gaia_auth_fetcher.h revision 2a99a7e74a7f215066514fe81d2bfa6639d9eddd 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef GOOGLE_APIS_GAIA_GAIA_AUTH_FETCHER_H_
6#define GOOGLE_APIS_GAIA_GAIA_AUTH_FETCHER_H_
7
8#include <string>
9#include <vector>
10
11#include "base/gtest_prod_util.h"
12#include "base/memory/scoped_ptr.h"
13#include "google_apis/gaia/gaia_auth_consumer.h"
14#include "google_apis/gaia/google_service_auth_error.h"
15#include "googleurl/src/gurl.h"
16#include "net/url_request/url_fetcher_delegate.h"
17
18// Authenticate a user against the Google Accounts ClientLogin API
19// with various capabilities and return results to a GaiaAuthConsumer.
20//
21// In the future, we will also issue auth tokens from this class.
22// This class should be used on a single thread, but it can be whichever thread
23// that you like.
24//
25// This class can handle one request at a time on any thread. To parallelize
26// requests, create multiple GaiaAuthFetcher's.
27
28class GaiaAuthFetcherTest;
29
30namespace net {
31class URLFetcher;
32class URLRequestContextGetter;
33class URLRequestStatus;
34}
35
36class GaiaAuthFetcher : public net::URLFetcherDelegate {
37 public:
38  enum HostedAccountsSetting {
39    HostedAccountsAllowed,
40    HostedAccountsNotAllowed
41  };
42
43  // Magic string indicating that, while a second factor is still
44  // needed to complete authentication, the user provided the right password.
45  static const char kSecondFactor[];
46
47  // This will later be hidden behind an auth service which caches
48  // tokens.
49  GaiaAuthFetcher(GaiaAuthConsumer* consumer,
50                  const std::string& source,
51                  net::URLRequestContextGetter* getter);
52  virtual ~GaiaAuthFetcher();
53
54  // Start a request to obtain the SID and LSID cookies for the the account
55  // identified by |username| and |password|.  If |service| is not null or
56  // empty, then also obtains a service token for specified service.
57  //
58  // If this is a second call because of captcha challenge, then the
59  // |login_token| and |login_captcha| arugment should correspond to the
60  // solution of the challenge.
61  //
62  // Either OnClientLoginSuccess or OnClientLoginFailure will be
63  // called on the consumer on the original thread.
64  void StartClientLogin(const std::string& username,
65                        const std::string& password,
66                        const char* const service,
67                        const std::string& login_token,
68                        const std::string& login_captcha,
69                        HostedAccountsSetting allow_hosted_accounts);
70
71  // Start a request to obtain service token for the the account identified by
72  // |sid| and |lsid| and the |service|.
73  //
74  // Either OnIssueAuthTokenSuccess or OnIssueAuthTokenFailure will be
75  // called on the consumer on the original thread.
76  void StartIssueAuthToken(const std::string& sid,
77                           const std::string& lsid,
78                           const char* const service);
79
80  // Start a request to obtain |service| token for the the account identified by
81  // |uber_token|.
82  //
83  // Either OnIssueAuthTokenSuccess or OnIssueAuthTokenFailure will be
84  // called on the consumer on the original thread.
85  void StartTokenAuth(const std::string& uber_token,
86                      const char* const service);
87
88  // Start a request to obtain service token for the the account identified by
89  // |oauth2_access_token| and the |service|.
90  //
91  // Either OnIssueAuthTokenSuccess or OnIssueAuthTokenFailure will be
92  // called on the consumer on the original thread.
93  void StartIssueAuthTokenForOAuth2(const std::string& oauth2_access_token,
94                                    const char* const service);
95
96  // Start a request to exchange an "lso" service token given by |auth_token|
97  // for an OAuthLogin-scoped oauth2 token.
98  //
99  // Either OnClientOAuthSuccess or OnClientOAuthFailure will be
100  // called on the consumer on the original thread.
101  void StartLsoForOAuthLoginTokenExchange(const std::string& auth_token);
102
103  // Start a request to exchange the cookies of a signed-in user session
104  // for an OAuthLogin-scoped oauth2 token.  In the case of a session with
105  // multiple accounts signed in, |session_index| indicate the which of accounts
106  // within the session.
107  //
108  // Either OnClientOAuthSuccess or OnClientOAuthFailure will be
109  // called on the consumer on the original thread.
110  void StartCookieForOAuthLoginTokenExchange(const std::string& session_index);
111
112  // Start a request to exchange the authorization code for an OAuthLogin-scoped
113  // oauth2 token.
