OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "remoting/protocol/me2me_host_authenticator_factory.h" | 5 #include "remoting/protocol/me2me_host_authenticator_factory.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/memory/ptr_util.h" |
10 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
11 #include "remoting/base/rsa_key_pair.h" | 12 #include "remoting/base/rsa_key_pair.h" |
12 #include "remoting/protocol/channel_authenticator.h" | 13 #include "remoting/protocol/channel_authenticator.h" |
13 #include "remoting/protocol/negotiating_host_authenticator.h" | 14 #include "remoting/protocol/negotiating_host_authenticator.h" |
14 #include "remoting/protocol/rejecting_authenticator.h" | 15 #include "remoting/protocol/rejecting_authenticator.h" |
15 #include "remoting/protocol/token_validator.h" | 16 #include "remoting/protocol/token_validator.h" |
16 #include "remoting/signaling/jid_util.h" | 17 #include "remoting/signaling/jid_util.h" |
17 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h" | 18 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h" |
18 | 19 |
19 namespace remoting { | 20 namespace remoting { |
20 namespace protocol { | 21 namespace protocol { |
21 | 22 |
22 // static | 23 // static |
23 scoped_ptr<AuthenticatorFactory> Me2MeHostAuthenticatorFactory::CreateWithPin( | 24 std::unique_ptr<AuthenticatorFactory> |
| 25 Me2MeHostAuthenticatorFactory::CreateWithPin( |
24 bool use_service_account, | 26 bool use_service_account, |
25 const std::string& host_owner, | 27 const std::string& host_owner, |
26 const std::string& local_cert, | 28 const std::string& local_cert, |
27 scoped_refptr<RsaKeyPair> key_pair, | 29 scoped_refptr<RsaKeyPair> key_pair, |
28 const std::string& required_client_domain, | 30 const std::string& required_client_domain, |
29 const std::string& pin_hash, | 31 const std::string& pin_hash, |
30 scoped_refptr<PairingRegistry> pairing_registry) { | 32 scoped_refptr<PairingRegistry> pairing_registry) { |
31 scoped_ptr<Me2MeHostAuthenticatorFactory> result( | 33 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( |
32 new Me2MeHostAuthenticatorFactory()); | 34 new Me2MeHostAuthenticatorFactory()); |
33 result->use_service_account_ = use_service_account; | 35 result->use_service_account_ = use_service_account; |
34 result->host_owner_ = host_owner; | 36 result->host_owner_ = host_owner; |
35 result->local_cert_ = local_cert; | 37 result->local_cert_ = local_cert; |
36 result->key_pair_ = key_pair; | 38 result->key_pair_ = key_pair; |
37 result->required_client_domain_ = required_client_domain; | 39 result->required_client_domain_ = required_client_domain; |
38 result->pin_hash_ = pin_hash; | 40 result->pin_hash_ = pin_hash; |
39 result->pairing_registry_ = pairing_registry; | 41 result->pairing_registry_ = pairing_registry; |
40 return std::move(result); | 42 return std::move(result); |
41 } | 43 } |
42 | 44 |
43 | 45 |
44 // static | 46 // static |
45 scoped_ptr<AuthenticatorFactory> | 47 std::unique_ptr<AuthenticatorFactory> |
46 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( | 48 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
47 bool use_service_account, | 49 bool use_service_account, |
48 const std::string& host_owner, | 50 const std::string& host_owner, |
49 const std::string& local_cert, | 51 const std::string& local_cert, |
50 scoped_refptr<RsaKeyPair> key_pair, | 52 scoped_refptr<RsaKeyPair> key_pair, |
51 const std::string& required_client_domain, | 53 const std::string& required_client_domain, |
52 scoped_refptr<TokenValidatorFactory> token_validator_factory) { | 54 scoped_refptr<TokenValidatorFactory> token_validator_factory) { |
53 scoped_ptr<Me2MeHostAuthenticatorFactory> result( | 55 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( |
54 new Me2MeHostAuthenticatorFactory()); | 56 new Me2MeHostAuthenticatorFactory()); |
55 result->use_service_account_ = use_service_account; | 57 result->use_service_account_ = use_service_account; |
56 result->host_owner_ = host_owner; | 58 result->host_owner_ = host_owner; |
57 result->local_cert_ = local_cert; | 59 result->local_cert_ = local_cert; |
58 result->key_pair_ = key_pair; | 60 result->key_pair_ = key_pair; |
59 result->required_client_domain_ = required_client_domain; | 61 result->required_client_domain_ = required_client_domain; |
60 result->token_validator_factory_ = token_validator_factory; | 62 result->token_validator_factory_ = token_validator_factory; |
61 return std::move(result); | 63 return std::move(result); |
62 } | 64 } |
63 | 65 |
64 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {} | 66 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {} |
65 | 67 |
66 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {} | 68 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {} |
67 | 69 |
68 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator( | 70 std::unique_ptr<Authenticator> |
| 71 Me2MeHostAuthenticatorFactory::CreateAuthenticator( |
69 const std::string& local_jid, | 72 const std::string& local_jid, |
70 const std::string& remote_jid) { | 73 const std::string& remote_jid) { |
71 | |
72 std::string remote_jid_prefix; | 74 std::string remote_jid_prefix; |
73 | 75 |
74 if (!use_service_account_) { | 76 if (!use_service_account_) { |
