Implement a second version of the credentials passing API

chrome/browser/resources/gaia_auth/main.js

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * Authenticator class wraps the communications between Gaia and its host.
  */
 function Authenticator() {
 }
 
 /**
  * Gaia auth extension url origin.
  * @type {string}
  */
 Authenticator.THIS_EXTENSION_ORIGIN =
     'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik';
 
 /**
+ * The lowest version of the credentials passing API supported.
+ * @type {number}
+ */
+Authenticator.MIN_API_VERSION_VERSION = 1;
+
+/**
+ * The highest version of the credentials passing API supported.
+ * @type {number}
+ */
+Authenticator.MAX_API_VERSION_VERSION = 2;
+
+/**
+ * The key types supported for credentials passing API 2 and higher.
+ * @type {Array} Array of strings.
+ */
+Authenticator.API_KEY_TYPES = [
+  'KEY_TYPE_PASSWORD_PLAIN',

[Jorge Lucangeli Obes, 2014/04/30 22:31:37]

Is this equivalent of what we're doing in v1?

[bartfab (slow), 2014/05/01 22:47:48]

Yes. For now, both v1 and v2 expect the password in plain text. In the future,
v2 will also support other algorithms while v1 will be limited to a plain-text
password forever.

Note that we have not publicly launched this API yet. We are under no obligation
to keep v1 of the API around as nobody depends on it. My plan is to make sure
that v2 works as expected and then to drop support for v1 entirely. Nobody will
miss it because nobody is using it yet. When we launch the feature, we will
launch v2 only.

[Jorge Lucangeli Obes, 2014/05/01 23:00:24]

IIUC the password is transmitted in plaintext, but the transport is secure
(HTTPS), right?

[bartfab (slow), 2014/05/02 06:29:53]

The password is sent to two places:

1) The SAML IdP needs to send the password to its own auth server for
verification. It is the IdP's responsibility that this be done securely. This
has nothing to do with the API being introduced here. You are right that on
Chrome OS, we ensure that the IdP's communication with its own server uses
https. On other plaforms, the IdP could use http. It is their choice, not ours.

2) The IdP can send the password to Chrome / Chrome OS using the API we are
discussing here. That entire communication happens via postMessage(), so there
is no http/https or any other network communication involved. The password is
sent locally on the Chromebook, using HTML5 mechanisms. After the password has
reached the C++ layers of Chrome, it is salted and hashed.

+];
+
+/**
  * Singleton getter of Authenticator.
  * @return {Object} The singleton instance of Authenticator.
  */
 Authenticator.getInstance = function() {
   if (!Authenticator.instance_) {
     Authenticator.instance_ = new Authenticator();
   }
   return Authenticator.instance_;
 };
 
 Authenticator.prototype = {
   email_: null,
-  password_: null,
+  passwordBytes_: null,
   attemptToken_: null,
 
   // Input params from extension initialization URL.
   inputLang_: undefined,
   intputEmail_: undefined,
 
   isSAMLFlow_: false,
   isSAMLEnabled_: false,
   supportChannel_: null,
 
@@ skipping 126 matching lines @@
   },
 
   /**
    * Invoked when the signin flow is complete.
    * @param {Object=} opt_extraMsg Optional extra info to send.
    */
   completeLogin_: function(opt_extraMsg) {
     var msg = {
       'method': 'completeLogin',
       'email': (opt_extraMsg && opt_extraMsg.email) || this.email_,
-      'password': (opt_extraMsg && opt_extraMsg.password) || this.password_,
+      'password': (opt_extraMsg && opt_extraMsg.password) ||
+                  this.passwordBytes_,
       'usingSAML': this.isSAMLFlow_,
       'chooseWhatToSync': this.chooseWhatToSync_ || false,
       'skipForNow': opt_extraMsg && opt_extraMsg.skipForNow,
       'sessionIndex': opt_extraMsg && opt_extraMsg.sessionIndex
     };
     window.parent.postMessage(msg, this.parentPage_);
     if (this.isSAMLEnabled_)
       this.supportChannel_.send({name: 'resetAuth'});
   },
 
