Device robot refresh token integrity validation.

chrome/browser/signin/oauth2_token_service.cc

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/oauth2_token_service.h"
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/memory/weak_ptr.h"
 #include "base/message_loop.h"
 #include "base/rand_util.h"
 #include "base/stl_util.h"
 #include "base/time.h"
 #include "base/timer.h"
 #include "content/public/browser/browser_thread.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "google_apis/gaia/google_service_auth_error.h"
 #include "google_apis/gaia/oauth2_access_token_consumer.h"
 #include "google_apis/gaia/oauth2_access_token_fetcher.h"
 #include "net/url_request/url_request_context_getter.h"
 
-namespace {
-
-// Maximum number of retries in fetching an OAuth2 access token.
-const int kMaxFetchRetryNum = 5;
-
-// Returns an exponential backoff in milliseconds including randomness less than
-// 1000 ms when retrying fetching an OAuth2 access token.
-int64 ComputeExponentialBackOffMilliseconds(int retry_num) {
-  DCHECK(retry_num < kMaxFetchRetryNum);
-  int64 exponential_backoff_in_seconds = 1 << retry_num;
-  // Returns a backoff with randomness < 1000ms
-  return (exponential_backoff_in_seconds + base::RandDouble()) * 1000;
-}
-
-}  // namespace
+int OAuth2TokenService::max_fetch_retry_num_ = 5;
 
 OAuth2TokenService::RequestImpl::RequestImpl(
     OAuth2TokenService::Consumer* consumer)
     : consumer_(consumer) {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
 }
 
 OAuth2TokenService::RequestImpl::~RequestImpl() {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
 }
@@ skipping 29 matching lines @@
 // fetching.
 //
 // The waiting requests are taken as weak pointers and they can be deleted. The
 // waiting requests will be called back with fetching results if they are not
 // deleted
 // - when the Fetcher completes fetching, if the Fetcher is not destructed
 //   before it completes fetching, or
 // - when the Fetcher is destructed if the Fetcher is destructed before it
 //   completes fetching (in this case, the waiting requests will be called back
 //   with error).
-class OAuth2TokenService::Fetcher : public OAuth2AccessTokenConsumer {
+class OAuth2TokenService::Fetcher : public RefreshTokenValidationConsumer,
+                                    public OAuth2AccessTokenConsumer {
  public:
   // Creates a Fetcher and starts fetching an OAuth2 access token for
   // |refresh_token| and |scopes| in the request context obtained by |getter|.
   // The given |oauth2_token_service| will be informed when fetching is done.
   static Fetcher* CreateAndStart(OAuth2TokenService* oauth2_token_service,
                                  net::URLRequestContextGetter* getter,
                                  const std::string& refresh_token,
                                  const OAuth2TokenService::ScopeSet& scopes,
                                  base::WeakPtr<RequestImpl> waiting_request);
   virtual ~Fetcher();
 
   // Add a request that is waiting for the result of this Fetcher.
   void AddWaitingRequest(base::WeakPtr<RequestImpl> waiting_request);
 
   const OAuth2TokenService::ScopeSet& GetScopeSet() const;
   const std::string& GetRefreshToken() const;
 
   // The error result from this fetcher.
   const GoogleServiceAuthError& error() const { return error_; }
 
  protected:
    // OAuth2AccessTokenConsumer
   virtual void OnGetTokenSuccess(const std::string& access_token,
                                  const base::Time& expiration_date) OVERRIDE;
   virtual void OnGetTokenFailure(const GoogleServiceAuthError& error) OVERRIDE;
 
+  // RefreshTokenValidationConsumer
+  virtual void OnRefreshTokenValidationComplete(
+      const std::string& refresh_token,
+      bool is_valid) OVERRIDE;
+
  private:
   Fetcher(OAuth2TokenService* oauth2_token_service,
           net::URLRequestContextGetter* getter,
           const std::string& refresh_token,
           const OAuth2TokenService::ScopeSet& scopes,
           base::WeakPtr<RequestImpl> waiting_request);
   void Start();
+  void StartAccessTokenFetch();
   void InformWaitingRequests();
+  void InformWaitingRequestsAndQuit();
   static bool ShouldRetry(const GoogleServiceAuthError& error);
+  int64 ComputeExponentialBackOffMilliseconds(int retry_num);
 
   // |oauth2_token_service_| remains valid for the life of this Fetcher, since
   // this Fetcher is destructed in the dtor of the OAuth2TokenService or is
   // scheduled for deletion at the end of OnGetTokenFailure/OnGetTokenSuccess
   // (whichever comes first).
   OAuth2TokenService* const oauth2_token_service_;
   scoped_refptr<net::URLRequestContextGetter> getter_;
   const std::string refresh_token_;
   const OAuth2TokenService::ScopeSet scopes_;
   std::vector<base::WeakPtr<RequestImpl> > waiting_requests_;
@@ skipping 43 matching lines @@
   waiting_requests_.push_back(waiting_request);
 }
 
 OAuth2TokenService::Fetcher::~Fetcher() {
   // Inform the waiting requests if it has not done so.
   if (waiting_requests_.size())
     InformWaitingRequests();
 }
 
 void OAuth2TokenService::Fetcher::Start() {
+  if (!oauth2_token_service_->StartRefreshTokenValidation(refresh_token_,
+                                                          this)) {
+    StartAccessTokenFetch();
+  }
+}
+
+void OAuth2TokenService::Fetcher::OnRefreshTokenValidationComplete(
+        const std::string& refresh_token,

[Mattias Nissler (ping if slow), 2013/06/19 17:53:17]

nit: indentation

[David Roche, 2013/06/20 17:49:29]

Removed.

