From 6c236867ce33c0c16b102e02a08226d7eb9b2046 Mon Sep 17 00:00:00 2001
From: Greg Steuck <gnezdo@google.com>
Date: Wed, 28 Jul 2021 15:34:03 -0700
Subject: syz-manager: support oauth when calling syz-hub

Permit empty hub_key to indicate oauth.
---
 dashboard/dashapi/dashapi.go |  8 ++++----
 pkg/auth/jwt.go              |  5 +++--
 pkg/mgrconfig/load.go        |  1 -
 syz-hub/hub.go               |  2 ++
 syz-manager/hub.go           | 34 +++++++++++++++++++++++++++++++---
 syz-manager/manager.go       |  2 +-
 tools/syz-hubtool/hubtool.go | 20 +++++++++++++++++---
 7 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/dashboard/dashapi/dashapi.go b/dashboard/dashapi/dashapi.go
index 14fa44faa..a78e25073 100644
--- a/dashboard/dashapi/dashapi.go
+++ b/dashboard/dashapi/dashapi.go
@@ -53,12 +53,12 @@ func NewCustom(client, addr, key string, ctor RequestCtor, doer RequestDoer,
 			return nil, err
 		}
 		wrappedDoer = func(req *http.Request) (*http.Response, error) {
-			if token, err := tokenCache.Get(time.Now()); err == nil {
-				req.Header.Add("Authorization", "Bearer "+token)
-				return doer(req)
-			} else {
+			token, err := tokenCache.Get(time.Now())
+			if err != nil {
 				return nil, err
 			}
+			req.Header.Add("Authorization", token)
+			return doer(req)
 		}
 	}
 	return &Dashboard{
diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go
index 3e2313d11..f6d219323 100644
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -101,7 +101,8 @@ func MakeCache(ctor func(method, url string, body io.Reader) (*http.Request, err
 
 // Get returns a potentially cached value of the token or renews as
 // necessary. The now parameter provides the current time for cache
-// expiration.
+// expiration. The returned value is suitable for Authorization header
+// and syz-hub Key requests.
 func (cache *TokenCache) Get(now time.Time) (string, error) {
 	cache.lock.Lock()
 	defer cache.lock.Unlock()
@@ -118,5 +119,5 @@ func (cache *TokenCache) Get(now time.Time) (string, error) {
 		}
 		cache.token = t
 	}
-	return cache.token.value, nil
+	return "Bearer " + cache.token.value, nil
 }
diff --git a/pkg/mgrconfig/load.go b/pkg/mgrconfig/load.go
index b16e72540..f26b26124 100644
--- a/pkg/mgrconfig/load.go
+++ b/pkg/mgrconfig/load.go
@@ -151,7 +151,6 @@ func Complete(cfg *Config) error {
 		if err := checkNonEmpty(
 			cfg.Name, "name",
 			cfg.HubAddr, "hub_addr",
-			cfg.HubKey, "hub_key",
 		); err != nil {
 			return err
 		}
diff --git a/syz-hub/hub.go b/syz-hub/hub.go
index 195ab74d7..187d4a1eb 100644
--- a/syz-hub/hub.go
+++ b/syz-hub/hub.go
@@ -135,6 +135,8 @@ func (hub *Hub) verifyKey(key, expectedKey string) error {
 		if subj != expectedKey {
 			return fmt.Errorf("bad token")
 		}
+		// Success due to correct token.
+		return nil
 	}
 	if key != expectedKey {
 		return fmt.Errorf("bad password")
diff --git a/syz-manager/hub.go b/syz-manager/hub.go
index f42c71206..25c628580 100644
--- a/syz-manager/hub.go
+++ b/syz-manager/hub.go
@@ -4,9 +4,11 @@
 package main
 
 import (
+	"net/http"
 	"strings"
 	"time"
 
+	"github.com/google/syzkaller/pkg/auth"
 	"github.com/google/syzkaller/pkg/hash"
 	"github.com/google/syzkaller/pkg/host"
 	"github.com/google/syzkaller/pkg/log"
@@ -16,7 +18,23 @@ import (
 	"github.com/google/syzkaller/prog"
 )
 