@@ skipping 35 matching lines @@
   /**
    * Invoked when the background page sends 'onHostedPageLoaded' message.
    * @param {!Object} msg Details sent with the message.
    */
   onAuthPageLoaded_: function(msg) {
     var isSAMLPage = msg.url.indexOf(this.gaiaUrl_) != 0;
 
     if (isSAMLPage && !this.isSAMLFlow_) {
       // GAIA redirected to a SAML login page. The credentials provided to this
       // page will determine what user gets logged in. The credentials obtained
-      // from the GAIA login from are no longer relevant and can be discarded.
+      // from the GAIA login form are no longer relevant and can be discarded.
       this.isSAMLFlow_ = true;
       this.email_ = null;
-      this.password_ = null;
+      this.passwordBytes_ = null;
     }
 
     window.parent.postMessage({
       'method': 'authPageLoaded',
       'isSAML': this.isSAMLFlow_,
       'domain': extractDomain(msg.url)
     }, this.parentPage_);
   },
 
   /**
    * Invoked when the background page sends an 'onInsecureContentBlocked'
    * message.
    */
   onInsecureContentBlocked_: function() {
     window.parent.postMessage({'method': 'insecureContentBlocked'},
                               this.parentPage_);
   },
 
   /**
    * Invoked when one of the credential passing API methods is called by a SAML
    * provider.
    * @param {!Object} msg Details of the API call.
    */
   onAPICall_: function(msg) {
     var call = msg.call;
+    if (call.method == 'initialize') {
+      // TODO(bartfab): There was no |requestedVersion| parameter in version 1
+      // of the API. Remove this code once all consumers have switched to
+      // version 2 or higher.
+      if (!call.hasOwnProperty('requestedVersion')) {
+        if (Authenticator.MIN_API_VERSION_VERSION == 1) {
+          this.apiVersion_ = 1;
+          this.initialized_ = true;
+          this.sendInitializationSuccess_();
+        }
+        // The glue code for API version 1 interprets all responses as success.
+        // Instead of reporting failure, do not send any response at all.
+        return;
+      }
+
+      if (!Number.isInteger(call.requestedVersion) ||
+          call.requestedVersion < Authenticator.MIN_API_VERSION_VERSION) {
+        this.sendInitializationFailure_();
+        return;
+      }
+
+      this.apiVersion_ = Math.min(call.requested_version,
+                                  Authenticator.MAX_API_VERSION_VERSION);
+      this.initialized_ = true;
+      this.sendInitializationSuccess_();
+      return;
+    }
+
     if (call.method == 'add') {
+      if (this.apiVersion_ > 1 &&
+          Authenticator.API_KEY_TYPES.indexOf(call.keyType) == -1) {
+        console.error('Authenticator.onAPICall_: unsupported key type');
+        return;
+      }
       this.apiToken_ = call.token;
       this.email_ = call.user;
-      this.password_ = call.password;
+      if (this.apiVersion_ == 1)
+        this.passwordBytes_ = call.password;
+      else
+        this.passwordBytes_ = call.passwordBytes;
     } else if (call.method == 'confirm') {
       if (call.token != this.apiToken_)
         console.error('Authenticator.onAPICall_: token mismatch');
     } else {
       console.error('Authenticator.onAPICall_: unknown message');
     }
   },
 
+  sendInitializationSuccess_: function() {
+    var response = {
+      result: 'initialized',
+      version: this.apiVersion_
+    };
+    if (this.apiVersion_ >= 2)
+      response['keyTypes'] = Authenticator.API_KEY_TYPES;
+
+    this.supportChannel_.send({name: 'apiResponse', response: response});
+  },
+
+  sendInitializationFailure_: function() {
+    this.supportChannel_.send({
+      name: 'apiResponse',
+      response: {result: 'initialization_failed'}
+    });
+  },
+
   onConfirmLogin_: function() {
     if (!this.isSAMLFlow_) {
       this.completeLogin_();
       return;
     }
 
