Chromium Code Reviews Chromium Code Reviews
Issue 17109006:
Device robot refresh token integrity validation. (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" | 5 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" |
| 6 | 6 |
| 7 #include <string> | |
| 8 #include <vector> | |
| 9 | |
| 7 #include "base/prefs/pref_registry_simple.h" | 10 #include "base/prefs/pref_registry_simple.h" |
| 8 #include "base/prefs/pref_service.h" | 11 #include "base/prefs/pref_service.h" |
| 12 #include "chrome/browser/browser_process.h" | |
| 13 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" | |
| 14 #include "chrome/browser/policy/browser_policy_connector.h" | |
| 15 #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h" | |
| 9 #include "chrome/common/pref_names.h" | 16 #include "chrome/common/pref_names.h" |
| 10 #include "chromeos/cryptohome/cryptohome_library.h" | 17 #include "chromeos/cryptohome/cryptohome_library.h" |
| 11 #include "content/public/browser/browser_thread.h" | 18 #include "content/public/browser/browser_thread.h" |
| 19 #include "google_apis/gaia/gaia_urls.h" | |
| 12 | 20 |
| 13 namespace chromeos { | 21 namespace chromeos { |
| 14 | 22 |
| 23 const int kMaxRefreshTokenValidationRetries = 3; | |
| 24 | |
| 15 DeviceOAuth2TokenService::DeviceOAuth2TokenService( | 25 DeviceOAuth2TokenService::DeviceOAuth2TokenService( |
| 16 net::URLRequestContextGetter* getter, | 26 net::URLRequestContextGetter* getter, |
| 17 PrefService* local_state) | 27 PrefService* local_state) |
| 18 : OAuth2TokenService(getter), | 28 : OAuth2TokenService(getter), |
| 29 refresh_token_is_valid_(false), | |
| 19 local_state_(local_state) { | 30 local_state_(local_state) { |
| 20 } | 31 } |
| 21 | 32 |
| 22 DeviceOAuth2TokenService::~DeviceOAuth2TokenService() { | 33 DeviceOAuth2TokenService::~DeviceOAuth2TokenService() { |
| 23 } | 34 } |
| 24 | 35 |
| 25 // static | 36 // static |
| 26 void DeviceOAuth2TokenService::RegisterPrefs(PrefRegistrySimple* registry) { | 37 void DeviceOAuth2TokenService::RegisterPrefs(PrefRegistrySimple* registry) { |
| 27 registry->RegisterStringPref(prefs::kDeviceRobotAnyApiRefreshToken, | 38 registry->RegisterStringPref(prefs::kDeviceRobotAnyApiRefreshToken, |
| 28 std::string()); | 39 std::string()); |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 42 if (refresh_token_.empty()) { | 53 if (refresh_token_.empty()) { |
| 43 std::string encrypted_refresh_token = | 54 std::string encrypted_refresh_token = |
| 44 local_state_->GetString(prefs::kDeviceRobotAnyApiRefreshToken); | 55 local_state_->GetString(prefs::kDeviceRobotAnyApiRefreshToken); |
| 45 | 56 |
| 46 refresh_token_ = CryptohomeLibrary::Get()->DecryptWithSystemSalt( | 57 refresh_token_ = CryptohomeLibrary::Get()->DecryptWithSystemSalt( |
| 47 encrypted_refresh_token); | 58 encrypted_refresh_token); |
| 48 } | 59 } |
| 49 return refresh_token_; | 60 return refresh_token_; |
| 50 } | 61 } |
| 51 | 62 |
| 63 bool DeviceOAuth2TokenService::StartRefreshTokenValidation( | |
| 64 const std::string refresh_token, | |
| 65 RefreshTokenValidationConsumer* consumer) { | |
| 66 DCHECK(GetRefreshToken() == refresh_token); | |
| 67 if (refresh_token_is_valid_) { | |
| 68 // The cached token never changes, so the previous validation is still good. | |
