Commit b4e6a31a authored by rmsousa@chromium.org's avatar rmsousa@chromium.org

Fix JID checking for cases where the user account does not have a Google email associated with it.

BUG=333464

Review URL: https://codereview.chromium.org/134523007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@244361 0039d316-1c4b-4281-b951-d872f2087c98
parent db46e8a9
......@@ -516,8 +516,8 @@ void HostProcess::CreateAuthenticatorFactory() {
if (token_url_.is_empty() && token_validation_url_.is_empty()) {
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
host_owner_, local_certificate, key_pair_, host_secret_hash_,
pairing_registry);
use_service_account_, host_owner_, local_certificate, key_pair_,
host_secret_hash_, pairing_registry);
} else if (token_url_.is_valid() && token_validation_url_.is_valid()) {
scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
......@@ -525,7 +525,7 @@ void HostProcess::CreateAuthenticatorFactory() {
token_url_, token_validation_url_, key_pair_,
context_->url_request_context_getter()));
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
host_owner_, local_certificate, key_pair_,
use_service_account_, host_owner_, local_certificate, key_pair_,
token_validator_factory.Pass());
} else {
......
......@@ -61,6 +61,7 @@ class RejectingAuthenticator : public Authenticator {
// static
scoped_ptr<AuthenticatorFactory>
Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
bool use_service_account,
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
......@@ -68,6 +69,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
scoped_refptr<PairingRegistry> pairing_registry) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
new Me2MeHostAuthenticatorFactory());
result->use_service_account_ = use_service_account;
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
......@@ -80,6 +82,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
// static
scoped_ptr<AuthenticatorFactory>
Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
bool use_service_account,
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
......@@ -87,6 +90,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
token_validator_factory) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
new Me2MeHostAuthenticatorFactory());
result->use_service_account_ = use_service_account;
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
......@@ -111,12 +115,29 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
const std::string& remote_jid,
const buzz::XmlElement* first_message) {
// Verify that the client's jid is an ASCII string, and then check
// that the client has the same bare jid as the host, i.e. client's
// full JID starts with host's bare jid. Comparison is case
// insensitive.
std::string remote_jid_prefix;
if (!use_service_account_) {
// JID prefixes may not match the host owner email, for example, in cases
// where the host owner account does not have an email associated with it.
// In those cases, the only guarantee we have is that JIDs for the same
// account will have the same prefix.
size_t slash_pos = local_jid.find('/');
if (slash_pos == std::string::npos) {
LOG(DFATAL) << "Invalid local JID:" << local_jid;
return scoped_ptr<Authenticator>(new RejectingAuthenticator());
}
remote_jid_prefix = local_jid.substr(0, slash_pos);
} else {
// TODO(rmsousa): This only works for cases where the JID prefix matches
// the host owner email. Figure out a way to verify the JID in other cases.
remote_jid_prefix = host_owner_;
}
// Verify that the client's jid is an ASCII string, and then check that the
// client JID has the expected prefix. Comparison is case insensitive.
if (!IsStringASCII(remote_jid) ||
!StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
!StartsWithASCII(remote_jid, remote_jid_prefix + '/', false)) {
LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
return scoped_ptr<Authenticator>(new RejectingAuthenticator());
}
......
......@@ -27,6 +27,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
public:
// Create a factory that dispenses shared secret authenticators.
static scoped_ptr<AuthenticatorFactory> CreateWithSharedSecret(
bool use_service_account,
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
......@@ -35,6 +36,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
// Create a factory that dispenses third party authenticators.
static scoped_ptr<AuthenticatorFactory> CreateWithThirdPartyAuth(
bool use_service_account,
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
......@@ -56,6 +58,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
private:
// Used for all host authenticators.
bool use_service_account_;
std::string host_owner_;
std::string local_cert_;
scoped_refptr<RsaKeyPair> key_pair_;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment