Enable 3rd party support for Security Keys.

chrome/browser/resources/cryptotoken/enroller.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * @fileoverview Handles web page requests for gnubby enrollment.
  */
 
 'use strict';
 
@@ skipping 23 matching lines @@
       sendErrorResponse({errorCode: ErrorCodes.OTHER_ERROR});
       return;
     }
     var responseData =
         makeEnrollResponseData(enrollChallenge, u2fVersion,
             'enrollData', info, 'browserData', browserData);
     var response = makeWebSuccessResponse(request, responseData);
     sendResponseOnce(sentResponse, closeable, response, sendResponse);
   }
 
+  function timeout() {
+    sendErrorResponse({errorCode: ErrorCodes.TIMEOUT});
+  }
+
   var sender = createSenderFromMessageSender(messageSender);
   if (!sender) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
 
-  var enroller =
-      validateEnrollRequest(
-          sender, request, 'enrollChallenges', 'signData',
-          sendErrorResponse, sendSuccessResponse);
-  if (enroller) {
-    var registerRequests = request['enrollChallenges'];
-    var signRequests = getSignRequestsFromEnrollRequest(request, 'signData');
-    closeable = /** @type {Closeable} */ (enroller);
-    enroller.doEnroll(registerRequests, signRequests, request['appId']);
+  if (!isValidEnrollRequest(request, 'enrollChallenges', 'signData')) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
   }
+
+  var timeoutValueSeconds = getTimeoutValueFromRequest(request);
+  // Attenuate watchdog timeout value less than the enroller's timeout, so the
+  // watchdog only fires after the enroller could reasonably have called back,
+  // not before.
+  var watchdogTimeoutValueSeconds = attenuateTimeoutInSeconds(
+      timeoutValueSeconds, MINIMUM_TIMEOUT_ATTENUATION_SECONDS / 2);
+  var watchdog = new WatchdogRequestHandler(watchdogTimeoutValueSeconds,
+      timeout);
+  var wrappedErrorCb = watchdog.wrapCallback(sendErrorResponse);
+  var wrappedSuccessCb = watchdog.wrapCallback(sendSuccessResponse);
+
+  var timer = createAttenuatedTimer(
+      FACTORY_REGISTRY.getCountdownFactory(), timeoutValueSeconds);
+  var logMsgUrl = request['logMsgUrl'];
+  var enroller = new Enroller(timer, sender, wrappedErrorCb, wrappedSuccessCb,
+      logMsgUrl);
+  watchdog.setCloseable(/** @type {!Closeable} */ (enroller));
+  closeable = watchdog;
+
+  var registerRequests = request['enrollChallenges'];
+  var signRequests = getSignRequestsFromEnrollRequest(request, 'signData');
+  enroller.doEnroll(registerRequests, signRequests, request['appId']);
+
   return closeable;
 }
 
 /**
  * Handles a U2F enroll request.
  * @param {MessageSender} messageSender The message sender.
  * @param {Object} request The web page's enroll request.
  * @param {Function} sendResponse Called back with the result of the enroll.
  * @return {Closeable} A handler object to be closed when the browser channel
  *     closes.
@@ skipping 16 matching lines @@
       sendErrorResponse({errorCode: ErrorCodes.OTHER_ERROR});
       return;
     }
     var responseData =
         makeEnrollResponseData(enrollChallenge, u2fVersion,
             'registrationData', info, 'clientData', browserData);
     var response = makeU2fSuccessResponse(request, responseData);
     sendResponseOnce(sentResponse, closeable, response, sendResponse);
   }
 
+  function timeout() {
+    sendErrorResponse({errorCode: ErrorCodes.TIMEOUT});
+  }
+
   var sender = createSenderFromMessageSender(messageSender);
   if (!sender) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
 
-  var enroller =
-      validateEnrollRequest(
-          sender, request, 'registerRequests', 'signRequests',
-          sendErrorResponse, sendSuccessResponse, 'registeredKeys');
-  if (enroller) {
-    var registerRequests = request['registerRequests'];
-    var signRequests = getSignRequestsFromEnrollRequest(request,
-        'signRequests', 'registeredKeys');
-    closeable = /** @type {Closeable} */ (enroller);
-    enroller.doEnroll(registerRequests, signRequests, request['appId']);
+  if (!isValidEnrollRequest(request, 'registerRequests', 'signRequests',
+      'registeredKeys')) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
   }
+
+  var timeoutValueSeconds = getTimeoutValueFromRequest(request);
+  // Attenuate watchdog timeout value less than the enroller's timeout, so the
+  // watchdog only fires after the enroller could reasonably have called back,
+  // not before.
+  var watchdogTimeoutValueSeconds = attenuateTimeoutInSeconds(
+      timeoutValueSeconds, MINIMUM_TIMEOUT_ATTENUATION_SECONDS / 2);
+  var watchdog = new WatchdogRequestHandler(watchdogTimeoutValueSeconds,
+      timeout);
+  var wrappedErrorCb = watchdog.wrapCallback(sendErrorResponse);
+  var wrappedSuccessCb = watchdog.wrapCallback(sendSuccessResponse);
+
+  var timer = createAttenuatedTimer(
+      FACTORY_REGISTRY.getCountdownFactory(), timeoutValueSeconds);
+  var logMsgUrl = request['logMsgUrl'];
+  var enroller = new Enroller(timer, sender, sendErrorResponse,
+      sendSuccessResponse, logMsgUrl);
+  watchdog.setCloseable(/** @type {!Closeable} */ (enroller));
+  closeable = watchdog;
+
+  var registerRequests = request['registerRequests'];
+  var signRequests = getSignRequestsFromEnrollRequest(request,
+      'signRequests', 'registeredKeys');
+  enroller.doEnroll(registerRequests, signRequests, request['appId']);
+
   return closeable;
 }
 
