blob: 97acdb04a4f36e9ea291e131914ed4d105fe7e49 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This file implements a standalone host process for Me2Me.
#include <stddef.h>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include "base/bind.h"
#include "base/callback.h"
#include "base/command_line.h"
#include "base/debug/alias.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/macros.h"
#include "base/message_loop/message_pump_type.h"
#include "base/run_loop.h"
#include "base/single_thread_task_runner.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/strings/stringize_macros.h"
#include "base/strings/utf_string_conversions.h"
#include "base/task/single_thread_task_executor.h"
#include "base/task/thread_pool/thread_pool_instance.h"
#include "build/build_config.h"
#include "components/policy/policy_constants.h"
#include "ipc/ipc_channel.h"
#include "ipc/ipc_channel_proxy.h"
#include "ipc/ipc_listener.h"
#include "jingle/glue/thread_wrapper.h"
#include "mojo/core/embedder/scoped_ipc_support.h"
#include "mojo/public/cpp/platform/platform_channel.h"
#include "mojo/public/cpp/system/invitation.h"
#include "net/base/network_change_notifier.h"
#include "net/base/url_util.h"
#include "net/socket/client_socket_factory.h"
#include "net/url_request/url_fetcher.h"
#include "remoting/base/auto_thread_task_runner.h"
#include "remoting/base/constants.h"
#include "remoting/base/logging.h"
#include "remoting/base/oauth_token_getter_impl.h"
#include "remoting/base/oauth_token_getter_proxy.h"
#include "remoting/base/rsa_key_pair.h"
#include "remoting/base/service_urls.h"
#include "remoting/base/util.h"
#include "remoting/host/branding.h"
#include "remoting/host/chromoting_host.h"
#include "remoting/host/chromoting_host_context.h"
#include "remoting/host/chromoting_messages.h"
#include "remoting/host/config_file_watcher.h"
#include "remoting/host/config_watcher.h"
#include "remoting/host/desktop_environment.h"
#include "remoting/host/desktop_environment_options.h"
#include "remoting/host/desktop_session_connector.h"
#include "remoting/host/ftl_echo_message_listener.h"
#include "remoting/host/ftl_host_change_notification_listener.h"
#include "remoting/host/ftl_signaling_connector.h"
#include "remoting/host/heartbeat_sender.h"
#include "remoting/host/host_config.h"
#include "remoting/host/host_event_logger.h"
#include "remoting/host/host_exit_codes.h"
#include "remoting/host/host_power_save_blocker.h"
#include "remoting/host/host_settings.h"
#include "remoting/host/host_status_logger.h"
#include "remoting/host/input_injector.h"
#include "remoting/host/ipc_desktop_environment.h"
#include "remoting/host/ipc_host_event_logger.h"
#include "remoting/host/logging.h"
#include "remoting/host/me2me_desktop_environment.h"
#include "remoting/host/pairing_registry_delegate.h"
#include "remoting/host/pin_hash.h"
#include "remoting/host/policy_watcher.h"
#include "remoting/host/security_key/security_key_auth_handler.h"
#include "remoting/host/security_key/security_key_extension.h"
#include "remoting/host/shutdown_watchdog.h"
#include "remoting/host/switches.h"
#include "remoting/host/test_echo_extension.h"
#include "remoting/host/third_party_auth_config.h"
#include "remoting/host/token_validator_factory_impl.h"
#include "remoting/host/usage_stats_consent.h"
#include "remoting/host/username.h"
#include "remoting/host/zombie_host_detector.h"
#include "remoting/protocol/authenticator.h"
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/chromium_port_allocator_factory.h"
#include "remoting/protocol/jingle_session_manager.h"
#include "remoting/protocol/me2me_host_authenticator_factory.h"
#include "remoting/protocol/network_settings.h"
#include "remoting/protocol/pairing_registry.h"
#include "remoting/protocol/port_range.h"
#include "remoting/protocol/token_validator.h"
#include "remoting/protocol/transport_context.h"
#include "remoting/signaling/ftl_host_device_id_provider.h"
#include "remoting/signaling/ftl_signal_strategy.h"
#include "remoting/signaling/remoting_log_to_server.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
#include "third_party/webrtc/api/scoped_refptr.h"
#if defined(OS_POSIX)
#include <signal.h>
#include <sys/types.h>
#include <unistd.h>
#include "base/file_descriptor_posix.h"
#include "remoting/host/pam_authorization_factory_posix.h"
#include "remoting/host/posix/signal_handler.h"
#endif // defined(OS_POSIX)
#if defined(OS_APPLE)
#include "base/mac/mac_util.h"
#include "base/mac/scoped_cftyperef.h"
#include "remoting/host/audio_capturer_mac.h"
#include "remoting/host/desktop_capturer_checker.h"
#include "remoting/host/mac/permission_utils.h"
#endif // defined(OS_APPLE)
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
#include <gtk/gtk.h>
#include "base/linux_util.h"
#include "remoting/host/audio_capturer_linux.h"
#include "remoting/host/linux/certificate_watcher.h"
#include "ui/events/platform/x11/x11_event_source.h"
#include "ui/gfx/x/xlib_support.h"
#endif // defined(OS_LINUX) || defined(OS_CHROMEOS)
#if defined(OS_WIN)
#include <commctrl.h>
#include "base/win/registry.h"
#include "base/win/scoped_handle.h"
#include "remoting/host/pairing_registry_delegate_win.h"
#include "remoting/host/win/session_desktop_environment.h"
#endif // defined(OS_WIN)
using remoting::protocol::PairingRegistry;
using remoting::protocol::NetworkSettings;
#if defined(OS_APPLE)
// The following creates a section that tells Mac OS X that it is OK to let us
// inject input in the login screen. Just the name of the section is important,
// not its contents.
__attribute__((used))
__attribute__((section ("__CGPreLoginApp,__cgpreloginapp")))
static const char magic_section[] = "";
#endif // defined(OS_APPLE)
namespace {
#if !defined(REMOTING_MULTI_PROCESS)
// This is used for tagging system event logs.
const char kApplicationName[] = "chromoting";
// Value used for --host-config option to indicate that the path must be read
// from stdin.
const char kStdinConfigPath[] = "-";
#endif // !defined(REMOTING_MULTI_PROCESS)
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// The command line switch used to pass name of the pipe to capture audio on
// linux.
const char kAudioPipeSwitchName[] = "audio-pipe-name";
#endif // defined(OS_LINUX) || defined(OS_CHROMEOS)
#if defined(OS_POSIX)
// The command line switch used to pass name of the unix domain socket used to
// listen for security key requests.
const char kAuthSocknameSwitchName[] = "ssh-auth-sockname";
#endif // defined(OS_POSIX)
// The command line switch used by the parent to request the host to signal it
// when it is successfully started.
const char kSignalParentSwitchName[] = "signal-parent";
// Command line switch used to send a custom offline reason and exit.
const char kReportOfflineReasonSwitchName[] = "report-offline-reason";
// Maximum time to wait for clean shutdown to occur, before forcing termination
// of the process.
const int kShutdownTimeoutSeconds = 15;
// Maximum time to wait for reporting host-offline-reason to the service,
// before continuing normal process shutdown.
const int kHostOfflineReasonTimeoutSeconds = 10;
// Host offline reasons not associated with shutting down the host process
// and therefore not expressible through HostExitCodes enum.
const char kHostOfflineReasonPolicyReadError[] = "POLICY_READ_ERROR";
const char kHostOfflineReasonPolicyChangeRequiresRestart[] =
"POLICY_CHANGE_REQUIRES_RESTART";
const char kHostOfflineReasonZombieStateDetected[] = "ZOMBIE_STATE_DETECTED";
// The default email domain for Googlers. Used to determine whether the host's
// email address is Google-internal or not.
constexpr char kGooglerEmailDomain[] = "@google.com";
} // namespace
namespace remoting {
class HostProcess : public ConfigWatcher::Delegate,
public FtlHostChangeNotificationListener::Listener,
public HeartbeatSender::Delegate,
public IPC::Listener,
public base::RefCountedThreadSafe<HostProcess> {
public:
// |shutdown_watchdog| is armed when shutdown is started, and should be kept
// alive as long as possible until the process exits (since destroying the
// watchdog disarms it).
