ChromeOS: should send old user GAPS cookie to GAIA on user reauthentication.

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 <include src="saml_handler.js">
 
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
  * cr.login.GaiaAuthHost.Listener as defined in this file. After initialization,
  * call {@code load} to start the authentication flow.
  */
 
 cr.define('cr.login', function() {
   'use strict';
 
   // TODO(rogerta): should use gaia URL from GaiaUrls::gaia_url() instead
   // of hardcoding the prod URL here.  As is, this does not work with staging
   // environments.
   var IDP_ORIGIN = 'https://accounts.google.com/';
   var IDP_PATH = 'ServiceLogin?skipvpage=true&sarp=1&rm=hide';
   var CONTINUE_URL =
       'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html';
   var SIGN_IN_HEADER = 'google-accounts-signin';
   var EMBEDDED_FORM_HEADER = 'google-accounts-embedded';
   var LOCATION_HEADER = 'location';
+  var COOKIE_HEADER = 'cookie';
   var SET_COOKIE_HEADER = 'set-cookie';
   var OAUTH_CODE_COOKIE = 'oauth_code';
+  var GAPS_COOKIE = 'GAPS';
   var SERVICE_ID = 'chromeoslogin';
   var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos';
 
   /**
    * The source URL parameter for the constrained signin flow.
    */
   var CONSTRAINED_FLOW_SOURCE = 'chrome';
 
   /**
    * Enum for the authorization mode, must match AuthMode defined in
@@ skipping 40 matching lines @@
                      // not called before dispatching |authCopleted|.
                      // Default is |true|.
     'flow',          // One of 'default', 'enterprise', or 'theftprotection'.
     'enterpriseDomain',    // Domain in which hosting device is (or should be)
                            // enrolled.
     'emailDomain',         // Value used to prefill domain for email.
     'clientVersion',       // Version of the Chrome build.
     'platformVersion',     // Version of the OS build.
     'releaseChannel',      // Installation channel.
     'endpointGen',         // Current endpoint generation.
+    'gapsCookie',          // GAPS cookie
   ];
 
   /**
    * Initializes the authenticator component.
    * @param {webview|string} webview The webview element or its ID to host IdP
    *     web pages.
    * @constructor
    */
   function Authenticator(webview) {
     this.webview_ = typeof webview == 'string' ? $(webview) : webview;
     assert(this.webview_);
 
     this.email_ = null;
     this.password_ = null;
     this.gaiaId_ = null,
     this.sessionIndex_ = null;
     this.chooseWhatToSync_ = false;
     this.skipForNow_ = false;
     this.authFlow = AuthFlow.DEFAULT;
     this.authDomain = '';
     this.loaded_ = false;
     this.idpOrigin_ = null;
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
     this.oauth_code_ = null;
+    this.gaps_cookie_ = null;

[xiyuan, 2015/07/09 23:08:29]

nit: gaps_cookie_ -> gapsCookie_

JS variable name should be like variableName. The existing |oauth_code_| also
violates the rule and should be fixed.

See http://google-styleguide.googlecode.com/svn/trunk/javascriptguide.xml#Naming

[Alexander Alekseev, 2015/07/09 23:22:40]

Done.

+    this.gaps_cookie_sent_ = false;
+    this.new_gaps_cookie_ = null;
 
     this.useEafe_ = false;
     this.clientId_ = null;
 
     this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
     this.confirmPasswordCallback = null;
     this.noPasswordCallback = null;
     this.insecureContentBlockedCallback = null;
     this.samlApiUsedCallback = null;
     this.missingGaiaInfoCallback = null;
@@ skipping 36 matching lines @@
 
   /**
    * Reinitializes authentication parameters so that a failed login attempt
    * would not result in an infinite loop.
    */
   Authenticator.prototype.clearCredentials_ = function() {
     this.email_ = null;
     this.gaiaId_ = null;
     this.password_ = null;
     this.oauth_code_ = null;
+    this.gaps_cookie_ = null;
+    this.gaps_cookie_sent_ = false;
+    this.new_gaps_cookie_ = null;
     this.chooseWhatToSync_ = false;
     this.skipForNow_ = false;
     this.sessionIndex_ = null;
     this.trusted_ = true;
     this.authFlow = AuthFlow.DEFAULT;
     this.samlHandler_.reset();
   };
 
