// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "google_apis/gaia/oauth2_access_token_fetcher_impl.h"
#include <algorithm>
#include <string>
#include <vector>
#include "base/json/json_reader.h"
#include "base/metrics/histogram.h"
#include "base/metrics/sparse_histogram.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/time/time.h"
#include "base/values.h"
#include "google_apis/gaia/gaia_urls.h"
#include "google_apis/gaia/google_service_auth_error.h"
#include "net/base/escape.h"
#include "net/base/load_flags.h"
#include "net/http/http_status_code.h"
#include "net/url_request/url_fetcher.h"
#include "net/url_request/url_request_context_getter.h"
#include "net/url_request/url_request_status.h"
using net::ResponseCookies;
using net::URLFetcher;
using net::URLFetcherDelegate;
using net::URLRequestContextGetter;
using net::URLRequestStatus;
namespace {
static const char kGetAccessTokenBodyFormat[] =
"client_id=%s&"
"client_secret=%s&"
"grant_type=refresh_token&"
"refresh_token=%s";
static const char kGetAccessTokenBodyWithScopeFormat[] =
"client_id=%s&"
"client_secret=%s&"
"grant_type=refresh_token&"
"refresh_token=%s&"
"scope=%s";
static const char kAccessTokenKey[] = "access_token";
static const char kExpiresInKey[] = "expires_in";
static const char kErrorKey[] = "error";
// Enumerated constants for logging server responses on 400 errors, matching
// RFC 6749.
enum OAuth2ErrorCodesForHistogram {
OAUTH2_ACCESS_ERROR_INVALID_REQUEST = 0,
OAUTH2_ACCESS_ERROR_INVALID_CLIENT,
OAUTH2_ACCESS_ERROR_INVALID_GRANT,
OAUTH2_ACCESS_ERROR_UNAUTHORIZED_CLIENT,
OAUTH2_ACCESS_ERROR_UNSUPPORTED_GRANT_TYPE,
OAUTH2_ACCESS_ERROR_INVALID_SCOPE,
OAUTH2_ACCESS_ERROR_UNKNOWN,
OAUTH2_ACCESS_ERROR_COUNT
};
OAuth2ErrorCodesForHistogram OAuth2ErrorToHistogramValue(
const std::string& error) {
if (error == "invalid_request")
return OAUTH2_ACCESS_ERROR_INVALID_REQUEST;
else if (error == "invalid_client")
return OAUTH2_ACCESS_ERROR_INVALID_CLIENT;
else if (error == "invalid_grant")
return OAUTH2_ACCESS_ERROR_INVALID_GRANT;
else if (error == "unauthorized_client")
return OAUTH2_ACCESS_ERROR_UNAUTHORIZED_CLIENT;
else if (error == "unsupported_grant_type")
return OAUTH2_ACCESS_ERROR_UNSUPPORTED_GRANT_TYPE;
else if (error == "invalid_scope")
return OAUTH2_ACCESS_ERROR_INVALID_SCOPE;
return OAUTH2_ACCESS_ERROR_UNKNOWN;
}
static GoogleServiceAuthError CreateAuthError(URLRequestStatus status) {
CHECK(!status.is_success());
if (status.status() == URLRequestStatus::CANCELED) {
return GoogleServiceAuthError(GoogleServiceAuthError::REQUEST_CANCELED);
} else {
DLOG(WARNING) << "Could not reach Google Accounts servers: errno "
<< status.error();
return GoogleServiceAuthError::FromConnectionError(status.error());
}
}
static URLFetcher* CreateFetcher(URLRequestContextGetter* getter,
const GURL& url,
const std::string& body,
URLFetcherDelegate* delegate) {
bool empty_body = body.empty();
URLFetcher* result = net::URLFetcher::Create(
0, url, empty_body ? URLFetcher::GET : URLFetcher::POST, delegate);
result->SetRequestContext(getter);
result->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
net::LOAD_DO_NOT_SAVE_COOKIES);
// Fetchers are sometimes cancelled because a network change was detected,
// especially at startup and after sign-in on ChromeOS. Retrying once should
// be enough in those cases; let the fetcher retry up to 3 times just in case.
