Request public SAML session redirect URL from the DM server.

The API for sending the redirect URL is specified by the .proto file.
The endpoint is still passed in a command line switch.

Bug: 984021
Change-Id: I38fae8c86a942eae91ba3be3ad4eaa95701748d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1787322
Commit-Queue: Kamila Śledź <kamilasledz@google.com>
Reviewed-by: Denis Kuznetsov <antrim@chromium.org>
Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#695570}

chrome/browser/chromeos/BUILD.gn

@@ -1310,6 +1310,8 @@ source_set("chromeos") {
     "login/saml/in_session_password_change_manager.h",
     "login/saml/password_expiry_notification.cc",
     "login/saml/password_expiry_notification.h",
+    "login/saml/public_saml_url_fetcher.cc",
+    "login/saml/public_saml_url_fetcher.h",
     "login/saml/saml_offline_signin_limiter.cc",
     "login/saml/saml_offline_signin_limiter.h",
     "login/saml/saml_offline_signin_limiter_factory.cc",

chrome/browser/chromeos/login/saml/public_saml_url_fetcher.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/login/saml/public_saml_url_fetcher.h"
+
+#include <string>
+#include <utility>
+
+#include "base/bind.h"
+#include "base/logging.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/chromeos/arc/arc_optin_uma.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/device_local_account.h"
+#include "chrome/browser/chromeos/policy/dm_token_storage.h"
+#include "chrome/browser/chromeos/settings/cros_settings.h"
+#include "chrome/browser/chromeos/settings/device_settings_service.h"
+#include "chrome/browser/net/system_network_context_manager.h"
+#include "chromeos/tpm/install_attributes.h"
+#include "components/account_id/account_id.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
+#include "components/policy/core/common/cloud/dm_auth.h"
+#include "components/policy/core/common/cloud/dmserver_job_configurations.h"
+#include "services/network/public/cpp/shared_url_loader_factory.h"
+#include "url/gurl.h"
+
+namespace em = enterprise_management;
+namespace {
+std::string GetDeviceId() {
+  policy::BrowserPolicyConnectorChromeOS* connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  return connector->GetInstallAttributes()->GetDeviceId();
+}
+
+std::string GetAccountId(std::string user_id) {
+  std::vector<policy::DeviceLocalAccount> device_local_accounts =
+      policy::GetDeviceLocalAccounts(chromeos::CrosSettings::Get());
+  for (auto account : device_local_accounts) {
+    if (account.user_id == user_id) {
+      return account.account_id;
+    }
+  }
+  return std::string();
+}
+}  // namespace
+
+namespace chromeos {
+PublicSamlUrlFetcher::PublicSamlUrlFetcher(AccountId account_id)
+    : account_id_(GetAccountId(account_id.GetUserEmail())) {}
+
+PublicSamlUrlFetcher::~PublicSamlUrlFetcher() = default;
+
+std::string PublicSamlUrlFetcher::GetRedirectUrl() {
+  return redirect_url_;
+}
+
+bool PublicSamlUrlFetcher::FetchSucceeded() {
+  return fetch_succeeded_;
+}
+
+void PublicSamlUrlFetcher::Fetch(base::OnceClosure callback) {
+  DCHECK(!callback_);
+  callback_ = std::move(callback);
+  policy::DeviceManagementService* service =
+      g_browser_process->platform_part()
+          ->browser_policy_connector_chromeos()
+          ->device_management_service();
+  std::unique_ptr<policy::DMServerJobConfiguration> config = std::make_unique<
+      policy::DMServerJobConfiguration>(
+      service,
+      policy::DeviceManagementService::JobConfiguration::TYPE_REQUEST_SAML_URL,
+      GetDeviceId(), /*critical=*/false,
+      policy::DMAuth::FromDMToken(chromeos::DeviceSettingsService::Get()
+                                      ->policy_data()
+                                      ->request_token()),
+      /*oauth_token=*/base::nullopt,
+      g_browser_process->system_network_context_manager()
+          ->GetSharedURLLoaderFactory(),
+      base::Bind(&PublicSamlUrlFetcher::OnPublicSamlUrlReceived,
+                 weak_ptr_factory_.GetWeakPtr()));
+
+  em::PublicSamlUserRequest* saml_url_request =
+      config->request()->mutable_public_saml_user_request();
+  saml_url_request->set_account_id(account_id_);
+  fetch_request_job_ = service->CreateJob(std::move(config));
+}
+
+void PublicSamlUrlFetcher::OnPublicSamlUrlReceived(
+    policy::DeviceManagementService::Job* job,
+    policy::DeviceManagementStatus dm_status,
+    int net_error,
+    const enterprise_management::DeviceManagementResponse& response) {
+  VLOG(1) << "Public SAML url response received. DM Status: " << dm_status;
+  fetch_request_job_.reset();
+  std::string user_id;
+
+  switch (dm_status) {
+    case policy::DM_STATUS_SUCCESS: {
+      if (!response.has_public_saml_user_response()) {
+        LOG(WARNING) << "Invalid public SAML url response.";
+        break;
+      }
+      const em::PublicSamlUserResponse& saml_url_response =
+          response.public_saml_user_response();
+
+      if (!saml_url_response.has_saml_parameters()) {
+        LOG(WARNING) << "Invalid public SAML url response.";
+        break;
+      }
+      // Fetch has succeeded.
+      fetch_succeeded_ = true;
+      const em::SamlParametersProto& saml_params =
+          saml_url_response.saml_parameters();
+      redirect_url_ = saml_params.auth_redirect_url();
+      break;
+    }
+    default: {  // All other error cases
+      LOG(ERROR) << "Fetching public SAML url failed. DM Status: " << dm_status;
+      break;
+    }
+  }
+  std::move(callback_).Run();
+}
+
+}  // namespace chromeos

