arc: Pass auth token from Chrome to ARC instance.

chrome/browser/chromeos/arc/arc_auth_service.cc

Index: chrome/browser/chromeos/arc/arc_auth_service.cc
diff --git a/chrome/browser/chromeos/arc/arc_auth_service.cc b/chrome/browser/chromeos/arc/arc_auth_service.cc
index 5068550da19750ab584f498922c639929b9fd906..2b1b1589f594bf6c6e610a1f79fd1e59ec9c3269 100644
--- a/chrome/browser/chromeos/arc/arc_auth_service.cc
+++ b/chrome/browser/chromeos/arc/arc_auth_service.cc
@@ -6,15 +6,62 @@
 
 #include <utility>
 
+#include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
+#include "base/strings/stringprintf.h"
+#include "chrome/browser/profiles/profile.h"
+#include "components/arc/arc_bridge_service.h"
+#include "google_apis/gaia/gaia_constants.h"
+#include "google_apis/gaia/gaia_urls.h"
+#include "net/http/http_status_code.h"
+#include "net/url_request/url_fetcher.h"
+
 namespace arc {
 
+namespace {
+
+const char kClientId[] =
+    "1070009224336-sdh77n7uot3oc99ais00jmuft6sk2fg9.apps.googleusercontent.com";

[elijahtaylor1, 2016/01/26 01:02:14]

what client ID is this?

[khmel, 2016/01/26 01:42:04]

This is GMS Core Client id. I renamed for better reading

+const char kCookiePartSecure[] = "secure";
+const char kCookiePartHttpOnly[] = "httponly";
+const char kCookiePartCodePrefix[] = "oauth_code=";
+const int kCookiePartCodePrefixLength = arraysize(kCookiePartCodePrefix) - 1;
+
+// Weak pointer.  This class is owned by ArcServiceManager.
+ArcAuthService* g_arc_auth_service = nullptr;
+
+static bool CookiePartsContains(const std::vector<std::string>& parts,
+                                const char* part) {
+  for (std::vector<std::string>::const_iterator it = parts.begin();
+       it != parts.end(); ++it) {
+    if (base::LowerCaseEqualsASCII(*it, part))

[elijahtaylor1, 2016/01/26 01:02:14]

I'm no expert, but there is disagreement on whether cookie names are
case-sensitive or not: http://stackoverflow.com/a/11312272

[khmel, 2016/01/26 01:42:04]

I mentioned earlier that some code is taken from
https://code.google.com/p/chromium/codesearch#chromium/src/google_apis/gaia/g...
There cookies are case-insensetive

+      return true;
+  }
+  return false;
+}
+
+}  // namespace
+
 ArcAuthService::ArcAuthService(ArcBridgeService* bridge_service)
     : ArcService(bridge_service), binding_(this) {
+  DCHECK(!g_arc_auth_service);
+  g_arc_auth_service = this;
+
   arc_bridge_service()->AddObserver(this);
 }
 
 ArcAuthService::~ArcAuthService() {
   arc_bridge_service()->RemoveObserver(this);
+
+  DCHECK(g_arc_auth_service == this);
+  g_arc_auth_service = nullptr;
+}
+
+// static
+ArcAuthService* ArcAuthService::Get() {
+  DCHECK(g_arc_auth_service);
+  DCHECK(g_arc_auth_service->thread_checker_.CalledOnValidThread());

[elijahtaylor1, 2016/01/26 01:02:14]

I wonder if this pointer should be managed by ArcAuthService at all.  Since this
class is owned by the ArcServiceManager, can we maybe just make a call to
ArcServiceMAnager here and avoid holding this weak reference?

[khmel, 2016/01/26 01:42:04]

After recent ArcServiceManager refactoring, it contains only ArcService
interfaces array. It is impossible now to get from ArcService ArcAuthService.
Luis, could you please confirm.

+  return g_arc_auth_service;
 }
 
 void ArcAuthService::OnAuthInstanceReady() {
@@ -23,9 +70,132 @@ void ArcAuthService::OnAuthInstanceReady() {
   arc_bridge_service()->auth_instance()->Init(std::move(host));
 }
 
