| // Copyright 2016 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "services/authentication/google_authentication_impl.h" |
| |
| #include "base/json/json_reader.h" |
| #include "base/json/json_writer.h" |
| #include "base/message_loop/message_loop.h" |
| #include "base/strings/string_piece.h" |
| #include "base/strings/string_split.h" |
| #include "base/strings/string_tokenizer.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/synchronization/waitable_event.h" |
| #include "base/threading/platform_thread.h" |
| #include "base/trace_event/trace_event.h" |
| #include "base/values.h" |
| #include "mojo/common/binding_set.h" |
| #include "mojo/data_pipe_utils/data_pipe_drainer.h" |
| #include "mojo/data_pipe_utils/data_pipe_utils.h" |
| #include "mojo/public/c/system/main.h" |
| #include "mojo/public/cpp/bindings/strong_binding.h" |
| #include "mojo/public/cpp/system/macros.h" |
| #include "mojo/services/network/interfaces/url_loader.mojom.h" |
| #include "services/authentication/credentials_impl_db.mojom.h" |
| |
| namespace authentication { |
| |
| // Mojo Shell OAuth2 Client configuration. |
| // TODO: These should be retrieved from a secure storage or a configuration file |
| // in the future. |
| char kMojoShellOAuth2ClientId[] = |
| "962611923869-3avg0b4vlisgjhin0l98dgp6d8sd634r.apps.googleusercontent.com"; |
| char kMojoShellOAuth2ClientSecret[] = "41IxvPPAt1HyRoYw2hO84dRI"; |
| |
| // Query params used in Google OAuth2 handshake |
| char kOAuth2ClientIdParamName[] = "client_id"; |
| char kOAuth2ClientSecretParamName[] = "client_secret"; |
| char kOAuth2ScopeParamName[] = "scope"; |
| char kOAuth2GrantTypeParamName[] = "grant_type"; |
| char kOAuth2CodeParamName[] = "code"; |
| char kOAuth2RefreshTokenParamName[] = "refresh_token"; |
| char kOAuth2DeviceFlowGrantType[] = "http://oauth.net/grant_type/device/1.0"; |
| char kOAuth2RefreshTokenGrantType[] = "refresh_token"; |
| |
| // TODO(ukode) : Verify the char list |
| char kEscapableUrlParamChars[] = ".$[]/"; |
| |
| std::string EncodeParam(std::string param) { |
| for (size_t i = 0; i < strlen(kEscapableUrlParamChars); ++i) { |
| base::ReplaceSubstringsAfterOffset( |
| ¶m, 0, std::string(1, kEscapableUrlParamChars[i]), |
| base::StringPrintf("%%%x", kEscapableUrlParamChars[i])); |
| } |
| return param; |
| } |
| |
| mojo::String BuildUrlQuery(mojo::Map<mojo::String, mojo::String> params) { |
| std::string message; |
| for (auto it = params.begin(); it != params.end(); ++it) { |
| message += EncodeParam(it.GetKey()) + "=" + EncodeParam(it.GetValue()); |
| message += "&"; |
| } |
| |
| if (!message.empty()) { |
| message = message.substr(0, message.size() - 1); // Trims extra "&". |
| } |
| return message; |
| } |
| |
| static base::DictionaryValue* ParseOAuth2Response(const std::string& response) { |
| if (response.empty()) { |
| return nullptr; |
| } |
| |
| scoped_ptr<base::Value> root(base::JSONReader::Read(response)); |
| if (!root || !root->IsType(base::Value::TYPE_DICTIONARY)) { |
| LOG(ERROR) << "Unexpected json response:" << std::endl << response; |
| return nullptr; |
| } |
| |
| return static_cast<base::DictionaryValue*>(root.release()); |
| } |
| |
| GoogleAuthenticationServiceImpl::GoogleAuthenticationServiceImpl( |
| mojo::InterfaceRequest<AuthenticationService> request, |
| const mojo::String app_url, |
| mojo::NetworkServicePtr& network_service, |
| mojo::files::DirectoryPtr& directory) |
| : binding_(this, request.Pass()), |
| app_url_(app_url), |
| network_service_(network_service) { |
| accounts_db_manager_ = new AccountsDbManager(directory.Pass()); |
| } |
| |
| GoogleAuthenticationServiceImpl::~GoogleAuthenticationServiceImpl() { |
| delete accounts_db_manager_; |
| } |
| |
| void GoogleAuthenticationServiceImpl::GetOAuth2Token( |
| const mojo::String& username, |
| mojo::Array<mojo::String> scopes, |
| const GetOAuth2TokenCallback& callback) { |
| if (!accounts_db_manager_->isValid()) { |
| callback.Run(nullptr, "Accounts db validation failed."); |
