New policies: enable/disable relay; port range

remoting/host/remoting_me2me_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements a standalone host process for Me2Me.
 
 #include <string>
 
 #include "base/at_exit.h"
 #include "base/bind.h"
@@ skipping 18 matching lines @@
 #include "media/base/media.h"
 #include "net/base/network_change_notifier.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/ssl_server_socket.h"
 #include "net/url_request/url_fetcher.h"
 #include "remoting/base/auto_thread_task_runner.h"
 #include "remoting/base/breakpad.h"
 #include "remoting/base/constants.h"
 #include "remoting/base/logging.h"
 #include "remoting/base/rsa_key_pair.h"
+#include "remoting/base/util.h"
 #include "remoting/host/branding.h"
 #include "remoting/host/chromoting_host.h"
 #include "remoting/host/chromoting_host_context.h"
 #include "remoting/host/chromoting_messages.h"
 #include "remoting/host/config_file_watcher.h"
 #include "remoting/host/config_watcher.h"
 #include "remoting/host/desktop_environment.h"
 #include "remoting/host/desktop_session_connector.h"
 #include "remoting/host/dns_blackhole_checker.h"
 #include "remoting/host/heartbeat_sender.h"
@@ skipping 171 matching lines @@
   void ShutdownOnUiThread();
 
   // Applies the host config, returning true if successful.
   bool ApplyConfig(scoped_ptr<JsonHostConfig> config);
 
   void OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies);
   bool OnHostDomainPolicyUpdate(const std::string& host_domain);
   bool OnUsernamePolicyUpdate(bool curtain_required,
                               bool username_match_required);
   bool OnNatPolicyUpdate(bool nat_traversal_enabled);
+  bool OnRelayPolicyUpdate(bool allow_relay);
+  bool OnUdpPortPolicyUpdate(const std::string& udp_port_range);
   void OnCurtainPolicyUpdate(bool curtain_required);
   bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
   bool OnHostTokenUrlPolicyUpdate(
       const GURL& token_url,
       const GURL& token_validation_url,
       const std::string& token_validation_cert_issuer);
   bool OnPairingPolicyUpdate(bool pairing_enabled);
   bool OnGnubbyAuthPolicyUpdate(bool enable_gnubby_auth);
 
   void StartHost();
@@ skipping 40 matching lines @@
 
   std::string host_id_;
   protocol::SharedSecretHash host_secret_hash_;
   scoped_refptr<RsaKeyPair> key_pair_;
   std::string oauth_refresh_token_;
   std::string serialized_config_;
   std::string host_owner_;
   bool use_service_account_;
   scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
   bool allow_nat_traversal_;
+  bool allow_relay_;
+  int min_udp_port_;
+  int max_udp_port_;
   std::string talkgadget_prefix_;
   bool allow_pairing_;
 
   bool curtain_required_;
   ThirdPartyAuthConfig third_party_auth_config_;
   bool enable_gnubby_auth_;
 
   scoped_ptr<OAuthTokenGetter> oauth_token_getter_;
   scoped_ptr<XmppSignalStrategy> signal_strategy_;
   scoped_ptr<SignalingConnector> signaling_connector_;
@@ skipping 17 matching lines @@
 
   scoped_ptr<PairingRegistry::Delegate> pairing_registry_delegate_;
 };
 
 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
                          int* exit_code_out)
     : context_(context.Pass()),
       state_(HOST_INITIALIZING),
       use_service_account_(false),
       allow_nat_traversal_(true),
+      allow_relay_(true),
+      min_udp_port_(0),
+      max_udp_port_(0),
       allow_pairing_(true),
       curtain_required_(false),
       enable_gnubby_auth_(false),
 #if defined(REMOTING_MULTI_PROCESS)
       desktop_session_connector_(NULL),
 #endif  // defined(REMOTING_MULTI_PROCESS)
       self_(this),
       exit_code_out_(exit_code_out),
       signal_parent_(false) {
   StartOnUiThread();
@@ skipping 492 matching lines @@
   }
   if (policies->GetBoolean(
       policy_hack::PolicyWatcher::kHostMatchUsernamePolicyName,
       &bool_value)) {
     restart_required |= OnUsernamePolicyUpdate(curtain_required, bool_value);
   }
   if (policies->GetBoolean(policy_hack::PolicyWatcher::kNatPolicyName,
                            &bool_value)) {
     restart_required |= OnNatPolicyUpdate(bool_value);
   }
+  if (policies->GetBoolean(policy_hack::PolicyWatcher::kRelayPolicyName,
+                           &bool_value)) {
+    restart_required |= OnRelayPolicyUpdate(bool_value);
+  }
+  std::string udp_port_range;
+  if (policies->GetString(policy_hack::PolicyWatcher::kUdpPortRangePolicyName,
+                           &udp_port_range)) {
+    restart_required |= OnUdpPortPolicyUpdate(udp_port_range);
+  }
+
   if (policies->GetString(
           policy_hack::PolicyWatcher::kHostTalkGadgetPrefixPolicyName,
           &string_value)) {
     restart_required |= OnHostTalkGadgetPrefixPolicyUpdate(string_value);
   }
   std::string token_url_string, token_validation_url_string;
   std::string token_validation_cert_issuer;
   if (policies->GetString(
           policy_hack::PolicyWatcher::kHostTokenUrlPolicyName,
           &token_url_string) &&
@@ skipping 86 matching lines @@
     if (nat_traversal_enabled)
       HOST_LOG << "Policy enables NAT traversal.";
     else
       HOST_LOG << "Policy disables NAT traversal.";
     allow_nat_traversal_ = nat_traversal_enabled;
     return true;
   }
   return false;
 }
 
