Network traffic annotation added to OAuth2ApiCallFlow and its subclasses.

components/cryptauth/cryptauth_client_impl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cryptauth/cryptauth_client_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 48 matching lines @@
       device_classifier_(device_classifier),
       has_call_started_(false),
       weak_ptr_factory_(this) {}
 
 CryptAuthClientImpl::~CryptAuthClientImpl() {
 }
 
 void CryptAuthClientImpl::GetMyDevices(
     const GetMyDevicesRequest& request,
     const GetMyDevicesCallback& callback,
-    const ErrorCallback& error_callback) {
-  MakeApiCall(kGetMyDevicesPath, request, callback, error_callback);
+    const ErrorCallback& error_callback,
+    const net::PartialNetworkTrafficAnnotationTag& partial_traffic_annotation) {
+  MakeApiCall(kGetMyDevicesPath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 void CryptAuthClientImpl::FindEligibleUnlockDevices(
     const FindEligibleUnlockDevicesRequest& request,
     const FindEligibleUnlockDevicesCallback& callback,
     const ErrorCallback& error_callback) {
-  MakeApiCall(kFindEligibleUnlockDevicesPath, request, callback,
-              error_callback);
+  net::PartialNetworkTrafficAnnotationTag partial_traffic_annotation =
+      net::DefinePartialNetworkTrafficAnnotation(
+          "cryptauth_find_eligible_unlock_devices", "oauth2_api_call_flow",
+          R"(
+      semantics {
+        sender: "CryptAuth Device Manager"
+        description:
+          "Gets the list of mobile devices that can be used by Smart Lock to "
+          "unlock the current device."
+        trigger:
+          "This request is sent when the user starts the Smart Lock setup flow."
+        data: "OAuth 2.0 token and the device's public key."
+        destination: GOOGLE_OWNED_SERVICE
+      }
+      policy {
+        setting:
+          "This feature cannot be disabled in settings, but the request will "
+          "only be send if the user explicitly tries to enable Smart Lock "

[msramek, 2017/06/28 08:40:55]

typo: sent

[Ramin Halavati, 2017/06/28 09:21:29]

Done.

+          "(EasyUnlock), i.e. starts the setup flow."
+        chrome_policy {
+          EasyUnlockAllowed {
+            EasyUnlockAllowed: false
+          }
+        }
+      })");
+  MakeApiCall(kFindEligibleUnlockDevicesPath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 void CryptAuthClientImpl::SendDeviceSyncTickle(
     const SendDeviceSyncTickleRequest& request,
     const SendDeviceSyncTickleCallback& callback,
-    const ErrorCallback& error_callback) {
-  MakeApiCall(kSendDeviceSyncTicklePath, request, callback, error_callback);
+    const ErrorCallback& error_callback,
+    const net::PartialNetworkTrafficAnnotationTag& partial_traffic_annotation) {
+  MakeApiCall(kSendDeviceSyncTicklePath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 void CryptAuthClientImpl::ToggleEasyUnlock(
     const ToggleEasyUnlockRequest& request,
     const ToggleEasyUnlockCallback& callback,
     const ErrorCallback& error_callback) {
-  MakeApiCall(kToggleEasyUnlockPath, request, callback, error_callback);
+  net::PartialNetworkTrafficAnnotationTag partial_traffic_annotation =
+      net::DefinePartialNetworkTrafficAnnotation("cryptauth_toggle_easyunlock",
+                                                 "oauth2_api_call_flow", R"(
+      semantics {
+        sender: "CryptAuth Device Manager"
+        description: "Enables Smart Lock (EasyUnlock) for the current device."
+        trigger:
+          "This request is send after the user goes through the EasyUnlock "
+          "setup flow."
+        data: "OAuth 2.0 token and the device public key."
+        destination: GOOGLE_OWNED_SERVICE
+      }
+      policy {
+        setting:
+          "This feature cannot be disabled in settings, but the request will "
+          "only be send if the user explicitly enables Smart Lock "
+          "(EasyUnlock), i.e. uccessfully complete the setup flow."
+        chrome_policy {
+          EasyUnlockAllowed {
+            EasyUnlockAllowed: false
+          }
+        }
+      })");
+  MakeApiCall(kToggleEasyUnlockPath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 void CryptAuthClientImpl::SetupEnrollment(
     const SetupEnrollmentRequest& request,
     const SetupEnrollmentCallback& callback,
     const ErrorCallback& error_callback) {
-  MakeApiCall(kSetupEnrollmentPath, request, callback, error_callback);
+  net::PartialNetworkTrafficAnnotationTag partial_traffic_annotation =
+      net::DefinePartialNetworkTrafficAnnotation(
+          "cryptauth_enrollment_flow_setup", "oauth2_api_call_flow", R"(
+      semantics {
+        sender: "CryptAuth Device Manager"
+        description: "Starts the CryptAuth registration flow."

