OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "remoting/protocol/me2me_host_authenticator_factory.h" | 5 #include "remoting/protocol/me2me_host_authenticator_factory.h" |
6 | 6 |
7 #include "base/base64.h" | 7 #include "base/base64.h" |
8 #include "base/strings/string_util.h" | 8 #include "base/strings/string_util.h" |
9 #include "remoting/base/rsa_key_pair.h" | 9 #include "remoting/base/rsa_key_pair.h" |
10 #include "remoting/protocol/channel_authenticator.h" | 10 #include "remoting/protocol/channel_authenticator.h" |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
54 | 54 |
55 protected: | 55 protected: |
56 State state_; | 56 State state_; |
57 }; | 57 }; |
58 | 58 |
59 } // namespace | 59 } // namespace |
60 | 60 |
61 // static | 61 // static |
62 scoped_ptr<AuthenticatorFactory> | 62 scoped_ptr<AuthenticatorFactory> |
63 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( | 63 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( |
| 64 bool use_service_account, |
64 const std::string& host_owner, | 65 const std::string& host_owner, |
65 const std::string& local_cert, | 66 const std::string& local_cert, |
66 scoped_refptr<RsaKeyPair> key_pair, | 67 scoped_refptr<RsaKeyPair> key_pair, |
67 const SharedSecretHash& shared_secret_hash, | 68 const SharedSecretHash& shared_secret_hash, |
68 scoped_refptr<PairingRegistry> pairing_registry) { | 69 scoped_refptr<PairingRegistry> pairing_registry) { |
69 scoped_ptr<Me2MeHostAuthenticatorFactory> result( | 70 scoped_ptr<Me2MeHostAuthenticatorFactory> result( |
70 new Me2MeHostAuthenticatorFactory()); | 71 new Me2MeHostAuthenticatorFactory()); |
| 72 result->use_service_account_ = use_service_account; |
71 result->host_owner_ = host_owner; | 73 result->host_owner_ = host_owner; |
72 result->local_cert_ = local_cert; | 74 result->local_cert_ = local_cert; |
73 result->key_pair_ = key_pair; | 75 result->key_pair_ = key_pair; |
74 result->shared_secret_hash_ = shared_secret_hash; | 76 result->shared_secret_hash_ = shared_secret_hash; |
75 result->pairing_registry_ = pairing_registry; | 77 result->pairing_registry_ = pairing_registry; |
76 return scoped_ptr<AuthenticatorFactory>(result.Pass()); | 78 return scoped_ptr<AuthenticatorFactory>(result.Pass()); |
77 } | 79 } |
78 | 80 |
79 | 81 |
80 // static | 82 // static |
81 scoped_ptr<AuthenticatorFactory> | 83 scoped_ptr<AuthenticatorFactory> |
82 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( | 84 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
| 85 bool use_service_account, |
83 const std::string& host_owner, | 86 const std::string& host_owner, |
84 const std::string& local_cert, | 87 const std::string& local_cert, |
85 scoped_refptr<RsaKeyPair> key_pair, | 88 scoped_refptr<RsaKeyPair> key_pair, |
86 scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory> | 89 scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory> |
87 token_validator_factory) { | 90 token_validator_factory) { |
88 scoped_ptr<Me2MeHostAuthenticatorFactory> result( | 91 scoped_ptr<Me2MeHostAuthenticatorFactory> result( |
89 new Me2MeHostAuthenticatorFactory()); | 92 new Me2MeHostAuthenticatorFactory()); |
| 93 result->use_service_account_ = use_service_account; |
90 result->host_owner_ = host_owner; | 94 result->host_owner_ = host_owner; |
91 result->local_cert_ = local_cert; | 95 result->local_cert_ = local_cert; |
92 result->key_pair_ = key_pair; | 96 result->key_pair_ = key_pair; |
93 result->token_validator_factory_ = token_validator_factory.Pass(); | 97 result->token_validator_factory_ = token_validator_factory.Pass(); |
94 return scoped_ptr<AuthenticatorFactory>(result.Pass()); | 98 return scoped_ptr<AuthenticatorFactory>(result.Pass()); |
95 } | 99 } |
96 | 100 |
97 // static | 101 // static |
98 scoped_ptr<AuthenticatorFactory> | 102 scoped_ptr<AuthenticatorFactory> |
99 Me2MeHostAuthenticatorFactory::CreateRejecting() { | 103 Me2MeHostAuthenticatorFactory::CreateRejecting() { |
