1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/bind.h"
6 #include "net/base/net_errors.h"
7 #include "remoting/base/rsa_key_pair.h"
8 #include "remoting/protocol/authenticator_test_base.h"
9 #include "remoting/protocol/channel_authenticator.h"
10 #include "remoting/protocol/connection_tester.h"
11 #include "remoting/protocol/fake_authenticator.h"
12 #include "remoting/protocol/third_party_authenticator_base.h"
13 #include "remoting/protocol/third_party_client_authenticator.h"
14 #include "remoting/protocol/third_party_host_authenticator.h"
15 #include "remoting/protocol/token_validator.h"
16 #include "testing/gmock/include/gmock/gmock.h"
17 #include "testing/gtest/include/gtest/gtest.h"
18 #include "third_party/libjingle/source/talk/xmllite/xmlelement.h"
19
20 using testing::_;
21 using testing::DeleteArg;
22 using testing::SaveArg;
23
24 namespace {
25
26 const int kMessageSize = 100;
27 const int kMessages = 1;
28
29 const char kTokenUrl[] = "https://example.com/Issue";
30 const char kTokenScope[] = "host:a@b.com/1 client:a@b.com/2";
31 const char kToken[] = "abc123456xyz789";
32 const char kSharedSecret[] = "1234-1234-5678";
33 const char kSharedSecretBad[] = "0000-0000-0001";
34
35 } // namespace
36
37 namespace remoting {
38 namespace protocol {
39
40 class ThirdPartyAuthenticatorTest : public AuthenticatorTestBase {
41 class FakeTokenFetcher : public ThirdPartyClientAuthenticator::TokenFetcher {
42 public:
FetchThirdPartyToken(const GURL & token_url,const std::string & scope,const TokenFetchedCallback & token_fetched_callback)43 virtual void FetchThirdPartyToken(
44 const GURL& token_url,
45 const std::string& scope,
46 const TokenFetchedCallback& token_fetched_callback) OVERRIDE {
47 ASSERT_EQ(token_url.spec(), kTokenUrl);
48 ASSERT_EQ(scope, kTokenScope);
49 ASSERT_FALSE(token_fetched_callback.is_null());
50 on_token_fetched_ = token_fetched_callback;
51 }
52
OnTokenFetched(const std::string & token,const std::string & shared_secret)53 void OnTokenFetched(const std::string& token,
54 const std::string& shared_secret) {
55 ASSERT_FALSE(on_token_fetched_.is_null());
56 TokenFetchedCallback on_token_fetched = on_token_fetched_;
57 on_token_fetched_.Reset();
58 on_token_fetched.Run(token, shared_secret);
59 }
60
61 private:
62 TokenFetchedCallback on_token_fetched_;
63 };
64
65 class FakeTokenValidator : public TokenValidator {
66 public:
FakeTokenValidator()67 FakeTokenValidator()
68 : token_url_(kTokenUrl),
69 token_scope_(kTokenScope) {}
70
~FakeTokenValidator()71 virtual ~FakeTokenValidator() {}
72
ValidateThirdPartyToken(const std::string & token,const TokenValidatedCallback & token_validated_callback)73 virtual void ValidateThirdPartyToken(
74 const std::string& token,
75 const TokenValidatedCallback& token_validated_callback) OVERRIDE {
76 ASSERT_FALSE(token_validated_callback.is_null());
77 on_token_validated_ = token_validated_callback;
78 }
79
OnTokenValidated(const std::string & shared_secret)80 void OnTokenValidated(const std::string& shared_secret) {
81 ASSERT_FALSE(on_token_validated_.is_null());
82 TokenValidatedCallback on_token_validated = on_token_validated_;
83 on_token_validated_.Reset();
84 on_token_validated.Run(shared_secret);
85 }
86
token_url() const87 virtual const GURL& token_url() const OVERRIDE {
88 return token_url_;
89 }
90
token_scope() const91 virtual const std::string& token_scope() const OVERRIDE {
92 return token_scope_;
93 }
94
95 private:
96 GURL token_url_;
97 std::string token_scope_;
98 base::Callback<void(const std::string& shared_secret)> on_token_validated_;
99 };
100
101 public:
ThirdPartyAuthenticatorTest()102 ThirdPartyAuthenticatorTest() {}
~ThirdPartyAuthenticatorTest()103 virtual ~ThirdPartyAuthenticatorTest() {}
104
105 protected:
InitAuthenticators()106 void InitAuthenticators() {
107 scoped_ptr<TokenValidator> token_validator(new FakeTokenValidator());
108 token_validator_ = static_cast<FakeTokenValidator*>(token_validator.get());
109 host_.reset(new ThirdPartyHostAuthenticator(
110 host_cert_, key_pair_, token_validator.Pass()));
111 scoped_ptr<ThirdPartyClientAuthenticator::TokenFetcher>
112 token_fetcher(new FakeTokenFetcher());
113 token_fetcher_ = static_cast<FakeTokenFetcher*>(token_fetcher.get());
114 client_.reset(new ThirdPartyClientAuthenticator(token_fetcher.Pass()));
115 }
116
117 FakeTokenFetcher* token_fetcher_;
118 FakeTokenValidator* token_validator_;
119
120 private:
121 DISALLOW_COPY_AND_ASSIGN(ThirdPartyAuthenticatorTest);
122 };
123
124 // These tests use net::SSLServerSocket which is not implemented for OpenSSL.
