cros: Port SAML support to webview sign-in.

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+<include src="saml_handler.js">
+
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
  * cr.login.GaiaAuthHost.Listener as defined in this file. After initialization,
  * call {@code load} to start the authentication flow.
  */
+
 cr.define('cr.login', function() {
   'use strict';
 
   // TODO(rogerta): should use gaia URL from GaiaUrls::gaia_url() instead
   // of hardcoding the prod URL here.  As is, this does not work with staging
   // environments.
   var IDP_ORIGIN = 'https://accounts.google.com/';
   var IDP_PATH = 'ServiceLogin?skipvpage=true&sarp=1&rm=hide';
   var CONTINUE_URL =
       'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html';
@@ skipping 66 matching lines @@
     this.authFlow_ = AuthFlow.DEFAULT;
     this.loaded_ = false;
     this.idpOrigin_ = null;
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
     this.oauth_code_ = null;
 
+    this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
+    this.confirmPasswordCallback = null;
+    this.noPasswordCallback = null;
+    this.insecureContentBlockedCallback = null;
+    this.samlApiUsedCallback = null;
+    this.needPassword = true;
+    this.samlHandler_.addEventListener(
+        'insecureContentBlocked',
+        this.onInsecureContentBlocked_.bind(this));
+
     this.webview_.addEventListener('droplink', this.onDropLink_.bind(this));
     this.webview_.addEventListener(
         'newwindow', this.onNewWindow_.bind(this));
     this.webview_.addEventListener(
         'contentload', this.onContentLoad_.bind(this));
     this.webview_.addEventListener(
         'loadstop', this.onLoadStop_.bind(this));
     this.webview_.addEventListener(
         'loadcommit', this.onLoadCommit_.bind(this));
     this.webview_.request.onCompleted.addListener(
         this.onRequestCompleted_.bind(this),
         {urls: ['<all_urls>'], types: ['main_frame']},
         ['responseHeaders']);
     this.webview_.request.onHeadersReceived.addListener(
         this.onHeadersReceived_.bind(this),
         {urls: ['<all_urls>'], types: ['main_frame', 'xmlhttprequest']},
         ['responseHeaders']);
     window.addEventListener(
         'message', this.onMessageFromWebview_.bind(this), false);
     window.addEventListener(
         'focus', this.onFocus_.bind(this), false);
     window.addEventListener(
         'popstate', this.onPopState_.bind(this), false);
   }
 
-  // TODO(guohui,xiyuan): no need to inherit EventTarget once we deprecate the
-  // old event-based signin flow.
   Authenticator.prototype = Object.create(cr.EventTarget.prototype);
 
   /**
    * Loads the authenticator component with the given parameters.
    * @param {AuthMode} authMode Authorization mode.
    * @param {Object} data Parameters for the authorization flow.
    */
   Authenticator.prototype.load = function(authMode, data) {
     this.idpOrigin_ = data.gaiaUrl || IDP_ORIGIN;
     this.continueUrl_ = data.continueUrl || CONTINUE_URL;
     this.continueUrlWithoutParams_ =
         this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) ||
         this.continueUrl_;
     this.isConstrainedWindow_ = data.constrained == '1';
     this.isMinuteMaidChromeOS = data.isMinuteMaidChromeOS;
 
     this.initialFrameUrl_ = this.constructInitialFrameUrl_(data);
     this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_;
     this.authFlow_ = AuthFlow.DEFAULT;
+    this.samlHandler_.reset();
+    // Don't block insecure content for desktop flow because it lands on
+    // http. Otherwise, block insecure content as long as gaia is https.
+    this.samlHandler_.blockInsecureContent = authMode != AuthMode.DESKTOP &&
+        this.idpOrigin_.indexOf('https://') == 0;
 
     this.webview_.src = this.reloadUrl_;
 
     this.loaded_ = false;
   };
 
   /**
    * Reloads the authenticator component.
    */
   Authenticator.prototype.reload = function() {
     this.webview_.src = this.reloadUrl_;
     this.authFlow_ = AuthFlow.DEFAULT;
+    this.samlHandler_.reset();
     this.loaded_ = false;
   };
 
   Authenticator.prototype.constructInitialFrameUrl_ = function(data) {
     var url = this.idpOrigin_ + (data.gaiaPath || IDP_PATH);
 
     if (this.isMinuteMaidChromeOS) {
       if (data.chromeType)
         url = appendParam(url, 'chrometype', data.chromeType);
       if (data.clientId)
@@ skipping 17 matching lines @@
    * Invoked when a main frame request in the webview has completed.
    * @private
    */
   Authenticator.prototype.onRequestCompleted_ = function(details) {
     var currentUrl = details.url;
 
     if (currentUrl.lastIndexOf(this.continueUrlWithoutParams_, 0) == 0) {
       if (currentUrl.indexOf('ntp=1') >= 0)
         this.skipForNow_ = true;
 
-      this.onAuthCompleted_();
+      this.maybeCompleteAuth_();
       return;
     }
 
     if (currentUrl.indexOf('https') != 0)
       this.trusted_ = false;
 
     if (this.isConstrainedWindow_) {
       var isEmbeddedPage = false;
       if (this.idpOrigin_ && currentUrl.lastIndexOf(this.idpOrigin_) == 0) {
         var headers = details.responseHeaders;
         for (var i = 0; headers && i < headers.length; ++i) {
           if (headers[i].name.toLowerCase() == EMBEDDED_FORM_HEADER) {
             isEmbeddedPage = true;
             break;
           }
         }
       }
       if (!isEmbeddedPage) {
         this.dispatchEvent(new CustomEvent('resize', {detail: currentUrl}));
         return;
       }
     }
 
     this.updateHistoryState_(currentUrl);
-
   };
 