+std::string ArcAuthService::GetAuthToken() {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  std::string auth_token;
+  auth_token_.swap(auth_token);
+  return auth_token;
+}
+
 void ArcAuthService::GetAuthCode(const GetAuthCodeCallback& callback) {
-  // TODO(victorhsieh): request auth code from LSO (crbug.com/571146).
-  callback.Run(mojo::String("fake auth code from ArcAuthService in Chrome"));
+  DCHECK(thread_checker_.CalledOnValidThread());
+  callback.Run(mojo::String(GetAuthToken()));
+}
+
+void ArcAuthService::SetProfile(Profile* profile) {
+  DCHECK(profile == nullptr || profile != profile_);
+  DCHECK(thread_checker_.CalledOnValidThread());
+
+  ArcBridgeService::Get()->Shutdown();
+  if (state_ != State::DISABLE) {
+    auth_fetcher_.reset();
+    state_ = State::DISABLE;
+    FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
+  }
+
+  profile_ = profile;
+
+  // TODO(khmel). At this moment UI to handle ARC OptIn is not ready yet. Assume
+  // we opted in by default. When UI is ready, this should be synced with
+  // user's prefs.
+  if (profile_ != nullptr)
+    FetchToken();
+}
+
+void ArcAuthService::AddObserver(Observer* observer) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  observer_list_.AddObserver(observer);
+}
+
+void ArcAuthService::RemoveObserver(Observer* observer) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  observer_list_.RemoveObserver(observer);
+}
+
+void ArcAuthService::SetAuthTokenAndStartArc(const std::string auth_token) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK(!auth_token.empty());
+  DCHECK(state_ != State::ENABLE);
+
+  auth_fetcher_.reset();
+  auth_token_ = auth_token;
+  state_ = State::ENABLE;
+
+  ArcBridgeService::Get()->HandleStartup();
+  FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
+}
+
+// static
+GURL ArcAuthService::CreateURL(Profile* profile) {
+  DCHECK(profile != nullptr);
+
+  std::string query_string = base::StringPrintf(
+      "?scope=%s&client_id=%s&email=%s", GaiaConstants::kOAuth1LoginScope,

[elijahtaylor1, 2016/01/26 01:02:14]

please make sure to get approval from an OWNER from where this scope constant
and GaiaUrls comes from

[khmel, 2016/01/26 01:42:04]

Ok, I will add someone.

+      kClientId, profile->GetProfileUserName().c_str());
+
+  return GaiaUrls::GetInstance()->client_login_to_oauth2_url().Resolve(
+      query_string);
+}
+
+void ArcAuthService::FetchToken() {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK(state_ == State::DISABLE);
+
+  auth_token_ = "";
+  state_ = State::FETCHING_TOKEN;
+  FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
+
+  auth_fetcher_ =
+      net::URLFetcher::Create(CreateURL(profile_), net::URLFetcher::GET, this);

[elijahtaylor1, 2016/01/26 01:02:14]

is it ok to have this code enabled in Chromium?  Is this API and client ID 
specific to Chrome?

[khmel, 2016/01/26 01:42:04]

There is a tons of usage URLFetcher under chrome/browser folder. There is also
usage of GaiaAuthFetcher that does similar but for Chrome client id. It seems I
do nothing unusual here.

+  auth_fetcher_->SetRequestContext(profile_->GetRequestContext());
+  // Executed asynchronously.
+  auth_fetcher_->Start();
+}
+
+// static
+bool ArcAuthService::ParseAuthToken(const net::URLFetcher* source,
+                                    std::string* token) {
+  DCHECK(source != nullptr && token != nullptr);
+  net::ResponseCookies::const_iterator iter;
+  const net::ResponseCookies& cookies = source->GetCookies();
+  for (iter = cookies.begin(); iter != cookies.end(); ++iter) {
+    std::vector<std::string> parts = base::SplitString(
+        *iter, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL);
+    // Per documentation, the cookie should have Secure and HttpOnly.
+    if (!CookiePartsContains(parts, kCookiePartSecure) ||
+        !CookiePartsContains(parts, kCookiePartHttpOnly)) {
+      continue;
+    }
+
+    std::vector<std::string>::const_iterator iter;
+    for (iter = parts.begin(); iter != parts.end(); ++iter) {
+      const std::string& part = *iter;
+      if (base::StartsWith(part, kCookiePartCodePrefix,
+                           base::CompareCase::INSENSITIVE_ASCII)) {
+        *token = part.substr(kCookiePartCodePrefixLength);
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+void ArcAuthService::OnURLFetchComplete(const net::URLFetcher* source) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+
+  std::string auth_token;
+  if (!source->GetStatus().is_success() ||
+      source->GetResponseCode() != net::HTTP_OK ||
+      !ParseAuthToken(source, &auth_token)) {
+    state_ = State::NO_TOKEN;
+    // TODO(khmel). There is no UI currently available. So start bridge anyway.
+    // GMS won't be signed in automatically.
+    ArcBridgeService::Get()->HandleStartup();

[elijahtaylor1, 2016/01/26 01:02:14]

I think we shouldn't start the bridge in this case, and just log an error

[khmel, 2016/01/26 01:42:04]

This is done temporarily, until we have UI that shows LSO page to user to enter
a password (comes as separate CL). For example with fresh image and first login,
current google api does not return cookies and asks user to enter password
additionally.

+    FOR_EACH_OBSERVER(Observer, observer_list_, OnOptInChanged(state_));
+  } else {
+    SetAuthTokenAndStartArc(auth_token);
+  }
 }
 
 }  // namespace arc