// http://crbug.com/163710
result->SetAutomaticallyRetryOnNetworkChanges(3);
if (!empty_body)
result->SetUploadData("application/x-www-form-urlencoded", body);
return result;
}
scoped_ptr<base::DictionaryValue> ParseGetAccessTokenResponse(
const net::URLFetcher* source) {
CHECK(source);
std::string data;
source->GetResponseAsString(&data);
scoped_ptr<base::Value> value(base::JSONReader::Read(data));
if (!value.get() || value->GetType() != base::Value::TYPE_DICTIONARY)
value.reset();
return scoped_ptr<base::DictionaryValue>(
static_cast<base::DictionaryValue*>(value.release()));
}
} // namespace
OAuth2AccessTokenFetcherImpl::OAuth2AccessTokenFetcherImpl(
OAuth2AccessTokenConsumer* consumer,
net::URLRequestContextGetter* getter,
const std::string& refresh_token)
: OAuth2AccessTokenFetcher(consumer),
getter_(getter),
refresh_token_(refresh_token),
state_(INITIAL) {}
OAuth2AccessTokenFetcherImpl::~OAuth2AccessTokenFetcherImpl() {}
void OAuth2AccessTokenFetcherImpl::CancelRequest() { fetcher_.reset(); }
void OAuth2AccessTokenFetcherImpl::Start(
const std::string& client_id,
const std::string& client_secret,
const std::vector<std::string>& scopes) {
client_id_ = client_id;
client_secret_ = client_secret;
scopes_ = scopes;
StartGetAccessToken();
}
void OAuth2AccessTokenFetcherImpl::StartGetAccessToken() {
CHECK_EQ(INITIAL, state_);
state_ = GET_ACCESS_TOKEN_STARTED;
fetcher_.reset(
CreateFetcher(getter_,
MakeGetAccessTokenUrl(),
MakeGetAccessTokenBody(
client_id_, client_secret_, refresh_token_, scopes_),
this));
fetcher_->Start(); // OnURLFetchComplete will be called.
}
void OAuth2AccessTokenFetcherImpl::EndGetAccessToken(
const net::URLFetcher* source) {
CHECK_EQ(GET_ACCESS_TOKEN_STARTED, state_);
state_ = GET_ACCESS_TOKEN_DONE;
URLRequestStatus status = source->GetStatus();
int histogram_value =
status.is_success() ? source->GetResponseCode() : status.error();
UMA_HISTOGRAM_SPARSE_SLOWLY("Gaia.ResponseCodesForOAuth2AccessToken",
histogram_value);
if (!status.is_success()) {
OnGetTokenFailure(CreateAuthError(status));
return;
}
switch (source->GetResponseCode()) {
case net::HTTP_OK:
break;
case net::HTTP_FORBIDDEN:
// HTTP_FORBIDDEN (403) is treated as temporary error, because it may be
// '403 Rate Limit Exeeded.'
OnGetTokenFailure(
GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE));
return;
case net::HTTP_BAD_REQUEST: {
// HTTP_BAD_REQUEST (400) usually contains error as per
// http://tools.ietf.org/html/rfc6749#section-5.2.
std::string gaia_error;
if (!ParseGetAccessTokenFailureResponse(source, &gaia_error)) {
OnGetTokenFailure(
GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_ERROR));
return;
}
OAuth2ErrorCodesForHistogram access_error(
OAuth2ErrorToHistogramValue(gaia_error));
UMA_HISTOGRAM_ENUMERATION("Gaia.BadRequestTypeForOAuth2AccessToken",
access_error,
OAUTH2_ACCESS_ERROR_COUNT);
OnGetTokenFailure(
access_error == OAUTH2_ACCESS_ERROR_INVALID_GRANT
? GoogleServiceAuthError(
GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS)
: GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_ERROR));
return;
}
default: {
if (source->GetResponseCode() >= net::HTTP_INTERNAL_SERVER_ERROR) {
// 5xx is always treated as transient.