-    var apiUsed = !!this.password_;
+    var apiUsed = !!this.passwordBytes_;
 
     // Retrieve the e-mail address of the user who just authenticated from GAIA.
     window.parent.postMessage({method: 'retrieveAuthenticatedUserEmail',
                                attemptToken: this.attemptToken_,
                                apiUsed: apiUsed},
                               this.parentPage_);
 
     if (!apiUsed) {
       this.supportChannel_.sendWithCallback(
           {name: 'getScrapedPasswords'},
           function(passwords) {
             if (passwords.length == 0) {
               window.parent.postMessage(
                   {method: 'noPassword', email: this.email_},
                   this.parentPage_);
             } else {
               window.parent.postMessage({method: 'confirmPassword',
                                          email: this.email_,
                                          passwordCount: passwords.length},
                                         this.parentPage_);
             }
           }.bind(this));
     }
   },
 
   maybeCompleteSAMLLogin_: function() {
     // SAML login is complete when the user's e-mail address has been retrieved
     // from GAIA and the user has successfully confirmed the password.
-    if (this.email_ !== null && this.password_ !== null)
+    if (this.email_ !== null && this.passwordBytes_ !== null)
       this.completeLogin_();
   },
 
   onVerifyConfirmedPassword_: function(password) {
     this.supportChannel_.sendWithCallback(
         {name: 'getScrapedPasswords'},
         function(passwords) {
           for (var i = 0; i < passwords.length; ++i) {
             if (passwords[i] == password) {
-              this.password_ = passwords[i];
+              this.passwordBytes_ = passwords[i];
               this.maybeCompleteSAMLLogin_();
               return;
             }
           }
           window.parent.postMessage(
               {method: 'confirmPassword', email: this.email_},
               this.parentPage_);
         }.bind(this));
   },
 
   onMessage: function(e) {
     var msg = e.data;
     if (msg.method == 'attemptLogin' && this.isGaiaMessage_(e)) {
       this.email_ = msg.email;
-      this.password_ = msg.password;
+      this.passwordBytes_ = msg.password;
       this.attemptToken_ = msg.attemptToken;
       this.chooseWhatToSync_ = msg.chooseWhatToSync;
       this.isSAMLFlow_ = false;
       if (this.isSAMLEnabled_)
         this.supportChannel_.send({name: 'startAuth'});
     } else if (msg.method == 'clearOldAttempts' && this.isGaiaMessage_(e)) {
       this.email_ = null;
-      this.password_ = null;
+      this.passwordBytes_ = null;
       this.attemptToken_ = null;
       this.isSAMLFlow_ = false;
       this.onLoginUILoaded_();
       if (this.isSAMLEnabled_)
         this.supportChannel_.send({name: 'resetAuth'});
     } else if (msg.method == 'setAuthenticatedUserEmail' &&
                this.isParentMessage_(e)) {
       if (this.attemptToken_ == msg.attemptToken) {
         this.email_ = msg.email;
         this.maybeCompleteSAMLLogin_();
       }
     } else if (msg.method == 'confirmLogin' && this.isInternalMessage_(e)) {
       if (this.attemptToken_ == msg.attemptToken)
         this.onConfirmLogin_();
       else
         console.error('Authenticator.onMessage: unexpected attemptToken!?');
     } else if (msg.method == 'verifyConfirmedPassword' &&
                this.isParentMessage_(e)) {
       this.onVerifyConfirmedPassword_(msg.password);
     } else if (msg.method == 'redirectToSignin' &&
                this.isParentMessage_(e)) {
       $('gaia-frame').src = this.constructInitialFrameUrl_();
     } else {
        console.error('Authenticator.onMessage: unknown message + origin!?');
     }
   }
 };
 
 Authenticator.getInstance().initialize();