Add m-esr52 at 52.6.0

1 files changed, 496 insertions, 0 deletions

diff --git a/toolkit/identity/IdentityProvider.jsm b/toolkit/identity/IdentityProvider.jsm
new file mode 100644
index 000000000..11529bfba
--- /dev/null
+++ b/toolkit/identity/IdentityProvider.jsm
@@ -0,0 +1,496 @@
+/* -*- js-indent-level: 2; indent-tabs-mode: nil -*- */
+/* vim: set ft=javascript ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const Cu = Components.utils;
+const Ci = Components.interfaces;
+const Cc = Components.classes;
+const Cr = Components.results;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/identity/LogUtils.jsm");
+Cu.import("resource://gre/modules/identity/Sandbox.jsm");
+
+this.EXPORTED_SYMBOLS = ["IdentityProvider"];
+const FALLBACK_PROVIDER = "browserid.org";
+
+XPCOMUtils.defineLazyModuleGetter(this,
+                                  "jwcrypto",
+                                  "resource://gre/modules/identity/jwcrypto.jsm");
+
+function log(...aMessageArgs) {
+  Logger.log.apply(Logger, ["IDP"].concat(aMessageArgs));
+}
+function reportError(...aMessageArgs) {
+  Logger.reportError.apply(Logger, ["IDP"].concat(aMessageArgs));
+}
+
+
+function IdentityProviderService() {
+  XPCOMUtils.defineLazyModuleGetter(this,
+                                    "_store",
+                                    "resource://gre/modules/identity/IdentityStore.jsm",
+                                    "IdentityStore");
+
+  this.reset();
+}
+
+IdentityProviderService.prototype = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsISupports, Ci.nsIObserver]),
+  _sandboxConfigured: false,
+
+  observe: function observe(aSubject, aTopic, aData) {
+    switch (aTopic) {
+      case "quit-application-granted":
+        Services.obs.removeObserver(this, "quit-application-granted");
+        this.shutdown();
+        break;
+    }
+  },
+
+  reset: function IDP_reset() {
+    // Clear the provisioning flows.  Provision flows contain an
+    // identity, idpParams (how to reach the IdP to provision and
+    // authenticate), a callback (a completion callback for when things
+    // are done), and a provisioningFrame (which is the provisioning
+    // sandbox).  Additionally, two callbacks will be attached:
+    // beginProvisioningCallback and genKeyPairCallback.
+    this._provisionFlows = {};
+
+    // Clear the authentication flows.  Authentication flows attach
+    // to provision flows.  In the process of provisioning an id, it
+    // may be necessary to authenticate with an IdP.  The authentication
+    // flow maintains the state of that authentication process.
+    this._authenticationFlows = {};
+  },
+
+  getProvisionFlow: function getProvisionFlow(aProvId, aErrBack) {
+    let provFlow = this._provisionFlows[aProvId];
+    if (provFlow) {
+      return provFlow;
+    }
+
+    let err = "No provisioning flow found with id " + aProvId;
+    log("ERROR:", err);
+    if (typeof aErrBack === 'function') {
+      aErrBack(err);
+    }
+
+    return undefined;
+  },
+
+  shutdown: function RP_shutdown() {
+    this.reset();
+
+    if (this._sandboxConfigured) {
+      // Tear down message manager listening on the hidden window
+      Cu.import("resource://gre/modules/DOMIdentity.jsm");
+      DOMIdentity._configureMessages(Services.appShell.hiddenDOMWindow, false);
+      this._sandboxConfigured = false;
+    }
+
+    Services.obs.removeObserver(this, "quit-application-granted");
+  },
+
+  get securityLevel() {
+    return 1;
+  },
+
+  get certDuration() {
+    switch (this.securityLevel) {
+      default:
+        return 3600;
+    }
+  },
+
+  /**
+   * Provision an Identity
+   *
+   * @param aIdentity
+   *        (string) the email we're logging in with
+   *
+   * @param aIDPParams
+   *        (object) parameters of the IdP
+   *
+   * @param aCallback
+   *        (function) callback to invoke on completion
+   *                   with first-positional parameter the error.
+   */
+  _provisionIdentity: function _provisionIdentity(aIdentity, aIDPParams, aProvId, aCallback) {
+    let provPath = aIDPParams.idpParams.provisioning;
+    let url = Services.io.newURI("https://" + aIDPParams.domain, null, null).resolve(provPath);
+    log("_provisionIdentity: identity:", aIdentity, "url:", url);
+
+    // If aProvId is not null, then we already have a flow
+    // with a sandbox.  Otherwise, get a sandbox and create a
+    // new provision flow.
