| author | Greg Steuck <gnezdo@google.com> | 2021-07-28 11:11:03 -0700 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2021-07-30 18:21:17 +0200 |
| commit | a31eceb86df9acc2a471945de8e17fd53091f149 (patch) | |
| tree | 289502087386a48293339cb071f277bf8f36e4b7 /syz-hub | |
| parent | 5bfcec7dfd4ba51d38b41cea770ecc96e7e59d4d (diff) | |
syz-hub: support oauth authentication
Diffstat (limited to 'syz-hub')
| -rw-r--r-- | syz-hub/hub.go | 35 | ||||
| -rw-r--r-- | syz-hub/hub_test.go | 2 |
2 files changed, 32 insertions, 5 deletions
diff --git a/syz-hub/hub.go b/syz-hub/hub.go
index 5db4d0088..195ab74d7 100644
--- a/syz-hub/hub.go
+++ b/syz-hub/hub.go
@@ -8,7 +8,9 @@ import (
 "fmt"
 "strings"
 "sync"
+ "time"
+ "github.com/google/syzkaller/pkg/auth"
 "github.com/google/syzkaller/pkg/config"
 "github.com/google/syzkaller/pkg/log"
 "github.com/google/syzkaller/pkg/rpctype"
@@ -33,6 +35,7 @@ type Hub struct {
 mu sync.Mutex
 st *state.State
 keys map[string]string
+ auth auth.Endpoint
 }
 func main() {
@@ -50,6 +53,7 @@ func main() {
 hub := &Hub{
 st: st,
 keys: make(map[string]string),
+ auth: auth.MakeEndpoint(auth.GoogleTokenInfoEndpoint),
 }
 for _, mgr := range cfg.Clients {
 hub.keys[mgr.Name] = mgr.Key
@@ -66,7 +70,7 @@ func main() {
 }
 func (hub *Hub) Connect(a *rpctype.HubConnectArgs, r *int) error {
- name, err := hub.auth(a.Client, a.Key, a.Manager)
+ name, err := hub.checkManager(a.Client, a.Key, a.Manager)
 if err != nil {
 return err
 }
@@ -83,7 +87,7 @@ func (hub *Hub) Connect(a *rpctype.HubConnectArgs, r *int) error {
 }
 func (hub *Hub) Sync(a *rpctype.HubSyncArgs, r *rpctype.HubSyncRes) error {
- name, err := hub.auth(a.Client, a.Key, a.Manager)
+ name, err := hub.checkManager(a.Client, a.Key, a.Manager)
 if err != nil {
 return err
 }
@@ -122,8 +126,31 @@ func (hub *Hub) Sync(a *rpctype.HubSyncArgs, r *rpctype.HubSyncRes) error {
 return nil
 }
-func (hub *Hub) auth(client, key, manager string) (string, error) {
- if expectedKey, ok := hub.keys[client]; !ok || key != expectedKey {
+func (hub *Hub) verifyKey(key, expectedKey string) error {
+ if strings.HasPrefix(expectedKey, auth.OauthMagic) {
+ subj, err := hub.auth.DetermineAuthSubj(time.Now(), []string{key})
+ if err != nil {
+ return err
+ }
+ if subj != expectedKey {
+ return fmt.Errorf("bad token")
+ }
+ }
+ if key != expectedKey {
+ return fmt.Errorf("bad password")
+ }
+ // Success due to correct password.
+ return nil
+}
+
+// Returns the verified manager identity or error.
+func (hub *Hub) checkManager(client, key, manager string) (string, error) {
+ expectedKey, ok := hub.keys[client]
+ if !ok {
+ log.Logf(0, "connect from unauthorized client %v", client)
+ return "", fmt.Errorf("unauthorized manager")
+ }
+ if err := hub.verifyKey(key, expectedKey); err != nil {
 log.Logf(0, "connect from unauthorized client %v", client)
 return "", fmt.Errorf("unauthorized manager")
 }
diff --git a/syz-hub/hub_test.go b/syz-hub/hub_test.go
index ec9350798..f7d1a12c4 100644
--- a/syz-hub/hub_test.go
+++ b/syz-hub/hub_test.go
@@ -88,7 +88,7 @@ func TestAuth(t *testing.T) {
 }
 for _, test := range tests {
 t.Run(fmt.Sprintf("%q/%q/%q", test.client, test.key, test.manager), func(t *testing.T) {
- manager, err := hub.auth(test.client, test.key, test.manager)
+ manager, err := hub.checkManager(test.client, test.key, test.manager)
 if !test.ok && err == nil {
 t.Fatalf("auth is expected to fail, but it did not")
 }
 } |
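Review bot: In `verifyKey`, a token that validates successfully still falls through to the password comparison. Once `subj != expectedKey` passes, control leaves the `auth.OauthMagic` block and reaches `if key != expectedKey`, which compares the presented token with the configured subject and returns "bad password" unless the two strings are identical. The OAuth branch should end with its own success return, `// Success due to correct token.` followed by `return nil`, placed just before that block's closing brace. The remaining shared-secret check `key != expectedKey` is not constant-time; `subtle.ConstantTimeCompare([]byte(key), []byte(expectedKey)) != 1` (with `crypto/subtle` imported) would avoid revealing through timing how much of the key matched. The `hub_test.go` hunk only renames the call and the test table lies outside it, so as far as this diff shows nothing exercises an `auth.OauthMagic`-prefixed key; an accepted-token and a rejected-token case with the token-info endpoint stubbed would have caught the fall-through.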