+bool HostProcess::OnRelayPolicyUpdate(bool allow_relay) {
+  // Returns true if the host has to be restarted after this policy update.
+  DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+  if (allow_relay_ != allow_relay) {
+    if (allow_relay)
+      HOST_LOG << "Policy enables use of relay server.";
+    else
+      HOST_LOG << "Policy disables use of relay server.";
+    allow_relay_ = allow_relay;
+    return true;
+  }
+  return false;
+}
+
+bool HostProcess::OnUdpPortPolicyUpdate(const std::string& udp_port_range) {
+  // Returns true if the host has to be restarted after this policy update.
+  DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+  // Use default values if policy setting is empty or invalid.
+  int min_udp_port = 0;
+  int max_udp_port = 0;
+  if (!udp_port_range.empty() &&
+      !NetworkSettings::ParsePortRange(udp_port_range, &min_udp_port,
+                                       &max_udp_port)) {
+    LOG(WARNING) << "Invalid port range policy: \"" << udp_port_range
+                 << "\". Using default values.";
+  }
+
+  if (min_udp_port_ != min_udp_port || max_udp_port_ != max_udp_port) {
+    if (min_udp_port != 0 && max_udp_port != 0) {
+      HOST_LOG << "Policy restricts UDP port range to [" << min_udp_port
+               << ", " << max_udp_port << "]";
+    } else {
+      HOST_LOG << "Policy does not restrict UDP port range.";
+    }
+    min_udp_port_ = min_udp_port;
+    max_udp_port_ = max_udp_port;
+    return true;
+  }
+  return false;
+}
+
 void HostProcess::OnCurtainPolicyUpdate(bool curtain_required) {
   // Returns true if the host has to be restarted after this policy update.
   DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
 
 #if defined(OS_MACOSX)
   if (curtain_required) {
     // When curtain mode is in effect on Mac, the host process runs in the
     // user's switched-out session, but launchd will also run an instance at
     // the console login screen.  Even if no user is currently logged-on, we
     // can't support remote-access to the login screen because the current host
@@ skipping 125 matching lines @@
         new OAuthTokenGetter::OAuthCredentials(
             xmpp_server_config_.username, oauth_refresh_token_,
             use_service_account_));
 
     oauth_token_getter_.reset(new OAuthTokenGetter(
         oauth_credentials.Pass(), context_->url_request_context_getter()));
 
     signaling_connector_->EnableOAuth(oauth_token_getter_.get());
   }
 
-  NetworkSettings network_settings(
-      allow_nat_traversal_ ?
-      NetworkSettings::NAT_TRAVERSAL_ENABLED :
-      NetworkSettings::NAT_TRAVERSAL_DISABLED);
-  if (!allow_nat_traversal_) {
+  uint32 network_flags = allow_nat_traversal_ ?
+      NetworkSettings::NAT_TRAVERSAL_STUN : 0;
+
+  if (allow_relay_)
+    network_flags |= NetworkSettings::NAT_TRAVERSAL_RELAY;
+
+  if (allow_relay_ || allow_nat_traversal_)
+    network_flags |= NetworkSettings::NAT_TRAVERSAL_OUTGOING;
+
+  NetworkSettings network_settings(network_flags);
+
+  if (min_udp_port_ && max_udp_port_) {
+    network_settings.min_port = min_udp_port_;
+    network_settings.max_port = max_udp_port_;
+  } else if (!allow_nat_traversal_) {
+    // For legacy reasons we have to restrict the port range to a set of default
+    // values when nat traversal is disabled, even if the port range was not
+    // set in policy.
     network_settings.min_port = NetworkSettings::kDefaultMinPort;
     network_settings.max_port = NetworkSettings::kDefaultMaxPort;
   }
 
   host_.reset(new ChromotingHost(
       signal_strategy_.get(),
       desktop_environment_factory_.get(),
       CreateHostSessionManager(signal_strategy_.get(), network_settings,
                                context_->url_request_context_getter()),
       context_->audio_task_runner(),
@@ skipping 173 matching lines @@
   return exit_code;
 }
 
 }  // namespace remoting
 
 #if !defined(OS_WIN)
 int main(int argc, char** argv) {
   return remoting::HostMain(argc, argv);
 }
 #endif  // !defined(OS_WIN)