
Issue 591746


Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




[Windows Host] Update GnubbyAuthHandlerWin class to use client session ID for validation

Project Member Reported by joedow@chromium.org, Mar 3 2016

Issue description

Currently there is no easy way to retrieve the Windows session ID for a session from a host extension. This is something we want to use when establishing a gnubby IPC channel. This bug is tracking the work to allow this value to be retrieved by and used in the GnubbyAuthHandler impls that use IPC.
 

Comment 1 by joedow@chromium.org, Apr 13 2016

Labels: M-52
This should be done after all the P1s have been handled.

Comment 2 by joedow@chromium.org, Apr 15 2016

Components: Services>Chromoting

Comment 3 by joedow@chromium.org, May 18 2016

Labels: -M-52 M-53

Comment 4 by joedow@chromium.org, Jun 21 2016

Status: Started (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Jun 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4cfe59be5d49919425d676ce63c5d46b40316b64

commit 4cfe59be5d49919425d676ce63c5d46b40316b64
Author: joedow <joedow@chromium.org>
Date: Thu Jun 23 21:58:57 2016

Add ability to query desktop process for its session ID by the network process

This change adds an access right to the Chromoting desktop process on Windows
which allows the network process (running as Local Service) to query its
session ID using its PID.  This is the first change needed to allow the network
service to restrict access to global resources to the Windows session being
remoted.

BUG= 591746 

Review-Url: https://codereview.chromium.org/2085393002
Cr-Commit-Position: refs/heads/master@{#401738}

[modify] https://crrev.com/4cfe59be5d49919425d676ce63c5d46b40316b64/remoting/host/desktop_session_win.cc
[modify] https://crrev.com/4cfe59be5d49919425d676ce63c5d46b40316b64/remoting/host/win/wts_session_process_delegate.cc
[modify] https://crrev.com/4cfe59be5d49919425d676ce63c5d46b40316b64/remoting/host/win/wts_session_process_delegate.h


Comment 6 by bugdroid1@chromium.org, Jun 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d3f8b65e95068329ec7fb8f97d4addbb52c99f5

commit 0d3f8b65e95068329ec7fb8f97d4addbb52c99f5
Author: joedow <joedow@chromium.org>
Date: Fri Jun 24 02:09:16 2016

Allow network service to query remote_security_key process for its session ID

This change updates the remote_security_key process such that it will add an
access right to allow processes running as Local Service to query its Windows
session ID.  This change is required to allow the network service to restrict
access to global resources to the Windows session being remoted.

BUG= 591746 

Review-Url: https://codereview.chromium.org/2083223003
Cr-Commit-Position: refs/heads/master@{#401786}

[modify] https://crrev.com/0d3f8b65e95068329ec7fb8f97d4addbb52c99f5/remoting/host/security_key/remote_security_key_main.cc


Comment 7 by bugdroid1@chromium.org, Jun 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90b28f848da4cd039cc7183f1c580e4b52cef84e

commit 90b28f848da4cd039cc7183f1c580e4b52cef84e
Author: joedow <joedow@chromium.org>
Date: Fri Jun 24 04:46:45 2016

Provide access to the ID for the remoted Windows session in the network process

This change updates the DesktopSessionProxy (which maintains an IPC connection
with the desktop process) to query for the session ID when connecting its IPC
channel.  This session ID is then plumbed through the desktop environment
classes for use by the ClientSession in a later CL.

BUG= 591746 

Review-Url: https://codereview.chromium.org/2092483002
Cr-Commit-Position: refs/heads/master@{#401815}

[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/basic_desktop_environment.cc
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/basic_desktop_environment.h
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/desktop_environment.h
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/desktop_session_proxy.cc
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/desktop_session_proxy.h
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/fake_desktop_environment.cc
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/fake_desktop_environment.h
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/host_mock_objects.h
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/ipc_desktop_environment.cc
[modify] https://crrev.com/90b28f848da4cd039cc7183f1c580e4b52cef84e/remoting/host/ipc_desktop_environment.h


Comment 8 by bugdroid1@chromium.org, Jun 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6

commit 4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6
Author: joedow <joedow@chromium.org>
Date: Mon Jun 27 21:26:17 2016

Add new interface to expose ClientSession details to Host Extensions

Prior to the introduction of HostExtensions, code running in the ClientSession
had access to private state information which it could use to make decisions.
Once this code was moved into a HostExtension, it needed to interact with the
session via the ClientSessionControl interface.  This interface was already
being used for other purposes though so it is too easy to pollute it with
methods/properties which the other consumers of the interface don't care about.

My change adds a new, HostExtension specific interface which wraps the
ClientSessionControl interface.  It also provides a location to add new
methods/properties specifically for HostExtensions.

This change uses this new interface by adding the session Id property and
exposing it to Host Extensions.  A future CL will update the existing
extensions to use it.

BUG= 591746 

Review-Url: https://codereview.chromium.org/2091553002
Cr-Commit-Position: refs/heads/master@{#402288}

[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/client_session.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/client_session.h
[add] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/client_session_details.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/fake_host_extension.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/fake_host_extension.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_extension.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_extension_session.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_extension_session_manager.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_extension_session_manager.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_extension_session_manager_unittest.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_mock_objects.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/host_mock_objects.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/security_key/gnubby_extension.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/security_key/gnubby_extension.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/security_key/gnubby_extension_session.cc
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/host/security_key/gnubby_extension_session.h
[modify] https://crrev.com/4fa09d9b658fe3a79765eaef2fb58f89bbe84cd6/remoting/remoting_host_srcs.gypi


Comment 9 by bugdroid1@chromium.org, Jun 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/76487d64faec882985665a1cb6b838b7b12b4150

commit 76487d64faec882985665a1cb6b838b7b12b4150
Author: joedow <joedow@chromium.org>
Date: Thu Jun 30 00:58:23 2016

Update GnubbyAuthHandler to use the current session ID

This CL plumbs the SessionID value through to the Security Key HostExtension.
It also updates the logic in the method which handles SK IPC channel connection
which prevents requests being made from sessions which we are not remoting.

BUG= 591746 

Review-Url: https://codereview.chromium.org/2085353004
Cr-Commit-Position: refs/heads/master@{#403045}

[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/host_extension_session.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/host_mock_objects.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/fake_remote_security_key_ipc_client.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/fake_remote_security_key_ipc_client.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/fake_remote_security_key_ipc_server.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/fake_remote_security_key_ipc_server.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_android.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_linux.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_linux_unittest.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_mac.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_win.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_auth_handler_win_unittest.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_extension.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_extension_session.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_extension_session.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/gnubby_extension_session_unittest.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_client_unittest.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_server.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_server.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_server_impl.cc
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_server_impl.h
[modify] https://crrev.com/76487d64faec882985665a1cb6b838b7b12b4150/remoting/host/security_key/remote_security_key_ipc_server_unittest.cc

Owner: ajnolley@chromium.org
Status: Fixed (was: Started)
With this change, SK requests from a Windows session outside of the remoted session will be ignored and handled locally.
Status: Verified (was: Fixed)
Local SK requests are now handled by the local SK, not by the remote SK. Verified in 53.0.2785.56
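
The check the commits above build toward, sketched as an added example (not Chromium's code): resolve the IPC client's Windows session from its PID and accept the connection only if it matches the remoted session, rejecting when the query itself fails. All type and function names are hypothetical, `ProcessIdToSessionId` is the Win32 call, and the client PID is assumed to come from the IPC layer.

```cpp
// Added illustration; not Chromium source. All identifiers are hypothetical.
#include <cstdint>
#include <cstdio>
#include <functional>
#ifdef _WIN32
#include <windows.h>
#endif

// Resolves the Windows session that owns `pid`; returns false if the query fails.
using SessionLookup = std::function<bool(uint32_t pid, uint32_t* session_id)>;

#ifdef _WIN32
// Real lookup. It fails when the caller lacks query access to the target
// process, which is why the queried processes must grant that right.
bool LookupSessionWin(uint32_t pid, uint32_t* session_id) {
  DWORD id = 0;
  if (!::ProcessIdToSessionId(pid, &id)) return false;
  *session_id = id;
  return true;
}
#endif

// Constructed process table standing in for the OS on other platforms.
bool ConstructedLookup(uint32_t pid, uint32_t* session_id) {
  struct Row { uint32_t pid, session; };
  static const Row kRows[] = {{4100, 2}, {5200, 1}};  // pid 9999: query denied
  for (const Row& r : kRows)
    if (r.pid == pid) { *session_id = r.session; return true; }
  return false;
}

enum class ConnectDecision { kAccept, kRejectOtherSession, kRejectUnknown };

// Decides whether an IPC client may use the channel of the remoted session.
ConnectDecision ValidateIpcClient(uint32_t client_pid, uint32_t remoted_session,
                                  const SessionLookup& lookup) {
  uint32_t client_session = 0;
  if (!lookup(client_pid, &client_session))
    return ConnectDecision::kRejectUnknown;  // fail closed: no ID, no access
  return client_session == remoted_session ? ConnectDecision::kAccept
                                           : ConnectDecision::kRejectOtherSession;
}

int main() {
  const uint32_t kRemotedSession = 2;  // constructed value
  const uint32_t pids[] = {4100, 5200, 9999};
  for (uint32_t pid : pids)
    std::printf("pid %u -> decision %d\n", static_cast<unsigned>(pid),
                static_cast<int>(ValidateIpcClient(pid, kRemotedSession, ConstructedLookup)));
  return 0;
}
```

On Windows, pass `LookupSessionWin` instead of the constructed table; a PID whose session cannot be queried is rejected rather than assumed to be local.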
