Save the client base JID for authentication in case it differs from the email (for accounts non-Goo…

remoting/host/remoting_me2me_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements a standalone host process for Me2Me.
 
 #include <string>
 
 #include "base/at_exit.h"
 #include "base/bind.h"
@@ skipping 277 matching lines @@
   HostState state_;
 
   scoped_ptr<ConfigWatcher> config_watcher_;
 
   std::string host_id_;
   protocol::SharedSecretHash host_secret_hash_;
   scoped_refptr<RsaKeyPair> key_pair_;
   std::string oauth_refresh_token_;
   std::string serialized_config_;
   std::string host_owner_;
+  std::string host_owner_email_;
   bool use_service_account_;
   bool enable_vp9_;
   int64_t frame_recorder_buffer_size_;
 
   scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
   std::string host_domain_;
   bool host_username_match_required_;
   bool allow_nat_traversal_;
   bool allow_relay_;
   int min_udp_port_;
@@ skipping 554 matching lines @@
 
   if (config->GetString(kHostOwnerConfigPath, &host_owner_)) {
     // Service account configs have a host_owner, different from the xmpp_login.
     use_service_account_ = true;
   } else {
     // User credential configs only have an xmpp_login, which is also the owner.
     host_owner_ = xmpp_server_config_.username;
     use_service_account_ = false;
   }
 
+  // For non-Gmail Google accounts, the owner base JID differs from the email.
+  // host_owner_ contains the base JID (used for authenticating clients), while
+  // host_owner_email contains the account's email (used for UI and logs).
+  if (!config->GetString(kHostOwnerEmailConfigPath, &host_owner_email_)) {
+    host_owner_email_ = host_owner_;
+  }
+
   // Allow offering of VP9 encoding to be overridden by the command-line.
   if (CommandLine::ForCurrentProcess()->HasSwitch(kEnableVp9SwitchName)) {
     enable_vp9_ = true;
   } else {
     config->GetBoolean(kEnableVp9ConfigPath, &enable_vp9_);
   }
 
   // Allow the command-line to override the size of the frame recorder buffer.
   std::string frame_recorder_buffer_kb;
   if (CommandLine::ForCurrentProcess()->HasSwitch(
@@ skipping 37 matching lines @@
 
   if (state_ == HOST_INITIALIZING) {
     StartHost();
   } else if (state_ == HOST_STARTED && restart_required) {
     RestartHost();
   }
 }
 
 void HostProcess::ApplyHostDomainPolicy() {
   HOST_LOG << "Policy sets host domain: " << host_domain_;
+
+  // If the user does not have a Google email, their client JID will not be
+  // based on their email. In that case, the username/host domain policies would
+  // be meaningless, since there is no way to check that the JID attempting to
+  // connect actually corresponds to the owner email in question.
+  if (host_owner_ != host_owner_email_) {
+    LOG(ERROR) << "The username and host domain policies cannot be enabled for "
+               << "accounts with a non-Google email.";
+    ShutdownHost(kInvalidHostDomainExitCode);
+  }
+
   if (!host_domain_.empty() &&
       !EndsWith(host_owner_, std::string("@") + host_domain_, false)) {
     LOG(ERROR) << "The host domain does not match the policy.";
     ShutdownHost(kInvalidHostDomainExitCode);
   }
 }
 
 bool HostProcess::OnHostDomainPolicyUpdate(base::DictionaryValue* policies) {
   // Returns true if the host has to be restarted after this policy update.
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
 
   if (!policies->GetString(policy_hack::PolicyWatcher::kHostDomainPolicyName,
                           &host_domain_)) {
     return false;
   }
 
   ApplyHostDomainPolicy();
   return false;
 }
 
 void HostProcess::ApplyUsernamePolicy() {
+  // See comment in ApplyHostDomainPolicy.
+  if (host_owner_ != host_owner_email_) {
+    LOG(ERROR) << "The username and host domain policies cannot be enabled for "
+               << "accounts with a non-Google email.";
+    ShutdownHost(kUsernameMismatchExitCode);
+  }
+
   if (host_username_match_required_) {
     HOST_LOG << "Policy requires host username match.";
     std::string username = GetUsername();
     bool shutdown = username.empty() ||
         !StartsWithASCII(host_owner_, username + std::string("@"),
                          false);
 
 #if defined(OS_MACOSX)
     // On Mac, we run as root at the login screen, so the username won't match.
     // However, there's no need to enforce the policy at the login screen, as
@@ skipping 343 matching lines @@
   // Set up reporting the host status notifications.
 #if defined(REMOTING_MULTI_PROCESS)
   host_event_logger_.reset(
       new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get()));
 #else  // !defined(REMOTING_MULTI_PROCESS)
   host_event_logger_ =
       HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName);
 #endif  // !defined(REMOTING_MULTI_PROCESS)
 
   host_->SetEnableCurtaining(curtain_required_);
-  host_->Start(host_owner_);
+  host_->Start(host_owner_email_);
 
   CreateAuthenticatorFactory();
 }
 
 void HostProcess::OnAuthFailed() {
   ShutdownHost(kInvalidOauthCredentialsExitCode);
 }
 
 void HostProcess::RestartHost() {
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
@@ skipping 124 matching lines @@
   int exit_code = kSuccessExitCode;
   new HostProcess(context.Pass(), &exit_code);
 
   // Run the main (also UI) message loop until the host no longer needs it.
   message_loop.Run();
 
   return exit_code;
 }
 
 }  // namespace remoting