Commit d66d8174 authored by rmsousa@chromium.org's avatar rmsousa@chromium.org

Support service accounts in the chromoting host.

This change allows running a host *already configured* with service account credentials. Support for obtaining service account credentails during host setup will come in follow up CLs.

BUG=224742

Review URL: https://chromiumcodereview.appspot.com/19796006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@217941 0039d316-1c4b-4281-b951-d872f2087c98
parent 788e9517
......@@ -49,6 +49,14 @@
#define GOOGLE_CLIENT_SECRET_REMOTING DUMMY_API_TOKEN
#endif
#if !defined(GOOGLE_CLIENT_ID_REMOTING_HOST)
#define GOOGLE_CLIENT_ID_REMOTING_HOST DUMMY_API_TOKEN
#endif
#if !defined(GOOGLE_CLIENT_SECRET_REMOTING_HOST)
#define GOOGLE_CLIENT_SECRET_REMOTING_HOST DUMMY_API_TOKEN
#endif
// These are used as shortcuts for developers and users providing
// OAuth credentials via preprocessor defines or environment
// variables. If set, they will be used to replace any of the client
......@@ -152,6 +160,21 @@ class APIKeyCache {
default_client_secret,
environment.get(),
command_line);
client_ids_[CLIENT_REMOTING_HOST] = CalculateKeyValue(
GOOGLE_CLIENT_ID_REMOTING_HOST,
STRINGIZE_NO_EXPANSION(GOOGLE_CLIENT_ID_REMOTING_HOST),
NULL,
default_client_id,
environment.get(),
command_line);
client_secrets_[CLIENT_REMOTING_HOST] = CalculateKeyValue(
GOOGLE_CLIENT_SECRET_REMOTING_HOST,
STRINGIZE_NO_EXPANSION(GOOGLE_CLIENT_SECRET_REMOTING_HOST),
NULL,
default_client_secret,
environment.get(),
command_line);
}
std::string api_key() const { return api_key_; }
......
......@@ -71,6 +71,7 @@ enum OAuth2Client {
CLIENT_MAIN, // Several different features use this.
CLIENT_CLOUD_PRINT,
CLIENT_REMOTING,
CLIENT_REMOTING_HOST,
CLIENT_NUM_ITEMS // Must be last item.
};
......
......@@ -88,3 +88,6 @@ if __name__ == "__main__":
print 'GOOGLE_CLIENT_SECRET_CLOUD_PRINT=%s' % GetClientSecret('CLOUD_PRINT')
print 'GOOGLE_CLIENT_ID_REMOTING=%s' % GetClientID('REMOTING')
print 'GOOGLE_CLIENT_SECRET_REMOTING=%s' % GetClientSecret('REMOTING')
print 'GOOGLE_CLIENT_ID_REMOTING_HOST=%s' % GetClientID('REMOTING_HOST')
print 'GOOGLE_CLIENT_SECRET_REMOTING_HOST=%s' % GetClientSecret(
'REMOTING_HOST')
......@@ -59,8 +59,10 @@ class GoogleAPIKeysTest : public testing::Test {
env_cache_[4].variable_name = "GOOGLE_CLIENT_SECRET_CLOUD_PRINT";
env_cache_[5].variable_name = "GOOGLE_CLIENT_ID_REMOTING";
env_cache_[6].variable_name = "GOOGLE_CLIENT_SECRET_REMOTING";
env_cache_[7].variable_name = "GOOGLE_DEFAULT_CLIENT_ID";
env_cache_[8].variable_name = "GOOGLE_DEFAULT_CLIENT_SECRET";
env_cache_[7].variable_name = "GOOGLE_CLIENT_ID_REMOTING_HOST";
env_cache_[8].variable_name = "GOOGLE_CLIENT_SECRET_REMOTING_HOST";
env_cache_[9].variable_name = "GOOGLE_DEFAULT_CLIENT_ID";
env_cache_[10].variable_name = "GOOGLE_DEFAULT_CLIENT_SECRET";
}
virtual void SetUp() {
......@@ -114,6 +116,8 @@ namespace official_build {
#undef GOOGLE_CLIENT_SECRET_CLOUD_PRINT
#undef GOOGLE_CLIENT_ID_REMOTING
#undef GOOGLE_CLIENT_SECRET_REMOTING
#undef GOOGLE_CLIENT_ID_REMOTING_HOST
#undef GOOGLE_CLIENT_SECRET_REMOTING_HOST
#undef GOOGLE_DEFAULT_CLIENT_ID
