OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 // | 4 // |
5 // This file implements a standalone host process for Me2Me. | 5 // This file implements a standalone host process for Me2Me. |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/at_exit.h" | 9 #include "base/at_exit.h" |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
(...skipping 240 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
251 // Accessed on the network thread. | 251 // Accessed on the network thread. |
252 HostState state_; | 252 HostState state_; |
253 | 253 |
254 scoped_ptr<ConfigFileWatcher> config_watcher_; | 254 scoped_ptr<ConfigFileWatcher> config_watcher_; |
255 | 255 |
256 std::string host_id_; | 256 std::string host_id_; |
257 protocol::SharedSecretHash host_secret_hash_; | 257 protocol::SharedSecretHash host_secret_hash_; |
258 scoped_refptr<RsaKeyPair> key_pair_; | 258 scoped_refptr<RsaKeyPair> key_pair_; |
259 std::string oauth_refresh_token_; | 259 std::string oauth_refresh_token_; |
260 std::string serialized_config_; | 260 std::string serialized_config_; |
| 261 std::string host_owner_; |
261 std::string xmpp_login_; | 262 std::string xmpp_login_; |
| 263 bool use_service_account_; |
262 std::string xmpp_auth_token_; | 264 std::string xmpp_auth_token_; |
263 std::string xmpp_auth_service_; | 265 std::string xmpp_auth_service_; |
264 scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_; | 266 scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_; |
265 bool allow_nat_traversal_; | 267 bool allow_nat_traversal_; |
266 std::string talkgadget_prefix_; | 268 std::string talkgadget_prefix_; |
267 | 269 |
268 bool curtain_required_; | 270 bool curtain_required_; |
269 GURL token_url_; | 271 GURL token_url_; |
270 GURL token_validation_url_; | 272 GURL token_validation_url_; |
271 | 273 |
(...skipping 14 matching lines...) Expand all Loading... |
286 #endif // defined(REMOTING_MULTI_PROCESS) | 288 #endif // defined(REMOTING_MULTI_PROCESS) |
287 | 289 |
288 int* exit_code_out_; | 290 int* exit_code_out_; |
289 bool signal_parent_; | 291 bool signal_parent_; |
290 }; | 292 }; |
291 | 293 |
292 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context, | 294 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context, |
293 int* exit_code_out) | 295 int* exit_code_out) |
294 : context_(context.Pass()), | 296 : context_(context.Pass()), |
295 state_(HOST_INITIALIZING), | 297 state_(HOST_INITIALIZING), |
| 298 use_service_account_(false), |
296 allow_nat_traversal_(true), | 299 allow_nat_traversal_(true), |
297 curtain_required_(false), | 300 curtain_required_(false), |
298 #if defined(REMOTING_MULTI_PROCESS) | 301 #if defined(REMOTING_MULTI_PROCESS) |
299 desktop_session_connector_(NULL), | 302 desktop_session_connector_(NULL), |
300 #endif // defined(REMOTING_MULTI_PROCESS) | 303 #endif // defined(REMOTING_MULTI_PROCESS) |
301 self_(this), | 304 self_(this), |
302 exit_code_out_(exit_code_out), | 305 exit_code_out_(exit_code_out), |
303 signal_parent_(false) { | 306 signal_parent_(false) { |
304 StartOnUiThread(); | 307 StartOnUiThread(); |
305 } | 308 } |
(...skipping 172 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
478 } | 481 } |
479 | 482 |
480 // TODO(jamiewalch): Create a pairing registry here once all the code | 483 // TODO(jamiewalch): Create a pairing registry here once all the code |
481 // is committed. | 484 // is committed. |
482 scoped_refptr<remoting::protocol::PairingRegistry> pairing_registry = NULL; | 485 scoped_refptr<remoting::protocol::PairingRegistry> pairing_registry = NULL; |
483 | 486 |
484 scoped_ptr<protocol::AuthenticatorFactory> factory; | 487 scoped_ptr<protocol::AuthenticatorFactory> factory; |
485 | 488 |
486 if (token_url_.is_empty() && token_validation_url_.is_empty()) { | 489 if (token_url_.is_empty() && token_validation_url_.is_empty()) { |
487 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( | 490 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( |
488 local_certificate, key_pair_, host_secret_hash_, pairing_registry); | 491 host_owner_, local_certificate, key_pair_, host_secret_hash_, |
| 492 pairing_registry); |
489 | 493 |
490 } else if (token_url_.is_valid() && token_validation_url_.is_valid()) { | 494 } else if (token_url_.is_valid() && token_validation_url_.is_valid()) { |
491 scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory> | 495 scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory> |
492 token_validator_factory(new TokenValidatorFactoryImpl( | 496 token_validator_factory(new TokenValidatorFactoryImpl( |
493 token_url_, token_validation_url_, key_pair_, | 497 token_url_, token_validation_url_, key_pair_, |
494 context_->url_request_context_getter())); | 498 context_->url_request_context_getter())); |
495 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( | 499 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
496 local_certificate, key_pair_, token_validator_factory.Pass()); | 500 host_owner_, local_certificate, key_pair_, |
| 501 token_validator_factory.Pass()); |
497 | 502 |
498 } else { | 503 } else { |
