Enable V2 authentication for Me2Me host.

remoting/tools/me2me_virtual_host.py

 #!/usr/bin/env python
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Virtual Me2Me implementation.  This script runs and manages the processes
 # required for a Virtual Me2Me desktop, which are: X server, X desktop
 # session, and Host process.
 # This script is intended to run continuously as a background daemon
 # process, running under an ordinary (non-root) user account.
 
 import atexit
+import base64
 import getpass
 import hashlib
+import hmac
 import json
 import logging
 import optparse
 import os
 import random
 import signal
 import socket
 import subprocess
 import sys
 import time
@@ skipping 83 matching lines @@
     settings_file.close()
     os.umask(old_umask)
 
 
 class Host:
   """This manages the configuration for a host.
 
   Callers should instantiate a Host object (passing in a filename where the
   config will be kept), then should call either of the methods:
 
-  * create_config(auth): Create a new Host configuration and register it with
-  the Directory Service (the "auth" parameter is used to authenticate with the
-  Service).
+  * register(auth): Create a new Host configuration and register it
+  with the Directory Service (the "auth" parameter is used to
+  authenticate with the Service).
   * load_config(): Load a config from disk, with details of an existing Host
   registration.
 
-  After calling create_config() (or making any config changes) the method
+  After calling register() (or making any config changes) the method
   save_config() should be called to save the details to disk.
   """
 
   server = 'www.googleapis.com'
   url = 'https://' + server + '/chromoting/v1/@me/hosts'
 
   def __init__(self, config_file):
     self.config_file = config_file
+    self.host_id = str(uuid.uuid1())
+    self.host_name = socket.gethostname()
+    self.host_secret_hash = None
+    self.private_key = None
 
-  def create_config(self, auth):
-    self.host_id = str(uuid.uuid1())
+  def register(self, auth):
     logging.info("HostId: " + self.host_id)
-    self.host_name = socket.gethostname()
     logging.info("HostName: " + self.host_name)
 
     logging.info("Generating RSA key pair...")
     (self.private_key, public_key) = keygen.generateRSAKeyPair()
     logging.info("Done")
 
     json_data = {
         "data": {
             "hostId": self.host_id,
             "hostName": self.host_name,
@@ skipping 13 matching lines @@
     logging.info("Registering host with directory service...")
     try:
       res = urllib2.urlopen(request)
       data = res.read()
     except urllib2.HTTPError, err:
       logging.error("Directory returned error: " + str(err))
       logging.error(err.read())
       sys.exit(1)
     logging.info("Done")
 
+  def ask_pin(self):
+    pin = getpass.getpass("Host PIN (can be empty): ")

[Wez, 2012/01/23 23:53:49]

nit: Verify that the PIN is either empty or at least 4 characters long?

[Sergey Ulanov, 2012/01/24 06:32:22]

Done.

+    self.host_secret_hash = "hmac;" + base64.b64encode(
+        hmac.new(str(self.host_id), pin, hashlib.sha256).digest())

[Wez, 2012/01/23 23:53:49]

nit: It will make changes to inform the client of whether a PIN is required
easier of you store nothing when the user doesn't enter a PIN, and have the host
understand that.  That would also let the host be backward-compatible with
existing dogfooder's configs.

[Sergey Ulanov, 2012/01/24 06:32:22]

Done.

+
+  def ask_pin_if_unknown(self):
+    if not self.host_secret_hash:
+      self.ask_pin()
+      return True
+    return False
+
   def load_config(self):
     try:
       settings_file = open(self.config_file, 'r')
       data = json.load(settings_file)
       settings_file.close()
-      self.host_id = data["host_id"]
-      self.host_name = data["host_name"]
-      self.private_key = data["private_key"]
     except:
+      logging.info("Failed to load: " + self.config_file)
       return False
+    self.host_id = data["host_id"]
+    self.host_name = data["host_name"]
+    self.host_secret_hash = data.get("host_secret_hash")
+    self.private_key = data["private_key"]
     return True
 
   def save_config(self):
     data = {
         "host_id": self.host_id,
         "host_name": self.host_name,
+        "host_secret_hash": self.host_secret_hash,
         "private_key": self.private_key,
     }
     old_umask = os.umask(0066)
     settings_file = open(self.config_file, 'w')
     settings_file.write(json.dumps(data, indent=2))
     settings_file.close()
     os.umask(old_umask)
 
 
 class Desktop:
@@ skipping 299 matching lines @@
     try:
       auth.refresh_tokens()
     except:
       logging.error("Authentication failed.")
       return 1
     auth.save_config()
 
   host = Host(os.path.join(CONFIG_DIR, "host#%s.json" % host_hash))
 
   if not host.load_config():
-    host.create_config(auth)
+    host.ask_pin()
+    host.register(auth)
+    host.save_config()
+
+  if host.ask_pin_if_unknown():
     host.save_config()
 
   global g_pidfile
   g_pidfile = PidFile(pid_filename)
   running, pid = g_pidfile.check()
 
   if running:
     if pid == 0:
       pid = 'unknown'
 
@@ skipping 71 matching lines @@
       desktop.session_proc = None
 
     if desktop.host_proc is not None and pid == desktop.host_proc.pid:
       logging.info("Host process terminated")
       desktop.host_proc = None
 
 
 if __name__ == "__main__":
   logging.basicConfig(level=logging.DEBUG)
   sys.exit(main())