Chromium Code Reviews Chromium Code Reviews
Issue 966433002:
Malformed PortRange or ThirdPartyAuthConfig trigger OnPolicyError. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: remoting/host/remoting_me2me_host.cc |
| diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc |
| index 8cf6ccee505728f99c5e5587acba15fe03f03f5e..71102b5ae5b537189be8a413790065a993a06050 100644 |
| --- a/remoting/host/remoting_me2me_host.cc |
| +++ b/remoting/host/remoting_me2me_host.cc |
| @@ -35,6 +35,7 @@ |
| #include "remoting/base/breakpad.h" |
| #include "remoting/base/constants.h" |
| #include "remoting/base/logging.h" |
| +#include "remoting/base/port_range.h" |
| #include "remoting/base/rsa_key_pair.h" |
| #include "remoting/base/service_urls.h" |
| #include "remoting/base/util.h" |
| @@ -64,6 +65,7 @@ |
| #include "remoting/host/shutdown_watchdog.h" |
| #include "remoting/host/signaling_connector.h" |
| #include "remoting/host/single_window_desktop_environment.h" |
| +#include "remoting/host/third_party_auth_config.h" |
| #include "remoting/host/token_validator_factory_impl.h" |
| #include "remoting/host/usage_stats_consent.h" |
| #include "remoting/host/username.h" |
| @@ -339,8 +341,7 @@ class HostProcess : public ConfigWatcher::Delegate, |
| bool host_username_match_required_; |
| bool allow_nat_traversal_; |
| bool allow_relay_; |
| - uint16 min_udp_port_; |
| - uint16 max_udp_port_; |
| + PortRange udp_port_range_; |
| std::string talkgadget_prefix_; |
| bool allow_pairing_; |
| @@ -394,8 +395,6 @@ HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context, |
| host_username_match_required_(false), |
| allow_nat_traversal_(true), |
| allow_relay_(true), |
| - min_udp_port_(0), |
|
Sergey Ulanov
2015/02/27 03:05:19
Without PortRange constructor the values inside of
Łukasz Anforowicz
2015/02/27 18:36:12
Right. Hmmm... I realized this, but for some reas
|
| - max_udp_port_(0), |
| allow_pairing_(true), |
| curtain_required_(false), |
| enable_gnubby_auth_(false), |
| @@ -696,7 +695,10 @@ void HostProcess::CreateAuthenticatorFactory() { |
| host_secret_hash_, pairing_registry); |
| host_->set_pairing_registry(pairing_registry); |
| - } else if (third_party_auth_config_.is_valid()) { |
| + } else { |
| + CHECK(third_party_auth_config_.token_url.is_valid()); |
| + CHECK(third_party_auth_config_.token_validation_url.is_valid()); |
| + |
| scoped_ptr<protocol::TokenValidatorFactory> token_validator_factory( |
| new TokenValidatorFactoryImpl( |
| third_party_auth_config_, |
| @@ -704,17 +706,6 @@ void HostProcess::CreateAuthenticatorFactory() { |
| factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
| use_service_account_, host_owner_, local_certificate, key_pair_, |
| token_validator_factory.Pass()); |
| - |
| - } else { |
| - // TODO(rmsousa): If the policy is bad the host should not go online. It |
| - // should keep running, but not connected, until the policies are fixed. |
| - // Having it show up as online and then reject all clients is misleading. |
| - LOG(ERROR) << "One of the third-party token URLs is empty or invalid. " |
| - << "Host will reject all clients until policies are corrected. " |
| - << "TokenUrl: " << third_party_auth_config_.token_url << ", " |
| - << "TokenValidationUrl: " |
| - << third_party_auth_config_.token_validation_url; |
| - factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting(); |
| } |
| #if defined(OS_POSIX) |
| @@ -1205,34 +1196,15 @@ bool HostProcess::OnUdpPortPolicyUpdate(base::DictionaryValue* policies) { |
| // Returns true if the host has to be restarted after this policy update. |
| DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
| - std::string udp_port_range; |
| + std::string string_value; |
| if (!policies->GetString(policy::key::kRemoteAccessHostUdpPortRange, |
| - &udp_port_range)) { |
| + &string_value)) { |
| return false; |
| } |
| - // Use default values if policy setting is empty or invalid. |