| return; |
| } |
| |
| authentication::CredentialsPtr creds = |
| accounts_db_manager_->GetCredentials(username); |
| |
| if (!creds->token) { |
| callback.Run(nullptr, "User grant not found"); |
| return; |
| } |
| |
| // TODO: Scopes are not used with the scoped refresh tokens. When we start |
| // supporting full login scoped tokens, then the scopes here gets used for |
| // Sidescoping. |
| mojo::Map<mojo::String, mojo::String> params; |
| params[kOAuth2ClientIdParamName] = kMojoShellOAuth2ClientId; |
| params[kOAuth2ClientSecretParamName] = kMojoShellOAuth2ClientSecret; |
| params[kOAuth2GrantTypeParamName] = kOAuth2RefreshTokenGrantType; |
| params[kOAuth2RefreshTokenParamName] = creds->token; |
| |
| Request("https://www.googleapis.com/oauth2/v3/token", "POST", |
| BuildUrlQuery(params.Pass()), |
| base::Bind(&GoogleAuthenticationServiceImpl::OnGetOAuth2Token, |
| base::Unretained(this), callback)); |
| } |
| |
| void GoogleAuthenticationServiceImpl::SelectAccount( |
| bool returnLastSelected, |
| const SelectAccountCallback& callback) { |
| if (!accounts_db_manager_->isValid()) { |
| callback.Run(nullptr, "Accounts db validation failed."); |
| return; |
| } |
| |
| mojo::String username; |
| if (returnLastSelected) { |
| username = accounts_db_manager_->GetAuthorizedUserForApp(app_url_); |
| if (!username.is_null()) { |
| callback.Run(username, nullptr); |
| return; |
| } |
| } |
| |
| // TODO(ukode): Select one among the list of accounts using an AccountPicker |
| // UI instead of the first account always. |
| mojo::Array<mojo::String> users = accounts_db_manager_->GetAllUsers(); |
| if (!users.size()) { |
| callback.Run(nullptr, "No user accounts found."); |
| return; |
| } |
| |
| username = users[0]; |
| accounts_db_manager_->UpdateAuthorization(app_url_, username); |
| callback.Run(username, nullptr); |
| } |
| |
| void GoogleAuthenticationServiceImpl::ClearOAuth2Token( |
| const mojo::String& token) {} |
| |
| void GoogleAuthenticationServiceImpl::GetOAuth2DeviceCode( |
| mojo::Array<mojo::String> scopes, |
| const GetOAuth2DeviceCodeCallback& callback) { |
| std::string scopes_str("email"); |
| for (size_t i = 0; i < scopes.size(); i++) { |
| scopes_str += " "; |
| scopes_str += std::string(scopes[i].data()); |
| } |
| |
| mojo::Map<mojo::String, mojo::String> params; |
| params[kOAuth2ClientIdParamName] = kMojoShellOAuth2ClientId; |
| params[kOAuth2ScopeParamName] = scopes_str; |
| |
| Request("https://accounts.google.com/o/oauth2/device/code", "POST", |
| BuildUrlQuery(params.Pass()), |
| base::Bind(&GoogleAuthenticationServiceImpl::OnGetOAuth2DeviceCode, |
| base::Unretained(this), callback)); |
| } |
| |
| void GoogleAuthenticationServiceImpl::AddAccount( |
| const mojo::String& device_code, |
| const AddAccountCallback& callback) { |
| // Resets the poll count to "1" |
| AddAccountInternal(device_code, 1, callback); |
| } |
| |
| void GoogleAuthenticationServiceImpl::AddAccountInternal( |
| const mojo::String& device_code, |
| const uint32_t num_poll_attempts, |
| const AddAccountCallback& callback) { |
| mojo::Map<mojo::String, mojo::String> params; |
| params[kOAuth2ClientIdParamName] = kMojoShellOAuth2ClientId; |
| params[kOAuth2ClientSecretParamName] = kMojoShellOAuth2ClientSecret; |
| params[kOAuth2GrantTypeParamName] = kOAuth2DeviceFlowGrantType; |
| params[kOAuth2CodeParamName] = device_code; |
| |
| Request("https://www.googleapis.com/oauth2/v3/token", "POST", |
| BuildUrlQuery(params.Pass()), |
| base::Bind(&GoogleAuthenticationServiceImpl::OnAddAccount, |
| base::Unretained(this), callback, device_code, |
| num_poll_attempts)); |
| } |
| |
| void GoogleAuthenticationServiceImpl::OnGetOAuth2Token( |
| const GetOAuth2TokenCallback& callback, |
| const std::string& response, |
| const std::string& error) { |
| if (response.empty()) { |
| callback.Run(nullptr, "Error from server:" + error); |
| return; |
| } |
| |
| scoped_ptr<base::DictionaryValue> dict(ParseOAuth2Response(response.c_str())); |
