| blob | 9b6ceb94c001034cff1594c0687406de6c1657c9 |
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 /**
8 * @fileoverview Saml support for webview based auth.
9 */
14 /**
15 * The lowest version of the credentials passing API supported.
16 * @type {number}
17 */
20 /**
21 * The highest version of the credentials passing API supported.
22 * @type {number}
23 */
26 /**
27 * The key types supported by the credentials passing API.
28 * @type {Array} Array of strings.
29 */
32 ];
34 /** @const */
37 /**
38 * The script to inject into webview and its sub frames.
39 * @type {string}
40 */
42 <include src="webview_saml_injected.js">
45 /**
46 * Creates a new URL by striping all query parameters.
47 * @param {string} url The original URL.
48 * @return {string} The new URL with all query parameters stripped.
49 */
52 }
54 /**
55 * Extract domain name from an URL.
56 * @param {string} url An URL string.
57 * @return {string} The host name of the URL.
58 */
63 }
65 /**
66 * A handler to provide saml support for the given webview that hosts the
67 * auth IdP pages.
68 * @extends {cr.EventTarget}
69 * @param {webview} webview
70 * @constructor
71 */
73 /**
74 * The webview that serves IdP pages.
75 * @type {webview}
76 */
79 /**
80 * Whether a Saml IdP page is display in the webview.
81 * @type {boolean}
82 */
85 /**
86 * Pending Saml IdP page flag that is set when a SAML_HEADER is received
87 * and is copied to |isSamlPage_| in loadcommit.
88 * @type {boolean}
89 */
92 /**
93 * The last aborted top level url. It is recorded in loadabort event and
94 * used to skip injection into Chrome's error page in the following
95 * loadcommit event.
96 * @type {string}
97 */
100 /**
101 * The domain of the Saml IdP.
102 * @type {string}
103 */
106 /**
107 * Scraped password stored in an id to password field value map.
108 * @type {Object<string, string>}
109 * @private
110 */
113 /**
114 * Whether Saml API is initialized.
115 * @type {boolean}
116 */
119 /**
120 * Saml API version to use.
121 * @type {number}
122 */
125 /**
126 * Saml API token received.
127 * @type {string}
128 */
131 /**
132 * Saml API password bytes.
133 * @type {string}
134 */
137 /*
138 * Whether to abort the authentication flow and show an error messagen when
139 * content served over an unencrypted connection is detected.
140 * @type {boolean}
141 */
163 js: {
164 code: injectedJs
165 },
168 }]);
171 }
176 /**
177 * Whether Saml API is used during auth.
178 * @return {boolean}
179 */
182 },
184 /**
185 * Returns the Saml API password bytes.
186 * @return {string}
187 */
190 },
192 /**
193 * Returns the number of scraped passwords.
194 * @return {number}
195 */
198 },
200 /**
201 * Gets the de-duped scraped passwords.
202 * @return {Array<string>}
203 * @private
204 */
209 }
211 },
213 /**
214 * Resets all auth states
215 */
225 },
227 /**
228 * Check whether the given |password| is in the scraped passwords.
229 * @return {boolean} True if the |password| is found.
230 */
233 },
235 /**
236 * Invoked on the webview's contentload event.
237 * @private
238 */
241 },
243 /**
244 * Invoked on the webview's loadabort event.
245 * @private
246 */
250 },
252 /**
253 * Invoked on the webview's loadcommit event for both main and sub frames.
254 * @private
255 */
257 // Skip this loadcommit if the top level load is just aborted.
261 }
263 // Skip for none http/https url.
267 }
270 },
272 /**
273 * Handler for webRequest.onBeforeRequest, invoked when content served over
274 * an unencrypted connection is detected. Determines whether the request
275 * should be blocked and if so, signals that an error message needs to be
276 * shown.
277 * @param {Object} details
278 * @return {!Object} Decision whether to block the request.
279 */
287 },
289 /**
290 * Invoked when headers are received for the main frame.
291 * @private
292 */
296 // Check whether GAIA headers indicating the start or end of a SAML
297 // redirect are present. If so, synthesize cookies to mark these points.
307 // GAIA is redirecting to a SAML IdP. Any cookies contained in the
308 // current |headers| were set by GAIA. Any cookies set in future
309 // requests will be coming from the IdP. Append a cookie to the
310 // current |headers| that marks the point at which the redirect
311 // occurred.
318 // The SAML IdP has redirected back to GAIA. Add a cookie that marks
319 // the point at which the redirect occurred occurred. It is
320 // important that this cookie be prepended to the current |headers|
321 // because any cookies contained in the |headers| were already set
322 // by GAIA, not the IdP. Due to limitations in the webRequest API,
323 // it is not trivial to prepend a cookie:
324 //
325 // The webRequest API only allows for deleting and appending
326 // headers. To prepend a cookie (C), three steps are needed:
327 // 1) Delete any headers that set cookies (e.g., A, B).
328 // 2) Append a header which sets the cookie (C).
329 // 3) Append the original headers (A, B).
330 //
331 // Due to a further limitation of the webRequest API, it is not
332 // possible to delete a header in step 1) and append an identical
333 // header in step 3). To work around this, a trailing semicolon is
334 // added to each header before appending it. Trailing semicolons are
335 // ignored by Chrome in cookie headers, causing the modified headers
336 // to actually set the original cookies.
347 }
348 }
350 }
351 }
352 }
355 },
357 /**
358 * Invoked when the injected JS makes a connection.
359 */
375 },
381 keyTypes: API_KEY_TYPES
382 }});
383 },
389 });
390 },
392 /**
393 * Handlers for channel messages.
394 * @param {Channel} channel A channel to send back response.
395 * @param {Object} msg Received message.
396 * @private
397 */
405 }
408 MAX_API_VERSION_VERSION);
412 }
418 }
419 // Not setting |email_| and |gaiaId_| because this API call will
420 // eventually be followed by onCompleteLogin_() which does set it.
428 }
429 },
434 },
443 },
447 },
448 };
451 SamlHandler: SamlHandler
452 };
453 });