#undef GOOGLE_DEFAULT_CLIENT_SECRET
......@@ -150,6 +154,11 @@ TEST_F(GoogleAPIKeysTest, OfficialKeys) {
std::string secret_remoting =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING);
std::string id_remoting_host = testcase::g_api_key_cache.Get().GetClientID(
testcase::CLIENT_REMOTING_HOST);
std::string secret_remoting_host =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING_HOST);
EXPECT_NE(0u, api_key.size());
EXPECT_NE(DUMMY_API_TOKEN, api_key);
......@@ -180,6 +189,14 @@ TEST_F(GoogleAPIKeysTest, OfficialKeys) {
EXPECT_NE(0u, secret_remoting.size());
EXPECT_NE(DUMMY_API_TOKEN, secret_remoting);
EXPECT_NE(kDummyToken, secret_remoting);
EXPECT_NE(0u, id_remoting_host.size());
EXPECT_NE(DUMMY_API_TOKEN, id_remoting_host);
EXPECT_NE(kDummyToken, id_remoting_host);
EXPECT_NE(0u, secret_remoting_host.size());
EXPECT_NE(DUMMY_API_TOKEN, secret_remoting_host);
EXPECT_NE(kDummyToken, secret_remoting_host);
}
#endif // defined(GOOGLE_CHROME_BUILD) || defined(USE_OFFICIAL_GOOGLE_API_KEYS)
......@@ -201,6 +218,8 @@ namespace default_keys {
#undef GOOGLE_CLIENT_SECRET_CLOUD_PRINT
#undef GOOGLE_CLIENT_ID_REMOTING
#undef GOOGLE_CLIENT_SECRET_REMOTING
#undef GOOGLE_CLIENT_ID_REMOTING_HOST
#undef GOOGLE_CLIENT_SECRET_REMOTING_HOST
#undef GOOGLE_DEFAULT_CLIENT_ID
#undef GOOGLE_DEFAULT_CLIENT_SECRET
......@@ -232,6 +251,11 @@ TEST_F(GoogleAPIKeysTest, DefaultKeys) {
std::string secret_remoting =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING);
std::string id_remoting_host = testcase::g_api_key_cache.Get().GetClientID(
testcase::CLIENT_REMOTING_HOST);
std::string secret_remoting_host =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING_HOST);
EXPECT_EQ(kDummyToken, api_key);
EXPECT_EQ(kDummyToken, id_main);
......@@ -240,6 +264,8 @@ TEST_F(GoogleAPIKeysTest, DefaultKeys) {
EXPECT_EQ(kDummyToken, secret_cloud_print);
EXPECT_EQ(kDummyToken, id_remoting);
EXPECT_EQ(kDummyToken, secret_remoting);
EXPECT_EQ(kDummyToken, id_remoting_host);
EXPECT_EQ(kDummyToken, secret_remoting_host);
}
// Override a couple of keys, leave the rest default.
......@@ -255,6 +281,8 @@ namespace override_some_keys {
#undef GOOGLE_CLIENT_SECRET_CLOUD_PRINT
#undef GOOGLE_CLIENT_ID_REMOTING
#undef GOOGLE_CLIENT_SECRET_REMOTING
#undef GOOGLE_CLIENT_ID_REMOTING_HOST
#undef GOOGLE_CLIENT_SECRET_REMOTING_HOST
#undef GOOGLE_DEFAULT_CLIENT_ID
#undef GOOGLE_DEFAULT_CLIENT_SECRET
......@@ -289,6 +317,11 @@ TEST_F(GoogleAPIKeysTest, OverrideSomeKeys) {
std::string secret_remoting =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING);
std::string id_remoting_host = testcase::g_api_key_cache.Get().GetClientID(
testcase::CLIENT_REMOTING_HOST);
std::string secret_remoting_host =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING_HOST);
EXPECT_EQ("API_KEY override", api_key);
EXPECT_EQ(kDummyToken, id_main);
......@@ -297,6 +330,8 @@ TEST_F(GoogleAPIKeysTest, OverrideSomeKeys) {
EXPECT_EQ(kDummyToken, secret_cloud_print);
EXPECT_EQ("CLIENT_ID_REMOTING override", id_remoting);
EXPECT_EQ(kDummyToken, secret_remoting);
EXPECT_EQ(kDummyToken, id_remoting_host);
EXPECT_EQ(kDummyToken, secret_remoting_host);
}
// Override all keys.
