FR: SAML Sign In - Interstitial page to send users directly to IdP login screen

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 <include src="saml_handler.js">
 
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
@@ skipping 13 matching lines @@
       'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html';
   var SIGN_IN_HEADER = 'google-accounts-signin';
   var EMBEDDED_FORM_HEADER = 'google-accounts-embedded';
   var LOCATION_HEADER = 'location';
   var COOKIE_HEADER = 'cookie';
   var SET_COOKIE_HEADER = 'set-cookie';
   var OAUTH_CODE_COOKIE = 'oauth_code';
   var GAPS_COOKIE = 'GAPS';
   var SERVICE_ID = 'chromeoslogin';
   var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos';
+  var SAML_REDIRECTION_PATH = 'samlredirect';
 
   /**
    * The source URL parameter for the constrained signin flow.
    */
   var CONSTRAINED_FLOW_SOURCE = 'chrome';
 
   /**
    * Enum for the authorization mode, must match AuthMode defined in
    * chrome/browser/ui/webui/inline_login_ui.cc.
    * @enum {number}
@@ skipping 87 matching lines @@
     this.idpOrigin_ = null;
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
     this.oauthCode_ = null;
     this.gapsCookie_ = null;
     this.gapsCookieSent_ = false;
     this.newGapsCookie_ = null;
+    this.readyFired_ = false;
 
     this.useEafe_ = false;
     this.clientId_ = null;
 
     this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
     this.confirmPasswordCallback = null;
     this.noPasswordCallback = null;
     this.insecureContentBlockedCallback = null;
     this.samlApiUsedCallback = null;
     this.missingGaiaInfoCallback = null;
@@ skipping 31 matching lines @@
     window.addEventListener(
         'popstate', this.onPopState_.bind(this), false);
   }
 
   Authenticator.prototype = Object.create(cr.EventTarget.prototype);
 
   /**
    * Reinitializes authentication parameters so that a failed login attempt
    * would not result in an infinite loop.
    */
-  Authenticator.prototype.clearCredentials_ = function() {
+  Authenticator.prototype.resetStates_ = function() {
     this.email_ = null;
     this.gaiaId_ = null;
     this.password_ = null;
     this.oauthCode_ = null;
     this.gapsCookie_ = null;
     this.gapsCookieSent_ = false;
     this.newGapsCookie_ = null;
+    this.readyFired_ = false;
     this.chooseWhatToSync_ = false;
     this.skipForNow_ = false;
     this.sessionIndex_ = null;
     this.trusted_ = true;
     this.authFlow = AuthFlow.DEFAULT;
     this.samlHandler_.reset();
   };
 
   /**
    * Loads the authenticator component with the given parameters.
    * @param {AuthMode} authMode Authorization mode.
    * @param {Object} data Parameters for the authorization flow.
    */
   Authenticator.prototype.load = function(authMode, data) {
     this.authMode = authMode;
-    this.clearCredentials_();
+    this.resetStates_();
     // gaiaUrl parameter is used for testing. Once defined, it is never changed.
     this.idpOrigin_ = data.gaiaUrl || IDP_ORIGIN;
     this.continueUrl_ = data.continueUrl || CONTINUE_URL;
     this.continueUrlWithoutParams_ =
         this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) ||
         this.continueUrl_;
     this.isConstrainedWindow_ = data.constrained == '1';
     this.isNewGaiaFlow = data.isNewGaiaFlow;
     this.useEafe_ = data.useEafe || false;
     this.clientId_ = data.clientId;
@@ skipping 26 matching lines @@
       }
     }
 
     this.webview_.src = this.reloadUrl_;
   };
 
   /**
    * Reloads the authenticator component.
    */
   Authenticator.prototype.reload = function() {
-    this.clearCredentials_();
+    this.resetStates_();
     this.webview_.src = this.reloadUrl_;
   };
 
