Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(572)

Unified Diff: remoting/protocol/me2me_host_authenticator_factory.cc

Issue 1643793002: Add policy to restrict client domain for Me2Me. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix remoting_perftests compile. Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « remoting/protocol/me2me_host_authenticator_factory.h ('k') | remoting/protocol/rejecting_authenticator.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: remoting/protocol/me2me_host_authenticator_factory.cc
diff --git a/remoting/protocol/me2me_host_authenticator_factory.cc b/remoting/protocol/me2me_host_authenticator_factory.cc
index ce218e7f0786503a3425b6e62c684bfbe211bcbd..bd31a0d25584b52babbf2c804f1b37f18df3d397 100644
--- a/remoting/protocol/me2me_host_authenticator_factory.cc
+++ b/remoting/protocol/me2me_host_authenticator_factory.cc
@@ -11,6 +11,7 @@
#include "remoting/base/rsa_key_pair.h"
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/negotiating_host_authenticator.h"
+#include "remoting/protocol/rejecting_authenticator.h"
#include "remoting/protocol/token_validator.h"
#include "remoting/signaling/jid_util.h"
#include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
@@ -18,54 +19,6 @@
namespace remoting {
namespace protocol {
-namespace {
-
-// Authenticator that accepts one message and rejects connection after that.
-class RejectingAuthenticator : public Authenticator {
- public:
- RejectingAuthenticator()
- : state_(WAITING_MESSAGE) {
- }
- ~RejectingAuthenticator() override {}
-
- State state() const override { return state_; }
-
- bool started() const override { return true; }
-
- RejectionReason rejection_reason() const override {
- DCHECK_EQ(state_, REJECTED);
- return INVALID_CREDENTIALS;
- }
-
- void ProcessMessage(const buzz::XmlElement* message,
- const base::Closure& resume_callback) override {
- DCHECK_EQ(state_, WAITING_MESSAGE);
- state_ = REJECTED;
- resume_callback.Run();
- }
-
- scoped_ptr<buzz::XmlElement> GetNextMessage() override {
- NOTREACHED();
- return nullptr;
- }
-
- const std::string& GetAuthKey() const override {
- NOTREACHED();
- return auth_key_;
- };
-
- scoped_ptr<ChannelAuthenticator> CreateChannelAuthenticator() const override {
- NOTREACHED();
- return nullptr;
- }
-
- protected:
- State state_;
- std::string auth_key_;
-};
-
-} // namespace
-
// static
scoped_ptr<AuthenticatorFactory>
Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
@@ -73,6 +26,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
+ const std::string& required_client_domain,
const SharedSecretHash& shared_secret_hash,
scoped_refptr<PairingRegistry> pairing_registry) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
@@ -81,6 +35,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
+ result->required_client_domain_ = required_client_domain;
result->shared_secret_hash_ = shared_secret_hash;
result->pairing_registry_ = pairing_registry;
return std::move(result);
@@ -94,6 +49,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
+ const std::string& required_client_domain,
scoped_ptr<TokenValidatorFactory>
token_validator_factory) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
@@ -102,6 +58,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
+ result->required_client_domain_ = required_client_domain;
result->token_validator_factory_ = std::move(token_validator_factory);
return std::move(result);
}
@@ -126,7 +83,8 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
// account will have the same prefix.
if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) {
LOG(DFATAL) << "Invalid local JID:" << local_jid;
- return make_scoped_ptr(new RejectingAuthenticator());
+ return make_scoped_ptr(
+ new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
}
} else {
// TODO(rmsousa): This only works for cases where the JID prefix matches
@@ -139,8 +97,27 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
if (!base::IsStringASCII(remote_jid) ||
!base::StartsWith(remote_jid, remote_jid_prefix + '/',
base::CompareCase::INSENSITIVE_ASCII)) {
- LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
- return make_scoped_ptr(new RejectingAuthenticator());
+ LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
+ << ": Prefix mismatch.";
+ return make_scoped_ptr(
+ new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
+ }
+
+ // If necessary, verify that the client's jid belongs to the correct domain.
+ if (!required_client_domain_.empty()) {
+ std::string client_username = remote_jid;
+ size_t pos = client_username.find('/');
+ if (pos != std::string::npos) {
+ client_username.replace(pos, std::string::npos, "");
+ }
+ if (!base::EndsWith(client_username,
+ std::string("@") + required_client_domain_,
+ base::CompareCase::INSENSITIVE_ASCII)) {
+ LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
+ << ": Domain mismatch.";
+ return make_scoped_ptr(
+ new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
+ }
}
if (!local_cert_.empty() && key_pair_.get()) {
@@ -156,7 +133,8 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
shared_secret_hash_.hash_function, pairing_registry_);
}
- return make_scoped_ptr(new RejectingAuthenticator());
+ return make_scoped_ptr(
+ new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
}
} // namespace protocol
« no previous file with comments | « remoting/protocol/me2me_host_authenticator_factory.h ('k') | remoting/protocol/rejecting_authenticator.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698