Home | History | Annotate | Download | only in gaia 
      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "google_apis/gaia/oauth2_access_token_fetcher_impl.h"
      6 
      7 #include <algorithm>
      8 #include <string>
      9 #include <vector>
     10 
     11 #include "base/json/json_reader.h"
     12 #include "base/metrics/histogram.h"
     13 #include "base/metrics/sparse_histogram.h"
     14 #include "base/strings/string_util.h"
     15 #include "base/strings/stringprintf.h"
     16 #include "base/time/time.h"
     17 #include "base/values.h"
     18 #include "google_apis/gaia/gaia_urls.h"
     19 #include "google_apis/gaia/google_service_auth_error.h"
     20 #include "net/base/escape.h"
     21 #include "net/base/load_flags.h"
     22 #include "net/http/http_status_code.h"
     23 #include "net/url_request/url_fetcher.h"
     24 #include "net/url_request/url_request_context_getter.h"
     25 #include "net/url_request/url_request_status.h"
     26 
     27 using net::ResponseCookies;
     28 using net::URLFetcher;
     29 using net::URLFetcherDelegate;
     30 using net::URLRequestContextGetter;
     31 using net::URLRequestStatus;
     32 
     33 namespace {
     34 static const char kGetAccessTokenBodyFormat[] =
     35     "client_id=%s&"
     36     "client_secret=%s&"
     37     "grant_type=refresh_token&"
     38     "refresh_token=%s";
     39 
     40 static const char kGetAccessTokenBodyWithScopeFormat[] =
     41     "client_id=%s&"
     42     "client_secret=%s&"
     43     "grant_type=refresh_token&"
     44     "refresh_token=%s&"
     45     "scope=%s";
     46 
     47 static const char kAccessTokenKey[] = "access_token";
     48 static const char kExpiresInKey[] = "expires_in";
     49 static const char kErrorKey[] = "error";
     50 
     51 // Enumerated constants for logging server responses on 400 errors, matching
     52 // RFC 6749.
     53 enum OAuth2ErrorCodesForHistogram {
     54   OAUTH2_ACCESS_ERROR_INVALID_REQUEST = 0,
     55   OAUTH2_ACCESS_ERROR_INVALID_CLIENT,
     56   OAUTH2_ACCESS_ERROR_INVALID_GRANT,
     57   OAUTH2_ACCESS_ERROR_UNAUTHORIZED_CLIENT,
     58   OAUTH2_ACCESS_ERROR_UNSUPPORTED_GRANT_TYPE,
     59   OAUTH2_ACCESS_ERROR_INVALID_SCOPE,
     60   OAUTH2_ACCESS_ERROR_UNKNOWN,
     61   OAUTH2_ACCESS_ERROR_COUNT
     62 };
     63 
     64 OAuth2ErrorCodesForHistogram OAuth2ErrorToHistogramValue(
     65     const std::string& error) {
     66   if (error == "invalid_request")
     67     return OAUTH2_ACCESS_ERROR_INVALID_REQUEST;
     68   else if (error == "invalid_client")
     69     return OAUTH2_ACCESS_ERROR_INVALID_CLIENT;
     70   else if (error == "invalid_grant")
     71     return OAUTH2_ACCESS_ERROR_INVALID_GRANT;
     72   else if (error == "unauthorized_client")
     73     return OAUTH2_ACCESS_ERROR_UNAUTHORIZED_CLIENT;
     74   else if (error == "unsupported_grant_type")
     75     return OAUTH2_ACCESS_ERROR_UNSUPPORTED_GRANT_TYPE;
     76   else if (error == "invalid_scope")
     77     return OAUTH2_ACCESS_ERROR_INVALID_SCOPE;
     78 
     79   return OAUTH2_ACCESS_ERROR_UNKNOWN;
     80 }
     81 
     82 static GoogleServiceAuthError CreateAuthError(URLRequestStatus status) {
     83   CHECK(!status.is_success());
     84   if (status.status() == URLRequestStatus::CANCELED) {
     85     return GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED);
     86   } else {
     87     DLOG(WARNING) << "Could not reach Google Accounts servers: errno "
     88                   << status.error();
     89     return GoogleServiceAuthError::FromConnectionError(status.error());
     90   }
     91 }
     92 
     93 static URLFetcher* CreateFetcher(URLRequestContextGetter* getter,
     94                                  const GURL& url,
     95                                  const std::string& body,
     96                                  URLFetcherDelegate* delegate) {
     97   bool empty_body = body.empty();
     98   URLFetcher* result = net::URLFetcher::Create(
     99       0, url, empty_body ? URLFetcher::GET : URLFetcher::POST, delegate);
    100 
    101   result->SetRequestContext(getter);
    102   result->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
    103                        net::LOAD_DO_NOT_SAVE_COOKIES);
    104   // Fetchers are sometimes cancelled because a network change was detected,
    105   // especially at startup and after sign-in on ChromeOS. Retrying once should
    106   // be enough in those cases; let the fetcher retry up to 3 times just in case.
