Use GAIA headers to distinguish between GAIA and SAML IdP cookies

chrome/browser/chromeos/login/profile_auth_data.cc

Index: chrome/browser/chromeos/login/profile_auth_data.cc
diff --git a/chrome/browser/chromeos/login/profile_auth_data.cc b/chrome/browser/chromeos/login/profile_auth_data.cc
index e269ca2eb08fe0298f11d24ff64299c2324504bc..0dc0d72d250d01cfd28316997a526865167d2e04 100644
--- a/chrome/browser/chromeos/login/profile_auth_data.cc
+++ b/chrome/browser/chromeos/login/profile_auth_data.cc
@@ -13,6 +13,7 @@
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/message_loop/message_loop.h"
+#include "base/time/time.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/cookies/canonical_cookie.h"
@@ -33,15 +34,8 @@ namespace chromeos {
 
 namespace {
 
-// Given a |cookie| set during login, returns true if the cookie may have been
-// set by GAIA. While GAIA can set cookies for many different domains, the
-// domain names it sets cookies for during Chrome OS login will always contain
-// the strings "google" or "youtube".
-bool IsGAIACookie(const net::CanonicalCookie& cookie) {
-  const std::string& domain = cookie.Domain();
-  return domain.find("google") != std::string::npos ||
-         domain.find("youtube") != std::string::npos;
-}
+const char kSAMLStartCookie[] = "google-accounts-saml-start";
+const char kSAMLEndCookie[] = "google-accounts-saml-end";
 
 class ProfileAuthDataTransferer {
  public:
@@ -86,6 +80,17 @@ class ProfileAuthDataTransferer {
   void OnChannelIDsToTransferRetrieved(
       const net::ChannelIDStore::ChannelIDList& channel_ids_to_transfer);
 
+  // Given a |cookie| set during login, returns true if the cookie may have been
+  // set by GAIA. The main criterion is the |cookie|'s creation date. The points
+  // in time at which redirects from GAIA to SAML IdP and back occur are stored
+  // in |saml_start_time_| and |saml_end_time_|. If the cookie was set between
+  // these two times, it was created by the SAML IdP. Otherwise, it was created
+  // by GAIA.
+  // As an additional precaution, the cookie's domain is checked. If the domain
+  // contains "google" or "youtube", the cookie is considered to have been set
+  // by GAIA as well.
+  bool IsGAIACookie(const net::CanonicalCookie& cookie);
+
   // If all data to be transferred has been retrieved already, transfer it to
   // |to_context_| and call Finish().
   void MaybeTransferCookiesAndChannelIDs();
@@ -103,6 +108,11 @@ class ProfileAuthDataTransferer {
   net::CookieList cookies_to_transfer_;
   net::ChannelIDStore::ChannelIDList channel_ids_to_transfer_;
 
+  // The time at which a redirect from GAIA to a SAML IdP occurred.
+  base::Time saml_start_time_;
+  // The time at which a redirect from a SAML IdP back to GAIA occurred.
+  base::Time saml_end_time_;
+
   bool first_login_;
   bool waiting_for_auth_cookies_;
   bool waiting_for_channel_ids_;
@@ -214,6 +224,25 @@ void ProfileAuthDataTransferer::OnCookiesToTransferRetrieved(
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   waiting_for_auth_cookies_ = false;
   cookies_to_transfer_ = cookies_to_transfer;
+
+  // Look for cookies indicating the points in time at which redirects from GAIA
+  // to SAML IdP and back occurred. These cookies are synthesized by
+  // chrome/browser/resources/gaia_auth/background.js. If the cookies are found,
+  // their creation times are stored in |saml_start_time_| and
+  // |cookies_to_transfer_| and the cookies are deleted.
+  for (net::CookieList::iterator it = cookies_to_transfer_.begin();
+       it != cookies_to_transfer_.end(); ) {
+    if (it->Name() == kSAMLStartCookie) {
+      saml_start_time_ = it->CreationDate();
+      it = cookies_to_transfer_.erase(it);
+    } else if (it->Name() == kSAMLEndCookie) {
+      saml_end_time_ = it->CreationDate();
+      it = cookies_to_transfer_.erase(it);
+    } else {
+      ++it;
+    }
+  }
+
   MaybeTransferCookiesAndChannelIDs();
 }
 
@@ -235,6 +264,19 @@ void ProfileAuthDataTransferer::OnChannelIDsToTransferRetrieved(
   MaybeTransferCookiesAndChannelIDs();
 }
 
+bool ProfileAuthDataTransferer::IsGAIACookie(
+    const net::CanonicalCookie& cookie) {
+  const base::Time& creation_date = cookie.CreationDate();
+  if (creation_date < saml_start_time_)
+    return true;
+  if (!saml_end_time_.is_null() && creation_date > saml_end_time_)
+    return true;
+

[dzhioev (left Google), 2014/08/07 09:17:44]

I can't understand how does this change help to transfer IdP cookies to user's
profile. I mean IsGAIACookie became more permissive with you change, which means
less cookies will be transferred, right?

[bartfab (slow), 2014/08/07 11:59:45]

Done - I replied to this directly and Pavel was happy with the explanation.

+  const std::string& domain = cookie.Domain();
+  return domain.find("google") != std::string::npos ||
+         domain.find("youtube") != std::string::npos;
+}
+
 void ProfileAuthDataTransferer::MaybeTransferCookiesAndChannelIDs() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   if (waiting_for_auth_cookies_ || waiting_for_channel_ids_)