Network traffic annotation added to gaia_auth_fetcher.

google_apis/gaia/gaia_auth_fetcher.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "google_apis/gaia/gaia_auth_fetcher.h"
 
 #include <string>
 #include <utility>
 #include <vector>
 
@@ skipping 201 matching lines @@
 
 void GaiaAuthFetcher::SetLogoutHeaders(const std::string& headers) {
   logout_headers_ = headers;
 }
 
 void GaiaAuthFetcher::CancelRequest() {
   fetcher_.reset();
   fetch_pending_ = false;
 }
 
-void GaiaAuthFetcher::CreateAndStartGaiaFetcher(const std::string& body,
-                                                const std::string& headers,
-                                                const GURL& gaia_gurl,
-                                                int load_flags) {
+void GaiaAuthFetcher::CreateAndStartGaiaFetcher(
+    const std::string& body,
+    const std::string& headers,
+    const GURL& gaia_gurl,
+    int load_flags,
+    const net::NetworkTrafficAnnotationTag& traffic_annotation) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
   fetcher_ = net::URLFetcher::Create(
       0, gaia_gurl, body.empty() ? net::URLFetcher::GET : net::URLFetcher::POST,
-      this);
+      this, traffic_annotation);
   fetcher_->SetRequestContext(getter_);
   fetcher_->SetUploadData("application/x-www-form-urlencoded", body);
   gaia::MarkURLFetcherAsGaia(fetcher_.get());
 
   VLOG(2) << "Gaia fetcher URL: " << gaia_gurl.spec();
   VLOG(2) << "Gaia fetcher headers: " << headers;
   VLOG(2) << "Gaia fetcher body: " << body;
 
   // The Gaia token exchange requests do not require any cookie-based
   // identification as part of requests.  We suppress sending any cookies to
@@ skipping 264 matching lines @@
 
     if (sessionDictionary->GetString("login_hint", login_hint))
       break;
   }
 
   if (login_hint->empty())
     return false;
   return true;
 }
 
-void GaiaAuthFetcher::StartIssueAuthToken(const std::string& sid,
-                                          const std::string& lsid,
-                                          const char* const service) {
-  DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
-  VLOG(1) << "Starting IssueAuthToken for: " << service;
-  requested_service_ = service;
-  request_body_ = MakeIssueAuthTokenBody(sid, lsid, service);
-  CreateAndStartGaiaFetcher(request_body_, std::string(),
-                            issue_auth_token_gurl_, kLoadFlagsIgnoreCookies);
-}
 
 void GaiaAuthFetcher::StartRevokeOAuth2Token(const std::string& auth_token) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   VLOG(1) << "Starting OAuth2 token revocation";
   request_body_ = MakeRevokeTokenBody(auth_token);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_revoke_token", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description: "This request revokes an OAuth 2.0 refresh token."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered whenever "
+            "an OAuth 2.0 refresh token needs to be revoked."
+          data: "The OAuth 2.0 refresh token that should be revoked."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "

[msramek, 2017/05/26 12:24:52]

nit: Not a native speaker, but should this be "the user"? (here and elsewhere)

[Ramin Halavati, 2017/05/29 08:00:49]

Done.

+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_revoke_gurl_,
-                            kLoadFlagsIgnoreCookies);
+                            kLoadFlagsIgnoreCookies, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartCookieForOAuthLoginTokenExchange(
     const std::string& session_index) {
   StartCookieForOAuthLoginTokenExchangeWithDeviceId(session_index,
                                                     std::string());
 }
 
 void GaiaAuthFetcher::StartCookieForOAuthLoginTokenExchangeWithDeviceId(
     const std::string& session_index,
@@ skipping 25 matching lines @@
   if (!session_index.empty())
     query_string += "&authuser=" + session_index;
 
   std::string device_id_header;
   if (!device_id.empty()) {
     device_id_header =
         base::StringPrintf(kDeviceIdHeaderFormat, device_id.c_str());
   }
 
   fetch_token_from_auth_code_ = fetch_token_from_auth_code;
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_cookies", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request exchanges the cookies of a Google signed-in user "
+            "session for an OAuth 2.0 refresh token."
+          trigger:
+            "This request is part of Gaia Auth API, and may be triggered at "
+            "the end of the Chrome sign-in flow."
+          data:
+            "The Google console client ID of the Chrome application, the ID of "
+            "the device, and the index of the session in the Google "
+            "authentication cookies."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(std::string(), device_id_header,
                             client_login_to_oauth2_gurl_.Resolve(query_string),
-                            net::LOAD_NORMAL);
+                            net::LOAD_NORMAL, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchange(
     const std::string& auth_code) {
   StartAuthCodeForOAuth2TokenExchangeWithDeviceId(auth_code, std::string());
 }
 
