Inline sign in extracts gaia id from HTTP header and seeds account tracker

chrome/browser/resources/gaia_auth/main.js

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * Authenticator class wraps the communications between Gaia and its host.
  */
 function Authenticator() {
 }
 
@@ skipping 30 matching lines @@
  */
 Authenticator.getInstance = function() {
   if (!Authenticator.instance_) {
     Authenticator.instance_ = new Authenticator();
   }
   return Authenticator.instance_;
 };
 
 Authenticator.prototype = {
   email_: null,
+  gaiaId_: null,
 
   // Depending on the key type chosen, this will contain the plain text password
   // or a credential derived from it along with the information required to
   // repeat the derivation, such as a salt. The information will be encoded so
   // that it contains printable ASCII characters only. The exact encoding is TBD
   // when support for key types other than plain text password is added.
   passwordBytes_: null,
 
+  chooseWhatToSync_: false,
+  skipForNow_: false,
+  sessionIndex_: null,
   attemptToken_: null,
 
   // Input params from extension initialization URL.
   inputLang_: undefined,
   intputEmail_: undefined,
 
   isSAMLFlow_: false,
   gaiaLoaded_: false,
   supportChannel_: null,
 
@@ skipping 28 matching lines @@
 
     document.addEventListener('DOMContentLoaded', this.onPageLoad_.bind(this));
   },
 
   isGaiaMessage_: function(msg) {
     // Not quite right, but good enough.
     return this.gaiaUrl_.indexOf(msg.origin) == 0 ||
            this.GAIA_URL.indexOf(msg.origin) == 0;
   },
 
   isInternalMessage_: function(msg) {

[bartfab (slow), 2014/10/14 17:12:38]

Nit: No longer used.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

Done.

     return msg.origin == Authenticator.THIS_EXTENSION_ORIGIN;
   },
 
   isParentMessage_: function(msg) {
     return msg.origin == this.parentPage_;
   },
 
   constructInitialFrameUrl_: function() {
     var url = this.gaiaUrl_ + this.gaiaPath_;
 
@@ skipping 40 matching lines @@
 
       if (this.desktopMode_) {
         this.supportChannel_.send({
           name: 'initDesktopFlow',
           gaiaUrl: this.gaiaUrl_,
           continueUrl: stripParams(this.continueUrl_),
           isConstrainedWindow: this.isConstrainedWindow_
         });
         this.supportChannel_.registerMessage(
             'switchToFullTab', this.switchToFullTab_.bind(this));
-        this.supportChannel_.registerMessage(
-            'completeLogin', this.completeLogin_.bind(this));
       }
+      this.supportChannel_.registerMessage(
+          'completeLogin', this.onCompleteLogin_.bind(this));
       this.initSAML_();
       this.maybeInitialized_();
     }.bind(this));
 
     window.setTimeout(function() {
       if (!this.supportChannel_) {
         // Re-initialize the channel if it is not connected properly, e.g.
         // connect may be called before background script started running.
         this.initSupportChannel_();
       }
@@ skipping 32 matching lines @@
    * @param {Object=} opt_extraMsg Optional extra info to send.
    */
   completeLogin_: function(opt_extraMsg) {
     var msg = {
       'method': 'completeLogin',
       'email': (opt_extraMsg && opt_extraMsg.email) || this.email_,
       'password': (opt_extraMsg && opt_extraMsg.password) ||
                   this.passwordBytes_,
       'usingSAML': this.isSAMLFlow_,
       'chooseWhatToSync': this.chooseWhatToSync_ || false,
-      'skipForNow': opt_extraMsg && opt_extraMsg.skipForNow,
-      'sessionIndex': opt_extraMsg && opt_extraMsg.sessionIndex
+      'skipForNow': (opt_extraMsg && opt_extraMsg.skipForNow) ||
+                    this.skipForNow_,
+      'sessionIndex': (opt_extraMsg && opt_extraMsg.sessionIndex) ||
+                      this.sessionIndex_,
+      'gaiaId': (opt_extraMsg && opt_extraMsg.gaiaId) || this.gaiaId_
     };
     window.parent.postMessage(msg, this.parentPage_);
     this.supportChannel_.send({name: 'resetAuth'});
   },
 