+
+    if (aProvId) {
+      // Re-use an existing sandbox
+      log("_provisionIdentity: re-using sandbox in provisioning flow with id:", aProvId);
+      this._provisionFlows[aProvId].provisioningSandbox.reload();
+
+    } else {
+      this._createProvisioningSandbox(url, function createdSandbox(aSandbox) {
+        // create a provisioning flow, using the sandbox id, and
+        // stash callback associated with this provisioning workflow.
+
+        let provId = aSandbox.id;
+        this._provisionFlows[provId] = {
+          identity: aIdentity,
+          idpParams: aIDPParams,
+          securityLevel: this.securityLevel,
+          provisioningSandbox: aSandbox,
+          callback: function doCallback(aErr) {
+            aCallback(aErr, provId);
+          },
+        };
+
+        log("_provisionIdentity: Created sandbox and provisioning flow with id:", provId);
+        // XXX bug 769862 - provisioning flow should timeout after N seconds
+
+      }.bind(this));
+    }
+  },
+
+  // DOM Methods
+  /**
+   * the provisioning iframe sandbox has called navigator.id.beginProvisioning()
+   *
+   * @param aCaller
+   *        (object)  the iframe sandbox caller with all callbacks and
+   *                  other information.  Callbacks include:
+   *                  - doBeginProvisioningCallback(id, duration_s)
+   *                  - doGenKeyPairCallback(pk)
+   */
+  beginProvisioning: function beginProvisioning(aCaller) {
+    log("beginProvisioning:", aCaller.id);
+
+    // Expect a flow for this caller already to be underway.
+    let provFlow = this.getProvisionFlow(aCaller.id, aCaller.doError);
+
+    // keep the caller object around
+    provFlow.caller = aCaller;
+
+    let identity = provFlow.identity;
+    let frame = provFlow.provisioningFrame;
+
+    // Determine recommended length of cert.
+    let duration = this.certDuration;
+
+    // Make a record that we have begun provisioning.  This is required
+    // for genKeyPair.
+    provFlow.didBeginProvisioning = true;
+
+    // Let the sandbox know to invoke the callback to beginProvisioning with
+    // the identity and cert length.
+    return aCaller.doBeginProvisioningCallback(identity, duration);
+  },
+
+  /**
+   * the provisioning iframe sandbox has called
+   * navigator.id.raiseProvisioningFailure()
+   *
+   * @param aProvId
+   *        (int)  the identifier of the provisioning flow tied to that sandbox
+   * @param aReason
+   */
+  raiseProvisioningFailure: function raiseProvisioningFailure(aProvId, aReason) {
+    reportError("Provisioning failure", aReason);
+
+    // look up the provisioning caller and its callback
+    let provFlow = this.getProvisionFlow(aProvId);
+
+    // Sandbox is deleted in _cleanUpProvisionFlow in case we re-use it.
+
+    // This may be either a "soft" or "hard" fail.  If it's a
+    // soft fail, we'll flow through setAuthenticationFlow, where
+    // the provision flow data will be copied into a new auth
+    // flow.  If it's a hard fail, then the callback will be
+    // responsible for cleaning up the now defunct provision flow.
+
+    // invoke the callback with an error.
+    provFlow.callback(aReason);
+  },
+
+  /**
+   * When navigator.id.genKeyPair is called from provisioning iframe sandbox.
+   * Generates a keypair for the current user being provisioned.
+   *
+   * @param aProvId
+   *        (int)  the identifier of the provisioning caller tied to that sandbox
+   *
+   * It is an error to call genKeypair without receiving the callback for
+   * the beginProvisioning() call first.
+   */
+  genKeyPair: function genKeyPair(aProvId) {
+    // Look up the provisioning caller and make sure it's valid.
+    let provFlow = this.getProvisionFlow(aProvId);
+
+    if (!provFlow.didBeginProvisioning) {
+      let errStr = "ERROR: genKeyPair called before beginProvisioning";
+      log(errStr);
+      provFlow.callback(errStr);
+      return;
+    }
+
+    // Ok generate a keypair
+    jwcrypto.generateKeyPair(jwcrypto.ALGORITHMS.DS160, function gkpCb(err, kp) {
+      log("in gkp callback");
+      if (err) {
+        log("ERROR: genKeyPair:", err);
+        provFlow.callback(err);
+        return;
+      }
+
+      provFlow.kp = kp;
+
+      // Serialize the publicKey of the keypair and send it back to the
+      // sandbox.
