Implement exponential backoff for failed Me2Me authentication attempts

remoting/host/chromoting_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/chromoting_host.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/message_loop_proxy.h"
@@ skipping 13 matching lines @@
 #include "remoting/protocol/input_stub.h"
 #include "remoting/protocol/jingle_session_manager.h"
 #include "remoting/protocol/libjingle_transport_factory.h"
 #include "remoting/protocol/session_config.h"
 
 using remoting::protocol::ConnectionToClient;
 using remoting::protocol::InputStub;
 
 namespace remoting {
 
+namespace {
+
+const net::BackoffEntry::Policy kDefaultBackoffPolicy = {
+  // Number of initial errors (in sequence) to ignore before applying
+  // exponential back-off rules.
+  0,
+
+  // Initial delay for exponential back-off in ms.
+  2000,
+
+  // Factor by which the waiting time will be multiplied.
+  2,
+
+  // Fuzzing percentage. ex: 10% will spread requests randomly
+  // between 90%-100% of the calculated time.
+  0,
+
+  // Maximum amount of time we are willing to delay our request in ms.
+  -1,
+
+  // Time to keep an entry from being discarded even when it
+  // has no significant state, -1 to never discard.
+  -1,
+};
+
+}  // namespace
+
 ChromotingHost::ChromotingHost(
     ChromotingHostContext* context,
     SignalStrategy* signal_strategy,
     DesktopEnvironment* environment,
     const protocol::NetworkSettings& network_settings)
     : context_(context),
       desktop_environment_(environment),
       network_settings_(network_settings),
       signal_strategy_(signal_strategy),
       stopping_recorders_(0),
       state_(kInitial),
       protocol_config_(protocol::CandidateSessionConfig::CreateDefault()),
+      login_backoff_(&kDefaultBackoffPolicy),
       authenticating_client_(false),
       reject_authenticating_client_(false) {
   DCHECK(context_);
   DCHECK(signal_strategy);
   DCHECK(desktop_environment_);
   DCHECK(context_->network_message_loop()->BelongsToCurrentThread());
   desktop_environment_->set_host(this);
 }
 
 ChromotingHost::~ChromotingHost() {
@@ skipping 74 matching lines @@
     scoped_ptr<protocol::AuthenticatorFactory> authenticator_factory) {
   DCHECK(context_->network_message_loop()->BelongsToCurrentThread());
   session_manager_->set_authenticator_factory(authenticator_factory.Pass());
 }
 
 ////////////////////////////////////////////////////////////////////////////
 // protocol::ClientSession::EventHandler implementation.
 void ChromotingHost::OnSessionAuthenticated(ClientSession* client) {
   DCHECK(context_->network_message_loop()->BelongsToCurrentThread());
 
-  // TODO(sergeyu): Update BackoffEntry here.
+  login_backoff_.Reset();
 }
 
 void ChromotingHost::OnSessionAuthenticatedAndConnected(ClientSession* client) {
   DCHECK(context_->network_message_loop()->BelongsToCurrentThread());
 
   // Disconnect all other clients.
   // Iterate over a copy of the list of clients, to avoid mutating the list
   // while iterating over it.
   ClientList clients_copy(clients_);
   for (ClientList::const_iterator other_client = clients_copy.begin();
@@ skipping 93 matching lines @@
 void ChromotingHost::OnIncomingSession(
       protocol::Session* session,
       protocol::SessionManager::IncomingSessionResponse* response) {
   DCHECK(context_->network_message_loop()->BelongsToCurrentThread());
 
   if (state_ != kStarted) {
     *response = protocol::SessionManager::DECLINE;
     return;
   }
 
+  if (login_backoff_.ShouldRejectRequest()) {
+    *response = protocol::SessionManager::DISABLED;
+    return;
+  }
+
+  login_backoff_.InformOfRequest(false);

[Jói, 2012/03/26 12:31:56]

It's confusing to me that this is unconditionally false (i.e. considered an
error event for the BackoffEntry).  Is this correct?  If it is, I would suggest
adding a comment to explain.

I guess perhaps the idea is to assume an error here until you get into
OnSessionAuthenticated at which point you Reset(), but this isn't immediately
obvious since the semantics of an InformOfRequest(false) call would normally be
understood to indicate an actual error rather than an
assumed-error-until-proven-otherwise error.

[Sergey Ulanov, 2012/03/26 23:00:32]

Yes, that's the idea. This method is called when a new client is connected but
not authenticated yet. We want to prevent attacks when multiple connections are
made simultaneously and then all try to authenticate. Added comments about it.

+
   protocol::SessionConfig config;
   if (!protocol_config_->Select(session->candidate_config(), &config)) {
     LOG(WARNING) << "Rejecting connection from " << session->jid()
                  << " because no compatible configuration has been found.";
     *response = protocol::SessionManager::INCOMPATIBLE;
     return;
   }
 
   session->set_config(config);
 
@@ skipping 106 matching lines @@
                     OnShutdown());
 
   for (std::vector<base::Closure>::iterator it = shutdown_tasks_.begin();
        it != shutdown_tasks_.end(); ++it) {
     it->Run();
   }
   shutdown_tasks_.clear();
 }
 
 }  // namespace remoting