| if (!dict.get() || dict->HasKey("error")) { |
| callback.Run(nullptr, "Error in parsing response:" + response); |
| return; |
| } |
| |
| std::string access_token; |
| dict->GetString("access_token", &access_token); |
| |
| callback.Run(access_token, nullptr); |
| } |
| |
| void GoogleAuthenticationServiceImpl::OnGetOAuth2DeviceCode( |
| const GetOAuth2DeviceCodeCallback& callback, |
| const std::string& response, |
| const std::string& error) { |
| if (response.empty()) { |
| callback.Run(nullptr, nullptr, nullptr, "Error from server:" + error); |
| return; |
| } |
| |
| scoped_ptr<base::DictionaryValue> dict(ParseOAuth2Response(response.c_str())); |
| if (!dict.get() || dict->HasKey("error")) { |
| callback.Run(nullptr, nullptr, nullptr, |
| "Error in parsing response:" + response); |
| return; |
| } |
| |
| std::string url; |
| std::string device_code; |
| std::string user_code; |
| dict->GetString("verification_url", &url); |
| dict->GetString("device_code", &device_code); |
| dict->GetString("user_code", &user_code); |
| |
| callback.Run(url, device_code, user_code, nullptr); |
| } |
| |
| void GoogleAuthenticationServiceImpl::GetTokenInfo( |
| const std::string& access_token) { |
| std::string url("https://www.googleapis.com/oauth2/v1/tokeninfo"); |
| url += "?access_token=" + EncodeParam(access_token); |
| |
| Request(url, "GET", "", |
| base::Bind(&GoogleAuthenticationServiceImpl::OnGetTokenInfo, |
| base::Unretained(this))); |
| } |
| |
| void GoogleAuthenticationServiceImpl::OnGetTokenInfo( |
| const std::string& response, |
| const std::string& error) { |
| if (response.empty()) { |
| return; |
| } |
| |
| scoped_ptr<base::DictionaryValue> dict(ParseOAuth2Response(response.c_str())); |
| if (!dict.get() || dict->HasKey("error")) { |
| return; |
| } |
| |
| // This field is only present if the profile scope was present in the |
| // request. The value of this field is an immutable identifier for the |
| // logged-in user, and may be used when creating and managing user |
| // sessions in your application. |
| dict->GetString("user_id", &user_id_); |
| dict->GetString("email", &email_); |
| // The space-delimited set of scopes that the user consented to. |
| dict->GetString("scope", &scope_); |
| return; |
| } |
| |
| void GoogleAuthenticationServiceImpl::GetUserInfo(const std::string& id_token) { |
| std::string url("https://www.googleapis.com/oauth2/v1/tokeninfo"); |
| url += "?id_token=" + EncodeParam(id_token); |
| |
| Request(url, "GET", "", |
| base::Bind(&GoogleAuthenticationServiceImpl::OnGetUserInfo, |
| base::Unretained(this))); |
| } |
| |
| void GoogleAuthenticationServiceImpl::OnGetUserInfo(const std::string& response, |
| const std::string& error) { |
| if (response.empty()) { |
| return; |
| } |
| |
| scoped_ptr<base::DictionaryValue> dict(ParseOAuth2Response(response.c_str())); |
| if (!dict.get() || dict->HasKey("error")) { |
| return; |
| } |
| |
| // This field is only present if the email scope was requested |
| dict->GetString("email", &email_); |
| } |
| |
| void GoogleAuthenticationServiceImpl::OnAddAccount( |
| const AddAccountCallback& callback, |
| const mojo::String& device_code, |
| const uint32_t num_poll_attempts, |
| const std::string& response, |
| const std::string& error) { |
| if (response.empty()) { |
| callback.Run(nullptr, "Error from server:" + error); |
| return; |
| } |
| |
| if (!response.empty() && error.empty()) { |
| scoped_ptr<base::Value> root(base::JSONReader::Read(response)); |
| if (!root || !root->IsType(base::Value::TYPE_DICTIONARY)) { |
| callback.Run(response, nullptr); |
| return; |
| } |
| } |
| |
| // Parse response and fetch refresh, access and idtokens |
| scoped_ptr<base::DictionaryValue> dict(ParseOAuth2Response(response.c_str())); |
| std::string error_code; |
| if (!dict.get()) { |
| callback.Run(nullptr, "Error in parsing response:" + response); |
| return; |
| } else if (dict->HasKey("error") && dict->GetString("error", &error_code)) { |
