From 6c06e49fc3405e76924cc9b8afb0c313b70c52d0 Mon Sep 17 00:00:00 2001 From: Amy Yan Date: Mon, 2 Sep 2024 14:54:20 +1000 Subject: [PATCH] wip --- src/claims/payloads/claimNetworkAccess.ts | 3 +- src/nodes/NodeConnection.ts | 1 - src/nodes/NodeManager.ts | 31 +++++++----- src/nodes/agent/errors.ts | 2 +- .../agent/handlers/NodesClaimNetworkVerify.ts | 10 ++-- .../handlers/nodesClaimNetworkVerify.test.ts | 47 +++++++++++-------- 6 files changed, 53 insertions(+), 41 deletions(-) diff --git a/src/claims/payloads/claimNetworkAccess.ts b/src/claims/payloads/claimNetworkAccess.ts index e7f339701..7ad8acaf8 100644 --- a/src/claims/payloads/claimNetworkAccess.ts +++ b/src/claims/payloads/claimNetworkAccess.ts @@ -54,7 +54,8 @@ function assertClaimNetworkAccess( ); } if ( - claimNetworkAccess['signedClaimNetworkAuthorityEncoded'] != null && typeof claimNetworkAccess['signedClaimNetworkAuthorityEncoded'] !== 'string' + claimNetworkAccess['signedClaimNetworkAuthorityEncoded'] != null && + typeof claimNetworkAccess['signedClaimNetworkAuthorityEncoded'] !== 'string' ) { throw new validationErrors.ErrorParse( '`signedClaimNetworkAuthorityEncoded` property must be an encoded signed token', diff --git a/src/nodes/NodeConnection.ts b/src/nodes/NodeConnection.ts index 8b059f511..095379c06 100644 --- a/src/nodes/NodeConnection.ts +++ b/src/nodes/NodeConnection.ts @@ -25,7 +25,6 @@ import * as nodesUtils from '../nodes/utils'; import { never } from '../utils'; import config from '../config'; import * as networkUtils from '../network/utils'; -import * as keysUtils from '../keys/utils'; type AgentClientManifest = typeof agentClientManifest; diff --git a/src/nodes/NodeManager.ts b/src/nodes/NodeManager.ts index f751f5228..710716824 100644 --- a/src/nodes/NodeManager.ts +++ b/src/nodes/NodeManager.ts @@ -50,6 +50,7 @@ import * as nodesEvents from './events'; import * as nodesErrors from './errors'; import * as agentErrors from './agent/errors'; import NodeConnectionQueue from './NodeConnectionQueue'; +import { assertClaimNetworkAuthority } from '../claims/payloads/claimNetworkAuthority'; import Token from '../tokens/Token'; import * as keysUtils from '../keys/utils'; import * as tasksErrors from '../tasks/errors'; @@ -58,8 +59,9 @@ import * as claimsErrors from '../claims/errors'; import * as utils from '../utils/utils'; import config from '../config'; import * as networkUtils from '../network/utils'; -import { ClaimNetworkAccess, assertClaimNetworkAccess } from '../claims/payloads/claimNetworkAccess'; -import { ClaimNetworkAuthority, assertClaimNetworkAuthority } from '@/claims/payloads/claimNetworkAuthority'; +import { + assertClaimNetworkAccess, +} from '../claims/payloads/claimNetworkAccess'; const abortEphemeralTaskReason = Symbol('abort ephemeral task reason'); const abortSingletonTaskReason = Symbol('abort singleton task reason'); @@ -1575,13 +1577,18 @@ class NodeManager { ) { throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed(); } - if (token.payload.network === 'testnet.polykey.com' || token.payload.network === 'mainnet.polykey.com') { + if ( + token.payload.network === 'testnet.polykey.com' || + token.payload.network === 'mainnet.polykey.com' + ) { return { success: true }; } if (token.payload.signedClaimNetworkAuthorityEncoded == null) { throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed(); } - const authorityToken = Token.fromEncoded(token.payload.signedClaimNetworkAuthorityEncoded); + const authorityToken = Token.fromEncoded( + token.payload.signedClaimNetworkAuthorityEncoded, + ); // Verify if the token is signed if ( token.payload.iss !