   /**
     * Manually updates the history. Invoked upon completion of a webview
     * navigation.
     * @param {string} url Request URL.
     * @private
     */
   Authenticator.prototype.updateHistoryState_ = function(url) {
     if (history.state && history.state.url != url)
@@ skipping 70 matching lines @@
    * Invoked when an HTML5 message is received from the webview element.
    * @param {object} e Payload of the received HTML5 message.
    * @private
    */
   Authenticator.prototype.onMessageFromWebview_ = function(e) {
     // The event origin does not have a trailing slash.
     if (e.origin != this.idpOrigin_.substring(0, this.idpOrigin_.length - 1)) {
       return;
     }
 
+    // Gaia messages must be an object with 'method' property.
+    if (typeof e.data != 'object' || !e.data.hasOwnProperty('method')) {
+      return;
+    }
+
     var msg = e.data;
     if (msg.method == 'attemptLogin') {
       this.email_ = msg.email;
       this.password_ = msg.password;
       this.chooseWhatToSync_ = msg.chooseWhatToSync;
     }
   };
 
   /**
+   * Invoked by the hosting page to verify the Saml password.
+   */
+  Authenticator.prototype.verifyConfirmedPassword = function(password) {
+    if (!this.samlHandler_.verifyConfirmedPassword(password)) {
+      // Invoke confirm password callback asynchronously because the
+      // verification was based on messages and caller (GaiaSigninScreen)
+      // does not expect it to be called immediately.
+      // TODO(xiyuan): Change to synchronous call when iframe based code
+      // is removed.
+      var invokeConfirmPassword = (function() {
+        this.confirmPasswordCallback(this.samlHandler_.scrapedPasswordCount);
+      }).bind(this);
+      window.setTimeout(invokeConfirmPassword, 0);
+      return;
+    }
+
+    this.password_ = password;
+    this.onAuthCompleted_();
+  };
+
+  /**
+   * Check Saml flow and start password confirmation flow if needed. Otherwise,
+   * continue with auto completion.
+   * @private
+   */
+  Authenticator.prototype.maybeCompleteAuth_ = function() {
+    if (this.authFlow_ != AuthFlow.SAML) {
+      this.onAuthCompleted_();
+      return;
+    }
+
+    if (this.samlHandler_.samlApiUsed) {
+      if (this.samlApiUsedCallback) {
+        this.samlApiUsedCallback();
+      }
+      this.password_ = this.samlHandler_.apiPasswordBytes;
+    } else if (this.samlHandler_.scrapedPasswordCount == 0) {
+      if (this.noPasswordCallback) {
+        this.noPasswordCallback(this.email_);
+      } else {
+        console.error('Authenticator: No password scraped for SAML.');
+        return;
+      }
+    } else if (this.needPassword) {
+      if (this.confirmPasswordCallback) {
+        // Confirm scraped password. The flow follows in
+        // verifyConfirmedPassword.
+        this.confirmPasswordCallback(this.samlHandler_.scrapedPasswordCount);
+        return;
+      }
+    }
+
+    this.onAuthCompleted_();
+  };
+
+  /**
    * Invoked to process authentication completion.
    * @private
    */
   Authenticator.prototype.onAuthCompleted_ = function() {
     if (!this.email_ && !this.skipForNow_) {
       this.webview_.src = this.initialFrameUrl_;
       return;
     }
 
     this.dispatchEvent(
         new CustomEvent('authCompleted',
           // TODO(rsorokin): get rid of the stub values.
                         {detail: {email: this.email_ || '',
                                   gaiaId: this.gaiaId_ || '',
                                   password: this.password_ || '',
                                   authCode: this.oauth_code_,
                                   usingSAML: this.authFlow_ == AuthFlow.SAML,
                                   chooseWhatToSync: this.chooseWhatToSync_,
                                   skipForNow: this.skipForNow_,
                                   sessionIndex: this.sessionIndex_ || '',
                                   trusted: this.trusted_}}));
   };
 
   /**
+   * Invoked when |samlHandler_| fires 'insecureContentBlocked' event.
+   * @private
+   */
+  Authenticator.prototype.onInsecureContentBlocked_ = function(e) {
+    if (this.insecureContentBlockedCallback) {
+      this.insecureContentBlockedCallback(e.details.url);
+    } else {
+      console.error('Authenticator: Insecure content blocked.');
+    }
+  };
+
+  /**
    * Invoked when a link is dropped on the webview.
    * @private
    */
   Authenticator.prototype.onDropLink_ = function(e) {
     this.dispatchEvent(new CustomEvent('dropLink', {detail: e.url}));
   };
 
   /**
    * Invoked when the webview attempts to open a new window.
    * @private
@@ skipping 28 matching lines @@
       // Focus webview after dispatching event when webview is already visible.
       this.webview_.focus();
     }
   };
 
   /**
    * Invoked when the webview navigates withing the current document.
    * @private
    */
   Authenticator.prototype.onLoadCommit_ = function(e) {
     // TODO(rsorokin): Investigate whether this breaks SAML.

[Dmitry Polukhin, 2015/03/13 11:56:19]

nit, it seems this todo can be removed now.

[xiyuan, 2015/03/17 22:00:15]

Done.

     if (this.oauth_code_) {
       this.skipForNow_ = true;
-      this.onAuthCompleted_();
+      this.maybeCompleteAuth_();
     }
   };
 
   Authenticator.AuthFlow = AuthFlow;
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator
   };
 });