remoting/host/third_party_auth_config.cc - Issue 966433002: Malformed PortRange or ThirdPartyAuthConfig trigger OnPolicyError.

Side by Side Diff: remoting/host/third_party_auth_config.cc

Issue 966433002: Malformed PortRange or ThirdPartyAuthConfig trigger OnPolicyError. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressed code review feedback from Sergey. Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "remoting/host/third_party_auth_config.h"

	6

	7 #include "base/logging.h"

	8 #include "base/values.h"

	9 #include "policy/policy_constants.h"

	10

	11 namespace remoting {

	12

	13 namespace {

	14

	15 bool ParseUrlPolicy(const std::string& str, GURL* out) {

	16 if (str.empty()) {

	17 *out = GURL();

	18 return true;

	19 }

	20

	21 GURL gurl(str);

	22 if (!gurl.is_valid()) {

	23 LOG(ERROR) << "Not a valid URL: " << str;

	24 return false;

	25 }

	26 if (!gurl.SchemeIsSecure()) {

	27 LOG(ERROR) << "Not a secure URL: " << str;
	rmsousa 2015/02/27 23:56:14 was this a security requirement? can we make it re was this a security requirement? can we make it release only? Or at least make it secure _or localhost_? This adds a lot of trouble when testing authentication services locally (one will have to create a root CA, add it as trusted in their system, and manually override the http server to set up https with that CA when running locally). Łukasz Anforowicz 2015/03/02 17:34:47 Not an official security requirement - this is jus Show quoted text On 2015/02/27 23:56:14, rmsousa wrote: > was this a security requirement? can we make it release only? Or at least make > it secure _or localhost_? This adds a lot of trouble when testing authentication > services locally (one will have to create a root CA, add it as trusted in their > system, and manually override the http server to set up https with that CA when > running locally). Not an official security requirement - this is just me, making up extra checks that might catch issues in policy configs in the wild. Let's make it release only.
	28 return false;

	29 }

	30

	31 *out = gurl;

	32 return true;

	33 }

	34

	35 } // namespace

	36

	37 bool ThirdPartyAuthConfig::Parse(

	38 const std::string& token_url,

	39 const std::string& token_validation_url,

	40 const std::string& token_validation_cert_issuer,

	41 ThirdPartyAuthConfig* result) {

	42 ThirdPartyAuthConfig tmp;

	43

	44 // Extract raw values for the 3 individial fields.
	rmsousa 2015/02/27 23:56:14 nit: individual nit: individual Łukasz Anforowicz 2015/03/02 17:34:47 Done. Show quoted text On 2015/02/27 23:56:14, rmsousa wrote: > nit: individual Done.
	45 bool urls_valid = true;

	46 urls_valid &= ParseUrlPolicy(token_url, &tmp.token_url);

	47 urls_valid &= ParseUrlPolicy(token_validation_url, &tmp.token_validation_url);

	48 if (!urls_valid) {

	49 return false;

	50 }

	51 tmp.token_validation_cert_issuer = token_validation_cert_issuer;

	52

	53 // Validate inter-dependencies between the 3 fields.

	54 if (tmp.token_url.is_empty() ^ tmp.token_validation_url.is_empty()) {

	55 LOG(ERROR) << "TokenUrl and TokenValidationUrl "

	56 << "have to be specified together.";

	57 return false;

	58 }

	59 if (!tmp.token_validation_cert_issuer.empty() && tmp.token_url.is_empty()) {

	60 LOG(ERROR) << "TokenValidationCertificateIssuer cannot be used "

	61 << "without TokenUrl and TokenValidationUrl.";

	62 return false;

	63 }

	64

	65 *result = tmp;

	66 return true;

	67 }

	68

	69 namespace {

	70

	71 void ExtractHelper(const base::DictionaryValue& policy_dict,

	72 const std::string& policy_name,

	73 bool* policy_present,

	74 std::string* policy_value) {

	75 if (policy_dict.GetString(policy_name, policy_value)) {

	76 *policy_present = true;

	77 } else {

	78 policy_value->clear();

	79 }

	80 }

	81

	82 } // namespace

	83

	84 bool ThirdPartyAuthConfig::ExtractPolicyValues(

	85 const base::DictionaryValue& policy_dict,

	86 std::string* token_url,

	87 std::string* token_validation_url,

	88 std::string* token_validation_cert_issuer) {

	89 bool policies_present = false;

	90 ExtractHelper(policy_dict, policy::key::kRemoteAccessHostTokenUrl,

	91 &policies_present, token_url);

	92 ExtractHelper(policy_dict, policy::key::kRemoteAccessHostTokenValidationUrl,

	93 &policies_present, token_validation_url);

	94 ExtractHelper(policy_dict,

	95 policy::key::kRemoteAccessHostTokenValidationCertificateIssuer,

	96 &policies_present, token_validation_cert_issuer);

	97 return policies_present;

	98 }

	99

	100 std::ostream& operator<<(std::ostream& os, const ThirdPartyAuthConfig& cfg) {

	101 if (cfg.is_null()) {

	102 os << "<no 3rd party auth config specified>";

	103 } else {

	104 os << "TokenUrl = " << cfg.token_url << ", ";
	rmsousa 2015/02/27 23:56:14 super nit: enclose in <> as well? super nit: enclose in <> as well? Łukasz Anforowicz 2015/03/02 17:34:47 Done. Show quoted text On 2015/02/27 23:56:14, rmsousa wrote: > super nit: enclose in <> as well? Done.
	105 os << "TokenValidationUrl = " << cfg.token_validation_url << ", ";

	106 os << "TokenValidationCertificateIssuer = "

	107 << cfg.token_validation_cert_issuer;

	108 }

	109 return os;

	110 }

	111

	112 } // namespace remoting

OLD	NEW

« remoting/host/third_party_auth_config.h ('K') | « remoting/host/third_party_auth_config.h ('k') | remoting/host/third_party_auth_config_unittest.cc » ('j') | no next file with comments »