[msramek, 2017/06/28 08:40:55]

Since this cannot be disabled, could you expand the description to explain the
motivation why this must be done regularly?

[sacomoto, 2017/06/30 10:09:54]

The periodic re-enrollments are part of the CryptAuth protocol, if the device
doesn't re-enroll for more than XX (> 45) days then it gets removed from the
server. They have two main functions: update the device information and rotate
the master symmetric key negotiated during the enrollment.  

[Ramin Halavati, 2017/06/30 11:51:36]

Done.

+        trigger: "Occurs periodically, at least once a month."
+        data:
+          "Various device information (public key, bluetooth MAC address, "
+          "model, OS version, screen size, manufacturer, has screen lock "
+          "enabled), and OAuth 2.0 token."
+        destination: GOOGLE_OWNED_SERVICE
+      }
+      policy {
+        setting:
+          "This feature cannot be disabled by settings. However, this request "
+          "is made only for signed-in users."
+        chrome_policy {
+          SigninAllowed {
+            SigninAllowed: false
+          }
+        }
+      })");
+  MakeApiCall(kSetupEnrollmentPath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 void CryptAuthClientImpl::FinishEnrollment(
     const FinishEnrollmentRequest& request,
     const FinishEnrollmentCallback& callback,
     const ErrorCallback& error_callback) {
-  MakeApiCall(kFinishEnrollmentPath, request, callback, error_callback);
+  net::PartialNetworkTrafficAnnotationTag partial_traffic_annotation =
+      net::DefinePartialNetworkTrafficAnnotation(
+          "cryptauth_enrollment_flow_finish", "oauth2_api_call_flow", R"(
+      semantics {
+        sender: "CryptAuth Device Manager"
+        description: "Finishes the CryptAuth registration flow."

[msramek, 2017/06/28 08:40:55]

Ditto here (I understand that this is related to the previous one).

[sacomoto, 2017/06/30 10:09:54]

See the previous comment.

[Ramin Halavati, 2017/06/30 11:51:36]

Done.

+        trigger: "Occurs periodically, at least once a month."
+        data: "OAuth 2.0 token."
+        destination: GOOGLE_OWNED_SERVICE
+      }
+      policy {
+        setting:
+          "This feature cannot be disabled by settings. However, this request "
+          "is made only for signed-in users."
+        chrome_policy {
+          SigninAllowed {
+            SigninAllowed: false
+          }
+        }
+      })");
+  MakeApiCall(kFinishEnrollmentPath, request, callback, error_callback,
+              partial_traffic_annotation);
 }
 
 std::string CryptAuthClientImpl::GetAccessTokenUsed() {
   return access_token_used_;
 }
 
 template <class RequestProto, class ResponseProto>
 void CryptAuthClientImpl::MakeApiCall(
     const std::string& request_path,
     const RequestProto& request_proto,
     const base::Callback<void(const ResponseProto&)>& response_callback,
-    const ErrorCallback& error_callback) {
+    const ErrorCallback& error_callback,
+    const net::PartialNetworkTrafficAnnotationTag& partial_traffic_annotation) {
   if (has_call_started_) {
     error_callback.Run(
         "Client has been used for another request. Do not reuse.");
     return;
   }
   has_call_started_ = true;
 
+  api_call_flow_->SetPartialNetworkTrafficAnnotation(
+      partial_traffic_annotation);
+
   // The |device_classifier| field must be present for all CryptAuth requests.
   RequestProto request_copy(request_proto);
   request_copy.mutable_device_classifier()->CopyFrom(device_classifier_);
 
   std::string serialized_request;
   if (!request_copy.SerializeToString(&serialized_request)) {
     error_callback.Run(std::string("Failed to serialize ") +
                        request_proto.GetTypeName() + " proto.");
     return;
   }
@@ skipping 58 matching lines @@
 
 std::unique_ptr<CryptAuthClient> CryptAuthClientFactoryImpl::CreateInstance() {
   return base::MakeUnique<CryptAuthClientImpl>(
       base::WrapUnique(new CryptAuthApiCallFlow()),
       base::WrapUnique(
           new CryptAuthAccessTokenFetcherImpl(token_service_, account_id_)),
       url_request_context_, device_classifier_);
 }
 
 }  // namespace cryptauth