Improved GAIA cookie retrieval logic in ChromeOS login

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "ash/ash_switches.h"
@@ skipping 170 matching lines @@
     : public LoginUtils,
       public OAuth1TokenFetcher::Delegate,
       public OAuthLoginVerifier::Delegate,
       public net::NetworkChangeNotifier::ConnectionTypeObserver,
       public content::NotificationObserver,
       public base::SupportsWeakPtr<LoginUtilsImpl> {
  public:
   LoginUtilsImpl()
       : pending_requests_(false),
         using_oauth_(false),
-        has_cookies_(false),
+        has_web_auth_cookies_(false),
         delegate_(NULL),
         job_restart_request_(NULL),
         should_restore_auth_session_(false),
         url_request_context_getter_(NULL) {
     net::NetworkChangeNotifier::AddConnectionTypeObserver(this);
     // During tests, the browser_process may not be initialized yet causing
     // this to fail.
     if (g_browser_process) {
       registrar_.Add(
           this,
@@ skipping 89 matching lines @@
                         const std::string& secret);
 
   // Fetch enterprise policy OAuth2 given OAuth1 access |token| and |secret|.
   void FetchPolicyToken(Profile* offrecord_profile,
                         const std::string& token,
                         const std::string& secret);
 
   // Check user's profile for kApplicationLocale setting.
   void RespectLocalePreference(Profile* pref);
 
+  // Initializes basic preferences for newly created profile.
+  void InitProfilePreferences(Profile* user_profile);
+
   // Callback for asynchronous profile creation.
   void OnProfileCreated(Profile* profile,
                         Profile::CreateStatus status);
 
+  // Finalized profile preparation.
+  void FinalizePrepareProfile(Profile* user_profile);
+
+  // Restores GAIA auth cookies for the created profile.
+  void RestoreAuthCookies(Profile* user_profile);
+
+  // Kicks off OAuth verification and profile preparation after the initial
+  // cookie jar transfer.
+  void OnCookieJarTransferCompleted(Profile* user_profile);
+
   // Initializes RLZ. If |disabled| is true, financial pings are turned off.
   void InitRlz(Profile* user_profile, bool disabled);
 
   std::string password_;
   bool pending_requests_;
   bool using_oauth_;
-  bool has_cookies_;
+  // True if the authenrication profile's cookie jar should contain
+  // authentication cookies from the authentication extension log in flow.
+  bool has_web_auth_cookies_;
   // Has to be scoped_refptr, see comment for CreateAuthenticator(...).
   scoped_refptr<Authenticator> authenticator_;
   scoped_ptr<PolicyOAuthFetcher> policy_oauth_fetcher_;
   scoped_ptr<OAuth1TokenFetcher> oauth1_token_fetcher_;
   scoped_ptr<OAuthLoginVerifier> oauth_login_verifier_;
 
   // Delegate to be fired when the profile will be prepared.
   LoginUtils::Delegate* delegate_;
 
   // Used to restart Chrome to switch to the guest mode.
@@ skipping 99 matching lines @@
     logging::RedirectChromeLogging(*(CommandLine::ForCurrentProcess()));
 
   // Update user's displayed email.
   if (!display_email.empty())
     user_manager->SaveUserDisplayEmail(username, display_email);
 
   password_ = password;
 
   pending_requests_ = pending_requests;
   using_oauth_ = using_oauth;
-  has_cookies_ = has_cookies;
+  has_web_auth_cookies_ = has_cookies;
   delegate_ = delegate;
 
   policy::BrowserPolicyConnector* connector =
       g_browser_process->browser_policy_connector();
 
   // If this is an enterprise device and the user belongs to the enterprise
   // domain, then wait for a policy fetch before logging the user in. This
   // will delay Profile creation until the policy is fetched, so that features
   // controlled by policy (e.g. Sync, Startup tabs) only start after the
   // PrefService has the right values.
@@ skipping 31 matching lines @@
         new PolicyOAuthFetcher(authenticator_->authentication_profile()));
     policy_oauth_fetcher_->Start();
   }
 }
 