+        bool is_valid) {
+  DCHECK(refresh_token_ == refresh_token);
+  if (is_valid) {
+    StartAccessTokenFetch();
+  } else {
+    error_ = GoogleServiceAuthError(
+        GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS);
+    InformWaitingRequestsAndQuit();
+  }
+}
+
+void OAuth2TokenService::Fetcher::StartAccessTokenFetch() {
   fetcher_.reset(new OAuth2AccessTokenFetcher(this, getter_.get()));
   fetcher_->Start(GaiaUrls::GetInstance()->oauth2_chrome_client_id(),
                   GaiaUrls::GetInstance()->oauth2_chrome_client_secret(),
                   refresh_token_,
                   std::vector<std::string>(scopes_.begin(), scopes_.end()));
   retry_timer_.Stop();
 }
 
 void OAuth2TokenService::Fetcher::OnGetTokenSuccess(
     const std::string& access_token,
     const base::Time& expiration_date) {
   fetcher_.reset();
 
   // Fetch completes.
   error_ = GoogleServiceAuthError::AuthErrorNone();
   access_token_ = access_token;
   expiration_date_ = expiration_date;
 
   // Subclasses may override this method to skip caching in some cases, but
   // we still inform all waiting Consumers of a successful token fetch below.
   // This is intentional -- some consumers may need the token for cleanup
   // tasks. https://chromiumcodereview.appspot.com/11312124/
   oauth2_token_service_->RegisterCacheEntry(refresh_token_,
                                             scopes_,
                                             access_token_,
                                             expiration_date_);
-  // Deregisters itself from the service to prevent more waiting requests to
-  // be added when it calls back the waiting requests.
-  oauth2_token_service_->OnFetchComplete(this);
-  InformWaitingRequests();
-  base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);
+  InformWaitingRequestsAndQuit();
 }
 
 void OAuth2TokenService::Fetcher::OnGetTokenFailure(
     const GoogleServiceAuthError& error) {
   fetcher_.reset();
 
-  if (ShouldRetry(error) && retry_number_ < kMaxFetchRetryNum) {
+  if (ShouldRetry(error) && retry_number_ < max_fetch_retry_num_) {
     int64 backoff = ComputeExponentialBackOffMilliseconds(retry_number_);
     ++retry_number_;
     retry_timer_.Stop();
     retry_timer_.Start(FROM_HERE,
                        base::TimeDelta::FromMilliseconds(backoff),
                        this,
                        &OAuth2TokenService::Fetcher::Start);
     return;
   }
 
-  // Fetch completes.
   error_ = error;
+  InformWaitingRequestsAndQuit();
+}
 
-  // Deregisters itself from the service to prevent more waiting requests to be
-  // added when it calls back the waiting requests.
-  oauth2_token_service_->OnFetchComplete(this);
-  InformWaitingRequests();
-  base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);
+// Returns an exponential backoff in milliseconds including randomness less than
+// 1000 ms when retrying fetching an OAuth2 access token.
+int64 OAuth2TokenService::Fetcher::ComputeExponentialBackOffMilliseconds(
+    int retry_num) {
+  DCHECK(retry_num < max_fetch_retry_num_);
+  int64 exponential_backoff_in_seconds = 1 << retry_num;
+  // Returns a backoff with randomness < 1000ms
+  return (exponential_backoff_in_seconds + base::RandDouble()) * 1000;
 }
 
 // static
 bool OAuth2TokenService::Fetcher::ShouldRetry(
     const GoogleServiceAuthError& error) {
   GoogleServiceAuthError::State error_state = error.state();
   return error_state == GoogleServiceAuthError::CONNECTION_FAILED ||
          error_state == GoogleServiceAuthError::REQUEST_CANCELED ||
          error_state == GoogleServiceAuthError::SERVICE_UNAVAILABLE;
 }
 
 void OAuth2TokenService::Fetcher::InformWaitingRequests() {
   std::vector<base::WeakPtr<RequestImpl> >::const_iterator iter =
       waiting_requests_.begin();
   for (; iter != waiting_requests_.end(); ++iter) {
     base::WeakPtr<RequestImpl> waiting_request = *iter;
     if (waiting_request.get())
       waiting_request->InformConsumer(error_, access_token_, expiration_date_);
   }
   waiting_requests_.clear();
 }
 
