SystemUIs authorization (#1233)

* Initial implementation of AuthCodeStore for SystemUIs

* SystemUIs authorization

* Renaming SystemUI -> SignerUI

* Fixing clippy warnings

* Lowering time threshold

* Bumping sysui

* Fixing test

signer/Cargo.toml

@@ -11,6 +11,7 @@ build = "build.rs"
 rustc_version = "0.1"
 
 [dependencies]
+rand = "0.3.14"
 jsonrpc-core = "2.0"
 log = "0.3"
 env_logger = "0.3"

signer/src/authcode_store.rs

@@ -0,0 +1,187 @@
+// Copyright 2015, 2016 Ethcore (UK) Ltd.
+// This file is part of Parity.
+
+// Parity is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Parity is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Parity.  If not, see <http://www.gnu.org/licenses/>.
+
+use rand::Rng;
+use rand::os::OsRng;
+use std::io;
+use std::io::{Read, Write};
+use std::fs;
+use std::path::Path;
+use std::time;
+use util::{H256, Hashable};
+
+/// Providing current time in seconds
+pub trait TimeProvider {
+	/// Returns timestamp (in seconds since epoch)
+	fn now(&self) -> u64;
+}
+
+impl<F : Fn() -> u64> TimeProvider for F {
+	fn now(&self) -> u64 {
+		self()
+	}
+}
+
+/// Default implementation of `TimeProvider` using system time.
+#[derive(Default)]
+pub struct DefaultTimeProvider;
+
+impl TimeProvider for DefaultTimeProvider {
+	fn now(&self) -> u64 {
+		time::UNIX_EPOCH.elapsed().expect("Valid time has to be set in your system.").as_secs()
+	}
+}
+
+/// No of seconds the hash is valid
+const TIME_THRESHOLD: u64 = 2;
+const TOKEN_LENGTH: usize = 16;
+
+/// Manages authorization codes for `SignerUIs`
+pub struct AuthCodes<T: TimeProvider = DefaultTimeProvider> {
+	codes: Vec<String>,
+	now: T,
+}
+
+impl AuthCodes<DefaultTimeProvider> {
+
+	/// Reads `AuthCodes` from file and creates new instance using `DefaultTimeProvider`.
+	pub fn from_file(file: &Path) -> io::Result<AuthCodes> {
+		let content = {
+			if let Ok(mut file) = fs::File::open(file) {
+				let mut s = String::new();
+				let _ = try!(file.read_to_string(&mut s));
+				s
+			} else {
+				"".into()
+			}
+		};
+		let codes = content.lines()
+			.filter(|f| f.len() >= TOKEN_LENGTH)
+			.map(String::from)
+			.collect();
+		Ok(AuthCodes {
+			codes: codes,
+			now: DefaultTimeProvider::default(),
+		})
+	}
+
+}
+
+impl<T: TimeProvider> AuthCodes<T> {
+
+	/// Writes all `AuthCodes` to a disk.
+	pub fn to_file(&self, file: &Path) -> io::Result<()> {
+		let mut file = try!(fs::File::create(file));
+		let content = self.codes.join("\n");
+		file.write_all(content.as_bytes())
+	}
+
+	/// Creates a new `AuthCodes` store with given `TimeProvider`.
+	pub fn new(codes: Vec<String>, now: T) -> Self {
+		AuthCodes {
+			codes: codes,
+			now: now,
+		}
+	}
+
+	/// Checks if given hash is correct identifier of `SignerUI`
+	pub fn is_valid(&self, hash: &H256, time: u64) -> bool {
+		let now = self.now.now();
+		// check time
+		if time >= now + TIME_THRESHOLD || time <= now - TIME_THRESHOLD {
+			warn!(target: "signer", "Received old authentication request.");
+			return false;
+		}
+
+		// look for code
+		self.codes.iter()
+			.any(|code| &format!("{}:{}", code, time).sha3() == hash)
+	}
+
+	/// Generates and returns a new code that can be used by `SignerUIs`
+	pub fn generate_new(&mut self) -> io::Result<String> {
+		let mut rng = try!(OsRng::new());
+		let code = rng.gen_ascii_chars().take(TOKEN_LENGTH).collect::<String>();
+		let readable_code = code.as_bytes()
+			.chunks(4)
+			.filter_map(|f| String::from_utf8(f.to_vec()).ok())
+			.collect::<Vec<String>>()
+			.join("-");
+		info!(target: "signer", "New authentication token generated.");
+		self.codes.push(code);
+		Ok(readable_code)
+	}
+}
+
+
+#[cfg(test)]
+mod tests {
+
+	use util::{H256, Hashable};
+	use super::*;
+
+	fn generate_hash(val: &str, time: u64) -> H256 {
+		format!("{}:{}", val, time).sha3()
+	}
+
+	#[test]
+	fn should_return_true_if_hash_is_valid() {
+		// given
+		let code = "23521352asdfasdfadf";
+		let time = 99;
+		let codes = AuthCodes::new(vec![code.into()], || 100);
+
+		// when
+		let res = codes.is_valid(&generate_hash(code, time), time);
+
+		// then
+		assert_eq!(res, true);
+	}
+
+	#[test]
+	fn should_return_false_if_code_is_unknown() {
+		// given
+		let code = "23521352asdfasdfadf";
+		let time = 99;
+		let codes = AuthCodes::new(vec!["1".into()], || 100);
+
+		// when
+		let res = codes.is_valid(&generate_hash(code, time), time);
+
+		// then
+		assert_eq!(res, false);
+	}
+
+	#[test]
+	fn should_return_false_if_hash_is_valid_but_time_is_invalid() {
+		// given
+		let code = "23521352asdfasdfadf";
+		let time = 105;
+		let time2 = 95;
+		let codes = AuthCodes::new(vec![code.into()], || 100);
+
+		// when
+		let res1 = codes.is_valid(&generate_hash(code, time), time);
+		let res2 = codes.is_valid(&generate_hash(code, time2), time2);
+
+		// then
+		assert_eq!(res1, false);
+		assert_eq!(res2, false);
+	}
+
+}
+
+