chrome/browser/chromeos/login/saml/public_saml_url_fetcher.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_SAML_PUBLIC_SAML_URL_FETCHER_H_
+#define CHROME_BROWSER_CHROMEOS_LOGIN_SAML_PUBLIC_SAML_URL_FETCHER_H_
+
+#include <memory>
+#include <string>
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
+#include "components/account_id/account_id.h"
+#include "components/policy/core/common/cloud/cloud_policy_constants.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
+
+namespace enterprise_management {
+class DeviceManagementResponse;
+}  // namespace enterprise_management
+
+namespace chromeos {
+
+// This class handles sending request for public SAML session URL to DM
+// server, waits for the response and retrieves the redirect URL from it.
+class PublicSamlUrlFetcher {
+ public:
+  explicit PublicSamlUrlFetcher(AccountId account_id);
+  ~PublicSamlUrlFetcher();
+
+  // Sends request to the DM server, gets and checks the response and
+  // calls the callback.
+  void Fetch(base::OnceClosure callback);
+  std::string GetRedirectUrl();
+  bool FetchSucceeded();
+
+ private:
+  // Response from DM server. Calls the stored FetchCallback or initiates the
+  // SAML flow.
+  void OnPublicSamlUrlReceived(
+      policy::DeviceManagementService::Job* job,
+      policy::DeviceManagementStatus dm_status,
+      int net_error,
+      const enterprise_management::DeviceManagementResponse& response);
+
+  // Account ID, added to the DM server request.
+  std::string account_id_;
+
+  // Indicates whether fetching the redirect URL was successful.
+  bool fetch_succeeded_ = false;
+
+  // Job that sends request to the DM server.
+  std::unique_ptr<policy::DeviceManagementService::Job> fetch_request_job_;
+
+  // The redirect URL.
+  std::string redirect_url_;
+
+  // Called at the end of Fetch().
+  base::OnceClosure callback_;
+  base::WeakPtrFactory<PublicSamlUrlFetcher> weak_ptr_factory_{this};
+
+  DISALLOW_COPY_AND_ASSIGN(PublicSamlUrlFetcher);
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_SAML_PUBLIC_SAML_URL_FETCHER_H_

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc

@@ -33,6 +33,7 @@
 #include "chrome/browser/chromeos/language_preferences.h"
 #include "chrome/browser/chromeos/login/lock_screen_utils.h"
 #include "chrome/browser/chromeos/login/reauth_stats.h"
+#include "chrome/browser/chromeos/login/saml/public_saml_url_fetcher.h"
 #include "chrome/browser/chromeos/login/screens/network_error.h"
 #include "chrome/browser/chromeos/login/signin_partition_manager.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
@@ -365,10 +366,29 @@ void GaiaScreenHandler::LoadGaia(const GaiaContext& context) {
   login::SigninPartitionManager* signin_partition_manager =
       login::SigninPartitionManager::Factory::GetForBrowserContext(
           Profile::FromWebUI(web_ui()));
-  signin_partition_manager->StartSigninSession(
-      web_ui()->GetWebContents(),
+
+  auto partition_call = base::BindOnce(
+      &login::SigninPartitionManager::StartSigninSession,
+      base::Unretained(signin_partition_manager), web_ui()->GetWebContents(),
       base::BindOnce(&GaiaScreenHandler::LoadGaiaWithPartition,
                      weak_factory_.GetWeakPtr(), context));
+
+  if (!context.email.empty()) {
+    const AccountId account_id = GetAccountId(
+        context.email, std::string() /* id */, AccountType::UNKNOWN);
+    const user_manager::User* const user =
+        user_manager::UserManager::Get()->FindUser(account_id);
+
+    if (user && user->using_saml() &&
+        user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT) {
+      public_saml_url_fetcher_ =
+          std::make_unique<chromeos::PublicSamlUrlFetcher>(account_id);
+      public_saml_url_fetcher_->Fetch(std::move(partition_call));
+      return;
+    }
+  }
+  public_saml_url_fetcher_.reset();
+  std::move(partition_call).Run();
 }
 
 void GaiaScreenHandler::LoadGaiaWithPartition(
@@ -444,30 +464,6 @@ void GaiaScreenHandler::LoadGaiaWithPartitionAndVersionAndConsent(
   screen_mode_ = GetGaiaScreenMode(context.email, context.use_offline);
   params.SetInteger("screenMode", screen_mode_);
 
