// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef REMOTING_PROTOCOL_THIRD_PARTY_HOST_AUTHENTICATOR_H_
#define REMOTING_PROTOCOL_THIRD_PARTY_HOST_AUTHENTICATOR_H_

#include <string>

#include "base/callback.h"
#include "base/memory/scoped_ptr.h"
#include "remoting/protocol/third_party_authenticator_base.h"
#include "url/gurl.h"

namespace remoting {

class RsaKeyPair;

namespace protocol {

// Implements the host side of the third-party authentication mechanism.
//
// Flow:
//   1. The host sends the |token_url| and |token_scope| obtained from its
//      |TokenValidator| to the client (AddTokenElements).
//   2. The client fetches a token from that URL and returns it; the host
//      receives it in ProcessTokenMessage.
//   3. The host hands the token to |TokenValidator| asynchronously, which
//      validates it with the token server and exchanges it for a
//      |shared_secret| (OnThirdPartyTokenValidated).
//   4. The host uses the |shared_secret| to create the underlying
//      |V2Authenticator|, which establishes the encrypted connection.
//
// Security notes:
//   * The token received from the client is never trusted directly: it is
//     only accepted after the host-side |TokenValidator| has validated it and
//     the token server has returned a shared secret.
//   * |token_url| and |token_scope| originate from the host's configured
//     |TokenValidator|, not from anything the client sends.
//   * A failed validation is signalled by an empty |shared_secret|; the host
//     must treat that as an authentication failure rather than feeding an
//     empty secret into the V2Authenticator.
class ThirdPartyHostAuthenticator : public ThirdPartyAuthenticatorBase {
 public:
  // Host-side interface to the third-party token server. Implementations
  // perform the actual token validation and token -> shared-secret exchange.
  class TokenValidator {
   public:
    // Callback passed to |ValidateThirdPartyToken|, and called once the host
    // authentication finishes. |shared_secret| should be used by the host to
    // create a V2Authenticator. In case of failure, the callback is called
    // with an empty |shared_secret|; callers must check for that and abort
    // the authentication instead of continuing with an empty secret.
    typedef base::Callback<void(
        const std::string& shared_secret)> TokenValidatedCallback;

    virtual ~TokenValidator() {}

    // Validates |token| with the server and exchanges it for a |shared_secret|.
    // |token_validated_callback| is called when the host authentication ends,
    // in the same thread |ValidateThirdPartyToken| was originally called.
    // The request is canceled if this object is destroyed.
    // NOTE(review): whether a pending callback is guaranteed not to fire after
    // destruction is implied by "canceled" but not spelled out here — confirm
    // against the implementations before relying on it for lifetime safety.
    virtual void ValidateThirdPartyToken(
        const std::string& token,
        const TokenValidatedCallback& token_validated_callback) = 0;

    // URL sent to the client, to be used by its |TokenFetcher| to get a token.
    // This is host-configured; the client has no influence over it.
    virtual const GURL& token_url() const = 0;

    // Space-separated list of connection attributes the host must send to the
    // client, and require the token received in response to match. The scope
    // is built from the connection's JIDs (see |CreateTokenValidator|), which
    // is intended to bind a token to one specific host/client pair.
    virtual const std::string& token_scope() const = 0;
  };

  // Creates per-connection |TokenValidator| instances.
  class TokenValidatorFactory {
   public:
    virtual ~TokenValidatorFactory() {}

    // Creates a TokenValidator. |local_jid| and |remote_jid| are used to create
    // a token scope that is restricted to the current connection's JIDs.
    // Returns an owning pointer; the caller takes ownership.
    virtual scoped_ptr<TokenValidator> CreateTokenValidator(
        const std::string& local_jid,
        const std::string& remote_jid) = 0;
  };

  // Creates a third-party host authenticator. |local_cert| and |key_pair| are
  // used by the underlying V2Authenticator to create the SSL channels.
  // |token_validator| contains the token parameters to be sent to the client
  // and is used to obtain the shared secret; ownership is transferred to this
  // object (it is destroyed with the authenticator, which also cancels any
  // in-flight validation request).
  ThirdPartyHostAuthenticator(const std::string& local_cert,
                              scoped_refptr<RsaKeyPair> key_pair,
                              scoped_ptr<TokenValidator> token_validator);
  virtual ~ThirdPartyHostAuthenticator();

 protected:
  // ThirdPartyAuthenticatorBase implementation.

  // Handles the client's token message: extracts the token and starts the
  // asynchronous validation via |token_validator_|. |resume_callback| is
  // invoked once validation completes so the base state machine can continue.
  virtual void ProcessTokenMessage(
      const buzz::XmlElement* message,
      const base::Closure& resume_callback) OVERRIDE;
  // Adds the host's |token_url| and |token_scope| to the outgoing |message|.
  virtual void AddTokenElements(buzz::XmlElement* message) OVERRIDE;

 private:
  // Completion handler for |TokenValidator::ValidateThirdPartyToken|. Receives
  // the original |message| and |resume_callback| from ProcessTokenMessage plus
  // the |shared_secret| (empty on failure).
  // NOTE(review): |message| is a raw pointer carried across an async hop; its
  // owner must keep it alive until this callback runs (or the request is
  // canceled by destroying |token_validator_|). Confirm in the .cc.
  void OnThirdPartyTokenValidated(const buzz::XmlElement* message,
                                  const base::Closure& resume_callback,
                                  const std::string& shared_secret);

  // Host certificate and key used for the V2Authenticator's SSL channels.
  std::string local_cert_;
  scoped_refptr<RsaKeyPair> key_pair_;
  // Owned; supplies token_url/token_scope and performs token validation.
  scoped_ptr<TokenValidator> token_validator_;

  DISALLOW_COPY_AND_ASSIGN(ThirdPartyHostAuthenticator);
};

}  // namespace protocol
}  // namespace remoting

#endif  // REMOTING_PROTOCOL_THIRD_PARTY_HOST_AUTHENTICATOR_H_