#include "remoting/base/constants.h"
#include "remoting/base/logging.h"
#include "remoting/base/rsa_key_pair.h"
+#include "remoting/base/util.h"
#include "remoting/host/branding.h"
#include "remoting/host/chromoting_host.h"
#include "remoting/host/chromoting_host_context.h"
#include "remoting/jingle_glue/xmpp_signal_strategy.h"
#include "remoting/protocol/me2me_host_authenticator_factory.h"
#include "remoting/protocol/pairing_registry.h"
+#include "remoting/protocol/token_validator.h"
#if defined(OS_POSIX)
#include <signal.h>
// The command line switch used to pass name of the pipe to capture audio on
// linux.
const char kAudioPipeSwitchName[] = "audio-pipe-name";
+
+// The command line switch used to pass name of the unix domain socket used to
+// listen for gnubby requests.
+const char kAuthSocknameSwitchName[] = "ssh-auth-sockname";
#endif // defined(OS_LINUX)
// The command line switch used by the parent to request the host to signal it
bool OnUsernamePolicyUpdate(bool curtain_required,
bool username_match_required);
bool OnNatPolicyUpdate(bool nat_traversal_enabled);
+ bool OnRelayPolicyUpdate(bool allow_relay);
+ bool OnUdpPortPolicyUpdate(const std::string& udp_port_range);
void OnCurtainPolicyUpdate(bool curtain_required);
bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
bool OnHostTokenUrlPolicyUpdate(
const GURL& token_validation_url,
const std::string& token_validation_cert_issuer);
bool OnPairingPolicyUpdate(bool pairing_enabled);
+ bool OnGnubbyAuthPolicyUpdate(bool enable_gnubby_auth);
void StartHost();
bool use_service_account_;
scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
bool allow_nat_traversal_;
+ bool allow_relay_;
+ int min_udp_port_;
+ int max_udp_port_;
std::string talkgadget_prefix_;
bool allow_pairing_;
bool curtain_required_;
ThirdPartyAuthConfig third_party_auth_config_;
+ bool enable_gnubby_auth_;
scoped_ptr<OAuthTokenGetter> oauth_token_getter_;
scoped_ptr<XmppSignalStrategy> signal_strategy_;
state_(HOST_INITIALIZING),
use_service_account_(false),
allow_nat_traversal_(true),
+ allow_relay_(true),
+ min_udp_port_(0),
+ max_udp_port_(0),
allow_pairing_(true),
curtain_required_(false),
+ enable_gnubby_auth_(false),
#if defined(REMOTING_MULTI_PROCESS)
desktop_session_connector_(NULL),
#endif // defined(REMOTING_MULTI_PROCESS)
host_secret_hash_, pairing_registry);
} else if (third_party_auth_config_.is_valid()) {
- scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory>
- token_validator_factory(new TokenValidatorFactoryImpl(
+ scoped_ptr<protocol::TokenValidatorFactory> token_validator_factory(
+ new TokenValidatorFactoryImpl(
third_party_auth_config_,
key_pair_, context_->url_request_context_getter()));
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
remoting::AudioCapturerLinux::InitializePipeReader(
context_->audio_task_runner(), audio_pipe_name);
}
+
+ base::FilePath gnubby_socket_name = CommandLine::ForCurrentProcess()->
+ GetSwitchValuePath(kAuthSocknameSwitchName);
+ if (!gnubby_socket_name.empty())
+ remoting::GnubbyAuthHandler::SetGnubbySocketName(gnubby_socket_name);
#endif // defined(OS_LINUX)
// Create a desktop environment factory appropriate to the build type &
#endif // !defined(OS_WIN)
desktop_environment_factory_.reset(desktop_environment_factory);
+ desktop_environment_factory_->SetEnableGnubbyAuth(enable_gnubby_auth_);
context_->network_task_runner()->PostTask(
FROM_HERE,
&bool_value)) {
restart_required |= OnNatPolicyUpdate(bool_value);
}
+ if (policies->GetBoolean(policy_hack::PolicyWatcher::kRelayPolicyName,
+ &bool_value)) {
+ restart_required |= OnRelayPolicyUpdate(bool_value);
+ }
+ std::string udp_port_range;
+ if (policies->GetString(policy_hack::PolicyWatcher::kUdpPortRangePolicyName,
+ &udp_port_range)) {
+ restart_required |= OnUdpPortPolicyUpdate(udp_port_range);
+ }
+
if (policies->GetString(
policy_hack::PolicyWatcher::kHostTalkGadgetPrefixPolicyName,
&string_value)) {
&bool_value)) {
restart_required |= OnPairingPolicyUpdate(bool_value);
}
+ if (policies->GetBoolean(
+ policy_hack::PolicyWatcher::kHostAllowGnubbyAuthPolicyName,
+ &bool_value))
+ restart_required |= OnGnubbyAuthPolicyUpdate(bool_value);
if (state_ == HOST_INITIALIZING) {
StartHost();
return false;
}
+bool HostProcess::OnRelayPolicyUpdate(bool allow_relay) {
+ // Returns true if the host has to be restarted after this policy update.
