CreateAndStartGaiaFetcher(
const std::string& body,
const std::string& body_content_type,
const std::string& headers,
const GURL& gaia_gurl,
network::mojom::CredentialsMode credentials_mode,
const net::NetworkTrafficAnnotationTag& traffic_annotation) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = gaia_gurl;
original_url_ = gaia_gurl;
if (credentials_mode != network::mojom::CredentialsMode::kOmit &&
credentials_mode !=
network::mojom::CredentialsMode::kOmitBug_775438_Workaround) {
CHECK(gaia::HasGaiaSchemeHostPort(gaia_gurl)) << gaia_gurl;
url::Origin origin = GaiaUrls::GetInstance()->gaia_origin();
resource_request->site_for_cookies =
net::SiteForCookies::FromOrigin(origin);
resource_request->trusted_params =
network::ResourceRequest::TrustedParams();
resource_request->trusted_params->isolation_info =
net::IsolationInfo::CreateForInternalRequest(origin);
}
if (!body.empty())
resource_request->method = "POST";
if (!headers.empty())
resource_request->headers.AddHeadersFromString(headers);
resource_request->credentials_mode = credentials_mode;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);
if (!body.empty()) {
DCHECK(!body_content_type.empty());
url_loader_->AttachStringForUpload(body, body_content_type);
}
url_loader_->SetAllowHttpErrorResults(true);
VLOG(2) << "Gaia fetcher URL: " << gaia_gurl.spec();
VLOG(2) << "Gaia fetcher headers: " << headers;
VLOG(2) << "Gaia fetcher body: " << body;
// Fetchers are sometimes cancelled because a network change was detected,
// especially at startup and after sign-in on ChromeOS. Retrying once should
// be enough in those cases; let the fetcher retry up to 3 times just in case.
// http://crbug.com/163710
url_loader_->SetRetryOptions(
3, network::SimpleURLLoader::RETRY_ON_NETWORK_CHANGE);
fetch_pending_ = true;
// Unretained is OK below as |url_loader_| is owned by this.
url_loader_->DownloadToString(
url_loader_factory_.get(),
base::BindOnce(&GaiaAuthFetcher::OnURLLoadComplete,
base::Unretained(this)),
// Limit to 1 MiB.
1024 * 1024);
}
// static
std::string GaiaAuthFetcher::MakeGetTokenPairBody(
const std::string& auth_code,
const std::string& device_id,
const std::string& binding_registration_token) {
std::string encoded_scope =
base::EscapeUrlEncodedData(GaiaConstants::kOAuth1LoginScope, true);
std::string encoded_client_id = base::EscapeUrlEncodedData(
GaiaUrls::GetInstance()->oauth2_chrome_client_id(), true);
std::string encoded_client_secret = base::EscapeUrlEncodedData(
GaiaUrls::GetInstance()->oauth2_chrome_client_secret(), true);
std::string encoded_auth_code = base::EscapeUrlEncodedData(auth_code, true);
std::string body = base::StrCat(
{"scope=", encoded_scope,
"&grant_type=authorization_code&client_id=", encoded_client_id,
"&client_secret=", encoded_client_secret, "&code=", encoded_auth_code});
if (!device_id.empty()) {
body =
base::StrCat({body, "&device_id=", device_id, "&device_type=chrome"});
}
if (!binding_registration_token.empty()) {
body = base::StrCat(
{body, "&bound_token_registration_jwt=", binding_registration_token});
}
return body;
}
// static
std::string GaiaAuthFetcher::MakeRevokeTokenBody(
const std::string& auth_token) {
return "token=" + auth_token;
}
// static
void GaiaAuthFetcher::ParseFailureResponse(const std::string& data,
std::string* error,
std::string* error_url) {
base::StringPairs tokens;
base::SplitStringIntoKeyValuePairs(data, '=', '\n', &tokens);
for (const auto& token : tokens) {
if (token.first == "Error") {
error->assign(token.second);
} else if (token.first == "Url") {
error_url->assign(token.second);
}
}
}
void GaiaAuthFetcher::StartRevokeOAuth2Token(const std::string& auth_token) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting OAuth2 token revocation";
request_body_ = MakeRevokeTokenBody(auth_token);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_revoke_token", R"(
semantics {
sender: "Chrome - Google authentication API"
description: "This request revokes an OAuth 2.0 refresh token."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"an OAuth 2.0 refresh token needs to be revoked."
