Diffstat (limited to 'syz-hub')
-rw-r--r--syz-hub/hub.go35
-rw-r--r--syz-hub/hub_test.go2
2 files changed, 32 insertions, 5 deletions
diff --git a/syz-hub/hub.go b/syz-hub/hub.go
index 5db4d0088..195ab74d7 100644
--- a/syz-hub/hub.go
+++ b/syz-hub/hub.go
@@ -8,7 +8,9 @@ import (
"fmt"
"strings"
"sync"
+ "time"
+ "github.com/google/syzkaller/pkg/auth"
"github.com/google/syzkaller/pkg/config"
"github.com/google/syzkaller/pkg/log"
"github.com/google/syzkaller/pkg/rpctype"
@@ -33,6 +35,7 @@ type Hub struct {
mu sync.Mutex
st *state.State
keys map[string]string
+ auth auth.Endpoint
}
func main() {
@@ -50,6 +53,7 @@ func main() {
hub := &Hub{
st: st,
keys: make(map[string]string),
+ auth: auth.MakeEndpoint(auth.GoogleTokenInfoEndpoint),
}
for _, mgr := range cfg.Clients {
hub.keys[mgr.Name] = mgr.Key
@@ -66,7 +70,7 @@ func main() {
}
func (hub *Hub) Connect(a *rpctype.HubConnectArgs, r *int) error {
- name, err := hub.auth(a.Client, a.Key, a.Manager)
+ name, err := hub.checkManager(a.Client, a.Key, a.Manager)
if err != nil {
return err
}
@@ -83,7 +87,7 @@ func (hub *Hub) Connect(a *rpctype.HubConnectArgs, r *int) error {
}
func (hub *Hub) Sync(a *rpctype.HubSyncArgs, r *rpctype.HubSyncRes) error {
- name, err := hub.auth(a.Client, a.Key, a.Manager)
+ name, err := hub.checkManager(a.Client, a.Key, a.Manager)
if err != nil {
return err
}
@@ -122,8 +126,31 @@ func (hub *Hub) Sync(a *rpctype.HubSyncArgs, r *rpctype.HubSyncRes) error {
return nil
}
-func (hub *Hub) auth(client, key, manager string) (string, error) {
- if expectedKey, ok := hub.keys[client]; !ok || key != expectedKey {
+func (hub *Hub) verifyKey(key, expectedKey string) error {
+ if strings.HasPrefix(expectedKey, auth.OauthMagic) {
+ subj, err := hub.auth.DetermineAuthSubj(time.Now(), []string{key})
+ if err != nil {
+ return err
+ }
+ if subj != expectedKey {
+ return fmt.Errorf("bad token")
+ }
+ }
+ if key != expectedKey {
+ return fmt.Errorf("bad password")
+ }
+ // Success due to correct password.
+ return nil
+}
+
+// Returns the verified manager identity or error.
+func (hub *Hub) checkManager(client, key, manager string) (string, error) {
+ expectedKey, ok := hub.keys[client]
+ if !ok {
+ log.Logf(0, "connect from unauthorized client %v", client)
+ return "", fmt.Errorf("unauthorized manager")
+ }
+ if err := hub.verifyKey(key, expectedKey); err != nil {
log.Logf(0, "connect from unauthorized client %v", client)
return "", fmt.Errorf("unauthorized manager")
}
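Review bot: In `verifyKey` the OAuth branch has no success return, so after `subj != expectedKey` passes, control falls through to `if key != expectedKey` and returns "bad password" unless the presented credential is byte-identical to the configured subject, which a verified token presumably never is. Add `return nil` (with a comment such as `// Success due to correct token.`) as the last statement inside the `strings.HasPrefix(expectedKey, auth.OauthMagic)` block. The failure is fail-closed, so nobody is wrongly admitted, but managers configured with an OAuth subject would be unable to connect. Separately, the password branch compares secrets with `!=`; `subtle.ConstantTimeCompare([]byte(key), []byte(expectedKey)) != 1` from `crypto/subtle` would avoid a timing-dependent comparison. `checkManager` continues past the end of this hunk, and the only test change visible in this commit is a rename in `TestAuth`, so the token path may be untested.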
diff --git a/syz-hub/hub_test.go b/syz-hub/hub_test.go
index ec9350798..f7d1a12c4 100644
--- a/syz-hub/hub_test.go
+++ b/syz-hub/hub_test.go
@@ -88,7 +88,7 @@ func TestAuth(t *testing.T) {
}
for _, test := range tests {
t.Run(fmt.Sprintf("%q/%q/%q", test.client, test.key, test.manager), func(t *testing.T) {
- manager, err := hub.auth(test.client, test.key, test.manager)
+ manager, err := hub.checkManager(test.client, test.key, test.manager)
if !test.ok && err == nil {
t.Fatalf("auth is expected to fail, but it did not")
}