Support service accounts in the chromoting host.

remoting/protocol/me2me_host_authenticator_factory.cc

Index: remoting/protocol/me2me_host_authenticator_factory.cc
diff --git a/remoting/protocol/me2me_host_authenticator_factory.cc b/remoting/protocol/me2me_host_authenticator_factory.cc
index d0deff1f5574e8d259404edd4718365b6f767f08..f0a369fb7217de1b02e4fafbe87dc76548a0968a 100644
--- a/remoting/protocol/me2me_host_authenticator_factory.cc
+++ b/remoting/protocol/me2me_host_authenticator_factory.cc
@@ -61,12 +61,14 @@ class RejectingAuthenticator : public Authenticator {
 // static
 scoped_ptr<AuthenticatorFactory>
 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
+    const std::string& host_owner,
     const std::string& local_cert,
     scoped_refptr<RsaKeyPair> key_pair,
     const SharedSecretHash& shared_secret_hash,
     scoped_refptr<PairingRegistry> pairing_registry) {
   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
       new Me2MeHostAuthenticatorFactory());
+  result->host_owner_ = host_owner;
   result->local_cert_ = local_cert;
   result->key_pair_ = key_pair;
   result->shared_secret_hash_ = shared_secret_hash;
@@ -78,12 +80,14 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
 // static
 scoped_ptr<AuthenticatorFactory>
 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
+    const std::string& host_owner,
     const std::string& local_cert,
     scoped_refptr<RsaKeyPair> key_pair,
     scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory>
         token_validator_factory) {
   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
       new Me2MeHostAuthenticatorFactory());
+  result->host_owner_ = host_owner;
   result->local_cert_ = local_cert;
   result->key_pair_ = key_pair;
   result->token_validator_factory_ = token_validator_factory.Pass();
@@ -107,6 +111,7 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
     const std::string& remote_jid,
     const buzz::XmlElement* first_message) {
 
+  // TODO(rmsousa): Check that local JID is host owner or robot.

[rmsousa, 2013/07/23 21:50:21]

I'm not even sure we want to do this. I think at the end of the day, as long as
both policy checks and connection checks are performed against the host owner
(i.e. enterprises can control *who can connect* to the host), the JID with which
the host is connected is pretty much irrelevant. It's just a communication
channel.

[Sergey Ulanov, 2013/07/23 23:37:32]

That's relevant not only in the enterprise case. All users would want to control
who has access to the host.
I agree - there is no reason host will need to validate local_jid here. 

   size_t slash_pos = local_jid.find('/');
   if (slash_pos == std::string::npos) {

[Sergey Ulanov, 2013/07/23 23:37:32]

I think you can remove this code now, because slash_pos is no longer used.

     LOG(DFATAL) << "Invalid local JID:" << local_jid;
@@ -118,7 +123,7 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
   // full JID starts with host's bare jid. Comparison is case
   // insensitive.
   if (!IsStringASCII(remote_jid) ||
-      !StartsWithASCII(remote_jid, local_jid.substr(0, slash_pos + 1), false)) {
+      !StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
     LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
     return scoped_ptr<Authenticator>(new RejectingAuthenticator());
   }