
Side by Side Diff: remoting/protocol/me2me_host_authenticator_factory.cc

Issue 19796006: Support service accounts in the chromoting host. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 5 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "remoting/protocol/me2me_host_authenticator_factory.h" 5 #include "remoting/protocol/me2me_host_authenticator_factory.h"
6 6
7 #include "base/base64.h" 7 #include "base/base64.h"
8 #include "base/strings/string_util.h" 8 #include "base/strings/string_util.h"
9 #include "remoting/base/rsa_key_pair.h" 9 #include "remoting/base/rsa_key_pair.h"
10 #include "remoting/protocol/channel_authenticator.h" 10 #include "remoting/protocol/channel_authenticator.h"
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
54 54
55 protected: 55 protected:
56 State state_; 56 State state_;
57 }; 57 };
58 58
59 } // namespace 59 } // namespace
60 60
61 // static 61 // static
62 scoped_ptr<AuthenticatorFactory> 62 scoped_ptr<AuthenticatorFactory>
63 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( 63 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
64 const std::string& host_owner,
64 const std::string& local_cert, 65 const std::string& local_cert,
65 scoped_refptr<RsaKeyPair> key_pair, 66 scoped_refptr<RsaKeyPair> key_pair,
66 const SharedSecretHash& shared_secret_hash, 67 const SharedSecretHash& shared_secret_hash,
67 scoped_refptr<PairingRegistry> pairing_registry) { 68 scoped_refptr<PairingRegistry> pairing_registry) {
68 scoped_ptr<Me2MeHostAuthenticatorFactory> result( 69 scoped_ptr<Me2MeHostAuthenticatorFactory> result(
69 new Me2MeHostAuthenticatorFactory()); 70 new Me2MeHostAuthenticatorFactory());
71 result->host_owner_ = host_owner;
70 result->local_cert_ = local_cert; 72 result->local_cert_ = local_cert;
71 result->key_pair_ = key_pair; 73 result->key_pair_ = key_pair;
72 result->shared_secret_hash_ = shared_secret_hash; 74 result->shared_secret_hash_ = shared_secret_hash;
73 result->pairing_registry_ = pairing_registry; 75 result->pairing_registry_ = pairing_registry;
74 return scoped_ptr<AuthenticatorFactory>(result.Pass()); 76 return scoped_ptr<AuthenticatorFactory>(result.Pass());
75 } 77 }
76 78
77 79
78 // static 80 // static
79 scoped_ptr<AuthenticatorFactory> 81 scoped_ptr<AuthenticatorFactory>
80 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( 82 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
83 const std::string& host_owner,
81 const std::string& local_cert, 84 const std::string& local_cert,
82 scoped_refptr<RsaKeyPair> key_pair, 85 scoped_refptr<RsaKeyPair> key_pair,
83 scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory> 86 scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory>
84 token_validator_factory) { 87 token_validator_factory) {
85 scoped_ptr<Me2MeHostAuthenticatorFactory> result( 88 scoped_ptr<Me2MeHostAuthenticatorFactory> result(
86 new Me2MeHostAuthenticatorFactory()); 89 new Me2MeHostAuthenticatorFactory());
90 result->host_owner_ = host_owner;
87 result->local_cert_ = local_cert; 91 result->local_cert_ = local_cert;
88 result->key_pair_ = key_pair; 92 result->key_pair_ = key_pair;
89 result->token_validator_factory_ = token_validator_factory.Pass(); 93 result->token_validator_factory_ = token_validator_factory.Pass();
90 return scoped_ptr<AuthenticatorFactory>(result.Pass()); 94 return scoped_ptr<AuthenticatorFactory>(result.Pass());
91 } 95 }
92 96
93 // static 97 // static
94 scoped_ptr<AuthenticatorFactory> 98 scoped_ptr<AuthenticatorFactory>
95 Me2MeHostAuthenticatorFactory::CreateRejecting() { 99 Me2MeHostAuthenticatorFactory::CreateRejecting() {
96 return scoped_ptr<AuthenticatorFactory>(new Me2MeHostAuthenticatorFactory()); 100 return scoped_ptr<AuthenticatorFactory>(new Me2MeHostAuthenticatorFactory());
97 } 101 }
98 102
99 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() { 103 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {
100 } 104 }
101 105
102 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() { 106 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {
103 } 107 }
104 108
105 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator( 109 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
106 const std::string& local_jid, 110 const std::string& local_jid,
107 const std::string& remote_jid, 111 const std::string& remote_jid,
108 const buzz::XmlElement* first_message) { 112 const buzz::XmlElement* first_message) {
109 113
114 // TODO(rmsousa): Check that local JID is host owner or robot.
rmsousa 2013/07/23 21:50:21 I'm not even sure we want to do this. I think at t
Sergey Ulanov 2013/07/23 23:37:32 That's relevant not only in the enterprise case. A
110 size_t slash_pos = local_jid.find('/'); 115 size_t slash_pos = local_jid.find('/');
111 if (slash_pos == std::string::npos) { 116 if (slash_pos == std::string::npos) {
Sergey Ulanov 2013/07/23 23:37:32 I think you can remove this code now, because slas
112 LOG(DFATAL) << "Invalid local JID:" << local_jid; 117 LOG(DFATAL) << "Invalid local JID:" << local_jid;
113 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); 118 return scoped_ptr<Authenticator>(new RejectingAuthenticator());
114 } 119 }
115 120
116 // Verify that the client's jid is an ASCII string, and then check 121 // Verify that the client's jid is an ASCII string, and then check
117 // that the client has the same bare jid as the host, i.e. client's 122 // that the client has the same bare jid as the host, i.e. client's
118 // full JID starts with host's bare jid. Comparison is case 123 // full JID starts with host's bare jid. Comparison is case
119 // insensitive. 124 // insensitive.
120 if (!IsStringASCII(remote_jid) || 125 if (!IsStringASCII(remote_jid) ||
121 !StartsWithASCII(remote_jid, local_jid.substr(0, slash_pos + 1), false)) { 126 !StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
122 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid; 127 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
123 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); 128 return scoped_ptr<Authenticator>(new RejectingAuthenticator());
124 } 129 }
125 130
126 if (!local_cert_.empty() && key_pair_.get()) { 131 if (!local_cert_.empty() && key_pair_.get()) {
127 if (token_validator_factory_) { 132 if (token_validator_factory_) {
128 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( 133 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
129 local_cert_, key_pair_, 134 local_cert_, key_pair_,
130 token_validator_factory_->CreateTokenValidator( 135 token_validator_factory_->CreateTokenValidator(
131 local_jid, remote_jid)); 136 local_jid, remote_jid));
132 } 137 }
133 138
134 return NegotiatingHostAuthenticator::CreateWithSharedSecret( 139 return NegotiatingHostAuthenticator::CreateWithSharedSecret(
135 local_cert_, key_pair_, shared_secret_hash_.value, 140 local_cert_, key_pair_, shared_secret_hash_.value,
136 shared_secret_hash_.hash_function, pairing_registry_); 141 shared_secret_hash_.hash_function, pairing_registry_);
137 } 142 }
138 143
139 return scoped_ptr<Authenticator>(new RejectingAuthenticator()); 144 return scoped_ptr<Authenticator>(new RejectingAuthenticator());
140 } 145 }
141 146
142 } // namespace protocol 147 } // namespace protocol
143 } // namespace remoting 148 } // namespace remoting
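Review bot: The owner check in CreateAuthenticator now compares `remote_jid` against `host_owner_ + '/'`, but nothing visible here validates `host_owner_` itself. If either factory function is handed an empty `host_owner`, the prefix collapses to `"/"` and the comparison no longer ties the client to any account, leaving the shared-secret or third-party step as the only barrier. `IsStringASCII` is also applied only to `remote_jid`, while the case-insensitive `StartsWithASCII` comparison takes the unchecked `host_owner_` as its prefix. I would fail closed before the prefix check with `if (host_owner_.empty() || !IsStringASCII(host_owner_)) return scoped_ptr<Authenticator>(new RejectingAuthenticator());`, or enforce the same condition in CreateWithSharedSecret and CreateWithThirdPartyAuth. Whether the callers already guarantee a non-empty ASCII owner is not visible on this page.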