| Index: remoting/protocol/me2me_host_authenticator_factory.cc
|
| diff --git a/remoting/protocol/me2me_host_authenticator_factory.cc b/remoting/protocol/me2me_host_authenticator_factory.cc
|
| index bd926da8b845a9024b012d71feed2c7255ba0451..1b36ee7693e506699826febd7c700f9e0b7e3db0 100644
|
| --- a/remoting/protocol/me2me_host_authenticator_factory.cc
|
| +++ b/remoting/protocol/me2me_host_authenticator_factory.cc
|
| @@ -61,6 +61,7 @@ class RejectingAuthenticator : public Authenticator {
|
| // static
|
| scoped_ptr<AuthenticatorFactory>
|
| Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
|
| + bool use_service_account,
|
| const std::string& host_owner,
|
| const std::string& local_cert,
|
| scoped_refptr<RsaKeyPair> key_pair,
|
| @@ -68,6 +69,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
|
| scoped_refptr<PairingRegistry> pairing_registry) {
|
| scoped_ptr<Me2MeHostAuthenticatorFactory> result(
|
| new Me2MeHostAuthenticatorFactory());
|
| + result->use_service_account_ = use_service_account;
|
| result->host_owner_ = host_owner;
|
| result->local_cert_ = local_cert;
|
| result->key_pair_ = key_pair;
|
| @@ -80,6 +82,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
|
| // static
|
| scoped_ptr<AuthenticatorFactory>
|
| Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
|
| + bool use_service_account,
|
| const std::string& host_owner,
|
| const std::string& local_cert,
|
| scoped_refptr<RsaKeyPair> key_pair,
|
| @@ -87,6 +90,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
|
| token_validator_factory) {
|
| scoped_ptr<Me2MeHostAuthenticatorFactory> result(
|
| new Me2MeHostAuthenticatorFactory());
|
| + result->use_service_account_ = use_service_account;
|
| result->host_owner_ = host_owner;
|
| result->local_cert_ = local_cert;
|
| result->key_pair_ = key_pair;
|
| @@ -111,12 +115,29 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
|
| const std::string& remote_jid,
|
| const buzz::XmlElement* first_message) {
|
|
|
| - // Verify that the client's jid is an ASCII string, and then check
|
| - // that the client has the same bare jid as the host, i.e. client's
|
| - // full JID starts with host's bare jid. Comparison is case
|
| - // insensitive.
|
| + std::string remote_jid_prefix;
|
| +
|
| + if (!use_service_account_) {
|
| + // JID prefixes may not match the host owner email, for example, in cases
|
| + // where the host owner account does not have an email associated with it.
|
| + // In those cases, the only guarantee we have is that JIDs for the same
|
| + // account will have the same prefix.
|
| + size_t slash_pos = local_jid.find('/');
|
| + if (slash_pos == std::string::npos) {
|
| + LOG(DFATAL) << "Invalid local JID:" << local_jid;
|
| + return scoped_ptr<Authenticator>(new RejectingAuthenticator());
|
| + }
|
| + remote_jid_prefix = local_jid.substr(0, slash_pos);
|
| + } else {
|
| + // TODO(rmsousa): This only works for cases where the JID prefix matches
|
| + // the host owner email. Figure out a way to verify the JID in other cases.
|
| + remote_jid_prefix = host_owner_;
|
| + }
|
| +
|
| + // Verify that the client's jid is an ASCII string, and then check that the
|
| + // client JID has the expected prefix. Comparison is case insensitive.
|
| if (!IsStringASCII(remote_jid) ||
|
| - !StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
|
| + !StartsWithASCII(remote_jid, remote_jid_prefix + '/', false)) {
|
| LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
|
| return scoped_ptr<Authenticator>(new RejectingAuthenticator());
|
| }
|
|
|
Chromium Code Reviews
Issue 134523007:
Fix JID checking for cases where the user account does not have a Google email associated with it. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src