| blob | 1a3f7acb726272cec75a0d1c273187d2b1747619 |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 /**
6 * @fileoverview
7 * A background script of the auth extension that bridges the communication
8 * between the main and injected scripts.
9 *
10 * Here is an overview of the communication flow when SAML is being used:
11 * 1. The main script sends the |startAuth| signal to this background script,
12 * indicating that the authentication flow has started and SAML pages may be
13 * loaded from now on.
14 * 2. A script is injected into each SAML page. The injected script sends three
15 * main types of messages to this background script:
16 * a) A |pageLoaded| message is sent when the page has been loaded. This is
17 * forwarded to the main script as |onAuthPageLoaded|.
18 * b) If the SAML provider supports the credential passing API, the API calls
19 * are sent to this backgroudn script as |apiCall| messages. These
20 * messages are forwarded unmodified to the main script.
21 * c) The injected script scrapes passwords. They are sent to this background
22 * script in |updatePassword| messages. The main script can request a list
23 * of the scraped passwords by sending the |getScrapedPasswords| message.
24 */
26 /**
27 * BackgroundBridgeManager maintains an array of BackgroundBridge, indexed by
28 * the associated tab id.
29 */
30 function BackgroundBridgeManager() {
31 }
33 BackgroundBridgeManager.prototype = {
34 // Maps a tab id to its associated BackgroundBridge.
35 bridges_: {},
37 run: function() {
38 chrome.runtime.onConnect.addListener(this.onConnect_.bind(this));
40 chrome.webRequest.onBeforeRequest.addListener(
41 function(details) {
42 if (this.bridges_[details.tabId])
43 return this.bridges_[details.tabId].onInsecureRequest();
44 }.bind(this),
45 {urls: ['http://*/*', 'file://*/*', 'ftp://*/*']},
46 ['blocking']);
48 chrome.webRequest.onBeforeSendHeaders.addListener(
49 function(details) {
50 if (this.bridges_[details.tabId])
51 return this.bridges_[details.tabId].onBeforeSendHeaders(details);
52 else
53 return {requestHeaders: details.requestHeaders};
54 }.bind(this),
55 {urls: ['*://*/*'], types: ['sub_frame']},
56 ['blocking', 'requestHeaders']);
58 chrome.webRequest.onHeadersReceived.addListener(
59 function(details) {
60 if (this.bridges_[details.tabId])
61 this.bridges_[details.tabId].onHeadersReceived(details);
62 }.bind(this),
63 {urls: ['*://*/*'], types: ['sub_frame']},
64 ['responseHeaders']);
66 chrome.webRequest.onCompleted.addListener(
67 function(details) {
68 if (this.bridges_[details.tabId])
69 this.bridges_[details.tabId].onCompleted(details);
70 }.bind(this),
71 {urls: ['*://*/*'], types: ['sub_frame']},
72 ['responseHeaders']);
73 },
75 onConnect_: function(port) {
76 var tabId = this.getTabIdFromPort_(port);
77 if (!this.bridges_[tabId])
78 this.bridges_[tabId] = new BackgroundBridge(tabId);
79 if (port.name == 'authMain') {
80 this.bridges_[tabId].setupForAuthMain(port);
81 port.onDisconnect.addListener(function() {
82 delete this.bridges_[tabId];
83 }.bind(this));
84 } else if (port.name == 'injected') {
85 this.bridges_[tabId].setupForInjected(port);
86 } else {
87 console.error('Unexpected connection, port.name=' + port.name);
88 }
89 },
91 getTabIdFromPort_: function(port) {
92 return port.sender.tab ? port.sender.tab.id : -1;
93 }
94 };
96 /**
97 * BackgroundBridge allows the main script and the injected script to
98 * collaborate. It forwards credentials API calls to the main script and
99 * maintains a list of scraped passwords.
100 * @param {string} tabId The associated tab ID.
101 */
102 function BackgroundBridge(tabId) {
103 this.tabId_ = tabId;
104 }
106 BackgroundBridge.prototype = {
107 // The associated tab ID. Only used for debugging now.
108 tabId: null,
110 isDesktopFlow_: false,
112 // Continue URL that is set from main auth script.
113 continueUrl_: null,
115 // Whether the extension is loaded in a constrained window.
116 // Set from main auth script.
117 isConstrainedWindow_: null,
119 // Email of the newly authenticated user based on the gaia response header
120 // 'google-accounts-signin'.
