| blob | 482a4d1df4c8d115a686c8e70e26a620c9852608 |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 /**
6 * @fileoverview
7 * A background script of the auth extension that bridges the communication
8 * between the main and injected scripts.
9 *
10 * Here is an overview of the communication flow when SAML is being used:
11 * 1. The main script sends the |startAuth| signal to this background script,
12 * indicating that the authentication flow has started and SAML pages may be
13 * loaded from now on.
14 * 2. A script is injected into each SAML page. The injected script sends three
15 * main types of messages to this background script:
16 * a) A |pageLoaded| message is sent when the page has been loaded. This is
17 * forwarded to the main script as |onAuthPageLoaded|.
18 * b) If the SAML provider supports the credential passing API, the API calls
19 * are sent to this background script as |apiCall| messages. These
20 * messages are forwarded unmodified to the main script.
21 * c) The injected script scrapes passwords. They are sent to this background
22 * script in |updatePassword| messages. The main script can request a list
23 * of the scraped passwords by sending the |getScrapedPasswords| message.
24 */
26 /**
27 * BackgroundBridgeManager maintains an array of BackgroundBridge, indexed by
28 * the associated tab id.
29 */
32 }
37 // Maps a tab id to its associated BackgroundBridge.
55 else
76 },
91 }
92 },
96 }
97 };
99 /**
100 * BackgroundBridge allows the main script and the injected script to
101 * collaborate. It forwards credentials API calls to the main script and
102 * maintains a list of scraped passwords.
103 * @param {string} tabId The associated tab ID.
104 */
108 }
111 // The associated tab ID. Only used for debugging now.
114 // The initial URL loaded in the gaia iframe. We only want to handle
115 // onCompleted() for the frame that loaded this URL.
118 // On process onCompleted() requests that come from this frame Id.
123 // Whether the extension is loaded in a constrained window.
124 // Set from main auth script.
127 // Email of the newly authenticated user based on the gaia response header
128 // 'google-accounts-signin'.
131 // Gaia Id of the newly authenticated user based on the gaia response
132 // header 'google-accounts-signin'.
135 // Session index of the newly authenticated user based on the gaia response
136 // header 'google-accounts-signin'.
139 // Gaia URL base that is set from main auth script.
142 // Whether to abort the authentication flow and show an error messagen when
143 // content served over an unencrypted connection is detected.
146 // Whether auth flow has started. It is used as a signal of whether the
147 // injected script should scrape passwords.
150 // Whether SAML flow is going.
158 /**
159 * Sets up the communication channel with the main script.
160 */
165 // Registers for desktop related messages.
169 // Registers for SAML related messages.
186 });
187 },
189 /**
190 * Sets up the communication channel with the injected script.
191 */
204 },
206 /**
207 * Handler for 'initDesktopFlow' signal sent from the main script.
208 * Only called in desktop mode.
209 */
215 },
217 /**
218 * Handler for webRequest.onCompleted. It 1) detects loading of continue URL
219 * and notifies the main script of signin completion; 2) detects if the
220 * current page could be loaded in a constrained window and signals the main
221 * script of switching to full tab if necessary.
222 */
224 // Only monitors requests in the gaia frame. The gaia frame is the one
225 // where the initial frame URL completes.
229 }
231 // If for some reason the frameId could not be set above, just make sure
232 // the frame is more than two levels deep (since the gaia frame is at
233 // least three levels deep).
238 }
246 // TOOD(guohui): For desktop SAML flow, show password confirmation UI.
255 };
258 // The header google-accounts-embedded is only set on gaia domain.
264 }
265 }
269 };
271 }
272 },
274 /**
275 * Handler for webRequest.onBeforeRequest, invoked when content served over an
276 * unencrypted connection is detected. Determines whether the request should
277 * be blocked and if so, signals that an error message needs to be shown.
278 * @param {string} url The URL that was blocked.
279 * @return {!Object} Decision whether to block the request.
280 */
286 },
288 /**
289 * Handler or webRequest.onHeadersReceived. It reads the authenticated user
290 * email from google-accounts-signin-header.
291 * @return {!Object} Modified request headers.
292 */
304 });
305 // Remove "" around.
310 }
311 }
312 }
315 // Check whether GAIA headers indicating the start or end of a SAML
316 // redirect are present. If so, synthesize cookies to mark these points.
322 // GAIA is redirecting to a SAML IdP. Any cookies contained in the
323 // current |headers| were set by GAIA. Any cookies set in future
324 // requests will be coming from the IdP. Append a cookie to the
325 // current |headers| that marks the point at which the redirect
326 // occurred.
332 // The SAML IdP has redirected back to GAIA. Add a cookie that marks
333 // the point at which the redirect occurred occurred. It is
334 // important that this cookie be prepended to the current |headers|
335 // because any cookies contained in the |headers| were already set
336 // by GAIA, not the IdP. Due to limitations in the webRequest API,
337 // it is not trivial to prepend a cookie:
338 //
339 // The webRequest API only allows for deleting and appending
340 // headers. To prepend a cookie (C), three steps are needed:
341 // 1) Delete any headers that set cookies (e.g., A, B).
342 // 2) Append a header which sets the cookie (C).
343 // 3) Append the original headers (A, B).
344 //
345 // Due to a further limitation of the webRequest API, it is not
346 // possible to delete a header in step 1) and append an identical
347 // header in step 3). To work around this, a trailing semicolon is
348 // added to each header before appending it. Trailing semicolons are
349 // ignored by Chrome in cookie headers, causing the modified headers
350 // to actually set the original cookies.
361 }
362 }
364 }
365 }
366 }
367 }
370 },
372 /**
373 * Handler for webRequest.onBeforeSendHeaders.
374 * @return {!Object} Modified request headers.
375 */
382 });
383 }
385 },
387 /**
388 * Handler for 'setGaiaUrl' signal sent from the main script.
389 */
392 },
394 /**
395 * Handler for 'setBlockInsecureContent' signal sent from the main script.
396 */
399 },
401 /**
402 * Handler for 'resetAuth' signal sent from the main script.
403 */
408 },
410 /**
411 * Handler for 'authStarted' signal sent from the main script.
412 */
417 },
419 /**
420 * Handler for 'getScrapedPasswords' request sent from the main script.
421 * @return {Array<string>} The array with de-duped scraped passwords.
422 */
427 }
429 },
431 /**
432 * Handler for 'apiResponse' signal sent from the main script. Passes on the
433 * |msg| to the injected script.
434 */
437 },
441 },
448 },
455 },
459 }
460 };