[Dice] Parse the Dice response header

chrome/browser/signin/chrome_signin_helper.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/chrome_signin_helper.h"
 
 #include "base/strings/string_util.h"
-#include "build/build_config.h"
 #include "chrome/browser/prefs/incognito_mode_prefs.h"
 #include "chrome/browser/profiles/profile_io_data.h"
 #include "chrome/browser/signin/account_reconcilor_factory.h"
 #include "chrome/browser/signin/chrome_signin_client.h"
 #include "chrome/browser/tab_contents/tab_util.h"
 #include "chrome/browser/ui/browser_window.h"
 #include "chrome/common/url_constants.h"
 #include "components/signin/core/browser/account_reconcilor.h"
 #include "components/signin/core/browser/chrome_connected_header_helper.h"
 #include "components/signin/core/browser/signin_header_helper.h"
@@ skipping 11 matching lines @@
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/browser/ui/browser_finder.h"
 #include "extensions/browser/guest_view/web_view/web_view_renderer_state.h"
 #endif  // defined(OS_ANDROID)
 
 namespace signin {
 
 namespace {
 
 const char kChromeManageAccountsHeader[] = "X-Chrome-Manage-Accounts";
+const char kDiceResponseHeader[] = "X-Chrome-ID-Consistency-Response";
 
 // Processes the mirror response header on the UI thread. Currently depending
 // on the value of |header_value|, it either shows the profile avatar menu, or
 // opens an incognito window/tab.
 void ProcessMirrorHeaderUIThread(int child_id,
                                  int route_id,
                                  ManageAccountsParams manage_accounts_params) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
   if (switches::GetAccountConsistencyMethod() !=
@@ skipping 86 matching lines @@
       IncognitoModePrefs::ArePlatformParentalControlsEnabled()) {
     profile_mode_mask |= PROFILE_MODE_INCOGNITO_DISABLED;
   }
 
   // If new url is eligible to have the header, add it, otherwise remove it.
   AppendOrRemoveAccountConsistentyRequestHeader(
       request, redirect_url, io_data->google_services_account_id()->GetValue(),
       io_data->GetCookieSettings(), profile_mode_mask);
 }
 
 void ProcessMirrorResponseHeaderIfExists(net::URLRequest* request,

[msarda, 2017/06/12 11:52:21]

Could we replace this with a similar strategy as for
FixAccountConsistencyRequestHeader - add a public method
ProcessAccountConsistencyResponseHeader that either calls
ProcessMirrorResponseHeaderIfExists or ProcessDiceResponseHeaderIfExists. Or do
these calls needs to be made at different moments?

[droger, 2017/06/12 12:39:14]

They are done at different times currently.
It probably would not hurt much to call them at the same time (it would just add
some unneeded extra header parsing).

[msarda, 2017/06/12 14:03:42]

This was one of the reasons why I wanted to get a clear understanding on the
various messages SIGNIN vs SIGNOUT vs SIGNOUT_SINGLE_SESSION before implementing
them. It may be that we get the header on SIGNIN header on redirect, but SIGNOUT
on final response.

We may need to ask this of GAIA to understand when we should expect the response
to have the Dice response header.

[droger, 2017/06/12 16:12:58]

Ok. I'm going to ask them.

I think in the meantime we can probably go forward with this CL.

                                          ProfileIOData* io_data,
                                          int child_id,
                                          int route_id) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
 
   if (io_data->IsOffTheRecord())
     return;
 
   const content::ResourceRequestInfo* info =
       content::ResourceRequestInfo::ForRequest(request);
@@ skipping 19 matching lines @@
   if (params.service_type == GAIA_SERVICE_TYPE_NONE)
     return;
 
   params.child_id = child_id;
   params.route_id = route_id;
   content::BrowserThread::PostTask(
       content::BrowserThread::UI, FROM_HERE,
       base::Bind(ProcessMirrorHeaderUIThread, child_id, route_id, params));
 }
 
+#if !defined(OS_IOS) && !defined(OS_ANDROID)
+void ProcessDiceResponseHeaderIfExists(net::URLRequest* request,
+                                       ProfileIOData* io_data) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
+
+  if (io_data->IsOffTheRecord())
+    return;
+
+  const content::ResourceRequestInfo* info =
+      content::ResourceRequestInfo::ForRequest(request);
+  if (!(info && info->GetResourceType() == content::RESOURCE_TYPE_MAIN_FRAME))
+    return;
+
+  if (!gaia::IsGaiaSignonRealm(request->url().GetOrigin()))
+    return;
+
+  if (switches::GetAccountConsistencyMethod() !=
+      switches::AccountConsistencyMethod::kDice) {
+    return;
+  }
+
+  net::HttpResponseHeaders* response_headers = request->response_headers();
+  if (!response_headers)
+    return;
+
+  std::string header_value;
+  if (!response_headers->GetNormalizedHeader(kDiceResponseHeader,
+                                             &header_value)) {
+    return;
+  }
+
+  DiceResponseParams params = BuildDiceResponseParams(header_value);
+  // If the request does not have a response header or if the header contains
+  // garbage, then |user_intention| is set to |NONE|.
+  if (params.user_intention == DiceAction::NONE)
+    return;
+
+  // TODO(droger): Start the Chrome authentication flow.

[msarda, 2017/06/12 11:52:21]

This TODO is wrong as we do not plan to start an authentication flow here. I
would change this to TODO(droger): Process the Dice header: on sign-in, exchange
the authorization code for an refresh token, on sign-out just follow the
sign-out URL.

Note that we did not yet decide what to do for sign-out (the thought was to
leave all the UI on Gaia - then on Chrome we can simply revoke the token when an
account is signed out).

[droger, 2017/06/12 12:39:14]

Done.

+}
+#endif  // !defined(OS_IOS) && !defined(OS_ANDROID)
+
 }  // namespace signin