| 69 // Return false to indicate that the validation process wasn't started, and | |
| 70 // the token can be used directly. | |
| 71 return false; | |
| 72 } else { | |
| 73 refresh_token_validation_consumers_.push_back(consumer); | |
| 74 if (refresh_token_validation_consumers_.size() > 1) { | |
| 75 // A validation is already in flight, and its results will be sent to | |
| 76 // all consumers. | |
| 77 DCHECK(gaia_oauth_client_.get()); | |
| 78 return true; | |
| 79 } | |
| 80 | |
| 81 GaiaUrls* gaia_urls = GaiaUrls::GetInstance(); | |
| 82 gaia_oauth_client_.reset(new gaia::GaiaOAuthClient( | |
| 83 gaia_urls->oauth2_token_url(), | |
| 84 g_browser_process->system_request_context())); | |
| 85 | |
| 86 gaia::OAuthClientInfo client_info; | |
| 87 client_info.client_id = gaia_urls->oauth2_chrome_client_id(); | |
| 88 client_info.client_secret = gaia_urls->oauth2_chrome_client_secret(); | |
| 89 | |
| 90 gaia_oauth_client_->RefreshToken( | |
| 91 client_info, | |
| 92 refresh_token, | |
| 93 std::vector<std::string>(1, gaia_urls->oauth2_token_info_url()), | |
| 94 kMaxRefreshTokenValidationRetries, | |
| 95 this); | |
| 96 return true; | |
| 97 } | |
| 98 } | |
| 99 | |
| 100 void DeviceOAuth2TokenService::OnRefreshTokenResponse( | |
| 101 const std::string& access_token, | |
| 102 int expires_in_seconds) { | |
| 103 gaia_oauth_client_->GetTokenInfo(access_token, | |
| 104 kMaxRefreshTokenValidationRetries, | |
| 105 this); | |
| 106 } | |
| 107 | |
| 108 void DeviceOAuth2TokenService::OnGetTokenInfoResponse( | |
| 109 scoped_ptr<DictionaryValue> token_info) { | |
| 110 std::string gaia_robot_id;; | |
| 111 token_info->GetString("issued_to", &gaia_robot_id); | |
| 112 | |
| 113 policy::BrowserPolicyConnector* connector = | |
| 114 g_browser_process->browser_policy_connector(); | |
| 115 if (connector) { | |
| 116 std::string policy_robot_id = | |
| 117 connector->GetDeviceCloudPolicyManager()->GetRobotAccountID(); | |
| 118 | |
| 119 if (policy_robot_id == gaia_robot_id) { | |
| 120 refresh_token_is_valid_ = true; | |
| 121 } else { | |
| 122 if (gaia_robot_id.empty()) { | |
| 123 LOG(INFO) << "Device service account owner in policy is empty."; | |
|
Mattias Nissler (ping if slow)
2013/06/17 05:34:17
I guess this should be at least WARN, if not ERROR
David Roche
2013/06/18 04:12:08
Done.
| |
| 124 } else { | |
| 125 LOG(INFO) << "Device service account owner in policy does not match " | |
| 126 << "refresh token."; | |
| 127 } | |
| 128 } | |
| 129 } | |
| 130 InformAllConsumers(); | |
| 131 } | |
| 132 | |
| 133 void DeviceOAuth2TokenService::OnOAuthError() { | |
| 134 InformAllConsumers(); | |
| 135 } | |
| 136 | |
| 137 void DeviceOAuth2TokenService::OnNetworkError(int response_code) { | |
| 138 InformAllConsumers(); | |
| 139 } | |
| 140 | |
| 141 void DeviceOAuth2TokenService::InformAllConsumers() { | |
| 142 for (size_t i = 0; i < refresh_token_validation_consumers_.size(); ++i) { | |
| 143 refresh_token_validation_consumers_[i]->OnRefreshTokenValidationComplete( | |
| 144 GetRefreshToken(), refresh_token_is_valid_); | |
| 145 } | |
| 146 refresh_token_validation_consumers_.empty(); | |
| 147 } | |
| 148 | |
| 52 } // namespace chromeos | 149 } // namespace chromeos |
| OLD | NEW |