499 // TODO(rmsousa): If the policy is bad the host should not go online. It | 504 // TODO(rmsousa): If the policy is bad the host should not go online. It |
500 // should keep running, but not connected, until the policies are fixed. | 505 // should keep running, but not connected, until the policies are fixed. |
501 // Having it show up as online and then reject all clients is misleading. | 506 // Having it show up as online and then reject all clients is misleading. |
502 LOG(ERROR) << "One of the third-party token URLs is empty or invalid. " | 507 LOG(ERROR) << "One of the third-party token URLs is empty or invalid. " |
503 << "Host will reject all clients until policies are corrected. " | 508 << "Host will reject all clients until policies are corrected. " |
504 << "TokenUrl: " << token_url_ << ", " | 509 << "TokenUrl: " << token_url_ << ", " |
505 << "TokenValidationUrl: " << token_validation_url_; | 510 << "TokenValidationUrl: " << token_validation_url_; |
506 factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting(); | 511 factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting(); |
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
689 if (!oauth_refresh_token_.empty()) { | 694 if (!oauth_refresh_token_.empty()) { |
690 xmpp_auth_token_ = ""; // This will be set to the access token later. | 695 xmpp_auth_token_ = ""; // This will be set to the access token later. |
691 xmpp_auth_service_ = "oauth2"; | 696 xmpp_auth_service_ = "oauth2"; |
692 } else if (!config->GetString(kXmppAuthServiceConfigPath, | 697 } else if (!config->GetString(kXmppAuthServiceConfigPath, |
693 &xmpp_auth_service_)) { | 698 &xmpp_auth_service_)) { |
694 // For the me2me host, we default to ClientLogin token for chromiumsync | 699 // For the me2me host, we default to ClientLogin token for chromiumsync |
695 // because earlier versions of the host had no HTTP stack with which to | 700 // because earlier versions of the host had no HTTP stack with which to |
696 // request an OAuth2 access token. | 701 // request an OAuth2 access token. |
697 xmpp_auth_service_ = kChromotingTokenDefaultServiceName; | 702 xmpp_auth_service_ = kChromotingTokenDefaultServiceName; |
698 } | 703 } |
| 704 |
| 705 if (config->GetString(kHostOwnerConfigPath, &host_owner_)) { |
| 706 // Service account configs have a host_owner, different from the xmpp_login. |
| 707 use_service_account_ = true; |
| 708 } else { |
| 709 // User credential configs only have an xmpp_login, which is also the owner. |
| 710 host_owner_ = xmpp_login_; |
| 711 use_service_account_ = false; |
| 712 } |
699 return true; | 713 return true; |
700 } | 714 } |
701 | 715 |
702 void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) { | 716 void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) { |
703 // TODO(rmsousa): Consolidate all On*PolicyUpdate methods into this one. | 717 // TODO(rmsousa): Consolidate all On*PolicyUpdate methods into this one. |
704 // TODO(sergeyu): Currently polices are verified only when they are loaded. | 718 // TODO(sergeyu): Currently polices are verified only when they are loaded. |
705 // Separate policy loading from policy verifications - this will allow to | 719 // Separate policy loading from policy verifications - this will allow to |
706 // check policies again later, e.g. when host config changes. | 720 // check policies again later, e.g. when host config changes. |
707 | 721 |
708 if (!context_->network_task_runner()->BelongsToCurrentThread()) { | 722 if (!context_->network_task_runner()->BelongsToCurrentThread()) { |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
756 } | 770 } |
757 } | 771 } |
758 | 772 |
759 bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) { | 773 bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) { |
760 // Returns true if the host has to be restarted after this policy update. | 774 // Returns true if the host has to be restarted after this policy update. |
761 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 775 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
762 | 776 |
763 LOG(INFO) << "Policy sets host domain: " << host_domain; | 777 LOG(INFO) << "Policy sets host domain: " << host_domain; |
764 | 778 |
765 if (!host_domain.empty() && | 779 if (!host_domain.empty() && |
766 !EndsWith(xmpp_login_, std::string("@") + host_domain, false)) { | 780 !EndsWith(host_owner_, std::string("@") + host_domain, false)) { |
767 ShutdownHost(kInvalidHostDomainExitCode); | 781 ShutdownHost(kInvalidHostDomainExitCode); |
768 } | 782 } |
769 return false; | 783 return false; |
770 } | 784 } |
771 | 785 |
772 bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required, | 786 bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required, |
773 bool host_username_match_required) { | 787 bool host_username_match_required) { |
774 // Returns false: never restart the host after this policy update. | 788 // Returns false: never restart the host after this policy update. |
775 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 789 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