125 #if defined(USE_OPENSSL)
126 #define MAYBE(x) DISABLED_##x
127 #else
128 #define MAYBE(x) x
129 #endif
130
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (SuccessfulAuth))131 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(SuccessfulAuth)) {
132 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
133 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
134 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
135 ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
136 kToken, kSharedSecret));
137 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
138 ASSERT_NO_FATAL_FAILURE(
139 token_validator_->OnTokenValidated(kSharedSecret));
140
141 // Both sides have finished.
142 ASSERT_EQ(Authenticator::ACCEPTED, host_->state());
143 ASSERT_EQ(Authenticator::ACCEPTED, client_->state());
144
145 // An authenticated channel can be created after the authentication.
146 client_auth_ = client_->CreateChannelAuthenticator();
147 host_auth_ = host_->CreateChannelAuthenticator();
148 RunChannelAuth(false);
149
150 StreamConnectionTester tester(host_socket_.get(), client_socket_.get(),
151 kMessageSize, kMessages);
152
153 tester.Start();
154 message_loop_.Run();
155 tester.CheckResults();
156 }
157
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (ClientNoSecret))158 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(ClientNoSecret)) {
159 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
160 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
161 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
162 ASSERT_NO_FATAL_FAILURE(
163 token_fetcher_->OnTokenFetched(kToken, std::string()));
164
165 // The end result is that the client rejected the connection, since it
166 // couldn't fetch the secret.
167 ASSERT_EQ(Authenticator::REJECTED, client_->state());
168 }
169
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (InvalidToken))170 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(InvalidToken)) {
171 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
172 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
173 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
174 ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
175 kToken, kSharedSecret));
176 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
177 ASSERT_NO_FATAL_FAILURE(token_validator_->OnTokenValidated(std::string()));
178
179 // The end result is that the host rejected the token.
180 ASSERT_EQ(Authenticator::REJECTED, host_->state());
181 }
182
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (CannotFetchToken))183 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(CannotFetchToken)) {
184 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
185 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
186 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
187 ASSERT_NO_FATAL_FAILURE(
188 token_fetcher_->OnTokenFetched(std::string(), std::string()));
189
190 // The end result is that the client rejected the connection, since it
191 // couldn't fetch the token.
192 ASSERT_EQ(Authenticator::REJECTED, client_->state());
193 }
194
195 // Test that negotiation stops when the fake authentication is rejected.
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (HostBadSecret))196 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(HostBadSecret)) {
197 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
198 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
199 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
200 ASSERT_NO_FATAL_FAILURE(token_fetcher_->OnTokenFetched(
201 kToken, kSharedSecret));
202 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
203 ASSERT_NO_FATAL_FAILURE(
204 token_validator_->OnTokenValidated(kSharedSecretBad));
205
206 // The end result is that the host rejected the fake authentication.
207 ASSERT_EQ(Authenticator::REJECTED, client_->state());
208 }
209
TEST_F(ThirdPartyAuthenticatorTest,MAYBE (ClientBadSecret))210 TEST_F(ThirdPartyAuthenticatorTest, MAYBE(ClientBadSecret)) {
211 ASSERT_NO_FATAL_FAILURE(InitAuthenticators());
212 ASSERT_NO_FATAL_FAILURE(RunHostInitiatedAuthExchange());
213 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, client_->state());
214 ASSERT_NO_FATAL_FAILURE(
215 token_fetcher_->OnTokenFetched(kToken, kSharedSecretBad));
216 ASSERT_EQ(Authenticator::PROCESSING_MESSAGE, host_->state());
217 ASSERT_NO_FATAL_FAILURE(
218 token_validator_->OnTokenValidated(kSharedSecret));
219
220 // The end result is that the host rejected the fake authentication.
221 ASSERT_EQ(Authenticator::REJECTED, client_->state());
222 }
223
224 } // namespace protocol
225 } // namespace remoting
226