121 email_: null,
123 // Session index of the newly authenticated user based on the gaia response
124 // header 'google-accounts-signin'.
125 sessionIndex_: null,
127 // Gaia URL base that is set from main auth script.
128 gaiaUrl_: null,
130 // Whether to abort the authentication flow and show an error messagen when
131 // content served over an unencrypted connection is detected.
132 blockInsecureContent_: false,
134 // Whether auth flow has started. It is used as a signal of whether the
135 // injected script should scrape passwords.
136 authStarted_: false,
138 passwordStore_: {},
140 channelMain_: null,
141 channelInjected_: null,
143 /**
144 * Sets up the communication channel with the main script.
145 */
146 setupForAuthMain: function(port) {
147 this.channelMain_ = new Channel();
148 this.channelMain_.init(port);
150 // Registers for desktop related messages.
151 this.channelMain_.registerMessage(
152 'initDesktopFlow', this.onInitDesktopFlow_.bind(this));
154 // Registers for SAML related messages.
155 this.channelMain_.registerMessage(
156 'setGaiaUrl', this.onSetGaiaUrl_.bind(this));
157 this.channelMain_.registerMessage(
158 'setBlockInsecureContent', this.onSetBlockInsecureContent_.bind(this));
159 this.channelMain_.registerMessage(
160 'resetAuth', this.onResetAuth_.bind(this));
161 this.channelMain_.registerMessage(
162 'startAuth', this.onAuthStarted_.bind(this));
163 this.channelMain_.registerMessage(
164 'getScrapedPasswords',
165 this.onGetScrapedPasswords_.bind(this));
166 this.channelMain_.registerMessage(
167 'apiResponse', this.onAPIResponse_.bind(this));
169 this.channelMain_.send({
170 'name': 'channelConnected'
171 });
172 },
174 /**
175 * Sets up the communication channel with the injected script.
176 */
177 setupForInjected: function(port) {
178 this.channelInjected_ = new Channel();
179 this.channelInjected_.init(port);
181 this.channelInjected_.registerMessage(
182 'apiCall', this.onAPICall_.bind(this));
183 this.channelInjected_.registerMessage(
184 'updatePassword', this.onUpdatePassword_.bind(this));
185 this.channelInjected_.registerMessage(
186 'pageLoaded', this.onPageLoaded_.bind(this));
187 },
189 /**
190 * Handler for 'initDesktopFlow' signal sent from the main script.
191 * Only called in desktop mode.
192 */
193 onInitDesktopFlow_: function(msg) {
194 this.isDesktopFlow_ = true;
195 this.gaiaUrl_ = msg.gaiaUrl;
196 this.continueUrl_ = msg.continueUrl;
197 this.isConstrainedWindow_ = msg.isConstrainedWindow;
198 },
200 /**
201 * Handler for webRequest.onCompleted. It 1) detects loading of continue URL
202 * and notifies the main script of signin completion; 2) detects if the
203 * current page could be loaded in a constrained window and signals the main
204 * script of switching to full tab if necessary.
205 */
206 onCompleted: function(details) {
207 // Only monitors requests in the gaia frame whose parent frame ID must be
208 // positive.
209 if (!this.isDesktopFlow_ || details.parentFrameId <= 0)
210 return;
212 var msg = null;
213 if (this.continueUrl_ &&
214 details.url.lastIndexOf(this.continueUrl_, 0) == 0) {
215 var skipForNow = false;
216 if (details.url.indexOf('ntp=1') >= 0)
217 skipForNow = true;
219 // TOOD(guohui): Show password confirmation UI.
220 var passwords = this.onGetScrapedPasswords_();
221 msg = {
222 'name': 'completeLogin',
223 'email': this.email_,
224 'password': passwords[0],
225 'sessionIndex': this.sessionIndex_,
226 'skipForNow': skipForNow
227 };
228 this.channelMain_.send(msg);
229 } else if (this.isConstrainedWindow_) {
230 // The header google-accounts-embedded is only set on gaia domain.
