1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // <include src="saml_handler.js"> | 5 // <include src="saml_handler.js"> |
6 | 6 |
7 /** | 7 /** |
8 * @fileoverview An UI component to authenciate to Chrome. The component hosts | 8 * @fileoverview An UI component to authenciate to Chrome. The component hosts |
9 * IdP web pages in a webview. A client who is interested in monitoring | 9 * IdP web pages in a webview. A client who is interested in monitoring |
10 * authentication events should pass a listener object of type | 10 * authentication events should pass a listener object of type |
24 'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html'; | 24 'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html'; |
25 var SIGN_IN_HEADER = 'google-accounts-signin'; | 25 var SIGN_IN_HEADER = 'google-accounts-signin'; |
26 var EMBEDDED_FORM_HEADER = 'google-accounts-embedded'; | 26 var EMBEDDED_FORM_HEADER = 'google-accounts-embedded'; |
27 var LOCATION_HEADER = 'location'; | 27 var LOCATION_HEADER = 'location'; |
28 var COOKIE_HEADER = 'cookie'; | 28 var COOKIE_HEADER = 'cookie'; |
29 var SET_COOKIE_HEADER = 'set-cookie'; | 29 var SET_COOKIE_HEADER = 'set-cookie'; |
30 var OAUTH_CODE_COOKIE = 'oauth_code'; | 30 var OAUTH_CODE_COOKIE = 'oauth_code'; |
31 var GAPS_COOKIE = 'GAPS'; | 31 var GAPS_COOKIE = 'GAPS'; |
32 var SERVICE_ID = 'chromeoslogin'; | 32 var SERVICE_ID = 'chromeoslogin'; |
33 var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos'; | 33 var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos'; |
| 34 var EMBEDDED_SETUP_CHROMEOS_ENDPOINT_V2 = 'embedded/setup/v2/chromeos'; |
34 var SAML_REDIRECTION_PATH = 'samlredirect'; | 35 var SAML_REDIRECTION_PATH = 'samlredirect'; |
35 var BLANK_PAGE_URL = 'about:blank'; | 36 var BLANK_PAGE_URL = 'about:blank'; |
36 | 37 |
37 /** | 38 /** |
38 * The source URL parameter for the constrained signin flow. | 39 * The source URL parameter for the constrained signin flow. |
39 */ | 40 */ |
40 var CONSTRAINED_FLOW_SOURCE = 'chrome'; | 41 var CONSTRAINED_FLOW_SOURCE = 'chrome'; |
41 | 42 |
42 /** | 43 /** |
43 * Enum for the authorization mode, must match AuthMode defined in | 44 * Enum for the authorization mode, must match AuthMode defined in |
69 // gaiaUrl. | 70 // gaiaUrl. |
70 'constrained', // Whether the extension is loaded in a constrained | 71 'constrained', // Whether the extension is loaded in a constrained |
71 // window. | 72 // window. |
72 'clientId', // Chrome client id. | 73 'clientId', // Chrome client id. |
73 'useEafe', // Whether to use EAFE. | 74 'useEafe', // Whether to use EAFE. |
74 'needPassword', // Whether the host is interested in getting a password. | 75 'needPassword', // Whether the host is interested in getting a password. |
75 // If this set to |false|, |confirmPasswordCallback| is | 76 // If this set to |false|, |confirmPasswordCallback| is |
76 // not called before dispatching |authCopleted|. | 77 // not called before dispatching |authCopleted|. |
77 // Default is |true|. | 78 // Default is |true|. |
78 'flow', // One of 'default', 'enterprise', or 'theftprotection'. | 79 'flow', // One of 'default', 'enterprise', or 'theftprotection'. |
79 'enterpriseDomain', // Domain in which hosting device is (or should be) | 80 'enterpriseDomain', // Domain in which hosting device is (or should be) |
80 // enrolled. | 81 // enrolled. |
81 'emailDomain', // Value used to prefill domain for email. | 82 'emailDomain', // Value used to prefill domain for email. |
82 'chromeType', // Type of Chrome OS device, e.g. "chromebox". | 83 'chromeType', // Type of Chrome OS device, e.g. "chromebox". |
83 'clientVersion', // Version of the Chrome build. | 84 'clientVersion', // Version of the Chrome build. |
84 'platformVersion', // Version of the OS build. | 85 'platformVersion', // Version of the OS build. |
85 'releaseChannel', // Installation channel. | 86 'releaseChannel', // Installation channel. |
86 'endpointGen', // Current endpoint generation. | 87 'endpointGen', // Current endpoint generation. |
87 'gapsCookie', // GAPS cookie | 88 'gapsCookie', // GAPS cookie |
| 89 'chromeOSApiVersion', // GAIA Chrome OS API version |
88 | 90 |
89 // The email fields allow for the following possibilities: | 91 // The email fields allow for the following possibilities: |
90 // | 92 // |
91 // 1/ If 'email' is not supplied, then the email text field is blank and the | 93 // 1/ If 'email' is not supplied, then the email text field is blank and the |
92 // user must type an email to proceed. | 94 // user must type an email to proceed. |
93 // | 95 // |
94 // 2/ If 'email' is supplied, and 'readOnlyEmail' is truthy, then the email | 96 // 2/ If 'email' is supplied, and 'readOnlyEmail' is truthy, then the email |
95 // is hardcoded and the user cannot change it. The user is asked for | 97 // is hardcoded and the user cannot change it. The user is asked for |
96 // password. This is useful for re-auth scenarios, where chrome needs the | 98 // password. This is useful for re-auth scenarios, where chrome needs the |
97 // user to authenticate for a specific account and only that account. | 99 // user to authenticate for a specific account and only that account. |
224 this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) || | 226 this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) || |
225 this.continueUrl_; | 227 this.continueUrl_; |
226 this.isConstrainedWindow_ = data.constrained == '1'; | 228 this.isConstrainedWindow_ = data.constrained == '1'; |
227 this.isNewGaiaFlow = data.isNewGaiaFlow; | 229 this.isNewGaiaFlow = data.isNewGaiaFlow; |
228 this.useEafe_ = data.useEafe || false; | 230 this.useEafe_ = data.useEafe || false; |
229 this.clientId_ = data.clientId; | 231 this.clientId_ = data.clientId; |
230 this.gapsCookie_ = data.gapsCookie; | 232 this.gapsCookie_ = data.gapsCookie; |
231 this.gapsCookieSent_ = false; | 233 this.gapsCookieSent_ = false; |
232 this.newGapsCookie_ = null; | 234 this.newGapsCookie_ = null; |
233 this.dontResizeNonEmbeddedPages = data.dontResizeNonEmbeddedPages; | 235 this.dontResizeNonEmbeddedPages = data.dontResizeNonEmbeddedPages; |
| 236 this.chromeOSApiVersion_ = data.chromeOSApiVersion; |
234 | 237 |
235 this.initialFrameUrl_ = this.constructInitialFrameUrl_(data); | 238 this.initialFrameUrl_ = this.constructInitialFrameUrl_(data); |
236 this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_; | 239 this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_; |
237 // Don't block insecure content for desktop flow because it lands on | 240 // Don't block insecure content for desktop flow because it lands on |
238 // http. Otherwise, block insecure content as long as gaia is https. | 241 // http. Otherwise, block insecure content as long as gaia is https. |
239 this.samlHandler_.blockInsecureContent = | 242 this.samlHandler_.blockInsecureContent = |
240 authMode != AuthMode.DESKTOP && this.idpOrigin_.startsWith('https://'); | 243 authMode != AuthMode.DESKTOP && this.idpOrigin_.startsWith('https://'); |
241 this.needPassword = !('needPassword' in data) || data.needPassword; | 244 this.needPassword = !('needPassword' in data) || data.needPassword; |
242 | 245 |
243 if (this.isNewGaiaFlow) { | 246 if (this.isNewGaiaFlow) { |
244 this.webview_.contextMenus.onShow.addListener(function(e) { | 247 this.webview_.contextMenus.onShow.addListener(function(e) { |
245 e.preventDefault(); | 248 e.preventDefault(); |
246 }); | 249 }); |
247 | 250 |
248 if (!this.onBeforeSetHeadersSet_) { | 251 if (!this.onBeforeSetHeadersSet_) { |
249 this.onBeforeSetHeadersSet_ = true; | 252 this.onBeforeSetHeadersSet_ = true; |
250 var filterPrefix = this.idpOrigin_ + EMBEDDED_SETUP_CHROMEOS_ENDPOINT; | 253 var filterPrefix = this.constructChromeOSAPIUrl_(); |
251 // This depends on gaiaUrl parameter, that is why it is here. | 254 // This depends on gaiaUrl parameter, that is why it is here. |
252 this.webview_.request.onBeforeSendHeaders.addListener( | 255 this.webview_.request.onBeforeSendHeaders.addListener( |
253 this.onBeforeSendHeaders_.bind(this), | 256 this.onBeforeSendHeaders_.bind(this), |
254 {urls: [filterPrefix + '?*', filterPrefix + '/*']}, | 257 {urls: [filterPrefix + '?*', filterPrefix + '/*']}, |
255 ['requestHeaders', 'blocking']); | 258 ['requestHeaders', 'blocking']); |
256 } | 259 } |
257 } | 260 } |
258 | 261 |
259 this.webview_.src = this.reloadUrl_; | 262 this.webview_.src = this.reloadUrl_; |
260 this.isLoaded_ = true; | 263 this.isLoaded_ = true; |
261 }; | 264 }; |
262 | 265 |
| 266 Authenticator.prototype.constructChromeOSAPIUrl_ = function() { |
| 267 if (this.chromeOSApiVersion_ && this.chromeOSApiVersion_ == 2) |
| 268 return this.idpOrigin_ + EMBEDDED_SETUP_CHROMEOS_ENDPOINT_V2; |
| 269 |
| 270 return this.idpOrigin_ + EMBEDDED_SETUP_CHROMEOS_ENDPOINT; |
| 271 }; |
| 272 |
263 /** | 273 /** |
264 * Reloads the authenticator component. | 274 * Reloads the authenticator component. |
265 */ | 275 */ |
266 Authenticator.prototype.reload = function() { | 276 Authenticator.prototype.reload = function() { |
267 this.resetStates(); | 277 this.resetStates(); |
268 this.webview_.src = this.reloadUrl_; | 278 this.webview_.src = this.reloadUrl_; |
269 this.isLoaded_ = true; | 279 this.isLoaded_ = true; |
270 }; | 280 }; |
271 | 281 |
272 Authenticator.prototype.constructInitialFrameUrl_ = function(data) { | 282 Authenticator.prototype.constructInitialFrameUrl_ = function(data) { |
273 if (data.doSamlRedirect) { | 283 if (data.doSamlRedirect) { |
274 var url = this.idpOrigin_ + SAML_REDIRECTION_PATH; | 284 var url = this.idpOrigin_ + SAML_REDIRECTION_PATH; |
275 url = appendParam(url, 'domain', data.enterpriseDomain); | 285 url = appendParam(url, 'domain', data.enterpriseDomain); |
276 url = appendParam( | 286 url = appendParam( |
277 url, 'continue', | 287 url, 'continue', |
278 data.gaiaUrl + 'o/oauth2/programmatic_auth?hl=' + data.hl + | 288 data.gaiaUrl + 'o/oauth2/programmatic_auth?hl=' + data.hl + |
279 '&scope=https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthLogin&' + | 289 '&scope=https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthLogin&' + |
280 'client_id=' + encodeURIComponent(data.clientId) + | 290 'client_id=' + encodeURIComponent(data.clientId) + |
281 '&access_type=offline'); | 291 '&access_type=offline'); |
282 | 292 |
283 return url; | 293 return url; |
284 } | 294 } |
285 | 295 |
286 var path = data.gaiaPath; | 296 var url; |
287 if (!path && this.isNewGaiaFlow) | 297 if (data.gaiaPath) |
288 path = EMBEDDED_SETUP_CHROMEOS_ENDPOINT; | 298 url = this.idpOrigin_ + data.gaiaPath; |
289 if (!path) | 299 else if (this.isNewGaiaFlow) |
290 path = IDP_PATH; | 300 url = this.constructChromeOSAPIUrl_(); |
291 var url = this.idpOrigin_ + path; | 301 else |
| 302 url = this.idpOrigin_ + IDP_PATH; |
292 | 303 |
293 if (this.isNewGaiaFlow) { | 304 if (this.isNewGaiaFlow) { |
294 if (data.chromeType) | 305 if (data.chromeType) |
295 url = appendParam(url, 'chrometype', data.chromeType); | 306 url = appendParam(url, 'chrometype', data.chromeType); |
296 if (data.clientId) | 307 if (data.clientId) |
297 url = appendParam(url, 'client_id', data.clientId); | 308 url = appendParam(url, 'client_id', data.clientId); |
298 if (data.enterpriseDomain) | 309 if (data.enterpriseDomain) |
299 url = appendParam(url, 'manageddomain', data.enterpriseDomain); | 310 url = appendParam(url, 'manageddomain', data.enterpriseDomain); |
300 if (data.clientVersion) | 311 if (data.clientVersion) |
301 url = appendParam(url, 'client_version', data.clientVersion); | 312 url = appendParam(url, 'client_version', data.clientVersion); |
873 Authenticator.AuthMode = AuthMode; | 884 Authenticator.AuthMode = AuthMode; |
874 Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS; | 885 Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS; |
875 | 886 |
876 return { | 887 return { |
877 // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old | 888 // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old |
878 // iframe-based flow is deprecated. | 889 // iframe-based flow is deprecated. |
879 GaiaAuthHost: Authenticator, | 890 GaiaAuthHost: Authenticator, |
880 Authenticator: Authenticator | 891 Authenticator: Authenticator |
881 }; | 892 }; |
882 }); | 893 }); |
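Review bot: The new `constructChromeOSAPIUrl_` (new lines 266-271) has no JSDoc header, unlike the neighbouring `reload`, and its `this.chromeOSApiVersion_ &&` guard is redundant with the `== 2` comparison right after it. Because `chromeOSApiVersion` is a host-supplied SUPPORTED_PARAMS value and this file compares similar params as strings (`data.constrained == '1'`), the loose `==` presumably exists to accept both `2` and `'2'`; making that explicit reads better and drops the redundant guard: `if (Number(this.chromeOSApiVersion_) === 2)`. A suggested header: `/** @return {string} The GAIA embedded-setup URL for the configured Chrome OS API version: the v2 endpoint when chromeOSApiVersion is 2, the v1 endpoint otherwise. @private */`. Note also that the onBeforeSendHeaders URL filter now derived from this method (new line 253, inside a load body whose start is outside the hunk) is computed only once under the `onBeforeSetHeadersSet_` guard, so a later load() with a different `chromeOSApiVersion` would leave the request-header listener filtering on the endpoint chosen the first time; whether that sequence can occur is not visible here.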