Network traffic annotation added to google_apis/gaia.

google_apis/gaia/gaia_oauth_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "google_apis/gaia/gaia_oauth_client.h"
 
 #include <memory>
 #include <utility>
 
 #include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/base/escape.h"
 #include "net/base/load_flags.h"
 #include "net/http/http_status_code.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_fetcher_delegate.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "url/gurl.h"
 
 namespace {
 const char kAccessTokenValue[] = "access_token";
 const char kRefreshTokenValue[] = "refresh_token";
 const char kExpiresInValue[] = "expires_in";
 }
@@ skipping 53 matching lines @@
     USER_ID,
     USER_INFO,
   };
 
   ~Core() override {}
 
   void GetUserInfoImpl(RequestType type,
                        const std::string& oauth_access_token,
                        int max_retries,
                        Delegate* delegate);
-  void MakeGaiaRequest(const GURL& url,
-                       const std::string& post_body,
-                       int max_retries,
-                       GaiaOAuthClient::Delegate* delegate);
+  void MakeGaiaRequest(
+      const GURL& url,
+      const std::string& post_body,
+      int max_retries,
+      GaiaOAuthClient::Delegate* delegate,
+      const net::NetworkTrafficAnnotationTag& traffic_annotation);
   void HandleResponse(const net::URLFetcher* source,
                       bool* should_retry_request);
 
   int num_retries_;
   scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
   GaiaOAuthClient::Delegate* delegate_;
   std::unique_ptr<net::URLFetcher> request_;
   RequestType request_type_;
 };
 
 void GaiaOAuthClient::Core::GetTokensFromAuthCode(
     const OAuthClientInfo& oauth_client_info,
     const std::string& auth_code,
     int max_retries,
     GaiaOAuthClient::Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   request_type_ = TOKENS_FROM_AUTH_CODE;
   std::string post_body =
       "code=" + net::EscapeUrlEncodedData(auth_code, true) +
       "&client_id=" + net::EscapeUrlEncodedData(oauth_client_info.client_id,
                                                 true) +
       "&client_secret=" +
       net::EscapeUrlEncodedData(oauth_client_info.client_secret, true) +
       "&redirect_uri=" +
       net::EscapeUrlEncodedData(oauth_client_info.redirect_uri, true) +
       "&grant_type=authorization_code";
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_oauth_client_get_tokens", R"(
+        semantics {
+          sender: "OAuth 2.0 calls"
+          description:
+            "This request exchanges an authorization code for an OAuth 2.0 "
+            "refresh token and an OAuth 2.0 access token."
+          trigger:
+            "This request is triggered when a Chrome service requires an "
+            "access token and a refresh token (e.g. Cloud Print, Chrome Remote "
+            "Desktop etc.) See https://developers.google.com/identity/protocols"
+            "/OAuth2 for more information about the Google implementation of "
+            "the OAuth 2.0 protocol."
+          data:
+            "The Google console client ID and client secret of the caller, the "
+            "OAuth authorization code and the redirect URI."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "

[msramek, 2017/05/26 13:44:20]

nit: the user (as in the other CL)

[Ramin Halavati, 2017/05/29 05:36:53]

Done.

+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::RefreshToken(
     const OAuthClientInfo& oauth_client_info,
     const std::string& refresh_token,
     const std::vector<std::string>& scopes,
     int max_retries,
     GaiaOAuthClient::Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   request_type_ = REFRESH_TOKEN;
   std::string post_body =
       "refresh_token=" + net::EscapeUrlEncodedData(refresh_token, true) +
       "&client_id=" + net::EscapeUrlEncodedData(oauth_client_info.client_id,
                                                 true) +
       "&client_secret=" +
       net::EscapeUrlEncodedData(oauth_client_info.client_secret, true) +
       "&grant_type=refresh_token";
 
   if (!scopes.empty()) {
     std::string scopes_string = base::JoinString(scopes, " ");
     post_body += "&scope=" + net::EscapeUrlEncodedData(scopes_string, true);
   }
 
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_oauth_client_refresh_token", R"(
+        semantics {
+          sender: "OAuth 2.0 calls"
+          description:
+            "This request fetches a fresh access token that can be used to "
+            "authenticate an API call to a Google web endpoint."
+          trigger:
+            "This is called whenever the caller needs a fresh OAuth 2.0 access "
+            "token."
+          data:
+            "The OAuth 2.0 refresh token, the Google console client ID and "
+            "client secret of the caller, and optionally the scopes of the API "
+            "for which the access token should be authorized."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::GetUserEmail(const std::string& oauth_access_token,
                                          int max_retries,
                                          Delegate* delegate) {
   GetUserInfoImpl(USER_EMAIL, oauth_access_token, max_retries, delegate);
 }
 
 void GaiaOAuthClient::Core::GetUserId(const std::string& oauth_access_token,
                                       int max_retries,
@@ skipping 10 matching lines @@
 void GaiaOAuthClient::Core::GetUserInfoImpl(
     RequestType type,
     const std::string& oauth_access_token,
     int max_retries,
     Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   DCHECK(!request_.get());
   request_type_ = type;
   delegate_ = delegate;
   num_retries_ = 0;
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_core_get_user_info", R"(
+        semantics {
+          sender: "OAuth 2.0 calls"
+          description: "This request is used to fetch user information."