HostProcess(std::unique_ptr<ChromotingHostContext> context,
int* exit_code_out,
ShutdownWatchdog* shutdown_watchdog);
// ConfigWatcher::Delegate interface.
void OnConfigUpdated(const std::string& serialized_config) override;
void OnConfigWatcherError() override;
// IPC::Listener implementation.
bool OnMessageReceived(const IPC::Message& message) override;
void OnChannelError() override;
// FtlHostChangeNotificationListener::Listener overrides.
void OnHostDeleted() override;
// Handler of the ChromotingDaemonNetworkMsg_InitializePairingRegistry IPC
// message.
void OnInitializePairingRegistry(
IPC::PlatformFileForTransit privileged_key,
IPC::PlatformFileForTransit unprivileged_key);
private:
// See SetState method for a list of allowed state transitions.
enum HostState {
// Waiting for valid config and policies to be read from the disk.
// Either the host process has just been started, or it is trying to start
// again after temporarily going offline due to policy change or error.
HOST_STARTING,
// Host is started and running.
HOST_STARTED,
// Host is sending offline reason, before trying to restart.
HOST_GOING_OFFLINE_TO_RESTART,
// Host is sending offline reason, before shutting down.
HOST_GOING_OFFLINE_TO_STOP,
// Host has been stopped (host process will end soon).
HOST_STOPPED,
};
enum PolicyState {
// Cannot start the host, because a valid policy has not been read yet.
POLICY_INITIALIZING,
// Policy was loaded successfully.
POLICY_LOADED,
// Policy error was detected, and we haven't yet sent out a
// host-offline-reason (i.e. because we haven't yet read the config).
POLICY_ERROR_REPORT_PENDING,
// Policy error was detected, and we have sent out a host-offline-reason.
POLICY_ERROR_REPORTED,
};
friend class base::RefCountedThreadSafe<HostProcess>;
~HostProcess() override;
void SetState(HostState target_state);
void StartOnNetworkThread();
#if defined(OS_POSIX)
// Callback passed to RegisterSignalHandler() to handle SIGTERM events.
void SigTermHandler(int signal_number);
#endif
// Called to initialize resources on the UI thread.
void StartOnUiThread();
// Initializes IPC control channel and config file path from |cmd_line|.
// Called on the UI thread.
bool InitWithCommandLine(const base::CommandLine* cmd_line);
// Called on the UI thread to start monitoring the configuration file.
void StartWatchingConfigChanges();
// Called on the network thread to set the host's Authenticator factory.
void CreateAuthenticatorFactory();
// Tear down resources that run on the UI thread.
void ShutdownOnUiThread();
// Applies the host config, returning true if successful.
bool ApplyConfig(const base::DictionaryValue& config);
// Handles policy updates, by calling On*PolicyUpdate methods.
void OnPolicyUpdate(std::unique_ptr<base::DictionaryValue> policies);
void OnPolicyError();
void ReportPolicyErrorAndRestartHost();
void ApplyHostDomainListPolicy();
void ApplyUsernamePolicy();
void ApplyAllowRemoteAccessConnections();
bool OnClientDomainListPolicyUpdate(base::DictionaryValue* policies);
bool OnHostDomainListPolicyUpdate(base::DictionaryValue* policies);
bool OnUsernamePolicyUpdate(base::DictionaryValue* policies);
bool OnNatPolicyUpdate(base::DictionaryValue* policies);
bool OnRelayPolicyUpdate(base::DictionaryValue* policies);
bool OnUdpPortPolicyUpdate(base::DictionaryValue* policies);
bool OnCurtainPolicyUpdate(base::DictionaryValue* policies);
bool OnHostTokenUrlPolicyUpdate(base::DictionaryValue* policies);
bool OnPairingPolicyUpdate(base::DictionaryValue* policies);
bool OnGnubbyAuthPolicyUpdate(base::DictionaryValue* policies);
bool OnFileTransferPolicyUpdate(base::DictionaryValue* policies);
bool OnEnableUserInterfacePolicyUpdate(base::DictionaryValue* policies);
bool OnAllowRemoteAccessConnections(base::DictionaryValue* policies);
bool OnMaxSessionDurationPolicyUpdate(base::DictionaryValue* policies);
void InitializeSignaling();
void StartHostIfReady();
void StartHost();
// HeartbeatSender::Delegate implementation.
void OnFirstHeartbeatSuccessful() override;
void OnHostNotFound() override;
void OnAuthFailed() override;
void OnZombieStateDetected();
void RestartHost(const std::string& host_offline_reason);
void ShutdownHost(HostExitCodes exit_code);
// Helper methods doing the work needed by RestartHost and ShutdownHost.
void GoOffline(const std::string& host_offline_reason);
void OnHostOfflineReasonAck(bool success);
#if defined(OS_WIN)
// Initializes the pairing registry on Windows. This should be invoked on the
// network thread.
void InitializePairingRegistry(
IPC::PlatformFileForTransit privileged_key,
IPC::PlatformFileForTransit unprivileged_key);
#endif // defined(OS_WIN)
// Crashes the process in response to a daemon's request. The daemon passes
// the location of the code that detected the fatal error resulted in this
// request.
void OnCrash(const std::string& function_name,
const std::string& file_name,
const int& line_number);
std::unique_ptr<ChromotingHostContext> context_;
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// Watch for certificate changes and kill the host when changes occur
std::unique_ptr<CertificateWatcher> cert_watcher_;
#endif
// Created on the UI thread but used from the network thread.
base::FilePath host_config_path_;
std::string host_config_;
std::unique_ptr<DesktopEnvironmentFactory> desktop_environment_factory_;
// Accessed on the network thread.
HostState state_ = HOST_STARTING;
std::unique_ptr<ConfigWatcher> config_watcher_;
std::string host_id_;
std::string pin_hash_;
scoped_refptr<RsaKeyPair> key_pair_;
std::string oauth_refresh_token_;
std::string robot_account_username_;
std::string serialized_config_;
std::string host_owner_;
bool is_googler_ = false;
std::unique_ptr<PolicyWatcher> policy_watcher_;
PolicyState policy_state_ = POLICY_INITIALIZING;
std::vector<std::string> client_domain_list_;
std::vector<std::string> host_domain_list_;
bool host_username_match_required_ = false;
bool allow_nat_traversal_ = true;
bool allow_relay_ = true;
PortRange udp_port_range_;
bool allow_pairing_ = true;
bool enable_user_interface_ = true;
bool allow_remote_access_connections_ = true;
DesktopEnvironmentOptions desktop_environment_options_;
ThirdPartyAuthConfig third_party_auth_config_;
bool security_key_auth_policy_enabled_ = false;
bool security_key_extension_supported_ = true;
int max_session_duration_minutes_ = 0;
// Used to specify which window to stream, if enabled.
webrtc::WindowId window_id_ = 0;
// Must outlive |signal_strategy_| and |ftl_signaling_connector_|.
std::unique_ptr<OAuthTokenGetterImpl> oauth_token_getter_;
// Must outlive |host_status_logger_|.
std::unique_ptr<LogToServer> log_to_server_;
// Must outlive |signal_strategy_| and |heartbeat_sender_|.
std::unique_ptr<ZombieHostDetector> zombie_host_detector_;
// Signal strategies must outlive |ftl_signaling_connector_|.
std::unique_ptr<SignalStrategy> signal_strategy_;
std::unique_ptr<FtlSignalingConnector> ftl_signaling_connector_;
std::unique_ptr<HeartbeatSender> heartbeat_sender_;
std::unique_ptr<FtlHostChangeNotificationListener>
ftl_host_change_notification_listener_;
std::unique_ptr<FtlEchoMessageListener> ftl_echo_message_listener_;
std::unique_ptr<HostStatusLogger> host_status_logger_;
std::unique_ptr<HostEventLogger> host_event_logger_;
std::unique_ptr<HostPowerSaveBlocker> power_save_blocker_;
std::unique_ptr<ChromotingHost> host_;
// Used to keep this HostProcess alive until it is shutdown.
scoped_refptr<HostProcess> self_;
std::unique_ptr<mojo::core::ScopedIPCSupport> ipc_support_;
#if defined(REMOTING_MULTI_PROCESS)
// Accessed on the UI thread.
std::unique_ptr<IPC::ChannelProxy> daemon_channel_;
// Owned as |desktop_environment_factory_|.