......@@ -312,6 +347,8 @@ namespace override_all_keys {
#undef GOOGLE_CLIENT_SECRET_CLOUD_PRINT
#undef GOOGLE_CLIENT_ID_REMOTING
#undef GOOGLE_CLIENT_SECRET_REMOTING
#undef GOOGLE_CLIENT_ID_REMOTING_HOST
#undef GOOGLE_CLIENT_SECRET_REMOTING_HOST
#undef GOOGLE_DEFAULT_CLIENT_ID
#undef GOOGLE_DEFAULT_CLIENT_SECRET
......@@ -322,6 +359,8 @@ namespace override_all_keys {
#define GOOGLE_CLIENT_SECRET_CLOUD_PRINT "SECRET_CLOUD_PRINT"
#define GOOGLE_CLIENT_ID_REMOTING "ID_REMOTING"
#define GOOGLE_CLIENT_SECRET_REMOTING "SECRET_REMOTING"
#define GOOGLE_CLIENT_ID_REMOTING_HOST "ID_REMOTING_HOST"
#define GOOGLE_CLIENT_SECRET_REMOTING_HOST "SECRET_REMOTING_HOST"
// Undef include guard so things get defined again, within this namespace.
#undef GOOGLE_APIS_GOOGLE_API_KEYS_H_
......@@ -351,6 +390,11 @@ TEST_F(GoogleAPIKeysTest, OverrideAllKeys) {
std::string secret_remoting =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING);
std::string id_remoting_host = testcase::g_api_key_cache.Get().GetClientID(
testcase::CLIENT_REMOTING_HOST);
std::string secret_remoting_host =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING_HOST);
EXPECT_EQ("API_KEY", api_key);
EXPECT_EQ("ID_MAIN", id_main);
......@@ -359,6 +403,8 @@ TEST_F(GoogleAPIKeysTest, OverrideAllKeys) {
EXPECT_EQ("SECRET_CLOUD_PRINT", secret_cloud_print);
EXPECT_EQ("ID_REMOTING", id_remoting);
EXPECT_EQ("SECRET_REMOTING", secret_remoting);
EXPECT_EQ("ID_REMOTING_HOST", id_remoting_host);
EXPECT_EQ("SECRET_REMOTING_HOST", secret_remoting_host);
}
// Override all keys using both preprocessor defines and environment
......@@ -375,6 +421,8 @@ namespace override_all_keys_env {
#undef GOOGLE_CLIENT_SECRET_CLOUD_PRINT
#undef GOOGLE_CLIENT_ID_REMOTING
#undef GOOGLE_CLIENT_SECRET_REMOTING
#undef GOOGLE_CLIENT_ID_REMOTING_HOST
#undef GOOGLE_CLIENT_SECRET_REMOTING_HOST
#undef GOOGLE_DEFAULT_CLIENT_ID
#undef GOOGLE_DEFAULT_CLIENT_SECRET
......@@ -385,6 +433,8 @@ namespace override_all_keys_env {
#define GOOGLE_CLIENT_SECRET_CLOUD_PRINT "SECRET_CLOUD_PRINT"
#define GOOGLE_CLIENT_ID_REMOTING "ID_REMOTING"
#define GOOGLE_CLIENT_SECRET_REMOTING "SECRET_REMOTING"
#define GOOGLE_CLIENT_ID_REMOTING_HOST "ID_REMOTING_HOST"
#define GOOGLE_CLIENT_SECRET_REMOTING_HOST "SECRET_REMOTING_HOST"
// Undef include guard so things get defined again, within this namespace.
