ChromeOS: should send old user GAPS cookie to GAIA on user reauthentication.

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 <include src="saml_handler.js">
 
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
  * cr.login.GaiaAuthHost.Listener as defined in this file. After initialization,
  * call {@code load} to start the authentication flow.
  */
 
 cr.define('cr.login', function() {
   'use strict';
 
   // TODO(rogerta): should use gaia URL from GaiaUrls::gaia_url() instead
   // of hardcoding the prod URL here.  As is, this does not work with staging
   // environments.
   var IDP_ORIGIN = 'https://accounts.google.com/';
   var IDP_PATH = 'ServiceLogin?skipvpage=true&sarp=1&rm=hide';
   var CONTINUE_URL =
       'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html';
   var SIGN_IN_HEADER = 'google-accounts-signin';
   var EMBEDDED_FORM_HEADER = 'google-accounts-embedded';
   var LOCATION_HEADER = 'location';
+  var COOKIE_HEADER = 'cookie';
   var SET_COOKIE_HEADER = 'set-cookie';
   var OAUTH_CODE_COOKIE = 'oauth_code';
+  var GAPS_COOKIE = 'GAPS';
   var SERVICE_ID = 'chromeoslogin';
   var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos';
 
   /**
    * The source URL parameter for the constrained signin flow.
    */
   var CONSTRAINED_FLOW_SOURCE = 'chrome';
 
   /**
    * Enum for the authorization mode, must match AuthMode defined in
@@ skipping 40 matching lines @@
                      // not called before dispatching |authCopleted|.
                      // Default is |true|.
     'flow',          // One of 'default', 'enterprise', or 'theftprotection'.
     'enterpriseDomain',    // Domain in which hosting device is (or should be)
                            // enrolled.
     'emailDomain',         // Value used to prefill domain for email.
     'clientVersion',       // Version of the Chrome build.
     'platformVersion',     // Version of the OS build.
     'releaseChannel',      // Installation channel.
     'endpointGen',         // Current endpoint generation.
+    'gapsCookie',          // GAPS cookie
   ];
 
   /**
    * Initializes the authenticator component.
    * @param {webview|string} webview The webview element or its ID to host IdP
    *     web pages.
    * @constructor
    */
   function Authenticator(webview) {
     this.webview_ = typeof webview == 'string' ? $(webview) : webview;
     assert(this.webview_);
 
     this.email_ = null;
     this.password_ = null;
     this.gaiaId_ = null,
     this.sessionIndex_ = null;
     this.chooseWhatToSync_ = false;
     this.skipForNow_ = false;
     this.authFlow = AuthFlow.DEFAULT;
     this.authDomain = '';
     this.loaded_ = false;
     this.idpOrigin_ = null;
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
-    this.oauth_code_ = null;
+    this.oauthCode_ = null;
+    this.gapsCookie_ = null;
+    this.gapsCookieSent_ = false;
+    this.newGapsCookie_ = null;
 
     this.useEafe_ = false;
     this.clientId_ = null;
 
     this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
     this.confirmPasswordCallback = null;
     this.noPasswordCallback = null;
     this.insecureContentBlockedCallback = null;
     this.samlApiUsedCallback = null;
     this.missingGaiaInfoCallback = null;
@@ skipping 35 matching lines @@
   Authenticator.prototype = Object.create(cr.EventTarget.prototype);
 
   /**
    * Reinitializes authentication parameters so that a failed login attempt
    * would not result in an infinite loop.
    */
   Authenticator.prototype.clearCredentials_ = function() {
     this.email_ = null;
     this.gaiaId_ = null;
     this.password_ = null;
-    this.oauth_code_ = null;
+    this.oauthCode_ = null;
+    this.gapsCookie_ = null;
+    this.gapsCookieSent_ = false;
+    this.newGapsCookie_ = null;
     this.chooseWhatToSync_ = false;
     this.skipForNow_ = false;
     this.sessionIndex_ = null;
     this.trusted_ = true;
     this.authFlow = AuthFlow.DEFAULT;
     this.samlHandler_.reset();
   };
 
   /**
    * Loads the authenticator component with the given parameters.
    * @param {AuthMode} authMode Authorization mode.
    * @param {Object} data Parameters for the authorization flow.
    */
   Authenticator.prototype.load = function(authMode, data) {
     this.clearCredentials_();
     this.loaded_ = false;
+    // gaiaUrl parameter is used for testing. Once defined, it is never changed.
     this.idpOrigin_ = data.gaiaUrl || IDP_ORIGIN;
     this.continueUrl_ = data.continueUrl || CONTINUE_URL;
     this.continueUrlWithoutParams_ =
         this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) ||
         this.continueUrl_;
     this.isConstrainedWindow_ = data.constrained == '1';
     this.isNewGaiaFlowChromeOS = data.isNewGaiaFlowChromeOS;
     this.useEafe_ = data.useEafe || false;
     this.clientId_ = data.clientId;
 
     this.initialFrameUrl_ = this.constructInitialFrameUrl_(data);
     this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_;
     // Don't block insecure content for desktop flow because it lands on
     // http. Otherwise, block insecure content as long as gaia is https.
     this.samlHandler_.blockInsecureContent = authMode != AuthMode.DESKTOP &&
         this.idpOrigin_.indexOf('https://') == 0;
     this.needPassword = !('needPassword' in data) || data.needPassword;
 
     if (this.isNewGaiaFlowChromeOS) {
       this.webview_.contextMenus.onShow.addListener(function(e) {
         e.preventDefault();
       });
+
+      var filterPrefix = this.idpOrigin_ + EMBEDDED_SETUP_CHROMEOS_ENDPOINT;

