Host-side third party token validation

remoting/host/remoting_me2me_host.cc

Index: remoting/host/remoting_me2me_host.cc
diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc
index 2614950375c408ac8c7971ca0bc8f7a75efc18ad..3fdaa34fac6399b9bec964d12cf4311d8d1e6861 100644
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -34,6 +34,7 @@
 #include "remoting/base/auto_thread_task_runner.h"
 #include "remoting/base/breakpad.h"
 #include "remoting/base/constants.h"
+#include "remoting/base/rsa_key_pair.h"
 #include "remoting/base/util.h"
 #include "remoting/host/branding.h"
 #include "remoting/host/chromoting_host.h"
@@ -65,6 +66,7 @@
 #include "remoting/host/session_manager_factory.h"
 #include "remoting/host/signaling_connector.h"
 #include "remoting/host/ui_strings.h"
+#include "remoting/host/url_fetcher_token_validator_factory.h"
 #include "remoting/host/usage_stats_consent.h"
 #include "remoting/jingle_glue/xmpp_signal_strategy.h"
 #include "remoting/protocol/me2me_host_authenticator_factory.h"
@@ -205,6 +207,8 @@ class HostProcess
   bool OnNatPolicyUpdate(bool nat_traversal_enabled);
   bool OnCurtainPolicyUpdate(bool curtain_required);
   bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
+  bool OnHostTokenUrlPolicyUpdate(const GURL& token_url,
+                                  const GURL& token_validation_url);
 
   void StartHost();
 
@@ -268,6 +272,8 @@ class HostProcess
   scoped_ptr<CurtainMode> curtain_;
   scoped_ptr<CurtainingHostObserver> curtaining_host_observer_;
   bool curtain_required_;
+  GURL token_url_;
+  GURL token_validation_url_;
 
   scoped_ptr<XmppSignalStrategy> signal_strategy_;
   scoped_ptr<SignalingConnector> signaling_connector_;
@@ -482,9 +488,17 @@ void HostProcess::CreateAuthenticatorFactory() {
     return;
   }
 
+  // Create the validator factory for third-party token authentication.
+  scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
+      token_validator_factory(new UrlFetcherTokenValidatorFactory(
+          token_url_, token_validation_url_, key_pair_,
+          context_->url_request_context_getter()));
+
   scoped_ptr<protocol::AuthenticatorFactory> factory(
       new protocol::Me2MeHostAuthenticatorFactory(
-          local_certificate, key_pair_, host_secret_hash_));
+          local_certificate, key_pair_, host_secret_hash_,
+          token_validator_factory.Pass()));
+
 #if defined(OS_POSIX)
   // On Linux and Mac, perform a PAM authorization step after authentication.
   factory.reset(new PamAuthorizationFactory(factory.Pass()));
@@ -742,6 +756,16 @@ void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) {
           &bool_value)) {
     restart_required |= OnCurtainPolicyUpdate(bool_value);
   }
+  std::string token_url_string, token_validation_url_string;
+  if (policies->GetString(

[Sergey Ulanov, 2013/04/05 20:28:34]

not related to this CL, so not worth fixing here: it's expected that the values
are always in the dictionary, so this if can be replaced with a DCHECK.

[rmsousa, 2013/04/06 00:37:25]

Done.

+          policy_hack::PolicyWatcher::kHostTokenUrlPolicyName,
+          &token_url_string) &&
+      policies->GetString(
+          policy_hack::PolicyWatcher::kHostTokenValidationUrlPolicyName,
+          &token_validation_url_string)) {
+    restart_required |= OnHostTokenUrlPolicyUpdate(
+        GURL(token_url_string), GURL(token_validation_url_string));
+  }
 
   if (state_ == HOST_INITIALIZING) {
     StartHost();
@@ -865,6 +889,34 @@ bool HostProcess::OnHostTalkGadgetPrefixPolicyUpdate(
   return false;
 }
 
+bool HostProcess::OnHostTokenUrlPolicyUpdate(
+    const GURL& token_url,
+    const GURL& token_validation_url) {
+  // Returns true if the host has to be restarted after this policy update.
+  DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+  if (token_url_ != token_url ||
+      token_validation_url_ != token_validation_url) {
+    if (token_url.is_empty() && token_validation_url.is_empty()) {
+      LOG(INFO) << "Policy disables third-party authentication";
+    } else if ((!token_url.is_valid() || !token_validation_url.is_valid())) {
+      LOG(ERROR) << "One of the third-party token URLs is empty or invalid. "
+          << "TokenUrl: " << token_url << ", "

[Sergey Ulanov, 2013/04/05 20:28:34]

nit: << should be aligned with << on the previous line when wrapped:
  LOG(ERROR) << "foo "
             << x << "bar";

but if it's wrapped because the string is too long, then you don't need the
second <<. In that case it should be indented 4 spaces
  LOG(ERROR) << "foo "
      "bar" << x;

[rmsousa, 2013/04/06 00:37:25]

Done.

+          << "TokenValidationUrl: " << token_validation_url;
+    } else {
+      LOG(INFO) << "Policy sets third-party token URLs: "
+          << "TokenUrl: " << token_url << ", "
+          << "TokenValidationUrl: " << token_validation_url;
+    }
+
+    token_url_ = token_url;
+    token_validation_url_ = token_validation_url;
+    return true;
+  }
+
+  return false;
+}
+
 void HostProcess::StartHost() {
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
   DCHECK(!host_);