Network traffic annotation added to google_apis/gaia.

google_apis/gaia/gaia_oauth_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "google_apis/gaia/gaia_oauth_client.h"
 
 #include <memory>
 #include <utility>
 
 #include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/base/escape.h"
 #include "net/base/load_flags.h"
 #include "net/http/http_status_code.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_fetcher_delegate.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "url/gurl.h"
 
 namespace {
 const char kAccessTokenValue[] = "access_token";
 const char kRefreshTokenValue[] = "refresh_token";
 const char kExpiresInValue[] = "expires_in";
 }
@@ skipping 56 matching lines @@
 
   ~Core() override {}
 
   void GetUserInfoImpl(RequestType type,
                        const std::string& oauth_access_token,
                        int max_retries,
                        Delegate* delegate);
   void MakeGaiaRequest(const GURL& url,
                        const std::string& post_body,
                        int max_retries,
-                       GaiaOAuthClient::Delegate* delegate);
+                       GaiaOAuthClient::Delegate* delegate,
+                       net::NetworkTrafficAnnotationTag& traffic_annotation);
   void HandleResponse(const net::URLFetcher* source,
                       bool* should_retry_request);
 
   int num_retries_;
   scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
   GaiaOAuthClient::Delegate* delegate_;
   std::unique_ptr<net::URLFetcher> request_;
   RequestType request_type_;
 };
 
 void GaiaOAuthClient::Core::GetTokensFromAuthCode(
     const OAuthClientInfo& oauth_client_info,
     const std::string& auth_code,
     int max_retries,
     GaiaOAuthClient::Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   request_type_ = TOKENS_FROM_AUTH_CODE;
   std::string post_body =
       "code=" + net::EscapeUrlEncodedData(auth_code, true) +
       "&client_id=" + net::EscapeUrlEncodedData(oauth_client_info.client_id,
                                                 true) +
       "&client_secret=" +
       net::EscapeUrlEncodedData(oauth_client_info.client_secret, true) +
       "&redirect_uri=" +
       net::EscapeUrlEncodedData(oauth_client_info.redirect_uri, true) +
       "&grant_type=authorization_code";
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."
+          description: "..."

[msarda, 2017/05/22 11:49:35]

This request exchanges an authorization code for an OAuth 2.0 refresh token and
an OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:35]

This request is triggered at when another service of Chrome requires an access
token and a refresh token (e.g. Cloud Print, Chrome Remote Desktop etc.)
See https://developers.google.com/identity/protocols/OAuth2 for more information
about the Google implementation of the OAuth 2.0 protocol.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:35]

The Google console client ID and client secret of the caller, the OAuth
authorization code and the redirect URI.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:36]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:36]

This feature cannot be disabled in settings.

However I am not 100% certain about the statement: "but if user signs out of
Chrome, this request would not be made."

+          chrome_policy {

[msarda, 2017/05/22 11:49:36]

I have no idea if this is gated on any policy. It may be gated on SigninAllowed,
but I think that is an artifact today (basically, you need to be signed in today
as otherwise there is no account that you may use in Chrome). But I am not sure.

Maybe rogerta@ knows.

+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::RefreshToken(
     const OAuthClientInfo& oauth_client_info,
     const std::string& refresh_token,
     const std::vector<std::string>& scopes,
     int max_retries,
     GaiaOAuthClient::Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   request_type_ = REFRESH_TOKEN;
   std::string post_body =
       "refresh_token=" + net::EscapeUrlEncodedData(refresh_token, true) +
       "&client_id=" + net::EscapeUrlEncodedData(oauth_client_info.client_id,
                                                 true) +
       "&client_secret=" +
       net::EscapeUrlEncodedData(oauth_client_info.client_secret, true) +
       "&grant_type=refresh_token";
 
   if (!scopes.empty()) {
     std::string scopes_string = base::JoinString(scopes, " ");
     post_body += "&scope=" + net::EscapeUrlEncodedData(scopes_string, true);
   }
 
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[msarda, 2017/05/22 11:49:35]

Same as above

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          description: "..."

[msarda, 2017/05/22 11:49:36]

This request fetches a fresh access token that can be used to authenticate an
API call to a Google web endpoint.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:36]

This is called whenever the caller needs a fresh OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:36]

The OAuth 2.0 refresh token, the Google console client ID and client secret of
the caller, and optionally the scopes of the API for which the access token
should be authorized.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:35]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:36]

Same as above.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          chrome_policy {
+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::GetUserEmail(const std::string& oauth_access_token,
                                          int max_retries,
                                          Delegate* delegate) {
   GetUserInfoImpl(USER_EMAIL, oauth_access_token, max_retries, delegate);
 }
 
 void GaiaOAuthClient::Core::GetUserId(const std::string& oauth_access_token,
                                       int max_retries,
@@ skipping 10 matching lines @@
 void GaiaOAuthClient::Core::GetUserInfoImpl(
     RequestType type,
     const std::string& oauth_access_token,
     int max_retries,
     Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   DCHECK(!request_.get());
   request_type_ = type;
   delegate_ = delegate;
   num_retries_ = 0;
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_core_get_user_info", R"(
+        semantics {
+          sender: "OAuth2 Client"

[msarda, 2017/05/22 11:49:35]

I am a bit split about the sender. In the other changes in gaia_auth_fetcher, we
used the sender "Chrome - Google authentication API".