| if (error_code != "authorization_pending") { |
| callback.Run(nullptr, "Server error:" + response); |
| return; |
| } |
| |
| if (num_poll_attempts > 15) { |
| callback.Run(nullptr, "Timed out after max number of polling attempts"); |
| return; |
| } |
| |
| // Rate limit by waiting 7 seconds before polling for a new grant |
| base::MessageLoop::current()->PostDelayedTask( |
| FROM_HERE, |
| base::Bind(&GoogleAuthenticationServiceImpl::AddAccountInternal, |
| base::Unretained(this), device_code, num_poll_attempts + 1, |
| callback), |
| base::TimeDelta::FromMilliseconds(7000)); |
| return; |
| } |
| |
| // Poll success, after detecting user grant. |
| std::string access_token; |
| dict->GetString("access_token", &access_token); |
| GetTokenInfo(access_token); // gets scope, email and user_id |
| |
| if (email_.empty()) { |
| std::string id_token; |
| dict->GetString("id_token", &id_token); |
| GetUserInfo(id_token); // gets user's email |
| } |
| |
| // TODO(ukode): Store access token in cache for the duration set in |
| // response |
| if (!accounts_db_manager_->isValid()) { |
| callback.Run(nullptr, "Accounts db validation failed."); |
| return; |
| } |
| |
| std::string refresh_token; |
| dict->GetString("refresh_token", &refresh_token); |
| authentication::CredentialsPtr creds = authentication::Credentials::New(); |
| creds->token = refresh_token; |
| creds->scopes = scope_; |
| creds->auth_provider = AuthProvider::GOOGLE; |
| creds->credential_type = CredentialType::DOWNSCOPED_OAUTH_REFRESH_TOKEN; |
| std::string username = email_.empty() ? user_id_ : email_; |
| accounts_db_manager_->UpdateCredentials(username, creds.Pass()); |
| |
| callback.Run(username, nullptr); |
| } |
| |
| void GoogleAuthenticationServiceImpl::Request( |
| const std::string& url, |
| const std::string& method, |
| const std::string& message, |
| const mojo::Callback<void(std::string, std::string)>& callback) { |
| Request(url, method, message, callback, nullptr, 0); |
| } |
| |
| void GoogleAuthenticationServiceImpl::Request( |
| const std::string& url, |
| const std::string& method, |
| const std::string& message, |
| const mojo::Callback<void(std::string, std::string)>& callback, |
| const mojo::String& device_code, |
| const uint32_t num_poll_attempts) { |
| mojo::URLRequestPtr request(mojo::URLRequest::New()); |
| request->url = url; |
| request->method = method; |
| request->auto_follow_redirects = true; |
| |
| // Add headers |
| auto content_type_header = mojo::HttpHeader::New(); |
| content_type_header->name = "Content-Type"; |
| content_type_header->value = "application/x-www-form-urlencoded"; |
| request->headers.push_back(content_type_header.Pass()); |
| |
| if (!message.empty()) { |
| request->body.push_back( |
| mojo::common::WriteStringToConsumerHandle(message).Pass()); |
| } |
| |
| mojo::URLLoaderPtr url_loader; |
| network_service_->CreateURLLoader(GetProxy(&url_loader)); |
| |
| url_loader->Start( |
| request.Pass(), |
| base::Bind(&GoogleAuthenticationServiceImpl::HandleServerResponse, |
| base::Unretained(this), callback, device_code, |
| num_poll_attempts)); |
| |
| url_loader.WaitForIncomingResponse(); |
| } |
| |
| void GoogleAuthenticationServiceImpl::HandleServerResponse( |
| const mojo::Callback<void(std::string, std::string)>& callback, |
| const mojo::String& device_code, |
| const uint32_t num_poll_attempts, |
| mojo::URLResponsePtr response) { |
| if (response.is_null()) { |
| LOG(WARNING) << "Something went horribly wrong...exiting!!"; |
| callback.Run("", "Empty response"); |
| return; |
| } |
| |
| if (response->error) { |
| LOG(ERROR) << "Got error (" << response->error->code |
| << "), reason: " << response->error->description.get().c_str(); |
| callback.Run("", response->error->description.get().c_str()); |
| return; |
| } |
| |
| std::string response_body; |
| mojo::common::BlockingCopyToString(response->body.Pass(), &response_body); |
| |
| callback.Run(response_body, ""); |
| } |
| |
| } // authentication namespace |