OnGetTokenFailure(GoogleServiceAuthError(
GoogleServiceAuthError::SERVICE_UNAVAILABLE));
} else {
// The other errors are treated as permanent error.
DLOG(ERROR) << "Unexpected persistent error: http_status="
<< source->GetResponseCode();
OnGetTokenFailure(GoogleServiceAuthError(
GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
}
return;
}
}
// The request was successfully fetched and it returned OK.
// Parse out the access token and the expiration time.
std::string access_token;
int expires_in;
if (!ParseGetAccessTokenSuccessResponse(source, &access_token, &expires_in)) {
DLOG(WARNING) << "Response doesn't match expected format";
OnGetTokenFailure(
GoogleServiceAuthError(GoogleServiceAuthError::SERVICE_UNAVAILABLE));
return;
}
// The token will expire in |expires_in| seconds. Take a 10% error margin to
// prevent reusing a token too close to its expiration date.
OnGetTokenSuccess(
access_token,
base::Time::Now() + base::TimeDelta::FromSeconds(9 * expires_in / 10));
}
void OAuth2AccessTokenFetcherImpl::OnGetTokenSuccess(
const std::string& access_token,
const base::Time& expiration_time) {
FireOnGetTokenSuccess(access_token, expiration_time);
}
void OAuth2AccessTokenFetcherImpl::OnGetTokenFailure(
const GoogleServiceAuthError& error) {
state_ = ERROR_STATE;
FireOnGetTokenFailure(error);
}
void OAuth2AccessTokenFetcherImpl::OnURLFetchComplete(
const net::URLFetcher* source) {
CHECK(source);
CHECK(state_ == GET_ACCESS_TOKEN_STARTED);
EndGetAccessToken(source);
}
// static
GURL OAuth2AccessTokenFetcherImpl::MakeGetAccessTokenUrl() {
return GaiaUrls::GetInstance()->oauth2_token_url();
}
// static
std::string OAuth2AccessTokenFetcherImpl::MakeGetAccessTokenBody(
const std::string& client_id,
const std::string& client_secret,
const std::string& refresh_token,
const std::vector<std::string>& scopes) {
std::string enc_client_id = net::EscapeUrlEncodedData(client_id, true);
std::string enc_client_secret =
net::EscapeUrlEncodedData(client_secret, true);
std::string enc_refresh_token =
net::EscapeUrlEncodedData(refresh_token, true);
if (scopes.empty()) {
return base::StringPrintf(kGetAccessTokenBodyFormat,
enc_client_id.c_str(),
enc_client_secret.c_str(),
enc_refresh_token.c_str());
} else {
std::string scopes_string = JoinString(scopes, ' ');
return base::StringPrintf(
kGetAccessTokenBodyWithScopeFormat,
enc_client_id.c_str(),
enc_client_secret.c_str(),
enc_refresh_token.c_str(),
net::EscapeUrlEncodedData(scopes_string, true).c_str());
}
}
// static
bool OAuth2AccessTokenFetcherImpl::ParseGetAccessTokenSuccessResponse(
const net::URLFetcher* source,
std::string* access_token,
int* expires_in) {
CHECK(access_token);
scoped_ptr<base::DictionaryValue> value = ParseGetAccessTokenResponse(source);
if (value.get() == NULL)
return false;
return value->GetString(kAccessTokenKey, access_token) &&
value->GetInteger(kExpiresInKey, expires_in);
}
// static
bool OAuth2AccessTokenFetcherImpl::ParseGetAccessTokenFailureResponse(
const net::URLFetcher* source,
std::string* error) {
CHECK(error);
scoped_ptr<base::DictionaryValue> value = ParseGetAccessTokenResponse(source);
if (value.get() == NULL)
return false;
return value->GetString(kErrorKey, error);
}