Add Port Forwarding methods to the permission broker client.

Bug: chromium:848127
Test: Build and unit tests

Cq-Depend: chromium:1930355
Change-Id: If9b39882bdae9ba91fc65523f9788e4213e33ff8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1925835
Commit-Queue: David Munro <davidmunro@google.com>
Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org>
Reviewed-by: Nicholas Verne <nverne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#718511}

chromeos/dbus/permission_broker/fake_permission_broker_client.cc

@@ -135,6 +135,40 @@ bool FakePermissionBrokerClient::HasUdpHole(uint16_t port,
   return udp_hole_set_.find(rule) != udp_hole_set_.end();
 }
 
+void FakePermissionBrokerClient::RequestTcpPortForward(
+    uint16_t in_port,
+    const std::string& in_interface,
+    const std::string& dst_ip,
+    uint16_t dst_port,
+    int lifeline_fd,
+    ResultCallback callback) {
+  std::move(callback).Run(false);
+}
+
+void FakePermissionBrokerClient::RequestUdpPortForward(
+    uint16_t in_port,
+    const std::string& in_interface,
+    const std::string& dst_ip,
+    uint16_t dst_port,
+    int lifeline_fd,
+    ResultCallback callback) {
+  std::move(callback).Run(false);
+}
+
+void FakePermissionBrokerClient::ReleaseTcpPortForward(
+    uint16_t in_port,
+    const std::string& in_interface,
+    ResultCallback callback) {
+  std::move(callback).Run(false);
+}
+
+void FakePermissionBrokerClient::ReleaseUdpPortForward(
+    uint16_t in_port,
+    const std::string& in_interface,
+    ResultCallback callback) {
+  std::move(callback).Run(false);
+}
+
 bool FakePermissionBrokerClient::RequestPortImpl(uint16_t port,
                                                  const std::string& interface,
                                                  const RuleSet& deny_rule_set,

chromeos/dbus/permission_broker/fake_permission_broker_client.h

@@ -45,6 +45,24 @@ class COMPONENT_EXPORT(PERMISSION_BROKER) FakePermissionBrokerClient
   void ReleaseUdpPort(uint16_t port,
                       const std::string& interface,
                       ResultCallback callback) override;
+  void RequestTcpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             const std::string& dst_ip,
+                             uint16_t dst_port,
+                             int lifeline_fd,
+                             ResultCallback callback) override;
+  void RequestUdpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             const std::string& dst_ip,
+                             uint16_t dst_port,
+                             int lifeline_fd,
+                             ResultCallback callback) override;
+  void ReleaseTcpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             ResultCallback callback) override;
+  void ReleaseUdpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             ResultCallback callback) override;
 
   // Add a rule to have RequestTcpPortAccess fail.
   void AddTcpDenyRule(uint16_t port, const std::string& interface);

chromeos/dbus/permission_broker/permission_broker_client.cc

@@ -22,9 +22,13 @@ using permission_broker::kPermissionBrokerInterface;
 using permission_broker::kPermissionBrokerServiceName;
 using permission_broker::kPermissionBrokerServicePath;
 using permission_broker::kReleaseTcpPort;
+using permission_broker::kReleaseTcpPortForward;
 using permission_broker::kReleaseUdpPort;
+using permission_broker::kReleaseUdpPortForward;
 using permission_broker::kRequestTcpPortAccess;
+using permission_broker::kRequestTcpPortForward;
 using permission_broker::kRequestUdpPortAccess;
+using permission_broker::kRequestUdpPortForward;
 
 namespace chromeos {
 
@@ -125,6 +129,74 @@ class PermissionBrokerClientImpl : public PermissionBrokerClient {
                        weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
   }
 
