Google Git
Sign in
weave / weave / libweave / a0a813490ff37868827b65d7f9aeb554c996c17c / . / src / privet / auth_manager.cc
blob: 27a5e7e194052c32e2dec72ba31c4851bbdb3585 [file] [log] [blame]
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]1// Copyright 2015 The Weave Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "src/privet/auth_manager.h"
6
7#include <base/rand_util.h>
8#include <base/strings/string_number_conversions.h>
9
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]10#include "src/config.h"
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]11#include "src/data_encoding.h"
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]12#include "src/privet/constants.h"
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]13#include "src/privet/openssl_utils.h"
14#include "src/string_utils.h"
15
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]16extern "C" {
17#include "third_party/libuweave/src/macaroon.h"
18}
19
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]20namespace weave {
21namespace privet {
22
23namespace {
24
25const char kTokenDelimeter[] = ":";
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]26const size_t kCaveatBuffetSize = 32;
27const size_t kMaxMacaroonSize = 1024;
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]28const size_t kMaxPendingClaims = 10;
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]29
Vitaly Buka483d5972015-12-16 13:45:35 -0800[diff] [blame]30template <class T>
31void AppendToArray(T value, std::vector<uint8_t>* array) {
32 auto begin = reinterpret_cast<const uint8_t*>(&value);
33 array->insert(array->end(), begin, begin + sizeof(value));
34}
35
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]36// Returns "scope:id:time".
37std::string CreateTokenData(const UserInfo& user_info, const base::Time& time) {
38 return base::IntToString(static_cast<int>(user_info.scope())) +
39 kTokenDelimeter + base::Uint64ToString(user_info.user_id()) +
40 kTokenDelimeter + base::Int64ToString(time.ToTimeT());
41}
42
43// Splits string of "scope:id:time" format.
44UserInfo SplitTokenData(const std::string& token, base::Time* time) {
45 const UserInfo kNone;
46 auto parts = Split(token, kTokenDelimeter, false, false);
47 if (parts.size() != 3)
48 return kNone;
49 int scope = 0;
50 if (!base::StringToInt(parts[0], &scope) ||
51 scope < static_cast<int>(AuthScope::kNone) ||
52 scope > static_cast<int>(AuthScope::kOwner)) {
53 return kNone;
54 }
55
56 uint64_t id{0};
57 if (!base::StringToUint64(parts[1], &id))
58 return kNone;
59
60 int64_t timestamp{0};
61 if (!base::StringToInt64(parts[2], &timestamp))
62 return kNone;
Vitaly Buka0de42f52015-12-13 18:47:13 -0800[diff] [blame]63 if (time)
64 *time = base::Time::FromTimeT(timestamp);
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]65 return UserInfo{static_cast<AuthScope>(scope), id};
66}
67
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]68class Caveat {
69 public:
70 Caveat(UwMacaroonCaveatType type, uint32_t value) {
71 CHECK(uw_macaroon_caveat_create_with_uint_(type, value, buffer,
72 sizeof(buffer), &caveat));
73 }
74
75 const UwMacaroonCaveat& GetCaveat() const { return caveat; }
76
77 private:
78 UwMacaroonCaveat caveat;
79 uint8_t buffer[kCaveatBuffetSize];
80
81 DISALLOW_COPY_AND_ASSIGN(Caveat);
82};
83
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]84std::vector<uint8_t> CreateSecret() {
85 std::vector<uint8_t> secret(kSha256OutputSize);
86 base::RandBytes(secret.data(), secret.size());
87 return secret;
88}
89
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]90bool IsClaimAllowed(RootClientTokenOwner curret, RootClientTokenOwner claimer) {
91 return claimer > curret || claimer == RootClientTokenOwner::kCloud;
92}
93
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]94} // namespace
95
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]96AuthManager::AuthManager(Config* config,
97 const std::vector<uint8_t>& certificate_fingerprint)
98 : config_{config}, certificate_fingerprint_{certificate_fingerprint} {
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]99 if (config_) {
100 SetSecret(config_->GetSettings().secret,
101 config_->GetSettings().root_client_token_owner);
102 } else {
103 SetSecret({}, RootClientTokenOwner::kNone);
104 }
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]105}
106
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]107AuthManager::AuthManager(const std::vector<uint8_t>& secret,
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]108 const std::vector<uint8_t>& certificate_fingerprint,
109 base::Clock* clock)
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]110 : AuthManager(nullptr, certificate_fingerprint) {
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]111 SetSecret(secret, RootClientTokenOwner::kNone);
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]112 if (clock)
113 clock_ = clock;
114}
115
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]116void AuthManager::SetSecret(const std::vector<uint8_t>& secret,
117 RootClientTokenOwner owner) {
118 secret_ = secret;
119
120 if (secret.size() != kSha256OutputSize) {
121 secret_ = CreateSecret();
122 owner = RootClientTokenOwner::kNone;
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]123 }
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]124
125 if (!config_ || (config_->GetSettings().secret == secret_ &&
126 config_->GetSettings().root_client_token_owner == owner)) {
127 return;
128 }
129
130 Config::Transaction change{config_};
131 change.set_secret(secret);
132 change.set_root_client_token_owner(owner);
133 change.Commit();
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]134}
135
136AuthManager::~AuthManager() {}
137
Vitaly Bukaa0a81342015-12-17 13:42:13 -0800[diff] [blame^]138// Returns "[hmac]scope:id:expiration_time".