data: "The OAuth 2.0 refresh token that should be revoked."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(
request_body_, kFormEncodedContentType, std::string(),
oauth2_revoke_gurl_, google_apis::GetOmitCredentialsModeForGaiaRequests(),
traffic_annotation);
}
void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchange(
const std::string& auth_code,
const std::string& user_agent_full_version_list,
const std::string& binding_registration_token) {
StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
auth_code, /*device_id=*/std::string(), user_agent_full_version_list,
binding_registration_token);
}
void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
const std::string& auth_code,
const std::string& device_id,
const std::string& user_agent_full_version_list,
const std::string& binding_registration_token) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting OAuth token pair fetch";
std::string user_agent_full_version_list_header;
if (!user_agent_full_version_list.empty()) {
user_agent_full_version_list_header = base::StrCat(
{"Sec-CH-UA-Full-Version-List: ", user_agent_full_version_list});
}
request_body_ =
MakeGetTokenPairBody(auth_code, device_id, binding_registration_token);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_device_id",
R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request exchanges an authorization code for an OAuth 2.0 "
"refresh token."
trigger:
"This request is part of Gaia Auth API, and may be triggered at "
"the end of the Chrome sign-in flow."
data:
"The Google console client ID and client secret of the Chrome "
"application, the OAuth 2.0 authorization code, the ID of the "
"device, and the public binding key."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(
request_body_, kFormEncodedContentType,
user_agent_full_version_list_header, oauth2_token_gurl_,
google_apis::GetOmitCredentialsModeForGaiaRequests(), traffic_annotation);
}
void GaiaAuthFetcher::StartListAccounts() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_list_accounts", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to list the accounts in the Google "
"authentication cookies."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"the list of all available accounts in the Google authentication "
"cookies is required."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(
" ", // To force an HTTP POST.
kFormEncodedContentType, "Origin: https://www.google.com",
list_accounts_gurl_, network::mojom::CredentialsMode::kInclude,
traffic_annotation);
}
void GaiaAuthFetcher::StartOAuthMultilogin(
gaia::MultiloginMode mode,
const std::vector<gaia::MultiloginAccountAuthCredentials>& accounts,
const std::string& external_cc_result,
OAuthMultiloginResult::CookieDecryptor cookie_decryptor) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
UMA_HISTOGRAM_COUNTS_100("Signin.Multilogin.NumberOfAccounts",
accounts.size());
bool has_binding_assertion = std::ranges::any_of(
accounts, [](const gaia::MultiloginAccountAuthCredentials& account) {
return !account.token_binding_assertion.empty();
});
std::string authorization_header =
has_binding_assertion ? CreateMultiOAuthAuthorizationHeader(accounts)
: CreateMultiBearerAuthorizationHeader(accounts);
std::string source_string = base::EscapeUrlEncodedData(source_, true);
std::string parameters = base::StringPrintf(
"?source=%s&reuseCookies=%i", source_string.c_str(),
mode == gaia::MultiloginMode::MULTILOGIN_PRESERVE_COOKIE_ACCOUNTS_ORDER
? 1
: 0);
if (!external_cc_result.empty()) {
base::StringAppendF(
&parameters, "&externalCcResult=%s",
base::EscapeUrlEncodedData(external_cc_result, true).c_str());
}
oauth_multilogin_cookie_decryptor_ = std::move(cookie_decryptor);
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_multilogin", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to set chrome accounts in browser in the "
"Google authentication cookies for several google websites "
"(e.g. youtube)."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"accounts in cookies are not consistent with accounts in browser."
data:
"This request includes the vector of account ids and auth-login "
"tokens."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(" ", // Non-empty to force a POST
kFormEncodedContentType, authorization_header,
oauth_multilogin_gurl_.Resolve(parameters),
network::mojom::CredentialsMode::kInclude,
traffic_annotation);
}
void GaiaAuthFetcher::StartLogOut() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_log_out", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is part of the Chrome - Google authentication API "
"and allows its callers to sign out all Google accounts from the "
"content area."
trigger:
"This request is part of Gaia Auth API, and is triggered whenever "
"signing out of all Google accounts is required."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: YES
cookies_store: "user"
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(
std::string(), std::string(), std::string(), logout_gurl_,
network::mojom::CredentialsMode::kInclude, traffic_annotation);
}
void GaiaAuthFetcher::StartCreateReAuthProofTokenForParent(
const std::string& child_oauth_access_token,
const std::string& parent_obfuscated_gaia_id,
const std::string& parent_credential) {
// Create the post body.
base::Value::Dict post_body_value;
post_body_value.Set("credentialType", "password");
post_body_value.Set("credential", parent_credential);
std::string post_body;
bool write_success = base::JSONWriter::Write(post_body_value, &post_body);
DCHECK(write_success);
// Create the Authorization header.
