File: certificate_watcher.cc

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (268 lines) | stat: -rw-r--r-- 8,457 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
 
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "remoting/host/linux/certificate_watcher.h"

#include "base/files/file_util.h"
#include "base/functional/bind.h"
#include "base/functional/callback_helpers.h"
#include "base/hash/hash.h"
#include "base/location.h"
#include "base/logging.h"
#include "base/path_service.h"
#include "base/task/single_thread_task_runner.h"
#include "base/threading/thread_checker.h"

namespace remoting {

namespace {

// Delay before re-reading the cert DB when a change is detected.
const int kReadDelayInSeconds = 2;

// Full Path: $HOME/.pki/nssdb
const char kCertDirectoryPath[] = ".pki/nssdb";

const char* const kCertFiles[] = {"cert9.db", "key4.db", "pkcs11.txt"};

}  // namespace

// This class lives on the IO thread, watches the certificate database files,
// and notifies the caller_task_runner thread of any updates.
class CertDbContentWatcher {
 public:
  CertDbContentWatcher(
      base::WeakPtr<CertificateWatcher> watcher,
      scoped_refptr<base::SingleThreadTaskRunner> caller_task_runner,
      base::FilePath cert_watch_path,
      base::TimeDelta read_delay);

  CertDbContentWatcher(const CertDbContentWatcher&) = delete;
  CertDbContentWatcher& operator=(const CertDbContentWatcher&) = delete;

  ~CertDbContentWatcher();

  void StartWatching();

 private:
  base::ThreadChecker thread_checker_;

  // size_t is the return type of base::HashInts() which is used to accumulate
  // a hash-code while iterating over the database files.
  typedef size_t HashValue;

  // Called by the FileWatcher when it detects any changes.
  void OnCertDirectoryChanged(const base::FilePath& path, bool error);

  // Called by |read_timer_| to trigger re-reading the DB content.
  void OnTimer();

  // Reads the certificate database files and returns a hash of their contents.
  HashValue ComputeHash();

  base::WeakPtr<CertificateWatcher> watcher_;

  // The TaskRunner to be notified of any changes.
  scoped_refptr<base::SingleThreadTaskRunner> caller_task_runner_;

  // The file watcher to watch changes inside the certificate folder.
  std::unique_ptr<base::FilePathWatcher> file_watcher_;

  // Path of the certificate files/directories.
  base::FilePath cert_watch_path_;

  // Timer to delay reading the DB files after a change notification from the
  // FileWatcher. This is done to avoid triggering multiple notifications when
  // the DB is written to. It also avoids a false notification in case the NSS
  // DB content is quickly changed and reverted.
  std::unique_ptr<base::DelayTimer> read_timer_;

  // The time to wait before re-reading the DB files after a change is
  // detected.
  base::TimeDelta delay_;

  // The hash code of the current certificate database contents. When the
  // FileWatcher detects changes, the code is re-computed and compared with
  // this stored value.
  HashValue current_hash_;
};

CertDbContentWatcher::CertDbContentWatcher(
    base::WeakPtr<CertificateWatcher> watcher,
    scoped_refptr<base::SingleThreadTaskRunner> caller_task_runner,
    base::FilePath cert_watch_path,
    base::TimeDelta read_delay)
    : watcher_(watcher),
      caller_task_runner_(caller_task_runner),
      cert_watch_path_(cert_watch_path),
      delay_(read_delay) {
  thread_checker_.DetachFromThread();
}

CertDbContentWatcher::~CertDbContentWatcher() {
  DCHECK(thread_checker_.CalledOnValidThread());
}

void CertDbContentWatcher::StartWatching() {
  DCHECK(!cert_watch_path_.empty());
  DCHECK(thread_checker_.CalledOnValidThread());

  file_watcher_.reset(new base::FilePathWatcher());

  // Initialize hash value.
  current_hash_ = ComputeHash();

  // base::Unretained() is safe since this class owns the FileWatcher.
  file_watcher_->Watch(
      cert_watch_path_, base::FilePathWatcher::Type::kRecursive,
      base::BindRepeating(&CertDbContentWatcher::OnCertDirectoryChanged,
                          base::Unretained(this)));

  read_timer_.reset(new base::DelayTimer(FROM_HERE, delay_, this,
                                         &CertDbContentWatcher::OnTimer));
}

void CertDbContentWatcher::OnCertDirectoryChanged(const base::FilePath& path,
                                                  bool error) {
  DCHECK(path == cert_watch_path_);
  DCHECK(thread_checker_.CalledOnValidThread());

  if (error) {
    LOG(FATAL) << "Error occurred while watching for changes of file: "
               << cert_watch_path_.MaybeAsASCII();
  }

  read_timer_->Reset();
}

void CertDbContentWatcher::OnTimer() {
  DCHECK(thread_checker_.CalledOnValidThread());