 void LoginUtilsImpl::DelegateDeleted(LoginUtils::Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
+void LoginUtilsImpl::InitProfilePreferences(Profile* user_profile) {
+  if (UserManager::Get()->IsCurrentUserNew())
+    SetFirstLoginPrefs(user_profile->GetPrefs());
+  // Make sure that the google service username is properly set (we do this
+  // on every sign in, not just the first login, to deal with existing
+  // profiles that might not have it set yet).
+  StringPrefMember google_services_username;
+  google_services_username.Init(prefs::kGoogleServicesUsername,
+                                user_profile->GetPrefs());
+  google_services_username.SetValue(
+      UserManager::Get()->GetLoggedInUser()->display_email());
+  // Make sure we flip every profile to not share proxies if the user hasn't
+  // specified so explicitly.
+  const PrefService::Preference* use_shared_proxies_pref =
+      user_profile->GetPrefs()->FindPreference(prefs::kUseSharedProxies);
+  if (use_shared_proxies_pref->IsDefaultValue())
+    user_profile->GetPrefs()->SetBoolean(prefs::kUseSharedProxies, false);
+  policy::NetworkConfigurationUpdater* network_configuration_updater =
+      g_browser_process->browser_policy_connector()->
+      GetNetworkConfigurationUpdater();
+  if (network_configuration_updater)
+    network_configuration_updater->OnUserPolicyInitialized();
+  RespectLocalePreference(user_profile);
+}
+
 void LoginUtilsImpl::OnProfileCreated(
     Profile* user_profile,
     Profile::CreateStatus status) {
   CHECK(user_profile);
   switch (status) {
     case Profile::CREATE_STATUS_INITIALIZED:
       break;
     case Profile::CREATE_STATUS_CREATED: {
-      if (UserManager::Get()->IsCurrentUserNew())
-        SetFirstLoginPrefs(user_profile->GetPrefs());
-      // Make sure that the google service username is properly set (we do this
-      // on every sign in, not just the first login, to deal with existing
-      // profiles that might not have it set yet).
-      StringPrefMember google_services_username;
-      google_services_username.Init(prefs::kGoogleServicesUsername,
-                                    user_profile->GetPrefs());
-      google_services_username.SetValue(
-          UserManager::Get()->GetLoggedInUser()->display_email());
-      // Make sure we flip every profile to not share proxies if the user hasn't
-      // specified so explicitly.
-      const PrefService::Preference* use_shared_proxies_pref =
-          user_profile->GetPrefs()->FindPreference(prefs::kUseSharedProxies);
-      if (use_shared_proxies_pref->IsDefaultValue())
-        user_profile->GetPrefs()->SetBoolean(prefs::kUseSharedProxies, false);
-      policy::NetworkConfigurationUpdater* network_configuration_updater =
-          g_browser_process->browser_policy_connector()->
-          GetNetworkConfigurationUpdater();
-      if (network_configuration_updater)
-        network_configuration_updater->OnUserPolicyInitialized();
-      RespectLocalePreference(user_profile);
+      InitProfilePreferences(user_profile);
       return;
     }
     case Profile::CREATE_STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
     // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
     // used to fetch policies before Profile creation.
     if (policy_oauth_fetcher_.get() &&
         !policy_oauth_fetcher_->oauth1_token().empty()) {
       VLOG(1) << "Resuming profile creation after fetching policy token";
       StoreOAuth1AccessToken(user_profile,
                              policy_oauth_fetcher_->oauth1_token(),
                              policy_oauth_fetcher_->oauth1_secret());
     }
 
-    // Transfer proxy authentication cache and optionally cookies and server
+    // Transfer proxy authentication cache, cookies (optionally) and server
     // bound certs from the profile that was used for authentication.  This
     // profile contains cookies that auth extension should have already put in
     // place that will ensure that the newly created session is authenticated
     // for the websites that work with the used authentication schema.
     ProfileAuthData::Transfer(authenticator_->authentication_profile(),
                               user_profile,
-                              has_cookies_);   // transfer_cookies
-
-    std::string oauth1_token;
-    std::string oauth1_secret;
-    if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret) ||
-        !has_cookies_) {
-      // Verify OAuth access token when we find it in the profile and always if
-      // if we don't have cookies.
-      // TODO(xiyuan): Change back to use authenticator to verify token when
-      // we support Gaia in lock screen.
-      VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
-    } else {
-      // If we don't have it, fetch OAuth1 access token.
-      // Once we get that, we will kick off individual requests for OAuth2
-      // tokens for all our services.
-      // Use off-the-record profile that was used for this step. It should
-      // already contain all needed cookies that will let us skip GAIA's user
-      // authentication UI.
-      //
-      // TODO(rickcam) We should use an isolated App here.
-      oauth1_token_fetcher_.reset(
-          new OAuth1TokenFetcher(this,
-                                 authenticator_->authentication_profile()));
-      oauth1_token_fetcher_->Start();
-    }
+                              has_web_auth_cookies_,  // transfer_cookies
+                              base::Bind(
+                                  &LoginUtilsImpl::OnCookieJarTransferCompleted,
+                                  AsWeakPtr(),
+                                  user_profile));
+    return;
   }
 