 /**
- * Validates an enroll request using the given parameters.
- * @param {WebRequestSender} sender The sender of the message.
- * @param {Object} request The web page's enroll request.
- * @param {string} enrollChallengesName The name of the enroll challenges value
- *     in the request.
- * @param {string} signChallengesName The name of the sign challenges value in
- *     the request.
- * @param {function(U2fError)} errorCb Error callback.
- * @param {function(string, string, (string|undefined))} successCb Success
- *     callback.
- * @param {string=} opt_registeredKeysName The name of the registered keys
- *     value in the request.
- * @return {Enroller} Enroller object representing the request, if the request
- *     is valid, or null if the request is invalid.
- */
-function validateEnrollRequest(sender, request,
-    enrollChallengesName, signChallengesName, errorCb, successCb,
-    opt_registeredKeysName) {
-  if (!isValidEnrollRequest(request, enrollChallengesName,
-      signChallengesName, opt_registeredKeysName)) {
-    errorCb({errorCode: ErrorCodes.BAD_REQUEST});
-    return null;
-  }
-
-  var timeoutValueSeconds = getTimeoutValueFromRequest(request);
-  var timer = createAttenuatedTimer(
-      FACTORY_REGISTRY.getCountdownFactory(), timeoutValueSeconds);
-  var logMsgUrl = request['logMsgUrl'];
-  var enroller = new Enroller(timer, sender, errorCb, successCb, logMsgUrl);
-  return enroller;
-}
-
-/**
  * Returns whether the request appears to be a valid enroll request.
  * @param {Object} request The request.
  * @param {string} enrollChallengesName The name of the enroll challenges value
  *     in the request.
  * @param {string} signChallengesName The name of the sign challenges value in
  *     the request.
  * @param {string=} opt_registeredKeysName The name of the registered keys
  *     value in the request.
  * @return {boolean} Whether the request appears valid.
  */
@@ skipping 226 matching lines @@
  * to the request to the handler if/when the user has done so.
  * @private
  */
 Enroller.prototype.approveOrigin_ = function() {
   var self = this;
   FACTORY_REGISTRY.getApprovedOrigins()
       .isApprovedOrigin(this.sender_.origin, this.sender_.tabId)
       .then(function(result) {
         if (self.done_) return;
         if (!result) {
-          // Origin not approved: fail the result.
-          self.notifyError_({errorCode: ErrorCodes.BAD_REQUEST});
+          // Origin not approved: rather than give an explicit indication to
+          // the web page, let a timeout occur.
+          if (self.timer_.expired()) {
+            self.notifyTimeout_();
+            return;
+          }
+          var newTimer = self.timer_.clone(self.notifyTimeout_.bind(self));
+          self.timer_.clearTimeout();
+          self.timer_ = newTimer;
           return;
         }
         self.sendEnrollRequestToHelper_();
       });
 };
 
 /**
+ * Notifies the caller of a timeout error.
+ * @private
+ */
+Enroller.prototype.notifyTimeout_ = function() {
+  this.notifyError_({errorCode: ErrorCodes.TIMEOUT});
+};
+
+/**
  * Performs an enroll request with this instance's enroll and sign challenges,
  * by encoding them into a helper request and passing the resulting request to
  * the factory registry's helper.
  * @private
  */
 Enroller.prototype.sendEnrollRequestToHelper_ = function() {
   var encodedEnrollChallenges =
       this.encodeEnrollChallenges_(this.enrollChallenges_, this.appId_);
   // If the request didn't contain a sign challenge, provide one. The value
   // doesn't matter.
@@ skipping 220 matching lines @@
       // For U2F_V2, the challenge sent to the gnubby is modified to be the hash
       // of the browser data. Include the browser data.
       browserData = this.browserData_[reply.version];
     }
 
     this.notifySuccess_(/** @type {string} */ (reply.version),
                         /** @type {string} */ (reply.enrollData),
                         browserData);
   }
 };