Google Git
Sign in
weave/weave/libweave/c3bc82a29cdff05d67d3b583ca0bc25df96ab382^!/.
commit
c3bc82a29cdff05d67d3b583ca0bc25df96ab382
[log] [tgz]
author
Vitaly Buka <vitalybuka@google.com>
Mon Dec 14 23:24:13 2015 -0800
committer
Vitaly Buka <vitalybuka@google.com>
Tue Dec 15 19:58:21 2015 +0000
tree
125f744f314a568b00b9bb4081f0ecd42d2a5e96
parent
4ab500249f346a9fcfe084ee1619a39259f7471c [diff]
Check if device already claimed

Client can claim only unclaimed device.
Cloud can claim any device.
Claim with kNone is not allowed.

BUG=25766815, 26143922

Change-Id: Id92168b7f7c290509e672a659f09b7d06af37b76
Reviewed-on: https://weave-review.googlesource.com/1960
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

diff --git a/src/config.h b/src/config.h
index 0c7ea5f..f5a8a77 100644
--- a/src/config.h
+++ b/src/config.h

@@ -21,6 +21,7 @@
 class StorageInterface;
 
 enum class RootClientTokenOwner {
+  // Keep order as it's used with order comparison operators.
   kNone,
   kClient,
   kCloud,

diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc
index f38b854..f9f6777 100644
--- a/src/privet/auth_manager.cc
+++ b/src/privet/auth_manager.cc

@@ -9,6 +9,7 @@
 
 #include "src/config.h"
 #include "src/data_encoding.h"
+#include "src/privet/constants.h"
 #include "src/privet/openssl_utils.h"
 #include "src/string_utils.h"
 
@@ -80,6 +81,10 @@
   return secret;
 }
 
+bool IsClaimAllowed(RootClientTokenOwner curret, RootClientTokenOwner claimer) {
+  return claimer > curret || claimer == RootClientTokenOwner::kCloud;
+}
+
 }  // namespace
 
 AuthManager::AuthManager(Config* config,
@@ -148,6 +153,17 @@
 std::vector<uint8_t> AuthManager::ClaimRootClientAuthToken(
     RootClientTokenOwner owner,
     ErrorPtr* error) {
+  CHECK(RootClientTokenOwner::kNone != owner);
+  if (config_) {
+    auto current = config_->GetSettings().root_client_token_owner;
+    if (!IsClaimAllowed(current, owner)) {
+      Error::AddToPrintf(
+          error, FROM_HERE, errors::kDomain, errors::kAlreadyClaimed,
+          "Device already claimed by '%s'", EnumToString(current).c_str());
+      return {};
+    }
+  };
+
   pending_claims_.push_back(std::make_pair(
       std::unique_ptr<AuthManager>{new AuthManager{nullptr, {}}}, owner));
   if (pending_claims_.size() > kMaxPendingClaims)
@@ -166,8 +182,11 @@
                    [&token](const decltype(pending_claims_)::value_type& auth) {
                      return auth.first->IsValidAuthToken(token);
                    });
-  if (claim == pending_claims_.end())
+  if (claim == pending_claims_.end()) {
+    Error::AddTo(error, FROM_HERE, errors::kDomain, errors::kNotFound,
+                 "Unknown claim");
     return false;
+  }
 
   SetSecret(claim->first->GetSecret(), claim->second);
   pending_claims_.clear();

diff --git a/src/privet/auth_manager_unittest.cc b/src/privet/auth_manager_unittest.cc
index 7b4aae4..aa124e1 100644
--- a/src/privet/auth_manager_unittest.cc
+++ b/src/privet/auth_manager_unittest.cc

