Network traffic annotation added to google_apis/gaia.

google_apis/gaia/gaia_oauth_client.cc

Index: google_apis/gaia/gaia_oauth_client.cc
diff --git a/google_apis/gaia/gaia_oauth_client.cc b/google_apis/gaia/gaia_oauth_client.cc
index 8947febbc4dc270bed73f7d7ed2bf00e2be9bfd1..465f4123cb1df8b917c08ae24026e97324872f62 100644
--- a/google_apis/gaia/gaia_oauth_client.cc
+++ b/google_apis/gaia/gaia_oauth_client.cc
@@ -16,6 +16,7 @@
 #include "net/base/escape.h"
 #include "net/base/load_flags.h"
 #include "net/http/http_status_code.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_fetcher_delegate.h"
 #include "net/url_request/url_request_context_getter.h"
@@ -92,7 +93,8 @@ class GaiaOAuthClient::Core
   void MakeGaiaRequest(const GURL& url,
                        const std::string& post_body,
                        int max_retries,
-                       GaiaOAuthClient::Delegate* delegate);
+                       GaiaOAuthClient::Delegate* delegate,
+                       net::NetworkTrafficAnnotationTag& traffic_annotation);
   void HandleResponse(const net::URLFetcher* source,
                       bool* should_retry_request);
 
@@ -119,8 +121,28 @@ void GaiaOAuthClient::Core::GetTokensFromAuthCode(
       "&redirect_uri=" +
       net::EscapeUrlEncodedData(oauth_client_info.redirect_uri, true) +
       "&grant_type=authorization_code";
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."
+          description: "..."

[msarda, 2017/05/22 11:49:35]

This request exchanges an authorization code for an OAuth 2.0 refresh token and
an OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:35]

This request is triggered at when another service of Chrome requires an access
token and a refresh token (e.g. Cloud Print, Chrome Remote Desktop etc.)
See https://developers.google.com/identity/protocols/OAuth2 for more information
about the Google implementation of the OAuth 2.0 protocol.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:35]

The Google console client ID and client secret of the caller, the OAuth
authorization code and the redirect URI.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:36]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:36]

This feature cannot be disabled in settings.

However I am not 100% certain about the statement: "but if user signs out of
Chrome, this request would not be made."

+          chrome_policy {

[msarda, 2017/05/22 11:49:36]

I have no idea if this is gated on any policy. It may be gated on SigninAllowed,
but I think that is an artifact today (basically, you need to be signed in today
as otherwise there is no account that you may use in Chrome). But I am not sure.

Maybe rogerta@ knows.

+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::RefreshToken(
@@ -144,8 +166,28 @@ void GaiaOAuthClient::Core::RefreshToken(
     post_body += "&scope=" + net::EscapeUrlEncodedData(scopes_string, true);
   }
 
-  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()),
-                  post_body, max_retries, delegate);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[msarda, 2017/05/22 11:49:35]

Same as above

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          description: "..."

[msarda, 2017/05/22 11:49:36]

This request fetches a fresh access token that can be used to authenticate an
API call to a Google web endpoint.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:36]

This is called whenever the caller needs a fresh OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:36]

The OAuth 2.0 refresh token, the Google console client ID and client secret of
the caller, and optionally the scopes of the API for which the access token
should be authorized.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:35]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:36]

Same as above.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          chrome_policy {
+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
+  MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_url()), post_body,
+                  max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::GetUserEmail(const std::string& oauth_access_token,
@@ -176,9 +218,29 @@ void GaiaOAuthClient::Core::GetUserInfoImpl(
   request_type_ = type;
   delegate_ = delegate;
   num_retries_ = 0;
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_core_get_user_info", R"(
+        semantics {
+          sender: "OAuth2 Client"

[msarda, 2017/05/22 11:49:35]

I am a bit split about the sender. In the other changes in gaia_auth_fetcher, we
used the sender "Chrome - Google authentication API".