776 | 790 |
777 if (host_username_match_required) { | 791 if (host_username_match_required) { |
778 LOG(INFO) << "Policy requires host username match."; | 792 LOG(INFO) << "Policy requires host username match."; |
779 std::string username = GetUsername(); | 793 std::string username = GetUsername(); |
780 bool shutdown = username.empty() || | 794 bool shutdown = username.empty() || |
781 !StartsWithASCII(xmpp_login_, username + std::string("@"), | 795 !StartsWithASCII(host_owner_, username + std::string("@"), |
782 false); | 796 false); |
783 | 797 |
784 #if defined(OS_MACOSX) | 798 #if defined(OS_MACOSX) |
785 // On Mac, we run as root at the login screen, so the username won't match. | 799 // On Mac, we run as root at the login screen, so the username won't match. |
786 // However, there's no need to enforce the policy at the login screen, as | 800 // However, there's no need to enforce the policy at the login screen, as |
787 // the client will have to reconnect if a login occurs. | 801 // the client will have to reconnect if a login occurs. |
788 if (shutdown && getuid() == 0) { | 802 if (shutdown && getuid() == 0) { |
789 shutdown = false; | 803 shutdown = false; |
790 } | 804 } |
791 #endif | 805 #endif |
(...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
915 | 929 |
916 signaling_connector_.reset(new SignalingConnector( | 930 signaling_connector_.reset(new SignalingConnector( |
917 signal_strategy_.get(), | 931 signal_strategy_.get(), |
918 context_->url_request_context_getter(), | 932 context_->url_request_context_getter(), |
919 dns_blackhole_checker.Pass(), | 933 dns_blackhole_checker.Pass(), |
920 base::Bind(&HostProcess::OnAuthFailed, this))); | 934 base::Bind(&HostProcess::OnAuthFailed, this))); |
921 | 935 |
922 if (!oauth_refresh_token_.empty()) { | 936 if (!oauth_refresh_token_.empty()) { |
923 scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials( | 937 scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials( |
924 new SignalingConnector::OAuthCredentials( | 938 new SignalingConnector::OAuthCredentials( |
925 xmpp_login_, oauth_refresh_token_)); | 939 xmpp_login_, oauth_refresh_token_, use_service_account_)); |
926 signaling_connector_->EnableOAuth(oauth_credentials.Pass()); | 940 signaling_connector_->EnableOAuth(oauth_credentials.Pass()); |
927 } | 941 } |
928 | 942 |
929 NetworkSettings network_settings( | 943 NetworkSettings network_settings( |
930 allow_nat_traversal_ ? | 944 allow_nat_traversal_ ? |
931 NetworkSettings::NAT_TRAVERSAL_ENABLED : | 945 NetworkSettings::NAT_TRAVERSAL_ENABLED : |
932 NetworkSettings::NAT_TRAVERSAL_DISABLED); | 946 NetworkSettings::NAT_TRAVERSAL_DISABLED); |
933 if (!allow_nat_traversal_) { | 947 if (!allow_nat_traversal_) { |
934 network_settings.min_port = NetworkSettings::kDefaultMinPort; | 948 network_settings.min_port = NetworkSettings::kDefaultMinPort; |
935 network_settings.max_port = NetworkSettings::kDefaultMaxPort; | 949 network_settings.max_port = NetworkSettings::kDefaultMaxPort; |
(...skipping 30 matching lines...) Expand all Loading... |
966 // Set up repoting the host status notifications. | 980 // Set up repoting the host status notifications. |
967 #if defined(REMOTING_MULTI_PROCESS) | 981 #if defined(REMOTING_MULTI_PROCESS) |
968 host_event_logger_.reset( | 982 host_event_logger_.reset( |
969 new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get())); | 983 new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get())); |
970 #else // !defined(REMOTING_MULTI_PROCESS) | 984 #else // !defined(REMOTING_MULTI_PROCESS) |
971 host_event_logger_ = | 985 host_event_logger_ = |
972 HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName); | 986 HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName); |
973 #endif // !defined(REMOTING_MULTI_PROCESS) | 987 #endif // !defined(REMOTING_MULTI_PROCESS) |
974 | 988 |
975 host_->SetEnableCurtaining(curtain_required_); | 989 host_->SetEnableCurtaining(curtain_required_); |
976 host_->Start(xmpp_login_); | 990 host_->Start(host_owner_); |
977 | 991 |
978 CreateAuthenticatorFactory(); | 992 CreateAuthenticatorFactory(); |
979 } | 993 } |
980 | 994 |
981 void HostProcess::OnAuthFailed() { | 995 void HostProcess::OnAuthFailed() { |
982 ShutdownHost(kInvalidOauthCredentialsExitCode); | 996 ShutdownHost(kInvalidOauthCredentialsExitCode); |
983 } | 997 } |
984 | 998 |
985 void HostProcess::RestartHost() { | 999 void HostProcess::RestartHost() { |
986 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 1000 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1097 return exit_code; | 1111 return exit_code; |
1098 } | 1112 } |
1099 | 1113 |
1100 } // namespace remoting | 1114 } // namespace remoting |
1101 | 1115 |
1102 #if !defined(OS_WIN) | 1116 #if !defined(OS_WIN) |
1103 int main(int argc, char** argv) { | 1117 int main(int argc, char** argv) { |
1104 return remoting::HostMain(argc, argv); | 1118 return remoting::HostMain(argc, argv); |
1105 } | 1119 } |
1106 #endif // !defined(OS_WIN) | 1120 #endif // !defined(OS_WIN) |
OLD | NEW |