#undef GOOGLE_APIS_GOOGLE_API_KEYS_H_
......@@ -401,9 +451,11 @@ TEST_F(GoogleAPIKeysTest, OverrideAllKeysUsingEnvironment) {
env->SetVar("GOOGLE_CLIENT_ID_MAIN", "env-ID_MAIN");
env->SetVar("GOOGLE_CLIENT_ID_CLOUD_PRINT", "env-ID_CLOUD_PRINT");
env->SetVar("GOOGLE_CLIENT_ID_REMOTING", "env-ID_REMOTING");
env->SetVar("GOOGLE_CLIENT_ID_REMOTING_HOST", "env-ID_REMOTING_HOST");
env->SetVar("GOOGLE_CLIENT_SECRET_MAIN", "env-SECRET_MAIN");
env->SetVar("GOOGLE_CLIENT_SECRET_CLOUD_PRINT", "env-SECRET_CLOUD_PRINT");
env->SetVar("GOOGLE_CLIENT_SECRET_REMOTING", "env-SECRET_REMOTING");
env->SetVar("GOOGLE_CLIENT_SECRET_REMOTING_HOST", "env-SECRET_REMOTING_HOST");
EXPECT_TRUE(testcase::HasKeysConfigured());
......@@ -425,6 +477,11 @@ TEST_F(GoogleAPIKeysTest, OverrideAllKeysUsingEnvironment) {
std::string secret_remoting =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING);
std::string id_remoting_host = testcase::g_api_key_cache.Get().GetClientID(
testcase::CLIENT_REMOTING_HOST);
std::string secret_remoting_host =
testcase::g_api_key_cache.Get().GetClientSecret(
testcase::CLIENT_REMOTING_HOST);
EXPECT_EQ("env-API_KEY", api_key);
EXPECT_EQ("env-ID_MAIN", id_main);
......@@ -433,6 +490,8 @@ TEST_F(GoogleAPIKeysTest, OverrideAllKeysUsingEnvironment) {
EXPECT_EQ("env-SECRET_CLOUD_PRINT", secret_cloud_print);
EXPECT_EQ("env-ID_REMOTING", id_remoting);
EXPECT_EQ("env-SECRET_REMOTING", secret_remoting);
EXPECT_EQ("env-ID_REMOTING_HOST", id_remoting_host);
EXPECT_EQ("env-SECRET_REMOTING_HOST", secret_remoting_host);
}
#endif // defined(OS_LINUX) || defined(OS_MACOSX)
......@@ -109,13 +109,13 @@ ChromotingHost::~ChromotingHost() {
FOR_EACH_OBSERVER(HostStatusObserver, status_observers_, OnShutdown());
}
void ChromotingHost::Start(const std::string& xmpp_login) {
void ChromotingHost::Start(const std::string& host_owner) {
DCHECK(CalledOnValidThread());
DCHECK(!started_);
LOG(INFO) << "Starting host";
started_ = true;
FOR_EACH_OBSERVER(HostStatusObserver, status_observers_, OnStart(xmpp_login));
FOR_EACH_OBSERVER(HostStatusObserver, status_observers_, OnStart(host_owner));
// Start the SessionManager, supplying this ChromotingHost as the listener.
session_manager_->Init(signal_strategy_, this);
......
......@@ -86,7 +86,7 @@ class ChromotingHost : public base::NonThreadSafe,
// network and start listening for incoming connections.
//
// This method can only be called once during the lifetime of this object.
void Start(const std::string& xmpp_login);
void Start(const std::string& host_owner);
// HostStatusMonitor interface.
virtual void AddStatusObserver(HostStatusObserver* observer) OVERRIDE;
......
......@@ -7,6 +7,7 @@
namespace remoting {
const char kHostEnabledConfigPath[] = "enabled";
const char kHostOwnerConfigPath[] = "host_owner";
const char kXmppLoginConfigPath[] = "xmpp_login";
const char kXmppAuthTokenConfigPath[] = "xmpp_auth_token";
const char kOAuthRefreshTokenConfigPath[] = "oauth_refresh_token";
......
......@@ -19,6 +19,8 @@ namespace remoting {
// Status of the host, whether it is enabled or disabled.
extern const char kHostEnabledConfigPath[];
// Google account of the owner of this host.
extern const char kHostOwnerConfigPath[];
// Login used to authenticate in XMPP network.
extern const char kXmppLoginConfigPath[];
// Auth token used to authenticate to XMPP network.