75 // JID prefixes may not match the host owner email, for example, in cases | 77 // JID prefixes may not match the host owner email, for example, in cases |
76 // where the host owner account does not have an email associated with it. | 78 // where the host owner account does not have an email associated with it. |
77 // In those cases, the only guarantee we have is that JIDs for the same | 79 // In those cases, the only guarantee we have is that JIDs for the same |
78 // account will have the same prefix. | 80 // account will have the same prefix. |
79 if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) { | 81 if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) { |
80 LOG(DFATAL) << "Invalid local JID:" << local_jid; | 82 LOG(DFATAL) << "Invalid local JID:" << local_jid; |
81 return make_scoped_ptr( | 83 return base::WrapUnique( |
82 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 84 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
83 } | 85 } |
84 } else { | 86 } else { |
85 // TODO(rmsousa): This only works for cases where the JID prefix matches | 87 // TODO(rmsousa): This only works for cases where the JID prefix matches |
86 // the host owner email. Figure out a way to verify the JID in other cases. | 88 // the host owner email. Figure out a way to verify the JID in other cases. |
87 remote_jid_prefix = host_owner_; | 89 remote_jid_prefix = host_owner_; |
88 } | 90 } |
89 | 91 |
90 // Verify that the client's jid is an ASCII string, and then check that the | 92 // Verify that the client's jid is an ASCII string, and then check that the |
91 // client JID has the expected prefix. Comparison is case insensitive. | 93 // client JID has the expected prefix. Comparison is case insensitive. |
92 if (!base::IsStringASCII(remote_jid) || | 94 if (!base::IsStringASCII(remote_jid) || |
93 !base::StartsWith(remote_jid, remote_jid_prefix + '/', | 95 !base::StartsWith(remote_jid, remote_jid_prefix + '/', |
94 base::CompareCase::INSENSITIVE_ASCII)) { | 96 base::CompareCase::INSENSITIVE_ASCII)) { |
95 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid | 97 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid |
96 << ": Prefix mismatch."; | 98 << ": Prefix mismatch."; |
97 return make_scoped_ptr( | 99 return base::WrapUnique( |
98 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 100 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
99 } | 101 } |
100 | 102 |
101 // If necessary, verify that the client's jid belongs to the correct domain. | 103 // If necessary, verify that the client's jid belongs to the correct domain. |
102 if (!required_client_domain_.empty()) { | 104 if (!required_client_domain_.empty()) { |
103 std::string client_username = remote_jid; | 105 std::string client_username = remote_jid; |
104 size_t pos = client_username.find('/'); | 106 size_t pos = client_username.find('/'); |
105 if (pos != std::string::npos) { | 107 if (pos != std::string::npos) { |
106 client_username.replace(pos, std::string::npos, ""); | 108 client_username.replace(pos, std::string::npos, ""); |
107 } | 109 } |
108 if (!base::EndsWith(client_username, | 110 if (!base::EndsWith(client_username, |
109 std::string("@") + required_client_domain_, | 111 std::string("@") + required_client_domain_, |
110 base::CompareCase::INSENSITIVE_ASCII)) { | 112 base::CompareCase::INSENSITIVE_ASCII)) { |
111 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid | 113 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid |
112 << ": Domain mismatch."; | 114 << ": Domain mismatch."; |
113 return make_scoped_ptr( | 115 return base::WrapUnique( |
114 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 116 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
115 } | 117 } |
116 } | 118 } |
117 | 119 |
118 if (!local_cert_.empty() && key_pair_.get()) { | 120 if (!local_cert_.empty() && key_pair_.get()) { |
119 std::string normalized_local_jid = NormalizeJid(local_jid); | 121 std::string normalized_local_jid = NormalizeJid(local_jid); |
120 std::string normalized_remote_jid = NormalizeJid(remote_jid); | 122 std::string normalized_remote_jid = NormalizeJid(remote_jid); |
121 | 123 |
122 if (token_validator_factory_) { | 124 if (token_validator_factory_) { |
123 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( | 125 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( |
124 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, | 126 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, |
125 token_validator_factory_); | 127 token_validator_factory_); |
126 } | 128 } |
127 | 129 |
128 return NegotiatingHostAuthenticator::CreateWithSharedSecret( | 130 return NegotiatingHostAuthenticator::CreateWithSharedSecret( |
129 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, | 131 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, |
130 pin_hash_, pairing_registry_); | 132 pin_hash_, pairing_registry_); |
131 } | 133 } |
132 | 134 |
133 return make_scoped_ptr( | 135 return base::WrapUnique( |
134 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 136 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
135 } | 137 } |
136 | 138 |
137 } // namespace protocol | 139 } // namespace protocol |
138 } // namespace remoting | 140 } // namespace remoting |
OLD | NEW |