Google Git
Sign in
weave / weave / libweave / 305ab613de85f6640f300010a17cb6ea22be2081 / . / src / privet / auth_manager.cc
blob: 62a640f0c444eb2794f74666b8ec1839b4d0d227 [file] [log] [blame]
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]1// Copyright 2015 The Weave Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "src/privet/auth_manager.h"
6
7#include <base/rand_util.h>
8#include <base/strings/string_number_conversions.h>
9
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]10#include "src/config.h"
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]11#include "src/data_encoding.h"
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]12#include "src/privet/constants.h"
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]13#include "src/privet/openssl_utils.h"
14#include "src/string_utils.h"
15
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]16extern "C" {
17#include "third_party/libuweave/src/macaroon.h"
18}
19
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]20namespace weave {
21namespace privet {
22
23namespace {
24
25const char kTokenDelimeter[] = ":";
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]26const size_t kCaveatBuffetSize = 32;
27const size_t kMaxMacaroonSize = 1024;
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]28const size_t kMaxPendingClaims = 10;
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]29
30// Returns "scope:id:time".
31std::string CreateTokenData(const UserInfo& user_info, const base::Time& time) {
32 return base::IntToString(static_cast<int>(user_info.scope())) +
33 kTokenDelimeter + base::Uint64ToString(user_info.user_id()) +
34 kTokenDelimeter + base::Int64ToString(time.ToTimeT());
35}
36
37// Splits string of "scope:id:time" format.
38UserInfo SplitTokenData(const std::string& token, base::Time* time) {
39 const UserInfo kNone;
40 auto parts = Split(token, kTokenDelimeter, false, false);
41 if (parts.size() != 3)
42 return kNone;
43 int scope = 0;
44 if (!base::StringToInt(parts[0], &scope) ||
45 scope < static_cast<int>(AuthScope::kNone) ||
46 scope > static_cast<int>(AuthScope::kOwner)) {
47 return kNone;
48 }
49
50 uint64_t id{0};
51 if (!base::StringToUint64(parts[1], &id))
52 return kNone;
53
54 int64_t timestamp{0};
55 if (!base::StringToInt64(parts[2], &timestamp))
56 return kNone;
Vitaly Buka0de42f52015-12-13 18:47:13 -0800[diff] [blame]57 if (time)
58 *time = base::Time::FromTimeT(timestamp);
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]59 return UserInfo{static_cast<AuthScope>(scope), id};
60}
61
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]62class Caveat {
63 public:
64 Caveat(UwMacaroonCaveatType type, uint32_t value) {
65 CHECK(uw_macaroon_caveat_create_with_uint_(type, value, buffer,
66 sizeof(buffer), &caveat));
67 }
68
69 const UwMacaroonCaveat& GetCaveat() const { return caveat; }
70
71 private:
72 UwMacaroonCaveat caveat;
73 uint8_t buffer[kCaveatBuffetSize];
74
75 DISALLOW_COPY_AND_ASSIGN(Caveat);
76};
77
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]78std::vector<uint8_t> CreateSecret() {
79 std::vector<uint8_t> secret(kSha256OutputSize);
80 base::RandBytes(secret.data(), secret.size());
81 return secret;
82}
83
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]84bool IsClaimAllowed(RootClientTokenOwner curret, RootClientTokenOwner claimer) {
85 return claimer > curret || claimer == RootClientTokenOwner::kCloud;
86}
87
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]88} // namespace
89
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]90AuthManager::AuthManager(Config* config,
91 const std::vector<uint8_t>& certificate_fingerprint)
92 : config_{config}, certificate_fingerprint_{certificate_fingerprint} {
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]93 if (config_) {
94 SetSecret(config_->GetSettings().secret,
95 config_->GetSettings().root_client_token_owner);
96 } else {
97 SetSecret({}, RootClientTokenOwner::kNone);
98 }
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]99}
100
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]101AuthManager::AuthManager(const std::vector<uint8_t>& secret,
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]102 const std::vector<uint8_t>& certificate_fingerprint,
103 base::Clock* clock)
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]104 : AuthManager(nullptr, certificate_fingerprint) {
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]105 SetSecret(secret, RootClientTokenOwner::kNone);
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]106 if (clock)
107 clock_ = clock;
108}
109
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]110void AuthManager::SetSecret(const std::vector<uint8_t>& secret,
111 RootClientTokenOwner owner) {
112 secret_ = secret;
113
114 if (secret.size() != kSha256OutputSize) {
115 secret_ = CreateSecret();
116 owner = RootClientTokenOwner::kNone;
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]117 }
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]118
119 if (!config_ || (config_->GetSettings().secret == secret_ &&
120 config_->GetSettings().root_client_token_owner == owner)) {
121 return;
122 }
123
124 Config::Transaction change{config_};
125 change.set_secret(secret);
126 change.set_root_client_token_owner(owner);
127 change.Commit();
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]128}
129
130AuthManager::~AuthManager() {}
131
132// Returns "[hmac]scope:id:time".