   Authenticator.prototype.constructInitialFrameUrl_ = function(data) {
+    if (data.doSamlRedirect) {
+      var url = this.idpOrigin_ + SAML_REDIRECTION_PATH;
+      url = appendParam(url, 'domain', data.enterpriseDomain);
+      url = appendParam(url, 'continue', data.gaiaUrl +
+          'o/oauth2/programmatic_auth?hl=' + data.hl +
+          '&scope=https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthLogin&' +
+          'client_id=' + encodeURIComponent(data.clientId) +
+          '&access_type=offline');
+
+      return url;
+    }
+
     var path = data.gaiaPath;
     if (!path && this.isNewGaiaFlow)
       path = EMBEDDED_SETUP_CHROMEOS_ENDPOINT;
     if (!path)
       path = IDP_PATH;
     var url = this.idpOrigin_ + path;
 
     if (this.isNewGaiaFlow) {
       if (data.chromeType)
         url = appendParam(url, 'chrometype', data.chromeType);
@@ skipping 27 matching lines @@
     if (this.isConstrainedWindow_)
       url = appendParam(url, 'source', CONSTRAINED_FLOW_SOURCE);
     if (data.flow)
       url = appendParam(url, 'flow', data.flow);
     if (data.emailDomain)
       url = appendParam(url, 'emaildomain', data.emailDomain);
     return url;
   };
 
   /**
+   * Dispatches the 'ready' event if it hasn't been dispatched already for the
+   * current content.
+   * @private
+   */
+  Authenticator.prototype.fireReadyEvent_ = function() {
+    if (!this.readyFired_) {
+      this.dispatchEvent(new Event('ready'));
+      this.readyFired_ = true;
+    }
+  };
+
+  /**
    * Invoked when a main frame request in the webview has completed.
    * @private
    */
   Authenticator.prototype.onRequestCompleted_ = function(details) {
     var currentUrl = details.url;
 
     if (!this.isNewGaiaFlow &&
         currentUrl.lastIndexOf(this.continueUrlWithoutParams_, 0) == 0) {
       if (currentUrl.indexOf('ntp=1') >= 0)
         this.skipForNow_ = true;
@@ skipping 328 matching lines @@
             password: this.password_ || '',
             authCode: this.oauthCode_,
             usingSAML: this.authFlow == AuthFlow.SAML,
             chooseWhatToSync: this.chooseWhatToSync_,
             skipForNow: this.skipForNow_,
             sessionIndex: this.sessionIndex_ || '',
             trusted: this.trusted_,
             gapsCookie: this.newGapsCookie_ || this.gapsCookie_ || '',
           }
         }));
-    this.clearCredentials_();
+    this.resetStates_();
   };
 
   /**
    * Invoked when |samlHandler_| fires 'insecureContentBlocked' event.
    * @private
    */
   Authenticator.prototype.onInsecureContentBlocked_ = function(e) {
     if (this.insecureContentBlockedCallback) {
       this.insecureContentBlockedCallback(e.detail.url);
     } else {
       console.error('Authenticator: Insecure content blocked.');
     }
   };
 
   /**
    * Invoked when |samlHandler_| fires 'authPageLoaded' event.
    * @private
    */
   Authenticator.prototype.onAuthPageLoaded_ = function(e) {
     if (!e.detail.isSAMLPage)
       return;
 
     this.authDomain = this.samlHandler_.authDomain;
     this.authFlow = AuthFlow.SAML;
+
+    this.fireReadyEvent_();
   };
 
   /**
    * Invoked when a link is dropped on the webview.
    * @private
    */
   Authenticator.prototype.onDropLink_ = function(e) {
     this.dispatchEvent(new CustomEvent('dropLink', {detail: e.url}));
   };
 
@@ skipping 20 matching lines @@
 
     // Posts a message to IdP pages to initiate communication.
     var currentUrl = this.webview_.src;
     if (currentUrl.lastIndexOf(this.idpOrigin_) == 0) {
       var msg = {
         'method': 'handshake',
       };
 
       this.webview_.contentWindow.postMessage(msg, currentUrl);
 
-      this.dispatchEvent(new Event('ready'));
+      this.fireReadyEvent_();
       // Focus webview after dispatching event when webview is already visible.
       this.webview_.focus();
     }
   };
 
   /**
    * Invoked when the webview fails loading a page.
    * @private
    */
   Authenticator.prototype.onLoadAbort_ = function(e) {
@@ skipping 60 matching lines @@
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator,
     Authenticator: Authenticator
   };
 });