std::string auth_header = "Bearer " + child_oauth_access_token;
std::string headers = "Authorization: " + auth_header + "\r\n" +
"Content-Type: " + kJsonContentType;
// Create the traffic annotation.
net::NetworkTrafficAnnotationTag traffic_annotation(
net::DefineNetworkTrafficAnnotation(
"gaia_create_reauth_proof_token_for_parent", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request exchanges a set of credentials for a parent-type "
"Google Family Link user for a ReAuth Proof Token (RAPT), "
"the successful receipt of which re-authorizes (but explicitly "
"does not authenticate) the parent user."
trigger:
"This request is triggered when a Chrome service needs to "
"re-authorize a parent-type Google Family Link user given the "
"parent's login credential."
data:
"The obfuscated GAIA id of the parent, the Google OAuth access "
"token of the child account, and the credential to be used to "
"reauthorize the user."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})"));
// Create the ReAuth URL.
GURL reauth_url = GaiaUrls::GetInstance()->reauth_api_url().Resolve(
parent_obfuscated_gaia_id + "/reauthProofTokens?delegationType=unicorn");
DCHECK(reauth_url.is_valid());
// Start the request.
CreateAndStartGaiaFetcher(
post_body, kJsonContentType, headers, reauth_url,
google_apis::GetOmitCredentialsModeForGaiaRequests(), traffic_annotation);
}
void GaiaAuthFetcher::StartGetCheckConnectionInfo() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("gaia_auth_check_connection_info", R"(
semantics {
sender: "Chrome - Google authentication API"
description:
"This request is used to fetch from the Google authentication "
"server the the list of URLs to check its connection info."
trigger:
"This request is part of Gaia Auth API, and is triggered once "
"after a Google account is added to the browser."
data: "None."
destination: GOOGLE_OWNED_SERVICE
}
policy {
cookies_allowed: NO
setting:
"This feature cannot be disabled in settings, but if the user "
"signs out of Chrome, this request would not be made."
chrome_policy {
SigninAllowed {
policy_options {mode: MANDATORY}
SigninAllowed: false
}
}
})");
CreateAndStartGaiaFetcher(
std::string(), std::string(), std::string(),
get_check_connection_info_url_,
google_apis::GetOmitCredentialsModeForGaiaRequests(), traffic_annotation);
}
// static
GoogleServiceAuthError GaiaAuthFetcher::GenerateAuthError(
const std::string& data,
net::Error net_error) {
VLOG(1) << "Got authentication error";
VLOG(1) << "net_error: " << net::ErrorToString(net_error);
VLOG(1) << "response body: " << data;
if (net_error != net::OK) {
if (net_error == net::ERR_ABORTED) {
return GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED);
}
DVLOG(1) << "Could not reach Google Accounts servers: errno " << net_error;
return GoogleServiceAuthError::FromConnectionError(net_error);
}
std::string error;
std::string url;
ParseFailureResponse(data, &error, &url);
DLOG(WARNING) << "Authentication request failed"
<< (error.empty() ? std::string() : (" with error: " + error));
if (error == "badauth" || error == "BadAuthentication") {
return GoogleServiceAuthError::FromInvalidGaiaCredentialsReason(
GoogleServiceAuthError::InvalidGaiaCredentialsReason::
CREDENTIALS_REJECTED_BY_SERVER);
}
return GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE);
}
void GaiaAuthFetcher::OnOAuth2TokenPairFetched(const std::string& data,
net::Error net_error,
int response_code) {
std::unique_ptr<const GaiaAuthConsumer::ClientOAuthResult> result;
if (net_error == net::OK && response_code == net::HTTP_OK) {
result = ExtractOAuth2TokenPairResponse(data);
}
if (result) {
consumer_->OnClientOAuthSuccess(*result);
} else {
consumer_->OnClientOAuthFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnOAuth2RevokeTokenFetched(const std::string& data,
net::Error net_error,
int response_code) {
GaiaAuthConsumer::TokenRevocationStatus revocation_status =
GaiaAuthConsumer::TokenRevocationStatus::kUnknownError;
switch (net_error) {
case net::OK:
revocation_status =
GetTokenRevocationStatusFromResponseData(data, response_code);
break;
case net::ERR_IO_PENDING:
NOTREACHED();
case net::ERR_ABORTED:
revocation_status =
GaiaAuthConsumer::TokenRevocationStatus::kConnectionCanceled;
break;
default:
revocation_status =
(net_error == net::ERR_TIMED_OUT)
? GaiaAuthConsumer::TokenRevocationStatus::kConnectionTimeout
: GaiaAuthConsumer::TokenRevocationStatus::kConnectionFailed;
break;
}
consumer_->OnOAuth2RevokeTokenCompleted(revocation_status);
}
void GaiaAuthFetcher::OnListAccountsFetched(const std::string& data,
net::Error net_error,
int response_code) {
base::UmaHistogramSparse("Gaia.AuthFetcher.ListAccounts.NetErrorCodes",
-net_error);
if (net_error == net::OK && response_code == net::HTTP_OK)
consumer_->OnListAccountsSuccess(data);
else
consumer_->OnListAccountsFailure(GenerateAuthError(data, net_error));
}
void GaiaAuthFetcher::OnLogOutFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK && response_code == net::HTTP_OK) {
consumer_->OnLogOutSuccess();
} else {
consumer_->OnLogOutFailure(GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnReAuthApiInfoFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::OK) {
base::Value::Dict response_dict = ParseJSONDict(data);
if (response_code == net::HTTP_OK) {
std::string* rapt_token = response_dict.FindString("encodedRapt");
if (!rapt_token) {
// This should not happen unless there is a bug on the server,
// since if we get HTTP_OK response, we should get a RAPT token.