DesktopSessionConnector* desktop_session_connector_ = nullptr;
#endif // defined(REMOTING_MULTI_PROCESS)
int* exit_code_out_;
bool signal_parent_ = false;
std::string report_offline_reason_;
scoped_refptr<PairingRegistry> pairing_registry_;
ShutdownWatchdog* shutdown_watchdog_;
#if defined(OS_APPLE)
// When using the command line option to check the Accessibility or Screen
// Recording permission, these track the permission state and indicate that
// the host should exit immediately with the result.
bool checking_permission_state_ = false;
bool permission_granted_ = false;
#endif // defined(OS_APPLE)
DISALLOW_COPY_AND_ASSIGN(HostProcess);
};
HostProcess::HostProcess(std::unique_ptr<ChromotingHostContext> context,
int* exit_code_out,
ShutdownWatchdog* shutdown_watchdog)
: context_(std::move(context)),
desktop_environment_options_(DesktopEnvironmentOptions::CreateDefault()),
self_(this),
exit_code_out_(exit_code_out),
shutdown_watchdog_(shutdown_watchdog) {
// TODO(zijiehe):
// desktop_environment_options_.desktop_capture_options()
// ->set_use_update_notifications(true);
// And remove the same line from me2me_desktop_environment.cc.
StartOnUiThread();
#if defined(OS_APPLE)
if (checking_permission_state_) {
*exit_code_out = (permission_granted_ ? EXIT_SUCCESS : EXIT_FAILURE);
}
#endif
}
HostProcess::~HostProcess() {
// Verify that UI components have been torn down.
DCHECK(!config_watcher_);
DCHECK(!desktop_environment_factory_);
// We might be getting deleted on one of the threads the |host_context| owns,
// so we need to post it back to the caller thread to safely join & delete the
// threads it contains. This will go away when we move to AutoThread.
// |context_release()| will null |context_| before the method is invoked, so
// we need to pull out the task-runner on which to call DeleteSoon first.
scoped_refptr<base::SingleThreadTaskRunner> task_runner =
context_->ui_task_runner();
task_runner->DeleteSoon(FROM_HERE, context_.release());
}
bool HostProcess::InitWithCommandLine(const base::CommandLine* cmd_line) {
#if defined(OS_APPLE)
if (cmd_line->HasSwitch(kCheckAccessibilityPermissionSwitchName)) {
checking_permission_state_ = true;
permission_granted_ = mac::CanInjectInput();
return false;
}
if (cmd_line->HasSwitch(kCheckScreenRecordingPermissionSwitchName)) {
// Trigger screen-capture, even if CanRecordScreen() returns true. It uses a
// heuristic that might not be 100% reliable, but it is critically
// important to add the host bundle to the list of apps under
// Security & Privacy -> Screen Recording.
if (base::mac::IsAtLeastOS10_15()) {
DesktopCapturerChecker().TriggerSingleCapture();
}
checking_permission_state_ = true;
permission_granted_ = mac::CanRecordScreen();
return false;
}
if (cmd_line->HasSwitch(kListAudioDevicesSwitchName)) {
std::vector<AudioCapturerMac::AudioDeviceInfo> audio_devices =
AudioCapturerMac::GetAudioDevices();
printf("Audio devices:\n");
for (const auto& audio_device : audio_devices) {
printf("\n");
printf(" Device name: %s\n", audio_device.device_name.c_str());
printf(" Device UID: %s\n", audio_device.device_uid.c_str());
}
return false;
}
#endif // defined(OS_APPLE)
// Mojo keeps the task runner passed to it alive forever, so an
// AutoThreadTaskRunner should not be passed to it. Otherwise, the process may
// never shut down cleanly.
ipc_support_ = std::make_unique<mojo::core::ScopedIPCSupport>(
context_->network_task_runner()->task_runner(),
mojo::core::ScopedIPCSupport::ShutdownPolicy::FAST);
#if defined(REMOTING_MULTI_PROCESS)
auto endpoint =
mojo::PlatformChannel::RecoverPassedEndpointFromCommandLine(*cmd_line);
auto invitation = mojo::IncomingInvitation::Accept(std::move(endpoint));
// Connect to the daemon process.
daemon_channel_ = IPC::ChannelProxy::Create(
invitation
.ExtractMessagePipe(cmd_line->GetSwitchValueASCII(kMojoPipeToken))
.release(),
IPC::Channel::MODE_CLIENT, this, context_->network_task_runner(),
base::ThreadTaskRunnerHandle::Get());
#else // !defined(REMOTING_MULTI_PROCESS)
if (cmd_line->HasSwitch(kHostConfigSwitchName)) {
host_config_path_ = cmd_line->GetSwitchValuePath(kHostConfigSwitchName);
// Read config from stdin if necessary.
if (host_config_path_ == base::FilePath(kStdinConfigPath)) {
const size_t kBufferSize = 4096;
std::unique_ptr<char[]> buf(new char[kBufferSize]);
size_t len;
while ((len = fread(buf.get(), 1, kBufferSize, stdin)) > 0) {
host_config_.append(buf.get(), len);
}
}
} else {
base::FilePath default_config_dir = remoting::GetConfigDir();
host_config_path_ = default_config_dir.Append(kDefaultHostConfigFile);
}
if (host_config_path_ != base::FilePath(kStdinConfigPath) &&
!base::PathExists(host_config_path_)) {
LOG(ERROR) << "Can't find host config at " << host_config_path_.value();
return false;
}
#endif // !defined(REMOTING_MULTI_PROCESS)
// Ignore certificate requests - the host currently has no client certificate
// support, so ignoring certificate requests allows connecting to servers that
// request, but don't require, a certificate (optional client authentication).
net::URLFetcher::SetIgnoreCertificateRequests(true);
signal_parent_ = cmd_line->HasSwitch(kSignalParentSwitchName);
if (cmd_line->HasSwitch(kReportOfflineReasonSwitchName)) {
report_offline_reason_ =
cmd_line->GetSwitchValueASCII(kReportOfflineReasonSwitchName);
if (report_offline_reason_.empty()) {
LOG(ERROR) << "--" << kReportOfflineReasonSwitchName
<< " requires an argument.";
return false;
}
}
return true;
}
void HostProcess::OnConfigUpdated(
const std::string& serialized_config) {
if (!context_->network_task_runner()->BelongsToCurrentThread()) {
context_->network_task_runner()->PostTask(
FROM_HERE,
base::BindOnce(&HostProcess::OnConfigUpdated, this, serialized_config));
return;
}
// Filter out duplicates.
if (serialized_config_ == serialized_config)
return;
HOST_LOG << "Processing new host configuration.";
serialized_config_ = serialized_config;
std::unique_ptr<base::DictionaryValue> config(
HostConfigFromJson(serialized_config));
if (!config) {
LOG(ERROR) << "Invalid configuration.";
ShutdownHost(kInvalidHostConfigurationExitCode);
return;
}
if (!ApplyConfig(*config)) {
LOG(ERROR) << "Failed to apply the configuration.";
ShutdownHost(kInvalidHostConfigurationExitCode);
return;
}
if (state_ == HOST_STARTING) {
StartHostIfReady();
} else if (state_ == HOST_STARTED) {
// Reapply policies that could be affected by a new config.
DCHECK_EQ(policy_state_, POLICY_LOADED);
ApplyHostDomainListPolicy();
ApplyUsernamePolicy();
ApplyAllowRemoteAccessConnections();
// TODO(sergeyu): Here we assume that PIN is the only part of the config
// that may change while the service is running. Change ApplyConfig() to
// detect other changes in the config and restart host if necessary here.
