patchpanel/client.h

// Copyright 2019 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef PATCHPANEL_CLIENT_H_
#define PATCHPANEL_CLIENT_H_

#include <memory>
#include <string>
#include <utility>
#include <vector>

#include "base/files/scoped_file.h"
#include <brillo/brillo_export.h>
#include <dbus/bus.h>
#include <dbus/object_proxy.h>
#include <patchpanel/proto_bindings/patchpanel_service.pb.h>

namespace patchpanel {

// Simple wrapper around patchpanel DBus API. All public functions are blocking
// DBus calls to patchpaneld. The method names and protobuf schema used by
// patchpanel DBus API are defined in platform2/system_api/dbus/patchpanel.
// Access control for clients is defined in platform2/patchpanel/dbus.
class BRILLO_EXPORT Client {
 public:
  static std::unique_ptr<Client> New();

  Client(const scoped_refptr<dbus::Bus>& bus, dbus::ObjectProxy* proxy)
      : bus_(std::move(bus)), proxy_(proxy) {}
  ~Client();

  bool NotifyArcStartup(pid_t pid);
  bool NotifyArcShutdown();

  std::vector<NetworkDevice> NotifyArcVmStartup(uint32_t cid);
  bool NotifyArcVmShutdown(uint32_t cid);

  bool NotifyTerminaVmStartup(uint32_t cid,
                              NetworkDevice* device,
                              IPv4Subnet* container_subnet);
  bool NotifyTerminaVmShutdown(uint32_t cid);

  bool NotifyPluginVmStartup(uint64_t vm_id,
                             int subnet_index,
                             NetworkDevice* device);
  bool NotifyPluginVmShutdown(uint64_t vm_id);

  // Reset the VPN routing intent mark on a socket to the default policy for
  // the current uid. This is in general incorrect to call this method for
  // a socket that is already connected.
  bool DefaultVpnRouting(int socket);

  // Mark a socket to be always routed through a VPN if there is one.
  // Must be called before the socket is connected.
  bool RouteOnVpn(int socket);

  // Mark a socket to be always routed through the physical network.
  // Must be called before the socket is connected.
  bool BypassVpn(int socket);

  // Sends a ConnectNamespaceRequest for the given namespace pid. Returns a
  // pair with a valid ScopedFD and the ConnectNamespaceResponse proto message
  // received if the request succeeded. Closing the ScopedFD will teardown the
  // veth and routing setup and free the allocated IPv4 subnet.
  std::pair<base::ScopedFD, patchpanel::ConnectNamespaceResponse>
  ConnectNamespace(pid_t pid,
                   const std::string& outbound_ifname,
                   bool forward_user_traffic);

  // Gets the traffic counters kept by patchpanel. |devices| is the set of
  // interfaces (shill devices) for which counters should be returned, any
  // unknown interfaces will be ignored. If |devices| is empty, counters for all
  // known interfaces will be returned.
  std::vector<TrafficCounter> GetTrafficCounters(
      const std::set<std::string>& devices);

  // Sends a ModifyPortRuleRequest to modify iptables ingress rules.
  // This should only be called by permission_broker's 'devbroker'.
  bool ModifyPortRule(patchpanel::ModifyPortRuleRequest::Operation op,
                      patchpanel::ModifyPortRuleRequest::RuleType type,
                      patchpanel::ModifyPortRuleRequest::Protocol proto,
                      const std::string& input_ifname,
                      const std::string& input_dst_ip,
                      uint32_t input_dst_port,
                      const std::string& dst_ip,
                      uint32_t dst_port);

 private:
  scoped_refptr<dbus::Bus> bus_;
  dbus::ObjectProxy* proxy_ = nullptr;  // owned by bus_

  bool SendSetVpnIntentRequest(int socket,
                               SetVpnIntentRequest::VpnRoutingPolicy policy);

  DISALLOW_COPY_AND_ASSIGN(Client);
};

}  // namespace patchpanel

#endif  // PATCHPANEL_CLIENT_H_