DLOG(ERROR) << "Got HTTP-OK ReauthAPI response with empty RAPT token";
consumer_->OnReAuthProofTokenFailure(
GaiaAuthConsumer::ReAuthProofTokenStatus::kUnknownError);
return;
}
consumer_->OnReAuthProofTokenSuccess(*rapt_token);
} else {
const std::string* error_message =
response_dict.FindStringByDottedPath("error.message");
CHECK(error_message);
consumer_->OnReAuthProofTokenFailure(
ErrorMessageToReAuthProofTokenStatus(*error_message));
}
} else {
consumer_->OnReAuthProofTokenFailure(
GaiaAuthConsumer::ReAuthProofTokenStatus::kNetworkError);
}
}
void GaiaAuthFetcher::OnGetCheckConnectionInfoFetched(const std::string& data,
net::Error net_error,
int response_code) {
if (net_error == net::Error::OK && response_code == net::HTTP_OK) {
consumer_->OnGetCheckConnectionInfoSuccess(data);
} else {
consumer_->OnGetCheckConnectionInfoError(
GenerateAuthError(data, net_error));
}
}
void GaiaAuthFetcher::OnOAuthMultiloginFetched(const std::string& data,
net::Error net_error,
int response_code) {
OAuthMultiloginResult result =
(net_error == net::Error::OK)
? OAuthMultiloginResult(data, response_code,
oauth_multilogin_cookie_decryptor_)
: OAuthMultiloginResult(OAuthMultiloginResponseStatus::kRetry);
consumer_->OnOAuthMultiloginFinished(result);
}
void GaiaAuthFetcher::OnURLLoadComplete(
std::unique_ptr<std::string> response_body) {
net::Error net_error = static_cast<net::Error>(url_loader_->NetError());
std::string data = response_body ? std::move(*response_body) : "";
int response_code = 0;
if (url_loader_->ResponseInfo()) {
if (url_loader_->ResponseInfo()->headers)
response_code = url_loader_->ResponseInfo()->headers->response_code();
}
OnURLLoadCompleteInternal(net_error, response_code, data);
}
void GaiaAuthFetcher::OnURLLoadCompleteInternal(net::Error net_error,
int response_code,
std::string data) {
fetch_pending_ = false;
// Some of the GAIA requests perform redirects, which results in the final URL
// of the fetcher not being the original URL requested. Therefore use the
// original URL when determining which OnXXX function to call.
GURL url = std::move(original_url_);
original_url_ = GURL();
DispatchFetchedRequest(url, data, net_error, response_code);
}
void GaiaAuthFetcher::DispatchFetchedRequest(const GURL& url,
const std::string& data,
net::Error net_error,
int response_code) {
if (url == oauth2_token_gurl_) {
OnOAuth2TokenPairFetched(data, net_error, response_code);
} else if (IsMultiloginUrl(url)) {
OnOAuthMultiloginFetched(data, net_error, response_code);
} else if (url == oauth2_revoke_gurl_) {
OnOAuth2RevokeTokenFetched(data, net_error, response_code);
} else if (IsListAccountsUrl(url)) {
OnListAccountsFetched(data, net_error, response_code);
} else if (url == logout_gurl_) {
OnLogOutFetched(data, net_error, response_code);
} else if (url == get_check_connection_info_url_) {
OnGetCheckConnectionInfoFetched(data, net_error, response_code);
} else if (IsReAuthApiUrl(url)) {
OnReAuthApiInfoFetched(data, net_error, response_code);
} else {
NOTREACHED() << "Unknown url: '" << url << "'";
}
}