CreateAuthenticatorFactory();
}
}
void HostProcess::OnConfigWatcherError() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
ShutdownHost(kInvalidHostConfigurationExitCode);
}
// Allowed state transitions (enforced via DCHECKs in SetState method):
// STARTING->STARTED (once we have valid config + policy)
// STARTING->GOING_OFFLINE_TO_STOP
// STARTING->GOING_OFFLINE_TO_RESTART
// STARTED->GOING_OFFLINE_TO_STOP
// STARTED->GOING_OFFLINE_TO_RESTART
// GOING_OFFLINE_TO_RESTART->GOING_OFFLINE_TO_STOP
// GOING_OFFLINE_TO_RESTART->STARTING (after OnHostOfflineReasonAck)
// GOING_OFFLINE_TO_STOP->STOPPED (after OnHostOfflineReasonAck)
//
// |host_| must be not-null in STARTED state and nullptr in all other states
// (although this invariant can be temporarily violated when doing
// synchronous processing on the networking thread).
void HostProcess::SetState(HostState target_state) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
// DCHECKs below enforce state allowed transitions listed in HostState.
switch (state_) {
case HOST_STARTING:
DCHECK((target_state == HOST_STARTED) ||
(target_state == HOST_GOING_OFFLINE_TO_STOP) ||
(target_state == HOST_GOING_OFFLINE_TO_RESTART))
<< state_ << " -> " << target_state;
break;
case HOST_STARTED:
DCHECK((target_state == HOST_GOING_OFFLINE_TO_STOP) ||
(target_state == HOST_GOING_OFFLINE_TO_RESTART))
<< state_ << " -> " << target_state;
break;
case HOST_GOING_OFFLINE_TO_RESTART:
DCHECK((target_state == HOST_GOING_OFFLINE_TO_STOP) ||
(target_state == HOST_STARTING))
<< state_ << " -> " << target_state;
break;
case HOST_GOING_OFFLINE_TO_STOP:
DCHECK_EQ(target_state, HOST_STOPPED);
break;
case HOST_STOPPED: // HOST_STOPPED is a terminal state.
default:
NOTREACHED() << state_ << " -> " << target_state;
break;
}
state_ = target_state;
}
void HostProcess::StartOnNetworkThread() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (state_ != HOST_STARTING) {
// Host was shutdown before the task had a chance to run.
return;
}
#if !defined(REMOTING_MULTI_PROCESS)
if (host_config_path_ == base::FilePath(kStdinConfigPath)) {
// Process config we've read from stdin.
OnConfigUpdated(host_config_);
} else {
// Start watching the host configuration file.
config_watcher_ = std::make_unique<ConfigFileWatcher>(
context_->network_task_runner(), context_->file_task_runner(),
host_config_path_);
config_watcher_->Watch(this);
}
#endif // !defined(REMOTING_MULTI_PROCESS)
#if defined(OS_POSIX)
remoting::RegisterSignalHandler(
SIGTERM, base::BindRepeating(&HostProcess::SigTermHandler,
base::Unretained(this)));
#endif // defined(OS_POSIX)
}
#if defined(OS_POSIX)
void HostProcess::SigTermHandler(int signal_number) {
DCHECK(signal_number == SIGTERM);
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
HOST_LOG << "Caught SIGTERM: Shutting down...";
ShutdownHost(kSuccessExitCode);
}
#endif // OS_POSIX
void HostProcess::CreateAuthenticatorFactory() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (state_ != HOST_STARTED)
return;
std::string local_certificate = key_pair_->GenerateCertificate();
if (local_certificate.empty()) {
LOG(ERROR) << "Failed to generate host certificate.";
ShutdownHost(kInitializationFailed);
return;
}
std::unique_ptr<protocol::AuthenticatorFactory> factory;
if (third_party_auth_config_.is_null()) {
scoped_refptr<PairingRegistry> pairing_registry;
if (allow_pairing_) {
// On Windows |pairing_registry_| is initialized in
// InitializePairingRegistry().
#if !defined(OS_WIN)
if (!pairing_registry_) {
std::unique_ptr<PairingRegistry::Delegate> delegate =
CreatePairingRegistryDelegate();
if (delegate)
pairing_registry_ = new PairingRegistry(context_->file_task_runner(),
std::move(delegate));
}
#endif // defined(OS_WIN)
pairing_registry = pairing_registry_;
}
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithPin(
host_owner_, local_certificate, key_pair_, client_domain_list_,
pin_hash_, pairing_registry);
host_->set_pairing_registry(pairing_registry);
} else {
// ThirdPartyAuthConfig::Parse() leaves the config in a valid state, so
// these URLs are both valid.
DCHECK(third_party_auth_config_.token_url.is_valid());
DCHECK(third_party_auth_config_.token_validation_url.is_valid());
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
if (!cert_watcher_) {
cert_watcher_ = std::make_unique<CertificateWatcher>(
base::BindRepeating(&HostProcess::ShutdownHost, this,
kSuccessExitCode),
context_->file_task_runner());
cert_watcher_->Start();
}
cert_watcher_->SetMonitor(host_->status_monitor());
#endif
scoped_refptr<protocol::TokenValidatorFactory> token_validator_factory =
new TokenValidatorFactoryImpl(third_party_auth_config_, key_pair_,
context_->url_request_context_getter());
factory = protocol::Me2MeHostAuthenticatorFactory::CreateWithThirdPartyAuth(
host_owner_, local_certificate, key_pair_, client_domain_list_,
token_validator_factory);
}
#if defined(OS_POSIX)
// On Linux and Mac, perform a PAM authorization step after authentication.
factory = std::make_unique<PamAuthorizationFactory>(std::move(factory));
#endif
host_->SetAuthenticatorFactory(std::move(factory));
}
// IPC::Listener implementation.
bool HostProcess::OnMessageReceived(const IPC::Message& message) {
DCHECK(context_->ui_task_runner()->BelongsToCurrentThread());
#if defined(REMOTING_MULTI_PROCESS)
bool handled = true;
IPC_BEGIN_MESSAGE_MAP(HostProcess, message)
IPC_MESSAGE_HANDLER(ChromotingDaemonMsg_Crash, OnCrash)
IPC_MESSAGE_HANDLER(ChromotingDaemonNetworkMsg_Configuration,
OnConfigUpdated)
IPC_MESSAGE_HANDLER(ChromotingDaemonNetworkMsg_InitializePairingRegistry,
OnInitializePairingRegistry)
IPC_MESSAGE_FORWARD(
ChromotingDaemonNetworkMsg_DesktopAttached,
desktop_session_connector_,
DesktopSessionConnector::OnDesktopSessionAgentAttached)
IPC_MESSAGE_FORWARD(ChromotingDaemonNetworkMsg_TerminalDisconnected,
desktop_session_connector_,
DesktopSessionConnector::OnTerminalDisconnected)
IPC_MESSAGE_UNHANDLED(handled = false)
IPC_END_MESSAGE_MAP()
CHECK(handled) << "Received unexpected IPC type: " << message.type();
return handled;
#else // !defined(REMOTING_MULTI_PROCESS)
return false;
#endif // !defined(REMOTING_MULTI_PROCESS)
}
void HostProcess::OnChannelError() {
DCHECK(context_->ui_task_runner()->BelongsToCurrentThread());
// Shutdown the host if the daemon process disconnects the IPC channel.
context_->network_task_runner()->PostTask(
FROM_HERE,
base::BindOnce(&HostProcess::ShutdownHost, this, kSuccessExitCode));
}
void HostProcess::StartOnUiThread() {
DCHECK(context_->ui_task_runner()->BelongsToCurrentThread());
if (!InitWithCommandLine(base::CommandLine::ForCurrentProcess())) {
// Shutdown the host if the command line is invalid.
ShutdownOnUiThread();
return;
}
HostSettings::Initialize();
if (!report_offline_reason_.empty()) {
// Don't need to do any UI initialization.
context_->network_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::StartOnNetworkThread, this));
return;
}
policy_watcher_ =
PolicyWatcher::CreateWithTaskRunner(context_->file_task_runner());
policy_watcher_->StartWatching(
base::BindRepeating(&HostProcess::OnPolicyUpdate, base::Unretained(this)),
base::BindRepeating(&HostProcess::OnPolicyError, base::Unretained(this)));
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// If an audio pipe is specific on the command-line then initialize
// AudioCapturerLinux to capture from it.
base::FilePath audio_pipe_name = base::CommandLine::ForCurrentProcess()->
GetSwitchValuePath(kAudioPipeSwitchName);
if (!audio_pipe_name.empty()) {
remoting::AudioCapturerLinux::InitializePipeReader(
context_->audio_task_runner(), audio_pipe_name);
}
#endif // defined(OS_LINUX) || defined(OS_CHROMEOS)
#if defined(OS_POSIX)
base::FilePath security_key_socket_name =
base::CommandLine::ForCurrentProcess()->GetSwitchValuePath(
kAuthSocknameSwitchName);
if (!security_key_socket_name.empty()) {
remoting::SecurityKeyAuthHandler::SetSecurityKeySocketName(
security_key_socket_name);
} else {
security_key_extension_supported_ = false;
}
#endif // defined(OS_POSIX)
// Create a desktop environment factory appropriate to the build type &
// platform.