 void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
     const std::string& auth_code,
     const std::string& device_id) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   VLOG(1) << "Starting OAuth token pair fetch";
   request_body_ = MakeGetTokenPairBody(auth_code, device_id);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_device_id", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request exchanges an authorization code for an OAuth 2.0 "
+            "refresh token."
+          trigger:
+            "This request is part of Gaia Auth API, and may be triggered at "
+            "the end of the Chrome sign-in flow."
+          data:
+            "The Google console client ID and client secret of the Chrome "
+            "application, the OAuth 2.0 authorization code, and the ID of the "
+            "device."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_token_gurl_,
-                            kLoadFlagsIgnoreCookies);
+                            kLoadFlagsIgnoreCookies, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartGetUserInfo(const std::string& lsid) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   VLOG(1) << "Starting GetUserInfo for lsid=" << lsid;
   request_body_ = MakeGetUserInfoBody(lsid);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_get_user_info", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request fetches user information of a Google account."
+          trigger:
+            "This fetcher is only used after signing in with a child account."
+          data: "The value of the Google authentication LSID cookie."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(request_body_, std::string(), get_user_info_gurl_,
-                            kLoadFlagsIgnoreCookies);
+                            kLoadFlagsIgnoreCookies, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartMergeSession(const std::string& uber_token,
                                         const std::string& external_cc_result) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   VLOG(1) << "Starting MergeSession with uber_token=" << uber_token;
 
   // The continue URL is a required parameter of the MergeSession API, but in
   // this case we don't actually need or want to navigate to it.  Setting it to
   // an arbitrary Google URL.
   //
   // In order for the new session to be merged correctly, the server needs to
   // know what sessions already exist in the browser.  The fetcher needs to be
   // created such that it sends the cookies with the request, which is
   // different from all other requests the fetcher can make.
   std::string continue_url("http://www.google.com");
   std::string query = MakeMergeSessionQuery(uber_token, external_cc_result,
                                             continue_url, source_);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_merge_sessions", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request adds an account to the Google authentication cookies."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered whenever "
+            "a new Google account is added to the browser."
+          data:
+            "This request includes the user-auth token and sometimes a string "
+            "containing the result of connection checks for various Google web "
+            "properties."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(std::string(), std::string(),
                             merge_session_gurl_.Resolve(query),
-                            net::LOAD_NORMAL);
+                            net::LOAD_NORMAL, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartTokenFetchForUberAuthExchange(
     const std::string& access_token,
     bool is_bound_to_channel_id) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   VLOG(1) << "Starting StartTokenFetchForUberAuthExchange with access_token="
            << access_token;
   std::string authentication_header =
       base::StringPrintf(kOAuthHeaderFormat, access_token.c_str());
   int load_flags =
       is_bound_to_channel_id ? net::LOAD_NORMAL : kLoadFlagsIgnoreCookies;
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_fetch_for_uber", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request exchanges an Oauth2 access token for an uber-auth "
+            "token. This token may be used to add an account to the Google "
+            "authentication cookies."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered whenever "
+            "a new Google account is added to the browser."
+          data: "This request contains an OAuth 2.0 access token. "
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(std::string(), authentication_header,
-                            uberauth_token_gurl_, load_flags);
+                            uberauth_token_gurl_, load_flags,
+                            traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartOAuthLogin(const std::string& access_token,
                                       const std::string& service) {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
   request_body_ = MakeOAuthLoginBody(service, source_);
   std::string authentication_header =
       base::StringPrintf(kOAuth2BearerHeaderFormat, access_token.c_str());
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_login", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request exchanges an OAuthLogin-scoped oauth2 access token "
+            "for a ClientLogin-style service tokens. The response to this "

[msramek, 2017/05/26 12:24:52]

What is ClientLogin? Does this refer to the ClientLogin API?

This page https://developers.google.com/identity/protocols/AuthForInstalledApps
states that it's long deprecated, so I'm not sure if it makes sense to describe
our OAuth2 login process in its terms.