[dzhioev (left Google), 2015/07/10 21:26:31]

nit: Move this line to if-block below.

[Alexander Alekseev, 2015/07/10 23:05:34]

Done.

+      if (!this.onBeforeSetHeadersSet_) {
+        this.onBeforeSetHeadersSet_ = true;
+        // This depends on gaiaUrl parameter, that is why it is here.
+        this.webview_.request.onBeforeSendHeaders.addListener(
+            this.onBeforeSendHeaders_.bind(this),
+            {urls: [filterPrefix + '?*', filterPrefix + '/*']},
+            ['requestHeaders', 'blocking']);
+      }
     }
 
     this.webview_.src = this.reloadUrl_;
   };
 
   /**
    * Reloads the authenticator component.
    */
   Authenticator.prototype.reload = function() {
     this.clearCredentials_();
@@ skipping 17 matching lines @@
       if (data.enterpriseDomain)
         url = appendParam(url, 'manageddomain', data.enterpriseDomain);
       if (data.clientVersion)
         url = appendParam(url, 'client_version', data.clientVersion);
       if (data.platformVersion)
         url = appendParam(url, 'platform_version', data.platformVersion);
       if (data.releaseChannel)
         url = appendParam(url, 'release_channel', data.releaseChannel);
       if (data.endpointGen)
         url = appendParam(url, 'endpoint_gen', data.endpointGen);
+      this.gapsCookie_ = data.gapsCookie;
+      this.gapsCookieSent_ = false;
+      this.newGapsCookie_ = null;

[dzhioev (left Google), 2015/07/10 21:26:31]

nit: why these lines was added here? They have nothing to do with URL, so they
should be moved to Authenticator.prototype.load().

[Alexander Alekseev, 2015/07/10 23:05:34]

Done.

     } else {
       url = appendParam(url, 'continue', this.continueUrl_);
       url = appendParam(url, 'service', data.service || SERVICE_ID);
     }
     if (data.hl)
       url = appendParam(url, 'hl', data.hl);
     if (data.gaiaId)
       url = appendParam(url, 'user_id', data.gaiaId);
     if (data.email)
       url = appendParam(url, 'Email', data.email);
@@ skipping 106 matching lines @@
         this.sessionIndex_ = signinDetails['sessionindex'];
       } else if (headerName == LOCATION_HEADER) {
         // If the "choose what to sync" checkbox was clicked, then the continue
         // URL will contain a source=3 field.
         var location = decodeURIComponent(header.value);
         this.chooseWhatToSync_ = !!location.match(/(\?|&)source=3($|&)/);
       } else if (
           this.isNewGaiaFlowChromeOS && headerName == SET_COOKIE_HEADER) {
         var headerValue = header.value;
         if (headerValue.indexOf(OAUTH_CODE_COOKIE + '=', 0) == 0) {
-          this.oauth_code_ =
+          this.oauthCode_ =
               headerValue.substring(OAUTH_CODE_COOKIE.length + 1).split(';')[0];
         }
+        if (headerValue.indexOf(GAPS_COOKIE + '=', 0) == 0) {
+          this.newGapsCookie_ =
+              headerValue.substring(GAPS_COOKIE.length + 1).split(';')[0];
+        }
       }
     }
   };
 
