
Side by Side Diff: chrome/browser/chromeos/settings/device_oauth2_token_service.cc

Issue 17109006: Device robot refresh token integrity validation. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Extend device_oauth2_token_service_unittest.cc to cover refresh token validation cases. Created 7 years, 6 months ago
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" 5 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
6 6
7 #include <string>
8 #include <vector>
9
7 #include "base/prefs/pref_registry_simple.h" 10 #include "base/prefs/pref_registry_simple.h"
8 #include "base/prefs/pref_service.h" 11 #include "base/prefs/pref_service.h"
12 #include "chrome/browser/browser_process.h"
13 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
14 #include "chrome/browser/policy/browser_policy_connector.h"
15 #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
9 #include "chrome/common/pref_names.h" 16 #include "chrome/common/pref_names.h"
10 #include "chromeos/cryptohome/cryptohome_library.h" 17 #include "chromeos/cryptohome/cryptohome_library.h"
11 #include "content/public/browser/browser_thread.h" 18 #include "content/public/browser/browser_thread.h"
19 #include "google_apis/gaia/gaia_urls.h"
12 20
13 namespace chromeos { 21 namespace chromeos {
14 22
15 DeviceOAuth2TokenService::DeviceOAuth2TokenService( 23 DeviceOAuth2TokenService::DeviceOAuth2TokenService(
16 net::URLRequestContextGetter* getter, 24 net::URLRequestContextGetter* getter,
17 PrefService* local_state) 25 PrefService* local_state)
18 : OAuth2TokenService(getter), 26 : OAuth2TokenService(getter),
27 refresh_token_is_valid_(false),
28 max_refresh_token_validation_retries_(3),
19 local_state_(local_state) { 29 local_state_(local_state) {
20 } 30 }
21 31
22 DeviceOAuth2TokenService::~DeviceOAuth2TokenService() { 32 DeviceOAuth2TokenService::~DeviceOAuth2TokenService() {
23 } 33 }
24 34
25 // static 35 // static
26 void DeviceOAuth2TokenService::RegisterPrefs(PrefRegistrySimple* registry) { 36 void DeviceOAuth2TokenService::RegisterPrefs(PrefRegistrySimple* registry) {
27 registry->RegisterStringPref(prefs::kDeviceRobotAnyApiRefreshToken, 37 registry->RegisterStringPref(prefs::kDeviceRobotAnyApiRefreshToken,
28 std::string()); 38 std::string());
(...skipping 13 matching lines...) Expand all
42 if (refresh_token_.empty()) { 52 if (refresh_token_.empty()) {
43 std::string encrypted_refresh_token = 53 std::string encrypted_refresh_token =
44 local_state_->GetString(prefs::kDeviceRobotAnyApiRefreshToken); 54 local_state_->GetString(prefs::kDeviceRobotAnyApiRefreshToken);
45 55
46 refresh_token_ = CryptohomeLibrary::Get()->DecryptWithSystemSalt( 56 refresh_token_ = CryptohomeLibrary::Get()->DecryptWithSystemSalt(
47 encrypted_refresh_token); 57 encrypted_refresh_token);
48 } 58 }
49 return refresh_token_; 59 return refresh_token_;
50 } 60 }
51 61
62 bool DeviceOAuth2TokenService::StartRefreshTokenValidation(
63 const std::string refresh_token,
64 RefreshTokenValidationConsumer* consumer) {
65 DCHECK(GetRefreshToken() == refresh_token);
66 if (refresh_token_is_valid_) {
67 // The cached token never changes, so the previous validation is still good.
68 // Return false to indicate that the validation process wasn't started, and
69 // the token can be used directly.
70 return false;
71 } else {
72 refresh_token_validation_consumers_.push_back(consumer);
73 if (refresh_token_validation_consumers_.size() > 1) {
74 // A validation is already in flight, and its results will be sent to
75 // all consumers.
76 DCHECK(gaia_oauth_client_.get());
77 return true;
78 }
79
80 GaiaUrls* gaia_urls = GaiaUrls::GetInstance();
81 gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
82 g_browser_process->system_request_context()));
83
84 gaia::OAuthClientInfo client_info;
85 client_info.client_id = gaia_urls->oauth2_chrome_client_id();
86 client_info.client_secret = gaia_urls->oauth2_chrome_client_secret();
87
88 gaia_oauth_client_->RefreshToken(
89 client_info,
90 refresh_token,
91 std::vector<std::string>(1, gaia_urls->oauth2_token_info_url()),
92 max_refresh_token_validation_retries_,
93 this);
94 return true;
95 }
96 }
97
98 void DeviceOAuth2TokenService::OnRefreshTokenResponse(
99 const std::string& access_token,
100 int expires_in_seconds) {
101 gaia_oauth_client_->GetTokenInfo(access_token,
102 max_refresh_token_validation_retries_,
103 this);
104 }
105
106 std::string DeviceOAuth2TokenService::GetRobotAccountId() {
107 policy::BrowserPolicyConnector* connector =
108 g_browser_process->browser_policy_connector();
109 if (connector) {
Mattias Nissler (ping if slow) 2013/06/19 17:53:17 nit: no curlies
David Roche 2013/06/20 17:49:29 Done.
110 return connector->GetDeviceCloudPolicyManager()->GetRobotAccountId();
111 }
112 return std::string();
113 }
114
115 void DeviceOAuth2TokenService::OnGetTokenInfoResponse(
116 scoped_ptr<DictionaryValue> token_info) {
117 std::string gaia_robot_id;
118 token_info->GetString("issued_to", &gaia_robot_id);
119
120 std::string policy_robot_id = GetRobotAccountId();
121
122 if (policy_robot_id == gaia_robot_id) {
123 refresh_token_is_valid_ = true;
124 } else {
125 if (gaia_robot_id.empty()) {
126 LOG(WARNING) << "Device service account owner in policy is empty.";
127 } else {
Mattias Nissler (ping if slow) 2013/06/19 17:53:17 should we clear the local state pref here for cons
David Roche 2013/06/20 17:49:29 I figured we'd just leave it since this class refu
128 LOG(INFO) << "Device service account owner in policy does not match "
129 << "refresh token.";
130 }
131 }
132 InformAllConsumers();
133 }
134
135 void DeviceOAuth2TokenService::OnOAuthError() {
136 InformAllConsumers();
137 }
138
139 void DeviceOAuth2TokenService::OnNetworkError(int response_code) {
140 InformAllConsumers();
141 }
142
143 void DeviceOAuth2TokenService::InformAllConsumers() {
144 for (size_t i = 0; i < refresh_token_validation_consumers_.size(); ++i) {
145 refresh_token_validation_consumers_[i]->OnRefreshTokenValidationComplete(
146 GetRefreshToken(), refresh_token_is_valid_);
147 }
148 refresh_token_validation_consumers_.empty();
149 }
150
52 } // namespace chromeos 151 } // namespace chromeos
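Review bot: OnGetTokenInfoResponse (new lines 115-133) accepts the refresh token when both identifiers are empty: the result of `token_info->GetString("issued_to", &gaia_robot_id)` is ignored and GetRobotAccountId() returns `std::string()` when there is no connector, so `policy_robot_id == gaia_robot_id` holds and `refresh_token_is_valid_` becomes true without any owner having been matched. The comparison should fail closed, for example `if (!gaia_robot_id.empty() && policy_robot_id == gaia_robot_id)`. The warning on new line 126 says the policy owner is empty, but the branch tests `gaia_robot_id.empty()`, so the message names the wrong side. Separately, InformAllConsumers ends with `refresh_token_validation_consumers_.empty();`, which only queries the vector; `refresh_token_validation_consumers_.clear();` looks intended, because otherwise already-notified consumers stay queued and, after a failed validation, the next StartRefreshTokenValidation call takes the "already in flight" branch without starting a request.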