Open a firewall hole when a TCP server or UDP socket is bound.

extensions/browser/api/socket/socket_api.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/socket/socket_api.h"
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/containers/hash_tables.h"
@@ skipping 11 matching lines @@
 #include "extensions/common/permissions/socket_permission.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/net_util.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 
+#if defined(OS_CHROMEOS)
+#include "base/command_line.h"
+#include "chromeos/chromeos_switches.h"
+#include "chromeos/network/firewall_hole.h"
+#include "content/public/browser/browser_thread.h"
+#endif  // OS_CHROMEOS
+
 namespace extensions {
 
 using content::SocketPermissionRequest;
 
 const char kAddressKey[] = "address";
 const char kPortKey[] = "port";
 const char kBytesWrittenKey[] = "bytesWritten";
 const char kDataKey[] = "data";
 const char kResultCodeKey[] = "resultCode";
 const char kSocketIdKey[] = "socketId";
 
 const char kSocketNotFoundError[] = "Socket not found";
 const char kDnsLookupFailedError[] = "DNS resolution failed";
 const char kPermissionError[] = "App does not have permission";
 const char kNetworkListError[] = "Network lookup failed or unsupported";
 const char kTCPSocketBindError[] =
     "TCP socket does not support bind. For TCP server please use listen.";
 const char kMulticastSocketTypeError[] = "Only UDP socket supports multicast.";
 const char kSecureSocketTypeError[] = "Only TCP sockets are supported for TLS.";
 const char kSocketNotConnectedError[] = "Socket not connected";
 const char kWildcardAddress[] = "*";
 const uint16 kWildcardPort = 0;
 
+#if defined(OS_CHROMEOS)
+const char kFirewallFailure[] = "Failed to open firewall port";
+#endif  // OS_CHROMEOS
+
 SocketAsyncApiFunction::SocketAsyncApiFunction() {}
 
 SocketAsyncApiFunction::~SocketAsyncApiFunction() {}
 
 bool SocketAsyncApiFunction::PrePrepare() {
   manager_ = CreateSocketResourceManager();
   return manager_->SetBrowserContext(browser_context());
 }
 
 bool SocketAsyncApiFunction::Respond() { return error_.empty(); }
@@ skipping 18 matching lines @@
 }
 
 base::hash_set<int>* SocketAsyncApiFunction::GetSocketIds() {
   return manager_->GetResourceIds(extension_->id());
 }
 
 void SocketAsyncApiFunction::RemoveSocket(int api_resource_id) {
   manager_->Remove(extension_->id(), api_resource_id);
 }
 
+void SocketAsyncApiFunction::OpenFirewallHole(const std::string& address,
+                                              int socket_id,
+                                              Socket* socket) {
+#if defined(OS_CHROMEOS)
+  if (!net::IsLocalhost(address) &&
+      base::CommandLine::ForCurrentProcess()->HasSwitch(
+          chromeos::switches::kEnableFirewallHolePunching)) {
+    net::IPEndPoint local_address;
+    if (!socket->GetLocalAddress(&local_address)) {
+      NOTREACHED() << "Cannot get address of recently bound socket.";
+      error_ = kFirewallFailure;
+      SetResult(new base::FundamentalValue(-1));
+      AsyncWorkCompleted();
+      return;
+    }
+
+    chromeos::FirewallHole::PortType port_type;
+    if (socket->GetSocketType() == Socket::TYPE_TCP) {
+      port_type = chromeos::FirewallHole::PortType::TCP;
+    } else {
+      port_type = chromeos::FirewallHole::PortType::UDP;
+    }
+
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE,
+        base::Bind(
+            &chromeos::FirewallHole::Open, port_type, local_address.port(),
+            "" /* all interfaces */,
+            base::Bind(&SocketAsyncApiFunction::OnFirewallHoleOpenedOnUIThread,
+                       this, socket_id)));
+    return;
+  }
+#endif
+  AsyncWorkCompleted();
+}
+
+#if defined(OS_CHROMEOS)
+
+void SocketAsyncApiFunction::OnFirewallHoleOpenedOnUIThread(
+    int socket_id,
+    scoped_ptr<chromeos::FirewallHole> hole) {
+  content::BrowserThread::PostTask(
+      content::BrowserThread::IO, FROM_HERE,
+      base::Bind(&SocketAsyncApiFunction::OnFirewallHoleOpened, this, socket_id,
+                 base::Passed(&hole)));
+}
+
+void SocketAsyncApiFunction::OnFirewallHoleOpened(
+    int socket_id,
+    scoped_ptr<chromeos::FirewallHole> hole) {
+  if (!hole) {
+    error_ = kFirewallFailure;
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
+    return;
+  }
+
+  Socket* socket = GetSocket(socket_id);
+  if (!socket) {
+    error_ = kSocketNotFoundError;
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
+    return;
+  }
+
+  socket->set_firewall_hole(hole.Pass());
+  AsyncWorkCompleted();
+}
+
+#endif  // OS_CHROMEOS
+
 SocketExtensionWithDnsLookupFunction::SocketExtensionWithDnsLookupFunction()
     : resource_context_(NULL),
       request_handle_(new net::HostResolver::RequestHandle),
       addresses_(new net::AddressList) {}
 