   /**
+   * This method replaces cookie value in cookie header.
+   * @param@ {string} header_value Original string value of Cookie header.
+   * @param@ {string} cookie_name Name of cookie to be replaced.
+   * @param@ {string} cookie_value New cookie value.
+   * @return {string} New Cookie header value.
+   * @private
+   */
+  Authenticator.prototype.updateCookieValue_ = function(
+      header_value, cookie_name, cookie_value) {
+    var cookies = header_value.split(/\s*;\s*/);
+    var found = false;
+    for (var i = 0; i < cookies.length; ++i) {
+      if (cookies[i].indexOf(cookie_name + '=', 0) == 0) {
+        found = true;
+        cookies[i] = cookie_name + '=' + cookie_value;
+        break;
+      }
+    }
+    if (!found) {
+      cookies.push(cookie_name + '=' + cookie_value);
+    }
+    return cookies.join('; ');
+  };
+
+  /**
+   * Handler for webView.request.onBeforeSendHeaders .
+   * @return {!Object} Modified request headers.
+   * @private
+   */
+  Authenticator.prototype.onBeforeSendHeaders_ = function(details) {
+    if (this.isNewGaiaFlowChromeOS && this.gapsCookie_ &&
+        !this.gapsCookieSent_) {
+      var headers = details.requestHeaders;
+      var found = false;
+      var gapsCookie = this.gapsCookie_;
+
+      for (var i = 0, l = headers.length; i < l; ++i) {
+        if (headers[i].name == COOKIE_HEADER) {
+          headers[i].value = this.updateCookieValue_(headers[i].value,
+                                                     GAPS_COOKIE, gapsCookie);
+          found = true;
+          break;
+        }
+      }
+      if (!found) {
+        details.requestHeaders.push(
+            {name: COOKIE_HEADER, value: GAPS_COOKIE + '=' + gapsCookie});
+      }
+      this.gapsCookieSent_ = true;
+    }
+    return {
+      requestHeaders: details.requestHeaders
+    };
+  };
+
+  /**
    * Returns true if given HTML5 message is received from the webview element.
    * @param {object} e Payload of the received HTML5 message.
    */
   Authenticator.prototype.isGaiaMessage = function(e) {
     if (!this.isWebviewEvent_(e))
       return false;
 
     // The event origin does not have a trailing slash.
     if (e.origin != this.idpOrigin_.substring(0, this.idpOrigin_.length - 1)) {
       return false;
     }
 
     // EAFE passes back auth code via message.
     if (this.useEafe_ &&
         typeof e.data == 'object' &&
         e.data.hasOwnProperty('authorizationCode')) {
-      assert(!this.oauth_code_);
-      this.oauth_code_ = e.data.authorizationCode;
+      assert(!this.oauthCode_);
+      this.oauthCode_ = e.data.authorizationCode;
       this.dispatchEvent(
           new CustomEvent('authCompleted',
                           {
                             detail: {
                               authCodeOnly: true,
-                              authCode: this.oauth_code_
+                              authCode: this.oauthCode_
                             }
                           }));
       return;
     }
 
     // Gaia messages must be an object with 'method' property.
     if (typeof e.data != 'object' || !e.data.hasOwnProperty('method')) {
       return false;
     }
     return true;
@@ skipping 98 matching lines @@
     this.onAuthCompleted_();
   };
 
   /**
    * Invoked to process authentication completion.
    * @private
    */
   Authenticator.prototype.onAuthCompleted_ = function() {
     assert(this.skipForNow_ ||
            (this.email_ && this.gaiaId_ && this.sessionIndex_));
-    this.dispatchEvent(
-        new CustomEvent('authCompleted',
-                        // TODO(rsorokin): get rid of the stub values.
-                        {
-                          detail: {
-                            email: this.email_ || '',
-                            gaiaId: this.gaiaId_ || '',
-                            password: this.password_ || '',
-                            authCode: this.oauth_code_,
-                            usingSAML: this.authFlow == AuthFlow.SAML,
-                            chooseWhatToSync: this.chooseWhatToSync_,
-                            skipForNow: this.skipForNow_,
-                            sessionIndex: this.sessionIndex_ || '',
-                            trusted: this.trusted_
-                          }
-                        }));
+    this.dispatchEvent(new CustomEvent(
+        'authCompleted',
+        // TODO(rsorokin): get rid of the stub values.
+        {
+          detail: {
+            email: this.email_ || '',
+            gaiaId: this.gaiaId_ || '',
+            password: this.password_ || '',
+            authCode: this.oauthCode_,
+            usingSAML: this.authFlow == AuthFlow.SAML,
+            chooseWhatToSync: this.chooseWhatToSync_,
+            skipForNow: this.skipForNow_,
+            sessionIndex: this.sessionIndex_ || '',
+            trusted: this.trusted_,
+            gapsCookie: this.newGapsCookie_ || this.gapsCookie_ || '',
+          }
+        }));
     this.clearCredentials_();
   };
 
   /**
    * Invoked when |samlHandler_| fires 'insecureContentBlocked' event.
    * @private
    */
   Authenticator.prototype.onInsecureContentBlocked_ = function(e) {
     if (this.insecureContentBlockedCallback) {
       this.insecureContentBlockedCallback(e.detail.url);
@@ skipping 90 matching lines @@
         this.webview_.contentWindow.postMessage(msg, this.idpOrigin_);
       }).bind(this), EAFE_INITIAL_MESSAGE_DELAY_IN_MS);
     }
   };
 
   /**
    * Invoked when the webview navigates withing the current document.
    * @private
    */
   Authenticator.prototype.onLoadCommit_ = function(e) {
-    if (this.oauth_code_) {
+    if (this.oauthCode_) {
       this.skipForNow_ = true;
       this.maybeCompleteAuth_();
     }
   };
 
   /**
    * Returns |true| if event |e| was sent from the hosted webview.
    * @private
    */
   Authenticator.prototype.isWebviewEvent_ = function(e) {
@@ skipping 20 matching lines @@
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator,
     Authenticator: Authenticator
   };
 });