
Unified Diff: google_apis/gaia/gaia_auth_fetcher.cc

Issue 2872253002: Network traffic annotation added to gaia_auth_fetcher. (Closed)
Patch Set: Comments addressed. Created 3 years, 7 months ago
Index: google_apis/gaia/gaia_auth_fetcher.cc
diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc
index dcc6eb4e2aefe6c59eff45c4d6791dfe39476ccd..814fc0099ed578e478468df6ffe73cd6cc6c3cf8 100644
--- a/google_apis/gaia/gaia_auth_fetcher.cc
+++ b/google_apis/gaia/gaia_auth_fetcher.cc
@@ -219,14 +219,16 @@ void GaiaAuthFetcher::CancelRequest() {
fetch_pending_ = false;
}
-void GaiaAuthFetcher::CreateAndStartGaiaFetcher(const std::string& body,
- const std::string& headers,
- const GURL& gaia_gurl,
- int load_flags) {
+void GaiaAuthFetcher::CreateAndStartGaiaFetcher(
+ const std::string& body,
+ const std::string& headers,
+ const GURL& gaia_gurl,
+ int load_flags,
+ const net::NetworkTrafficAnnotationTag& traffic_annotation) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
fetcher_ = net::URLFetcher::Create(
0, gaia_gurl, body.empty() ? net::URLFetcher::GET : net::URLFetcher::POST,
- this);
+ this, traffic_annotation);
fetcher_->SetRequestContext(getter_);
fetcher_->SetUploadData("application/x-www-form-urlencoded", body);
gaia::MarkURLFetcherAsGaia(fetcher_.get());
@@ -511,25 +513,37 @@ bool GaiaAuthFetcher::ParseListIdpSessionsResponse(const std::string& data,
return true;
}
-void GaiaAuthFetcher::StartIssueAuthToken(const std::string& sid,
- const std::string& lsid,
- const char* const service) {
- DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
- VLOG(1) << "Starting IssueAuthToken for: " << service;
- requested_service_ = service;
- request_body_ = MakeIssueAuthTokenBody(sid, lsid, service);
- CreateAndStartGaiaFetcher(request_body_, std::string(),
- issue_auth_token_gurl_, kLoadFlagsIgnoreCookies);
-}
void GaiaAuthFetcher::StartRevokeOAuth2Token(const std::string& auth_token) {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
VLOG(1) << "Starting OAuth2 token revocation";
request_body_ = MakeRevokeTokenBody(auth_token);
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_revoke_token", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description: "This request revokes an OAuth 2.0 refresh token."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered whenever "
+ "an OAuth 2.0 refresh token needs to be revoked."
+ data: "The OAuth 2.0 refresh token that should be revoked."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: false
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
msramek 2017/05/26 12:24:52 nit: Not a native speaker, but should this be "the
Ramin Halavati 2017/05/29 08:00:49 Done.
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_revoke_gurl_,
- kLoadFlagsIgnoreCookies);
+ kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartCookieForOAuthLoginTokenExchange(
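Review bot: The `setting` text of `gaia_auth_revoke_token` says the request would not be made once the user signs out of Chrome, but revoking a refresh token is presumably something that happens as part of signing out, so the copied sentence may describe this request inaccurately. The same sentence is used for `gaia_auth_log_out` in the last hunk, where the same doubt applies. If that reading is right, wording such as `"This feature cannot be disabled in settings, but the request is not made when the user is not signed in to Chrome."` would fit both. The `chrome_policy` block naming `SigninAllowed` can stay as it is.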
@@ -575,9 +589,38 @@ void GaiaAuthFetcher::StartCookieForOAuthLoginTokenExchange(
}
fetch_token_from_auth_code_ = fetch_token_from_auth_code;
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_cookies", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request exchanges the cookies of a Google signed-in user "
+ "session for an OAuth 2.0 refresh token."
+ trigger:
+ "This request is part of Gaia Auth API, and may be triggered at "
+ "the end of the Chrome sign-in flow."
+ data:
+ "The Google console client ID of the Chrome application, the ID of "
+ "the device, and the index of the session in the Google "
+ "authentication cookies."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(std::string(), device_id_header,
client_login_to_oauth2_gurl_.Resolve(query_string),
- net::LOAD_NORMAL);
+ net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchange(
@@ -592,8 +635,36 @@ void GaiaAuthFetcher::StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
VLOG(1) << "Starting OAuth token pair fetch";
request_body_ = MakeGetTokenPairBody(auth_code, device_id);
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_exchange_device_id", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request exchanges an authorization code for an OAuth 2.0 "
+ "refresh token."
+ trigger:
+ "This request is part of Gaia Auth API, and may be triggered at "
+ "the end of the Chrome sign-in flow."
+ data:
+ "The Google console client ID and client secret of the Chrome "
+ "application, the OAuth 2.0 authorization code, and the ID of the "
+ "device."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: false
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_token_gurl_,
- kLoadFlagsIgnoreCookies);
+ kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartGetUserInfo(const std::string& lsid) {
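Review bot: The unique id `gaia_auth_exchange_device_id` reads as if a device ID were being exchanged, while the description and `MakeGetTokenPairBody(auth_code, device_id)` show an authorization code exchanged for a refresh token, with the device ID only attached. The id is the handle by which this request is looked up, so a name that follows the description, for example `gaia_auth_exchange_auth_code`, would be easier to match to the traffic. The `data` field does list the client secret and the authorization code, and `cookies_allowed: false` agrees with `kLoadFlagsIgnoreCookies`. The function body starts outside the hunk.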
@@ -601,8 +672,31 @@ void GaiaAuthFetcher::StartGetUserInfo(const std::string& lsid) {
VLOG(1) << "Starting GetUserInfo for lsid=" << lsid;
request_body_ = MakeGetUserInfoBody(lsid);
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_get_user_info", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request fetches user information of a Google account."
+ trigger:
+ "This fetcher is only used after signing in with a child account."
+ data: "The value of the Google authentication LSID cookie."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: false
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(request_body_, std::string(), get_user_info_gurl_,
- kLoadFlagsIgnoreCookies);
+ kLoadFlagsIgnoreCookies, traffic_annotation);
}
void GaiaAuthFetcher::StartMergeSession(const std::string& uber_token,
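Review bot: The new `data` field states that this request carries the value of the LSID authentication cookie, and the unchanged line `VLOG(1) << "Starting GetUserInfo for lsid=" << lsid;` just above it writes that same value to the verbose log. A session credential should not be written to logs; the line could become `VLOG(1) << "Starting GetUserInfo";`. The trigger text also says "This fetcher" where the other annotations say "This request". The start of StartGetUserInfo is outside the hunk.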
@@ -622,9 +716,37 @@ void GaiaAuthFetcher::StartMergeSession(const std::string& uber_token,
std::string continue_url("http://www.google.com");
std::string query = MakeMergeSessionQuery(uber_token, external_cc_result,
continue_url, source_);
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_merge_sessions", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request adds an account to the Google authentication cookies."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered whenever "
+ "a new Google account is added to the browser."
+ data:
+ "This request includes the user-auth token and sometimes a string "
+ "containing the result of connection checks for various Google web "
+ "properties."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(std::string(), std::string(),
merge_session_gurl_.Resolve(query),
- net::LOAD_NORMAL);
+ net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartTokenFetchForUberAuthExchange(
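Review bot: The `data` field of `gaia_auth_merge_sessions` says "user-auth token", but the value passed to `MakeMergeSessionQuery` is `uber_token` and the `gaia_auth_fetch_for_uber` annotation in the next hunk calls it an "uber-auth token". This looks like a typo and should read `"This request includes the uber-auth token and sometimes a string "`. The token is placed in the URL through `merge_session_gurl_.Resolve(query)` with an empty body, so `data` could also say that it travels as a query parameter. The context line `continue_url("http://www.google.com")` uses plain http; whether that matters depends on how the server treats the continue URL, which is not visible here.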
@@ -638,8 +760,36 @@ void GaiaAuthFetcher::StartTokenFetchForUberAuthExchange(
base::StringPrintf(kOAuthHeaderFormat, access_token.c_str());
int load_flags =
is_bound_to_channel_id ? net::LOAD_NORMAL : kLoadFlagsIgnoreCookies;
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_fetch_for_uber", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request exchanges an Oauth2 access token for an uber-auth "
+ "token. This token may be used to add an account to the Google "
+ "authentication cookies."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered whenever "
+ "a new Google account is added to the browser."
+ data: "This request contains an OAuth 2.0 access token. "
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(std::string(), authentication_header,
- uberauth_token_gurl_, load_flags);
+ uberauth_token_gurl_, load_flags,
+ traffic_annotation);
}
void GaiaAuthFetcher::StartOAuthLogin(const std::string& access_token,
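Review bot: `cookies_allowed: true` is stated unconditionally, but `load_flags` is `net::LOAD_NORMAL` only when `is_bound_to_channel_id` is set and `kLoadFlagsIgnoreCookies` otherwise, which by its name suppresses cookies. The description should say so, for example by adding `"Cookies are sent only when the token is bound to a channel ID."`. Two wording nits in the same annotation: "Oauth2" should be "OAuth 2.0" as in the other annotations, and the `data` string ends with a stray space. The function body starts outside the hunk.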
@@ -649,53 +799,144 @@ void GaiaAuthFetcher::StartOAuthLogin(const std::string& access_token,
request_body_ = MakeOAuthLoginBody(service, source_);
std::string authentication_header =
base::StringPrintf(kOAuth2BearerHeaderFormat, access_token.c_str());
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_login", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request exchanges an OAuthLogin-scoped oauth2 access token "
+ "for a ClientLogin-style service tokens. The response to this "
msramek 2017/05/26 12:24:52 What is ClientLogin? Does this refer to the Client
msarda 2017/05/29 11:34:13 This is not part of an OAuth 2.0 process - it exch
msramek 2017/05/29 13:39:31 Ah, I guess I misunderstood originally. If we're s
Ramin Halavati 2017/05/29 13:52:51 Acknowledged.
+ "request is the same as the response to a ClientLogin request, "
+ "except that captcha challenges are never issued."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered after "
+ "signing in with a child account."
+ data:
+ "This request contains an OAuth 2.0 access token and the service "
+ "for which a ClientLogin-style should be delivered."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(request_body_, authentication_header,
- oauth_login_gurl_, net::LOAD_NORMAL);
+ oauth_login_gurl_, net::LOAD_NORMAL,
+ traffic_annotation);
}
void GaiaAuthFetcher::StartListAccounts() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_list_accounts", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request is used to list the accounts in the Google "
+ "authentication cookies."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered whenever "
+ "the list of all available accounts in the Google authentication "
+ "cookies is required."
+ data: "None."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(" ", // To force an HTTP POST.
"Origin: https://www.google.com",
- list_accounts_gurl_, net::LOAD_NORMAL);
+ list_accounts_gurl_, net::LOAD_NORMAL,
+ traffic_annotation);
}
void GaiaAuthFetcher::StartLogOut() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_log_out", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request is part of the Chrome - Google authentication API "
+ "and allows its callers to sign out all Google accounts from the "
+ "content area."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered whenever "
+ "signing out of all Google accounts is required."
+ data: "None."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: true
+ cookies_store: "user"
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(std::string(), logout_headers_, logout_gurl_,
- net::LOAD_NORMAL);
+ net::LOAD_NORMAL, traffic_annotation);
}
void GaiaAuthFetcher::StartGetCheckConnectionInfo() {
DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
+ net::NetworkTrafficAnnotationTag traffic_annotation =
+ net::DefineNetworkTrafficAnnotation("gaia_auth_check_connection_info", R"(
+ semantics {
+ sender: "Chrome - Google authentication API"
+ description:
+ "This request is used to fetch from the Google authentication "
+ "server the the list of URLs to check its connection info."
+ trigger:
+ "This request is part of Gaia Auth API, and is triggered once "
+ "after a Google account is added to the browser."
+ data: "None."
+ destination: GOOGLE_OWNED_SERVICE
+ }
+ policy {
+ cookies_allowed: false
+ setting:
+ "This feature cannot be disabled in settings, but if user signs "
+ "out of Chrome, this request would not be made."
+ chrome_policy {
+ SigninAllowed {
+ policy_options {mode: MANDATORY}
+ SigninAllowed: false
+ }
+ }
+ })");
CreateAndStartGaiaFetcher(std::string(), std::string(),
get_check_connection_info_url_,
- kLoadFlagsIgnoreCookies);
-}
-
-void GaiaAuthFetcher::StartListIDPSessions(const std::string& scopes,
- const std::string& domain) {
- DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
- request_body_ = MakeListIDPSessionsBody(scopes, domain);
- requested_service_ = kListIdpServiceRequested;
- CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_iframe_url_,
- net::LOAD_NORMAL);
+ kLoadFlagsIgnoreCookies, traffic_annotation);
}
-void GaiaAuthFetcher::StartGetTokenResponse(const std::string& scopes,
- const std::string& domain,
- const std::string& login_hint) {
- DCHECK(!fetch_pending_) << "Tried to fetch two things at once!";
-
- request_body_ = MakeGetTokenResponseBody(scopes, domain, login_hint);
- requested_service_ = kGetTokenResponseRequested;
- CreateAndStartGaiaFetcher(request_body_, std::string(), oauth2_iframe_url_,
- net::LOAD_NORMAL);
-}
// static
GoogleServiceAuthError GaiaAuthFetcher::GenerateAuthError(
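Review bot: Three annotation strings in this hunk have text defects that a reader auditing the traffic will see. In `gaia_auth_login`, "for a ClientLogin-style service tokens" mixes singular and plural, and "for which a ClientLogin-style should be delivered" is missing its noun, presumably "token". In `gaia_auth_check_connection_info`, "the the list of URLs" repeats a word. Suggested replacements are `"for ClientLogin-style service tokens. The response to this "`, `"for which a ClientLogin-style token should be delivered."` and `"server the list of URLs to check its connection info."`. Separately, `MakeOAuthLoginBody(service, source_)` puts `source_` into the body, which the `data` field of `gaia_auth_login` does not mention; if that value identifies the client it belongs in the list.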