    107   // http://crbug.com/163710
    108   result->SetAutomaticallyRetryOnNetworkChanges(3);
    109 
    110   if (!empty_body)
    111     result->SetUploadData("application/x-www-form-urlencoded", body);
    112 
    113   return result;
    114 }
    115 
    116 scoped_ptr<base::DictionaryValue> ParseGetAccessTokenResponse(
    117     const net::URLFetcher* source) {
    118   CHECK(source);
    119 
    120   std::string data;
    121   source->GetResponseAsString(&data);
    122   scoped_ptr<base::Value> value(base::JSONReader::Read(data));
    123   if (!value.get() || value->GetType() != base::Value::TYPE_DICTIONARY)
    124     value.reset();
    125 
    126   return scoped_ptr<base::DictionaryValue>(
    127       static_cast<base::DictionaryValue*>(value.release()));
    128 }
    129 
    130 }  // namespace
    131 
    132 OAuth2AccessTokenFetcherImpl::OAuth2AccessTokenFetcherImpl(
    133     OAuth2AccessTokenConsumer* consumer,
    134     net::URLRequestContextGetter* getter,
    135     const std::string& refresh_token)
    136     : OAuth2AccessTokenFetcher(consumer),
    137       getter_(getter),
    138       refresh_token_(refresh_token),
    139       state_(INITIAL) {}
    140 
    141 OAuth2AccessTokenFetcherImpl::~OAuth2AccessTokenFetcherImpl() {}
    142 
    143 void OAuth2AccessTokenFetcherImpl::CancelRequest() { fetcher_.reset(); }
    144 
    145 void OAuth2AccessTokenFetcherImpl::Start(
    146     const std::string& client_id,
    147     const std::string& client_secret,
    148     const std::vector<std::string>& scopes) {
    149   client_id_ = client_id;
    150   client_secret_ = client_secret;
    151   scopes_ = scopes;
    152   StartGetAccessToken();
    153 }
    154 
    155 void OAuth2AccessTokenFetcherImpl::StartGetAccessToken() {
    156   CHECK_EQ(INITIAL, state_);
    157   state_ = GET_ACCESS_TOKEN_STARTED;
    158   fetcher_.reset(
    159       CreateFetcher(getter_,
    160                     MakeGetAccessTokenUrl(),
    161                     MakeGetAccessTokenBody(
    162                         client_id_, client_secret_, refresh_token_, scopes_),
    163                     this));
    164   fetcher_->Start();  // OnURLFetchComplete will be called.
    165 }
    166 
    167 void OAuth2AccessTokenFetcherImpl::EndGetAccessToken(
    168     const net::URLFetcher* source) {
    169   CHECK_EQ(GET_ACCESS_TOKEN_STARTED, state_);
    170   state_ = GET_ACCESS_TOKEN_DONE;
    171 
    172   URLRequestStatus status = source->GetStatus();
    173   int histogram_value =
    174       status.is_success() ? source->GetResponseCode() : status.error();
    175   UMA_HISTOGRAM_SPARSE_SLOWLY("Gaia.ResponseCodesForOAuth2AccessToken",
    176                               histogram_value);
    177   if (!status.is_success()) {
    178     OnGetTokenFailure(CreateAuthError(status));
    179     return;
    180   }
    181 
    182   switch (source->GetResponseCode()) {
    183     case net::HTTP_OK:
    184       break;
    185     case net::HTTP_FORBIDDEN:
    186       // HTTP_FORBIDDEN (403) is treated as temporary error, because it may be
    187       // '403 Rate Limit Exeeded.'
    188       OnGetTokenFailure(
    189           GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE));
    190       return;
    191     case net::HTTP_BAD_REQUEST: {
    192       // HTTP_BAD_REQUEST (400) usually contains error as per
    193       // http://tools.ietf.org/html/rfc6749#section-5.2.
    194       std::string gaia_error;
    195       if (!ParseGetAccessTokenFailureResponse(source, &gaia_error)) {
    196         OnGetTokenFailure(
    197             GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_ERROR));
    198         return;
    199       }
    200 
    201       OAuth2ErrorCodesForHistogram access_error(
    202           OAuth2ErrorToHistogramValue(gaia_error));
    203       UMA_HISTOGRAM_ENUMERATION("Gaia.BadRequestTypeForOAuth2AccessToken",
    204                                 access_error,
    205                                 OAUTH2_ACCESS_ERROR_COUNT);
    206 
    207       OnGetTokenFailure(
    208           access_error == OAUTH2_ACCESS_ERROR_INVALID_GRANT
    209               ? GoogleServiceAuthError(
    210                     GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS)
    211               : GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_ERROR));
    212       return;
    213     }
    214     default: {
    215       if (source->GetResponseCode() >= net::HTTP_INTERNAL_SERVER_ERROR) {
    216         // 5xx is always treated as transient.