The files in here also make calls to GAIA, however they are more related to
OAuth 2.0 calls. Should we use  "Chrome - Google authentication API" or "OAuth
2.0 Client" in this file?

[Ramin Halavati, 2017/05/22 12:42:16]

I am not sure, I used the latter, but if you have more feelings about the
former, I will change it.

+          description: "This request is used to fetch user information."
+          trigger:
+            "The main trigger for this request in the AccountTrackerService "
+            "that fetches the user info soon after the user signs in."
+          data:
+            "The OAUth2 access token of the account."

[msarda, 2017/05/22 11:49:35]

s/OAUth2/OAuth 2.0

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting: "This feature cannot be disabled in settings."
+          policy_exception_justification:
+            "Not implemented. Disabling this fetcher would break features that "
+            "require user information about of the account that is signed in ("
+            "e.g. the profile switcher UI, the settings UI etc)."
+        })");
   request_ = net::URLFetcher::Create(
       kUrlFetcherId, GURL(GaiaUrls::GetInstance()->oauth_user_info_url()),
-      net::URLFetcher::GET, this);
+      net::URLFetcher::GET, this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->AddExtraRequestHeader("Authorization: OAuth " + oauth_access_token);
   request_->SetMaxRetriesOn5xx(max_retries);
@@ -203,22 +265,41 @@ void GaiaOAuthClient::Core::GetTokenInfo(const std::string& qualifier,
   request_type_ = TOKEN_INFO;
   std::string post_body =
       qualifier + "=" + net::EscapeUrlEncodedData(query, true);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[msarda, 2017/05/22 11:49:35]

Same as above.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          description: "..."

[msarda, 2017/05/22 11:49:36]

This request fetches information about an OAuth 2.0 access token - the response
is a dictionary of response values. The provided access token may have any
scope, and basic results will be returned: issued_to, audience, scope,
expires_in, access_type. In addition, if the
https://www.googleapis.com/auth/userinfo.email scope is present, the email and
verified_email fields will be returned. If the
https://www.googleapis.com/auth/userinfo.profile scope is present, the
user_id field will be returned.

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          trigger: "..."

[msarda, 2017/05/22 11:49:36]

This is triggered after a Google account is added to the browser. It it also
triggered after each successful fetch of an OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          data: "..."

[msarda, 2017/05/22 11:49:35]

The OAuth 2.0 access token.

[Ramin Halavati, 2017/05/22 12:42:17]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[msarda, 2017/05/22 11:49:36]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+        }
+        policy {
+          cookies_allowed: false
+          setting: "..."

[msarda, 2017/05/22 11:49:35]

"This feature cannot be disabled in settings."

[Ramin Halavati, 2017/05/22 12:42:16]

Done.

+          chrome_policy {
+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
   MakeGaiaRequest(GURL(GaiaUrls::GetInstance()->oauth2_token_info_url()),
-                  post_body,
-                  max_retries,
-                  delegate);
+                  post_body, max_retries, delegate, traffic_annotation);
 }
 
 void GaiaOAuthClient::Core::MakeGaiaRequest(
     const GURL& url,
     const std::string& post_body,
     int max_retries,
-    GaiaOAuthClient::Delegate* delegate) {
+    GaiaOAuthClient::Delegate* delegate,
+    const net::NetworkTrafficAnnotationTag& traffic_annotation) {
   DCHECK(!request_.get()) << "Tried to fetch two things at once!";
   delegate_ = delegate;
   num_retries_ = 0;
-  request_ =
-      net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST, this);
+  request_ = net::URLFetcher::Create(kUrlFetcherId, url, net::URLFetcher::POST,
+                                     this, traffic_annotation);
   request_->SetRequestContext(request_context_getter_.get());
   request_->SetUploadData("application/x-www-form-urlencoded", post_body);
   request_->SetMaxRetriesOn5xx(max_retries);