[msarda, 2017/05/29 11:34:13]

This is not part of an OAuth 2.0 process - it exchanges an OAuth 2.0 access
token for a ClientLogin token. Apparently the Chrome child account code still
uses ClientLogin here
https://cs.chromium.org/chromium/src/components/signin/core/browser/child_acc...

Martin: Do you have any specific suggestion on how to phrase this differently (I
think the current description is accurate)? 

 

[msramek, 2017/05/29 13:39:31]

Ah, I guess I misunderstood originally. If we're still using ClientLogin, then I
agree that no change is needed. Thanks!

[Ramin Halavati, 2017/05/29 13:52:51]

Acknowledged.

+            "request is the same as the response to a ClientLogin request, "
+            "except that captcha challenges are never issued."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered after "
+            "signing in with a child account."
+          data:
+            "This request contains an OAuth 2.0 access token and the service "
+            "for which a ClientLogin-style should be delivered."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(request_body_, authentication_header,
-                            oauth_login_gurl_, net::LOAD_NORMAL);
+                            oauth_login_gurl_, net::LOAD_NORMAL,
+                            traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartListAccounts() {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_list_accounts", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request is used to list the accounts in the Google "
+            "authentication cookies."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered whenever "
+            "the list of all available accounts in the Google authentication "
+            "cookies is required."
+          data: "None."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(" ",  // To force an HTTP POST.
                             "Origin: https://www.google.com",
-                            list_accounts_gurl_, net::LOAD_NORMAL);
+                            list_accounts_gurl_, net::LOAD_NORMAL,
+                            traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartLogOut() {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_log_out", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request is part of the Chrome - Google authentication API "
+            "and allows its callers to sign out all Google accounts from the "
+            "content area."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered whenever "
+            "signing out of all Google accounts is required."
+          data: "None."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(std::string(), logout_headers_, logout_gurl_,
-                            net::LOAD_NORMAL);
+                            net::LOAD_NORMAL, traffic_annotation);
 }
 
 void GaiaAuthFetcher::StartGetCheckConnectionInfo() {
   DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
 
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("gaia_auth_check_connection_info", R"(
+        semantics {
+          sender: "Chrome - Google authentication API"
+          description:
+            "This request is used to fetch from the Google authentication "
+            "server the the list of URLs to check its connection info."
+          trigger:
+            "This request is part of Gaia Auth API, and is triggered once "
+            "after a Google account is added to the browser."
+          data: "None."
+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: false
+          setting:
+            "This feature cannot be disabled in settings, but if user signs "
+            "out of Chrome, this request would not be made."
+          chrome_policy {
+            SigninAllowed {
+              policy_options {mode: MANDATORY}
+              SigninAllowed: false
+            }
+          }
+        })");
   CreateAndStartGaiaFetcher(std::string(), std::string(),
                             get_check_connection_info_url_,
-                            kLoadFlagsIgnoreCookies);
+                            kLoadFlagsIgnoreCookies, traffic_annotation);
 }
 
-void GaiaAuthFetcher::StartListIDPSessions(const std::string& scopes,
-                                           const std::string& domain) {
-  DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
-  request_body_ = MakeListIDPSessionsBody(scopes, domain);
-  requested_service_ = kListIdpServiceRequested;
-  CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_iframe_url_,
-                            net::LOAD_NORMAL);
-}
-
-void GaiaAuthFetcher::StartGetTokenResponse(const std::string& scopes,
-                                            const std::string& domain,
-                                            const std::string& login_hint) {
-  DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
-  request_body_ = MakeGetTokenResponseBody(scopes, domain, login_hint);
-  requested_service_ = kGetTokenResponseRequested;
-  CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_iframe_url_,
-                            net::LOAD_NORMAL);
-}
 
 // static
 GoogleServiceAuthError GaiaAuthFetcher::GenerateAuthError(
     const std::string& data,
     const net::URLRequestStatus& status) {
   if (!status.is_success()) {
     if (status.status() == net::URLRequestStatus::CANCELED) {
       return GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED);
     }
     DLOG(WARNING) << "Could not reach Google Accounts servers: errno "
@@ skipping 309 matching lines @@
   return alleged_error.find(kSecondFactor) !=
       std::string::npos;
 }
 
 // static
 bool GaiaAuthFetcher::IsWebLoginRequiredSuccess(
     const std::string& alleged_error) {
   return alleged_error.find(kWebLoginRequired) !=
       std::string::npos;
 }