-func (mgr *Manager) hubSyncLoop() {
+type keyGetter func() (string, error)
+
+func pickGetter(key string) keyGetter {
+	if key != "" {
+		return func() (string, error) { return key, nil }
+	}
+	// Attempts oauth when the configured hub_key is empty.
+	tokenCache, err := auth.MakeCache(http.NewRequest, http.DefaultClient.Do)
+	if err != nil {
+		log.Fatalf("failed to make auth cache %v", err)
+	}
+	return func() (string, error) {
+		return tokenCache.Get(time.Now())
+	}
+}
+
+func (mgr *Manager) hubSyncLoop(keyGet keyGetter) {
 	hc := &HubConnector{
 		mgr:           mgr,
 		cfg:           mgr.cfg,
@@ -27,6 +45,7 @@ func (mgr *Manager) hubSyncLoop() {
 		leak:          mgr.checkResult.Features[host.FeatureLeak].Enabled,
 		fresh:         mgr.fresh,
 		hubReproQueue: mgr.hubReproQueue,
+		keyGet:        keyGet,
 	}
 	if mgr.cfg.Reproduce && mgr.dash != nil {
 		hc.needMoreRepros = mgr.needMoreRepros
@@ -47,6 +66,7 @@ type HubConnector struct {
 	newRepros      [][]byte
 	hubReproQueue  chan *Crash
 	needMoreRepros chan chan bool
+	keyGet         keyGetter
 }
 
 // HubManagerView restricts interface between HubConnector and Manager.
@@ -77,9 +97,13 @@ func (hc *HubConnector) loop() {
 }
 
 func (hc *HubConnector) connect(corpus [][]byte) (*rpctype.RPCClient, error) {
+	key, err := hc.keyGet()
+	if err != nil {
+		return nil, err
+	}
 	a := &rpctype.HubConnectArgs{
 		Client:  hc.cfg.HubClient,
-		Key:     hc.cfg.HubKey,
+		Key:     key,
 		Manager: hc.cfg.Name,
 		Domain:  hc.domain,
 		Fresh:   hc.fresh,
@@ -114,9 +138,13 @@ func (hc *HubConnector) connect(corpus [][]byte) (*rpctype.RPCClient, error) {
 }
 
 func (hc *HubConnector) sync(hub *rpctype.RPCClient, corpus [][]byte) error {
+	key, err := hc.keyGet()
+	if err != nil {
+		return err
+	}
 	a := &rpctype.HubSyncArgs{
 		Client:  hc.cfg.HubClient,
-		Key:     hc.cfg.HubKey,
+		Key:     key,
 		Manager: hc.cfg.Name,
 	}
 	sigs := make(map[hash.Sig]bool)
diff --git a/syz-manager/manager.go b/syz-manager/manager.go
index 47f066780..add89116e 100644
--- a/syz-manager/manager.go
+++ b/syz-manager/manager.go
@@ -1138,7 +1138,7 @@ func (mgr *Manager) candidateBatch(size int) []rpctype.RPCCandidate {
 		if mgr.phase == phaseLoadedCorpus {
 			if mgr.cfg.HubClient != "" {
 				mgr.phase = phaseTriagedCorpus
-				go mgr.hubSyncLoop()
+				go mgr.hubSyncLoop(pickGetter(mgr.cfg.HubKey))
 			} else {
 				mgr.phase = phaseTriagedHub
 			}
diff --git a/tools/syz-hubtool/hubtool.go b/tools/syz-hubtool/hubtool.go
index 491191a4c..916c7e9ab 100644
--- a/tools/syz-hubtool/hubtool.go
+++ b/tools/syz-hubtool/hubtool.go
@@ -8,9 +8,12 @@ import (
 	"flag"
 	"io/ioutil"
 	"log"
+	"net/http"
 	"path/filepath"
 	"runtime"
+	"time"
 
+	"github.com/google/syzkaller/pkg/auth"
 	"github.com/google/syzkaller/pkg/db"
 	"github.com/google/syzkaller/pkg/rpctype"
 	"github.com/google/syzkaller/prog"
@@ -55,9 +58,20 @@ func main() {
 	if err != nil {
 		log.Fatalf("failed to connect to hub: %v", err)
 	}
+	key := *flagHubKey
+	if *flagHubKey == "" {
+		tokenCache, err := auth.MakeCache(http.NewRequest, http.DefaultClient.Do)
+		if err != nil {
+			log.Fatalf("failed to make auth cache %v", err)
+		}
+		key, err = tokenCache.Get(time.Now())
+		if err != nil {
+			log.Fatalf("failed to get a token %v", err)
+		}
+	}
 	connectArgs := &rpctype.HubConnectArgs{
 		Client:  *flagHubClient,
-		Key:     *flagHubKey,
+		Key:     key,
 		Manager: *flagHubManager,
 		Fresh:   false,
 		Calls:   nil,
@@ -70,7 +84,7 @@ func main() {
 	if len(repros) != 0 {
 		syncArgs := &rpctype.HubSyncArgs{
 			Client:  *flagHubClient,
-			Key:     *flagHubKey,
+			Key:     key,
 			Manager: *flagHubManager,
 			Repros:  repros,
 		}
@@ -82,7 +96,7 @@ func main() {
 	for *flagDrain {
 		syncArgs := &rpctype.HubSyncArgs{
 			Client:     *flagHubClient,
-			Key:        *flagHubKey,
+			Key:        key,
 			Manager:    *flagHubManager,
 			NeedRepros: true,
 		}
-- 
cgit mrf-deployment