Network traffic annotation added to OAuth2ApiCallFlow and its subclasses.

chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc

Index: chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc
diff --git a/chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc b/chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc
index 3ebce8aeba83239e763c610f3e598fcb7dd9a70f..b9debb3bc03472cb6c000eca91a8fa8b7e408e8e 100644
--- a/chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc
+++ b/chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc
@@ -17,6 +17,7 @@
 #include "components/signin/core/common/profile_management_switches.h"
 #include "extensions/common/extension_l10n_util.h"
 #include "google_apis/gaia/gaia_urls.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/app_mode/app_mode_utils.h"
@@ -577,8 +578,29 @@ void IdentityGetAuthTokenFunction::StartGaiaRequest(
     const std::string& login_access_token) {
   DCHECK(!login_access_token.empty());
   mint_token_flow_.reset(CreateMintTokenFlow());
-  mint_token_flow_->Start(GetProfile()->GetRequestContext(),
-                          login_access_token);
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[Michael Courage, 2017/05/17 22:59:16]

Chrome Identity API maybe? Really the sender is a Chrome App or Extension

[Ramin Halavati, 2017/05/24 13:04:41]

|sender| should represent this module, which is creating the request. I think
"Chrome Identity API" is good. 

+          description: "..."

[Michael Courage, 2017/05/17 22:59:16]

requests a token from gaia allowing an app or extension to act as the user when
calling other google APIs

[Ramin Halavati, 2017/05/24 13:04:40]

Done.

+          trigger: "..."

[Michael Courage, 2017/05/17 22:59:16]

api call from the app/extension

[Ramin Halavati, 2017/05/24 13:04:40]

Done.

+          data: "..."

[Michael Courage, 2017/05/17 22:59:16]

The data sent is the user's login token, the identity of a chrome app/extension,
and a list of oauth scopes requested by the app/extension.

[Ramin Halavati, 2017/05/24 13:04:41]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER/LOCAL

[Michael Courage, 2017/05/17 22:59:16]

talks to a google owned service (gaia)

[Ramin Halavati, 2017/05/24 13:04:41]

Done.

+        }
+        policy {

[Michael Courage, 2017/05/17 22:59:16]

I guess it's hard to split up these annotations given the way they are
implemented, but it doesn't make a lot of sense for this piece of code to be
declaring things like the cookie store used, since it doesn't control the cookie
store used. 

[Ramin Halavati, 2017/05/24 13:04:40]

Acknowledged.

+          cookies_allowed: false/true

[Michael Courage, 2017/05/17 22:59:16]

Looks like OAuth2ApiCallFlow disables cookies

[Ramin Halavati, 2017/05/24 13:04:41]

Done.

+          cookies_store: "..."
+          setting: "..."
+          chrome_policy {

[Michael Courage, 2017/05/17 22:59:16]

I don't know much about chrome policy. There's a SigninAllowed policy that says
it can disable chrome.identity APIs (which would include this one), but for some
reason it says it is deprecated.

[Ramin Halavati, 2017/05/24 13:04:41]

Acknowledged.

+            [POLICY_NAME] {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              [POLICY_NAME]: ... //(value to disable it)
+            }
+          }
+          policy_exception_justification: "..."
+        })");
+  mint_token_flow_->Start(GetProfile()->GetRequestContext(), login_access_token,
+                          traffic_annotation);
 }
 
 void IdentityGetAuthTokenFunction::ShowLoginPopup() {