   /**
    * Invoked when support channel is connected.
    */
   initSAML_: function() {
     this.isSAMLFlow_ = false;
@@ skipping 26 matching lines @@
    */
   onAuthPageLoaded_: function(msg) {
     var isSAMLPage = msg.url.indexOf(this.gaiaUrl_) != 0;
 
     if (isSAMLPage && !this.isSAMLFlow_) {
       // GAIA redirected to a SAML login page. The credentials provided to this
       // page will determine what user gets logged in. The credentials obtained
       // from the GAIA login form are no longer relevant and can be discarded.
       this.isSAMLFlow_ = true;
       this.email_ = null;
+      this.gaiaId_ = null;
       this.passwordBytes_ = null;
     }
 
     window.parent.postMessage({
       'method': 'authPageLoaded',
       'isSAML': this.isSAMLFlow_,
       'domain': extractDomain(msg.url)
     }, this.parentPage_);
   },
 
@@ skipping 30 matching lines @@
       return;
     }
 
     if (call.method == 'add') {
       if (Authenticator.API_KEY_TYPES.indexOf(call.keyType) == -1) {
         console.error('Authenticator.onAPICall_: unsupported key type');
         return;
       }
       this.apiToken_ = call.token;
       this.email_ = call.user;
+      this.gaiaId_ = null;  // TODO(rogerta): no idea what to do here.

[guohui, 2014/10/14 18:50:02]

we should update the saml api to send the gaia id as well.

[bartfab (slow), 2014/10/15 08:39:07]

Ah, I missed that one.

The API is called by a third-party IdP who has no notion of GAIA IDs. Also, the
API call is made very early in the login process. The user is not authenticated
yet and the GAIA ID is not know.

Fortunately, the solution is trivial: A login flow that uses the API still ends
with a GAIA redirect to the success page. Thus, the |onCompleteLogin_| method
will still be called and the |email| and |gaiaId| values it receives will be
used. The |this.email_ = call.user;| line above can actually be removed. The
value it sets will always be overriden later. In line with that, there is no
need to have |this.gaiaId_ = null;| here either. The GAIA ID will be set later,
no matter what.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

Done.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:32]

Removed, since it cannot be set here and will be set later.

       this.passwordBytes_ = call.passwordBytes;
     } else if (call.method == 'confirm') {
       if (call.token != this.apiToken_)
         console.error('Authenticator.onAPICall_: token mismatch');
     } else {
       console.error('Authenticator.onAPICall_: unknown message');
     }
   },
 
   sendInitializationSuccess_: function() {
     this.supportChannel_.send({name: 'apiResponse', response: {
       result: 'initialized',
       version: this.apiVersion_,
       keyTypes: Authenticator.API_KEY_TYPES
     }});
   },
 
   sendInitializationFailure_: function() {
     this.supportChannel_.send({
       name: 'apiResponse',
       response: {result: 'initialization_failed'}
     });
   },
 
-  onConfirmLogin_: function() {
-    if (!this.isSAMLFlow_) {
-      this.completeLogin_();
+  /**
+   * Callback invoked for 'completeLogin' message.
+   */
+  onCompleteLogin_: function(opt_extraMsg) {
+    // Skip SAML extra steps for desktop flow and non-SAML flow.
+    if (!this.isSAMLFlow_ || this.desktopMode_) {
+      this.completeLogin_(opt_extraMsg);
       return;
     }
 
+    if (opt_extraMsg) {

[bartfab (slow), 2014/10/14 17:12:38]

How can |opt_extraMsg| ever not exist? With the changes you made to
background.js, every |onCompleteLogin_| call should contain e-mail, GAIA ID,
etc.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

It can't anymore.  Fixed.

+      this.email_ = opt_extraMsg.email;
+      this.gaiaId_ = opt_extraMsg.gaiaId;
+      // Password from |opt_extraMsg| is not used because ChromeOS SAML flow
+      // gets password by asking user for confirm.

[bartfab (slow), 2014/10/14 17:12:38]

Nit: s/for/to/

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:32]

Done.

+      this.skipForNow_ = opt_extraMsg.skipForNow;
+      this.sessionIndex_ = opt_extraMsg.sessionIndex;
+    }
+
     var apiUsed = !!this.passwordBytes_;
 
     // Retrieve the e-mail address of the user who just authenticated from GAIA.

[bartfab (slow), 2014/10/14 17:12:38]

This is no longer necessary now that we get the user's e-mail address from a
GAIA header.

