
Unified Diff: remoting/host/remoting_me2me_host.cc

Issue 1838313002: Restart the host when the third party auth certificate changes (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Applied Feedback From sergeyu@ Created 4 years, 9 months ago
Index: remoting/host/remoting_me2me_host.cc
diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc
index 2460328157713065969fef344a444be07d218ae1..f55d1726abe7b270dbb746945462a19c13ac8890 100644
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -115,6 +115,7 @@
#undef Status // Xlib.h #defines this, which breaks protobuf headers.
#include <base/linux_util.h>
#include "remoting/host/audio_capturer_linux.h"
+#include "remoting/host/linux/certificate_watcher.h"
#endif // defined(OS_LINUX)
#if defined(OS_WIN)
@@ -179,6 +180,10 @@ const int kShutdownTimeoutSeconds = 15;
// before continuing normal process shutdown.
const int kHostOfflineReasonTimeoutSeconds = 10;
+// Delay time to shutdown the host when a change of NSS database is detected.
+// This is to repeating restarts when continuous writes to the database occur.
+const int kCertUpdateShutdownDelaySeconds = 2;
+
// Host offline reasons not associated with shutting down the host process
// and therefore not expressible through HostExitCodes enum.
const char kHostOfflineReasonPolicyReadError[] = "POLICY_READ_ERROR";
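Review bot: The comment on `kCertUpdateShutdownDelaySeconds` is missing a verb ("This is to repeating restarts"), so the reason for the delay is not readable. Suggested wording: `// Delay before shutting down the host after a change to the NSS database is detected.` followed by `// This avoids repeated restarts while the database is being written continuously.` It would also help to say whether the delay is restarted by each new write or counted from the first one, since that decides how long a stale certificate can stay in use.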
@@ -270,6 +275,7 @@ class HostProcess : public ConfigWatcher::Delegate,
IPC::PlatformFileForTransit unprivileged_key);
private:
+
Sergey Ulanov 2016/03/30 21:02:46 don't need this empty line.
Yuwei 2016/03/31 17:40:06 Done.
// See SetState method for a list of allowed state transitions.
enum HostState {
// Waiting for valid config and policies to be read from the disk.
@@ -366,6 +372,9 @@ class HostProcess : public ConfigWatcher::Delegate,
// Error handler for SignalingConnector.
void OnAuthFailed();
+ // Handler for NSS certificate update event when the host is running.
Sergey Ulanov 2016/03/30 21:02:46 Suggest not referring to NSS in this file. The hos
Yuwei 2016/03/31 17:40:06 Done.
+ void OnNSSCertificateUpdate();
Sergey Ulanov 2016/03/30 21:02:46 Suggest renaming to "OnHostRestartRequested".
Yuwei 2016/03/31 17:40:06 Done.
+
void RestartHost(const std::string& host_offline_reason);
void ShutdownHost(HostExitCodes exit_code);
@@ -390,6 +399,11 @@ class HostProcess : public ConfigWatcher::Delegate,
scoped_ptr<ChromotingHostContext> context_;
+#if defined(OS_LINUX)
+ // Watch for NSS database changes and kill the host when changes occur
+ CertificateWatcher cert_watcher_;
+#endif
+
// XMPP server/remoting bot configuration (initialized from the command line).
XmppSignalStrategy::XmppServerConfig xmpp_server_config_;
std::string directory_bot_jid_;
@@ -483,6 +497,10 @@ HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
int* exit_code_out,
ShutdownWatchdog* shutdown_watchdog)
: context_(std::move(context)),
+#if defined(OS_LINUX)
+ cert_watcher_(kCertUpdateShutdownDelaySeconds,
+ base::Bind(&HostProcess::OnNSSCertificateUpdate, this)),
+#endif
state_(HOST_STARTING),
use_service_account_(false),
enable_vp9_(false),
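Review bot: Binding `this` into a callback that is then stored in the member `cert_watcher_` looks like a lifetime hazard in this initializer list. Since `base::Bind(&HostProcess::OnNSSCertificateUpdate, this)` is written without `base::Unretained`, HostProcess is presumably reference-counted (its base classes are outside the hunk). In that case the callback holds a reference to the object that owns it, and the object is never destroyed unless the watcher drops the callback. The reference is also taken while the constructor is still running. Consider releasing the callback on the shutdown path or binding a weak pointer, and record the chosen ownership in a comment such as `// cert_watcher_ holds a reference to |this|; it must be stopped before shutdown completes.`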
@@ -807,6 +825,10 @@ void HostProcess::CreateAuthenticatorFactory() {
DCHECK(third_party_auth_config_.token_url.is_valid());
DCHECK(third_party_auth_config_.token_validation_url.is_valid());
+#if defined(OS_LINUX)
+ cert_watcher_.StartOn(context_->file_task_runner(), host_->AsWeakPtr());
+#endif
+
scoped_refptr<protocol::TokenValidatorFactory> token_validator_factory =
new TokenValidatorFactoryImpl(third_party_auth_config_, key_pair_,
context_->url_request_context_getter());
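Review bot: `cert_watcher_.StartOn(...)` dereferences `host_` unconditionally and runs each time CreateAuthenticatorFactory() reaches the third-party auth path. The start of the function is outside the hunk, so it is not visible whether `host_` is guaranteed to be set here. It is also not visible whether the function can run more than once, for example after a configuration or policy change. If either can happen, add `DCHECK(host_);` before the call and make a repeated start a no-op. A one-line comment such as `// The watcher is only needed when third-party auth is in use.` would explain why the call sits in this branch.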
@@ -1705,6 +1727,16 @@ void HostProcess::OnCrash(const std::string& function_name,
CHECK(false) << message;
}
+void HostProcess::OnNSSCertificateUpdate() {
+ // restarts(shutdowns) the server when the certificate is updated
+ if (!context_->network_task_runner()->BelongsToCurrentThread()) {
+ context_->network_task_runner()->PostTask(FROM_HERE,
+ base::Bind(&HostProcess::OnNSSCertificateUpdate, this));
+ return;
+ }
+ ShutdownHost(kSuccessExitCode);
+}
+
int HostProcessMain() {
HOST_LOG << "Starting host process: version " << STRINGIZE(VERSION);
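Review bot: OnNSSCertificateUpdate() exits the host without logging why, so the host log shows only a clean exit with `kSuccessExitCode` and no record that a certificate change triggered it. Add a line before the ShutdownHost call, e.g. `HOST_LOG << "Certificate was updated. Shutting down the host so it restarts with the new certificate.";`. The comment says "restarts" while the code calls ShutdownHost rather than RestartHost, which presumably relies on an external supervisor to relaunch the process. State that in the comment, e.g. `// Shuts the host down; the daemon is expected to relaunch it with the updated certificate.`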
