
Unified Diff: chrome/browser/resources/gaia_auth/main.js

Issue 258123002: Implement a second version of the credentials passing API (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Addressed comment. Created 6 years, 8 months ago
Index: chrome/browser/resources/gaia_auth/main.js
diff --git a/chrome/browser/resources/gaia_auth/main.js b/chrome/browser/resources/gaia_auth/main.js
index e1daff6e7ffc0450573b2302ddd2f61c9e40ec14..59430ad9362344575812846f61702a07aeff4e41 100644
--- a/chrome/browser/resources/gaia_auth/main.js
+++ b/chrome/browser/resources/gaia_auth/main.js
@@ -16,6 +16,26 @@ Authenticator.THIS_EXTENSION_ORIGIN =
'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik';
/**
+ * The lowest version of the credentials passing API supported.
+ * @type {number}
+ */
+Authenticator.MIN_API_VERSION_VERSION = 1;
+
+/**
+ * The highest version of the credentials passing API supported.
+ * @type {number}
+ */
+Authenticator.MAX_API_VERSION_VERSION = 2;
+
+/**
+ * The key types supported for credentials passing API 2 and higher.
+ * @type {Array} Array of strings.
+ */
+Authenticator.API_KEY_TYPES = [
+ 'KEY_TYPE_PASSWORD_PLAIN',
Jorge Lucangeli Obes 2014/04/30 22:31:37 Is this equivalent of what we're doing in v1?
bartfab (slow) 2014/05/01 22:47:48 Yes. For now, both v1 and v2 expect the password i
Jorge Lucangeli Obes 2014/05/01 23:00:24 IIUC the password is transmitted in plaintext, but
bartfab (slow) 2014/05/02 06:29:53 The password is sent to two places: 1) The SAML I
+];
+
+/**
* Singleton getter of Authenticator.
* @return {Object} The singleton instance of Authenticator.
*/
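Review bot: The new constants `Authenticator.MIN_API_VERSION_VERSION` and `Authenticator.MAX_API_VERSION_VERSION` carry a doubled `_VERSION` suffix, which reads like a copy-paste slip and makes the version checks in `onAPICall_` harder to scan. I would name them `Authenticator.MIN_API_VERSION = 1;` and `Authenticator.MAX_API_VERSION = 2;` and update the uses in the `onAPICall_` hunk to match. The annotation on `API_KEY_TYPES` could also state the element type directly, `@type {Array.<string>}`, instead of describing it in trailing prose.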
@@ -28,7 +48,7 @@ Authenticator.getInstance = function() {
Authenticator.prototype = {
email_: null,
- password_: null,
+ passwordBytes_: null,
attemptToken_: null,
// Input params from extension initialization URL.
@@ -175,7 +195,8 @@ Authenticator.prototype = {
var msg = {
'method': 'completeLogin',
'email': (opt_extraMsg && opt_extraMsg.email) || this.email_,
- 'password': (opt_extraMsg && opt_extraMsg.password) || this.password_,
+ 'password': (opt_extraMsg && opt_extraMsg.password) ||
+ this.passwordBytes_,
'usingSAML': this.isSAMLFlow_,
'chooseWhatToSync': this.chooseWhatToSync_ || false,
'skipForNow': opt_extraMsg && opt_extraMsg.skipForNow,
@@ -231,10 +252,10 @@ Authenticator.prototype = {
if (isSAMLPage && !this.isSAMLFlow_) {
// GAIA redirected to a SAML login page. The credentials provided to this
// page will determine what user gets logged in. The credentials obtained
- // from the GAIA login from are no longer relevant and can be discarded.
+ // from the GAIA login form are no longer relevant and can be discarded.
this.isSAMLFlow_ = true;
this.email_ = null;
- this.password_ = null;
+ this.passwordBytes_ = null;
}
window.parent.postMessage({
@@ -260,10 +281,46 @@ Authenticator.prototype = {
*/
onAPICall_: function(msg) {
var call = msg.call;
+ if (call.method == 'initialize') {
+ // TODO(bartfab): There was no |requestedVersion| parameter in version 1
+ // of the API. Remove this code once all consumers have switched to
+ // version 2 or higher.
+ if (!call.hasOwnProperty('requestedVersion')) {
+ if (Authenticator.MIN_API_VERSION_VERSION == 1) {
+ this.apiVersion_ = 1;
+ this.initialized_ = true;
+ this.sendInitializationSuccess_();
+ }
+ // The glue code for API version 1 interprets all responses as success.
+ // Instead of reporting failure, do not send any response at all.
+ return;
+ }
+
+ if (!Number.isInteger(call.requestedVersion) ||
+ call.requestedVersion < Authenticator.MIN_API_VERSION_VERSION) {
+ this.sendInitializationFailure_();
+ return;
+ }
+
+ this.apiVersion_ = Math.min(call.requested_version,
+ Authenticator.MAX_API_VERSION_VERSION);
+ this.initialized_ = true;
+ this.sendInitializationSuccess_();
+ return;
+ }
+
if (call.method == 'add') {
+ if (this.apiVersion_ > 1 &&
+ Authenticator.API_KEY_TYPES.indexOf(call.keyType) == -1) {
+ console.error('Authenticator.onAPICall_: unsupported key type');
+ return;
+ }
this.apiToken_ = call.token;
this.email_ = call.user;
- this.password_ = call.password;
+ if (this.apiVersion_ == 1)
+ this.passwordBytes_ = call.password;
+ else
+ this.passwordBytes_ = call.passwordBytes;
} else if (call.method == 'confirm') {
if (call.token != this.apiToken_)
console.error('Authenticator.onAPICall_: token mismatch');
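Review bot: In the `initialize` branch the negotiated version is computed from `call.requested_version`, while the validation just above it reads `call.requestedVersion`; the misspelt property is undefined, so `Math.min(undefined, …)` yields NaN and `apiVersion_` becomes NaN for every caller that passes the version check. With NaN both `this.apiVersion_ > 1` and `this.apiVersion_ == 1` are false, so the key-type check in `add` is skipped, `call.passwordBytes` is stored unchecked, and `sendInitializationSuccess_` omits `keyTypes`. The line should read `this.apiVersion_ = Math.min(call.requestedVersion,`. The same fall-through occurs when `add` arrives before any `initialize` call, because `apiVersion_` is still unset, so it may be worth ignoring `add` unless `this.initialized_` is set. The rest of `onAPICall_` lies outside this hunk, so confirm that no such guard already exists there.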
@@ -272,13 +329,31 @@ Authenticator.prototype = {
}
},
+ sendInitializationSuccess_: function() {
+ var response = {
+ result: 'initialized',
+ version: this.apiVersion_
+ };
+ if (this.apiVersion_ >= 2)
+ response['keyTypes'] = Authenticator.API_KEY_TYPES;
+
+ this.supportChannel_.send({name: 'apiResponse', response: response});
+ },
+
+ sendInitializationFailure_: function() {
+ this.supportChannel_.send({
+ name: 'apiResponse',
+ response: {result: 'initialization_failed'}
+ });
+ },
+
onConfirmLogin_: function() {
if (!this.isSAMLFlow_) {
this.completeLogin_();
return;
}
- var apiUsed = !!this.password_;
+ var apiUsed = !!this.passwordBytes_;
// Retrieve the e-mail address of the user who just authenticated from GAIA.
window.parent.postMessage({method: 'retrieveAuthenticatedUserEmail',
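Review bot: `sendInitializationSuccess_` and `sendInitializationFailure_` are added without a JSDoc header, although `onAPICall_` directly above them has one. I would document each with a short block, for example `/** Reports the negotiated API version and, for version 2 and higher, the supported key types to the API consumer. */` and `/** Reports that the requested API version is not supported. */`. The `apiVersion_` and `initialized_` members they depend on are not among the prototype fields visible in the earlier hunk (`email_`, `passwordBytes_`, `attemptToken_`); if they are not declared elsewhere, giving them explicit defaults there would make the pre-initialization state clear. This hunk starts inside `onAPICall_` and ends inside `onConfirmLogin_`, so only the two new methods are fully visible.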
@@ -307,7 +382,7 @@ Authenticator.prototype = {
maybeCompleteSAMLLogin_: function() {
// SAML login is complete when the user's e-mail address has been retrieved
// from GAIA and the user has successfully confirmed the password.
- if (this.email_ !== null && this.password_ !== null)
+ if (this.email_ !== null && this.passwordBytes_ !== null)
this.completeLogin_();
},
@@ -317,7 +392,7 @@ Authenticator.prototype = {
function(passwords) {
for (var i = 0; i < passwords.length; ++i) {
if (passwords[i] == password) {
- this.password_ = passwords[i];
+ this.passwordBytes_ = passwords[i];
this.maybeCompleteSAMLLogin_();
return;
}
@@ -332,7 +407,7 @@ Authenticator.prototype = {
var msg = e.data;
if (msg.method == 'attemptLogin' && this.isGaiaMessage_(e)) {
this.email_ = msg.email;
- this.password_ = msg.password;
+ this.passwordBytes_ = msg.password;
this.attemptToken_ = msg.attemptToken;
this.chooseWhatToSync_ = msg.chooseWhatToSync;
this.isSAMLFlow_ = false;
@@ -340,7 +415,7 @@ Authenticator.prototype = {
this.supportChannel_.send({name: 'startAuth'});
} else if (msg.method == 'clearOldAttempts' && this.isGaiaMessage_(e)) {
this.email_ = null;
- this.password_ = null;
+ this.passwordBytes_ = null;
this.attemptToken_ = null;
this.isSAMLFlow_ = false;
this.onLoginUILoaded_();