identity_api.h revision 46d4c2bc3267f3f028f39e7e311b0f89aba2e4fd
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_EXTENSIONS_API_IDENTITY_IDENTITY_API_H_ 6#define CHROME_BROWSER_EXTENSIONS_API_IDENTITY_IDENTITY_API_H_ 7 8#include <map> 9#include <set> 10#include <string> 11#include <utility> 12#include <vector> 13 14#include "base/memory/ref_counted.h" 15#include "base/memory/weak_ptr.h" 16#include "base/observer_list.h" 17#include "chrome/browser/extensions/api/identity/account_tracker.h" 18#include "chrome/browser/extensions/api/identity/extension_token_key.h" 19#include "chrome/browser/extensions/api/identity/gaia_web_auth_flow.h" 20#include "chrome/browser/extensions/api/identity/identity_mint_queue.h" 21#include "chrome/browser/extensions/api/identity/identity_signin_flow.h" 22#include "chrome/browser/extensions/api/identity/web_auth_flow.h" 23#include "chrome/browser/extensions/chrome_extension_function.h" 24#include "chrome/browser/signin/signin_global_error.h" 25#include "extensions/browser/browser_context_keyed_api_factory.h" 26#include "google_apis/gaia/oauth2_mint_token_flow.h" 27#include "google_apis/gaia/oauth2_token_service.h" 28 29class GoogleServiceAuthError; 30class MockGetAuthTokenFunction; 31 32namespace content { 33class BrowserContext; 34} 35 36namespace extensions { 37 38class GetAuthTokenFunctionTest; 39class MockGetAuthTokenFunction; 40 41namespace identity_constants { 42extern const char kInvalidClientId[]; 43extern const char kInvalidScopes[]; 44extern const char kAuthFailure[]; 45extern const char kNoGrant[]; 46extern const char kUserRejected[]; 47extern const char kUserNotSignedIn[]; 48extern const char kInteractionRequired[]; 49extern const char kInvalidRedirect[]; 50extern const char kOffTheRecord[]; 51extern const char kPageLoadFailure[]; 52extern const char kCanceled[]; 53} // namespace identity_constants 54 55class IdentityTokenCacheValue { 56 public: 57 IdentityTokenCacheValue(); 58 explicit IdentityTokenCacheValue(const IssueAdviceInfo& issue_advice); 59 IdentityTokenCacheValue(const std::string& token, 60 base::TimeDelta time_to_live); 61 ~IdentityTokenCacheValue(); 62 63 // Order of these entries is used to determine whether or not new 64 // entries supercede older ones in SetCachedToken. 65 enum CacheValueStatus { 66 CACHE_STATUS_NOTFOUND, 67 CACHE_STATUS_ADVICE, 68 CACHE_STATUS_TOKEN 69 }; 70 71 CacheValueStatus status() const; 72 const IssueAdviceInfo& issue_advice() const; 73 const std::string& token() const; 74 const base::Time& expiration_time() const; 75 76 private: 77 bool is_expired() const; 78 79 CacheValueStatus status_; 80 IssueAdviceInfo issue_advice_; 81 std::string token_; 82 base::Time expiration_time_; 83}; 84 85class IdentityAPI : public BrowserContextKeyedAPI, 86 public AccountTracker::Observer { 87 public: 88 typedef std::map<ExtensionTokenKey, IdentityTokenCacheValue> CachedTokens; 89 90 class ShutdownObserver { 91 public: 92 virtual void OnShutdown() = 0; 93 }; 94 95 explicit IdentityAPI(content::BrowserContext* context); 96 virtual ~IdentityAPI(); 97 98 // Request serialization queue for getAuthToken. 99 IdentityMintRequestQueue* mint_queue(); 100 101 // Token cache 102 void SetCachedToken(const ExtensionTokenKey& key, 103 const IdentityTokenCacheValue& token_data); 104 void EraseCachedToken(const std::string& extension_id, 105 const std::string& token); 106 void EraseAllCachedTokens(); 107 const IdentityTokenCacheValue& GetCachedToken(const ExtensionTokenKey& key); 108 109 const CachedTokens& GetAllCachedTokens(); 110 111 // Account queries. 112 std::vector<std::string> GetAccounts() const; 113 std::string FindAccountKeyByGaiaId(const std::string& gaia_id); 114 115 // Global error reporting. 116 void ReportAuthError(const GoogleServiceAuthError& error); 117 GoogleServiceAuthError GetAuthStatusForTest() const; 118 119 // BrowserContextKeyedAPI implementation. 