authornoamsml@google.com <noamsml@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-30 17:04:23 +0000
committernoamsml@google.com <noamsml@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-30 17:04:23 +0000
commit11f9efbe87642781a5e03fc760cc16c7f31a97f9 (patch)
treeb82b65f3d0102be411e18687fbf8346543224326 /remoting/host
parent0e24b8b0e03a669eb93193fd2592350430f07914 (diff)
Revert 267242 "Revert 267234 "New policies: enable/disable relay..."
Reland due to accidental incorrect revert. > Revert 267234 "New policies: enable/disable relay; port range" > > > New policies: enable/disable relay; port range > > > > Add new Chromoting policies: > > > > "RemoteAccessHostAllowRelayedConnection" > > bool, default true > > It can be set to false to disable the use of relay servers if NAT > > traversal is enabled. > > > > "RemoteAccessHostUdpPortRange" > > string, default "" > > Can be used to specify a range in the form "<min-port>-<max-port>" to > > restrict the range of UDP ports available to the host for connections. > > E.g. "12400-12409" > > > > BUG=355168 > > > > Review URL: https://codereview.chromium.org/209323002 > > TBR=dcaiafa@chromium.org > BUG=368724 > > Review URL: https://codereview.chromium.org/268483003 TBR=noamsml@google.com Review URL: https://codereview.chromium.org/261633005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267248 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'remoting/host')
-rw-r--r--remoting/host/it2me/it2me_host.cc2
-rw-r--r--remoting/host/policy_hack/policy_watcher.cc9
-rw-r--r--remoting/host/policy_hack/policy_watcher.h6
-rw-r--r--remoting/host/policy_hack/policy_watcher_unittest.cc47
-rw-r--r--remoting/host/remoting_me2me_host.cc85
5 files changed, 143 insertions, 6 deletions
diff --git a/remoting/host/it2me/it2me_host.cc b/remoting/host/it2me/it2me_host.cc
index fec201f..505efde 100644
--- a/remoting/host/it2me/it2me_host.cc
+++ b/remoting/host/it2me/it2me_host.cc
@@ -184,7 +184,7 @@ void It2MeHost::FinishConnect() {
HOST_LOG << "NAT state: " << nat_traversal_enabled_;
NetworkSettings network_settings(
nat_traversal_enabled_ ?
- NetworkSettings::NAT_TRAVERSAL_ENABLED :
+ NetworkSettings::NAT_TRAVERSAL_FULL :
NetworkSettings::NAT_TRAVERSAL_DISABLED);
if (!nat_traversal_enabled_) {
network_settings.min_port = NetworkSettings::kDefaultMinPort;
diff --git a/remoting/host/policy_hack/policy_watcher.cc b/remoting/host/policy_hack/policy_watcher.cc
index fd1a37b..e603cf5 100644
--- a/remoting/host/policy_hack/policy_watcher.cc
+++ b/remoting/host/policy_hack/policy_watcher.cc
@@ -107,6 +107,12 @@ const char PolicyWatcher::kHostAllowClientPairing[] =
const char PolicyWatcher::kHostAllowGnubbyAuthPolicyName[] =
"RemoteAccessHostAllowGnubbyAuth";
+const char PolicyWatcher::kRelayPolicyName[] =
+ "RemoteAccessHostAllowRelayedConnection";
+
+const char PolicyWatcher::kUdpPortRangePolicyName[] =
+ "RemoteAccessHostUdpPortRange";
+
const char PolicyWatcher::kHostDebugOverridePoliciesName[] =
"RemoteAccessHostDebugOverridePolicies";
@@ -130,6 +136,8 @@ PolicyWatcher::PolicyWatcher(
std::string());
default_values_->SetBoolean(kHostAllowClientPairing, true);
default_values_->SetBoolean(kHostAllowGnubbyAuthPolicyName, true);
+ default_values_->SetBoolean(kRelayPolicyName, true);
+ default_values_->SetString(kUdpPortRangePolicyName, "");
#if !defined(NDEBUG)
default_values_->SetString(kHostDebugOverridePoliciesName, std::string());
#endif
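Review bot: The new default `default_values_->SetString(kUdpPortRangePolicyName, "");` uses a `""` literal where the neighbouring string defaults in this constructor (the `std::string()` argument just above it and the `kHostDebugOverridePoliciesName` line below) use `std::string()`; one form throughout makes the default table easier to scan. The same literal is used in the unit test's `SetDefaults` (`dict.SetString(PolicyWatcher::kUdpPortRangePolicyName, "");`). Suggested: `default_values_->SetString(kUdpPortRangePolicyName, std::string());`. The constructor starts before this hunk.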
@@ -138,6 +146,7 @@ PolicyWatcher::PolicyWatcher(
// For most policies these match the defaults.
bad_type_values_.reset(default_values_->DeepCopy());
bad_type_values_->SetBoolean(kNatPolicyName, false);
+ bad_type_values_->SetBoolean(kRelayPolicyName, false);
}
PolicyWatcher::~PolicyWatcher() {
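Review bot: `bad_type_values_` gets a fail-closed entry for the relay policy (`false`, matching the NAT policy) but none for `kUdpPortRangePolicyName`, so a port-range policy delivered with the wrong type inherits the `""` default from the DeepCopy and the host runs with an unrestricted port range. That is the opposite failure direction from the two boolean policies, and it is easy to miss because the comment above says the bad-type values match the defaults for most policies. If leaving the range unrestricted on a type error is intended, say so next to the relay line, e.g. `// No bad-type override for kUdpPortRangePolicyName: a wrongly-typed value leaves the range unrestricted.`; otherwise choose a restrictive fallback here. The constructor body starts before this hunk.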
diff --git a/remoting/host/policy_hack/policy_watcher.h b/remoting/host/policy_hack/policy_watcher.h
index a3afee0..0ced8f2 100644
--- a/remoting/host/policy_hack/policy_watcher.h
+++ b/remoting/host/policy_hack/policy_watcher.h
@@ -77,6 +77,12 @@ class PolicyWatcher {
// The name of the policy for disabling gnubbyd forwarding.
static const char kHostAllowGnubbyAuthPolicyName[];
+ // The name of the policy for allowing use of relay servers.
+ static const char kRelayPolicyName[];
+
+ // The name of the policy that restricts the range of host UDP ports.
+ static const char kUdpPortRangePolicyName[];
+
// The name of the policy for overriding policies, for use in testing.
static const char kHostDebugOverridePoliciesName[];
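Review bot: The comments on the two new constants do not say what the policy values look like, which is what a reader of this header needs; the commit description states that the relay policy only matters when NAT traversal is enabled and that the port-range policy is a string of the form `<min-port>-<max-port>` with the empty string meaning no restriction. Suggested wording: `// The name of the policy for allowing use of relay servers. Only has an effect when NAT traversal is enabled.` and `// The name of the policy that restricts the range of host UDP ports. Value is "<min-port>-<max-port>"; empty means unrestricted.`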
diff --git a/remoting/host/policy_hack/policy_watcher_unittest.cc b/remoting/host/policy_hack/policy_watcher_unittest.cc
index 729a7bb..0ed1a55 100644
--- a/remoting/host/policy_hack/policy_watcher_unittest.cc
+++ b/remoting/host/policy_hack/policy_watcher_unittest.cc
@@ -75,6 +75,13 @@ class PolicyWatcherTest : public testing::Test {
true);
gnubby_auth_false_.SetBoolean(PolicyWatcher::kHostAllowGnubbyAuthPolicyName,
false);
+ relay_true_.SetBoolean(PolicyWatcher::kRelayPolicyName, true);
+ relay_false_.SetBoolean(PolicyWatcher::kRelayPolicyName, false);
+ port_range_full_.SetString(PolicyWatcher::kUdpPortRangePolicyName,
+ kPortRange);
+ port_range_empty_.SetString(PolicyWatcher::kUdpPortRangePolicyName,
+ std::string());
+
#if !defined(NDEBUG)
SetDefaults(nat_false_overridden_others_default_);
nat_false_overridden_others_default_.SetBoolean(
@@ -99,6 +106,7 @@ class PolicyWatcherTest : public testing::Test {
}
static const char* kHostDomain;
+ static const char* kPortRange;
base::MessageLoop message_loop_;
scoped_refptr<base::MessageLoopProxy> message_loop_proxy_;
MockPolicyCallback mock_policy_callback_;
@@ -126,10 +134,16 @@ class PolicyWatcherTest : public testing::Test {
base::DictionaryValue pairing_false_;
base::DictionaryValue gnubby_auth_true_;
base::DictionaryValue gnubby_auth_false_;
+ base::DictionaryValue relay_true_;
+ base::DictionaryValue relay_false_;
+ base::DictionaryValue port_range_full_;
+ base::DictionaryValue port_range_empty_;
private:
void SetDefaults(base::DictionaryValue& dict) {
dict.SetBoolean(PolicyWatcher::kNatPolicyName, true);
+ dict.SetBoolean(PolicyWatcher::kRelayPolicyName, true);
+ dict.SetString(PolicyWatcher::kUdpPortRangePolicyName, "");
dict.SetBoolean(PolicyWatcher::kHostRequireTwoFactorPolicyName, false);
dict.SetString(PolicyWatcher::kHostDomainPolicyName, std::string());
dict.SetBoolean(PolicyWatcher::kHostMatchUsernamePolicyName, false);
@@ -150,6 +164,7 @@ class PolicyWatcherTest : public testing::Test {
};
const char* PolicyWatcherTest::kHostDomain = "google.com";
+const char* PolicyWatcherTest::kPortRange = "12400-12409";
MATCHER_P(IsPolicies, dict, "") {
return arg->Equals(dict);
@@ -355,5 +370,37 @@ TEST_F(PolicyWatcherTest, GnubbyAuth) {
StopWatching();
}
+TEST_F(PolicyWatcherTest, Relay) {
+ testing::InSequence sequence;
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&relay_false_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&relay_true_)));
+
+ StartWatching();
+ policy_watcher_->SetPolicies(&empty_);
+ policy_watcher_->SetPolicies(&relay_false_);
+ policy_watcher_->SetPolicies(&relay_true_);
+ StopWatching();
+}
+
+TEST_F(PolicyWatcherTest, UdpPortRange) {
+ testing::InSequence sequence;
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&port_range_full_)));
+ EXPECT_CALL(mock_policy_callback_,
+ OnPolicyUpdatePtr(IsPolicies(&port_range_empty_)));
+
+ StartWatching();
+ policy_watcher_->SetPolicies(&empty_);
+ policy_watcher_->SetPolicies(&port_range_full_);
+ policy_watcher_->SetPolicies(&port_range_empty_);
+ StopWatching();
+}
+
} // namespace policy_hack
} // namespace remoting
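Review bot: The two new tests only check that a well-formed value for each policy is propagated to the callback; within this commit nothing exercises the port-range policy delivered with a non-string type or the relay policy delivered as a non-bool, which are the cases where the `bad_type_values_` entries added in policy_watcher.cc actually matter. If the fixture already has a bad-type case for the NAT policy, a parallel case for `kRelayPolicyName` and `kUdpPortRangePolicyName` would pin the fail-closed/fail-open behaviour; the rest of the fixture is outside these hunks, so I cannot tell whether such a case exists.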
diff --git a/remoting/host/remoting_me2me_host.cc b/remoting/host/remoting_me2me_host.cc
index b9f4057..5d33b02 100644
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -36,6 +36,7 @@
#include "remoting/base/constants.h"
#include "remoting/base/logging.h"
#include "remoting/base/rsa_key_pair.h"
+#include "remoting/base/util.h"
#include "remoting/host/branding.h"
#include "remoting/host/chromoting_host.h"
#include "remoting/host/chromoting_host_context.h"
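Review bot: The added `#include "remoting/base/util.h"` is not visibly needed by anything this commit changes — the new code references only `NetworkSettings`, `policy_hack::PolicyWatcher`, `HOST_LOG` and `LOG`, all of which the file already used. If a part of the file outside these hunks relies on a symbol from util.h, keep it; otherwise drop the include so the dependency list stays include-what-you-use.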
@@ -227,6 +228,8 @@ class HostProcess
bool OnUsernamePolicyUpdate(bool curtain_required,
bool username_match_required);
bool OnNatPolicyUpdate(bool nat_traversal_enabled);
+ bool OnRelayPolicyUpdate(bool allow_relay);
+ bool OnUdpPortPolicyUpdate(const std::string& udp_port_range);
void OnCurtainPolicyUpdate(bool curtain_required);
bool OnHostTalkGadgetPrefixPolicyUpdate(const std::string& talkgadget_prefix);
bool OnHostTokenUrlPolicyUpdate(
@@ -287,6 +290,9 @@ class HostProcess
bool use_service_account_;
scoped_ptr<policy_hack::PolicyWatcher> policy_watcher_;
bool allow_nat_traversal_;
+ bool allow_relay_;
+ int min_udp_port_;
+ int max_udp_port_;
std::string talkgadget_prefix_;
bool allow_pairing_;
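Review bot: `min_udp_port_` and `max_udp_port_` use 0 as the sentinel for "no policy restriction" (the constructor initialises both to 0 and StartHost tests `min_udp_port_ && max_udp_port_`), but the declarations do not say so. A comment above them, `// UDP port range set by policy; 0/0 means no restriction (see OnUdpPortPolicyUpdate).`, makes the sentinel explicit for the next reader. The `HostProcess` class body starts and ends outside this hunk.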
@@ -324,6 +330,9 @@ HostProcess::HostProcess(scoped_ptr<ChromotingHostContext> context,
state_(HOST_INITIALIZING),
use_service_account_(false),
allow_nat_traversal_(true),
+ allow_relay_(true),
+ min_udp_port_(0),
+ max_udp_port_(0),
allow_pairing_(true),
curtain_required_(false),
enable_gnubby_auth_(false),
@@ -836,6 +845,16 @@ void HostProcess::OnPolicyUpdate(scoped_ptr<base::DictionaryValue> policies) {
&bool_value)) {
restart_required |= OnNatPolicyUpdate(bool_value);
}
+ if (policies->GetBoolean(policy_hack::PolicyWatcher::kRelayPolicyName,
+ &bool_value)) {
+ restart_required |= OnRelayPolicyUpdate(bool_value);
+ }
+ std::string udp_port_range;
+ if (policies->GetString(policy_hack::PolicyWatcher::kUdpPortRangePolicyName,
+ &udp_port_range)) {
+ restart_required |= OnUdpPortPolicyUpdate(udp_port_range);
+ }
+
if (policies->GetString(
policy_hack::PolicyWatcher::kHostTalkGadgetPrefixPolicyName,
&string_value)) {
@@ -942,6 +961,49 @@ bool HostProcess::OnNatPolicyUpdate(bool nat_traversal_enabled) {
return false;
}
+bool HostProcess::OnRelayPolicyUpdate(bool allow_relay) {
+ // Returns true if the host has to be restarted after this policy update.
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ if (allow_relay_ != allow_relay) {
+ if (allow_relay)
+ HOST_LOG << "Policy enables use of relay server.";
+ else
+ HOST_LOG << "Policy disables use of relay server.";
+ allow_relay_ = allow_relay;
+ return true;
+ }
+ return false;
+}
+
+bool HostProcess::OnUdpPortPolicyUpdate(const std::string& udp_port_range) {
+ // Returns true if the host has to be restarted after this policy update.
+ DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
+
+ // Use default values if policy setting is empty or invalid.
+ int min_udp_port = 0;
+ int max_udp_port = 0;
+ if (!udp_port_range.empty() &&
+ !NetworkSettings::ParsePortRange(udp_port_range, &min_udp_port,
+ &max_udp_port)) {
+ LOG(WARNING) << "Invalid port range policy: \"" << udp_port_range
+ << "\". Using default values.";
+ }
+
+ if (min_udp_port_ != min_udp_port || max_udp_port_ != max_udp_port) {
+ if (min_udp_port != 0 && max_udp_port != 0) {
+ HOST_LOG << "Policy restricts UDP port range to [" << min_udp_port
+ << ", " << max_udp_port << "]";
+ } else {
+ HOST_LOG << "Policy does not restrict UDP port range.";
+ }
+ min_udp_port_ = min_udp_port;
+ max_udp_port_ = max_udp_port;
+ return true;
+ }
+ return false;
+}
+
void HostProcess::OnCurtainPolicyUpdate(bool curtain_required) {
// Returns true if the host has to be restarted after this policy update.
DCHECK(context_->network_task_runner()->BelongsToCurrentThread());
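Review bot: `OnUdpPortPolicyUpdate` turns an unparsable policy string into "no restriction" with only a `LOG(WARNING)`, so a mistyped range silently removes the restriction the administrator meant to apply — the opposite failure direction from the boolean policies. That choice deserves a sentence in the block comment, e.g. `// NOTE: an invalid range falls back to the unrestricted default (fail-open); a typo in policy silently removes the restriction.`. The only validation visible here is `NetworkSettings::ParsePortRange`; whether it rejects a reversed pair or out-of-range values is not visible from this hunk, and a successfully parsed range with a 0 endpoint is stored but logged as "does not restrict", so a `DCHECK(min_udp_port <= max_udp_port)` after a successful parse would make the assumption explicit. Both new functions are complete within the hunk.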
@@ -1087,11 +1149,24 @@ void HostProcess::StartHost() {
signaling_connector_->EnableOAuth(oauth_token_getter_.get());
}
- NetworkSettings network_settings(
- allow_nat_traversal_ ?
- NetworkSettings::NAT_TRAVERSAL_ENABLED :
- NetworkSettings::NAT_TRAVERSAL_DISABLED);
- if (!allow_nat_traversal_) {
+ uint32 network_flags = allow_nat_traversal_ ?
+ NetworkSettings::NAT_TRAVERSAL_STUN : 0;
+
+ if (allow_relay_)
+ network_flags |= NetworkSettings::NAT_TRAVERSAL_RELAY;
+
+ if (allow_relay_ || allow_nat_traversal_)
+ network_flags |= NetworkSettings::NAT_TRAVERSAL_OUTGOING;
+
+ NetworkSettings network_settings(network_flags);
+
+ if (min_udp_port_ && max_udp_port_) {
+ network_settings.min_port = min_udp_port_;
+ network_settings.max_port = max_udp_port_;
+ } else if (!allow_nat_traversal_) {
+ // For legacy reasons we have to restrict the port range to a set of default
+ // values when nat traversal is disabled, even if the port range was not
+ // set in policy.
network_settings.min_port = NetworkSettings::kDefaultMinPort;
network_settings.max_port = NetworkSettings::kDefaultMaxPort;
}
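Review bot: The new flag computation sets `NAT_TRAVERSAL_RELAY` (and `NAT_TRAVERSAL_OUTGOING`) whenever `allow_relay_` is true, even when `allow_nat_traversal_` is false; since `allow_relay_` defaults to true, a host whose NAT traversal policy (`kNatPolicyName`) is false — previously `NAT_TRAVERSAL_DISABLED` with no relay — now comes up with relay and outgoing connections enabled unless the administrator also sets the new relay policy. The commit description says relay can be disabled "if NAT traversal is enabled", which reads as relay being subordinate to NAT traversal; if that is the intent, gating relay on `allow_nat_traversal_` keeps existing traversal-disabled deployments at their old behaviour and agrees with the legacy port-range fallback below, which also keys on `!allow_nat_traversal_`. StartHost continues past the end of this hunk.
```cpp
  uint32 network_flags = 0;
  if (allow_nat_traversal_) {
    network_flags = NetworkSettings::NAT_TRAVERSAL_STUN |
                    NetworkSettings::NAT_TRAVERSAL_OUTGOING;
    // Relay is only meaningful when traversal is allowed at all, so a
    // traversal-disabled host never relays regardless of the relay policy.
    if (allow_relay_)
      network_flags |= NetworkSettings::NAT_TRAVERSAL_RELAY;
  }

  NetworkSettings network_settings(network_flags);
  // … unchanged: port range selection …
```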