#if defined(REMOTING_MULTI_PROCESS)
IpcDesktopEnvironmentFactory* desktop_environment_factory =
new IpcDesktopEnvironmentFactory(
context_->audio_task_runner(), context_->network_task_runner(),
context_->network_task_runner(), daemon_channel_.get());
desktop_session_connector_ = desktop_environment_factory;
#else // !defined(REMOTING_MULTI_PROCESS)
BasicDesktopEnvironmentFactory* desktop_environment_factory;
desktop_environment_factory = new Me2MeDesktopEnvironmentFactory(
context_->network_task_runner(), context_->video_capture_task_runner(),
context_->input_task_runner(), context_->ui_task_runner());
#endif // !defined(REMOTING_MULTI_PROCESS)
desktop_environment_factory_.reset(desktop_environment_factory);
context_->network_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::StartOnNetworkThread, this));
}
void HostProcess::ShutdownOnUiThread() {
DCHECK(context_->ui_task_runner()->BelongsToCurrentThread());
// Tear down resources that need to be torn down on the UI thread.
desktop_environment_factory_.reset();
policy_watcher_.reset();
#if defined(REMOTING_MULTI_PROCESS)
daemon_channel_.reset();
#endif // defined(REMOTING_MULTI_PROCESS)
// It is now safe for the HostProcess to be deleted.
self_ = nullptr;
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// Cause the global AudioPipeReader to be freed, otherwise the audio
// thread will remain in-use and prevent the process from exiting.
// TODO(wez): DesktopEnvironmentFactory should own the pipe reader.
// See crbug.com/161373 and crbug.com/104544.
AudioCapturerLinux::InitializePipeReader(nullptr, base::FilePath());
#endif
}
void HostProcess::OnHostNotFound() {
LOG(ERROR) << "Host ID not found.";
ShutdownHost(kInvalidHostIdExitCode);
}
void HostProcess::OnFirstHeartbeatSuccessful() {
if (state_ != HOST_STARTED) {
return;
}
HOST_LOG << "Host ready to receive connections.";
#if defined(OS_POSIX)
if (signal_parent_) {
kill(getppid(), SIGUSR1);
signal_parent_ = false;
}
#endif
}
void HostProcess::OnHostDeleted() {
LOG(ERROR) << "Host was deleted from the directory.";
ShutdownHost(kHostDeletedExitCode);
}
void HostProcess::OnInitializePairingRegistry(
IPC::PlatformFileForTransit privileged_key,
IPC::PlatformFileForTransit unprivileged_key) {
DCHECK(context_->ui_task_runner()->BelongsToCurrentThread());
#if defined(OS_WIN)
context_->network_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::InitializePairingRegistry, this,
privileged_key, unprivileged_key));
#else // !defined(OS_WIN)
NOTREACHED();
#endif // !defined(OS_WIN)
}
#if defined(OS_WIN)
void HostProcess::InitializePairingRegistry(
IPC::PlatformFileForTransit privileged_key,
IPC::PlatformFileForTransit unprivileged_key) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
// |privileged_key| can be nullptr but not |unprivileged_key|.
DCHECK(unprivileged_key.IsValid());
// |pairing_registry_| should only be initialized once.
DCHECK(!pairing_registry_);
HKEY privileged_hkey = reinterpret_cast<HKEY>(
IPC::PlatformFileForTransitToPlatformFile(privileged_key));
HKEY unprivileged_hkey = reinterpret_cast<HKEY>(
IPC::PlatformFileForTransitToPlatformFile(unprivileged_key));
std::unique_ptr<PairingRegistryDelegateWin> delegate(
new PairingRegistryDelegateWin());
delegate->SetRootKeys(privileged_hkey, unprivileged_hkey);
pairing_registry_ = new PairingRegistry(context_->file_task_runner(),
std::move(delegate));
// (Re)Create the authenticator factory now that |pairing_registry_| has been
// initialized.
CreateAuthenticatorFactory();
}
#endif // !defined(OS_WIN)
// Applies the host config, returning true if successful.
bool HostProcess::ApplyConfig(const base::DictionaryValue& config) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!config.GetString(kHostIdConfigPath, &host_id_)) {
LOG(ERROR) << "Config does not define " << kHostIdConfigPath << ".";
return false;
}
std::string key_base64;
if (!config.GetString(kPrivateKeyConfigPath, &key_base64)) {
LOG(ERROR) << "Private key couldn't be read from the config file.";
return false;
}
key_pair_ = RsaKeyPair::FromString(key_base64);
if (!key_pair_.get()) {
LOG(ERROR) << "Invalid private key in the config file.";
return false;
}
std::string host_secret_hash_string;
if (!config.GetString(kHostSecretHashConfigPath, &host_secret_hash_string) ||
!ParsePinHashFromConfig(host_secret_hash_string, host_id_, &pin_hash_)) {
LOG(ERROR) << "Cannot parse host_secret_hash configuration value.";
return false;
}
// Retrieve robot account credentials for session signaling.
if (!config.GetString(kXmppLoginConfigPath, &robot_account_username_) ||
!config.GetString(kOAuthRefreshTokenConfigPath, &oauth_refresh_token_)) {
LOG(ERROR) << "Robot account credentials are not defined in the config.";
return false;
}
// Some old host configs have a host_owner field that's set to a JID ending
// with @id.talk.google.com, and a host_owner_email field that's set to the
// owner's actual email address. Other host configs only have a host_owner
// field. We are not generating separate addresses nor using JID any more but
// we still read host_owner_email first for compatibility reason.
const std::string* host_owner_ptr =
config.FindStringPath(kHostOwnerEmailConfigPath);
if (!host_owner_ptr) {
host_owner_ptr = config.FindStringPath(kHostOwnerConfigPath);
}
if (!host_owner_ptr) {
LOG(ERROR) << "Host config has no host_owner or host_owner_email fields.";
return false;
}
host_owner_ = *host_owner_ptr;
// Check if the host owner's email is Google-internal.
is_googler_ = base::EndsWith(host_owner_, kGooglerEmailDomain,
base::CompareCase::INSENSITIVE_ASCII);
return true;
}
void HostProcess::OnPolicyUpdate(
std::unique_ptr<base::DictionaryValue> policies) {
if (!context_->network_task_runner()->BelongsToCurrentThread()) {
context_->network_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::OnPolicyUpdate, this,
std::move(policies)));
return;
}
bool restart_required = false;
restart_required |= OnClientDomainListPolicyUpdate(policies.get());
restart_required |= OnHostDomainListPolicyUpdate(policies.get());
restart_required |= OnCurtainPolicyUpdate(policies.get());
// Note: UsernamePolicyUpdate must run after OnCurtainPolicyUpdate.
