Add support for multiple allowed domains

remoting/host/it2me/it2me_host.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/it2me/it2me_host.h"
 
 #include <cstdint>
 #include <memory>
 #include <string>
 #include <utility>
@@ skipping 162 matching lines @@
   }
 
   // Check the host domain policy.
   if (!required_host_domain_.empty() &&
       !base::EndsWith(username_, std::string("@") + required_host_domain_,
                       base::CompareCase::INSENSITIVE_ASCII)) {
     SetState(kInvalidDomainError, "");
     return;
   }
 
+  if (!required_host_domain_list_.empty()) {
+    bool matched = false;
+    for (const std::string& domain : required_client_domain_list_) {
+      if (base::EndsWith(username_, std::string("@") + domain,
+                         base::CompareCase::INSENSITIVE_ASCII)) {
+        matched = true;
+        break;
+      }
+    }
+    if (!matched) {
+      SetState(kInvalidDomainError, "");
+      return;
+    }
+  }
+
   // Generate a key pair for the Host to use.
   // TODO(wez): Move this to the worker thread.
   host_key_pair_ = RsaKeyPair::Generate();
 
   // Request registration of the host for support.
   std::unique_ptr<RegisterSupportHostRequest> register_request(
       new RegisterSupportHostRequest(
           signal_strategy_.get(), host_key_pair_, directory_bot_jid_,
           base::Bind(&It2MeHost::OnReceivedSupportID, base::Unretained(this))));
 
@@ skipping 121 matching lines @@
 
   bool nat_policy;
   if (policies->GetBoolean(policy::key::kRemoteAccessHostFirewallTraversal,
                            &nat_policy)) {
     UpdateNatPolicy(nat_policy);
   }
   std::string host_domain;
   if (policies->GetString(policy::key::kRemoteAccessHostDomain, &host_domain)) {
     UpdateHostDomainPolicy(host_domain);
   }
+  const base::ListValue* host_domain_list;
+  if (policies->GetList(policy::key::kRemoteAccessHostDomainList,
+                        &host_domain_list)) {
+    std::vector<std::string> host_domain_list_vector;
+    for (const auto& value : *host_domain_list) {
+      const base::StringValue* domain;
+      if(!value->GetAsString(&domain)) {
+        // Should be prevented by policy validation
+        DCHECK(false);
+        continue;
+      }
+      host_domain_list_vector.push_back(domain->GetString());
+    }
+    UpdateHostDomainListPolicy(std::move(host_domain_list_vector));
+  }
   std::string client_domain;
   if (policies->GetString(policy::key::kRemoteAccessHostClientDomain,
                           &client_domain)) {
     UpdateClientDomainPolicy(client_domain);
   }
+  const base::ListValue* client_domain_list;
+  if (policies->GetList(policy::key::kRemoteAccessHostClientDomainList,
+                        &client_domain_list)) {
+    std::vector<std::string> client_domain_list_vector;
+    for (const auto& value : *client_domain_list) {
+      const base::StringValue* domain;
+      if(!value->GetAsString(&domain)) {
+        // Should be prevented by policy validation
+        DCHECK(false);
+        continue;
+      }
+      client_domain_list_vector.push_back(domain->GetString());
+    }
+    UpdateClientDomainListPolicy(std::move(client_domain_list_vector));
+  }
 
   policy_received_ = true;
 
   if (!pending_connect_.is_null()) {
     base::ResetAndReturn(&pending_connect_).Run();
   }
 }
 
 void It2MeHost::OnPolicyError() {
   // TODO(lukasza): Report the policy error to the user.  crbug.com/433009
@@ skipping 25 matching lines @@
   VLOG(2) << "UpdateHostDomainPolicy: " << host_domain;
 