114  //
115  // Either OnClientOAuthSuccess or OnClientOAuthFailure will be
116  // called on the consumer on the original thread.
117  void StartAuthCodeForOAuth2TokenExchange(const std::string& auth_code);
118
119  // Start a request to get user info for the account identified by |lsid|.
120  //
121  // Either OnGetUserInfoSuccess or OnGetUserInfoFailure will be
122  // called on the consumer on the original thread.
123  void StartGetUserInfo(const std::string& lsid);
124
125  // Start a MergeSession request to pre-login the user with the given
126  // credentials.
127  //
128  // Start a MergeSession request to fill the browsing cookie jar with
129  // credentials represented by the account whose uber-auth token is
130  // |uber_token|.  This method will modify the cookies of the current profile.
131  //
132  // Either OnMergeSessionSuccess or OnMergeSessionFailure will be
133  // called on the consumer on the original thread.
134  void StartMergeSession(const std::string& uber_token);
135
136  // Start a request to exchange an OAuthLogin-scoped oauth2 access token for an
137  // uber-auth token.  The returned token can be used with the method
138  // StartMergeSession().
139  //
140  // Either OnUberAuthTokenSuccess or OnUberAuthTokenFailure will be
141  // called on the consumer on the original thread.
142  void StartTokenFetchForUberAuthExchange(const std::string& access_token);
143
144  // Start a request to obtain an OAuth2 token for the account identified by
145  // |username| and |password|.  |scopes| is a list of oauth scopes that
146  // indicate the access permerssions to assign to the returned token.
147  // |persistent_id| is an optional client identifier used to identify this
148  // particular chrome instances, which may reduce the chance of a challenge.
149  // |locale| will be used to format messages to be presented to the user in
150  // challenges, if needed.
151  //
152  // If the request cannot complete due to a challenge, the
153  // GoogleServiceAuthError will indicate the type of challenge required:
154  // either CAPTCHA_REQUIRED or TWO_FACTOR.
155  //
156  // Either OnClientOAuthSuccess or OnClientOAuthFailure will be
157  // called on the consumer on the original thread.
158  void StartClientOAuth(const std::string& username,
159                        const std::string& password,
160                        const std::vector<std::string>& scopes,
161                        const std::string& persistent_id,
162                        const std::string& locale);
163
164  // Start a challenge response to obtain an OAuth2 token.  This method is
165  // called after a challenge response is issued from a previous call to
166  // StartClientOAuth().  The |type| and |token| arguments come from the
167  // error response to StartClientOAuth(), while the |solution| argument
168  // represents the answer from the user for the partocular challenge.
169  //
170  // Either OnClientOAuthSuccess or OnClientOAuthFailure will be
171  // called on the consumer on the original thread.
172  void StartClientOAuthChallengeResponse(GoogleServiceAuthError::State type,
173                                         const std::string& token,
174                                         const std::string& solution);
175
176  // Start a request to exchange an OAuthLogin-scoped oauth2 access token for a
177  // ClientLogin-style service tokens.  The response to this request is the
178  // same as the response to a ClientLogin request, except that captcha
179  // challenges are never issued.
180  //
181  // Either OnClientLoginSuccess or OnClientLoginFailure will be
182  // called on the consumer on the original thread. If |service| is empty,
183  // the call will attempt to fetch uber auth token.
184  void StartOAuthLogin(const std::string& access_token,
185                       const std::string& service);
186
187  // Implementation of net::URLFetcherDelegate
188  virtual void OnURLFetchComplete(const net::URLFetcher* source) OVERRIDE;
189
190  // StartClientLogin been called && results not back yet?
191  bool HasPendingFetch();
192
193  // Stop any URL fetches in progress.
194  void CancelRequest();
195
196  // From a URLFetcher result, generate an appropriate error.
197  // From the API documentation, both IssueAuthToken and ClientLogin have
198  // the same error returns.
199  static GoogleServiceAuthError GenerateOAuthLoginError(
200      const std::string& data,
201      const net::URLRequestStatus& status);
202
203 private:
204  // ClientLogin body constants that don't change
205  static const char kCookiePersistence[];
206  static const char kAccountTypeHostedOrGoogle[];
207  static const char kAccountTypeGoogle[];
208
209  // The format of the POST body for ClientLogin.
210  static const char kClientLoginFormat[];
211  // The format of said POST body when CAPTCHA token & answer are specified.
212  static const char kClientLoginCaptchaFormat[];
213  // The format of the POST body for IssueAuthToken.