restart_required |= OnUsernamePolicyUpdate(policies.get());
restart_required |= OnNatPolicyUpdate(policies.get());
restart_required |= OnRelayPolicyUpdate(policies.get());
restart_required |= OnUdpPortPolicyUpdate(policies.get());
restart_required |= OnHostTokenUrlPolicyUpdate(policies.get());
restart_required |= OnPairingPolicyUpdate(policies.get());
restart_required |= OnGnubbyAuthPolicyUpdate(policies.get());
restart_required |= OnFileTransferPolicyUpdate(policies.get());
restart_required |= OnEnableUserInterfacePolicyUpdate(policies.get());
restart_required |= OnAllowRemoteAccessConnections(policies.get());
restart_required |= OnMaxSessionDurationPolicyUpdate(policies.get());
policy_state_ = POLICY_LOADED;
if (state_ == HOST_STARTING) {
StartHostIfReady();
} else if (state_ == HOST_STARTED) {
if (restart_required)
RestartHost(kHostOfflineReasonPolicyChangeRequiresRestart);
}
}
void HostProcess::OnPolicyError() {
if (!context_->network_task_runner()->BelongsToCurrentThread()) {
context_->network_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::OnPolicyError, this));
return;
}
if (policy_state_ != POLICY_ERROR_REPORTED) {
policy_state_ = POLICY_ERROR_REPORT_PENDING;
if ((state_ == HOST_STARTED) ||
(state_ == HOST_STARTING && !serialized_config_.empty())) {
ReportPolicyErrorAndRestartHost();
}
}
}
void HostProcess::ReportPolicyErrorAndRestartHost() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!serialized_config_.empty());
DCHECK_EQ(policy_state_, POLICY_ERROR_REPORT_PENDING);
policy_state_ = POLICY_ERROR_REPORTED;
HOST_LOG << "Restarting the host due to policy errors.";
RestartHost(kHostOfflineReasonPolicyReadError);
}
void HostProcess::ApplyHostDomainListPolicy() {
if (state_ != HOST_STARTED)
return;
HOST_LOG << "Policy sets host domains: "
<< base::JoinString(host_domain_list_, ", ");
if (!host_domain_list_.empty()) {
bool matched = false;
for (const std::string& domain : host_domain_list_) {
if (base::EndsWith(host_owner_, std::string("@") + domain,
base::CompareCase::INSENSITIVE_ASCII)) {
matched = true;
}
}
if (!matched) {
LOG(ERROR) << "The host domain does not match the policy.";
ShutdownHost(kInvalidHostDomainExitCode);
}
}
}
void HostProcess::ApplyAllowRemoteAccessConnections() {
if (state_ != HOST_STARTED)
return;
HOST_LOG << "Policy allows remote access connections: "
<< allow_remote_access_connections_;
if (!allow_remote_access_connections_) {
ShutdownHost(kRemoteAccessDisallowedExitCode);
}
}
bool HostProcess::OnHostDomainListPolicyUpdate(
base::DictionaryValue* policies) {
// Returns false: never restart the host after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
const base::ListValue* list;
if (!policies->GetList(policy::key::kRemoteAccessHostDomainList, &list)) {
return false;
}
host_domain_list_.clear();
for (const auto& value : list->GetList()) {
host_domain_list_.push_back(value.GetString());
}
ApplyHostDomainListPolicy();
return false;
}
bool HostProcess::OnClientDomainListPolicyUpdate(
base::DictionaryValue* policies) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
const base::ListValue* list;
if (!policies->GetList(policy::key::kRemoteAccessHostClientDomainList,
&list)) {
return false;
}
client_domain_list_.clear();
for (const auto& value : list->GetList()) {
client_domain_list_.push_back(value.GetString());
}
return true;
}
void HostProcess::ApplyUsernamePolicy() {
if (state_ != HOST_STARTED)
return;
if (host_username_match_required_) {
HOST_LOG << "Policy requires host username match.";
std::string username = GetUsername();
bool shutdown =
username.empty() ||
!base::StartsWith(host_owner_, username + std::string("@"),
base::CompareCase::INSENSITIVE_ASCII);
#if defined(OS_APPLE)
// On Mac, we run as root at the login screen, so the username won't match.
// However, there's no need to enforce the policy at the login screen, as
// the client will have to reconnect if a login occurs.
if (shutdown && getuid() == 0) {
shutdown = false;
}
#endif
// Curtain-mode on Windows presents the standard OS login prompt to the user
// for each connection, removing the need for an explicit user-name matching
// check.
#if defined(OS_WIN) && defined(REMOTING_RDP_SESSION)
if (desktop_environment_options_.enable_curtaining())
return;
#endif // defined(OS_WIN) && defined(REMOTING_RDP_SESSION)
// Shutdown the host if the username does not match.
if (shutdown) {
LOG(ERROR) << "The host username does not match.";
ShutdownHost(kUsernameMismatchExitCode);
}
} else {
HOST_LOG << "Policy does not require host username match.";
}
}
bool HostProcess::OnUsernamePolicyUpdate(base::DictionaryValue* policies) {
// Returns false: never restart the host after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetBoolean(policy::key::kRemoteAccessHostMatchUsername,
&host_username_match_required_)) {
return false;
}
ApplyUsernamePolicy();
return false;
}
bool HostProcess::OnNatPolicyUpdate(base::DictionaryValue* policies) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetBoolean(policy::key::kRemoteAccessHostFirewallTraversal,
&allow_nat_traversal_)) {
return false;
}
if (allow_nat_traversal_) {
HOST_LOG << "Policy enables NAT traversal.";
} else {
HOST_LOG << "Policy disables NAT traversal.";
}
return true;
}
bool HostProcess::OnRelayPolicyUpdate(base::DictionaryValue* policies) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetBoolean(
policy::key::kRemoteAccessHostAllowRelayedConnection,
&allow_relay_)) {
return false;
}
if (allow_relay_) {
HOST_LOG << "Policy enables use of relay server.";
} else {
HOST_LOG << "Policy disables use of relay server.";
}
return true;
}
bool HostProcess::OnUdpPortPolicyUpdate(base::DictionaryValue* policies) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
std::string string_value;
if (!policies->GetString(policy::key::kRemoteAccessHostUdpPortRange,
&string_value)) {
return false;
}
if (!PortRange::Parse(string_value, &udp_port_range_)) {
// PolicyWatcher verifies that the value is formatted correctly.
LOG(FATAL) << "Invalid port range: " << string_value;
}
HOST_LOG << "Policy restricts UDP port range to: " << udp_port_range_;
return true;
}
bool HostProcess::OnCurtainPolicyUpdate(base::DictionaryValue* policies) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
bool curtain_required;
if (!policies->GetBoolean(policy::key::kRemoteAccessHostRequireCurtain,
&curtain_required)) {
return false;
}
desktop_environment_options_.set_enable_curtaining(curtain_required);
#if defined(OS_APPLE)
if (curtain_required) {
// When curtain mode is in effect on Mac, the host process runs in the
// user's switched-out session, but launchd will also run an instance at
// the console login screen. Even if no user is currently logged-on, we
// can't support remote-access to the login screen because the current host
// process model disconnects the client during login, which would leave
// the logged in session un-curtained on the console until they reconnect.
//
// TODO(jamiewalch): Fix this once we have implemented the multi-process
// daemon architecture (crbug.com/134894)
if (getuid() == 0) {
LOG(ERROR) << "Running the host in the console login session is not yet "
"supported.";
ShutdownHost(kLoginScreenNotSupportedExitCode);
return false;
}
}
#endif
if (curtain_required) {
HOST_LOG << "Policy requires curtain-mode.";
} else {
HOST_LOG << "Policy does not require curtain-mode.";
}
return true;
}
bool HostProcess::OnHostTokenUrlPolicyUpdate(base::DictionaryValue* policies) {
switch (ThirdPartyAuthConfig::Parse(*policies, &third_party_auth_config_)) {
case ThirdPartyAuthConfig::NoPolicy:
return false;
case ThirdPartyAuthConfig::ParsingSuccess:
HOST_LOG << "Policy sets third-party token URLs: "
<< third_party_auth_config_;
return true;
case ThirdPartyAuthConfig::InvalidPolicy:
default:
// Unreachable, because PolicyWatcher::OnPolicyUpdated() enforces that
// the policy is well-formed (including checks specific to
// ThirdPartyAuthConfig), before notifying of policy updates.
