Fix JID checking for cases where the user account does not have a Google email associated with it.

BUG=333464 Review URL: https://codereview.chromium.org/134523007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@244361 0039d316-1c4b-4281-b951-d872f2087c98

Fix JID checking for cases where the user account does not have a Google email associated with it.
BUG=333464 Review URL: https://codereview.chromium.org/134523007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@244361 0039d316-1c4b-4281-b951-d872f2087c98
b4e6a31a · rmsousa@chromium.org · db46e8a9 · b4e6a31a · b4e6a31a · b4e6a31a
Commit b4e6a31a authored Jan 11, 2014 by rmsousa@chromium.org
3 changed files
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -516,8 +516,8 @@ void HostProcess::CreateAuthenticatorFactory() {
  if (token_url_.is_empty() && token_validation_url_.is_empty()) {
    factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
-        host_owner_, local_certificate, key_pair_, host_secret_hash_,
+        use_service_account_, host_owner_, local_certificate, key_pair_,
-        pairing_registry);
+        host_secret_hash_, pairing_registry);
  } else if (token_url_.is_valid() && token_validation_url_.is_valid()) {
    scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
@@ -525,7 +525,7 @@ void HostProcess::CreateAuthenticatorFactory() {
            token_url_, token_validation_url_, key_pair_,
            context_->url_request_context_getter()));
    factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
-        host_owner_, local_certificate, key_pair_,
+        use_service_account_, host_owner_, local_certificate, key_pair_,
        token_validator_factory.Pass());
  } else {

--- a/remoting/protocol/me2me_host_authenticator_factory.cc
+++ b/remoting/protocol/me2me_host_authenticator_factory.cc
@@ -61,6 +61,7 @@ class RejectingAuthenticator : public Authenticator {
 // static
 scoped_ptr<AuthenticatorFactory>
 Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
+    bool use_service_account,
    const std::string& host_owner,
    const std::string& local_cert,
    scoped_refptr<RsaKeyPair> key_pair,
@@ -68,6 +69,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
    scoped_refptr<PairingRegistry> pairing_registry) {
  scoped_ptr<Me2MeHostAuthenticatorFactory> result(
      new Me2MeHostAuthenticatorFactory());
+  result->use_service_account_ = use_service_account;
  result->host_owner_ = host_owner;
  result->local_cert_ = local_cert;
  result->key_pair_ = key_pair;
@@ -80,6 +82,7 @@ Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
 // static
 scoped_ptr<AuthenticatorFactory>
 Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
+    bool use_service_account,
    const std::string& host_owner,
    const std::string& local_cert,
    scoped_refptr<RsaKeyPair> key_pair,
@@ -87,6 +90,7 @@ Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
        token_validator_factory) {
  scoped_ptr<Me2MeHostAuthenticatorFactory> result(
      new Me2MeHostAuthenticatorFactory());
+  result->use_service_account_ = use_service_account;
  result->host_owner_ = host_owner;
  result->local_cert_ = local_cert;
  result->key_pair_ = key_pair;
@@ -111,12 +115,29 @@ scoped_ptr<Authenticator> Me2MeHostAuthenticatorFactory::CreateAuthenticator(
    const std::string& remote_jid,
    const buzz::XmlElement* first_message) {
-  // Verify that the client's jid is an ASCII string, and then check
+  std::string remote_jid_prefix;
-  // that the client has the same bare jid as the host, i.e. client's
-  // full JID starts with host's bare jid. Comparison is case
+  if (!use_service_account_) {
-  // insensitive.
+    // JID prefixes may not match the host owner email, for example, in cases
+    // where the host owner account does not have an email associated with it.
+    // In those cases, the only guarantee we have is that JIDs for the same
+    // account will have the same prefix.
+    size_t slash_pos = local_jid.find('/');
+    if (slash_pos == std::string::npos) {
+      LOG(DFATAL) << "Invalid local JID:" << local_jid;
+      return scoped_ptr<Authenticator>(new RejectingAuthenticator());
+    }
+    remote_jid_prefix = local_jid.substr(0, slash_pos);
+  } else {
+    // TODO(rmsousa): This only works for cases where the JID prefix matches
+    // the host owner email. Figure out a way to verify the JID in other cases.
+    remote_jid_prefix = host_owner_;
+  }
+  // Verify that the client's jid is an ASCII string, and then check that the
+  // client JID has the expected prefix. Comparison is case insensitive.
  if (!IsStringASCII(remote_jid) ||
-      !StartsWithASCII(remote_jid, host_owner_ + '/', false)) {
+      !StartsWithASCII(remote_jid, remote_jid_prefix + '/', false)) {
    LOG(ERROR) << "Rejecting incoming connection from " << remote_jid;
    return scoped_ptr<Authenticator>(new RejectingAuthenticator());
  }

--- a/remoting/protocol/me2me_host_authenticator_factory.h
+++ b/remoting/protocol/me2me_host_authenticator_factory.h
@@ -27,6 +27,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
 public:
  // Create a factory that dispenses shared secret authenticators.
  static scoped_ptr<AuthenticatorFactory> CreateWithSharedSecret(
+      bool use_service_account,
      const std::string& host_owner,
      const std::string& local_cert,
      scoped_refptr<RsaKeyPair> key_pair,
@@ -35,6 +36,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
  // Create a factory that dispenses third party authenticators.
  static scoped_ptr<AuthenticatorFactory> CreateWithThirdPartyAuth(
+      bool use_service_account,
      const std::string& host_owner,
      const std::string& local_cert,
      scoped_refptr<RsaKeyPair> key_pair,
@@ -56,6 +58,7 @@ class Me2MeHostAuthenticatorFactory : public AuthenticatorFactory {
 private:
  // Used for all host authenticators.
+  bool use_service_account_;
  std::string host_owner_;
  std::string local_cert_;
  scoped_refptr<RsaKeyPair> key_pair_;