   /**
    * Loads the authenticator component with the given parameters.
@@ skipping 18 matching lines @@
     // Don't block insecure content for desktop flow because it lands on
     // http. Otherwise, block insecure content as long as gaia is https.
     this.samlHandler_.blockInsecureContent = authMode != AuthMode.DESKTOP &&
         this.idpOrigin_.indexOf('https://') == 0;
     this.needPassword = !('needPassword' in data) || data.needPassword;
 
     if (this.isNewGaiaFlowChromeOS) {
       this.webview_.contextMenus.onShow.addListener(function(e) {
         e.preventDefault();
       });
+
+      var filterPrefix = this.idpOrigin_ + EMBEDDED_SETUP_CHROMEOS_ENDPOINT;
+      if (!this.onBeforeSetHeadersSet_) {
+        this.onBeforeSetHeadersSet_ = true;
+        this.webview_.request.onBeforeSendHeaders.addListener(

[xiyuan, 2015/07/09 23:08:29]

Why this code lives here instead of with other request filters in ctor around
line 160?

[Alexander Alekseev, 2015/07/09 23:22:40]

Because it depends on load parameter (line 199):

this.idpOrigin_ = data.gaiaUrl || IDP_ORIGIN;

[xiyuan, 2015/07/09 23:30:05]

I see. Could you add a comment to document why this is here and also mention
that we assume |idpOrigin_| would not change?

[Alexander Alekseev, 2015/07/09 23:43:22]

Done.

+            this.onBeforeSendHeaders_.bind(this),
+            {urls: [filterPrefix + '?*', filterPrefix + '/*']},
+            ['requestHeaders', 'blocking']);
+      }
     }
 
     this.webview_.src = this.reloadUrl_;
   };
 
   /**
    * Reloads the authenticator component.
    */
   Authenticator.prototype.reload = function() {
     this.clearCredentials_();
@@ skipping 17 matching lines @@
       if (data.enterpriseDomain)
         url = appendParam(url, 'manageddomain', data.enterpriseDomain);
       if (data.clientVersion)
         url = appendParam(url, 'client_version', data.clientVersion);
       if (data.platformVersion)
         url = appendParam(url, 'platform_version', data.platformVersion);
       if (data.releaseChannel)
         url = appendParam(url, 'release_channel', data.releaseChannel);
       if (data.endpointGen)
         url = appendParam(url, 'endpoint_gen', data.endpointGen);
+      this.gaps_cookie_ = data.gapsCookie;
+      this.gaps_cookie_sent_ = false;
+      this.new_gaps_cookie_ = null;
     } else {
       url = appendParam(url, 'continue', this.continueUrl_);
       url = appendParam(url, 'service', data.service || SERVICE_ID);
     }
     if (data.hl)
       url = appendParam(url, 'hl', data.hl);
     if (data.gaiaId)
       url = appendParam(url, 'user_id', data.gaiaId);
     if (data.email)
       url = appendParam(url, 'Email', data.email);
@@ skipping 109 matching lines @@
         // URL will contain a source=3 field.
         var location = decodeURIComponent(header.value);
         this.chooseWhatToSync_ = !!location.match(/(\?|&)source=3($|&)/);
       } else if (
           this.isNewGaiaFlowChromeOS && headerName == SET_COOKIE_HEADER) {
         var headerValue = header.value;
         if (headerValue.indexOf(OAUTH_CODE_COOKIE + '=', 0) == 0) {
           this.oauth_code_ =
               headerValue.substring(OAUTH_CODE_COOKIE.length + 1).split(';')[0];
         }
+        if (headerValue.indexOf(GAPS_COOKIE + '=', 0) == 0) {
+          this.new_gaps_cookie_ =
+              headerValue.substring(GAPS_COOKIE.length + 1).split(';')[0];
+        }
       }
     }
   };
 
   /**
+   * This method replaces cookie value in cookie header.
+   * @param@ {header_value} Original string value of Cookie header.

[xiyuan, 2015/07/09 23:08:29]

Wrong JSDoc format here and below.

Should be something like:

@param {string} headerValue Original string value of Cookie header.

[Alexander Alekseev, 2015/07/09 23:22:40]

Done.