+  FinalizePrepareProfile(user_profile);
+}
+
+void LoginUtilsImpl::RestoreAuthCookies(Profile* user_profile) {
+  std::string oauth1_token;
+  std::string oauth1_secret;
+  if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret) ||
+      !has_web_auth_cookies_) {
+    // Verify OAuth access token when we find it in the profile and always if
+    // if we don't have cookies.
+    // TODO(xiyuan): Change back to use authenticator to verify token when
+    // we support Gaia in lock screen.
+    VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
+  } else {
+    // If we don't have it, fetch OAuth1 access token.
+    // Once we get that, we will kick off individual requests for OAuth2
+    // tokens for all our services.
+    // Use off-the-record profile that was used for this step. It should
+    // already contain all needed cookies that will let us skip GAIA's user
+    // authentication UI.
+    //
+    // TODO(rickcam) We should use an isolated App here.
+    oauth1_token_fetcher_.reset(
+        new OAuth1TokenFetcher(this,
+                               authenticator_->authentication_profile()));
+    oauth1_token_fetcher_->Start();
+  }
+}
+
+void LoginUtilsImpl::OnCookieJarTransferCompleted(Profile* user_profile) {
+  RestoreAuthCookies(user_profile);
+  FinalizePrepareProfile(user_profile);
+}
+
+void LoginUtilsImpl::FinalizePrepareProfile(Profile* user_profile) {
+  BootTimesLoader* btl = BootTimesLoader::Get();
   // Own TPM device if, for any reason, it has not been done in EULA
   // wizard screen.
   CryptohomeLibrary* cryptohome = CrosLibrary::Get()->GetCryptohomeLibrary();
   btl->AddLoginTimeMarker("TPMOwn-Start", false);
   if (cryptohome->TpmIsEnabled() && !cryptohome->TpmIsBeingOwned()) {
     if (cryptohome->TpmIsOwned()) {
       cryptohome->TpmClearStoredPassword();
     } else {
       cryptohome->TpmCanAttemptOwnership();
     }
@@ skipping 549 matching lines @@
 void LoginUtilsImpl::OnOAuthVerificationFailed(const std::string& user_name) {
   UserManager::Get()->SaveUserOAuthStatus(user_name,
                                           User::OAUTH_TOKEN_STATUS_INVALID);
 }
 
 void LoginUtilsImpl::OnOAuth1AccessTokenAvailable(const std::string& token,
                                                   const std::string& secret) {
   Profile* user_profile = ProfileManager::GetDefaultProfile();
   StoreOAuth1AccessToken(user_profile, token, secret);
 
-  // Verify OAuth1 token by doing OAuthLogin and fetching credentials.
+  // Verify OAuth1 token by doing OAuthLogin and fetching credentials. If we
+  // have just transfered auth cookies out of authenticated cookie jar, there
+  // is no need to try to mint them from OAuth token again.
   VerifyOAuth1AccessToken(user_profile, token, secret);
 }
 
 void LoginUtilsImpl::OnOAuth1AccessTokenFetchFailed() {
   // TODO(kochi): Show failure notification UI here?
   LOG(ERROR) << "Failed to fetch OAuth1 access token.";
   g_browser_process->browser_policy_connector()->RegisterForUserPolicy(
       EmptyString());
 }
 
@@ skipping 56 matching lines @@
 bool LoginUtils::IsWhitelisted(const std::string& username) {
   CrosSettings* cros_settings = CrosSettings::Get();
   bool allow_new_user = false;
   cros_settings->GetBoolean(kAccountsPrefAllowNewUser, &allow_new_user);
   if (allow_new_user)
     return true;
   return cros_settings->FindEmailInList(kAccountsPrefUsers, username);
 }
 
 }  // namespace chromeos