214  static const char kIssueAuthTokenFormat[];
215  // The format of the POST body to get OAuth2 auth code from auth token.
216  static const char kClientLoginToOAuth2BodyFormat[];
217  // The format of the POST body to get OAuth2 token pair from auth code.
218  static const char kOAuth2CodeToTokenPairBodyFormat[];
219  // The format of the POST body for GetUserInfo.
220  static const char kGetUserInfoFormat[];
221  // The format of the POST body for MergeSession.
222  static const char kMergeSessionFormat[];
223  // The format of the URL for UberAuthToken.
224  static const char kUberAuthTokenURLFormat[];
225  // The format of the body for OAuthLogin.
226  static const char kOAuthLoginFormat[];
227
228  // Constants for parsing ClientLogin errors.
229  static const char kAccountDeletedError[];
230  static const char kAccountDeletedErrorCode[];
231  static const char kAccountDisabledError[];
232  static const char kAccountDisabledErrorCode[];
233  static const char kBadAuthenticationError[];
234  static const char kBadAuthenticationErrorCode[];
235  static const char kCaptchaError[];
236  static const char kCaptchaErrorCode[];
237  static const char kServiceUnavailableError[];
238  static const char kServiceUnavailableErrorCode[];
239  static const char kErrorParam[];
240  static const char kErrorUrlParam[];
241  static const char kCaptchaUrlParam[];
242  static const char kCaptchaTokenParam[];
243
244  // Constants for parsing ClientOAuth errors.
245  static const char kNeedsAdditional[];
246  static const char kCaptcha[];
247  static const char kTwoFactor[];
248
249  // Constants for request/response for OAuth2 requests.
250  static const char kAuthHeaderFormat[];
251  static const char kOAuthHeaderFormat[];
252  static const char kOAuth2BearerHeaderFormat[];
253  static const char kClientLoginToOAuth2CookiePartSecure[];
254  static const char kClientLoginToOAuth2CookiePartHttpOnly[];
255  static const char kClientLoginToOAuth2CookiePartCodePrefix[];
256  static const int kClientLoginToOAuth2CookiePartCodePrefixLength;
257
258  // Process the results of a ClientLogin fetch.
259  void OnClientLoginFetched(const std::string& data,
260                            const net::URLRequestStatus& status,
261                            int response_code);
262
263  void OnIssueAuthTokenFetched(const std::string& data,
264                               const net::URLRequestStatus& status,
265                               int response_code);
266
267  void OnClientLoginToOAuth2Fetched(const std::string& data,
268                                    const net::ResponseCookies& cookies,
269                                    const net::URLRequestStatus& status,
270                                    int response_code);
271
272  void OnOAuth2TokenPairFetched(const std::string& data,
273                                const net::URLRequestStatus& status,
274                                int response_code);
275
276  void OnGetUserInfoFetched(const std::string& data,
277                            const net::URLRequestStatus& status,
278                            int response_code);
279
280  void OnMergeSessionFetched(const std::string& data,
281                             const net::URLRequestStatus& status,
282                             int response_code);
283
284  void OnUberAuthTokenFetch(const std::string& data,
285                            const net::URLRequestStatus& status,
286                            int response_code);
287
288  void OnClientOAuthFetched(const std::string& data,
289                            const net::URLRequestStatus& status,
290                            int response_code);
291
292  void OnOAuthLoginFetched(const std::string& data,
293                           const net::URLRequestStatus& status,
294                           int response_code);
295
296  // Tokenize the results of a ClientLogin fetch.
297  static void ParseClientLoginResponse(const std::string& data,
298                                       std::string* sid,
299                                       std::string* lsid,
300                                       std::string* token);
301
302  static void ParseClientLoginFailure(const std::string& data,
303                                      std::string* error,
304                                      std::string* error_url,
305                                      std::string* captcha_url,
306                                      std::string* captcha_token);
307
308  // Parse ClientLogin to OAuth2 response.
309  static bool ParseClientLoginToOAuth2Response(
310      const net::ResponseCookies& cookies,
311      std::string* auth_code);
312
313  static bool ParseClientLoginToOAuth2Cookie(const std::string& cookie,
314                                             std::string* auth_code);
315
316  static GoogleServiceAuthError GenerateClientOAuthError(
317      const std::string& data,
318      const net::URLRequestStatus& status);
319
320  // Is this a special case Gaia error for TwoFactor auth?
321  static bool IsSecondFactorSuccess(const std::string& alleged_error);
322
323  // Given parameters, create a ClientLogin request body.