-  if (!context.email.empty()) {
-    const AccountId account_id = GetAccountId(
-        context.email, std::string() /* id */, AccountType::UNKNOWN);
-    const user_manager::User* const user =
-        user_manager::UserManager::Get()->FindUser(account_id);
-    if (user && user->using_saml() &&
-        user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT &&
-        base::CommandLine::ForCurrentProcess()->HasSwitch(
-            switches::kPublicAccountsSamlUrl)) {
-      std::string saml_url =
-          base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
-              switches::kPublicAccountsSamlUrl);
-      params.SetBoolean("startsOnSamlPage", true);
-      params.SetString("frameUrl", saml_url);
-      params.SetString("email", account_id.GetUserEmail());
-      CHECK(base::CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kPublicAccountsSamlAclUrl));
-      std::string saml_acl_url =
-          base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
-              switches::kPublicAccountsSamlAclUrl);
-      params.SetString("samlAclUrl", saml_acl_url);
-    }
-  }
-
   if (screen_mode_ == GAIA_SCREEN_MODE_AD && !authpolicy_login_helper_)
     authpolicy_login_helper_ = std::make_unique<AuthPolicyHelper>();
 
@@ -538,6 +534,26 @@ void GaiaScreenHandler::LoadGaiaWithPartitionAndVersionAndConsent(
                     ExtractSamlPasswordAttributesEnabled());
   params.SetBoolean("enableGaiaActionButtons", GaiaActionButtonsEnabled());
 
+  if (public_saml_url_fetcher_) {
+    params.SetBoolean("startsOnSamlPage", true);
+    CHECK(base::CommandLine::ForCurrentProcess()->HasSwitch(
+        switches::kPublicAccountsSamlAclUrl));
+    std::string saml_acl_url =
+        base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+            switches::kPublicAccountsSamlAclUrl);
+    params.SetString("samlAclUrl", saml_acl_url);
+    if (public_saml_url_fetcher_->FetchSucceeded()) {
+      params.SetString("frameUrl", public_saml_url_fetcher_->GetRedirectUrl());
+    } else {
+      // TODO: make the string localized.
+      std::string msg = "Failed to fetch the SAML redirect URL from the server";
+      core_oobe_view_->ShowSignInError(
+          0, msg, std::string(), HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT);
+      return;
+    }
+  }
+  public_saml_url_fetcher_.reset();
+
   frame_state_ = FRAME_STATE_LOADING;
   CallJS("login.GaiaSigninScreen.loadAuthExtension", params);
 }

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h

@@ -39,6 +39,7 @@ class Key;
 class SamlPasswordAttributes;
 class SigninScreenHandler;
 class UserContext;
+class PublicSamlUrlFetcher;
 
 class GaiaView {
  public:
@@ -414,6 +415,8 @@ class GaiaScreenHandler : public BaseScreenHandler,
   std::unique_ptr<LoginClientCertUsageObserver>
       extension_provided_client_cert_usage_observer_;
 
+  std::unique_ptr<chromeos::PublicSamlUrlFetcher> public_saml_url_fetcher_;
+
   // State of the security token PIN dialogs:
 
   // Whether this instance is currently registered as a host for showing the

chromeos/constants/chromeos_switches.cc

@@ -433,10 +433,6 @@ const char kOobeTimerInterval[] = "oobe-timer-interval";
 // TODO(984021): Remove when URL is sent by DMServer.
 const char kPublicAccountsSamlAclUrl[] = "public-accounts-saml-acl-url";
 
