Support service accounts in the chromoting host.

remoting/host/remoting_me2me_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements a standalone host process for Me2Me.
 
 #include <string>
 
 #include "base/at_exit.h"
 #include "base/bind.h"
@@ skipping 240 matching lines @@
   // Accessed on the network thread.
   HostState state_;
 
   scoped_ptr<ConfigFileWatcher> config_watcher_;
 
   std::string host_id_;
   protocol::SharedSecretHash host_secret_hash_;
   scoped_refptr<RsaKeyPair> key_pair_;
   std::string oauth_refresh_token_;
   std::string serialized_config_;
+  std::string host_owner_;
   std::string xmpp_login_;
+  bool use_service_account_;
   std::string xmpp_auth_token_;
   std::string xmpp_auth_service_;
   scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
   bool allow_nat_traversal_;
   std::string talkgadget_prefix_;
 
   bool curtain_required_;
   GURL token_url_;
   GURL token_validation_url_;
 
@@ skipping 14 matching lines @@
 #endif  // defined(REMOTING_MULTI_PROCESS)
 
   int* exit_code_out_;
   bool signal_parent_;
 };
 
 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
                          int* exit_code_out)
     : context_(context.Pass()),
       state_(HOST_INITIALIZING),
+      use_service_account_(false),
       allow_nat_traversal_(true),
       curtain_required_(false),
 #if defined(REMOTING_MULTI_PROCESS)
       desktop_session_connector_(NULL),
 #endif  // defined(REMOTING_MULTI_PROCESS)
       self_(this),
       exit_code_out_(exit_code_out),
       signal_parent_(false) {
   StartOnUiThread();
 }
@@ skipping 172 matching lines @@
   }
 
   // TODO(jamiewalch): Create a pairing registry here once all the code
   // is committed.
   scoped_refptr<remoting::protocol::PairingRegistry> pairing_registry = NULL;
 
   scoped_ptr<protocol::AuthenticatorFactory> factory;
 
   if (token_url_.is_empty() && token_validation_url_.is_empty()) {
     factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
-        local_certificate, key_pair_, host_secret_hash_, pairing_registry);
+        host_owner_, local_certificate, key_pair_, host_secret_hash_,
+        pairing_registry);
 
   } else if (token_url_.is_valid() && token_validation_url_.is_valid()) {
     scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
         token_validator_factory(new TokenValidatorFactoryImpl(
             token_url_, token_validation_url_, key_pair_,
             context_->url_request_context_getter()));
     factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
-        local_certificate, key_pair_, token_validator_factory.Pass());
+        host_owner_, local_certificate, key_pair_,
+        token_validator_factory.Pass());
 
   } else {
     // TODO(rmsousa): If the policy is bad the host should not go online. It
     // should keep running, but not connected, until the policies are fixed.
     // Having it show up as online and then reject all clients is misleading.
     LOG(ERROR) << "One of the third-party token URLs is empty or invalid. "
                << "Host will reject all clients until policies are corrected. "
                << "TokenUrl: " << token_url_ << ", "
                << "TokenValidationUrl: " << token_validation_url_;
     factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting();
@@ skipping 182 matching lines @@
   if (!oauth_refresh_token_.empty()) {
     xmpp_auth_token_ = "";  // This will be set to the access token later.
     xmpp_auth_service_ = "oauth2";
   } else if (!config->GetString(kXmppAuthServiceConfigPath,
                                 &xmpp_auth_service_)) {
     // For the me2me host, we default to ClientLogin token for chromiumsync
     // because earlier versions of the host had no HTTP stack with which to
     // request an OAuth2 access token.
     xmpp_auth_service_ = kChromotingTokenDefaultServiceName;
   }
+
+  if (config->GetString(kHostOwnerConfigPath, &host_owner_)) {
+    // Service account configs have a host_owner, different from the xmpp_login.
+    use_service_account_ = true;
+  } else {
+    // User credential configs only have an xmpp_login, which is also the owner.
+    host_owner_ = xmpp_login_;
+    use_service_account_ = false;
+  }
   return true;
 }
 
 void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) {
   // TODO(rmsousa): Consolidate all On*PolicyUpdate methods into this one.
   // TODO(sergeyu): Currently polices are verified only when they are loaded.
   // Separate policy loading from policy verifications - this will allow to
   // check policies again later, e.g. when host config changes.
 
   if (!context_->network_task_runner()->BelongsToCurrentThread()) {
@@ skipping 47 matching lines @@
   }
 }
 
 bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) {
   // Returns true if the host has to be restarted after this policy update.
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
 
   LOG(INFO) << "Policy sets host domain: " << host_domain;
 
   if (!host_domain.empty() &&
-      !EndsWith(xmpp_login_, std::string("@") + host_domain, false)) {
+      !EndsWith(host_owner_, std::string("@") + host_domain, false)) {
     ShutdownHost(kInvalidHostDomainExitCode);
   }
   return false;
 }
 
 bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required,
                                          bool host_username_match_required) {
   // Returns false: never restart the host after this policy update.
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
 
   if (host_username_match_required) {
     LOG(INFO) << "Policy requires host username match.";
     std::string username = GetUsername();
     bool shutdown = username.empty() ||
-        !StartsWithASCII(xmpp_login_, username + std::string("@"),
+        !StartsWithASCII(host_owner_, username + std::string("@"),
                          false);
 
 #if defined(OS_MACOSX)
     // On Mac, we run as root at the login screen, so the username won't match.
     // However, there's no need to enforce the policy at the login screen, as
     // the client will have to reconnect if a login occurs.
     if (shutdown && getuid() == 0) {
       shutdown = false;
     }
 #endif
@@ skipping 123 matching lines @@
 
   signaling_connector_.reset(new SignalingConnector(
       signal_strategy_.get(),
       context_->url_request_context_getter(),
       dns_blackhole_checker.Pass(),
       base::Bind(&HostProcess::OnAuthFailed, this)));
 
   if (!oauth_refresh_token_.empty()) {
     scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials(
         new SignalingConnector::OAuthCredentials(
-            xmpp_login_, oauth_refresh_token_));
+            xmpp_login_, oauth_refresh_token_, use_service_account_));
     signaling_connector_->EnableOAuth(oauth_credentials.Pass());
   }
 
   NetworkSettings network_settings(
       allow_nat_traversal_ ?
       NetworkSettings::NAT_TRAVERSAL_ENABLED :
       NetworkSettings::NAT_TRAVERSAL_DISABLED);
   if (!allow_nat_traversal_) {
     network_settings.min_port = NetworkSettings::kDefaultMinPort;
     network_settings.max_port = NetworkSettings::kDefaultMaxPort;
@@ skipping 30 matching lines @@
   // Set up repoting the host status notifications.
 #if defined(REMOTING_MULTI_PROCESS)
   host_event_logger_.reset(
       new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get()));
 #else  // !defined(REMOTING_MULTI_PROCESS)
   host_event_logger_ =
       HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName);
 #endif  // !defined(REMOTING_MULTI_PROCESS)
 
   host_->SetEnableCurtaining(curtain_required_);
-  host_->Start(xmpp_login_);
+  host_->Start(host_owner_);
 
   CreateAuthenticatorFactory();
 }
 
 void HostProcess::OnAuthFailed() {
   ShutdownHost(kInvalidOauthCredentialsExitCode);
 }
 
 void HostProcess::RestartHost() {
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
@@ skipping 110 matching lines @@
   return exit_code;
 }
 
 }  // namespace remoting
 
 #if !defined(OS_WIN)
 int main(int argc, char** argv) {
   return remoting::HostMain(argc, argv);
 }
 #endif  // !defined(OS_WIN)