remoting/protocol/me2me_host_authenticator_factory.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "remoting/protocol/me2me_host_authenticator_factory.h"
   6
   7 #include "base/base64.h"
   8 #include "base/strings/string_util.h"
   9 #include "remoting/base/rsa_key_pair.h"
  10 #include "remoting/protocol/channel_authenticator.h"
  11 #include "remoting/protocol/negotiating_host_authenticator.h"
  12 #include "remoting/protocol/token_validator.h"
  13 #include "remoting/signaling/jid_util.h"
  14 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
  15
  16 namespace remoting {
  17 namespace protocol {
  18
  19 namespace {
  20
  21 // Authenticator that accepts one message and rejects connection after that.
  22 class RejectingAuthenticator : public Authenticator {
  23  public:
  24   RejectingAuthenticator()
  25       : state_(WAITING_MESSAGE) {
  26   }
  27   ~RejectingAuthenticator() override {}
  28
  29   State state() const override { return state_; }
  30
  31   bool started() const override { return true; }
  32
  33   RejectionReason rejection_reason() const override {
  34     DCHECK_EQ(state_, REJECTED);
  35     return INVALID_CREDENTIALS;
  36   }
  37
  38   void ProcessMessage(const buzz::XmlElement* message,
  39                       const base::Closure& resume_callback) override {
  40     DCHECK_EQ(state_, WAITING_MESSAGE);
  41     state_ = REJECTED;
  42     resume_callback.Run();
  43   }
  44
  45   scoped_ptr<buzz::XmlElement> GetNextMessage() override {
  46     NOTREACHED();
  47     return nullptr;
  48   }
  49
  50   const std::string& GetAuthKey() const override {
  51     NOTREACHED();
  52     return auth_key_;
  53   };
  54
  55   scoped_ptr<ChannelAuthenticator> CreateChannelAuthenticator() const override {
  56     NOTREACHED();
  57     return nullptr;
  58   }
  59
  60  protected:
  61   State state_;
  62   std::string auth_key_;
  63 };
  64
  65 }  // namespace
  66
  67 // static
  68 scoped_ptr<AuthenticatorFactory>
  69 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
  70     bool use_service_account,
  71     const std::string& host_owner,
  72     const std::string& local_cert,
  73     scoped_refptr<RsaKeyPair> key_pair,
  74     const SharedSecretHash& shared_secret_hash,
  75     scoped_refptr<PairingRegistry> pairing_registry) {
  76   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
  77       new Me2MeHostAuthenticatorFactory());
  78   result->use_service_account_ = use_service_account;
  79   result->host_owner_ = host_owner;
  80   result->local_cert_ = local_cert;
  81   result->key_pair_ = key_pair;
  82   result->shared_secret_hash_ = shared_secret_hash;
  83   result->pairing_registry_ = pairing_registry;
  84   return result.Pass();
  85 }
  86
  87
  88 // static
  89 scoped_ptr<AuthenticatorFactory>
  90 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
  91     bool use_service_account,
  92     const std::string& host_owner,
  93     const std::string& local_cert,
  94     scoped_refptr<RsaKeyPair> key_pair,
  95     scoped_ptr<TokenValidatorFactory>
  96         token_validator_factory) {
  97   scoped_ptr<Me2MeHostAuthenticatorFactory> result(
  98       new Me2MeHostAuthenticatorFactory());
  99   result->use_service_account_ = use_service_account;
 100   result->host_owner_ = host_owner;
 101   result->local_cert_ = local_cert;
 102   result->key_pair_ = key_pair;
 103   result->token_validator_factory_ = token_validator_factory.Pass();
 104   return result.Pass();
 105 }
 106
 107 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {
 108 }
 109
 110 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {
 111 }
 112
 113 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
 114     const std::string& local_jid,
 115     const std::string& remote_jid,
 116     const buzz::XmlElement* first_message) {
 117
 118   std::string remote_jid_prefix;
 119
 120   if (!use_service_account_) {
 121     // JID prefixes may not match the host owner email, for example, in cases
 122     // where the host owner account does not have an email associated with it.
 123     // In those cases, the only guarantee we have is that JIDs for the same
 124     // account will have the same prefix.
 125     if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) {
 126       LOG(DFATAL) << "Invalid local JID:" << local_jid;
 127       return make_scoped_ptr(new RejectingAuthenticator());
 128     }
 129   } else {
 130     // TODO(rmsousa): This only works for cases where the JID prefix matches
 131     // the host owner email. Figure out a way to verify the JID in other cases.
 132     remote_jid_prefix = host_owner_;
 133   }
 134
 135   // Verify that the client's jid is an ASCII string, and then check that the
 136   // client JID has the expected prefix. Comparison is case insensitive.
 137   if (!base::IsStringASCII(remote_jid) ||
 138       !base::StartsWith(remote_jid, remote_jid_prefix + '/',
 139                         base::CompareCase::INSENSITIVE_ASCII)) {
 140     LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
 141     return make_scoped_ptr(new RejectingAuthenticator());
 142   }
 143
 144   if (!local_cert_.empty() && key_pair_.get()) {
 145     if (token_validator_factory_) {
 146       return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
 147           local_cert_, key_pair_,
 148           token_validator_factory_->CreateTokenValidator(
 149               local_jid, remote_jid));
 150     }
 151
 152     return NegotiatingHostAuthenticator::CreateWithSharedSecret(
 153         local_cert_, key_pair_, shared_secret_hash_.value,
 154         shared_secret_hash_.hash_function, pairing_registry_);
 155   }
 156
 157   return make_scoped_ptr(new RejectingAuthenticator());
 158 }
 159
 160 }  // namespace protocol
 161 }  // namespace remoting