| Index: remoting/host/remoting_me2me_host.cc
|
| diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc
|
| index 2614950375c408ac8c7971ca0bc8f7a75efc18ad..131a3c2853c043c38a00a3ea8e1607bdcc48418b 100644
|
| --- a/remoting/host/remoting_me2me_host.cc
|
| +++ b/remoting/host/remoting_me2me_host.cc
|
| @@ -34,6 +34,7 @@
|
| #include "remoting/base/auto_thread_task_runner.h"
|
| #include "remoting/base/breakpad.h"
|
| #include "remoting/base/constants.h"
|
| +#include "remoting/base/rsa_key_pair.h"
|
| #include "remoting/base/util.h"
|
| #include "remoting/host/branding.h"
|
| #include "remoting/host/chromoting_host.h"
|
| @@ -64,6 +65,7 @@
|
| #include "remoting/host/service_urls.h"
|
| #include "remoting/host/session_manager_factory.h"
|
| #include "remoting/host/signaling_connector.h"
|
| +#include "remoting/host/token_validator_factory_impl.h"
|
| #include "remoting/host/ui_strings.h"
|
| #include "remoting/host/usage_stats_consent.h"
|
| #include "remoting/jingle_glue/xmpp_signal_strategy.h"
|
| @@ -205,6 +207,8 @@ class HostProcess
|
| bool OnNatPolicyUpdate(bool nat_traversal_enabled);
|
| bool OnCurtainPolicyUpdate(bool curtain_required);
|
| bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
|
| + bool OnHostTokenUrlPolicyUpdate(const GURL& token_url,
|
| + const GURL& token_validation_url);
|
|
|
| void StartHost();
|
|
|
| @@ -268,6 +272,8 @@ class HostProcess
|
| scoped_ptr<CurtainMode> curtain_;
|
| scoped_ptr<CurtainingHostObserver> curtaining_host_observer_;
|
| bool curtain_required_;
|
| + GURL token_url_;
|
| + GURL token_validation_url_;
|
|
|
| scoped_ptr<XmppSignalStrategy> signal_strategy_;
|
| scoped_ptr<SignalingConnector> signaling_connector_;
|
| @@ -481,10 +487,29 @@ void HostProcess::CreateAuthenticatorFactory() {
|
| ShutdownHost(kInitializationFailed);
|
| return;
|
| }
|
| + scoped_ptr<protocol::AuthenticatorFactory> factory;
|
| +
|
| + if (token_url_.is_empty() && token_validation_url_.is_empty()) {
|
| + factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret(
|
| + local_certificate, key_pair_, host_secret_hash_);
|
| + } else if (token_url_.is_valid() && token_validation_url_.is_valid()) {
|
| + scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
|
| + token_validator_factory(new TokenValidatorFactoryImpl(
|
| + token_url_, token_validation_url_, key_pair_,
|
| + context_->url_request_context_getter()));
|
| + factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
|
| + local_certificate, key_pair_, token_validator_factory.Pass());
|
| + } else {
|
| + // TODO(rmsousa): If the policy is bad the host should not go online. It
|
| + // should keep running, but not connected, until the policies are fixed.
|
| + // Having it show up as online and then reject all clients is misleading.
|
| + LOG(ERROR) << "One of the third-party token URLs is empty or invalid. "
|
| + << "Host will reject all clients until policies are corrected. "
|
| + << "TokenUrl: " << token_url_ << ", "
|
| + << "TokenValidationUrl: " << token_validation_url_;
|
| + factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting();
|
| + }
|
|
|
| - scoped_ptr<protocol::AuthenticatorFactory> factory(
|
| - new protocol::Me2MeHostAuthenticatorFactory(
|
| - local_certificate, key_pair_, host_secret_hash_));
|
| #if defined(OS_POSIX)
|
| // On Linux and Mac, perform a PAM authorization step after authentication.
|
| factory.reset(new PamAuthorizationFactory(factory.Pass()));
|
| @@ -742,6 +767,16 @@ void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) {
|
| &bool_value)) {
|
| restart_required |= OnCurtainPolicyUpdate(bool_value);
|
| }
|
| + std::string token_url_string, token_validation_url_string;
|
| + if (policies->GetString(
|
| + policy_hack::PolicyWatcher::kHostTokenUrlPolicyName,
|
| + &token_url_string) &&
|
| + policies->GetString(
|
| + policy_hack::PolicyWatcher::kHostTokenValidationUrlPolicyName,
|
| + &token_validation_url_string)) {
|
| + restart_required |= OnHostTokenUrlPolicyUpdate(
|
| + GURL(token_url_string), GURL(token_validation_url_string));
|
| + }
|
|
|
| if (state_ == HOST_INITIALIZING) {
|
| StartHost();
|
| @@ -865,6 +900,26 @@ bool HostProcess::OnHostTalkGadgetPrefixPolicyUpdate(
|
| return false;
|
| }
|
|
|
| +bool HostProcess::OnHostTokenUrlPolicyUpdate(
|
| + const GURL& token_url,
|
| + const GURL& token_validation_url) {
|
| + // Returns true if the host has to be restarted after this policy update.
|
| + DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
|
| +
|
| + if (token_url_ != token_url ||
|
| + token_validation_url_ != token_validation_url) {
|
| + LOG(INFO) << "Policy sets third-party token URLs: "
|
| + << "TokenUrl: " << token_url << ", "
|
| + << "TokenValidationUrl: " << token_validation_url;
|
| +
|
| + token_url_ = token_url;
|
| + token_validation_url_ = token_validation_url;
|
| + return true;
|
| + }
|
| +
|
| + return false;
|
| +}
|
| +
|
| void HostProcess::StartHost() {
|
| DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
|
| DCHECK(!host_);
|
|
|
Chromium Code Reviews
Issue 12313085:
Host-side third party token validation (Closed)
Base URL: http://git.chromium.org/chromium/src.git@third_party_auth_protocol