chrome/browser/chromeos/settings/device_oauth2_token_service.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_DEVICE_OAUTH2_TOKEN_SERVICE_H_
   6 #define CHROME_BROWSER_CHROMEOS_SETTINGS_DEVICE_OAUTH2_TOKEN_SERVICE_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/basictypes.h"
  12 #include "base/callback.h"
  13 #include "base/gtest_prod_util.h"
  14 #include "base/memory/scoped_ptr.h"
  15 #include "base/memory/weak_ptr.h"
  16 #include "base/stl_util.h"
  17 #include "base/time/time.h"
  18 #include "chrome/browser/chromeos/settings/cros_settings.h"
  19 #include "google_apis/gaia/gaia_oauth_client.h"
  20 #include "google_apis/gaia/oauth2_token_service.h"
  21 #include "net/url_request/url_request_context_getter.h"
  22
  23 namespace gaia {
  24 class GaiaOAuthClient;
  25 }
  26
  27 namespace net {
  28 class URLRequestContextGetter;
  29 }
  30
  31 class PrefRegistrySimple;
  32 class PrefService;
  33
  34 namespace chromeos {
  35
  36 // DeviceOAuth2TokenService retrieves OAuth2 access tokens for a given
  37 // set of scopes using the device-level OAuth2 any-api refresh token
  38 // obtained during enterprise device enrollment.
  39 //
  40 // See |OAuth2TokenService| for usage details.
  41 //
  42 // When using DeviceOAuth2TokenService, a value of |GetRobotAccountId| should
  43 // be used in places where API expects |account_id|.
  44 //
  45 // Note that requests must be made from the UI thread.
  46 class DeviceOAuth2TokenService : public OAuth2TokenService,
  47                                  public gaia::GaiaOAuthClient::Delegate {
  48  public:
  49   typedef base::Callback<void(bool)> StatusCallback;
  50
  51   // Persist the given refresh token on the device. Overwrites any previous
  52   // value. Should only be called during initial device setup. Signals
  53   // completion via the given callback, passing true if the operation succeeded.
  54   void SetAndSaveRefreshToken(const std::string& refresh_token,
  55                               const StatusCallback& callback);
  56
  57   static void RegisterPrefs(PrefRegistrySimple* registry);
  58
  59   // Implementation of OAuth2TokenService.
  60   bool RefreshTokenIsAvailable(const std::string& account_id) const override;
  61
  62   // Pull the robot account ID from device policy.
  63   virtual std::string GetRobotAccountId() const;
  64
  65   // gaia::GaiaOAuthClient::Delegate implementation.
  66   void OnRefreshTokenResponse(const std::string& access_token,
  67                               int expires_in_seconds) override;
  68   void OnGetTokenInfoResponse(
  69       scoped_ptr<base::DictionaryValue> token_info) override;
  70   void OnOAuthError() override;
  71   void OnNetworkError(int response_code) override;
  72
  73  protected:
  74   // Implementation of OAuth2TokenService.
  75   net::URLRequestContextGetter* GetRequestContext() override;
  76   void FetchOAuth2Token(RequestImpl* request,
  77                         const std::string& account_id,
  78                         net::URLRequestContextGetter* getter,
  79                         const std::string& client_id,
  80                         const std::string& client_secret,
  81                         const ScopeSet& scopes) override;
  82   OAuth2AccessTokenFetcher* CreateAccessTokenFetcher(
  83       const std::string& account_id,
  84       net::URLRequestContextGetter* getter,
  85       OAuth2AccessTokenConsumer* consumer) override;
  86
  87  private:
  88   struct PendingRequest;
  89   friend class DeviceOAuth2TokenServiceFactory;
  90   friend class DeviceOAuth2TokenServiceTest;
  91
  92   // Describes the operational state of this object.
  93   enum State {
  94     // Pending system salt / refresh token load.
  95     STATE_LOADING,
  96     // No token available.
  97     STATE_NO_TOKEN,
  98     // System salt loaded, validation not started yet.
  99     STATE_VALIDATION_PENDING,
 100     // Refresh token validation underway.
 101     STATE_VALIDATION_STARTED,
 102     // Token validation failed.
 103     STATE_TOKEN_INVALID,
 104     // Refresh token is valid.
 105     STATE_TOKEN_VALID,
 106   };
 107
 108   // Invoked by CrosSettings when the robot account ID becomes available.
 109   void OnServiceAccountIdentityChanged();
 110
 111   // Use DeviceOAuth2TokenServiceFactory to get an instance of this class.
 112   // Ownership of |token_encryptor| will be taken.
 113   explicit DeviceOAuth2TokenService(net::URLRequestContextGetter* getter,
 114                                     PrefService* local_state);
 115   ~DeviceOAuth2TokenService() override;
 116
 117   // Returns the refresh token for account_id.
 118   std::string GetRefreshToken(const std::string& account_id) const;
 119
 120   // Handles completion of the system salt input.
 121   void DidGetSystemSalt(const std::string& system_salt);
 122
 123   // Checks whether |gaia_robot_id| matches the expected account ID indicated in
 124   // device settings.
 125   void CheckRobotAccountId(const std::string& gaia_robot_id);
 126
 127   // Encrypts and saves the refresh token. Should only be called when the system
 128   // salt is available.
 129   void EncryptAndSaveToken();
 130
 131   // Starts the token validation flow, i.e. token info fetch.
 132   void StartValidation();
 133
 134   // Flushes |pending_requests_|, indicating the specified result.
 135   void FlushPendingRequests(bool token_is_valid,
 136                             GoogleServiceAuthError::State error);
 137
 138   // Flushes |token_save_callbacks_|, indicating the specified result.
 139   void FlushTokenSaveCallbacks(bool result);
 140
 141   // Signals failure on the specified request, passing |error| as the reason.
 142   void FailRequest(RequestImpl* request, GoogleServiceAuthError::State error);
 143
 144   // Dependencies.
 145   scoped_refptr<net::URLRequestContextGetter> url_request_context_getter_;
 146   PrefService* local_state_;
 147
 148   // Current operational state.
 149   State state_;
 150
 151   // Token save callbacks waiting to be completed.
 152   std::vector<StatusCallback> token_save_callbacks_;
 153
 154   // Currently open requests that are waiting while loading the system salt or
 155   // validating the token.
 156   std::vector<PendingRequest*> pending_requests_;
 157
 158   // The system salt for encrypting and decrypting the refresh token.
 159   std::string system_salt_;
 160
 161   int max_refresh_token_validation_retries_;
 162
 163   // Cache the decrypted refresh token, so we only decrypt once.
 164   std::string refresh_token_;
 165
 166   scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
 167
 168   scoped_ptr<CrosSettings::ObserverSubscription>
 169       service_account_identity_subscription_;
 170
 171   base::WeakPtrFactory<DeviceOAuth2TokenService> weak_ptr_factory_;
 172
 173   DISALLOW_COPY_AND_ASSIGN(DeviceOAuth2TokenService);
 174 };
 175
 176 }  // namespace chromeos
 177
 178 #endif  // CHROME_BROWSER_CHROMEOS_SETTINGS_DEVICE_OAUTH2_TOKEN_SERVICE_H_