NOTREACHED();
return false;
}
}
bool HostProcess::OnPairingPolicyUpdate(base::DictionaryValue* policies) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetBoolean(policy::key::kRemoteAccessHostAllowClientPairing,
&allow_pairing_)) {
return false;
}
if (allow_pairing_) {
HOST_LOG << "Policy enables client pairing.";
} else {
HOST_LOG << "Policy disables client pairing.";
}
return true;
}
bool HostProcess::OnGnubbyAuthPolicyUpdate(base::DictionaryValue* policies) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetBoolean(policy::key::kRemoteAccessHostAllowGnubbyAuth,
&security_key_auth_policy_enabled_)) {
return false;
}
if (security_key_auth_policy_enabled_) {
HOST_LOG << "Policy enables security key auth.";
} else {
HOST_LOG << "Policy disables security key auth.";
}
return true;
}
bool HostProcess::OnFileTransferPolicyUpdate(base::DictionaryValue* policies) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
bool file_transfer_enabled;
if (!policies->GetBoolean(policy::key::kRemoteAccessHostAllowFileTransfer,
&file_transfer_enabled)) {
return false;
}
desktop_environment_options_.set_enable_file_transfer(file_transfer_enabled);
if (file_transfer_enabled) {
HOST_LOG << "Policy enables file transfer.";
} else {
HOST_LOG << "Policy disables file transfer.";
}
// Restart required.
return true;
}
bool HostProcess::OnEnableUserInterfacePolicyUpdate(
base::DictionaryValue* policies) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
bool enable_user_interface;
if (!policies->GetBoolean(policy::key::kRemoteAccessHostEnableUserInterface,
&enable_user_interface)) {
return false;
}
// Save the value until we have parsed the host config since we only want the
// policy to be applied to machines owned by a Googler.
enable_user_interface_ = enable_user_interface;
if (enable_user_interface_) {
HOST_LOG << "Policy enables user interface for non-curtained sessions.";
} else {
HOST_LOG << "Policy disables user interface for non-curtained sessions.";
}
// Restart required.
return true;
}
bool HostProcess::OnMaxSessionDurationPolicyUpdate(
base::DictionaryValue* policies) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
if (!policies->GetInteger(
policy::key::kRemoteAccessHostMaximumSessionDurationMinutes,
&max_session_duration_minutes_)) {
return false;
}
if (max_session_duration_minutes_ > 0) {
HOST_LOG << "Policy sets maximum session duration to "
<< max_session_duration_minutes_ << " minutes.";
} else {
HOST_LOG << "Policy does not set a maximum session duration.";
}
// Restart required.
return true;
}
bool HostProcess::OnAllowRemoteAccessConnections(
base::DictionaryValue* policies) {
// Returns false: never restart the host after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
bool allow_remote_access_connections;
if (!policies->GetBoolean(
policy::key::kRemoteAccessHostAllowRemoteAccessConnections,
&allow_remote_access_connections)) {
return false;
}
// Update the value if the policy was set and retrieval was successful.
allow_remote_access_connections_ = allow_remote_access_connections;
ApplyAllowRemoteAccessConnections();
return false;
}
void HostProcess::InitializeSignaling() {
DCHECK(!host_id_.empty()); // ApplyConfig() should already have been run.
DCHECK(!signal_strategy_);
DCHECK(!oauth_token_getter_);
DCHECK(!ftl_signaling_connector_);
DCHECK(!heartbeat_sender_);
auto oauth_credentials =
std::make_unique<OAuthTokenGetter::OAuthAuthorizationCredentials>(
robot_account_username_, oauth_refresh_token_,
/* is_service_account */ true);
// Unretained is sound because we own the OAuthTokenGetterImpl, and the
// callback will never be invoked once it is destroyed.
oauth_token_getter_ = std::make_unique<OAuthTokenGetterImpl>(
std::move(oauth_credentials),
context_->url_loader_factory(), false);
log_to_server_ = std::make_unique<RemotingLogToServer>(
ServerLogEntry::ME2ME,
std::make_unique<OAuthTokenGetterProxy>(
oauth_token_getter_->GetWeakPtr()),
context_->url_loader_factory());
zombie_host_detector_ = std::make_unique<ZombieHostDetector>(base::BindOnce(
&HostProcess::OnZombieStateDetected, base::Unretained(this)));
auto ftl_signal_strategy = std::make_unique<FtlSignalStrategy>(
std::make_unique<OAuthTokenGetterProxy>(
oauth_token_getter_->GetWeakPtr()),
context_->url_loader_factory(),
std::make_unique<FtlHostDeviceIdProvider>(host_id_),
zombie_host_detector_.get());
ftl_signaling_connector_ = std::make_unique<FtlSignalingConnector>(
ftl_signal_strategy.get(),
base::BindOnce(&HostProcess::OnAuthFailed, base::Unretained(this)));
ftl_signaling_connector_->Start();
heartbeat_sender_ = std::make_unique<HeartbeatSender>(
this, host_id_, ftl_signal_strategy.get(), oauth_token_getter_.get(),
zombie_host_detector_.get(), context_->url_loader_factory(), is_googler_);
signal_strategy_ = std::move(ftl_signal_strategy);
zombie_host_detector_->Start();
}
void HostProcess::StartHostIfReady() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK_EQ(state_, HOST_STARTING);
// Start the host if both the config and the policies are loaded.
if (!serialized_config_.empty()) {
if (!report_offline_reason_.empty()) {
SetState(HOST_GOING_OFFLINE_TO_STOP);
GoOffline(report_offline_reason_);
} else if (policy_state_ == POLICY_LOADED) {
StartHost();
} else if (policy_state_ == POLICY_ERROR_REPORT_PENDING) {
ReportPolicyErrorAndRestartHost();
}
}
}
void HostProcess::StartHost() {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_);
SetState(HOST_STARTED);
InitializeSignaling();
uint32_t network_flags = 0;
if (allow_nat_traversal_) {
network_flags = NetworkSettings::NAT_TRAVERSAL_STUN |
NetworkSettings::NAT_TRAVERSAL_OUTGOING;
if (allow_relay_)
network_flags |= NetworkSettings::NAT_TRAVERSAL_RELAY;
}
NetworkSettings network_settings(network_flags);
if (!udp_port_range_.is_null()) {
network_settings.port_range = udp_port_range_;
} else if (!allow_nat_traversal_) {
// For legacy reasons we have to restrict the port range to a set of default
// values when nat traversal is disabled, even if the port range was not
// set in policy.
network_settings.port_range.min_port = NetworkSettings::kDefaultMinPort;
network_settings.port_range.max_port = NetworkSettings::kDefaultMaxPort;
}
scoped_refptr<protocol::TransportContext> transport_context =
new protocol::TransportContext(
std::make_unique<protocol::ChromiumPortAllocatorFactory>(),
context_->url_loader_factory(), oauth_token_getter_.get(),
network_settings, protocol::TransportRole::SERVER);
std::unique_ptr<protocol::SessionManager> session_manager(
new protocol::JingleSessionManager(signal_strategy_.get()));
std::unique_ptr<protocol::CandidateSessionConfig> protocol_config =
protocol::CandidateSessionConfig::CreateDefault();
if (!desktop_environment_factory_->SupportsAudioCapture())
protocol_config->DisableAudioChannel();
protocol_config->set_webrtc_supported(true);
session_manager->set_protocol_config(std::move(protocol_config));
if (is_googler_) {
// Enabling this policy means that a local user sitting at a host would not
// see any UI or indication that a remote user was connected. We do have a
// few use cases for this internally where we know for a fact that there
// will not be a local user. Since that isn't something we can control
// externally, we don't want to apply this policy for non-Googlers.
desktop_environment_options_.set_enable_user_interface(
enable_user_interface_);
}
host_ = std::make_unique<ChromotingHost>(
desktop_environment_factory_.get(), std::move(session_manager),
transport_context, context_->audio_task_runner(),
context_->video_encode_task_runner(), desktop_environment_options_);
if (security_key_auth_policy_enabled_ && security_key_extension_supported_) {
host_->AddExtension(
std::make_unique<SecurityKeyExtension>(context_->file_task_runner()));
}
host_->AddExtension(std::make_unique<TestEchoExtension>());
if (max_session_duration_minutes_ > 0) {
host_->SetMaximumSessionDuration(
base::TimeDelta::FromMinutes(max_session_duration_minutes_));
}
host_status_logger_ = std::make_unique<HostStatusLogger>(
host_->status_monitor(), log_to_server_.get());
power_save_blocker_ = std::make_unique<HostPowerSaveBlocker>(
host_->status_monitor(), context_->ui_task_runner(),
context_->file_task_runner());
ftl_host_change_notification_listener_ =
std::make_unique<FtlHostChangeNotificationListener>(
this, signal_strategy_.get());
ftl_echo_message_listener_ = std::make_unique<FtlEchoMessageListener>(
host_owner_, signal_strategy_.get());
// Set up reporting the host status notifications.