   // When setting a host domain policy, force disconnect any existing session.
   if (!host_domain.empty() && IsRunning()) {
     DisconnectOnNetworkThread();
   }
 
   required_host_domain_ = host_domain;
 }
 
+void It2MeHost::UpdateHostDomainListPolicy(
+    std::vector<std::string> host_domain_list) {
+  DCHECK(host_context_->network_task_runner()->BelongsToCurrentThread());
+
+  VLOG(2) << "UpdateHostDomainListPolicy: "
+          << base::JoinString(host_domain_list, ", ");
+
+  // When setting a host domain policy, force disconnect any existing session.
+  if (!host_domain_list.empty() && IsRunning()) {
+    DisconnectOnNetworkThread();
+  }
+
+  required_host_domain_list_ = std::move(host_domain_list);
+}
+
 void It2MeHost::UpdateClientDomainPolicy(const std::string& client_domain) {
   DCHECK(host_context_->network_task_runner()->BelongsToCurrentThread());
 
   VLOG(2) << "UpdateClientDomainPolicy: " << client_domain;
 
   // When setting a client  domain policy, disconnect any existing session.
   if (!client_domain.empty() && IsRunning()) {
     DisconnectOnNetworkThread();
   }
 
   required_client_domain_ = client_domain;
 }
 
+void It2MeHost::UpdateClientDomainListPolicy(
+    std::vector<std::string> client_domain_list) {
+  DCHECK(host_context_->network_task_runner()->BelongsToCurrentThread());
+
+  VLOG(2) << "UpdateClientDomainListPolicy: "
+          << base::JoinString(client_domain_list, ", ");
+
+  // When setting a client domain policy, disconnect any existing session.
+  if (!client_domain_list.empty() && IsRunning()) {
+    DisconnectOnNetworkThread();
+  }
+
+  required_client_domain_list_ = std::move(client_domain_list);
+}
+
 void It2MeHost::SetState(It2MeHostState state,
                          const std::string& error_message) {
   DCHECK(host_context_->network_task_runner()->BelongsToCurrentThread());
 
   switch (state_) {
     case kDisconnected:
       DCHECK(state == kStarting ||
              state == kError) << state;
       break;
     case kStarting:
@@ skipping 113 matching lines @@
                         std::string("@") + required_client_domain_,
                         base::CompareCase::INSENSITIVE_ASCII)) {
       LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
                  << ": Domain mismatch.";
       result_callback.Run(ValidationResult::ERROR_INVALID_ACCOUNT);
       DisconnectOnNetworkThread();
       return;
     }
   }
 
+  if (!required_client_domain_list_.empty()) {
+    bool matched = false;
+    for (const std::string& domain : required_client_domain_list_) {
+      if (base::EndsWith(client_username, std::string("@") + domain,
+                         base::CompareCase::INSENSITIVE_ASCII)) {
+        matched = true;
+        break;
+      }
+    }
+    if (!matched) {
+      LOG(ERROR) << "Rejecting incoming connection from " << remote_jid
+                 << ": Domain not allowed.";
+      result_callback.Run(ValidationResult::ERROR_INVALID_ACCOUNT);
+      DisconnectOnNetworkThread();
+      return;
+    }
+  }
+
   HOST_LOG << "Client " << client_username << " connecting.";
   SetState(kConnecting, std::string());
 
   // Show a confirmation dialog to the user to allow them to confirm/reject it.
   confirmation_dialog_proxy_.reset(new It2MeConfirmationDialogProxy(
       host_context_->ui_task_runner(), std::move(confirmation_dialog_)));
 
   confirmation_dialog_proxy_->Show(
       client_username, base::Bind(&It2MeHost::OnConfirmationResult,
                                   base::Unretained(this), result_callback));
@@ skipping 30 matching lines @@
   DCHECK(context->ui_task_runner()->BelongsToCurrentThread());
 
   std::unique_ptr<PolicyWatcher> policy_watcher =
       PolicyWatcher::Create(policy_service, context->file_task_runner());
   return new It2MeHost(std::move(context), std::move(policy_watcher),
                        It2MeConfirmationDialog::Create(), observer,
                        std::move(signal_strategy), username, directory_bot_jid);
 }
 
 }  // namespace remoting