120 virtual void Shutdown() OVERRIDE; 121 static BrowserContextKeyedAPIFactory<IdentityAPI>* GetFactoryInstance(); 122 123 // AccountTracker::Observer implementation: 124 virtual void OnAccountAdded(const AccountIds& ids) OVERRIDE; 125 virtual void OnAccountRemoved(const AccountIds& ids) OVERRIDE; 126 virtual void OnAccountSignInChanged(const AccountIds& ids, 127 bool is_signed_in) OVERRIDE; 128 129 void AddShutdownObserver(ShutdownObserver* observer); 130 void RemoveShutdownObserver(ShutdownObserver* observer); 131 132 void SetAccountStateForTest(AccountIds ids, bool is_signed_in); 133 134 private: 135 friend class BrowserContextKeyedAPIFactory<IdentityAPI>; 136 137 // BrowserContextKeyedAPI implementation. 138 static const char* service_name() { return "IdentityAPI"; } 139 static const bool kServiceIsNULLWhileTesting = true; 140 141 content::BrowserContext* browser_context_; 142 IdentityMintRequestQueue mint_queue_; 143 CachedTokens token_cache_; 144 AccountTracker account_tracker_; 145 ObserverList<ShutdownObserver> shutdown_observer_list_; 146}; 147 148template <> 149void BrowserContextKeyedAPIFactory<IdentityAPI>::DeclareFactoryDependencies(); 150 151class IdentityGetAccountsFunction : public ChromeUIThreadExtensionFunction { 152 public: 153 DECLARE_EXTENSION_FUNCTION("identity.getAccounts", 154 IDENTITY_GETACCOUNTS); 155 156 IdentityGetAccountsFunction(); 157 158 private: 159 virtual ~IdentityGetAccountsFunction(); 160 161 // UIThreadExtensionFunction implementation. 162 virtual ExtensionFunction::ResponseAction Run() OVERRIDE; 163}; 164 165// identity.getAuthToken fetches an OAuth 2 function for the 166// caller. The request has three sub-flows: non-interactive, 167// interactive, and sign-in. 168// 169// In the non-interactive flow, getAuthToken requests a token from 170// GAIA. GAIA may respond with a token, an error, or "consent 171// required". In the consent required cases, getAuthToken proceeds to 172// the second, interactive phase. 173// 174// The interactive flow presents a scope approval dialog to the 175// user. If the user approves the request, a grant will be recorded on 176// the server, and an access token will be returned to the caller. 177// 178// In some cases we need to display a sign-in dialog. Normally the 179// profile will be signed in already, but if it turns out we need a 180// new login token, there is a sign-in flow. If that flow completes 181// successfully, getAuthToken proceeds to the non-interactive flow. 182class IdentityGetAuthTokenFunction : public ChromeAsyncExtensionFunction, 183 public GaiaWebAuthFlow::Delegate, 184 public IdentityMintRequestQueue::Request, 185 public OAuth2MintTokenFlow::Delegate, 186 public IdentitySigninFlow::Delegate, 187 public OAuth2TokenService::Consumer, 188 public IdentityAPI::ShutdownObserver { 189 public: 190 DECLARE_EXTENSION_FUNCTION("identity.getAuthToken", 191 EXPERIMENTAL_IDENTITY_GETAUTHTOKEN); 192 193 IdentityGetAuthTokenFunction(); 194 195 protected: 196 virtual ~IdentityGetAuthTokenFunction(); 197 198 // IdentitySigninFlow::Delegate implementation: 199 virtual void SigninSuccess() OVERRIDE; 200 virtual void SigninFailed() OVERRIDE; 201 202 // GaiaWebAuthFlow::Delegate implementation: 203 virtual void OnGaiaFlowFailure(GaiaWebAuthFlow::Failure failure, 204 GoogleServiceAuthError service_error, 205 const std::string& oauth_error) OVERRIDE; 206 virtual void OnGaiaFlowCompleted(const std::string& access_token, 207 const std::string& expiration) OVERRIDE; 208 209 // OAuth2TokenService::Consumer implementation: 210 virtual void OnGetTokenSuccess(const OAuth2TokenService::Request* request, 211 const std::string& access_token, 212 const base::Time& expiration_time) OVERRIDE; 213 virtual void OnGetTokenFailure(const OAuth2TokenService::Request* request, 214 const GoogleServiceAuthError& error) OVERRIDE; 215 216 scoped_ptr<OAuth2TokenService::Request> login_token_request_; 217 218 private: 219 FRIEND_TEST_ALL_PREFIXES(GetAuthTokenFunctionTest, 220 ComponentWithChromeClientId); 221 FRIEND_TEST_ALL_PREFIXES(GetAuthTokenFunctionTest, 222 ComponentWithNormalClientId); 223 FRIEND_TEST_ALL_PREFIXES(GetAuthTokenFunctionTest, InteractiveQueueShutdown); 224 FRIEND_TEST_ALL_PREFIXES(GetAuthTokenFunctionTest, NoninteractiveShutdown); 225 friend class MockGetAuthTokenFunction; 226 227 // ExtensionFunction: 228 virtual bool RunAsync() OVERRIDE; 229 230 // Helpers to report async function results to the caller. 