......
......@@ -266,7 +266,9 @@ class HostProcess
scoped_refptr<RsaKeyPair> key_pair_;
std::string oauth_refresh_token_;
std::string serialized_config_;
std::string host_owner_;
std::string xmpp_login_;
bool use_service_account_;
std::string xmpp_auth_token_;
std::string xmpp_auth_service_;
scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
......@@ -303,6 +305,7 @@ HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
int* exit_code_out)
: context_(context.Pass()),
state_(HOST_INITIALIZING),
use_service_account_(false),
allow_nat_traversal_(true),
allow_pairing_(true),
curtain_required_(false),
......@@ -520,7 +523,8 @@ void HostProcess::CreateAuthenticatorFactory() {
if (token_url_.is_empty() && token_validation_url_.is_empty()) {
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
local_certificate, key_pair_, host_secret_hash_, pairing_registry);
host_owner_, local_certificate, key_pair_, host_secret_hash_,
pairing_registry);
} else if (token_url_.is_valid() && token_validation_url_.is_valid()) {
scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
......@@ -528,7 +532,8 @@ void HostProcess::CreateAuthenticatorFactory() {
token_url_, token_validation_url_, key_pair_,
context_->url_request_context_getter()));
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
local_certificate, key_pair_, token_validator_factory.Pass());
host_owner_, local_certificate, key_pair_,
token_validator_factory.Pass());
} else {
// TODO(rmsousa): If the policy is bad the host should not go online. It
......@@ -727,6 +732,15 @@ bool HostProcess::ApplyConfig(scoped_ptr<JsonHostConfig> config) {
// request an OAuth2 access token.
xmpp_auth_service_ = kChromotingTokenDefaultServiceName;
}
if (config->GetString(kHostOwnerConfigPath, &host_owner_)) {
// Service account configs have a host_owner, different from the xmpp_login.
use_service_account_ = true;
} else {
// User credential configs only have an xmpp_login, which is also the owner.
host_owner_ = xmpp_login_;
use_service_account_ = false;
}
return true;
}
......@@ -799,7 +813,7 @@ bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) {
LOG(INFO) << "Policy sets host domain: " << host_domain;
if (!host_domain.empty() &&
!EndsWith(xmpp_login_, std::string("@") + host_domain, false)) {
!EndsWith(host_owner_, std::string("@") + host_domain, false)) {
ShutdownHost(kInvalidHostDomainExitCode);
}
return false;
......@@ -814,7 +828,7 @@ bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required,
LOG(INFO) << "Policy requires host username match.";
std::string username = GetUsername();
bool shutdown = username.empty() ||
!StartsWithASCII(xmpp_login_, username + std::string("@"),
!StartsWithASCII(host_owner_, username + std::string("@"),
false);
#if defined(OS_MACOSX)
......@@ -972,7 +986,7 @@ void HostProcess::StartHost() {
if (!oauth_refresh_token_.empty()) {
scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials(
new SignalingConnector::OAuthCredentials(
xmpp_login_, oauth_refresh_token_));
xmpp_login_, oauth_refresh_token_, use_service_account_));
signaling_connector_->EnableOAuth(oauth_credentials.Pass());
}
......@@ -1026,7 +1040,7 @@ void HostProcess::StartHost() {
#endif // !defined(REMOTING_MULTI_PROCESS)
host_->SetEnableCurtaining(curtain_required_);
host_->Start(xmpp_login_);
host_->Start(host_owner_);
CreateAuthenticatorFactory();
}
......