+      log("genKeyPair: generated keypair for provisioning flow with id:", aProvId);
+      provFlow.caller.doGenKeyPairCallback(provFlow.kp.serializedPublicKey);
+    }.bind(this));
+  },
+
+  /**
+   * When navigator.id.registerCertificate is called from provisioning iframe
+   * sandbox.
+   *
+   * Sets the certificate for the user for which a certificate was requested
+   * via a preceding call to beginProvisioning (and genKeypair).
+   *
+   * @param aProvId
+   *        (integer) the identifier of the provisioning caller tied to that
+   *                  sandbox
+   *
+   * @param aCert
+   *        (String)  A JWT representing the signed certificate for the user
+   *                  being provisioned, provided by the IdP.
+   */
+  registerCertificate: function registerCertificate(aProvId, aCert) {
+    log("registerCertificate:", aProvId, aCert);
+
+    // look up provisioning caller, make sure it's valid.
+    let provFlow = this.getProvisionFlow(aProvId);
+
+    if (!provFlow.caller) {
+      reportError("registerCertificate", "No provision flow or caller");
+      return;
+    }
+    if (!provFlow.kp)  {
+      let errStr = "Cannot register a certificate without a keypair";
+      reportError("registerCertificate", errStr);
+      provFlow.callback(errStr);
+      return;
+    }
+
+    // store the keypair and certificate just provided in IDStore.
+    this._store.addIdentity(provFlow.identity, provFlow.kp, aCert);
+
+    // Great success!
+    provFlow.callback(null);
+
+    // Clean up the flow.
+    this._cleanUpProvisionFlow(aProvId);
+  },
+
+  /**
+   * Begin the authentication process with an IdP
+   *
+   * @param aProvId
+   *        (int) the identifier of the provisioning flow which failed
+   *
+   * @param aCallback
+   *        (function) to invoke upon completion, with
+   *                   first-positional-param error.
+   */
+  _doAuthentication: function _doAuthentication(aProvId, aIDPParams) {
+    log("_doAuthentication: provId:", aProvId, "idpParams:", aIDPParams);
+    // create an authentication caller and its identifier AuthId
+    // stash aIdentity, idpparams, and callback in it.
+
+    // extract authentication URL from idpParams
+    let authPath = aIDPParams.idpParams.authentication;
+    let authURI = Services.io.newURI("https://" + aIDPParams.domain, null, null).resolve(authPath);
+
+    // beginAuthenticationFlow causes the "identity-auth" topic to be
+    // observed.  Since it's sending a notification to the DOM, there's
+    // no callback.  We wait for the DOM to trigger the next phase of
+    // provisioning.
+    this._beginAuthenticationFlow(aProvId, authURI);
+
+    // either we bind the AuthID to the sandbox ourselves, or UX does that,
+    // in which case we need to tell UX the AuthId.
+    // Currently, the UX creates the UI and gets the AuthId from the window
+    // and sets is with setAuthenticationFlow
+  },
+
+  /**
+   * The authentication frame has called navigator.id.beginAuthentication
+   *
+   * IMPORTANT: the aCaller is *always* non-null, even if this is called from
+   * a regular content page. We have to make sure, on every DOM call, that
+   * aCaller is an expected authentication-flow identifier. If not, we throw
+   * an error or something.
+   *
+   * @param aCaller
+   *        (object)  the authentication caller
+   *
+   */
+  beginAuthentication: function beginAuthentication(aCaller) {
+    log("beginAuthentication: caller id:", aCaller.id);
+
+    // Begin the authentication flow after having concluded a provisioning
+    // flow.  The aCaller that the DOM gives us will have the same ID as
+    // the provisioning flow we just concluded.  (see setAuthenticationFlow)
+    let authFlow = this._authenticationFlows[aCaller.id];
+    if (!authFlow) {
+      return aCaller.doError("beginAuthentication: no flow for caller id", aCaller.id);
+    }
+
+    authFlow.caller = aCaller;
+
+    let identity = this._provisionFlows[authFlow.provId].identity;
+
+    // tell the UI to start the authentication process
+    log("beginAuthentication: authFlow:", aCaller.id, "identity:", identity);
+    return authFlow.caller.doBeginAuthenticationCallback(identity);
+  },
+
+  /**
+   * The auth frame has called navigator.id.completeAuthentication
+   *
+   * @param aAuthId
+   *        (int)  the identifier of the authentication caller tied to that sandbox
+   *
+   */
+  completeAuthentication: function completeAuthentication(aAuthId) {
+    log("completeAuthentication:", aAuthId);
+
+    // look up the AuthId caller, and get its callback.