324  static std::string MakeClientLoginBody(
325      const std::string& username,
326      const std::string& password,
327      const std::string& source,
328      const char* const service,
329      const std::string& login_token,
330      const std::string& login_captcha,
331      HostedAccountsSetting allow_hosted_accounts);
332  // Supply the sid / lsid returned from ClientLogin in order to
333  // request a long lived auth token for a service.
334  static std::string MakeIssueAuthTokenBody(const std::string& sid,
335                                            const std::string& lsid,
336                                            const char* const service);
337  // Create body to get OAuth2 auth code.
338  static std::string MakeGetAuthCodeBody();
339  // Given auth code, create body to get OAuth2 token pair.
340  static std::string MakeGetTokenPairBody(const std::string& auth_code);
341  // Supply the lsid returned from ClientLogin in order to fetch
342  // user information.
343  static std::string MakeGetUserInfoBody(const std::string& lsid);
344
345  // Supply the authentication token returned from StartIssueAuthToken.
346  static std::string MakeMergeSessionBody(const std::string& auth_token,
347                                       const std::string& continue_url,
348                                       const std::string& source);
349
350  static std::string MakeGetAuthCodeHeader(const std::string& auth_token);
351
352  static std::string MakeClientOAuthBody(const std::string& username,
353                                         const std::string& password,
354                                         const std::vector<std::string>& scopes,
355                                         const std::string& persistent_id,
356                                         const std::string& friendly_name,
357                                         const std::string& locale);
358
359  static std::string MakeClientOAuthChallengeResponseBody(
360      const std::string& name,
361      const std::string& token,
362      const std::string& solution);
363
364  static std::string MakeOAuthLoginBody(const std::string& service,
365                                        const std::string& source);
366
367  // Create a fetcher usable for making any Gaia request.  |body| is used
368  // as the body of the POST request sent to GAIA.  Any strings listed in
369  // |headers| are added as extra HTTP headers in the request.
370  //
371  // |load_flags| are passed to directly to net::URLFetcher::Create() when
372  // creating the URL fetcher.
373  static net::URLFetcher* CreateGaiaFetcher(
374      net::URLRequestContextGetter* getter,
375      const std::string& body,
376      const std::string& headers,
377      const GURL& gaia_gurl,
378      int load_flags,
379      net::URLFetcherDelegate* delegate);
380
381  // From a URLFetcher result, generate an appropriate error.
382  // From the API documentation, both IssueAuthToken and ClientLogin have
383  // the same error returns.
384  static GoogleServiceAuthError GenerateAuthError(
385      const std::string& data,
386      const net::URLRequestStatus& status);
387
388  // These fields are common to GaiaAuthFetcher, same every request
389  GaiaAuthConsumer* const consumer_;
390  net::URLRequestContextGetter* const getter_;
391  std::string source_;
392  const GURL client_login_gurl_;
393  const GURL issue_auth_token_gurl_;
394  const GURL oauth2_token_gurl_;
395  const GURL get_user_info_gurl_;
396  const GURL merge_session_gurl_;
397  const GURL uberauth_token_gurl_;
398  const GURL client_oauth_gurl_;
399  const GURL oauth_login_gurl_;
400
401  // While a fetch is going on:
402  scoped_ptr<net::URLFetcher> fetcher_;
403  GURL client_login_to_oauth2_gurl_;
404  std::string request_body_;
405  std::string requested_service_; // Currently tracked for IssueAuthToken only.
406  bool fetch_pending_;
407
408  friend class GaiaAuthFetcherTest;
409  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, CaptchaParse);
410  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, AccountDeletedError);
411  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, AccountDisabledError);
412  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, BadAuthenticationError);
413  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, IncomprehensibleError);
414  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ServiceUnavailableError);
415  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, CheckNormalErrorCode);
416  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, CheckTwoFactorResponse);
417  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, LoginNetFailure);
418  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest,
419      ParseClientLoginToOAuth2Response);
420  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ParseOAuth2TokenPairResponse);
421  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ClientOAuthSuccess);
422  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ClientOAuthWithQuote);
423  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ClientOAuthChallengeSuccess);
424  FRIEND_TEST_ALL_PREFIXES(GaiaAuthFetcherTest, ClientOAuthChallengeQuote);
425
426  DISALLOW_COPY_AND_ASSIGN(GaiaAuthFetcher);
427};
428
429#endif  // GOOGLE_APIS_GAIA_GAIA_AUTH_FETCHER_H_
430