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ if (allow_relay_ != allow_relay) {
+ if (allow_relay)
+ HOST_LOG << "Policy enables use of relay server.";
+ else
+ HOST_LOG << "Policy disables use of relay server.";
+ allow_relay_ = allow_relay;
+ return true;
+ }
+ return false;
+}
+
+bool HostProcess::OnUdpPortPolicyUpdate(const std::string& udp_port_range) {
+ // Returns true if the host has to be restarted after this policy update.
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ // Use default values if policy setting is empty or invalid.
+ int min_udp_port = 0;
+ int max_udp_port = 0;
+ if (!udp_port_range.empty() &&
+ !NetworkSettings::ParsePortRange(udp_port_range, &min_udp_port,
+ &max_udp_port)) {
+ LOG(WARNING) << "Invalid port range policy: \"" << udp_port_range
+ << "\". Using default values.";
+ }
+
+ if (min_udp_port_ != min_udp_port || max_udp_port_ != max_udp_port) {
+ if (min_udp_port != 0 && max_udp_port != 0) {
+ HOST_LOG << "Policy restricts UDP port range to [" << min_udp_port
+ << ", " << max_udp_port << "]";
+ } else {
+ HOST_LOG << "Policy does not restrict UDP port range.";
+ }
+ min_udp_port_ = min_udp_port;
+ max_udp_port_ = max_udp_port;
+ return true;
+ }
+ return false;
+}
+
void HostProcess::OnCurtainPolicyUpdate(bool curtain_required) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
return true;
}
+bool HostProcess::OnGnubbyAuthPolicyUpdate(bool enable_gnubby_auth) {
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ if (enable_gnubby_auth_ == enable_gnubby_auth)
+ return false;
+
+ if (enable_gnubby_auth) {
+ HOST_LOG << "Policy enables gnubby auth.";
+ } else {
+ HOST_LOG << "Policy disables gnubby auth.";
+ }
+ enable_gnubby_auth_ = enable_gnubby_auth;
+
+ if (desktop_environment_factory_)
+ desktop_environment_factory_->SetEnableGnubbyAuth(enable_gnubby_auth);
+
+ return true;
+}
+
void HostProcess::StartHost() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_);
signaling_connector_->EnableOAuth(oauth_token_getter_.get());
}
- NetworkSettings network_settings(
- allow_nat_traversal_ ?
- NetworkSettings::NAT_TRAVERSAL_ENABLED :
- NetworkSettings::NAT_TRAVERSAL_DISABLED);
- if (!allow_nat_traversal_) {
+ uint32 network_flags = allow_nat_traversal_ ?
+ NetworkSettings::NAT_TRAVERSAL_STUN : 0;
+
+ if (allow_relay_)
+ network_flags |= NetworkSettings::NAT_TRAVERSAL_RELAY;
+
+ if (allow_relay_ || allow_nat_traversal_)
+ network_flags |= NetworkSettings::NAT_TRAVERSAL_OUTGOING;
+
+ NetworkSettings network_settings(network_flags);
+
+ if (min_udp_port_ && max_udp_port_) {
+ network_settings.min_port = min_udp_port_;
+ network_settings.max_port = max_udp_port_;
+ } else if (!allow_nat_traversal_) {
+ // For legacy reasons we have to restrict the port range to a set of default
+ // values when nat traversal is disabled, even if the port range was not
+ // set in policy.
network_settings.min_port = NetworkSettings::kDefaultMinPort;
network_settings.max_port = NetworkSettings::kDefaultMaxPort;
}