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]133std::vector<uint8_t> AuthManager::CreateAccessToken(const UserInfo& user_info) {
134 std::string data_str{CreateTokenData(user_info, Now())};
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]135 std::vector<uint8_t> data{data_str.begin(), data_str.end()};
136 std::vector<uint8_t> hash{HmacSha256(secret_, data)};
137 hash.insert(hash.end(), data.begin(), data.end());
138 return hash;
139}
140
141// Parses "base64([hmac]scope:id:time)".
142UserInfo AuthManager::ParseAccessToken(const std::vector<uint8_t>& token,
143 base::Time* time) const {
144 if (token.size() <= kSha256OutputSize)
145 return UserInfo{};
146 std::vector<uint8_t> hash(token.begin(), token.begin() + kSha256OutputSize);
147 std::vector<uint8_t> data(token.begin() + kSha256OutputSize, token.end());
148 if (hash != HmacSha256(secret_, data))
149 return UserInfo{};
150 return SplitTokenData(std::string(data.begin(), data.end()), time);
151}
152
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]153std::vector<uint8_t> AuthManager::ClaimRootClientAuthToken(
Vitaly Buka4ab50022015-12-14 22:32:24 -0800[diff] [blame]154 RootClientTokenOwner owner,
155 ErrorPtr* error) {
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]156 CHECK(RootClientTokenOwner::kNone != owner);
157 if (config_) {
158 auto current = config_->GetSettings().root_client_token_owner;
159 if (!IsClaimAllowed(current, owner)) {
160 Error::AddToPrintf(
161 error, FROM_HERE, errors::kDomain, errors::kAlreadyClaimed,
162 "Device already claimed by '%s'", EnumToString(current).c_str());
163 return {};
164 }
165 };
166
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]167 pending_claims_.push_back(std::make_pair(
168 std::unique_ptr<AuthManager>{new AuthManager{nullptr, {}}}, owner));
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]169 if (pending_claims_.size() > kMaxPendingClaims)
170 pending_claims_.pop_front();
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]171 return pending_claims_.back().first->GetRootClientAuthToken();
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]172}
173
Vitaly Buka305ab612015-12-15 12:02:59 -0800[diff] [blame^]174bool AuthManager::ConfirmClientAuthToken(const std::vector<uint8_t>& token,
175 ErrorPtr* error) {
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]176 // Cover case when caller sent confirm twice.
177 if (pending_claims_.empty() && IsValidAuthToken(token))
178 return true;
179
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]180 auto claim =
181 std::find_if(pending_claims_.begin(), pending_claims_.end(),
182 [&token](const decltype(pending_claims_)::value_type& auth) {
183 return auth.first->IsValidAuthToken(token);
184 });
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]185 if (claim == pending_claims_.end()) {
186 Error::AddTo(error, FROM_HERE, errors::kDomain, errors::kNotFound,
187 "Unknown claim");
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]188 return false;
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]189 }
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]190
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]191 SetSecret(claim->first->GetSecret(), claim->second);
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]192 pending_claims_.clear();
193 return true;
194}
195
Vitaly Buka47743a32015-12-10 14:59:11 -0800[diff] [blame]196std::vector<uint8_t> AuthManager::GetRootClientAuthToken() const {
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]197 Caveat scope{kUwMacaroonCaveatTypeScope, kUwMacaroonCaveatScopeTypeOwner};
198 Caveat issued{kUwMacaroonCaveatTypeIssued,
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]199 static_cast<uint32_t>(Now().ToTimeT())};
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]200
201 UwMacaroonCaveat caveats[] = {
202 scope.GetCaveat(), issued.GetCaveat(),
203 };
204
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]205 CHECK_EQ(kSha256OutputSize, secret_.size());
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]206 UwMacaroon macaroon{};
207 CHECK(uw_macaroon_new_from_root_key_(
208 &macaroon, secret_.data(), secret_.size(), caveats, arraysize(caveats)));
209
210 std::vector<uint8_t> token(kMaxMacaroonSize);
211 size_t len = 0;
212 CHECK(uw_macaroon_dump_(&macaroon, token.data(), token.size(), &len));
213 token.resize(len);
214 return token;
215}
216
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]217base::Time AuthManager::Now() const {
218 return clock_->Now();
219}
220
Vitaly Bukae08c7c62015-12-13 20:12:39 -0800[diff] [blame]221bool AuthManager::IsValidAuthToken(const std::vector<uint8_t>& token) const {
222 std::vector<uint8_t> buffer(kMaxMacaroonSize);
223 UwMacaroon macaroon{};
224 if (!uw_macaroon_load_(token.data(), token.size(), buffer.data(),
225 buffer.size(), &macaroon)) {
226 return false;
227 }
228
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]229 CHECK_EQ(kSha256OutputSize, secret_.size());
Vitaly Bukae08c7c62015-12-13 20:12:39 -0800[diff] [blame]230 return uw_macaroon_verify_(&macaroon, secret_.data(), secret_.size());
231}
232
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]233} // namespace privet
234} // namespace weave