Add policy to restrict client domain for Me2Me.

remoting/protocol/me2me_host_authenticator_factory.cc

Index: remoting/protocol/me2me_host_authenticator_factory.cc
diff --git a/remoting/protocol/me2me_host_authenticator_factory.cc b/remoting/protocol/me2me_host_authenticator_factory.cc
index ce218e7f0786503a3425b6e62c684bfbe211bcbd..bd31a0d25584b52babbf2c804f1b37f18df3d397 100644
--- a/remoting/protocol/me2me_host_authenticator_factory.cc
+++ b/remoting/protocol/me2me_host_authenticator_factory.cc
@@ -11,6 +11,7 @@
 #include "remoting/base/rsa_key_pair.h"
 #include "remoting/protocol/channel_authenticator.h"
 #include "remoting/protocol/negotiating_host_authenticator.h"
+#include "remoting/protocol/rejecting_authenticator.h"
 #include "remoting/protocol/token_validator.h"
 #include "remoting/signaling/jid_util.h"
 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
@@ -18,54 +19,6 @@
 namespace remoting {
 namespace protocol {
 
-namespace {
-
-// Authenticator that accepts one message and rejects connection after that.
-class RejectingAuthenticator : public Authenticator {
- public:
-  RejectingAuthenticator()
-      : state_(WAITING_MESSAGE) {
-  }
-  ~RejectingAuthenticator() override {}
-
-  State state() const override { return state_; }
-
-  bool started() const override { return true; }
-
-  RejectionReason rejection_reason() const override {
-    DCHECK_EQ(state_, REJECTED);
-    return INVALID_CREDENTIALS;
-  }
-
-  void ProcessMessage(const buzz::XmlElement* message,
-                      const base::Closure& resume_callback) override {
-    DCHECK_EQ(state_, WAITING_MESSAGE);
-    state_ = REJECTED;
-    resume_callback.Run();
-  }
-
-  scoped_ptr<buzz::XmlElement> GetNextMessage() override {
-    NOTREACHED();
-    return nullptr;
-  }
-
-  const std::string& GetAuthKey() const override {
-    NOTREACHED();
-    return auth_key_;
-  };
-
-  scoped_ptr<ChannelAuthenticator> CreateChannelAuthenticator() const override {
-    NOTREACHED();
-    return nullptr;
-  }
-
- protected:
-  State state_;
-  std::string auth_key_;
-};
-
-}  // namespace
-
 // static
 scoped_ptr<AuthenticatorFactory>
 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
@@ -73,6 +26,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
     const std::string& host_owner,
     const std::string& local_cert,
     scoped_refptr<RsaKeyPair> key_pair,
+    const std::string& required_client_domain,
     const SharedSecretHash& shared_secret_hash,
     scoped_refptr<PairingRegistry> pairing_registry) {
   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
@@ -81,6 +35,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
   result->host_owner_ = host_owner;
   result->local_cert_ = local_cert;
   result->key_pair_ = key_pair;
+  result->required_client_domain_ = required_client_domain;
   result->shared_secret_hash_ = shared_secret_hash;
   result->pairing_registry_ = pairing_registry;
   return std::move(result);
@@ -94,6 +49,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
     const std::string& host_owner,
     const std::string& local_cert,
     scoped_refptr<RsaKeyPair> key_pair,
+      const std::string& required_client_domain,
     scoped_ptr<TokenValidatorFactory>
         token_validator_factory) {
   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
@@ -102,6 +58,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
   result->host_owner_ = host_owner;
   result->local_cert_ = local_cert;
   result->key_pair_ = key_pair;
+  result->required_client_domain_ = required_client_domain;
   result->token_validator_factory_ = std::move(token_validator_factory);
   return std::move(result);
 }
@@ -126,7 +83,8 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
     // account will have the same prefix.
     if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) {
       LOG(DFATAL) << "Invalid local JID:" << local_jid;
-      return make_scoped_ptr(new RejectingAuthenticator());
+      return make_scoped_ptr(
+          new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
     }
   } else {
     // TODO(rmsousa): This only works for cases where the JID prefix matches
@@ -139,8 +97,27 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
   if (!base::IsStringASCII(remote_jid) ||
       !base::StartsWith(remote_jid, remote_jid_prefix + '/',
                         base::CompareCase::INSENSITIVE_ASCII)) {
-    LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
-    return make_scoped_ptr(new RejectingAuthenticator());
+    LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
+               << ": Prefix mismatch.";
+    return make_scoped_ptr(
+        new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
+  }
+
+  // If necessary, verify that the client's jid belongs to the correct domain.
+  if (!required_client_domain_.empty()) {
+    std::string client_username = remote_jid;
+    size_t pos = client_username.find('/');
+    if (pos != std::string::npos) {
+      client_username.replace(pos, std::string::npos, "");
+    }
+    if (!base::EndsWith(client_username,
+                        std::string("@") + required_client_domain_,
+                        base::CompareCase::INSENSITIVE_ASCII)) {
+      LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
+                 << ": Domain mismatch.";
+      return make_scoped_ptr(
+          new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
+    }
   }
 
   if (!local_cert_.empty() && key_pair_.get()) {
@@ -156,7 +133,8 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
         shared_secret_hash_.hash_function, pairing_registry_);
   }
 
-  return make_scoped_ptr(new RejectingAuthenticator());
+  return make_scoped_ptr(
+      new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS));
 }
 
 }  // namespace protocol