Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / remoting / protocol / me2me_host_authenticator_factory.cc
blob59267083edb670db6741d8d5b4ec622657cc1653
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "remoting/protocol/me2me_host_authenticator_factory.h"
7 #include "base/base64.h"
8 #include "base/strings/string_util.h"
9 #include "remoting/base/rsa_key_pair.h"
10 #include "remoting/protocol/channel_authenticator.h"
11 #include "remoting/protocol/negotiating_host_authenticator.h"
12 #include "remoting/protocol/token_validator.h"
13 #include "remoting/signaling/jid_util.h"
14 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
16 namespace remoting {
17 namespace protocol {
19 namespace {
21 // Authenticator that accepts one message and rejects connection after that.
22 class RejectingAuthenticator : public Authenticator {
23 public:
24 RejectingAuthenticator()
25 : state_(WAITING_MESSAGE) {
27 ~RejectingAuthenticator() override {}
29 State state() const override { return state_; }
31 bool started() const override { return true; }
33 RejectionReason rejection_reason() const override {
34 DCHECK_EQ(state_, REJECTED);
35 return INVALID_CREDENTIALS;
38 void ProcessMessage(const buzz::XmlElement* message,
39 const base::Closure& resume_callback) override {
40 DCHECK_EQ(state_, WAITING_MESSAGE);
41 state_ = REJECTED;
42 resume_callback.Run();
45 scoped_ptr<buzz::XmlElement> GetNextMessage() override {
46 NOTREACHED();
47 return nullptr;
50 const std::string& GetAuthKey() const override {
51 NOTREACHED();
52 return auth_key_;
55 scoped_ptr<ChannelAuthenticator> CreateChannelAuthenticator() const override {
56 NOTREACHED();
57 return nullptr;
60 protected:
61 State state_;
62 std::string auth_key_;
65 } // namespace
67 // static
68 scoped_ptr<AuthenticatorFactory>
69 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
70 bool use_service_account,
71 const std::string& host_owner,
72 const std::string& local_cert,
73 scoped_refptr<RsaKeyPair> key_pair,
74 const SharedSecretHash& shared_secret_hash,
75 scoped_refptr<PairingRegistry> pairing_registry) {
76 scoped_ptr<Me2MeHostAuthenticatorFactory> result(
77 new Me2MeHostAuthenticatorFactory());
78 result->use_service_account_ = use_service_account;
79 result->host_owner_ = host_owner;
80 result->local_cert_ = local_cert;
81 result->key_pair_ = key_pair;
82 result->shared_secret_hash_ = shared_secret_hash;
83 result->pairing_registry_ = pairing_registry;
84 return result.Pass();
88 // static
89 scoped_ptr<AuthenticatorFactory>
90 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
91 bool use_service_account,
92 const std::string& host_owner,
93 const std::string& local_cert,
94 scoped_refptr<RsaKeyPair> key_pair,
95 scoped_ptr<TokenValidatorFactory>
96 token_validator_factory) {
97 scoped_ptr<Me2MeHostAuthenticatorFactory> result(
98 new Me2MeHostAuthenticatorFactory());
99 result->use_service_account_ = use_service_account;
100 result->host_owner_ = host_owner;
101 result->local_cert_ = local_cert;
102 result->key_pair_ = key_pair;
103 result->token_validator_factory_ = token_validator_factory.Pass();
104 return result.Pass();
107 Me2MeHostAuthenticatorFactory::Me2MeHostAuthenticatorFactory() {
110 Me2MeHostAuthenticatorFactory::~Me2MeHostAuthenticatorFactory() {
113 scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
114 const std::string& local_jid,
115 const std::string& remote_jid,
116 const buzz::XmlElement* first_message) {
118 std::string remote_jid_prefix;
120 if (!use_service_account_) {
121 // JID prefixes may not match the host owner email, for example, in cases
122 // where the host owner account does not have an email associated with it.
123 // In those cases, the only guarantee we have is that JIDs for the same
124 // account will have the same prefix.
125 if (!SplitJidResource(local_jid, &remote_jid_prefix, nullptr)) {
126 LOG(DFATAL) << "Invalid local JID:" << local_jid;
127 return make_scoped_ptr(new RejectingAuthenticator());
129 } else {
130 // TODO(rmsousa): This only works for cases where the JID prefix matches
131 // the host owner email. Figure out a way to verify the JID in other cases.
132 remote_jid_prefix = host_owner_;
135 // Verify that the client's jid is an ASCII string, and then check that the
136 // client JID has the expected prefix. Comparison is case insensitive.
137 if (!base::IsStringASCII(remote_jid) ||
138 !base::StartsWith(remote_jid, remote_jid_prefix + '/',
139 base::CompareCase::INSENSITIVE_ASCII)) {
140 LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
141 return make_scoped_ptr(new RejectingAuthenticator());
144 if (!local_cert_.empty() && key_pair_.get()) {
145 if (token_validator_factory_) {
146 return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
147 local_cert_, key_pair_,
148 token_validator_factory_->CreateTokenValidator(
149 local_jid, remote_jid));
152 return NegotiatingHostAuthenticator::CreateWithSharedSecret(
153 local_cert_, key_pair_, shared_secret_hash_.value,
154 shared_secret_hash_.hash_function, pairing_registry_);
157 return make_scoped_ptr(new RejectingAuthenticator());
160 } // namespace protocol
161 } // namespace remoting