Cast audio only policy enforcement support.

extensions/browser/api/cast_channel/cast_socket.cc

Index: extensions/browser/api/cast_channel/cast_socket.cc
diff --git a/extensions/browser/api/cast_channel/cast_socket.cc b/extensions/browser/api/cast_channel/cast_socket.cc
index 0fc70cb3a2a4ca0904de31b0365e2b80b6213d2f..089ad4b1859b02a072e8f3be569814715eb6c166 100644
--- a/extensions/browser/api/cast_channel/cast_socket.cc
+++ b/extensions/browser/api/cast_channel/cast_socket.cc
@@ -53,6 +53,9 @@ const int kTcpKeepAliveDelaySecs = 10;
 
 const int kMaxSelfSignedCertLifetimeInDays = 2;
 
+const char kAudioOnlyPolicy[] =

[mark a. foltz, 2015/01/12 22:01:57]

This is an odd place to define a constant that is related to the certificate
contents.  cast_auth_util.cc would be better

[vadimgo, 2015/01/13 00:08:27]

Done.

+    {0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xD6, 0x79, 0x02, 0x05, 0x02};
+
 std::string FormatTimeForLogging(base::Time time) {
   base::Time::Exploded exploded;
   time.UTCExplode(&exploded);
@@ -101,6 +104,7 @@ CastSocketImpl::CastSocketImpl(const std::string& owner_extension_id,
       connect_timeout_(timeout),
       connect_timeout_timer_(new base::OneShotTimer<CastSocketImpl>),
       is_canceled_(false),
+      has_video_out_(true),
       connect_state_(proto::CONN_STATE_NONE),
       error_state_(CHANNEL_ERROR_NONE),
       ready_state_(READY_STATE_NONE) {
@@ -137,6 +141,10 @@ void CastSocketImpl::set_id(int id) {
   channel_id_ = id;
 }
 
+void CastSocketImpl::set_has_video_out(bool has_video_out) {
+  has_video_out_ = has_video_out;
+}
+
 ChannelAuthType CastSocketImpl::channel_auth() const {
   return channel_auth_;
 }
@@ -218,10 +226,19 @@ bool CastSocketImpl::ExtractPeerCert(std::string* cert) {
 
 bool CastSocketImpl::VerifyChallengeReply() {
   AuthResult result = AuthenticateChallengeReply(*challenge_reply_, peer_cert_);
+  logger_->LogSocketChallengeReplyEvent(channel_id_, result);
   if (result.success()) {
     VLOG(1) << result.error_message;
+    if (has_video_out_) {

[mark a. foltz, 2015/01/12 22:01:57]

if (HasCapability(VIDEO_OUT) && result.HasPolicy(AuthResult::AUDIO_ONLY_POLICY))
{ ... }

[mark a. foltz, 2015/01/12 22:01:57]

Slightly prefer to capture policy enforcement in its own method:

CastSocketImpl::EnforceConnectionPolicy(result);

[vadimgo, 2015/01/13 00:08:27]

Done.

+      if (result.client_auth_certificate.find(kAudioOnlyPolicy) !=
+          std::string::npos) {
+        // The device claims to have a video out capability, but the certificate
+        // contains audio only policy.
+        LOG(ERROR) << "Audio only policy enforced";

[mark a. foltz, 2015/01/12 22:01:57]

Please add an event to logging.proto and log it here so we capture the reason
the authenication failed.

Perhaps the call to LogSocketChallengeReplyEvent on success could be moved after
this block and instead we LogSocketChallengeReplyEvent here with a different
code on error.

[vadimgo, 2015/01/13 00:08:27]

Done.

+        return false;
+      }
+    }
   }
-  logger_->LogSocketChallengeReplyEvent(channel_id_, result);
   return result.success();
 }