Validate origins when generating subdomain tokens

tools/origin_trials/generate_token.py

Index: tools/origin_trials/generate_token.py
diff --git a/tools/origin_trials/generate_token.py b/tools/origin_trials/generate_token.py
index a79f169234b01b78da36485504799b2302ae6c1a..f1c07a9d60bde1ee304d72f264297d375b8d0e26 100755
--- a/tools/origin_trials/generate_token.py
+++ b/tools/origin_trials/generate_token.py
@@ -86,6 +86,24 @@ def ExpiryFromArgs(args):
     return int(args.expire_timestamp)
   return (int(time.time()) + (int(args.expire_days) * 86400))
 
+def ValidateSubdomainTokenOrigin(origin):
+  """ Calls validate_subdomain_origin utility to check the origin
+
+  If the utility is not found, prints a warning for manual validation, and
+  returns True
+  """
+  utility_path = "bin/validate_subdomain_origin"

[iclelland, 2016/11/02 15:25:47]

How does this utility end up in a bin/ directory? I've tried running

ninja -c out/Default validate_subdomain_origin

and it builds, but it places the executable in my output directory, where the
script doesn't find it.

I don't think that the script should be in src/tools, since it's generated, but
maybe we could do something like what run-blink-tests does, and take a --target
parameter which points to the correct output directory (default to /out/Default,
but allow any other directory to be used)

[chasej, 2016/11/03 19:23:39]

I forgot to add instructions, but I just used a symbolic link (e.g. ln -s
path/to/out/Default/validate_subdomain_origin bin/validate_subdomain_origin).

Since the generate script is run manually, I thought a manual install step was
reasonable.

I do like your suggestion of --target parameter with a default. Changed to use
that approach.

+  if not os.path.exists(utility_path):
+    print "WARNING!"
+    print "Origin not validated for use in subdomain token"
+    print "  (missing '%s' utility)" % utility_path
+    print "Must manually check origin against the Public Suffix List"
+    print
+    return True
+
+  rc = os.system("%s %s >/dev/null 2>&1" % (utility_path, origin))
+  return rc == 0

[iclelland, 2016/11/02 15:25:47]

It is also possible for other non-zero status to be returned: I tried moving the
utility into a bin/ directory, and running it from there returns a 127 status,
as the shared libraries are not available (I built as a component build)

stderr there says "bin/validate_subdomain_origin: error while loading shared
libraries: libbase.so: cannot open shared object file: No such file or
directory"

Clearly my error, but the script silently interpreted this as "The specified
origin is not valid for use in a subdomain token." for every domain.

I think the simplest thing to do is to check for any out-of-bounds status here,
and sys.exit() with an error if we see one.

[chasej, 2016/11/03 19:23:39]

Done.

+
 def GenerateTokenData(origin, is_subdomain, feature_name, expiry):
   data = {"origin": origin,
           "feature": feature_name,
@@ -159,6 +177,12 @@ def main():
     print("Unable to use the specified private key file.")
     sys.exit(1)
 
+  # For subdomain tokens, validate that the origin is allowed
+  if args.is_subdomain:
+    if not ValidateSubdomainTokenOrigin(args.origin):
+      print "The specified origin is not valid for use in a subdomain token."
+      sys.exit(1)
+
   token_data = GenerateTokenData(args.origin, args.is_subdomain,
                                  args.trial_name, expiry)
   data_to_sign = GenerateDataToSign(VERSION, token_data)