Use GAIA headers to distinguish between GAIA and SAML IdP cookies

chrome/browser/chromeos/login/profile_auth_data.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/profile_auth_data.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/message_loop/message_loop.h"
+#include "base/time/time.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/cookies/cookie_store.h"
 #include "net/http/http_auth_cache.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/ssl/channel_id_service.h"
 #include "net/ssl/channel_id_store.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "url/gurl.h"
 
 using content::BrowserThread;
 
 namespace chromeos {
 
 namespace {
 
-// Given a |cookie| set during login, returns true if the cookie may have been
-// set by GAIA. While GAIA can set cookies for many different domains, the
-// domain names it sets cookies for during Chrome OS login will always contain
-// the strings "google" or "youtube".
-bool IsGAIACookie(const net::CanonicalCookie& cookie) {
-  const std::string& domain = cookie.Domain();
-  return domain.find("google") != std::string::npos ||
-         domain.find("youtube") != std::string::npos;
-}
+const char kSAMLStartCookie[] = "google-accounts-saml-start";
+const char kSAMLEndCookie[] = "google-accounts-saml-end";
 
 class ProfileAuthDataTransferer {
  public:
   ProfileAuthDataTransferer(
       content::BrowserContext* from_context,
       content::BrowserContext* to_context,
       bool transfer_auth_cookies_and_channel_ids_on_first_login,
       bool transfer_saml_auth_cookies_on_subsequent_login,
       const base::Closure& completion_callback);
 
@@ skipping 24 matching lines @@
 
   // Retrieve |from_context_|'s channel IDs. When the retrieval finishes,
   // OnChannelIDsToTransferRetrieved will be called with the result.
   void RetrieveChannelIDsToTransfer();
 
   // Callback that receives |from_context_|'s channel IDs. Calls
   // MaybeTransferCookiesAndChannelIDs() to try and perform the transfer.
   void OnChannelIDsToTransferRetrieved(
       const net::ChannelIDStore::ChannelIDList& channel_ids_to_transfer);
 
+  // Given a |cookie| set during login, returns true if the cookie may have been
+  // set by GAIA. The main criterion is the |cookie|'s creation date. The points
+  // in time at which redirects from GAIA to SAML IdP and back occur are stored
+  // in |saml_start_time_| and |saml_end_time_|. If the cookie was set between
+  // these two times, it was created by the SAML IdP. Otherwise, it was created
+  // by GAIA.
+  // As an additional precaution, the cookie's domain is checked. If the domain
+  // contains "google" or "youtube", the cookie is considered to have been set
+  // by GAIA as well.
+  bool IsGAIACookie(const net::CanonicalCookie& cookie);
+
   // If all data to be transferred has been retrieved already, transfer it to
   // |to_context_| and call Finish().
   void MaybeTransferCookiesAndChannelIDs();
 
   // Post the |completion_callback_| to the UI thread and schedule destruction
   // of |this|.
   void Finish();
 
   scoped_refptr<net::URLRequestContextGetter> from_context_;
   scoped_refptr<net::URLRequestContextGetter> to_context_;
   bool transfer_auth_cookies_and_channel_ids_on_first_login_;
   bool transfer_saml_auth_cookies_on_subsequent_login_;
   base::Closure completion_callback_;
 
   net::CookieList cookies_to_transfer_;
   net::ChannelIDStore::ChannelIDList channel_ids_to_transfer_;
 
+  // The time at which a redirect from GAIA to a SAML IdP occurred.
+  base::Time saml_start_time_;
+  // The time at which a redirect from a SAML IdP back to GAIA occurred.
+  base::Time saml_end_time_;
+
   bool first_login_;
   bool waiting_for_auth_cookies_;
   bool waiting_for_channel_ids_;
 };
 