#if defined(REMOTING_MULTI_PROCESS)
host_event_logger_ = std::make_unique<IpcHostEventLogger>(
host_->status_monitor(), daemon_channel_.get());
#else // !defined(REMOTING_MULTI_PROCESS)
host_event_logger_ =
HostEventLogger::Create(host_->status_monitor(), kApplicationName);
#endif // !defined(REMOTING_MULTI_PROCESS)
#if defined(OS_APPLE)
// Don't run the permission-checks as root (i.e. at the login screen), as they
// are not actionable there.
// Also, the permission-checks are not needed on MacOS 10.15+, as they are
// always handled by the new permission-wizard (the old shell script is
// never used on 10.15+).
if (getuid() != 0U && base::mac::IsAtMostOS10_14()) {
mac::PromptUserToChangeTrustStateIfNeeded(context_->ui_task_runner());
}
#endif // defined(OS_APPLE)
host_->Start(host_owner_);
CreateAuthenticatorFactory();
ApplyHostDomainListPolicy();
ApplyUsernamePolicy();
ApplyAllowRemoteAccessConnections();
}
void HostProcess::OnAuthFailed() {
ShutdownHost(kInvalidOauthCredentialsExitCode);
}
void HostProcess::OnZombieStateDetected() {
RestartHost(kHostOfflineReasonZombieStateDetected);
}
void HostProcess::RestartHost(const std::string& host_offline_reason) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_offline_reason.empty());
SetState(HOST_GOING_OFFLINE_TO_RESTART);
GoOffline(host_offline_reason);
}
void HostProcess::ShutdownHost(HostExitCodes exit_code) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
*exit_code_out_ = exit_code;
switch (state_) {
case HOST_STARTING:
case HOST_STARTED:
SetState(HOST_GOING_OFFLINE_TO_STOP);
GoOffline(ExitCodeToString(exit_code));
break;
case HOST_GOING_OFFLINE_TO_RESTART:
SetState(HOST_GOING_OFFLINE_TO_STOP);
break;
case HOST_GOING_OFFLINE_TO_STOP:
case HOST_STOPPED:
// Host is already stopped or being stopped. No action is required.
break;
}
}
void HostProcess::GoOffline(const std::string& host_offline_reason) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_offline_reason.empty());
DCHECK((state_ == HOST_GOING_OFFLINE_TO_STOP) ||
(state_ == HOST_GOING_OFFLINE_TO_RESTART));
// Shut down everything except the HostSignalingManager.
host_.reset();
host_event_logger_.reset();
host_status_logger_.reset();
power_save_blocker_.reset();
ftl_host_change_notification_listener_.reset();
// Before shutting down HostSignalingManager, send the |host_offline_reason|
// if possible (i.e. if we have the config).
if (host_offline_reason == ExitCodeToString(kHostDeletedExitCode)) {
// Host is deleted. There is no need to report the host offline reason back
// to directory.
OnHostOfflineReasonAck(true);
return;
} else if (!serialized_config_.empty()) {
if (!signal_strategy_)
InitializeSignaling();
HOST_LOG << "SendHostOfflineReason: sending " << host_offline_reason << ".";
heartbeat_sender_->SetHostOfflineReason(
host_offline_reason,
base::TimeDelta::FromSeconds(kHostOfflineReasonTimeoutSeconds),
base::BindOnce(&HostProcess::OnHostOfflineReasonAck, this));
return; // Shutdown will resume after OnHostOfflineReasonAck.
}
// Continue the shutdown without sending the host offline reason.
HOST_LOG << "Can't send offline reason (" << host_offline_reason << ") "
<< "without a valid host config.";
OnHostOfflineReasonAck(false);
}
void HostProcess::OnHostOfflineReasonAck(bool success) {
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
DCHECK(!host_); // Assert that the host is really offline at this point.
HOST_LOG << "SendHostOfflineReason " << (success ? "succeeded." : "failed.");
log_to_server_.reset();
heartbeat_sender_.reset();
oauth_token_getter_.reset();
ftl_signaling_connector_.reset();
ftl_echo_message_listener_.reset();
signal_strategy_.reset();
zombie_host_detector_.reset();
if (state_ == HOST_GOING_OFFLINE_TO_RESTART) {
SetState(HOST_STARTING);
StartHostIfReady();
} else if (state_ == HOST_GOING_OFFLINE_TO_STOP) {
SetState(HOST_STOPPED);
shutdown_watchdog_->SetExitCode(*exit_code_out_);
shutdown_watchdog_->Arm();
config_watcher_.reset();
// Complete the rest of shutdown on the main thread.
context_->ui_task_runner()->PostTask(
FROM_HERE, base::BindOnce(&HostProcess::ShutdownOnUiThread, this));
} else {
NOTREACHED();
}
}
void HostProcess::OnCrash(const std::string& function_name,
const std::string& file_name,
const int& line_number) {
char message[1024];
base::snprintf(message, sizeof(message),
"Requested by %s at %s, line %d.",
function_name.c_str(), file_name.c_str(), line_number);
base::debug::Alias(message);
// The daemon requested us to crash the process.
CHECK(false) << message;
}
int HostProcessMain() {
HOST_LOG << "Starting host process: version " << STRINGIZE(VERSION);
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// Initialize Xlib for multi-threaded use, allowing non-Chromium code to
// use X11 safely (such as the WebRTC capturer, GTK ...)
x11::InitXlib();
if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
kReportOfflineReasonSwitchName)) {
// Required for any calls into GTK functions, such as the Disconnect and
// Continue windows, though these should not be used for the Me2Me case
// (crbug.com/104377).
#if GTK_CHECK_VERSION(3, 90, 0)
gtk_init();
#else
gtk_init(nullptr, nullptr);
#endif
}
// Need to prime the host OS version value for linux to prevent IO on the
// network thread. base::GetLinuxDistro() caches the result.
base::GetLinuxDistro();
#endif
base::ThreadPoolInstance::CreateAndStartWithDefaultParams("Me2Me");
// Create the main task executor and start helper threads.
base::SingleThreadTaskExecutor main_task_executor(base::MessagePumpType::UI);
base::RunLoop run_loop;
std::unique_ptr<ChromotingHostContext> context =
ChromotingHostContext::Create(new AutoThreadTaskRunner(
main_task_executor.task_runner(), run_loop.QuitClosure()));
if (!context)
return kInitializationFailed;
// NetworkChangeNotifier must be initialized after SingleThreadTaskExecutor.
std::unique_ptr<net::NetworkChangeNotifier> network_change_notifier(
net::NetworkChangeNotifier::CreateIfNeeded());
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// Create an X11EventSource on all UI threads, so the global X11 connection
// (x11::Connection::Get()) can dispatch X events.
auto event_source =
std::make_unique<ui::X11EventSource>(x11::Connection::Get());
auto input_task_runner = context->input_task_runner();
input_task_runner->PostTask(FROM_HERE, base::BindOnce([]() {
new ui::X11EventSource(x11::Connection::Get());
}));
#endif // defined(OS_LINUX) || defined(OS_CHROMEOS)
// Create & start the HostProcess using these threads.
// TODO(wez): The HostProcess holds a reference to itself until Shutdown().
// Remove this hack as part of the multi-process refactoring.
int exit_code = kSuccessExitCode;
ShutdownWatchdog shutdown_watchdog(
base::TimeDelta::FromSeconds(kShutdownTimeoutSeconds));
new HostProcess(std::move(context), &exit_code, &shutdown_watchdog);
// Run the main (also UI) task executor until the host no longer needs it.
run_loop.Run();
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
input_task_runner->PostTask(FROM_HERE, base::BindOnce([]() {
delete ui::X11EventSource::GetInstance();
}));
#endif // defined(OS_LINUX) || defined(OS_CHROMEOS)
// Block until tasks blocking shutdown have completed their execution.
base::ThreadPoolInstance::Get()->Shutdown();
return exit_code;
}
} // namespace remoting