The files in here also make calls to GAIA, however they are more related to
OAuth 2.0 calls. Should we use  "Chrome - Google authentication API" or "OAuth
2.0 Client" in this file?

[Ramin Halavati, 2017/05/22 12:42:16]

I am not sure, I used the latter, but if you have more feelings about the
former, I will change it.

+          description: "This request is used to fetch user information."
+          trigger:
+            "The main trigger for this request in the AccountTrackerService "
+            "that fetches the user info soon after the user signs in."
+          data:
+            "The OAUth2 access token of the account."

[msarda, 2017/05/22 11:49:35]

s/OAUth2/OAuth 2.0

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting: "This feature cannot be disabled in settings."
+          policy_exception_justification:
+            "Not implemented. Disabling this fetcher would break features that "
+            "require user information about of the account that is signed in ("
+            "e.g. the profile switcher UI, the settings UI etc)."
+        })");
   request_ = net::URLFetcher::Create(
       kUrlFetcherId, GURL(GaiaUrls::GetInstance()->oauth_user_info_url()),
-      net::URLFetcher::GET, this);
+      net::URLFetcher::GET, this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->AddExtraRequestHeader("Authorization: OAuth " + oauth_access_token);
   request_->SetMaxRetriesOn5xx(max_retries);
   request_->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
                          net::LOAD_DO_NOT_SAVE_COOKIES);
   MarkURLFetcherAsGaia(request_.get());
 
   // Fetchers are sometimes cancelled because a network change was detected,
   // especially at startup and after sign-in on ChromeOS. Retrying once should
   // be enough in those cases; let the fetcher retry up to 3 times just in case.
   // http://crbug.com/163710
   request_->SetAutomaticallyRetryOnNetworkChanges(3);
   request_->Start();
 }
 
 void GaiaOAuthClient::Core::GetTokenInfo(const std::string& qualifier,
                                          const std::string& query,
                                          int max_retries,
                                          Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   DCHECK(!request_.get());
   request_type_ = TOKEN_INFO;
   std::string post_body =
       qualifier + "=" + net::EscapeUrlEncodedData(query, true);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[msarda, 2017/05/22 11:49:35]

Same as above.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          description: "..."

[msarda, 2017/05/22 11:49:36]

This request fetches information about an OAuth 2.0 access token - the response
is a dictionary of response values. The provided access token may have any
scope, and basic results will be returned: issued_to, audience, scope,
expires_in, access_type. In addition, if the
https://www.googleapis.com/auth/userinfo.email scope is present, the email and
verified_email fields will be returned. If the
https://www.googleapis.com/auth/userinfo.profile scope is present, the
user_id field will be returned.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:36]

This is triggered after a Google account is added to the browser. It it also
triggered after each successful fetch of an OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:35]

The OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:36]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:35]

"This feature cannot be disabled in settings."

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          chrome_policy {
+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
   MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_info_url()),
-                  post_body,
-                  max_retries,
-                  delegate);
+                  post_body, max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::MakeGaiaRequest(
     const GURL& url,
     const std::string& post_body,
     int max_retries,
-    GaiaOAuthClient::Delegate* delegate) {
+    GaiaOAuthClient::Delegate* delegate,
+    const net::NetworkTrafficAnnotationTag& traffic_annotation) {
   DCHECK(!request_.get()) << "Tried to fetch two things at once!";
   delegate_ = delegate;
   num_retries_ = 0;
-  request_ =
-      net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST, this);
+  request_ = net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST,
+                                     this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->SetUploadData("application/x-www-form-urlencoded", post_body);
   request_->SetMaxRetriesOn5xx(max_retries);
   request_->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
                          net::LOAD_DO_NOT_SAVE_COOKIES);
   MarkURLFetcherAsGaia(request_.get());
   // See comment on SetAutomaticallyRetryOnNetworkChanges() above.
   request_->SetAutomaticallyRetryOnNetworkChanges(3);
   request_->Start();
 }
@@ skipping 177 matching lines @@
 }
 
 void GaiaOAuthClient::GetTokenHandleInfo(const std::string& token_handle,
                                          int max_retries,
                                          Delegate* delegate) {
   return core_->GetTokenInfo("token_handle", token_handle, max_retries,
                              delegate);
 }
 
 }  // namespace gaia