......@@ -6,6 +6,7 @@
#include "base/bind.h"
#include "base/callback.h"
#include "base/strings/string_util.h"
#include "google_apis/google_api_keys.h"
#include "net/url_request/url_fetcher.h"
#include "net/url_request/url_request_context_getter.h"
......@@ -26,9 +27,11 @@ const int kTokenUpdateTimeBeforeExpirySeconds = 60;
SignalingConnector::OAuthCredentials::OAuthCredentials(
const std::string& login_value,
const std::string& refresh_token_value)
const std::string& refresh_token_value,
bool is_service_account)
: login(login_value),
refresh_token(refresh_token_value) {
refresh_token(refresh_token_value),
is_service_account(is_service_account) {
}
SignalingConnector::SignalingConnector(
......@@ -228,12 +231,20 @@ void SignalingConnector::RefreshOAuthToken() {
LOG(INFO) << "Refreshing OAuth token.";
DCHECK(!refreshing_oauth_token_);
// Service accounts use different API keys, as they use the client app flow.
google_apis::OAuth2Client oauth2_client;
if (oauth_credentials_->is_service_account) {
oauth2_client = google_apis::CLIENT_REMOTING_HOST;
} else {
oauth2_client = google_apis::CLIENT_REMOTING;
}
gaia::OAuthClientInfo client_info = {
google_apis::GetOAuth2ClientID(google_apis::CLIENT_REMOTING),
google_apis::GetOAuth2ClientSecret(google_apis::CLIENT_REMOTING),
// Redirect URL is only used when getting tokens from auth code. It
// is not required when getting access tokens.
""
google_apis::GetOAuth2ClientID(oauth2_client),
google_apis::GetOAuth2ClientSecret(oauth2_client),
// Redirect URL is only used when getting tokens from auth code. It
// is not required when getting access tokens.
""
};
refreshing_oauth_token_ = true;
......
......@@ -40,13 +40,17 @@ class SignalingConnector
// authentication to OAuth2.
struct OAuthCredentials {
OAuthCredentials(const std::string& login_value,
const std::string& refresh_token_value);
const std::string& refresh_token_value,
bool is_service_account);
// The user's account name (i.e. their email address).
std::string login;
// Token delegating authority to us to act as the user.
std::string refresh_token;
// Whether these credentials belong to a service account.
bool is_service_account;
};
// The |auth_failed_callback| is called when authentication fails.
......
......@@ -61,12 +61,14 @@ class RejectingAuthenticator : public Authenticator {
// static
scoped_ptr<AuthenticatorFactory>
Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const SharedSecretHash& shared_secret_hash,
scoped_refptr<PairingRegistry> pairing_registry) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
new Me2MeHostAuthenticatorFactory());
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
result->shared_secret_hash_ = shared_secret_hash;
......@@ -78,12 +80,14 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
// static
scoped_ptr<AuthenticatorFactory>
Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory>
token_validator_factory) {
scoped_ptr<Me2MeHostAuthenticatorFactory> result(
new Me2MeHostAuthenticatorFactory());
result->host_owner_ = host_owner;
result->local_cert_ = local_cert;
result->key_pair_ = key_pair;
result->token_validator_factory_ = token_validator_factory.Pass();
......@@ -107,18 +111,12 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
const std::string& remote_jid,
const buzz::XmlElement* first_message) {
size_t slash_pos = local_jid.find('/');
if (slash_pos == std::string::npos) {
LOG(DFATAL) << "Invalid local JID:" << local_jid;
return scoped_ptr<Authenticator>(new RejectingAuthenticator());
}
// Verify that the client's jid is an ASCII string, and then check
// that the client has the same bare jid as the host, i.e. client's
// full JID starts with host's bare jid. Comparison is case
// insensitive.
if (!IsStringASCII(remote_jid) ||
!StartsWithASCII(remote_jid, local_jid.substr(0, slash_pos + 1), false)) {
!StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
return scoped_ptr<Authenticator>(new RejectingAuthenticator());
}
......
......@@ -27,6 +27,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
public:
// Create a factory that dispenses shared secret authenticators.
static scoped_ptr<AuthenticatorFactory> CreateWithSharedSecret(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const SharedSecretHash& shared_secret_hash,
......@@ -34,6 +35,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
// Create a factory that dispenses third party authenticators.
static scoped_ptr<AuthenticatorFactory> CreateWithThirdPartyAuth(
const std::string& host_owner,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
scoped_ptr<ThirdPartyHostAuthenticator::TokenValidatorFactory>
......@@ -54,6 +56,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
private:
// Used for all host authenticators.
std::string host_owner_;
std::string local_cert_;
scoped_refptr<RsaKeyPair> key_pair_;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment