White-listing Chrome Remote Desktop to use the identity API in Public Session

chrome/browser/extensions/api/identity/identity_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/identity/identity_api.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 54 matching lines @@
 const char kCanceled[] = "canceled";
 
 const int kCachedIssueAdviceTTLSeconds = 1;
 }  // namespace identity_constants
 
 namespace {
 
 static const char kChromiumDomainRedirectUrlPattern[] =
     "https://%s.chromiumapp.org/";
 
+// The list of apps that are allowed to use the Identity API to retrieve the
+// token from the device robot account in a public session.
+const char* const kPublicSessionAllowedOrigins[] = {
+    // Chrome Remote Desktop - Chromium branding.
+    "chrome-extension://ljacajndfccfgnfohlgkdphmbnpkjflk/",
+    // Chrome Remote Desktop - Official branding.
+    "chrome-extension://gbchcmhmhahfdphkhkmpfmihenigjmpp/"};
+
 std::string GetPrimaryAccountId(content::BrowserContext* context) {
   SigninManagerBase* signin_manager =
       SigninManagerFactory::GetForProfile(Profile::FromBrowserContext(context));
   return signin_manager->GetAuthenticatedAccountId();
 }
 
 }  // namespace
 
 namespace identity = api::identity;
 
@@ skipping 279 matching lines @@
 
   token_key_.reset(
       new ExtensionTokenKey(extension()->id(), account_key, scopes));
 
   // From here on out, results must be returned asynchronously.
   StartAsyncRun();
 
 #if defined(OS_CHROMEOS)
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
-  if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() &&
+  if ((user_manager::UserManager::Get()->IsLoggedInAsKioskApp() ||
+       IsOriginWhitelistedInPublicSession()) &&

[bartfab (slow), 2015/09/18 12:24:57]

You should first check whether this is a public session. Otherwise, you are
short-cutting the flow in lines 390 onward for the whitelisted apps when run in
a regular session.

[kelvinp, 2015/09/22 00:50:37]

Good point.  IsOriginWhitelistedInPublicSession() returns false when we are not
in a public session.  See line 768.
I did a quick check and the API does return the user's identity in a non-public
session so I think we are covered in this scenario.

[Michael Courage, 2015/09/22 03:09:02]

The Kiosk path is already kind of convoluted. It would be nice if it the code
could be more obviously correct. It's hard to follow because of the large
conditional here, almost but not quite replicated in StartMintToken, plus the
fact that IsOriginWhitelistedInPublicSession checks two things (1. is it a
public session, and 2. is this app allowed to operate in a public session).

A possible improvement:
Are non-whitelisted apps running in a public session ever supposed to get a
useful result out of getAuthToken? If not, I think it would be good to error out
right up top as we do for incognito on 315. With the whitelist taken care of up
front, you don't have to worry about it through the rest of the flow.

[bartfab (slow), 2015/09/23 12:37:42]

The order needs to be the opposite: Check whether we are in a public session
first and only if so, consult the whitelist. Otherwise, we would start refusing
non-whitelisted apps in non-public-sessions as well.

I guess we can collapse the kiosk and public session cases somewhat if we want
to:

if (enterprise_managed && (is_kiosk || is_public_session)) {
  if (is_public_session && !is_origin_whitelisted())
    return false;
  StartMintTokenFlow();
  return true;
}
     

[kelvinp, 2015/09/23 21:08:54]

I don't think there is a concern.  For regular sessions (non-public session),
IsOrginWhiteListedInPublicSession will return false. And it will go through the
normal flow in line 390.

       connector->IsEnterpriseManaged()) {
     StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
     return true;
   }
 #endif
 
   if (!HasLoginToken()) {
     if (!should_prompt_for_signin_) {
       CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
       return true;
@@ skipping 103 matching lines @@
   IdentityAPI* id_api = IdentityAPI::GetFactoryInstance()->Get(GetProfile());
   IdentityTokenCacheValue cache_entry = id_api->GetCachedToken(*token_key_);
   IdentityTokenCacheValue::CacheValueStatus cache_status =
       cache_entry.status();
 
   if (type == IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE) {
     switch (cache_status) {
       case IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND:
 #if defined(OS_CHROMEOS)
         // Always force minting token for ChromeOS kiosk app.
-        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp()) {
+        if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() ||
+            IsOriginWhitelistedInPublicSession()) {
           gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE;
           policy::BrowserPolicyConnectorChromeOS* connector =
               g_browser_process->platform_part()
                   ->browser_policy_connector_chromeos();
           if (connector->IsEnterpriseManaged()) {
             StartDeviceLoginAccessTokenRequest();
           } else {
             StartLoginAccessTokenRequest();
           }
           return;
@@ skipping 237 matching lines @@
       chromeos::DeviceOAuth2TokenServiceFactory::Get();
   // Since robot account refresh tokens are scoped down to [any-api] only,
   // request access token for [any-api] instead of login.
   OAuth2TokenService::ScopeSet scopes;
   scopes.insert(GaiaConstants::kAnyApiOAuth2Scope);
   login_token_request_ =
       service->StartRequest(service->GetRobotAccountId(),
                             scopes,
                             this);
 }
+
+bool IdentityGetAuthTokenFunction::IsOriginWhitelistedInPublicSession() {
+  if (!user_manager::UserManager::Get()->IsLoggedInAsPublicAccount()) {
+    return false;
+  }
+
+  for (unsigned int i = 0; i < arraysize(kPublicSessionAllowedOrigins); i++) {
+    URLPattern allowed_origin(URLPattern::SCHEME_ALL,
+                              kPublicSessionAllowedOrigins[i]);
+    DCHECK(extension());
+    if (allowed_origin.MatchesSecurityOrigin(extension()->url())) {
+      return true;
+    }
+  }
+  return false;
+}
 #endif
 
 void IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest() {
   ProfileOAuth2TokenService* service =
       ProfileOAuth2TokenServiceFactory::GetForProfile(GetProfile());
 #if defined(OS_CHROMEOS)
   if (chrome::IsRunningInForcedAppMode()) {
     std::string app_client_id;
     std::string app_client_secret;
     if (chromeos::UserSessionManager::GetInstance()->
@@ skipping 203 matching lines @@
   if (redirect_url.GetWithEmptyPath() == final_url_prefix_) {
     SetResult(new base::StringValue(redirect_url.spec()));
     SendResponse(true);
     if (auth_flow_)
       auth_flow_.release()->DetachDelegateAndDelete();
     Release();  // Balanced in RunAsync.
   }
 }
 
 }  // namespace extensions