@@ -147,23 +147,65 @@
   }
 }
 
-TEST_F(AuthManagerTest, ClaimRootClientAuthToken) {
+class AuthManagerClaimTest : public testing::Test {
+ public:
+  void SetUp() override { EXPECT_GE(auth_.GetSecret().size(), 32u); }
+
+  bool TestClaim(RootClientTokenOwner owner, RootClientTokenOwner claimer) {
+    Config::Transaction change{&config_};
+    change.set_root_client_token_owner(owner);
+    change.Commit();
+    return !auth_.ClaimRootClientAuthToken(claimer, nullptr).empty();
+  }
+
+ protected:
+  Config config_{nullptr};
+  AuthManager auth_{&config_, {}};
+};
+
+TEST_F(AuthManagerClaimTest, WithPreviosOwner) {
+  EXPECT_DEATH(
+      TestClaim(RootClientTokenOwner::kNone, RootClientTokenOwner::kNone), "");
+  EXPECT_DEATH(
+      TestClaim(RootClientTokenOwner::kClient, RootClientTokenOwner::kNone),
+      "");
+  EXPECT_DEATH(
+      TestClaim(RootClientTokenOwner::kCloud, RootClientTokenOwner::kNone), "");
+  EXPECT_TRUE(
+      TestClaim(RootClientTokenOwner::kNone, RootClientTokenOwner::kClient));
+  EXPECT_FALSE(
+      TestClaim(RootClientTokenOwner::kClient, RootClientTokenOwner::kClient));
+  EXPECT_FALSE(
+      TestClaim(RootClientTokenOwner::kCloud, RootClientTokenOwner::kClient));
+  EXPECT_TRUE(
+      TestClaim(RootClientTokenOwner::kNone, RootClientTokenOwner::kCloud));
+  EXPECT_TRUE(
+      TestClaim(RootClientTokenOwner::kClient, RootClientTokenOwner::kCloud));
+  EXPECT_TRUE(
+      TestClaim(RootClientTokenOwner::kCloud, RootClientTokenOwner::kCloud));
+}
+
+TEST_F(AuthManagerClaimTest, NormalClaim) {
   auto token =
       auth_.ClaimRootClientAuthToken(RootClientTokenOwner::kCloud, nullptr);
   EXPECT_FALSE(auth_.IsValidAuthToken(token));
+  EXPECT_EQ(RootClientTokenOwner::kNone,
+            config_.GetSettings().root_client_token_owner);
 
   EXPECT_TRUE(auth_.ConfirmAuthToken(token, nullptr));
   EXPECT_TRUE(auth_.IsValidAuthToken(token));
+  EXPECT_EQ(RootClientTokenOwner::kCloud,
+            config_.GetSettings().root_client_token_owner);
 }
 
-TEST_F(AuthManagerTest, ClaimRootClientAuthTokenDoubleConfirm) {
+TEST_F(AuthManagerClaimTest, DoubleConfirm) {
   auto token =
       auth_.ClaimRootClientAuthToken(RootClientTokenOwner::kCloud, nullptr);
   EXPECT_TRUE(auth_.ConfirmAuthToken(token, nullptr));
   EXPECT_TRUE(auth_.ConfirmAuthToken(token, nullptr));
 }
 
-TEST_F(AuthManagerTest, DoubleClaimRootClientAuthToken) {
+TEST_F(AuthManagerClaimTest, DoubleClaim) {
   auto token1 =
       auth_.ClaimRootClientAuthToken(RootClientTokenOwner::kCloud, nullptr);
   auto token2 =
@@ -172,7 +214,7 @@
   EXPECT_FALSE(auth_.ConfirmAuthToken(token2, nullptr));
 }
 
-TEST_F(AuthManagerTest, ClaimRootClientAuthTokenOverflow) {
+TEST_F(AuthManagerClaimTest, TokenOverflow) {
   auto token =
       auth_.ClaimRootClientAuthToken(RootClientTokenOwner::kCloud, nullptr);
   for (size_t i = 0; i < 100; ++i)

diff --git a/src/privet/constants.cc b/src/privet/constants.cc
index 3cc3e4a..e1962bd 100644
--- a/src/privet/constants.cc
+++ b/src/privet/constants.cc

@@ -30,6 +30,7 @@
 const char kInvalidPassphrase[] = "invalidPassphrase";
 const char kNotFound[] = "notFound";
 const char kNotImplemented[] = "notImplemented";
+const char kAlreadyClaimed[] = "alreadyClaimed";
 
 }  // namespace errors
 }  // namespace privet

diff --git a/src/privet/constants.h b/src/privet/constants.h
index 0668879..2b001aa 100644
--- a/src/privet/constants.h
+++ b/src/privet/constants.h

@@ -32,6 +32,7 @@
 extern const char kInvalidPassphrase[];
 extern const char kNotFound[];
 extern const char kNotImplemented[];
+extern const char kAlreadyClaimed[];
 }  // namespace errors
 }  // namespace privet
 }  // namespace weave

diff --git a/src/privet/privet_handler.cc b/src/privet/privet_handler.cc
index 86a2a85..b435435 100644
--- a/src/privet/privet_handler.cc
+++ b/src/privet/privet_handler.cc

@@ -153,6 +153,7 @@
     {errors::kInvalidState, http::kInternalServerError},
     {errors::kNotFound, http::kNotFound},
     {errors::kNotImplemented, http::kNotSupported},
+    {errors::kAlreadyClaimed, http::kDenied},
 };
 
 AuthScope AuthScopeFromString(const std::string& scope, AuthScope auto_scope) {