-// Url address of SAML provider for a SAML public session.
-// TODO(984021): Remove when URL is sent by DMServer.
-const char kPublicAccountsSamlUrl[] = "public-accounts-saml-url";
-
 // If set to "true", the profile requires policy during restart (policy load
 // must succeed, otherwise session restart should fail).
 const char kProfileRequiresPolicy[] = "profile-requires-policy";

chromeos/constants/chromeos_switches.h

@@ -172,7 +172,6 @@ COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeSkipToLogin[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeTimerInterval[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
 extern const char kPublicAccountsSamlAclUrl[];
-COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kPublicAccountsSamlUrl[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
 extern const char kDisableArcCpuRestriction[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kProfileRequiresPolicy[];

components/policy/core/common/cloud/cloud_policy_constants.cc

@@ -64,6 +64,7 @@ const char kValueRequestInitialEnrollmentStateRetrieval[] =
     "device_initial_enrollment_state";
 const char kValueRequestUploadPolicyValidationReport[] =
     "policy_validation_report";
+const char kValueRequestPublicSamlUser[] = "public_saml_user_request";
 
 const char kChromeDevicePolicyType[] = "google/chromeos/device";
 #if defined(OS_CHROMEOS)

components/policy/core/common/cloud/cloud_policy_constants.h

@@ -57,6 +57,7 @@ POLICY_EXPORT extern const char kValueRequestTokenEnrollment[];
 POLICY_EXPORT extern const char kValueRequestChromeDesktopReport[];
 POLICY_EXPORT extern const char kValueRequestInitialEnrollmentStateRetrieval[];
 POLICY_EXPORT extern const char kValueRequestUploadPolicyValidationReport[];
+POLICY_EXPORT extern const char kValueRequestPublicSamlUser[];
 
 // Policy type strings for the policy_type field in PolicyFetchRequest.
 POLICY_EXPORT extern const char kChromeDevicePolicyType[];

components/policy/core/common/cloud/device_management_service.cc

@@ -185,6 +185,8 @@ std::string DeviceManagementService::JobConfiguration::GetJobTypeAsString(
     case DeviceManagementService::JobConfiguration::
         TYPE_UPLOAD_REAL_TIME_REPORT:
       return "UploadrealtimeReport";
+    case DeviceManagementService::JobConfiguration::TYPE_REQUEST_SAML_URL:
+      return "PublicSamlUserRequest";
   }
   NOTREACHED() << "Invalid job type " << type;
   return "";

components/policy/core/common/cloud/device_management_service.h

@@ -49,7 +49,7 @@ enum class DMServerRequestSuccess {
   // 1..kMaxRetries: number of retries. kMaxRetries is the maximum number of
   // retries allowed, defined in the .cc file.
 
-  // The request failed (too many retries or non-retriable error).
+  // The request failed (too many retries or non-retryable error).
   kRequestFailed = 10,
   // The server responded with an error.
   kRequestError = 11,
@@ -119,7 +119,7 @@ class POLICY_EXPORT DeviceManagementService {
   //
   // JobConfiguration is the interface used by callers to specify parameters
   // of network requests.  This object is not immutable and may be changed after
-  // a call to OnBeforeRetry().  DeviceManagemmentService calls the GetXXX
+  // a call to OnBeforeRetry().  DeviceManagementService calls the GetXXX
   // methods again to create a new network request for each retry.
   //
   // JobControl is the interface used internally by DeviceManagementService to
@@ -163,6 +163,7 @@ class POLICY_EXPORT DeviceManagementService {
       TYPE_INITIAL_ENROLLMENT_STATE_RETRIEVAL = 20,
       TYPE_UPLOAD_POLICY_VALIDATION_REPORT = 21,
       TYPE_UPLOAD_REAL_TIME_REPORT = 22,
+      TYPE_REQUEST_SAML_URL = 23,
     };
 
     // The set of HTTP query parmaters of the request.
@@ -350,7 +351,7 @@ class POLICY_EXPORT JobConfigurationBase
 
  protected:
   // Adds the query parameter to the network request's URL.  If the parameter
-  // already eixsts its value is replaced.
+  // already exists its value is replaced.
   void AddParameter(const std::string& name, const std::string& value);
 
   const DMAuth& GetAuth() { return *auth_data_.get(); }
@@ -379,7 +380,7 @@ class POLICY_EXPORT JobConfigurationBase
   // and |oauth_token_| can be specified for one request.
   base::Optional<std::string> oauth_token_;
 
-  // Query pamaters for the network request.
+  // Query parameters for the network request.
   ParameterMap query_params_;
 
   DISALLOW_COPY_AND_ASSIGN(JobConfigurationBase);

components/policy/core/common/cloud/dmserver_job_configurations.cc

@@ -76,6 +76,8 @@ const char* JobTypeToRequestType(
     case DeviceManagementService::JobConfiguration::
         TYPE_UPLOAD_POLICY_VALIDATION_REPORT:
       return dm_protocol::kValueRequestUploadPolicyValidationReport;
+    case DeviceManagementService::JobConfiguration::TYPE_REQUEST_SAML_URL:
+      return dm_protocol::kValueRequestPublicSamlUser;
     case DeviceManagementService::JobConfiguration::
         TYPE_UPLOAD_REAL_TIME_REPORT:
       NOTREACHED() << "Not a DMServer request type" << type;