231 void StartAsyncRun(); 232 void CompleteAsyncRun(bool success); 233 void CompleteFunctionWithResult(const std::string& access_token); 234 void CompleteFunctionWithError(const std::string& error); 235 236 // Initiate/complete the sub-flows. 237 void StartSigninFlow(); 238 void StartMintTokenFlow(IdentityMintRequestQueue::MintType type); 239 void CompleteMintTokenFlow(); 240 241 // IdentityMintRequestQueue::Request implementation: 242 virtual void StartMintToken(IdentityMintRequestQueue::MintType type) OVERRIDE; 243 244 // OAuth2MintTokenFlow::Delegate implementation: 245 virtual void OnMintTokenSuccess(const std::string& access_token, 246 int time_to_live) OVERRIDE; 247 virtual void OnMintTokenFailure( 248 const GoogleServiceAuthError& error) OVERRIDE; 249 virtual void OnIssueAdviceSuccess( 250 const IssueAdviceInfo& issue_advice) OVERRIDE; 251 252 // IdentityAPI::ShutdownObserver implementation: 253 virtual void OnShutdown() OVERRIDE; 254 255 // Starts a login access token request. 256 virtual void StartLoginAccessTokenRequest(); 257 258#if defined(OS_CHROMEOS) 259 // Starts a login access token request for device robot account. This method 260 // will be called only in enterprise kiosk mode in ChromeOS. 261 virtual void StartDeviceLoginAccessTokenRequest(); 262#endif 263 264 // Starts a mint token request to GAIA. 265 void StartGaiaRequest(const std::string& login_access_token); 266 267 // Methods for invoking UI. Overridable for testing. 268 virtual void ShowLoginPopup(); 269 virtual void ShowOAuthApprovalDialog(const IssueAdviceInfo& issue_advice); 270 // Caller owns the returned instance. 271 virtual OAuth2MintTokenFlow* CreateMintTokenFlow( 272 const std::string& login_access_token); 273 274 // Checks if there is a master login token to mint tokens for the extension. 275 virtual bool HasLoginToken() const; 276 277 // Maps OAuth2 protocol errors to an error message returned to the 278 // developer in chrome.runtime.lastError. 279 std::string MapOAuth2ErrorToDescription(const std::string& error); 280 281 std::string GetOAuth2ClientId() const; 282 283 bool should_prompt_for_scopes_; 284 IdentityMintRequestQueue::MintType mint_token_flow_type_; 285 scoped_ptr<OAuth2MintTokenFlow> mint_token_flow_; 286 OAuth2MintTokenFlow::Mode gaia_mint_token_mode_; 287 bool should_prompt_for_signin_; 288 289 scoped_ptr<ExtensionTokenKey> token_key_; 290 std::string oauth2_client_id_; 291 // When launched in interactive mode, and if there is no existing grant, 292 // a permissions prompt will be popped up to the user. 293 IssueAdviceInfo issue_advice_; 294 scoped_ptr<GaiaWebAuthFlow> gaia_web_auth_flow_; 295 scoped_ptr<IdentitySigninFlow> signin_flow_; 296}; 297 298class IdentityRemoveCachedAuthTokenFunction 299 : public ChromeSyncExtensionFunction { 300 public: 301 DECLARE_EXTENSION_FUNCTION("identity.removeCachedAuthToken", 302 EXPERIMENTAL_IDENTITY_REMOVECACHEDAUTHTOKEN) 303 IdentityRemoveCachedAuthTokenFunction(); 304 305 protected: 306 virtual ~IdentityRemoveCachedAuthTokenFunction(); 307 308 // SyncExtensionFunction implementation: 309 virtual bool RunSync() OVERRIDE; 310}; 311 312class IdentityLaunchWebAuthFlowFunction : public ChromeAsyncExtensionFunction, 313 public WebAuthFlow::Delegate { 314 public: 315 DECLARE_EXTENSION_FUNCTION("identity.launchWebAuthFlow", 316 EXPERIMENTAL_IDENTITY_LAUNCHWEBAUTHFLOW); 317 318 IdentityLaunchWebAuthFlowFunction(); 319 320 // Tests may override extension_id. 321 void InitFinalRedirectURLPrefixForTest(const std::string& extension_id); 322 323 private: 324 virtual ~IdentityLaunchWebAuthFlowFunction(); 325 virtual bool RunAsync() OVERRIDE; 326 327 // WebAuthFlow::Delegate implementation. 328 virtual void OnAuthFlowFailure(WebAuthFlow::Failure failure) OVERRIDE; 329 virtual void OnAuthFlowURLChange(const GURL& redirect_url) OVERRIDE; 330 virtual void OnAuthFlowTitleChange(const std::string& title) OVERRIDE {} 331 332 // Helper to initialize final URL prefix. 333 void InitFinalRedirectURLPrefix(const std::string& extension_id); 334 335 scoped_ptr<WebAuthFlow> auth_flow_; 336 GURL final_url_prefix_; 337}; 338 339} // namespace extensions 340 341#endif // CHROME_BROWSER_EXTENSIONS_API_IDENTITY_IDENTITY_API_H_ 342