 SocketExtensionWithDnsLookupFunction::~SocketExtensionWithDnsLookupFunction() {}
 
 bool SocketExtensionWithDnsLookupFunction::PrePrepare() {
   if (!SocketAsyncApiFunction::PrePrepare())
     return false;
@@ skipping 184 matching lines @@
 bool SocketBindFunction::Prepare() {
   EXTENSION_FUNCTION_VALIDATE(args_->GetInteger(0, &socket_id_));
   EXTENSION_FUNCTION_VALIDATE(args_->GetString(1, &address_));
   int port;
   EXTENSION_FUNCTION_VALIDATE(
       args_->GetInteger(2, &port) && port >= 0 && port <= 65535);
   port_ = static_cast<uint16>(port);
   return true;
 }
 
-void SocketBindFunction::Work() {
-  int result = -1;
+void SocketBindFunction::AsyncWorkStart() {
   Socket* socket = GetSocket(socket_id_);
-
   if (!socket) {
     error_ = kSocketNotFoundError;
-    SetResult(new base::FundamentalValue(result));
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
     return;
   }
 
-  if (socket->GetSocketType() == Socket::TYPE_UDP) {
-    SocketPermission::CheckParam param(
-        SocketPermissionRequest::UDP_BIND, address_, port_);
-    if (!extension()->permissions_data()->CheckAPIPermissionWithParam(
-            APIPermission::kSocket, &param)) {
-      error_ = kPermissionError;
-      SetResult(new base::FundamentalValue(result));
-      return;
-    }
-  } else if (socket->GetSocketType() == Socket::TYPE_TCP) {
+  if (socket->GetSocketType() == Socket::TYPE_TCP) {
     error_ = kTCPSocketBindError;
-    SetResult(new base::FundamentalValue(result));
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
     return;
   }
 
-  result = socket->Bind(address_, port_);
+  CHECK(socket->GetSocketType() == Socket::TYPE_UDP);
+  SocketPermission::CheckParam param(SocketPermissionRequest::UDP_BIND,
+                                     address_, port_);
+  if (!extension()->permissions_data()->CheckAPIPermissionWithParam(
+          APIPermission::kSocket, &param)) {
+    error_ = kPermissionError;
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
+    return;
+  }
+
+  int result = socket->Bind(address_, port_);
   SetResult(new base::FundamentalValue(result));
+  if (result != net::OK) {
+    AsyncWorkCompleted();
+    return;
+  }
+
+  OpenFirewallHole(address_, socket_id_, socket);
 }
 
 SocketListenFunction::SocketListenFunction() {}
 
 SocketListenFunction::~SocketListenFunction() {}
 
 bool SocketListenFunction::Prepare() {
   params_ = core_api::socket::Listen::Params::Create(*args_);
   EXTENSION_FUNCTION_VALIDATE(params_.get());
   return true;
 }
 
-void SocketListenFunction::Work() {
-  int result = -1;
-
+void SocketListenFunction::AsyncWorkStart() {
   Socket* socket = GetSocket(params_->socket_id);
-  if (socket) {
-    SocketPermission::CheckParam param(
-        SocketPermissionRequest::TCP_LISTEN, params_->address, params_->port);
-    if (!extension()->permissions_data()->CheckAPIPermissionWithParam(
-            APIPermission::kSocket, &param)) {
-      error_ = kPermissionError;
-      SetResult(new base::FundamentalValue(result));
-      return;
-    }
-
-    result =
-        socket->Listen(params_->address,
-                       params_->port,
-                       params_->backlog.get() ? *params_->backlog.get() : 5,
-                       &error_);
-  } else {
+  if (!socket) {
     error_ = kSocketNotFoundError;
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
+    return;
   }
 
+  SocketPermission::CheckParam param(SocketPermissionRequest::TCP_LISTEN,
+                                     params_->address, params_->port);
+  if (!extension()->permissions_data()->CheckAPIPermissionWithParam(
+          APIPermission::kSocket, &param)) {
+    error_ = kPermissionError;
+    SetResult(new base::FundamentalValue(-1));
+    AsyncWorkCompleted();
+    return;
+  }
+
+  int result = socket->Listen(
+      params_->address, params_->port,
+      params_->backlog.get() ? *params_->backlog.get() : 5, &error_);
   SetResult(new base::FundamentalValue(result));
+  if (result != net::OK) {
+    AsyncWorkCompleted();
+    return;
+  }
+
+  OpenFirewallHole(params_->address, params_->socket_id, socket);
 }
 
 SocketAcceptFunction::SocketAcceptFunction() {}
 
 SocketAcceptFunction::~SocketAcceptFunction() {}
 
 bool SocketAcceptFunction::Prepare() {
   params_ = core_api::socket::Accept::Params::Create(*args_);
   EXTENSION_FUNCTION_VALIDATE(params_.get());
   return true;
@@ skipping 624 matching lines @@
   } else {
     RemoveSocket(params_->socket_id);
     error_ = net::ErrorToString(result);
   }
 
   results_ = core_api::socket::Secure::Results::Create(result);
   AsyncWorkCompleted();
 }
 
 }  // namespace extensions