    217         OnGetTokenFailure(GoogleServiceAuthError(
    218             GoogleServiceAuthError::SERVICE_UNAVAILABLE));
    219       } else {
    220         // The other errors are treated as permanent error.
    221         DLOG(ERROR) << "Unexpected persistent error: http_status="
    222                     << source->GetResponseCode();
    223         OnGetTokenFailure(GoogleServiceAuthError(
    224             GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
    225       }
    226       return;
    227     }
    228   }
    229 
    230   // The request was successfully fetched and it returned OK.
    231   // Parse out the access token and the expiration time.
    232   std::string access_token;
    233   int expires_in;
    234   if (!ParseGetAccessTokenSuccessResponse(source, &access_token, &expires_in)) {
    235     DLOG(WARNING) << "Response doesn't match expected format";
    236     OnGetTokenFailure(
    237         GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE));
    238     return;
    239   }
    240   // The token will expire in |expires_in| seconds. Take a 10% error margin to
    241   // prevent reusing a token too close to its expiration date.
    242   OnGetTokenSuccess(
    243       access_token,
    244       base::Time::Now() + base::TimeDelta::FromSeconds(9 * expires_in / 10));
    245 }
    246 
    247 void OAuth2AccessTokenFetcherImpl::OnGetTokenSuccess(
    248     const std::string& access_token,
    249     const base::Time& expiration_time) {
    250   FireOnGetTokenSuccess(access_token, expiration_time);
    251 }
    252 
    253 void OAuth2AccessTokenFetcherImpl::OnGetTokenFailure(
    254     const GoogleServiceAuthError& error) {
    255   state_ = ERROR_STATE;
    256   FireOnGetTokenFailure(error);
    257 }
    258 
    259 void OAuth2AccessTokenFetcherImpl::OnURLFetchComplete(
    260     const net::URLFetcher* source) {
    261   CHECK(source);
    262   CHECK(state_ == GET_ACCESS_TOKEN_STARTED);
    263   EndGetAccessToken(source);
    264 }
    265 
    266 // static
    267 GURL OAuth2AccessTokenFetcherImpl::MakeGetAccessTokenUrl() {
    268   return GaiaUrls::GetInstance()->oauth2_token_url();
    269 }
    270 
    271 // static
    272 std::string OAuth2AccessTokenFetcherImpl::MakeGetAccessTokenBody(
    273     const std::string& client_id,
    274     const std::string& client_secret,
    275     const std::string& refresh_token,
    276     const std::vector<std::string>& scopes) {
    277   std::string enc_client_id = net::EscapeUrlEncodedData(client_id, true);
    278   std::string enc_client_secret =
    279       net::EscapeUrlEncodedData(client_secret, true);
    280   std::string enc_refresh_token =
    281       net::EscapeUrlEncodedData(refresh_token, true);
    282   if (scopes.empty()) {
    283     return base::StringPrintf(kGetAccessTokenBodyFormat,
    284                               enc_client_id.c_str(),
    285                               enc_client_secret.c_str(),
    286                               enc_refresh_token.c_str());
    287   } else {
    288     std::string scopes_string = JoinString(scopes, ' ');
    289     return base::StringPrintf(
    290         kGetAccessTokenBodyWithScopeFormat,
    291         enc_client_id.c_str(),
    292         enc_client_secret.c_str(),
    293         enc_refresh_token.c_str(),
    294         net::EscapeUrlEncodedData(scopes_string, true).c_str());
    295   }
    296 }
    297 
    298 // static
    299 bool OAuth2AccessTokenFetcherImpl::ParseGetAccessTokenSuccessResponse(
    300     const net::URLFetcher* source,
    301     std::string* access_token,
    302     int* expires_in) {
    303   CHECK(access_token);
    304   scoped_ptr<base::DictionaryValue> value = ParseGetAccessTokenResponse(source);
    305   if (value.get() == NULL)
    306     return false;
    307 
    308   return value->GetString(kAccessTokenKey, access_token) &&
    309          value->GetInteger(kExpiresInKey, expires_in);
    310 }
    311 
    312 // static
    313 bool OAuth2AccessTokenFetcherImpl::ParseGetAccessTokenFailureResponse(
    314     const net::URLFetcher* source,
    315     std::string* error) {
    316   CHECK(error);
    317   scoped_ptr<base::DictionaryValue> value = ParseGetAccessTokenResponse(source);
    318   if (value.get() == NULL)
    319     return false;
    320   return value->GetString(kErrorKey, error);
    321 }
    322