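--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,158 +1,198 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/token_validator_base.h"
 
 #include <vector>
 
 #include "base/atomic_sequence_num.h"
+#include "base/memory/ptr_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/cert/x509_util.h"
+#include "net/ssl/client_cert_identity_test_util.h"
+#include "net/ssl/test_ssl_private_key.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 const char kTokenUrl[] = "https://example.com/token";
 const char kTokenValidationUrl[] = "https://example.com/validate";
 const char kTokenValidationCertIssuer[] = "*";
 
 base::StaticAtomicSequenceNumber g_serial_number;
 
-scoped_refptr<net::X509Certificate> CreateFakeCert(base::Time valid_start,
-base::Time valid_expiry) {
-std::unique_ptr<crypto::RSAPrivateKey> unused_key;
+std::unique_ptr<net::FakeClientCertIdentity> CreateFakeCert(
+base::Time valid_start,
+base::Time valid_expiry) {
+std::unique_ptr<crypto::RSAPrivateKey> rsa_private_key;
 std::string cert_der;
 net::x509_util::CreateKeyAndSelfSignedCert(
 "CN=subject", g_serial_number.GetNext(), valid_start, valid_expiry,
-&unused_key, &cert_der);
-return net::X509Certificate::CreateFromBytes(cert_der.data(),
-cert_der.size());
+&rsa_private_key, &cert_der);
+
+scoped_refptr<net::X509Certificate> cert =
+net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+if (!cert)
+return nullptr;
+
+scoped_refptr<net::SSLPrivateKey> ssl_private_key =
+net::WrapRSAPrivateKey(rsa_private_key.get());
+if (!ssl_private_key)
+return nullptr;
+
+return base::MakeUnique<net::FakeClientCertIdentity>(cert, ssl_private_key);
 }
 
 } // namespace
 
 namespace remoting {
 
 class TestTokenValidator : TokenValidatorBase {
 public:
 explicit TestTokenValidator(const ThirdPartyAuthConfig& config);
 ~TestTokenValidator() override;
 
-void SelectCertificates(net::CertificateList selected_certs);
+void SelectCertificates(net::ClientCertIdentityList selected_certs);
 
-void ExpectContinueWithCertificate(net::X509Certificate* client_cert);
+void ExpectContinueWithCertificate(
+const net::FakeClientCertIdentity* identity);
 
 protected:
-void ContinueWithCertificate(net::X509Certificate* client_cert,
-net::SSLPrivateKey* client_private_key) override;
+void ContinueWithCertificate(
+scoped_refptr<net::X509Certificate> client_cert,
+scoped_refptr<net::SSLPrivateKey> client_private_key) override;
 
 private:
 void StartValidateRequest(const std::string& token) override {}
 
 net::X509Certificate* expected_client_cert_ = nullptr;
+net::SSLPrivateKey* expected_private_key_ = nullptr;
 };
 
 TestTokenValidator::TestTokenValidator(const ThirdPartyAuthConfig& config) :
 TokenValidatorBase(config, "", nullptr) {
 }
 
 TestTokenValidator::~TestTokenValidator() {}
 
 void TestTokenValidator::SelectCertificates(
-net::CertificateList selected_certs) {
+net::ClientCertIdentityList selected_certs) {
 OnCertificatesSelected(nullptr, std::move(selected_certs));
 }
 
 void TestTokenValidator::ExpectContinueWithCertificate(
-net::X509Certificate* client_cert) {
-expected_client_cert_ = client_cert;
+const net::FakeClientCertIdentity* identity) {
+if (identity) {
+expected_client_cert_ = identity->certificate();
+expected_private_key_ = identity->ssl_private_key();
+} else {
+expected_client_cert_ = nullptr;
+expected_private_key_ = nullptr;
+}
 }
 
 void TestTokenValidator::ContinueWithCertificate(
-net::X509Certificate* client_cert,
-net::SSLPrivateKey* client_private_key) {
-EXPECT_EQ(expected_client_cert_, client_cert);
+scoped_refptr<net::X509Certificate> client_cert,
+scoped_refptr<net::SSLPrivateKey> client_private_key) {
+EXPECT_EQ(expected_client_cert_, client_cert.get());
+EXPECT_EQ(expected_private_key_, client_private_key.get());
 }
 
 class TokenValidatorBaseTest : public testing::Test {
 public:
 void SetUp() override;
 protected:
 std::unique_ptr<TestTokenValidator> token_validator_;
 };
 
 void TokenValidatorBaseTest::SetUp() {
 ThirdPartyAuthConfig config;
 config.token_url = GURL(kTokenUrl);
 config.token_validation_url = GURL(kTokenValidationUrl);
 config.token_validation_cert_issuer = kTokenValidationCertIssuer;
 token_validator_.reset(new TestTokenValidator(config));
 }
 
 TEST_F(TokenValidatorBaseTest, TestSelectCertificate) {
 base::Time now = base::Time::Now();
 
-scoped_refptr<net::X509Certificate> cert_expired_5_minutes_ago =
+std::unique_ptr<net::FakeClientCertIdentity> cert_expired_5_minutes_ago =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(10),
 now - base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_expired_5_minutes_ago);
 
-scoped_refptr<net::X509Certificate> cert_start_5min_expire_5min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_5min_expire_5min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(5),
 now + base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_start_5min_expire_5min);
 
-scoped_refptr<net::X509Certificate> cert_start_10min_expire_5min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_10min_expire_5min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(10),
 now + base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_start_10min_expire_5min);
 
-scoped_refptr<net::X509Certificate> cert_start_5min_expire_10min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_5min_expire_10min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(5),
 now + base::TimeDelta::FromMinutes(10));
 ASSERT_TRUE(cert_start_5min_expire_10min);
 
 // No certificate.
-net::CertificateList certificates {};
 token_validator_->ExpectContinueWithCertificate(nullptr);
-token_validator_->SelectCertificates(std::move(certificates));
-
+token_validator_->SelectCertificates(net::ClientCertIdentityList());
+{
 // One invalid certificate.
-certificates = { cert_expired_5_minutes_ago };
-token_validator_->ExpectContinueWithCertificate(nullptr);
-token_validator_->SelectCertificates(std::move(certificates));
-
-// One valid certificate.
-certificates = { cert_start_5min_expire_5min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// One valid one invalid.
-certificates = { cert_expired_5_minutes_ago, cert_start_5min_expire_5min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Two valid certs. Choose latest created.
-certificates = { cert_start_10min_expire_5min, cert_start_5min_expire_5min };
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+token_validator_->ExpectContinueWithCertificate(nullptr);
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// One valid certificate.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_5min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// One valid one invalid.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
 token_validator_->ExpectContinueWithCertificate(
 cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Two valid certs. Choose latest expires.
-certificates = { cert_start_5min_expire_5min, cert_start_5min_expire_10min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_10min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Pick the best given all certificates.
-certificates = { cert_expired_5_minutes_ago, cert_start_5min_expire_5min,
-cert_start_5min_expire_10min, cert_start_10min_expire_5min };
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Two valid certs. Choose latest created.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_10min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_5min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Two valid certs. Choose latest expires.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_10min->Copy());
 token_validator_->ExpectContinueWithCertificate(
 cert_start_5min_expire_10min.get());
-token_validator_->SelectCertificates(std::move(certificates));
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Pick the best given all certificates.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_10min->Copy());
+client_certs.push_back(cert_start_10min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_10min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
 }
 
 } // namespace remoting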
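Review bot: ContinueWithCertificate now compares the raw certificate and key pointers captured in ExpectContinueWithCertificate against whatever the selection hands back, but every list is filled with `Copy()` of the fixture identity, so the EXPECT_EQs only hold if Copy() shares the same underlying X509Certificate and SSLPrivateKey objects instead of duplicating them; that contract is not visible in this file, so a comment on the first push_back such as `// Copy() must share the certificate and key objects so the pointer comparison in ContinueWithCertificate holds.` would stop a future deep-copying Copy() from turning this into a confusing failure. In CreateFakeCert, `rsa_private_key` is destroyed when the function returns while the returned identity keeps `ssl_private_key`; if WrapRSAPrivateKey merely borrows the RSAPrivateKey the identity would dangle, so please confirm the helper takes its own reference and record it with `// WrapRSAPrivateKey holds its own reference to the key; rsa_private_key may go out of scope.`. The bool returned by CreateKeyAndSelfSignedCert is still ignored; the new `if (!cert)` guard presumably catches the empty-cert_der case indirectly, but checking the return value directly would fail at the point of the actual error. Every fixture certificate has a valid_start in the past, so a not-yet-valid certificate (valid_start after `now`) is never exercised; adding that case would pin down how the validator treats it alongside the expired one.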