[msramek, 2017/05/26 13:44:20]

What kind of information?

Some basic information from the user's Google Account? Or from the service to
which the token is scoped to? Etc. I get that this is probably a generic
function, but the current description is valid for pretty much any request :)

[msarda, 2017/05/31 07:44:25]

Let's rephrase this to something like:
"This request is used to fetch profile information about the user (e.g. the
email, the ID of the account, the full name, the profile picture)."

[Ramin Halavati, 2017/05/31 07:50:53]

By "e.g." you mean other items may also be fetched? If yes, can we name them as
well?

[msarda, 2017/05/31 08:32:14]

The data we get is a dictionary. I do not know the entire fields on this
dictionary (this is also something controller by the server, so new fields may
be added in the future without Chrome actually processing them). Chrome
processes them in various places - take a look at the classes that override the
method OnGetUserInfoResponse:
https://cs.chromium.org/chromium/src/google_apis/gaia/gaia_oauth_client.h?rcl...

The one that I think extracts most of this data is here:
https://cs.chromium.org/chromium/src/components/signin/core/browser/account_t...

[Ramin Halavati, 2017/05/31 09:09:43]

Thank you. I think as here we mostly care about what is sent, we can keep it at
this level.

+          trigger:
+            "The main trigger for this request in the AccountTrackerService "

[msramek, 2017/05/26 13:44:20]

typo: is in

[Ramin Halavati, 2017/05/29 05:36:53]

Done.

+            "that fetches the user info soon after the user signs in."
+          data:
+            "The OAuth 2.0 access token of the account."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   request_ = net::URLFetcher::Create(
       kUrlFetcherId, GURL(GaiaUrls::GetInstance()->oauth_user_info_url()),
-      net::URLFetcher::GET, this);
+      net::URLFetcher::GET, this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->AddExtraRequestHeader("Authorization: OAuth " + oauth_access_token);
   request_->SetMaxRetriesOn5xx(max_retries);
   request_->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
                          net::LOAD_DO_NOT_SAVE_COOKIES);
   MarkURLFetcherAsGaia(request_.get());
 
   // Fetchers are sometimes cancelled because a network change was detected,
   // especially at startup and after sign-in on ChromeOS. Retrying once should
   // be enough in those cases; let the fetcher retry up to 3 times just in case.
   // http://crbug.com/163710
   request_->SetAutomaticallyRetryOnNetworkChanges(3);
   request_->Start();
 }
 
 void GaiaOAuthClient::Core::GetTokenInfo(const std::string& qualifier,
                                          const std::string& query,
                                          int max_retries,
                                          Delegate* delegate) {
   DCHECK_EQ(request_type_, NO_PENDING_REQUEST);
   DCHECK(!request_.get());
   request_type_ = TOKEN_INFO;
   std::string post_body =
       qualifier + "=" + net::EscapeUrlEncodedData(query, true);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "OAuth 2.0 calls"
+          description:
+            "This request fetches information about an OAuth 2.0 access token. "
+            "The response is a dictionary of response values. The provided "
+            "access token may have any scope, and basic results will be "
+            "returned: issued_to, audience, scope, expires_in, access_type. In "
+            "addition, if the https://www.googleapis.com/auth/userinfo.email "
+            "scope is present, the email and verified_email fields will be "
+            "returned. If the https://www.googleapis.com/auth/userinfo.profile "
+            "scope is present, the user_id field will be returned."
+          trigger:
+            "This is triggered after a Google account is added to the browser. "
+            "It it also triggered after each successful fetch of an OAuth 2.0 "
+            "access token."
+          data: "The OAuth 2.0 access token."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_info_url()),
-                  post_body,
-                  max_retries,
-                  delegate);
+                  post_body, max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::MakeGaiaRequest(
     const GURL& url,
     const std::string& post_body,
     int max_retries,
-    GaiaOAuthClient::Delegate* delegate) {
+    GaiaOAuthClient::Delegate* delegate,
+    const net::NetworkTrafficAnnotationTag& traffic_annotation) {
   DCHECK(!request_.get()) << "Tried to fetch two things at once!";
   delegate_ = delegate;
   num_retries_ = 0;
-  request_ =
-      net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST, this);
+  request_ = net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST,
+                                     this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->SetUploadData("application/x-www-form-urlencoded", post_body);
   request_->SetMaxRetriesOn5xx(max_retries);
   request_->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
                          net::LOAD_DO_NOT_SAVE_COOKIES);
   MarkURLFetcherAsGaia(request_.get());
   // See comment on SetAutomaticallyRetryOnNetworkChanges() above.
   request_->SetAutomaticallyRetryOnNetworkChanges(3);
   request_->Start();
 }
@@ skipping 177 matching lines @@
 }
 
 void GaiaOAuthClient::GetTokenHandleInfo(const std::string& token_handle,
                                          int max_retries,
                                          Delegate* delegate) {
   return core_->GetTokenInfo("token_handle", token_handle, max_retries,
                              delegate);
 }
 
 }  // namespace gaia