signer/src/lib.rs

@@ -23,8 +23,8 @@
 //! This module manages your private keys and accounts/identities
 //! that can be used within Dapps.
 //!
-//! It exposes API (over `WebSockets`) accessed by System UIs.
-//! Each transaction sent by Dapp is broadcasted to System UIs
+//! It exposes API (over `WebSockets`) accessed by Signer UIs.
+//! Each transaction sent by Dapp is broadcasted to Signer UIs
 //! and their responsibility is to confirm (or confirm and sign)
 //! the transaction for you.
 //!
@@ -38,13 +38,14 @@
 //!
 //!	fn main() {
 //!	 let queue = Arc::new(ConfirmationsQueue::default());
-//!	 let _server = ServerBuilder::new(queue).start("127.0.0.1:8084".parse().unwrap());
+//!	 let _server = ServerBuilder::new(queue, "/tmp/authcodes".into()).start("127.0.0.1:8084".parse().unwrap());
 //!	}
 //! ```
 
 #[macro_use]
 extern crate log;
 extern crate env_logger;
+extern crate rand;
 
 extern crate ethcore_util as util;
 extern crate ethcore_rpc as rpc;
@@ -52,7 +53,10 @@ extern crate jsonrpc_core;
 extern crate ws;
 extern crate parity_minimal_sysui as sysui;
 
+mod authcode_store;
 mod ws_server;
+
+pub use authcode_store::*;
 pub use ws_server::*;
 
 #[cfg(test)]

signer/src/ws_server/mod.rs

@@ -19,6 +19,7 @@
 use ws;
 use std;
 use std::thread;
+use std::path::PathBuf;
 use std::default::Default;
 use std::ops::Drop;
 use std::sync::Arc;
@@ -51,6 +52,7 @@ impl From<ws::Error> for ServerError {
 pub struct ServerBuilder {
 	queue: Arc<ConfirmationsQueue>,
 	handler: Arc<IoHandler>,
+	authcodes_path: PathBuf,
 }
 
 impl Extendable for ServerBuilder {
@@ -61,17 +63,18 @@ impl Extendable for ServerBuilder {
 
 impl ServerBuilder {
 	/// Creates new `ServerBuilder`
-	pub fn new(queue: Arc<ConfirmationsQueue>) -> Self {
+	pub fn new(queue: Arc<ConfirmationsQueue>, authcodes_path: PathBuf) -> Self {
 		ServerBuilder {
 			queue: queue,
 			handler: Arc::new(IoHandler::new()),
+			authcodes_path: authcodes_path,
 		}
 	}
 
 	/// Starts a new `WebSocket` server in separate thread.
 	/// Returns a `Server` handle which closes the server when droped.
 	pub fn start(self, addr: SocketAddr) -> Result<Server, ServerError> {
-		Server::start(addr, self.handler, self.queue)
+		Server::start(addr, self.handler, self.queue, self.authcodes_path)
 	}
 }
 
@@ -86,7 +89,7 @@ pub struct Server {
 impl Server {
 	/// Starts a new `WebSocket` server in separate thread.
 	/// Returns a `Server` handle which closes the server when droped.
-	fn start(addr: SocketAddr, handler: Arc<IoHandler>, queue: Arc<ConfirmationsQueue>) -> Result<Server, ServerError> {
+	fn start(addr: SocketAddr, handler: Arc<IoHandler>, queue: Arc<ConfirmationsQueue>, authcodes_path: PathBuf) -> Result<Server, ServerError> {
 		let config = {
 			let mut config = ws::Settings::default();
 			config.max_connections = 10;
@@ -96,7 +99,7 @@ impl Server {
 
