| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "remoting/protocol/me2me_host_authenticator_factory.h" | 5 #include "remoting/protocol/me2me_host_authenticator_factory.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/memory/ptr_util.h" | 10 #include "base/memory/ptr_util.h" |
| 11 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
| 12 #include "remoting/base/rsa_key_pair.h" | 12 #include "remoting/base/rsa_key_pair.h" |
| 13 #include "remoting/protocol/channel_authenticator.h" | 13 #include "remoting/protocol/channel_authenticator.h" |
| 14 #include "remoting/protocol/negotiating_host_authenticator.h" | 14 #include "remoting/protocol/negotiating_host_authenticator.h" |
| 15 #include "remoting/protocol/rejecting_authenticator.h" | 15 #include "remoting/protocol/rejecting_authenticator.h" |
| 16 #include "remoting/protocol/token_validator.h" | 16 #include "remoting/protocol/token_validator.h" |
| 17 #include "remoting/signaling/jid_util.h" | 17 #include "remoting/signaling/jid_util.h" |
| 18 #include "third_party/libjingle_xmpp/xmllite/xmlelement.h" | 18 #include "third_party/libjingle_xmpp/xmllite/xmlelement.h" |
| 19 | 19 |
| 20 namespace remoting { | 20 namespace remoting { |
| 21 namespace protocol { | 21 namespace protocol { |
| 22 | 22 |
| 23 // static | 23 // static |
| 24 std::unique_ptr<AuthenticatorFactory> | 24 std::unique_ptr<AuthenticatorFactory> |
| 25 Me2MeHostAuthenticatorFactory::CreateWithPin( | 25 Me2MeHostAuthenticatorFactory::CreateWithPin( |
| 26 bool use_service_account, | 26 bool use_service_account, |
| 27 const std::string& host_owner, | 27 const std::string& host_owner, |
| 28 const std::string& local_cert, | 28 const std::string& local_cert, |
| 29 scoped_refptr<RsaKeyPair> key_pair, | 29 scoped_refptr<RsaKeyPair> key_pair, |
| 30 const std::string& required_client_domain, | 30 std::vector<std::string> required_client_domain_list, |
| 31 const std::string& pin_hash, | 31 const std::string& pin_hash, |
| 32 scoped_refptr<PairingRegistry> pairing_registry) { | 32 scoped_refptr<PairingRegistry> pairing_registry) { |
| 33 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( | 33 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( |
| 34 new Me2MeHostAuthenticatorFactory()); | 34 new Me2MeHostAuthenticatorFactory()); |
| 35 result->use_service_account_ = use_service_account; | 35 result->use_service_account_ = use_service_account; |
| 36 result->host_owner_ = host_owner; | 36 result->host_owner_ = host_owner; |
| 37 result->local_cert_ = local_cert; | 37 result->local_cert_ = local_cert; |
| 38 result->key_pair_ = key_pair; | 38 result->key_pair_ = key_pair; |
| 39 result->required_client_domain_ = required_client_domain; | 39 result->required_client_domain_list_ = std::move(required_client_domain_list); |
| 40 result->pin_hash_ = pin_hash; | 40 result->pin_hash_ = pin_hash; |
| 41 result->pairing_registry_ = pairing_registry; | 41 result->pairing_registry_ = pairing_registry; |
| 42 return std::move(result); | 42 return std::move(result); |
| 43 } | 43 } |
| 44 | 44 |
| 45 | 45 |
| 46 // static | 46 // static |
| 47 std::unique_ptr<AuthenticatorFactory> | 47 std::unique_ptr<AuthenticatorFactory> |
| 48 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( | 48 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
| 49 bool use_service_account, | 49 bool use_service_account, |
| 50 const std::string& host_owner, | 50 const std::string& host_owner, |
| 51 const std::string& local_cert, | 51 const std::string& local_cert, |
| 52 scoped_refptr<RsaKeyPair> key_pair, | 52 scoped_refptr<RsaKeyPair> key_pair, |
| 53 const std::string& required_client_domain, | 53 std::vector<std::string> required_client_domain_list, |
| 54 scoped_refptr<TokenValidatorFactory> token_validator_factory) { | 54 scoped_refptr<TokenValidatorFactory> token_validator_factory) { |
| 55 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( | 55 std::unique_ptr<Me2MeHostAuthenticatorFactory> result( |
| 56 new Me2MeHostAuthenticatorFactory()); | 56 new Me2MeHostAuthenticatorFactory()); |
| 57 result->use_service_account_ = use_service_account; | 57 result->use_service_account_ = use_service_account; |
| 58 result->host_owner_ = host_owner; | 58 result->host_owner_ = host_owner; |
| 59 result->local_cert_ = local_cert; | 59 result->local_cert_ = local_cert; |
| 60 result->key_pair_ = key_pair; | 60 result->key_pair_ = key_pair; |
| 61 result->required_client_domain_ = required_client_domain; | 61 result->required_client_domain_list_ = std::move(required_client_domain_list); |
| 62 result->token_validator_factory_ = token_validator_factory; | 62 result->token_validator_factory_ = token_validator_factory; |
