Mirrors/overte-JulianGro
3
0
Fork 0
mirror of https://github.com/JulianGro/overte.git synced 2025-04-30 14:03:10 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

handle verification of username signature during connection

Browse source
This commit is contained in:
Stephen Birarda 2014-10-14 18:02:22 -07:00
parent e3ba8cddbb
commit 50f27d3e16
5 changed files with 102 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
domain-server/CMakeLists.txt
View file

@ -38,4 +38,12 @@ endif ()
# link the shared hifi libraries # link the shared hifi libraries
link_hifi_libraries(embedded-webserver networking shared) link_hifi_libraries(embedded-webserver networking shared)
# find OpenSSL
find_package(OpenSSL REQUIRED)
include_directories(SYSTEM "${OPENSSL_INCLUDE_DIR}")
# append OpenSSL to our list of libraries to link
list(APPEND ${TARGET_NAME}_LIBRARIES_TO_LINK "${OPENSSL_LIBRARIES}")
link_shared_dependencies() link_shared_dependencies()

130
domain-server/src/DomainServer.cpp
View file

@ -9,6 +9,9 @@
// See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html // See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html
// //
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <QtCore/QDir> #include <QtCore/QDir>
#include <QtCore/QJsonDocument> #include <QtCore/QJsonDocument>
#include <QtCore/QJsonObject> #include <QtCore/QJsonObject>
@ -558,48 +561,14 @@ void DomainServer::handleConnectRequest(const QByteArray& packet, const HifiSock
packetStream >> nodeInterestList >> username >> usernameSignature; packetStream >> nodeInterestList >> username >> usernameSignature;
static const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(), if (!isAssignment && !shouldAllowConnectionFromNode(username, usernameSignature, senderSockAddr)) {
ALLOWED_USERS_SETTINGS_KEYPATH); // this is an agent and we've decided we won't let them connect - send them a packet to deny connection
static QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList(); QByteArray usernameRequestByteArray = byteArrayWithPopulatedHeader(PacketTypeDomainConnectionDenied);
if (!isAssignment && allowedUsers.count() > 0) { // send this oauth request datagram back to the client
// this is an agent, we need to ask them to provide us with their signed username to see if they are allowed in LimitedNodeList::getInstance()->writeUnverifiedDatagram(usernameRequestByteArray, senderSockAddr);
// we always let in a user who is sending a packet from our local socket or from the localhost address
return;
// if (senderSockAddr.getAddress() != LimitedNodeList::getInstance()->getLocalSockAddr().getAddress()
// && senderSockAddr.getAddress() != QHostAddress::LocalHost) {
if (true) {
bool canConnect = false;
if (allowedUsers.contains(username)) {
// it's possible this user can be allowed to connect, but we need to check their username signature
// even if we have a public key for them right now, request a new one in case it has just changed
JSONCallbackParameters callbackParams;
callbackParams.jsonCallbackReceiver = this;
callbackParams.jsonCallbackMethod = "publicKeyJSONCallback";
const QString USER_PUBLIC_KEY_PATH = "api/v1/users/%1/public_key";
qDebug() << "Requesting public key for user" << username;
AccountManager::getInstance().unauthenticatedRequest(USER_PUBLIC_KEY_PATH.arg(username),
QNetworkAccessManager::GetOperation, callbackParams);
if (_userPublicKeys.contains(username)) {
// if we do have a public key for the user, check for a signature match
}
}
if (!canConnect) {
QByteArray usernameRequestByteArray = byteArrayWithPopulatedHeader(PacketTypeDomainConnectionDenied);
// send this oauth request datagram back to the client
LimitedNodeList::getInstance()->writeUnverifiedDatagram(usernameRequestByteArray, senderSockAddr);
return;
}
}
} }
if ((!isAssignment && !STATICALLY_ASSIGNED_NODES.contains(nodeType)) if ((!isAssignment && !STATICALLY_ASSIGNED_NODES.contains(nodeType))
@ -640,6 +609,83 @@ void DomainServer::handleConnectRequest(const QByteArray& packet, const HifiSock
} }
} }
bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
const QByteArray& usernameSignature,
const HifiSockAddr& senderSockAddr) {
static const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(),
ALLOWED_USERS_SETTINGS_KEYPATH);
static QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList();
if (allowedUsers.count() > 0) {
// this is an agent, we need to ask them to provide us with their signed username to see if they are allowed in
// we always let in a user who is sending a packet from our local socket or from the localhost address
if (senderSockAddr.getAddress() != LimitedNodeList::getInstance()->getLocalSockAddr().getAddress()
&& senderSockAddr.getAddress() != QHostAddress::LocalHost) {
if (allowedUsers.contains(username)) {
// it's possible this user can be allowed to connect, but we need to check their username signature
QByteArray publicKeyArray = _userPublicKeys.value(username);
if (!publicKeyArray.isEmpty()) {
// if we do have a public key for the user, check for a signature match
const unsigned char* publicKeyData = reinterpret_cast<const unsigned char*>(publicKeyArray.constData());
// first load up the public key into an RSA struct
RSA* rsaPublicKey = d2i_RSAPublicKey(NULL, &publicKeyData, publicKeyArray.size());
if (rsaPublicKey) {
QByteArray decryptedArray(RSA_size(rsaPublicKey), 0);
int decryptResult = RSA_public_decrypt(usernameSignature.size(),
reinterpret_cast<const unsigned char*>(usernameSignature.constData()),
reinterpret_cast<unsigned char*>(decryptedArray.data()),
rsaPublicKey, RSA_PKCS1_PADDING);
if (decryptResult != -1) {
if (username == decryptedArray) {
qDebug() << "Username signature matches for" << username << "- allowing connection.";
// free up the public key before we return
RSA_free(rsaPublicKey);
return true;
} else {
qDebug() << "Username signature did not match for" << username << "- denying connection.";
}
} else {
qDebug() << "Couldn't decrypt user signature for" << username << "- denying connection.";
}
// free up the public key, we don't need it anymore
RSA_free(rsaPublicKey);
} else {
// we can't let this user in since we couldn't convert their public key to an RSA key we could use
qDebug() << "Couldn't convert data to RSA key for" << username << "- denying connection.";
}
}
// even if we have a public key for them right now, request a new one in case it has just changed
JSONCallbackParameters callbackParams;
callbackParams.jsonCallbackReceiver = this;
callbackParams.jsonCallbackMethod = "publicKeyJSONCallback";
const QString USER_PUBLIC_KEY_PATH = "api/v1/users/%1/public_key";
qDebug() << "Requesting public key for user" << username;
AccountManager::getInstance().unauthenticatedRequest(USER_PUBLIC_KEY_PATH.arg(username),
QNetworkAccessManager::GetOperation, callbackParams);
}
}
} else {
// since we have no allowed user list, let them all in
return true;
}
return false;
}
QUrl DomainServer::oauthRedirectURL() { QUrl DomainServer::oauthRedirectURL() {
return QString("https://%1:%2/oauth").arg(_hostname).arg(_httpsManager->serverPort()); return QString("https://%1:%2/oauth").arg(_hostname).arg(_httpsManager->serverPort());
} }

