Host-side third party token validation

remoting/protocol/negotiating_host_authenticator.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/protocol/negotiating_host_authenticator.h"
 
 #include <algorithm>
 #include <sstream>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/strings/string_split.h"
 #include "remoting/base/rsa_key_pair.h"
 #include "remoting/protocol/channel_authenticator.h"
 #include "remoting/protocol/v2_authenticator.h"
 #include "third_party/libjingle/source/talk/xmllite/xmlelement.h"
 
 namespace remoting {
 namespace protocol {
 
 NegotiatingHostAuthenticator::NegotiatingHostAuthenticator(
     const std::string& local_cert,
+    scoped_refptr<RsaKeyPair> key_pair)
+    : NegotiatingAuthenticatorBase(WAITING_MESSAGE),
+      local_cert_(local_cert),
+      local_key_pair_(key_pair) {
+}
+
+// static
+scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateWithSharedSecret(
+    const std::string& local_cert,
     scoped_refptr<RsaKeyPair> key_pair,
     const std::string& shared_secret_hash,
-    AuthenticationMethod::HashFunction hash_function)
-    : NegotiatingAuthenticatorBase(WAITING_MESSAGE),
-      local_cert_(local_cert),
-      local_key_pair_(key_pair),
-      shared_secret_hash_(shared_secret_hash) {
+    AuthenticationMethod::HashFunction hash_function) {
+  scoped_ptr<NegotiatingHostAuthenticator> result(
+      new NegotiatingHostAuthenticator(local_cert, key_pair));
+  result->shared_secret_hash_ = shared_secret_hash;
+  result->AddMethod(AuthenticationMethod::Spake2(hash_function));
+  return scoped_ptr<Authenticator>(result.Pass());
+}
 
-  AddMethod(AuthenticationMethod::Spake2(hash_function));
+// static
+scoped_ptr<Authenticator>
+NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
+    const std::string& local_cert,
+    scoped_refptr<RsaKeyPair> key_pair,
+    scoped_ptr<ThirdPartyHostAuthenticator::TokenValidator> token_validator) {
+  scoped_ptr<NegotiatingHostAuthenticator> result(
+      new NegotiatingHostAuthenticator(local_cert, key_pair));
+  result->token_validator_ = token_validator.Pass();
+  result->AddMethod(AuthenticationMethod::ThirdParty());
+  return scoped_ptr<Authenticator>(result.Pass());
 }
 
 NegotiatingHostAuthenticator::~NegotiatingHostAuthenticator() {
 }
 
 void NegotiatingHostAuthenticator::ProcessMessage(
     const buzz::XmlElement* message,
     const base::Closure& resume_callback) {
   DCHECK_EQ(state(), WAITING_MESSAGE);
 
   std::string method_attr = message->Attr(kMethodAttributeQName);
   AuthenticationMethod method = AuthenticationMethod::FromString(method_attr);
 
   // If the host has already chosen a method, it can't be changed by the client.
   if (current_method_.is_valid() && method != current_method_) {
     state_ = REJECTED;
     rejection_reason_ = PROTOCOL_ERROR;
     resume_callback.Run();
     return;
   }
 
   // If the client did not specify auth method or specified unknown method,
   // then select the first known method from the supported-methods attribute.
   if (!method.is_valid() ||
       std::find(methods_.begin(), methods_.end(), method) == methods_.end()) {
-
     method = AuthenticationMethod::Invalid();
 
     std::string supported_methods_attr =
         message->Attr(kSupportedMethodsAttributeQName);
     if (supported_methods_attr.empty()) {
       // Message contains neither method nor supported-methods attributes.
       state_ = REJECTED;
       rejection_reason_ = PROTOCOL_ERROR;
       resume_callback.Run();
       return;
@@ skipping 50 matching lines @@
   ProcessMessageInternal(message, resume_callback);
 }
 
 scoped_ptr<buzz::XmlElement> NegotiatingHostAuthenticator::GetNextMessage() {
   return GetNextMessageInternal();
 }
 
 void NegotiatingHostAuthenticator::CreateAuthenticator(
     Authenticator::State preferred_initial_state,
     const base::Closure& resume_callback) {
-  current_authenticator_ = V2Authenticator::CreateForHost(
-      local_cert_, local_key_pair_, shared_secret_hash_,
-      preferred_initial_state);
+  DCHECK(current_method_.is_valid());
+
+  if (current_method_.type() == AuthenticationMethod::THIRD_PARTY) {
+    // |ThirdPartyHostAuthenticator| takes ownership of |token_validator_|.
+    // The authentication method negotiation logic should guarantee that only
+    // one |ThirdPartyHostAuthenticator| will need to be created per session.
+    DCHECK(token_validator_);
+    current_authenticator_.reset(new ThirdPartyHostAuthenticator(
+        local_cert_, local_key_pair_, token_validator_.Pass()));
+  } else {
+    current_authenticator_ = V2Authenticator::CreateForHost(
+        local_cert_, local_key_pair_, shared_secret_hash_,
+        preferred_initial_state);
+  }
+
   resume_callback.Run();
 }
 
 }  // namespace protocol
 }  // namespace remoting