| 63 return std::move(result); | 63 return std::move(result); |
| 64 } | 64 } |
| 65 | 65 |
| 66 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {} | 66 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {} |
| 67 | 67 |
| 68 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {} | 68 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {} |
| 69 | 69 |
| 70 std::unique_ptr<Authenticator> | 70 std::unique_ptr<Authenticator> |
| 71 Me2MeHostAuthenticatorFactory::CreateAuthenticator( | 71 Me2MeHostAuthenticatorFactory::CreateAuthenticator( |
| (...skipping 22 matching lines...) Expand all Loading... |
| 94 if (!base::IsStringASCII(remote_jid) || | 94 if (!base::IsStringASCII(remote_jid) || |
| 95 !base::StartsWith(remote_jid, remote_jid_prefix + '/', | 95 !base::StartsWith(remote_jid, remote_jid_prefix + '/', |
| 96 base::CompareCase::INSENSITIVE_ASCII)) { | 96 base::CompareCase::INSENSITIVE_ASCII)) { |
| 97 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid | 97 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid |
| 98 << ": Prefix mismatch. Expected: " << remote_jid_prefix; | 98 << ": Prefix mismatch. Expected: " << remote_jid_prefix; |
| 99 return base::WrapUnique( | 99 return base::WrapUnique( |
| 100 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 100 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
| 101 } | 101 } |
| 102 | 102 |
| 103 // If necessary, verify that the client's jid belongs to the correct domain. | 103 // If necessary, verify that the client's jid belongs to the correct domain. |
| 104 if (!required_client_domain_.empty()) { | 104 if (!required_client_domain_list_.empty()) { |
| 105 std::string client_username = remote_jid; | 105 std::string client_username = remote_jid; |
| 106 size_t pos = client_username.find('/'); | 106 size_t pos = client_username.find('/'); |
| 107 if (pos != std::string::npos) { | 107 if (pos != std::string::npos) { |
| 108 client_username.replace(pos, std::string::npos, ""); | 108 client_username.replace(pos, std::string::npos, ""); |
| 109 } | 109 } |
| 110 if (!base::EndsWith(client_username, | 110 bool matched = false; |
| 111 std::string("@") + required_client_domain_, | 111 for (const std::string& domain : required_client_domain_list_) { |
| 112 base::CompareCase::INSENSITIVE_ASCII)) { | 112 if (base::EndsWith(client_username, std::string("@") + domain, |
| 113 base::CompareCase::INSENSITIVE_ASCII)) { |
| 114 matched = true; |
| 115 break; |
| 116 } |
| 117 } |
| 118 if (!matched) { |
| 113 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid | 119 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid |
| 114 << ": Domain mismatch."; | 120 << ": Domain not allowed."; |
| 115 return base::WrapUnique( | 121 return base::MakeUnique<RejectingAuthenticator>( |
| 116 new RejectingAuthenticator(Authenticator::INVALID_ACCOUNT)); | 122 Authenticator::INVALID_ACCOUNT); |
| 117 } | 123 } |
| 118 } | 124 } |
| 119 | 125 |
| 120 if (!local_cert_.empty() && key_pair_.get()) { | 126 if (!local_cert_.empty() && key_pair_.get()) { |
| 121 std::string normalized_local_jid = NormalizeJid(local_jid); | 127 std::string normalized_local_jid = NormalizeJid(local_jid); |
| 122 std::string normalized_remote_jid = NormalizeJid(remote_jid); | 128 std::string normalized_remote_jid = NormalizeJid(remote_jid); |
| 123 | 129 |
| 124 if (token_validator_factory_) { | 130 if (token_validator_factory_) { |
| 125 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( | 131 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth( |
| 126 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, | 132 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, |
| 127 token_validator_factory_); | 133 token_validator_factory_); |
| 128 } | 134 } |
| 129 | 135 |
| 130 return NegotiatingHostAuthenticator::CreateWithSharedSecret( | 136 return NegotiatingHostAuthenticator::CreateWithSharedSecret( |
| 131 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, | 137 normalized_local_jid, normalized_remote_jid, local_cert_, key_pair_, |
| 132 pin_hash_, pairing_registry_); | 138 pin_hash_, pairing_registry_); |
| 133 } | 139 } |
| 134 | 140 |
| 135 return base::WrapUnique( | 141 return base::WrapUnique( |
| 136 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); | 142 new RejectingAuthenticator(Authenticator::INVALID_CREDENTIALS)); |
| 137 } | 143 } |
| 138 | 144 |
| 139 } // namespace protocol | 145 } // namespace protocol |
| 140 } // namespace remoting | 146 } // namespace remoting |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2682473003:
Add support for multiple allowed domains (Closed)
