// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/protocol/negotiating_client_authenticator.h"
#include <algorithm>
#include <sstream>
#include "base/bind.h"
#include "base/callback.h"
#include "base/logging.h"
#include "base/strings/string_split.h"
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/pairing_client_authenticator.h"
#include "remoting/protocol/v2_authenticator.h"
#include "third_party/libjingle/source/talk/xmllite/xmlelement.h"
namespace remoting {
namespace protocol {
NegotiatingClientAuthenticator::NegotiatingClientAuthenticator(
const std::string& client_pairing_id,
const std::string& shared_secret,
const std::string& authentication_tag,
const FetchSecretCallback& fetch_secret_callback,
scoped_ptr<ThirdPartyClientAuthenticator::TokenFetcher> token_fetcher,
const std::vector<AuthenticationMethod>& methods)
: NegotiatingAuthenticatorBase(MESSAGE_READY),
client_pairing_id_(client_pairing_id),
shared_secret_(shared_secret),
authentication_tag_(authentication_tag),
fetch_secret_callback_(fetch_secret_callback),
token_fetcher_(token_fetcher.Pass()),
method_set_by_host_(false),
weak_factory_(this) {
DCHECK(!methods.empty());
for (std::vector<AuthenticationMethod>::const_iterator it = methods.begin();
it != methods.end(); ++it) {
AddMethod(*it);
}
}
NegotiatingClientAuthenticator::~NegotiatingClientAuthenticator() {
}
void NegotiatingClientAuthenticator::ProcessMessage(
const buzz::XmlElement* message,
const base::Closure& resume_callback) {
DCHECK_EQ(state(), WAITING_MESSAGE);
std::string method_attr = message->Attr(kMethodAttributeQName);
AuthenticationMethod method = AuthenticationMethod::FromString(method_attr);
// The host picked a method different from the one the client had selected.
if (method != current_method_) {
// The host must pick a method that is valid and supported by the client,
// and it must not change methods after it has picked one.
if (method_set_by_host_ || !method.is_valid() ||
std::find(methods_.begin(), methods_.end(), method) == methods_.end()) {
state_ = REJECTED;
rejection_reason_ = PROTOCOL_ERROR;
resume_callback.Run();
return;
}
current_method_ = method;
method_set_by_host_ = true;
state_ = PROCESSING_MESSAGE;
// Copy the message since the authenticator may process it asynchronously.
base::Closure callback = base::Bind(
&NegotiatingAuthenticatorBase::ProcessMessageInternal,
base::Unretained(this), base::Owned(new buzz::XmlElement(*message)),
resume_callback);
CreateAuthenticatorForCurrentMethod(WAITING_MESSAGE, callback);
return;
}
ProcessMessageInternal(message, resume_callback);
}
scoped_ptr<buzz::XmlElement> NegotiatingClientAuthenticator::GetNextMessage() {
DCHECK_EQ(state(), MESSAGE_READY);
// This is the first message to the host, send a list of supported methods.
if (!current_method_.is_valid()) {
// If no authentication method has been chosen, see if we can optimistically
// choose one.
scoped_ptr<buzz::XmlElement> result;
CreatePreferredAuthenticator();
if (current_authenticator_) {
DCHECK(current_authenticator_->state() == MESSAGE_READY);
result = GetNextMessageInternal();
} else {
result = CreateEmptyAuthenticatorMessage();
}
// Include a list of supported methods.
std::stringstream supported_methods(std::stringstream::out);
for (std::vector<AuthenticationMethod>::iterator it = methods_.begin();
it != methods_.end(); ++it) {
if (it != methods_.begin())
supported_methods << kSupportedMethodsSeparator;
supported_methods << it->ToString();
}
result->AddAttr(kSupportedMethodsAttributeQName, supported_methods.str());
state_ = WAITING_MESSAGE;
return result.Pass();
}
return GetNextMessageInternal();
}
void NegotiatingClientAuthenticator::CreateAuthenticatorForCurrentMethod(
Authenticator::State preferred_initial_state,
const base::Closure& resume_callback) {
DCHECK(current_method_.is_valid());
if (current_method_.type() == AuthenticationMethod::THIRD_PARTY) {
// |ThirdPartyClientAuthenticator| takes ownership of |token_fetcher_|.
// The authentication method negotiation logic should guarantee that only
// one |ThirdPartyClientAuthenticator| will need to be created per session.
DCHECK(token_fetcher_);
current_authenticator_.reset(new ThirdPartyClientAuthenticator(
token_fetcher_.Pass()));
resume_callback.Run();
} else {
DCHECK(current_method_.type() == AuthenticationMethod::SPAKE2 ||
current_method_.type() == AuthenticationMethod::SPAKE2_PAIR);
bool pairing_supported =
(current_method_.type() == AuthenticationMethod::SPAKE2_PAIR);
SecretFetchedCallback callback = base::Bind(
&NegotiatingClientAuthenticator::CreateV2AuthenticatorWithSecret,
weak_factory_.GetWeakPtr(), preferred_initial_state, resume_callback);
fetch_secret_callback_.Run(pairing_supported, callback);
}
}
void NegotiatingClientAuthenticator::CreatePreferredAuthenticator() {
if (!client_pairing_id_.empty() && !shared_secret_.empty() &&
std::find(methods_.begin(), methods_.end(),
AuthenticationMethod::Spake2Pair()) != methods_.end()) {
// If the client specified a pairing id and shared secret, then create a
// PairingAuthenticator.
current_authenticator_.reset(new PairingClientAuthenticator(
client_pairing_id_, shared_secret_, fetch_secret_callback_,
authentication_tag_));
current_method_ = AuthenticationMethod::Spake2Pair();
}
}
void NegotiatingClientAuthenticator::CreateV2AuthenticatorWithSecret(
Authenticator::State initial_state,
const base::Closure& resume_callback,
const std::string& shared_secret) {
current_authenticator_ = V2Authenticator::CreateForClient(
AuthenticationMethod::ApplyHashFunction(
current_method_.hash_function(), authentication_tag_, shared_secret),
initial_state);
resume_callback.Run();
}
} // namespace protocol
} // namespace remoting