Third Party authentication protocol.

remoting/protocol/third_party_authenticator_unittest.cc

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/bind.h"
+#include "net/base/net_errors.h"
+#include "remoting/base/rsa_key_pair.h"
+#include "remoting/protocol/authenticator_test_base.h"
+#include "remoting/protocol/channel_authenticator.h"
+#include "remoting/protocol/connection_tester.h"
+#include "remoting/protocol/fake_authenticator.h"
+#include "remoting/protocol/third_party_authenticator_base.h"
+#include "remoting/protocol/third_party_client_authenticator.h"
+#include "remoting/protocol/third_party_host_authenticator.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/libjingle/source/talk/xmllite/xmlelement.h"
+
+using testing::_;
+using testing::DeleteArg;
+using testing::SaveArg;
+
+namespace {
+
+const int kMessageSize = 100;
+const int kMessages = 1;
+
+const char kTokenIssueUrl[] = "https://example.com/Issue";
+const char kTokenVerificationUrl[] = "https://example.com/Verify";
+const char kTokenScope[] = "host:a@b.com/1 client:a@b.com/2";
+const char kToken[] = "abc123456xyz789";
+const char kSharedSecret[] = "1234-1234-5678";
+const char kSharedSecretBad[] = "0000-0000-0001";
+
+}  // namespace
+
+namespace remoting {
+namespace protocol {
+
+class ThirdPartyAuthenticatorTest : public AuthenticatorTestBase {
+  class FakeTokenFetcher {
+   public:
+    virtual ~FakeTokenFetcher() {}
+
+    virtual void FetchThirdPartyToken(
+        const GURL& token_url,
+        const std::string& host_public_key,
+        const std::string& scope,
+        const TokenFetchedCallback& token_fetched_callback) {
+      on_token_fetched_ = token_fetched_callback;
+    }
+
+    void OnTokenFetched(const std::string& token,
+                        const std::string& shared_secret) {
+      on_token_fetched_.Run(token, shared_secret);
+      on_token_fetched_.Reset();
+    }
+
+   private:
+    TokenFetchedCallback on_token_fetched_;
+  };
+
+  class FakeTokenValidator
+      : public ThirdPartyHostAuthenticator::TokenValidator {
+   public:
+    FakeTokenValidator()
+     : token_url_(kTokenIssueUrl),
+       token_scope_(kTokenScope) {}
+
+    virtual ~FakeTokenValidator() {}
+
+    virtual void ValidateThirdPartyToken(
+        const std::string& token,
+        const TokenValidatedCallback& token_validated_callback) {
+     on_token_validated_ = token_validated_callback;
+    }
+
+    void OnTokenValidated(const std::string& shared_secret) {
+      on_token_validated_.Run(shared_secret);
+      on_token_validated_.Reset();
+    }
+
+    virtual const GURL& token_url() const OVERRIDE {
+      return token_url_;
+    }
+
+    virtual const std::string& token_scope() const OVERRIDE {
+      return token_scope_;
+    }
+
+   private:
+    GURL token_url_;
+    std::string token_scope_;
+    base::Callback<void(const std::string& shared_secret)> on_token_validated_;
+  };
+
+ public:
+  ThirdPartyAuthenticatorTest() {
+  }
+  virtual ~ThirdPartyAuthenticatorTest() {
+  }
+
+ protected:
+  void InitAuthenticators() {
+    scoped_ptr<ThirdPartyHostAuthenticator::TokenValidator>
+        token_validator(new FakeTokenValidator());
+    token_validator_ = static_cast<FakeTokenValidator*>(token_validator.get());
+    host_.reset(new ThirdPartyHostAuthenticator(
+        host_cert_, key_pair_, token_validator.Pass()));
+    token_fetcher_.reset(new FakeTokenFetcher());
+    client_.reset(new ThirdPartyClientAuthenticator(
+        host_public_key_, base::Bind(&FakeTokenFetcher::FetchThirdPartyToken,
+                                     base::Unretained(token_fetcher_.get()))));
+  }
+
+  scoped_ptr<FakeTokenFetcher> token_fetcher_;
+  FakeTokenValidator* token_validator_;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(ThirdPartyAuthenticatorTest);
+};
+
+TEST_F(ThirdPartyAuthenticatorTest, SuccessfulAuth) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
+      kToken, kSharedSecret));
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
+  ASSERT_NO_FATAL_FAILURE(
+      token_validator_->OnTokenValidated(kSharedSecret));
+  // Both sides have finished.
+  ASSERT_EQ(Authenticator::ACCEPTED, host_->state());
+  ASSERT_EQ(Authenticator::ACCEPTED, client_->state());
+
+  // An authenticated channel can be created after the authentication.
+  client_auth_ = client_->CreateChannelAuthenticator();
+  host_auth_ = host_->CreateChannelAuthenticator();
+  RunChannelAuth(false);
+
+  StreamConnectionTester tester(host_socket_.get(), client_socket_.get(),
+                                kMessageSize, kMessages);
+
+  tester.Start();
+  message_loop_.Run();
+  tester.CheckResults();
+}
+
+TEST_F(ThirdPartyAuthenticatorTest, ClientNoSecret) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(kToken, ""));
+  // The end result is that the client rejected the connection, since it
+  // couldn't fetch the secret.
+  ASSERT_EQ(Authenticator::REJECTED, client_->state());
+}
+
+TEST_F(ThirdPartyAuthenticatorTest, InvalidToken) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
+      kToken, kSharedSecret));
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
+  ASSERT_NO_FATAL_FAILURE(token_validator_->OnTokenValidated(""));
+
+  // The end result is that the host rejected the token.
+  ASSERT_EQ(Authenticator::REJECTED, host_->state());
+}
+
+TEST_F(ThirdPartyAuthenticatorTest, CannotFetchToken) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched("", ""));
+
+  // The end result is that the client rejected the connection, since it
+  // couldn't fetch the token.
+  ASSERT_EQ(Authenticator::REJECTED, client_->state());
+}
+
+// Test that negotiation stops when the fake authentication is rejected.
+TEST_F(ThirdPartyAuthenticatorTest, HostBadSecret) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
+      kToken, kSharedSecret));
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
+  ASSERT_NO_FATAL_FAILURE(
+      token_validator_->OnTokenValidated(kSharedSecretBad));
+
+  // The end result is that the host rejected the fake authentication.
+  ASSERT_EQ(Authenticator::REJECTED, client_->state());
+}
+
+TEST_F(ThirdPartyAuthenticatorTest, ClientBadSecret) {
+  ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
+  ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
+
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
+  ASSERT_NO_FATAL_FAILURE(
+      token_fetcher_->OnTokenFetched(kToken, kSharedSecretBad));
+  ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
+  ASSERT_NO_FATAL_FAILURE(
+      token_validator_->OnTokenValidated(kSharedSecret));
+
+  // The end result is that the host rejected the fake authentication.
+  ASSERT_EQ(Authenticator::REJECTED, client_->state());
+}
+
+}  // namespace protocol
+}  // namespace remoting