+void OAuth2TokenService::Fetcher::InformWaitingRequestsAndQuit() {
+  // Deregisters itself from the service to prevent more waiting requests to
+  // be added when it calls back the waiting requests.
+  oauth2_token_service_->OnFetchComplete(this);
+  InformWaitingRequests();
+  base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);
+}
+
 void OAuth2TokenService::Fetcher::AddWaitingRequest(
     base::WeakPtr<OAuth2TokenService::RequestImpl> waiting_request) {
   waiting_requests_.push_back(waiting_request);
 }
 
 const OAuth2TokenService::ScopeSet& OAuth2TokenService::Fetcher::GetScopeSet()
     const {
   return scopes_;
 }
 
@@ skipping 17 matching lines @@
     : request_context_getter_(getter) {
 }
 
 OAuth2TokenService::~OAuth2TokenService() {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
   // Release all the pending fetchers.
   STLDeleteContainerPairSecondPointers(
       pending_fetchers_.begin(), pending_fetchers_.end());
 }
 
-bool OAuth2TokenService::RefreshTokenIsAvailable() {
-  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
-  return !GetRefreshToken().empty();
-}
-
 scoped_ptr<OAuth2TokenService::Request> OAuth2TokenService::StartRequest(
     const OAuth2TokenService::ScopeSet& scopes,
     OAuth2TokenService::Consumer* consumer) {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
 
   scoped_ptr<RequestImpl> request(new RequestImpl(consumer));
 
   std::string refresh_token = GetRefreshToken();
   if (refresh_token.empty()) {
     base::MessageLoop::current()->PostTask(FROM_HERE, base::Bind(
         &RequestImpl::InformConsumer,
         request->AsWeakPtr(),
         GoogleServiceAuthError(
             GoogleServiceAuthError::USER_NOT_SIGNED_UP),
         std::string(),
         base::Time()));
     return request.PassAs<Request>();
   }
 
   if (HasCacheEntry(scopes))
-    return StartCacheLookupRequest(scopes, consumer);
+    return StartCacheLookupRequest(scopes, request.Pass());
 
-  // Makes sure there is a pending fetcher for |scopes| and |refresh_token|.
-  // Adds |request| to the waiting request list of this fetcher so |request|
-  // will be called back when this fetcher finishes fetching.
+  // If there is already a pending fetcher for |scopes| and |refresh_token|,
+  // simply register this |request| for those results rather than starting
+  // a new fetcher.
   FetchParameters fetch_parameters = std::make_pair(refresh_token, scopes);
   std::map<FetchParameters, Fetcher*>::iterator iter =
       pending_fetchers_.find(fetch_parameters);
   if (iter != pending_fetchers_.end()) {
     iter->second->AddWaitingRequest(request->AsWeakPtr());
     return request.PassAs<Request>();
   }
+
   pending_fetchers_[fetch_parameters] =
       Fetcher::CreateAndStart(this,
                               request_context_getter_.get(),
                               refresh_token,
                               scopes,
                               request->AsWeakPtr());
   return request.PassAs<Request>();
 }
 
 scoped_ptr<OAuth2TokenService::Request>
     OAuth2TokenService::StartCacheLookupRequest(
         const OAuth2TokenService::ScopeSet& scopes,
-        OAuth2TokenService::Consumer* consumer) {
+        scoped_ptr<RequestImpl> request) {
   CHECK(HasCacheEntry(scopes));
   const CacheEntry* cache_entry = GetCacheEntry(scopes);
-  scoped_ptr<RequestImpl> request(new RequestImpl(consumer));
   base::MessageLoop::current()->PostTask(FROM_HERE, base::Bind(
       &RequestImpl::InformConsumer,
       request->AsWeakPtr(),
       GoogleServiceAuthError(GoogleServiceAuthError::NONE),
       cache_entry->access_token,
       cache_entry->expiration_date));
   return request.PassAs<Request>();
 }
 
 void OAuth2TokenService::InvalidateToken(const ScopeSet& scopes,
@@ skipping 80 matching lines @@
     const OAuth2TokenService::ScopeSet& scopes,
     const std::string& access_token,
     const base::Time& expiration_date) {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
 
   CacheEntry& token = token_cache_[scopes];
   token.access_token = access_token;
   token.expiration_date = expiration_date;
 }
 
+bool OAuth2TokenService::StartRefreshTokenValidation(
+      const std::string refresh_token,

[Mattias Nissler (ping if slow), 2013/06/19 17:53:17]

nit: indentation

[David Roche, 2013/06/20 17:49:29]

Removed.

+      RefreshTokenValidationConsumer* consumer) {
+  return false;  // No validation needed; use token directly.
+}
+
 void OAuth2TokenService::UpdateAuthError(const GoogleServiceAuthError& error) {
   // Default implementation does nothing.
 }
 
 void OAuth2TokenService::ClearCache() {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
   token_cache_.clear();
 }
 
 int OAuth2TokenService::cache_size_for_testing() const {
   return token_cache_.size();
 }
+
+void OAuth2TokenService::set_max_authorization_token_fetch_retries_for_testing(
+    int max_retries) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
+  max_fetch_retry_num_ = max_retries;
+}