  HashValue new_hash = ComputeHash();
  if (new_hash != current_hash_) {
    current_hash_ = new_hash;
    caller_task_runner_->PostTask(
        FROM_HERE,
        base::BindOnce(&CertificateWatcher::DatabaseChanged, watcher_));
  } else {
    VLOG(1) << "Directory changed but contents are the same.";
  }
}

CertDbContentWatcher::HashValue CertDbContentWatcher::ComputeHash() {
  DCHECK(thread_checker_.CalledOnValidThread());

  HashValue result = 0;

  for (const char* file : kCertFiles) {
    base::FilePath path = cert_watch_path_.AppendASCII(file);
    std::string content;
    HashValue file_hash = 0;

    // It's possible the file might not exist. Compute the overall hash in a
    // consistent way for the set of files that do exist. If a new file comes
    // into existence, the resulting hash-code should change.
    if (base::ReadFileToString(path, &content)) {
      file_hash = base::Hash(content);
    }
    result = base::HashInts(result, file_hash);
  }
  return result;
}

CertificateWatcher::CertificateWatcher(
    const base::RepeatingClosure& restart_action,
    scoped_refptr<base::SingleThreadTaskRunner> io_task_runner)
    : restart_action_(restart_action),
      caller_task_runner_(base::SingleThreadTaskRunner::GetCurrentDefault()),
      io_task_runner_(io_task_runner),
      delay_(base::Seconds(kReadDelayInSeconds)) {
  if (!base::PathService::Get(base::DIR_HOME, &cert_watch_path_)) {
    LOG(FATAL) << "Failed to get path of the home directory.";
  }
  cert_watch_path_ = cert_watch_path_.AppendASCII(kCertDirectoryPath);
}

CertificateWatcher::~CertificateWatcher() {
  DCHECK(caller_task_runner_->BelongsToCurrentThread());

  if (!is_started()) {
    return;
  }
  if (monitor_) {
    monitor_->RemoveStatusObserver(this);
  }
  io_task_runner_->DeleteSoon(FROM_HERE, content_watcher_.release());

  VLOG(1) << "Stopped watching certificate changes.";
}

void CertificateWatcher::Start() {
  DCHECK(caller_task_runner_->BelongsToCurrentThread());
  DCHECK(!cert_watch_path_.empty());

  content_watcher_.reset(new CertDbContentWatcher(weak_factory_.GetWeakPtr(),
                                                  caller_task_runner_,
                                                  cert_watch_path_, delay_));

  io_task_runner_->PostTask(
      FROM_HERE, base::BindOnce(&CertDbContentWatcher::StartWatching,
                                base::Unretained(content_watcher_.get())));

  VLOG(1) << "Started watching certificate changes.";
}

void CertificateWatcher::SetMonitor(scoped_refptr<HostStatusMonitor> monitor) {
  DCHECK(is_started());
  if (monitor_) {
    monitor_->RemoveStatusObserver(this);
  }
  monitor->AddStatusObserver(this);
  monitor_ = monitor;
}

void CertificateWatcher::OnClientConnected(const std::string& jid) {
  DCHECK(is_started());
  DCHECK(caller_task_runner_->BelongsToCurrentThread());
  inhibit_mode_ = true;
}

void CertificateWatcher::OnClientDisconnected(const std::string& jid) {
  DCHECK(is_started());
  DCHECK(caller_task_runner_->BelongsToCurrentThread());
  inhibit_mode_ = false;
  if (restart_pending_) {
    restart_pending_ = false;
    restart_action_.Run();
  }
}

void CertificateWatcher::SetDelayForTests(const base::TimeDelta& delay) {
  DCHECK(!is_started());
  delay_ = delay;
}

void CertificateWatcher::SetWatchPathForTests(
    const base::FilePath& watch_path) {
  DCHECK(!is_started());
  cert_watch_path_ = watch_path;
}

bool CertificateWatcher::is_started() const {
  return content_watcher_ != nullptr;
}

void CertificateWatcher::DatabaseChanged() {
  DCHECK(caller_task_runner_->BelongsToCurrentThread());

  if (inhibit_mode_) {
    restart_pending_ = true;
    return;
  }

  VLOG(1) << "Certificate was updated. Calling restart...";
  restart_action_.Run();
}

}  // namespace remoting