100 return scoped_ptr<AuthenticatorFactory>(new Me2MeHostAuthenticatorFactory()); | 104 return scoped_ptr<AuthenticatorFactory>(new Me2MeHostAuthenticatorFactory()); |
101 } | 105 } |
102 | 106 |
103 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() { | 107 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() { |
104 } | 108 } |
105 | 109 |
106 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() { | 110 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() { |
107 } | 111 } |
108 | 112 |
109 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator( | 113 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator( |
110 const std::string& local_jid, | 114 const std::string& local_jid, |
111 const std::string& remote_jid, | 115 const std::string& remote_jid, |
112 const buzz::XmlElement* first_message) { | 116 const buzz::XmlElement* first_message) { |
113 | 117 |
114 // Verify that the client's jid is an ASCII string, and then check | 118 std::string remote_jid_prefix; |
115 // that the client has the same bare jid as the host, i.e. client's | 119 |
116 // full JID starts with host's bare jid. Comparison is case | 120 if (!use_service_account_) { |
117 // insensitive. | 121 // JID prefixes may not match the host owner email, for example, in cases |
| 122 // where the host owner account does not have an email associated with it. |
| 123 // In those cases, the only guarantee we have is that JIDs for the same |
| 124 // account will have the same prefix. |
| 125 size_t slash_pos = local_jid.find('/'); |
| 126 if (slash_pos == std::string::npos) { |
| 127 LOG(DFATAL) << "Invalid local JID:" << local_jid; |
| 128 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); |
| 129 } |
| 130 remote_jid_prefix = local_jid.substr(0, slash_pos); |
| 131 } else { |
| 132 // TODO(rmsousa): This only works for cases where the JID prefix matches |
| 133 // the host owner email. Figure out a way to verify the JID in other cases. |
| 134 remote_jid_prefix = host_owner_; |
| 135 } |
| 136 |
| 137 // Verify that the client's jid is an ASCII string, and then check that the |
| 138 // client JID has the expected prefix. Comparison is case insensitive. |
118 if (!IsStringASCII(remote_jid) || | 139 if (!IsStringASCII(remote_jid) || |
119 !StartsWithASCII(remote_jid, host_owner_ + '/', false)) { | 140 !StartsWithASCII(remote_jid, remote_jid_prefix + '/', false)) { |
120 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid; | 141 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid; |
121 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); | 142 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); |
122 } | 143 } |
123 | 144 |
124 if (!local_cert_.empty() && key_pair_.get()) { | 145 if (!local_cert_.empty() && key_pair_.get()) { |
125 if (token_validator_factory_) { | 146 if (token_validator_factory_) { |
126 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( | 147 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( |
127 local_cert_, key_pair_, | 148 local_cert_, key_pair_, |
128 token_validator_factory_->CreateTokenValidator( | 149 token_validator_factory_->CreateTokenValidator( |
129 local_jid, remote_jid)); | 150 local_jid, remote_jid)); |
130 } | 151 } |
131 | 152 |
132 return NegotiatingHostAuthenticator::CreateWithSharedSecret( | 153 return NegotiatingHostAuthenticator::CreateWithSharedSecret( |
133 local_cert_, key_pair_, shared_secret_hash_.value, | 154 local_cert_, key_pair_, shared_secret_hash_.value, |
134 shared_secret_hash_.hash_function, pairing_registry_); | 155 shared_secret_hash_.hash_function, pairing_registry_); |
135 } | 156 } |
136 | 157 |
137 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); | 158 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); |
138 } | 159 } |
139 | 160 |
140 } // namespace protocol | 161 } // namespace protocol |
141 } // namespace remoting | 162 } // namespace remoting |
OLD | NEW |