Google Git
Sign in
weave / weave / libweave / 0bc02ede1d7ac6b0ed264b8891844d15bdb4733e^! / . / src / privet / auth_manager.cc
commit0bc02ede1d7ac6b0ed264b8891844d15bdb4733e[log] [tgz]
authorVitaly Buka <vitalybuka@google.com>Fri Dec 18 14:13:12 2015 -0800
committerVitaly Buka <vitalybuka@google.com>Mon Dec 21 19:25:54 2015 +0000
treede03e97228ef9f8625cb374061c1b635370ae2a4
parent3020c495e853c12bc4febca66b4ab739dbb773ef [diff] [blame]
Use different secret for auth and access tokens

Temporarily secret guaranties invalidation of access tokens on device
reboot. Without that when device updates, we can have tokens signed
with valid key, but with invalid format, or user_id collision.

Change-Id: I0a6dbd782165715d781501456a4fd29bb060ffdd
Reviewed-on: https://weave-review.googlesource.com/2062
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc
index 27a5e7e..86a564d 100644
--- a/src/privet/auth_manager.cc
+++ b/src/privet/auth_manager.cc

@@ -95,34 +95,39 @@
 
 AuthManager::AuthManager(Config* config,
                          const std::vector<uint8_t>& certificate_fingerprint)
-    : config_{config}, certificate_fingerprint_{certificate_fingerprint} {
+    : config_{config},
+      certificate_fingerprint_{certificate_fingerprint},
+      access_secret_{CreateSecret()} {
   if (config_) {
-    SetSecret(config_->GetSettings().secret,
-              config_->GetSettings().root_client_token_owner);
+    SetAuthSecret(config_->GetSettings().secret,
+                  config_->GetSettings().root_client_token_owner);
   } else {
-    SetSecret({}, RootClientTokenOwner::kNone);
+    SetAuthSecret({}, RootClientTokenOwner::kNone);
   }
 }
 
-AuthManager::AuthManager(const std::vector<uint8_t>& secret,
+AuthManager::AuthManager(const std::vector<uint8_t>& auth_secret,
                          const std::vector<uint8_t>& certificate_fingerprint,
+                         const std::vector<uint8_t>& access_secret,
                          base::Clock* clock)
     : AuthManager(nullptr, certificate_fingerprint) {
-  SetSecret(secret, RootClientTokenOwner::kNone);
+  access_secret_ = access_secret.size() == kSha256OutputSize ? access_secret
+                                                             : CreateSecret();
+  SetAuthSecret(auth_secret, RootClientTokenOwner::kNone);
   if (clock)
     clock_ = clock;
 }
 
-void AuthManager::SetSecret(const std::vector<uint8_t>& secret,
-                            RootClientTokenOwner owner) {
-  secret_ = secret;
+void AuthManager::SetAuthSecret(const std::vector<uint8_t>& secret,
+                                RootClientTokenOwner owner) {
+  auth_secret_ = secret;
 
-  if (secret.size() != kSha256OutputSize) {
-    secret_ = CreateSecret();
+  if (auth_secret_.size() != kSha256OutputSize) {
+    auth_secret_ = CreateSecret();
     owner = RootClientTokenOwner::kNone;
   }
 
-  if (!config_ || (config_->GetSettings().secret == secret_ &&
+  if (!config_ || (config_->GetSettings().secret == auth_secret_ &&
                    config_->GetSettings().root_client_token_owner == owner)) {
     return;
   }
@@ -140,7 +145,7 @@
                                                     base::TimeDelta ttl) const {
   std::string data_str{CreateTokenData(user_info, Now() + ttl)};
   std::vector<uint8_t> data{data_str.begin(), data_str.end()};
-  std::vector<uint8_t> hash{HmacSha256(secret_, data)};
+  std::vector<uint8_t> hash{HmacSha256(access_secret_, data)};
   hash.insert(hash.end(), data.begin(), data.end());
   return hash;
 }
@@ -158,7 +163,7 @@
   }
   std::vector<uint8_t> hash(token.begin(), token.begin() + kSha256OutputSize);
   std::vector<uint8_t> data(token.begin() + kSha256OutputSize, token.end());
-  if (hash != HmacSha256(secret_, data)) {
+  if (hash != HmacSha256(access_secret_, data)) {
     Error::AddTo(error, FROM_HERE, errors::kDomain,
                  errors::kInvalidAuthorization, "Invalid signature");
     return false;
@@ -222,7 +227,7 @@
     return false;
   }
 
-  SetSecret(claim->first->GetSecret(), claim->second);
+  SetAuthSecret(claim->first->GetAuthSecret(), claim->second);
   pending_claims_.clear();
   return true;
 }
@@ -236,10 +241,11 @@
       scope.GetCaveat(), issued.GetCaveat(),
   };
 
-  CHECK_EQ(kSha256OutputSize, secret_.size());
+  CHECK_EQ(kSha256OutputSize, auth_secret_.size());
   UwMacaroon macaroon{};
-  CHECK(uw_macaroon_new_from_root_key_(
-      &macaroon, secret_.data(), secret_.size(), caveats, arraysize(caveats)));
+  CHECK(uw_macaroon_new_from_root_key_(&macaroon, auth_secret_.data(),
+                                       auth_secret_.size(), caveats,
+                                       arraysize(caveats)));
 
   std::vector<uint8_t> token(kMaxMacaroonSize);
   size_t len = 0;
@@ -260,8 +266,9 @@
     return false;
   }
 
-  CHECK_EQ(kSha256OutputSize, secret_.size());
-  return uw_macaroon_verify_(&macaroon, secret_.data(), secret_.size());
+  CHECK_EQ(kSha256OutputSize, auth_secret_.size());
+  return uw_macaroon_verify_(&macaroon, auth_secret_.data(),
+                             auth_secret_.size());
 }
 
 std::vector<uint8_t> AuthManager::CreateSessionId() {