You can also remove that JS code that listens for the
|retrieveAuthenticatedUserEmail| message and the C++ code backing it.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

Done.

     window.parent.postMessage({method: 'retrieveAuthenticatedUserEmail',
                                attemptToken: this.attemptToken_,
                                apiUsed: apiUsed},
                               this.parentPage_);
 
     if (!apiUsed) {
       this.supportChannel_.sendWithCallback(
           {name: 'getScrapedPasswords'},
           function(passwords) {
             if (passwords.length == 0) {
               window.parent.postMessage(
                   {method: 'noPassword', email: this.email_},
                   this.parentPage_);
             } else {
               window.parent.postMessage({method: 'confirmPassword',
                                          email: this.email_,
                                          passwordCount: passwords.length},
                                         this.parentPage_);
             }
           }.bind(this));
     }
   },
 
   maybeCompleteSAMLLogin_: function() {

[bartfab (slow), 2014/10/14 17:12:38]

This can be folded into onVerifyConfirmedPassword_() now because we no longer
need to wait for e-mail retrieval.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

Done.

     // SAML login is complete when the user's e-mail address has been retrieved
     // from GAIA and the user has successfully confirmed the password.
     if (this.email_ !== null && this.passwordBytes_ !== null)
       this.completeLogin_();
   },
 
   onVerifyConfirmedPassword_: function(password) {
     this.supportChannel_.sendWithCallback(
         {name: 'getScrapedPasswords'},
         function(passwords) {
           for (var i = 0; i < passwords.length; ++i) {
             if (passwords[i] == password) {
               this.passwordBytes_ = passwords[i];
               this.maybeCompleteSAMLLogin_();
               return;
             }
           }
           window.parent.postMessage(
               {method: 'confirmPassword', email: this.email_},
               this.parentPage_);
         }.bind(this));
   },
 
   onMessage: function(e) {
     var msg = e.data;
     if (msg.method == 'attemptLogin' && this.isGaiaMessage_(e)) {
+      // At this point GAIA does not yet know the gaiaId, so its not set here.
       this.email_ = msg.email;
       this.passwordBytes_ = msg.password;
       this.attemptToken_ = msg.attemptToken;
       this.chooseWhatToSync_ = msg.chooseWhatToSync;
       this.isSAMLFlow_ = false;
       if (this.supportChannel_)
         this.supportChannel_.send({name: 'startAuth'});
       else
         console.error('Support channel is not initialized.');
     } else if (msg.method == 'clearOldAttempts' && this.isGaiaMessage_(e)) {
       if (!this.gaiaLoaded_) {
         this.gaiaLoaded_ = true;
         this.maybeInitialized_();
       }
       this.email_ = null;
+      this.gaiaId_ = null;

[bartfab (slow), 2014/10/14 17:12:38]

Should |chooseWhatToSync_|, |skipForNow_| and |sessionIndex_| not be reset here
as well?

[Roger Tawa OOO till Jul 10th, 2014/10/20 16:04:00]

Done.

       this.passwordBytes_ = null;
       this.attemptToken_ = null;
       this.isSAMLFlow_ = false;
       if (this.supportChannel_)
         this.supportChannel_.send({name: 'resetAuth'});
     } else if (msg.method == 'setAuthenticatedUserEmail' &&

[bartfab (slow), 2014/10/14 17:12:38]

This is no longer necessary now that we get the user's e-mail address from a
GAIA header.

[Roger Tawa OOO till Jul 10th, 2014/10/16 02:39:31]

Done.

                this.isParentMessage_(e)) {
       if (this.attemptToken_ == msg.attemptToken) {
         this.email_ = msg.email;
         this.maybeCompleteSAMLLogin_();
       }
-    } else if (msg.method == 'confirmLogin' && this.isInternalMessage_(e)) {
-      // In the desktop mode, Chrome needs to wait for extra info such as
-      // session index from the background JS.
-      if (this.desktopMode_)
-        return;
-
-      if (this.attemptToken_ == msg.attemptToken)
-        this.onConfirmLogin_();
-      else
-        console.error('Authenticator.onMessage: unexpected attemptToken!?');
     } else if (msg.method == 'verifyConfirmedPassword' &&
                this.isParentMessage_(e)) {
       this.onVerifyConfirmedPassword_(msg.password);
     } else if (msg.method == 'redirectToSignin' &&
                this.isParentMessage_(e)) {
       $('gaia-frame').src = this.constructInitialFrameUrl_();
     } else {
        console.error('Authenticator.onMessage: unknown message + origin!?');
     }
   }
 };
 
 Authenticator.getInstance().initialize();