2
domain-server/src/DomainServer.h
View file

@ -83,6 +83,8 @@ private:
void processDatagram(const QByteArray& receivedPacket, const HifiSockAddr& senderSockAddr); void processDatagram(const QByteArray& receivedPacket, const HifiSockAddr& senderSockAddr);
void handleConnectRequest(const QByteArray& packet, const HifiSockAddr& senderSockAddr); void handleConnectRequest(const QByteArray& packet, const HifiSockAddr& senderSockAddr);
bool shouldAllowConnectionFromNode(const QString& username, const QByteArray& usernameSignature,
const HifiSockAddr& senderSockAddr);
int parseNodeDataFromByteArray(QDataStream& packetStream, int parseNodeDataFromByteArray(QDataStream& packetStream,
NodeType_t& nodeType, NodeType_t& nodeType,
HifiSockAddr& publicSockAddr, HifiSockAddr& publicSockAddr,

3
libraries/networking/src/DataServerAccountInfo.cpp
View file

@ -143,6 +143,9 @@ const QByteArray& DataServerAccountInfo::getUsernameSignature() {
qDebug() << "Will re-attempt on next domain-server check in."; qDebug() << "Will re-attempt on next domain-server check in.";
_usernameSignature = QByteArray(); _usernameSignature = QByteArray();
} }
// free the private key RSA struct now that we are done with it
RSA_free(rsaPrivateKey);
} else { } else {
qDebug() << "Could not create RSA struct from QByteArray private key."; qDebug() << "Could not create RSA struct from QByteArray private key.";
qDebug() << "Will re-attempt on next domain-server check in."; qDebug() << "Will re-attempt on next domain-server check in.";

2
libraries/networking/src/RSAKeypairGenerator.cpp
View file

@ -51,7 +51,7 @@ void RSAKeypairGenerator::generateKeypair() {
// grab the public key and private key from the file // grab the public key and private key from the file
unsigned char* publicKeyDER = NULL; unsigned char* publicKeyDER = NULL;
int publicKeyLength = i2d_RSA_PUBKEY(keyPair, &publicKeyDER); int publicKeyLength = i2d_RSAPublicKey(keyPair, &publicKeyDER);
unsigned char* privateKeyDER = NULL; unsigned char* privateKeyDER = NULL;
int privateKeyLength = i2d_RSAPrivateKey(keyPair, &privateKeyDER); int privateKeyLength = i2d_RSAPrivateKey(keyPair, &privateKeyDER);