| - uint16 min_udp_port = 0; |
| - uint16 max_udp_port = 0; |
| - if (!udp_port_range.empty() && |
| - !NetworkSettings::ParsePortRange(udp_port_range, &min_udp_port, |
| - &max_udp_port)) { |
| - LOG(WARNING) << "Invalid port range policy: \"" << udp_port_range |
| - << "\". Using default values."; |
| - } |
| - |
| - if (min_udp_port_ != min_udp_port || max_udp_port_ != max_udp_port) { |
| - if (min_udp_port != 0 && max_udp_port != 0) { |
| - HOST_LOG << "Policy restricts UDP port range to [" << min_udp_port |
| - << ", " << max_udp_port << "]"; |
| - } else { |
| - HOST_LOG << "Policy does not restrict UDP port range."; |
| - } |
| - min_udp_port_ = min_udp_port; |
| - max_udp_port_ = max_udp_port; |
| - return true; |
| - } |
| - return false; |
| + CHECK(PortRange::Parse(string_value, &udp_port_range_)); |
| + HOST_LOG << "Policy restricts UDP port range to: " << udp_port_range_; |
| + return true; |
| } |
| bool HostProcess::OnCurtainPolicyUpdate(base::DictionaryValue* policies) { |
| @@ -1290,39 +1262,25 @@ bool HostProcess::OnHostTalkGadgetPrefixPolicyUpdate( |
| } |
| bool HostProcess::OnHostTokenUrlPolicyUpdate(base::DictionaryValue* policies) { |
| - // Returns true if the host has to be restarted after this policy update. |
| - DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
| - |
| - bool token_policy_changed = false; |
| - std::string token_url_string; |
| - if (policies->GetString(policy::key::kRemoteAccessHostTokenUrl, |
| - &token_url_string)) { |
| - token_policy_changed = true; |
| - third_party_auth_config_.token_url = GURL(token_url_string); |
| - } |
| - std::string token_validation_url_string; |
| - if (policies->GetString(policy::key::kRemoteAccessHostTokenValidationUrl, |
| - &token_validation_url_string)) { |
| - token_policy_changed = true; |
| - third_party_auth_config_.token_validation_url = |
| - GURL(token_validation_url_string); |
| - } |
| - if (policies->GetString( |
| - policy::key::kRemoteAccessHostTokenValidationCertificateIssuer, |
| - &third_party_auth_config_.token_validation_cert_issuer)) { |
| - token_policy_changed = true; |
| + // Extract 3 individial policy values. |
| + std::string token_url; |
| + std::string token_validation_url; |
| + std::string token_validation_cert_issuer; |
| + bool changed_entries_present = ThirdPartyAuthConfig::ExtractPolicyValues( |
| + *policies, &token_url, &token_validation_url, |
| + &token_validation_cert_issuer); |
| + if (!changed_entries_present) { |
| + return false; |
| } |
| - if (token_policy_changed) { |
| - HOST_LOG << "Policy sets third-party token URLs: " |
| - << "TokenUrl: " |
| - << third_party_auth_config_.token_url << ", " |
| - << "TokenValidationUrl: " |
| - << third_party_auth_config_.token_validation_url << ", " |
| - << "TokenValidationCertificateIssuer: " |
| - << third_party_auth_config_.token_validation_cert_issuer; |
| - } |
| - return token_policy_changed; |
| + // Parse the policy value. |
| + ThirdPartyAuthConfig third_party_auth_config; |
| + CHECK(ThirdPartyAuthConfig::Parse(token_url, token_validation_url, |
| + token_validation_cert_issuer, |
| + &third_party_auth_config_)); |
| + HOST_LOG << "Policy sets third-party token URLs: " |
| + << third_party_auth_config_; |
| + return true; |
| } |
| bool HostProcess::OnPairingPolicyUpdate(base::DictionaryValue* policies) { |
| @@ -1408,9 +1366,9 @@ void HostProcess::StartHost() { |
| NetworkSettings network_settings(network_flags); |
| - if (min_udp_port_ && max_udp_port_) { |
| - network_settings.min_port = min_udp_port_; |
| - network_settings.max_port = max_udp_port_; |
| + if (!udp_port_range_.is_empty()) { |
| + network_settings.min_port = udp_port_range_.min_port; |
| + network_settings.max_port = udp_port_range_.max_port; |
| } else if (!allow_nat_traversal_) { |
| // For legacy reasons we have to restrict the port range to a set of default |
| // values when nat traversal is disabled, even if the port range was not |