+   * @param@ {cookie_name} Name of cookie to be replaced.
+   * @param@ {cookie_value} New cookie value.
+   * @return {string} New Cookie header value.
+   * @private
+   */
+  Authenticator.prototype.updateCookieValue_ = function(
+      header_value, cookie_name, cookie_value) {
+    var cookies = header_value.split(/\s*;\s*/);
+    var found = false;
+    for (var i = 0; i < cookies.length; ++i) {
+      if (cookies[i].indexOf(cookie_name + '=', 0) == 0) {
+        found = true;
+        cookies[i] = cookie_name + '=' + cookie_value;
+        break;
+      }
+    }
+    if (!found) {
+      cookies.push(cookie_name + '=' + cookie_value);
+    }
+    return cookies.join('; ');
+  };
+
+  /**
+   * Handler for webView.request.onBeforeSendHeaders .
+   * @return {!Object} Modified request headers.
+   * @private
+   */
+  Authenticator.prototype.onBeforeSendHeaders_ = function(details) {
+    if (this.isNewGaiaFlowChromeOS && this.gaps_cookie_ &&
+        !this.gaps_cookie_sent_) {
+      var headers = details.requestHeaders;
+      var found = false;
+      var gapsCookie = this.gaps_cookie_;
+
+      for (var i = 0, l = headers.length; i < l; ++i) {
+        if (headers[i].name == COOKIE_HEADER) {
+          headers[i].value = this.updateCookieValue_(headers[i].value,
+                                                     GAPS_COOKIE, gapsCookie);
+          found = true;
+          break;
+        }
+      }
+      if (!found) {
+        details.requestHeaders.push(
+            {name: COOKIE_HEADER, value: GAPS_COOKIE + '=' + gapsCookie});
+      }
+      this.gaps_cookie_sent_ = true;
+    }
+    return {
+      requestHeaders: details.requestHeaders
+    };
+  };
+
+  /**
    * Returns true if given HTML5 message is received from the webview element.
    * @param {object} e Payload of the received HTML5 message.
    */
   Authenticator.prototype.isGaiaMessage = function(e) {
     if (!this.isWebviewEvent_(e))
       return false;
 
     // The event origin does not have a trailing slash.
     if (e.origin != this.idpOrigin_.substring(0, this.idpOrigin_.length - 1)) {
       return false;
@@ skipping 122 matching lines @@
     this.onAuthCompleted_();
   };
 
   /**
    * Invoked to process authentication completion.
    * @private
    */
   Authenticator.prototype.onAuthCompleted_ = function() {
     assert(this.skipForNow_ ||
            (this.email_ && this.gaiaId_ && this.sessionIndex_));
-    this.dispatchEvent(
-        new CustomEvent('authCompleted',
-                        // TODO(rsorokin): get rid of the stub values.
-                        {
-                          detail: {
-                            email: this.email_ || '',
-                            gaiaId: this.gaiaId_ || '',
-                            password: this.password_ || '',
-                            authCode: this.oauth_code_,
-                            usingSAML: this.authFlow == AuthFlow.SAML,
-                            chooseWhatToSync: this.chooseWhatToSync_,
-                            skipForNow: this.skipForNow_,
-                            sessionIndex: this.sessionIndex_ || '',
-                            trusted: this.trusted_
-                          }
-                        }));
+    this.dispatchEvent(new CustomEvent(
+        'authCompleted',
+        // TODO(rsorokin): get rid of the stub values.
+        {
+          detail: {
+            email: this.email_ || '',
+            gaiaId: this.gaiaId_ || '',
+            password: this.password_ || '',
+            authCode: this.oauth_code_,
+            usingSAML: this.authFlow == AuthFlow.SAML,
+            chooseWhatToSync: this.chooseWhatToSync_,
+            skipForNow: this.skipForNow_,
+            sessionIndex: this.sessionIndex_ || '',
+            trusted: this.trusted_,
+            gapsCookie: this.new_gaps_cookie_ || this.gaps_cookie_ || '',
+          }
+        }));
     this.clearCredentials_();
   };
 
   /**
    * Invoked when |samlHandler_| fires 'insecureContentBlocked' event.
    * @private
    */
   Authenticator.prototype.onInsecureContentBlocked_ = function(e) {
     if (this.insecureContentBlockedCallback) {
       this.insecureContentBlockedCallback(e.detail.url);
@@ skipping 131 matching lines @@
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator,
     Authenticator: Authenticator
   };
 });