 		// Create WebSocket
 		let origin = format!("{}", addr);
-		let ws = try!(ws::Builder::new().with_settings(config).build(session::Factory::new(handler, origin)));
+		let ws = try!(ws::Builder::new().with_settings(config).build(session::Factory::new(handler, origin, authcodes_path)));
 
 		let panic_handler = PanicHandler::new_in_arc();
 		let ph = panic_handler.clone();

signer/src/ws_server/session.rs

@@ -18,8 +18,12 @@
 
 use ws;
 use sysui;
+use authcode_store::AuthCodes;
+use std::path::{PathBuf, Path};
 use std::sync::Arc;
+use std::str::FromStr;
 use jsonrpc_core::IoHandler;
+use util::H256;
 
 fn origin_is_allowed(self_origin: &str, header: Option<&Vec<u8>>) -> bool {
 	match header {
@@ -36,13 +40,32 @@ fn origin_is_allowed(self_origin: &str, header: Option<&Vec<u8>>) -> bool {
 	}
 }
 
-fn auth_is_valid(_header: Option<&Vec<u8>>) -> bool {
-	true
+fn auth_is_valid(codes: &Path, protocols: ws::Result<Vec<&str>>) -> bool {
+	match protocols {
+		Ok(ref protocols) if protocols.len() == 1 => {
+			protocols.iter().any(|protocol| {
+				let mut split = protocol.split('_');
+				let auth = split.next().and_then(|v| H256::from_str(v).ok());
+				let time = split.next().and_then(|v| u64::from_str_radix(v, 10).ok());
+
+				if let (Some(auth), Some(time)) = (auth, time) {
+					// Check if the code is valid
+					AuthCodes::from_file(codes)
+						.map(|codes| codes.is_valid(&auth, time))
+						.unwrap_or(false)
+				} else {
+					false
+				}
+			})
+		},
+		_ => false
+	}
 }
 
 pub struct Session {
 	out: ws::Sender,
 	self_origin: String,
+	authcodes_path: PathBuf,
 	handler: Arc<IoHandler>,
 }
 
@@ -53,17 +76,25 @@ impl ws::Handler for Session {
 
 		// Check request origin and host header.
 		if !origin_is_allowed(&self.self_origin, origin) && !origin_is_allowed(&self.self_origin, host) {
+			warn!(target: "signer", "Blocked connection to Signer API from untrusted origin.");
 			return Ok(ws::Response::forbidden("You are not allowed to access system ui.".into()));
 		}
 
-		// Check authorization
-		if !auth_is_valid(req.header("authorization")) {
-			return Ok(ws::Response::forbidden("You are not authorized.".into()));
-		}
-
 		// Detect if it's a websocket request.
 		if req.header("sec-websocket-key").is_some() {
-			return ws::Response::from_request(req);
+			// Check authorization
+			if !auth_is_valid(&self.authcodes_path, req.protocols()) {
+				info!(target: "signer", "Unauthorized connection to Signer API blocked.");
+				return Ok(ws::Response::forbidden("You are not authorized.".into()));
+			}
+
+			let protocols = req.protocols().expect("Existence checked by authorization.");
+			let protocol = protocols.get(0).expect("Proved by authorization.");
+			return ws::Response::from_request(req).map(|mut res| {
+				// To make WebSockets connection successful we need to send back the protocol header.
+				res.set_protocol(protocol);
+				res
+			});
 		}
 
 		// Otherwise try to serve a page.
@@ -101,13 +132,15 @@ impl ws::Handler for Session {
 pub struct Factory {
 	handler: Arc<IoHandler>,
 	self_origin: String,
+	authcodes_path: PathBuf,
 }
 
 impl Factory {
-	pub fn new(handler: Arc<IoHandler>, self_origin: String) -> Self {
+	pub fn new(handler: Arc<IoHandler>, self_origin: String, authcodes_path: PathBuf) -> Self {
 		Factory {
 			handler: handler,
 			self_origin: self_origin,
+			authcodes_path: authcodes_path,
 		}
 	}
 }
@@ -118,8 +151,9 @@ impl ws::Factory for Factory {
 	fn connection_made(&mut self, sender: ws::Sender) -> Self::Handler {
 		Session {
 			out: sender,
-			self_origin: self.self_origin.clone(),
 			handler: self.handler.clone(),
+			self_origin: self.self_origin.clone(),
+			authcodes_path: self.authcodes_path.clone(),
 		}
 	}
 }