231 if (this.gaiaUrl_ && details.url.lastIndexOf(this.gaiaUrl_) == 0) {
232 var headers = details.responseHeaders;
233 for (var i = 0; headers && i < headers.length; ++i) {
234 if (headers[i].name.toLowerCase() == 'google-accounts-embedded')
235 return;
236 }
237 }
238 msg = {
239 'name': 'switchToFullTab',
240 'url': details.url
241 };
242 this.channelMain_.send(msg);
243 }
244 },
246 /**
247 * Handler for webRequest.onBeforeRequest, invoked when content served over an
248 * unencrypted connection is detected. Determines whether the request should
249 * be blocked and if so, signals that an error message needs to be shown.
250 * @return {!Object} Decision whether to block the request.
251 */
252 onInsecureRequest: function() {
253 if (!this.blockInsecureContent_)
254 return {};
255 this.channelMain_.send({name: 'onInsecureContentBlocked'});
256 return {cancel: true};
257 },
259 /**
260 * Handler or webRequest.onHeadersReceived. It reads the authenticated user
261 * email from google-accounts-signin-header.
262 */
263 onHeadersReceived: function(details) {
264 if (!this.isDesktopFlow_ ||
265 !this.gaiaUrl_ ||
266 details.url.lastIndexOf(this.gaiaUrl_) != 0) {
267 // TODO(xiyuan, guohui): CrOS should reuse the logic below for reading the
268 // email for SAML users and cut off the /ListAccount call.
269 return;
270 }
272 var headers = details.responseHeaders;
273 for (var i = 0; headers && i < headers.length; ++i) {
274 if (headers[i].name.toLowerCase() == 'google-accounts-signin') {
275 var headerValues = headers[i].value.toLowerCase().split(',');
276 var signinDetails = {};
277 headerValues.forEach(function(e) {
278 var pair = e.split('=');
279 signinDetails[pair[0].trim()] = pair[1].trim();
280 });
281 // Remove "" around.
282 this.email_ = signinDetails['email'].slice(1, -1);
283 this.sessionIndex_ = signinDetails['sessionindex'];
284 return;
285 }
286 }
287 },
289 /**
290 * Handler for webRequest.onBeforeSendHeaders.
291 * @return {!Object} Modified request headers.
292 */
293 onBeforeSendHeaders: function(details) {
294 if (!this.isDesktopFlow_ && this.gaiaUrl_ &&
295 details.url.indexOf(this.gaiaUrl_) == 0) {
296 details.requestHeaders.push({
297 name: 'X-Cros-Auth-Ext-Support',
298 value: 'SAML'
299 });
300 }
301 return {requestHeaders: details.requestHeaders};
302 },
304 /**
305 * Handler for 'setGaiaUrl' signal sent from the main script.
306 */
307 onSetGaiaUrl_: function(msg) {
308 this.gaiaUrl_ = msg.gaiaUrl;
309 },
311 /**
312 * Handler for 'setBlockInsecureContent' signal sent from the main script.
313 */
314 onSetBlockInsecureContent_: function(msg) {
315 this.blockInsecureContent_ = msg.blockInsecureContent;
316 },
318 /**
319 * Handler for 'resetAuth' signal sent from the main script.
320 */
321 onResetAuth_: function() {
322 this.authStarted_ = false;
323 this.passwordStore_ = {};
324 },
326 /**
327 * Handler for 'authStarted' signal sent from the main script.
328 */
329 onAuthStarted_: function() {
330 this.authStarted_ = true;
331 this.passwordStore_ = {};
332 },
334 /**
335 * Handler for 'getScrapedPasswords' request sent from the main script.
336 * @return {Array.<string>} The array with de-duped scraped passwords.
337 */
338 onGetScrapedPasswords_: function() {
339 var passwords = {};
340 for (var property in this.passwordStore_) {
341 passwords[this.passwordStore_[property]] = true;
342 }
343 return Object.keys(passwords);
344 },
346 /**
347 * Handler for 'apiResponse' signal sent from the main script. Passes on the
348 * |msg| to the injected script.
349 */
350 onAPIResponse_: function(msg) {
351 this.channelInjected_.send(msg);
352 },
354 onAPICall_: function(msg) {
355 this.channelMain_.send(msg);
356 },
358 onUpdatePassword_: function(msg) {
359 if (!this.authStarted_)
360 return;
362 this.passwordStore_[msg.id] = msg.password;
363 },
365 onPageLoaded_: function(msg) {
366 if (this.channelMain_)
367 this.channelMain_.send({name: 'onAuthPageLoaded', url: msg.url});
368 }
369 };
371 var backgroundBridgeManager = new BackgroundBridgeManager();
372 backgroundBridgeManager.run();