OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 // | 4 // |
5 // This file implements a standalone host process for Me2Me. | 5 // This file implements a standalone host process for Me2Me. |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/at_exit.h" | 9 #include "base/at_exit.h" |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
(...skipping 248 matching lines...)
259 // Accessed on the network thread. | 259 // Accessed on the network thread. |
260 HostState state_; | 260 HostState state_; |
261 | 261 |
262 scoped_ptr<ConfigFileWatcher> config_watcher_; | 262 scoped_ptr<ConfigFileWatcher> config_watcher_; |
263 | 263 |
264 std::string host_id_; | 264 std::string host_id_; |
265 protocol::SharedSecretHash host_secret_hash_; | 265 protocol::SharedSecretHash host_secret_hash_; |
266 scoped_refptr<RsaKeyPair> key_pair_; | 266 scoped_refptr<RsaKeyPair> key_pair_; |
267 std::string oauth_refresh_token_; | 267 std::string oauth_refresh_token_; |
268 std::string serialized_config_; | 268 std::string serialized_config_; |
| 269 std::string host_owner_; |
269 std::string xmpp_login_; | 270 std::string xmpp_login_; |
| 271 bool use_service_account_; |
270 std::string xmpp_auth_token_; | 272 std::string xmpp_auth_token_; |
271 std::string xmpp_auth_service_; | 273 std::string xmpp_auth_service_; |
272 scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_; | 274 scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_; |
273 bool allow_nat_traversal_; | 275 bool allow_nat_traversal_; |
274 std::string talkgadget_prefix_; | 276 std::string talkgadget_prefix_; |
275 bool allow_pairing_; | 277 bool allow_pairing_; |
276 | 278 |
277 bool curtain_required_; | 279 bool curtain_required_; |
278 GURL token_url_; | 280 GURL token_url_; |
279 GURL token_validation_url_; | 281 GURL token_validation_url_; |
(...skipping 16 matching lines...)
296 #endif // defined(REMOTING_MULTI_PROCESS) | 298 #endif // defined(REMOTING_MULTI_PROCESS) |
297 | 299 |
298 int* exit_code_out_; | 300 int* exit_code_out_; |
299 bool signal_parent_; | 301 bool signal_parent_; |
300 }; | 302 }; |
301 | 303 |
302 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context, | 304 HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context, |
303 int* exit_code_out) | 305 int* exit_code_out) |
304 : context_(context.Pass()), | 306 : context_(context.Pass()), |
305 state_(HOST_INITIALIZING), | 307 state_(HOST_INITIALIZING), |
| 308 use_service_account_(false), |
306 allow_nat_traversal_(true), | 309 allow_nat_traversal_(true), |
307 allow_pairing_(true), | 310 allow_pairing_(true), |
308 curtain_required_(false), | 311 curtain_required_(false), |
309 #if defined(REMOTING_MULTI_PROCESS) | 312 #if defined(REMOTING_MULTI_PROCESS) |
310 desktop_session_connector_(NULL), | 313 desktop_session_connector_(NULL), |
311 #endif // defined(REMOTING_MULTI_PROCESS) | 314 #endif // defined(REMOTING_MULTI_PROCESS) |
312 self_(this), | 315 self_(this), |
313 exit_code_out_(exit_code_out), | 316 exit_code_out_(exit_code_out), |
314 signal_parent_(false) { | 317 signal_parent_(false) { |
315 StartOnUiThread(); | 318 StartOnUiThread(); |
(...skipping 197 matching lines...)
513 | 516 |
514 scoped_refptr<protocol::PairingRegistry> pairing_registry = NULL; | 517 scoped_refptr<protocol::PairingRegistry> pairing_registry = NULL; |
515 if (allow_pairing_) { | 518 if (allow_pairing_) { |
516 pairing_registry = CreatePairingRegistry(context_->file_task_runner()); | 519 pairing_registry = CreatePairingRegistry(context_->file_task_runner()); |
517 } | 520 } |
518 | 521 |
519 scoped_ptr<protocol::AuthenticatorFactory> factory; | 522 scoped_ptr<protocol::AuthenticatorFactory> factory; |
520 | 523 |
521 if (token_url_.is_empty() && token_validation_url_.is_empty()) { | 524 if (token_url_.is_empty() && token_validation_url_.is_empty()) { |
522 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( | 525 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithSharedSecret( |
523 local_certificate, key_pair_, host_secret_hash_, pairing_registry); | 526 host_owner_, local_certificate, key_pair_, host_secret_hash_, |
| 527 pairing_registry); |
524 | 528 |
525 } else if (token_url_.is_valid() && token_validation_url_.is_valid()) { | 529 } else if (token_url_.is_valid() && token_validation_url_.is_valid()) { |
526 scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory> | 530 scoped_ptr<protocol::ThirdPartyHostAuthenticator::TokenValidatorFactory> |
527 token_validator_factory(new TokenValidatorFactoryImpl( | 531 token_validator_factory(new TokenValidatorFactoryImpl( |
528 token_url_, token_validation_url_, key_pair_, | 532 token_url_, token_validation_url_, key_pair_, |
529 context_->url_request_context_getter())); | 533 context_->url_request_context_getter())); |
530 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( | 534 factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth( |
531 local_certificate, key_pair_, token_validator_factory.Pass()); | 535 host_owner_, local_certificate, key_pair_, |
| 536 token_validator_factory.Pass()); |
532 | 537 |
533 } else { | 538 } else { |
534 // TODO(rmsousa): If the policy is bad the host should not go online. It | 539 // TODO(rmsousa): If the policy is bad the host should not go online. It |
535 // should keep running, but not connected, until the policies are fixed. | 540 // should keep running, but not connected, until the policies are fixed. |
536 // Having it show up as online and then reject all clients is misleading. | 541 // Having it show up as online and then reject all clients is misleading. |
537 LOG(ERROR) << "One of the third-party token URLs is empty or invalid. " | 542 LOG(ERROR) << "One of the third-party token URLs is empty or invalid. " |
538 << "Host will reject all clients until policies are corrected. " | 543 << "Host will reject all clients until policies are corrected. " |
539 << "TokenUrl: " << token_url_ << ", " | 544 << "TokenUrl: " << token_url_ << ", " |
540 << "TokenValidationUrl: " << token_validation_url_; | 545 << "TokenValidationUrl: " << token_validation_url_; |
541 factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting(); | 546 factory = protocol::Me2MeHostAuthenticatorFactory::CreateRejecting(); |
(...skipping 178 matching lines...)
720 if (!oauth_refresh_token_.empty()) { | 725 if (!oauth_refresh_token_.empty()) { |
721 xmpp_auth_token_ = ""; // This will be set to the access token later. | 726 xmpp_auth_token_ = ""; // This will be set to the access token later. |
722 xmpp_auth_service_ = "oauth2"; | 727 xmpp_auth_service_ = "oauth2"; |
723 } else if (!config->GetString(kXmppAuthServiceConfigPath, | 728 } else if (!config->GetString(kXmppAuthServiceConfigPath, |
724 &xmpp_auth_service_)) { | 729 &xmpp_auth_service_)) { |
725 // For the me2me host, we default to ClientLogin token for chromiumsync | 730 // For the me2me host, we default to ClientLogin token for chromiumsync |
726 // because earlier versions of the host had no HTTP stack with which to | 731 // because earlier versions of the host had no HTTP stack with which to |
727 // request an OAuth2 access token. | 732 // request an OAuth2 access token. |
728 xmpp_auth_service_ = kChromotingTokenDefaultServiceName; | 733 xmpp_auth_service_ = kChromotingTokenDefaultServiceName; |
729 } | 734 } |
| 735 |
| 736 if (config->GetString(kHostOwnerConfigPath, &host_owner_)) { |
| 737 // Service account configs have a host_owner, different from the xmpp_login. |
| 738 use_service_account_ = true; |
| 739 } else { |
| 740 // User credential configs only have an xmpp_login, which is also the owner. |
| 741 host_owner_ = xmpp_login_; |
| 742 use_service_account_ = false; |
| 743 } |
730 return true; | 744 return true; |
731 } | 745 } |
732 | 746 |
733 void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) { | 747 void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) { |
734 // TODO(rmsousa): Consolidate all On*PolicyUpdate methods into this one. | 748 // TODO(rmsousa): Consolidate all On*PolicyUpdate methods into this one. |
735 // TODO(sergeyu): Currently polices are verified only when they are loaded. | 749 // TODO(sergeyu): Currently polices are verified only when they are loaded. |
736 // Separate policy loading from policy verifications - this will allow to | 750 // Separate policy loading from policy verifications - this will allow to |
737 // check policies again later, e.g. when host config changes. | 751 // check policies again later, e.g. when host config changes. |
738 | 752 |
739 if (!context_->network_task_runner()->BelongsToCurrentThread()) { | 753 if (!context_->network_task_runner()->BelongsToCurrentThread()) { |
(...skipping 52 matching lines...)
792 } | 806 } |
793 } | 807 } |
794 | 808 |
795 bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) { | 809 bool HostProcess::OnHostDomainPolicyUpdate(const std::string& host_domain) { |
796 // Returns true if the host has to be restarted after this policy update. | 810 // Returns true if the host has to be restarted after this policy update. |
797 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 811 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
798 | 812 |
799 LOG(INFO) << "Policy sets host domain: " << host_domain; | 813 LOG(INFO) << "Policy sets host domain: " << host_domain; |
800 | 814 |
801 if (!host_domain.empty() && | 815 if (!host_domain.empty() && |
802 !EndsWith(xmpp_login_, std::string("@") + host_domain, false)) { | 816 !EndsWith(host_owner_, std::string("@") + host_domain, false)) { |
803 ShutdownHost(kInvalidHostDomainExitCode); | 817 ShutdownHost(kInvalidHostDomainExitCode); |
804 } | 818 } |
805 return false; | 819 return false; |
806 } | 820 } |
807 | 821 |
808 bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required, | 822 bool HostProcess::OnUsernamePolicyUpdate(bool curtain_required, |
809 bool host_username_match_required) { | 823 bool host_username_match_required) { |
810 // Returns false: never restart the host after this policy update. | 824 // Returns false: never restart the host after this policy update. |
811 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 825 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
812 | 826 |
813 if (host_username_match_required) { | 827 if (host_username_match_required) { |
814 LOG(INFO) << "Policy requires host username match."; | 828 LOG(INFO) << "Policy requires host username match."; |
815 std::string username = GetUsername(); | 829 std::string username = GetUsername(); |
816 bool shutdown = username.empty() || | 830 bool shutdown = username.empty() || |
817 !StartsWithASCII(xmpp_login_, username + std::string("@"), | 831 !StartsWithASCII(host_owner_, username + std::string("@"), |
818 false); | 832 false); |
819 | 833 |
820 #if defined(OS_MACOSX) | 834 #if defined(OS_MACOSX) |
821 // On Mac, we run as root at the login screen, so the username won't match. | 835 // On Mac, we run as root at the login screen, so the username won't match. |
822 // However, there's no need to enforce the policy at the login screen, as | 836 // However, there's no need to enforce the policy at the login screen, as |
823 // the client will have to reconnect if a login occurs. | 837 // the client will have to reconnect if a login occurs. |
824 if (shutdown && getuid() == 0) { | 838 if (shutdown && getuid() == 0) { |
825 shutdown = false; | 839 shutdown = false; |
826 } | 840 } |
827 #endif | 841 #endif |
(...skipping 137 matching lines...)
965 | 979 |
966 signaling_connector_.reset(new SignalingConnector( | 980 signaling_connector_.reset(new SignalingConnector( |
967 signal_strategy_.get(), | 981 signal_strategy_.get(), |
968 context_->url_request_context_getter(), | 982 context_->url_request_context_getter(), |
969 dns_blackhole_checker.Pass(), | 983 dns_blackhole_checker.Pass(), |
970 base::Bind(&HostProcess::OnAuthFailed, this))); | 984 base::Bind(&HostProcess::OnAuthFailed, this))); |
971 | 985 |
972 if (!oauth_refresh_token_.empty()) { | 986 if (!oauth_refresh_token_.empty()) { |
973 scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials( | 987 scoped_ptr<SignalingConnector::OAuthCredentials> oauth_credentials( |
974 new SignalingConnector::OAuthCredentials( | 988 new SignalingConnector::OAuthCredentials( |
975 xmpp_login_, oauth_refresh_token_)); | 989 xmpp_login_, oauth_refresh_token_, use_service_account_)); |
976 signaling_connector_->EnableOAuth(oauth_credentials.Pass()); | 990 signaling_connector_->EnableOAuth(oauth_credentials.Pass()); |
977 } | 991 } |
978 | 992 |
979 NetworkSettings network_settings( | 993 NetworkSettings network_settings( |
980 allow_nat_traversal_ ? | 994 allow_nat_traversal_ ? |
981 NetworkSettings::NAT_TRAVERSAL_ENABLED : | 995 NetworkSettings::NAT_TRAVERSAL_ENABLED : |
982 NetworkSettings::NAT_TRAVERSAL_DISABLED); | 996 NetworkSettings::NAT_TRAVERSAL_DISABLED); |
983 if (!allow_nat_traversal_) { | 997 if (!allow_nat_traversal_) { |
984 network_settings.min_port = NetworkSettings::kDefaultMinPort; | 998 network_settings.min_port = NetworkSettings::kDefaultMinPort; |
985 network_settings.max_port = NetworkSettings::kDefaultMaxPort; | 999 network_settings.max_port = NetworkSettings::kDefaultMaxPort; |
(...skipping 33 matching lines...)
1019 // Set up repoting the host status notifications. | 1033 // Set up repoting the host status notifications. |
1020 #if defined(REMOTING_MULTI_PROCESS) | 1034 #if defined(REMOTING_MULTI_PROCESS) |
1021 host_event_logger_.reset( | 1035 host_event_logger_.reset( |
1022 new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get())); | 1036 new IpcHostEventLogger(host_->AsWeakPtr(), daemon_channel_.get())); |
1023 #else // !defined(REMOTING_MULTI_PROCESS) | 1037 #else // !defined(REMOTING_MULTI_PROCESS) |
1024 host_event_logger_ = | 1038 host_event_logger_ = |
1025 HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName); | 1039 HostEventLogger::Create(host_->AsWeakPtr(), kApplicationName); |
1026 #endif // !defined(REMOTING_MULTI_PROCESS) | 1040 #endif // !defined(REMOTING_MULTI_PROCESS) |
1027 | 1041 |
1028 host_->SetEnableCurtaining(curtain_required_); | 1042 host_->SetEnableCurtaining(curtain_required_); |
1029 host_->Start(xmpp_login_); | 1043 host_->Start(host_owner_); |
1030 | 1044 |
1031 CreateAuthenticatorFactory(); | 1045 CreateAuthenticatorFactory(); |
1032 } | 1046 } |
1033 | 1047 |
1034 void HostProcess::OnAuthFailed() { | 1048 void HostProcess::OnAuthFailed() { |
1035 ShutdownHost(kInvalidOauthCredentialsExitCode); | 1049 ShutdownHost(kInvalidOauthCredentialsExitCode); |
1036 } | 1050 } |
1037 | 1051 |
1038 void HostProcess::RestartHost() { | 1052 void HostProcess::RestartHost() { |
1039 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); | 1053 DCHECK(context_->network_task_runner()->BelongsToCurrentThread()); |
(...skipping 126 matching lines...)
1166 return exit_code; | 1180 return exit_code; |
1167 } | 1181 } |
1168 | 1182 |
1169 } // namespace remoting | 1183 } // namespace remoting |
1170 | 1184 |
1171 #if !defined(OS_WIN) | 1185 #if !defined(OS_WIN) |
1172 int main(int argc, char** argv) { | 1186 int main(int argc, char** argv) { |
1173 return remoting::HostMain(argc, argv); | 1187 return remoting::HostMain(argc, argv); |
1174 } | 1188 } |
1175 #endif // !defined(OS_WIN) | 1189 #endif // !defined(OS_WIN) |
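Review bot: The `host_owner_` value read at new lines 736-743 is accepted whenever the config key exists, so an empty or malformed `host_owner` still sets `use_service_account_ = true`. That string then becomes the identity passed to both authenticator factories and to `host_->Start()`, and the one tested by the host-domain and username policy checks. Those two policy checks would fail closed on an empty owner, but how the authenticator factory treats one is not visible in this diff. I would reject it at load time, assuming this function reports config errors by returning false as its `return true` on success suggests: `if (host_owner_.empty()) { LOG(ERROR) << "host_owner is empty."; return false; }` after the if/else. The function containing this block begins in a skipped region, and a short comment on the `host_owner_` member saying it is the identity used for authorization and policy while `xmpp_login_` is only the signaling credential would help later callers choose correctly.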
OLD | NEW |