+    let authFlow = this._authenticationFlows[aAuthId];
+    if (!authFlow) {
+      reportError("completeAuthentication", "No auth flow with id", aAuthId);
+      return;
+    }
+    let provId = authFlow.provId;
+
+    // delete caller
+    delete authFlow['caller'];
+    delete this._authenticationFlows[aAuthId];
+
+    let provFlow = this.getProvisionFlow(provId);
+    provFlow.didAuthentication = true;
+    let subject = {
+      rpId: provFlow.rpId,
+      identity: provFlow.identity,
+    };
+    Services.obs.notifyObservers({ wrappedJSObject: subject }, "identity-auth-complete", aAuthId);
+  },
+
+  /**
+   * The auth frame has called navigator.id.cancelAuthentication
+   *
+   * @param aAuthId
+   *        (int)  the identifier of the authentication caller
+   *
+   */
+  cancelAuthentication: function cancelAuthentication(aAuthId) {
+    log("cancelAuthentication:", aAuthId);
+
+    // look up the AuthId caller, and get its callback.
+    let authFlow = this._authenticationFlows[aAuthId];
+    if (!authFlow) {
+      reportError("cancelAuthentication", "No auth flow with id:", aAuthId);
+      return;
+    }
+    let provId = authFlow.provId;
+
+    // delete caller
+    delete authFlow['caller'];
+    delete this._authenticationFlows[aAuthId];
+
+    let provFlow = this.getProvisionFlow(provId);
+    provFlow.didAuthentication = true;
+    Services.obs.notifyObservers(null, "identity-auth-complete", aAuthId);
+
+    // invoke callback with ERROR.
+    let errStr = "Authentication canceled by IDP";
+    log("ERROR: cancelAuthentication:", errStr);
+    provFlow.callback(errStr);
+  },
+
+  /**
+   * Called by the UI to set the ID and caller for the authentication flow after it gets its ID
+   */
+  setAuthenticationFlow: function(aAuthId, aProvId) {
+    // this is the transition point between the two flows,
+    // provision and authenticate.  We tell the auth flow which
+    // provisioning flow it is started from.
+    log("setAuthenticationFlow: authId:", aAuthId, "provId:", aProvId);
+    this._authenticationFlows[aAuthId] = { provId: aProvId };
+    this._provisionFlows[aProvId].authId = aAuthId;
+  },
+
+  /**
+   * Load the provisioning URL in a hidden frame to start the provisioning
+   * process.
+   */
+  _createProvisioningSandbox: function _createProvisioningSandbox(aURL, aCallback) {
+    log("_createProvisioningSandbox:", aURL);
+
+    if (!this._sandboxConfigured) {
+      // Configure message manager listening on the hidden window
+      Cu.import("resource://gre/modules/DOMIdentity.jsm");
+      DOMIdentity._configureMessages(Services.appShell.hiddenDOMWindow, true);
+      this._sandboxConfigured = true;
+    }
+
+    new Sandbox(aURL, aCallback);
+  },
+
+  /**
+   * Load the authentication UI to start the authentication process.
+   */
+  _beginAuthenticationFlow: function _beginAuthenticationFlow(aProvId, aURL) {
+    log("_beginAuthenticationFlow:", aProvId, aURL);
+    let propBag = {provId: aProvId};
+
+    Services.obs.notifyObservers({wrappedJSObject:propBag}, "identity-auth", aURL);
+  },
+
+  /**
+   * Clean up a provision flow and the authentication flow and sandbox
+   * that may be attached to it.
+   */
+  _cleanUpProvisionFlow: function _cleanUpProvisionFlow(aProvId) {
+    log('_cleanUpProvisionFlow:', aProvId);
+    let prov = this._provisionFlows[aProvId];
+
+    // Clean up the sandbox, if there is one.
+    if (prov.provisioningSandbox) {
+      let sandbox = this._provisionFlows[aProvId]['provisioningSandbox'];
+      if (sandbox.free) {
+        log('_cleanUpProvisionFlow: freeing sandbox');
+        sandbox.free();
+      }
+      delete this._provisionFlows[aProvId]['provisioningSandbox'];
+    }
+
+    // Clean up a related authentication flow, if there is one.
+    if (this._authenticationFlows[prov.authId]) {
+      delete this._authenticationFlows[prov.authId];
+    }
+
+    // Finally delete the provision flow
+    delete this._provisionFlows[aProvId];
+  }
+
+};
+
+this.IdentityProvider = new IdentityProviderService();