139std::vector<uint8_t> AuthManager::CreateAccessToken(const UserInfo& user_info,
140 base::TimeDelta ttl) const {
141 std::string data_str{CreateTokenData(user_info, Now() + ttl)};
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]142 std::vector<uint8_t> data{data_str.begin(), data_str.end()};
143 std::vector<uint8_t> hash{HmacSha256(secret_, data)};
144 hash.insert(hash.end(), data.begin(), data.end());
145 return hash;
146}
147
Vitaly Bukaa0a81342015-12-17 13:42:13 -0800[diff] [blame^]148// TODO(vitalybuka): Switch to Macaroon?
149// Parses "base64([hmac]scope:id:expriration_time)".
150bool AuthManager::ParseAccessToken(const std::vector<uint8_t>& token,
151 UserInfo* user_info,
152 ErrorPtr* error) const {
153 if (token.size() <= kSha256OutputSize) {
154 Error::AddToPrintf(error, FROM_HERE, errors::kDomain,
155 errors::kInvalidAuthorization, "Invalid token size: %zu",
156 token.size());
157 return false;
158 }
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]159 std::vector<uint8_t> hash(token.begin(), token.begin() + kSha256OutputSize);
160 std::vector<uint8_t> data(token.begin() + kSha256OutputSize, token.end());
Vitaly Bukaa0a81342015-12-17 13:42:13 -0800[diff] [blame^]161 if (hash != HmacSha256(secret_, data)) {
162 Error::AddTo(error, FROM_HERE, errors::kDomain,
163 errors::kInvalidAuthorization, "Invalid signature");
164 return false;
165 }
166
167 base::Time time;
168 UserInfo info = SplitTokenData(std::string(data.begin(), data.end()), &time);
169 if (info.scope() == AuthScope::kNone) {
170 Error::AddTo(error, FROM_HERE, errors::kDomain,
171 errors::kInvalidAuthorization, "Invalid token data");
172 return false;
173 }
174
175 if (time < clock_->Now()) {
176 Error::AddTo(error, FROM_HERE, errors::kDomain,
177 errors::kAuthorizationExpired, "Token is expired");
178 return false;
179 }
180
181 if (user_info)
182 *user_info = info;
183
184 return true;
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]185}
186
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]187std::vector<uint8_t> AuthManager::ClaimRootClientAuthToken(
Vitaly Buka4ab50022015-12-14 22:32:24 -0800[diff] [blame]188 RootClientTokenOwner owner,
189 ErrorPtr* error) {
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]190 CHECK(RootClientTokenOwner::kNone != owner);
191 if (config_) {
192 auto current = config_->GetSettings().root_client_token_owner;
193 if (!IsClaimAllowed(current, owner)) {
194 Error::AddToPrintf(
195 error, FROM_HERE, errors::kDomain, errors::kAlreadyClaimed,
196 "Device already claimed by '%s'", EnumToString(current).c_str());
197 return {};
198 }
199 };
200
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]201 pending_claims_.push_back(std::make_pair(
202 std::unique_ptr<AuthManager>{new AuthManager{nullptr, {}}}, owner));
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]203 if (pending_claims_.size() > kMaxPendingClaims)
204 pending_claims_.pop_front();
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]205 return pending_claims_.back().first->GetRootClientAuthToken();
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]206}
207
Vitaly Buka305ab612015-12-15 12:02:59 -0800[diff] [blame]208bool AuthManager::ConfirmClientAuthToken(const std::vector<uint8_t>& token,
209 ErrorPtr* error) {
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]210 // Cover case when caller sent confirm twice.