 ProfileAuthDataTransferer::ProfileAuthDataTransferer(
     content::BrowserContext* from_context,
     content::BrowserContext* to_context,
     bool transfer_auth_cookies_and_channel_ids_on_first_login,
     bool transfer_saml_auth_cookies_on_subsequent_login,
@@ skipping 91 matching lines @@
   from_monster->GetAllCookiesAsync(
       base::Bind(&ProfileAuthDataTransferer::OnCookiesToTransferRetrieved,
                  base::Unretained(this)));
 }
 
 void ProfileAuthDataTransferer::OnCookiesToTransferRetrieved(
     const net::CookieList& cookies_to_transfer) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   waiting_for_auth_cookies_ = false;
   cookies_to_transfer_ = cookies_to_transfer;
+
+  // Look for cookies indicating the points in time at which redirects from GAIA
+  // to SAML IdP and back occurred. These cookies are synthesized by
+  // chrome/browser/resources/gaia_auth/background.js. If the cookies are found,
+  // their creation times are stored in |saml_start_time_| and
+  // |cookies_to_transfer_| and the cookies are deleted.
+  for (net::CookieList::iterator it = cookies_to_transfer_.begin();
+       it != cookies_to_transfer_.end(); ) {
+    if (it->Name() == kSAMLStartCookie) {
+      saml_start_time_ = it->CreationDate();
+      it = cookies_to_transfer_.erase(it);
+    } else if (it->Name() == kSAMLEndCookie) {
+      saml_end_time_ = it->CreationDate();
+      it = cookies_to_transfer_.erase(it);
+    } else {
+      ++it;
+    }
+  }
+
   MaybeTransferCookiesAndChannelIDs();
 }
 
 void ProfileAuthDataTransferer::RetrieveChannelIDsToTransfer() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   net::ChannelIDService* from_service =
       from_context_->GetURLRequestContext()->channel_id_service();
   from_service->GetChannelIDStore()->GetAllChannelIDs(
       base::Bind(
           &ProfileAuthDataTransferer::OnChannelIDsToTransferRetrieved,
           base::Unretained(this)));
 }
 
 void ProfileAuthDataTransferer::OnChannelIDsToTransferRetrieved(
     const net::ChannelIDStore::ChannelIDList& channel_ids_to_transfer) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   channel_ids_to_transfer_ = channel_ids_to_transfer;
   waiting_for_channel_ids_ = false;
   MaybeTransferCookiesAndChannelIDs();
 }
 
+bool ProfileAuthDataTransferer::IsGAIACookie(
+    const net::CanonicalCookie& cookie) {
+  const base::Time& creation_date = cookie.CreationDate();
+  if (creation_date < saml_start_time_)
+    return true;
+  if (!saml_end_time_.is_null() && creation_date > saml_end_time_)
+    return true;
+

[dzhioev (left Google), 2014/08/07 09:17:44]

I can't understand how does this change help to transfer IdP cookies to user's
profile. I mean IsGAIACookie became more permissive with you change, which means
less cookies will be transferred, right?

[bartfab (slow), 2014/08/07 11:59:45]

Done - I replied to this directly and Pavel was happy with the explanation.

+  const std::string& domain = cookie.Domain();
+  return domain.find("google") != std::string::npos ||
+         domain.find("youtube") != std::string::npos;
+}
+
 void ProfileAuthDataTransferer::MaybeTransferCookiesAndChannelIDs() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   if (waiting_for_auth_cookies_ || waiting_for_channel_ids_)
     return;
 
   net::CookieStore* to_store =
       to_context_->GetURLRequestContext()->cookie_store();
   net::CookieMonster* to_monster = to_store->GetCookieMonster();
   if (first_login_) {
     to_monster->InitializeFrom(cookies_to_transfer_);
@@ skipping 44 matching lines @@
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   (new ProfileAuthDataTransferer(
        from_context,
        to_context,
        transfer_auth_cookies_and_channel_ids_on_first_login,
        transfer_saml_auth_cookies_on_subsequent_login,
        completion_callback))->BeginTransfer();
 }
 
 }  // namespace chromeos