+  void RequestTcpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             const std::string& dst_ip,
+                             uint16_t dst_port,
+                             int lifeline_fd,
+                             ResultCallback callback) override {
+    dbus::MethodCall method_call(kPermissionBrokerInterface,
+                                 kRequestTcpPortForward);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendUint16(in_port);
+    writer.AppendString(in_interface);
+    writer.AppendString(dst_ip);
+    writer.AppendUint16(dst_port);
+    writer.AppendFileDescriptor(lifeline_fd);
+    proxy_->CallMethod(
+        &method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT,
+        base::BindOnce(&PermissionBrokerClientImpl::OnResponse,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
+  void RequestUdpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             const std::string& dst_ip,
+                             uint16_t dst_port,
+                             int lifeline_fd,
+                             ResultCallback callback) override {
+    dbus::MethodCall method_call(kPermissionBrokerInterface,
+                                 kRequestUdpPortForward);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendUint16(in_port);
+    writer.AppendString(in_interface);
+    writer.AppendString(dst_ip);
+    writer.AppendUint16(dst_port);
+    writer.AppendFileDescriptor(lifeline_fd);
+    proxy_->CallMethod(
+        &method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT,
+        base::BindOnce(&PermissionBrokerClientImpl::OnResponse,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
+  void ReleaseTcpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             ResultCallback callback) override {
+    dbus::MethodCall method_call(kPermissionBrokerInterface,
+                                 kReleaseTcpPortForward);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendUint16(in_port);
+    writer.AppendString(in_interface);
+    proxy_->CallMethod(
+        &method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT,
+        base::BindOnce(&PermissionBrokerClientImpl::OnResponse,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
+  void ReleaseUdpPortForward(uint16_t in_port,
+                             const std::string& in_interface,
+                             ResultCallback callback) override {
+    dbus::MethodCall method_call(kPermissionBrokerInterface,
+                                 kReleaseUdpPortForward);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendUint16(in_port);
+    writer.AppendString(in_interface);
+    proxy_->CallMethod(
+        &method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT,
+        base::BindOnce(&PermissionBrokerClientImpl::OnResponse,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
   void Init(dbus::Bus* bus) {
     proxy_ =
         bus->GetObjectProxy(kPermissionBrokerServiceName,

chromeos/dbus/permission_broker/permission_broker_client.h

@@ -104,6 +104,50 @@ class COMPONENT_EXPORT(PERMISSION_BROKER) PermissionBrokerClient {
                               const std::string& interface,
                               ResultCallback callback) = 0;
 
+  // Requests that |in_port| on |in_interface| be opened for and forward TCP
+  // traffic to |dst_ip| on |dst_port|. One end of an open pipe must be passed
+  // as |lifeline_fd| so that the permission broker can monitor the lifetime of
+  // the calling process by being notified when the other end is closed. This
+  // method duplicates |lifeline_fd| so it's OK to close it without waiting for
+  // the result.
+  // See PortTracker::ValidatePortRule in permission_broker for the restrictions
+  // on port forwarding requests.
+  virtual void RequestTcpPortForward(uint16_t in_port,
+                                     const std::string& in_interface,
+                                     const std::string& dst_ip,
+                                     uint16_t dst_port,
+                                     int lifeline_fd,
+                                     ResultCallback callback) = 0;
+
+  // Requests that |in_port| on |in_interface| be opened for and forward UDP
+  // traffic to |dst_ip| on |dst_port|. One end of an open pipe must be passed
+  // as |lifeline_fd| so that the permission broker can monitor the lifetime of
+  // the calling process by being notified when the other end is closed. This
+  // method duplicates |lifeline_fd| so it's OK to close it without waiting for
+  // the result.
+  // See PortTracker::ValidatePortRule in permission_broker for the restrictions
+  // on port forwarding requests.
+  virtual void RequestUdpPortForward(uint16_t in_port,
+                                     const std::string& in_interface,
+                                     const std::string& dst_ip,
+                                     uint16_t dst_port,
+                                     int lifeline_fd,
+                                     ResultCallback callback) = 0;
+
+  // Releases a request for an open forwarding rule for TCP packets. The
+  // |in_port| and |in_interface| parameters must be the same as a previous call
+  // to RequestUdpPortForward.
+  virtual void ReleaseTcpPortForward(uint16_t in_port,
+                                     const std::string& in_interface,
+                                     ResultCallback callback) = 0;
+
+  // Releases a request for an open forwarding rule for UDP packets. The
+  // |in_port| and |in_interface| parameters must be the same as a previous call
+  // to RequestUdpPortForward.
+  virtual void ReleaseUdpPortForward(uint16_t in_port,
+                                     const std::string& in_interface,
+                                     ResultCallback callback) = 0;
+
  protected:
   // Initialize/Shutdown should be used instead.
   PermissionBrokerClient();