File: device_oauth2_token_store_desktop.cc

package info (click to toggle)
chromium 138.0.7204.157-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 6,071,864 kB
  • sloc: cpp: 34,936,859; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,953; asm: 946,768; xml: 739,967; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,806; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (139 lines) | stat: -rw-r--r-- 4,865 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
 
// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/device_identity/device_oauth2_token_store_desktop.h"

#include <string>

#include "base/base64.h"
#include "base/functional/bind.h"
#include "chrome/common/pref_names.h"
#include "components/os_crypt/sync/os_crypt.h"
#include "components/policy/core/common/policy_pref_names.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"

// This pref will hold the base64-encoded representation of the encrypted
// refresh token for the browser's service account.
const char kCBCMServiceAccountRefreshToken[] =
    "cbcm.service_account_refresh_token";

// The account email for the robot account used for policy invalidations on
// Desktop platforms by Chrome Browser Cloud Management (CBCM). This is similar
// to kDeviceRobotAnyApiRefreshToken on ChromeOS.
const char kCBCMServiceAccountEmail[] = "cbcm.service_account_email";

DeviceOAuth2TokenStoreDesktop::DeviceOAuth2TokenStoreDesktop(
    PrefService* local_state)
    : local_state_(local_state) {}
DeviceOAuth2TokenStoreDesktop::~DeviceOAuth2TokenStoreDesktop() = default;

// static
void DeviceOAuth2TokenStoreDesktop::RegisterPrefs(
    PrefRegistrySimple* registry) {
  registry->RegisterStringPref(kCBCMServiceAccountRefreshToken, std::string());
  registry->RegisterStringPref(kCBCMServiceAccountEmail, std::string());
}

void DeviceOAuth2TokenStoreDesktop::Init(InitCallback callback) {
  std::string base64_encrypted_token =
      local_state_->GetString(kCBCMServiceAccountRefreshToken);

  if (base64_encrypted_token.empty()) {
    // It's valid for the refresh token to not exist in the store, in
    // which case init is successful and there shouldn't be a token
    // validation step.
    std::move(callback).Run(true, false);
    return;
  }

  std::string decoded;
  if (!base::Base64Decode(base64_encrypted_token, &decoded)) {
    std::move(callback).Run(false, true);
    return;
  }

  refresh_token_ = decoded;

  // If the robot account ID is not available yet, do not announce the token.
  // It will be done from OnServiceAccountIdentityChanged() once the robot
  // account ID becomes available as well.
  if (observer() && !GetAccountId().empty())
    observer()->OnRefreshTokenAvailable();

  std::move(callback).Run(true, true);
}

CoreAccountId DeviceOAuth2TokenStoreDesktop::GetAccountId() const {
  return CoreAccountId::FromRobotEmail(
      local_state_->GetString(kCBCMServiceAccountEmail));
}

std::string DeviceOAuth2TokenStoreDesktop::GetRefreshToken() const {
  // Only trigger token decryption if there is a refresh token present already,
  // it wasn't decrypted already.
  if (!token_decrypted_ && !refresh_token_.empty())
    DecryptToken();

  return refresh_token_;
}

void DeviceOAuth2TokenStoreDesktop::SetAndSaveRefreshToken(
    const std::string& refresh_token,
    StatusCallback result_callback) {
  std::string encrypted_token;
  bool success = OSCrypt::EncryptString(refresh_token, &encrypted_token);

  if (success) {
    refresh_token_ = refresh_token;

    // Set token_decrypted_ to true here, because it's possible that there was
    // no encrypted token on disc, or that it wasn't read, meaning that follow
    // up calls to GetRefreshToken would attempt to decrypt an already
    // un-encrypted token.
    token_decrypted_ = true;

    // The string must be encoded as base64 for storage in local state.
    std::string encoded = base::Base64Encode(encrypted_token);

    local_state_->SetString(kCBCMServiceAccountRefreshToken, encoded);
    if (observer() && !GetAccountId().empty())
      observer()->OnRefreshTokenAvailable();
  }

  std::move(result_callback).Run(success);
}

void DeviceOAuth2TokenStoreDesktop::PrepareTrustedAccountId(
    TrustedAccountIdCallback callback) {
  // There's no cryptohome or anything similar to initialize on non-chromeos
  // platforms, so just run the callback as a success now.
  callback.Run(true);
}

void DeviceOAuth2TokenStoreDesktop::SetAccountEmail(
    const std::string& account_email) {
  if (GetAccountId() == CoreAccountId::FromRobotEmail(account_email))
    return;

  local_state_->SetString(kCBCMServiceAccountEmail, account_email);
  OnServiceAccountIdentityChanged();
}

void DeviceOAuth2TokenStoreDesktop::OnServiceAccountIdentityChanged() {
  if (observer() && !GetAccountId().empty() && !refresh_token_.empty())
    observer()->OnRefreshTokenAvailable();
}

void DeviceOAuth2TokenStoreDesktop::DecryptToken() const {
  DCHECK(!token_decrypted_);
  DCHECK(!refresh_token_.empty());

  std::string decrypted_token;
  bool success = OSCrypt::DecryptString(refresh_token_, &decrypted_token);
  if (success) {
    refresh_token_ = decrypted_token;
    token_decrypted_ = true;
  }
}