211 if (pending_claims_.empty() && IsValidAuthToken(token))
212 return true;
213
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]214 auto claim =
215 std::find_if(pending_claims_.begin(), pending_claims_.end(),
216 [&token](const decltype(pending_claims_)::value_type& auth) {
217 return auth.first->IsValidAuthToken(token);
218 });
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]219 if (claim == pending_claims_.end()) {
220 Error::AddTo(error, FROM_HERE, errors::kDomain, errors::kNotFound,
221 "Unknown claim");
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]222 return false;
Vitaly Bukac3bc82a2015-12-14 23:24:13 -0800[diff] [blame]223 }
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]224
Vitaly Bukaa10ab1c2015-12-14 16:28:47 -0800[diff] [blame]225 SetSecret(claim->first->GetSecret(), claim->second);
Vitaly Bukacc77fad2015-12-13 21:04:46 -0800[diff] [blame]226 pending_claims_.clear();
227 return true;
228}
229
Vitaly Buka47743a32015-12-10 14:59:11 -0800[diff] [blame]230std::vector<uint8_t> AuthManager::GetRootClientAuthToken() const {
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]231 Caveat scope{kUwMacaroonCaveatTypeScope, kUwMacaroonCaveatScopeTypeOwner};
232 Caveat issued{kUwMacaroonCaveatTypeIssued,
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]233 static_cast<uint32_t>(Now().ToTimeT())};
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]234
235 UwMacaroonCaveat caveats[] = {
236 scope.GetCaveat(), issued.GetCaveat(),
237 };
238
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]239 CHECK_EQ(kSha256OutputSize, secret_.size());
Vitaly Bukaa37056e2015-12-09 14:53:39 -0800[diff] [blame]240 UwMacaroon macaroon{};
241 CHECK(uw_macaroon_new_from_root_key_(
242 &macaroon, secret_.data(), secret_.size(), caveats, arraysize(caveats)));
243
244 std::vector<uint8_t> token(kMaxMacaroonSize);
245 size_t len = 0;
246 CHECK(uw_macaroon_dump_(&macaroon, token.data(), token.size(), &len));
247 token.resize(len);
248 return token;
249}
250
Vitaly Buka41aa8092015-12-09 20:04:34 -0800[diff] [blame]251base::Time AuthManager::Now() const {
252 return clock_->Now();
253}
254
Vitaly Bukae08c7c62015-12-13 20:12:39 -0800[diff] [blame]255bool AuthManager::IsValidAuthToken(const std::vector<uint8_t>& token) const {
256 std::vector<uint8_t> buffer(kMaxMacaroonSize);
257 UwMacaroon macaroon{};
258 if (!uw_macaroon_load_(token.data(), token.size(), buffer.data(),
259 buffer.size(), &macaroon)) {
260 return false;
261 }
262
Vitaly Buka229113e2015-12-13 23:12:42 -0800[diff] [blame]263 CHECK_EQ(kSha256OutputSize, secret_.size());
Vitaly Bukae08c7c62015-12-13 20:12:39 -0800[diff] [blame]264 return uw_macaroon_verify_(&macaroon, secret_.data(), secret_.size());
265}
266
Vitaly Buka483d5972015-12-16 13:45:35 -0800[diff] [blame]267std::vector<uint8_t> AuthManager::CreateSessionId() {
268 std::vector<uint8_t> result;
269 AppendToArray(Now().ToTimeT(), &result);
270 AppendToArray(++session_counter_, &result);
271 return result;
272}
273
Vitaly Bukaf08caeb2015-12-02 13:47:48 -0800[diff] [blame]274} // namespace privet
275} // namespace weave