== authorityToken.payload.sub || @@ -1603,18 +1610,18 @@ class NodeManager { for await (const [_, claim] of this.sigchain.getSignedClaims({})) { try { assertClaimNetworkAccess(claim.payload); - } - catch { + } catch { continue; } if (claim.payload.signedClaimNetworkAuthorityEncoded == null) { throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed(); } - const tokenNetworkAuthority = Token.fromEncoded(claim.payload.signedClaimNetworkAuthorityEncoded); + const tokenNetworkAuthority = Token.fromEncoded( + claim.payload.signedClaimNetworkAuthorityEncoded, + ); try { assertClaimNetworkAuthority(tokenNetworkAuthority.payload); - } - catch { + } catch { continue; } // No need to check if local claims are correctly signed by an Network Authority. @@ -1622,7 +1629,7 @@ class NodeManager { authorityToken.verifyWithPublicKey( keysUtils.publicKeyFromNodeId( nodesUtils.decodeNodeId(claim.payload.iss)!, - ) + ), ) ) { success = true; @@ -1636,7 +1643,7 @@ class NodeManager { return { success: true, - } + }; } /** @@ -1696,7 +1703,7 @@ class NodeManager { ); } - // need to await node connection verification, if fail, need to reject connection. + // Need to await node connection verification, if fail, need to reject connection. // When adding a node we need to handle 3 cases // 1. The node already exists. We need to update it's last updated field diff --git a/src/nodes/agent/errors.ts b/src/nodes/agent/errors.ts index 9a97f8fbb..7ff9bba44 100644 --- a/src/nodes/agent/errors.ts +++ b/src/nodes/agent/errors.ts @@ -24,7 +24,7 @@ class ErrorNodesConnectionSignalRelayVerificationFailed< class ErrorNodesClaimNetworkVerificationFailed extends ErrorAgent { static description = 'Failed to verify claim network message'; - exitCode = sysexits.UNAVAILABLE + exitCode = sysexits.UNAVAILABLE; } export { diff --git a/src/nodes/agent/handlers/NodesClaimNetworkVerify.ts b/src/nodes/agent/handlers/NodesClaimNetworkVerify.ts index d73bc5ef8..f5eaa9886 100644 --- a/src/nodes/agent/handlers/NodesClaimNetworkVerify.ts +++ b/src/nodes/agent/handlers/NodesClaimNetworkVerify.ts @@ -4,15 +4,10 @@ import type { AgentRPCResponseResult, } from '../types'; import type NodeManager from '../../../nodes/NodeManager'; -import type { Host, Port } from '../../../network/types'; import type { JSONValue } from '../../../types'; import { UnaryHandler } from '@matrixai/rpc'; -import * as x509 from '@peculiar/x509'; import * as agentErrors from '../errors'; import * as agentUtils from '../utils'; -import { never } from '../../../utils'; -import * as keysUtils from '../../../keys/utils'; -import * as ids from '../../../ids'; class NodesClaimNetworkVerify extends UnaryHandler< { @@ -30,7 +25,10 @@ class NodesClaimNetworkVerify extends UnaryHandler< if (requestingNodeId == null) { throw new agentErrors.ErrorAgentNodeIdMissing(); } - return this.container.nodeManager.handleVerifyClaimNetwork(requestingNodeId, input); + return this.container.nodeManager.handleVerifyClaimNetwork( + requestingNodeId, + input, + ); }; } diff --git a/tests/nodes/agent/handlers/nodesClaimNetworkVerify.test.ts b/tests/nodes/agent/handlers/nodesClaimNetworkVerify.test.ts index a7b14ba24..dbdfe22ea 100644 --- a/tests/nodes/agent/handlers/nodesClaimNetworkVerify.test.ts +++ b/tests/nodes/agent/handlers/nodesClaimNetworkVerify.test.ts @@ -1,8 +1,9 @@ import type NodeConnectionManager from '@/nodes/NodeConnectionManager'; -import type { AgentClaimMessage } from '@/nodes/agent/types'; import type { NodeId } from '@/ids'; -import type { ClaimLinkNode } from '@/claims/payloads'; import type { KeyPair } from '@/keys/types'; +import type { SignedTokenEncoded } from '@/tokens/types'; +import type { ClaimNetworkAuthority } from '@/claims/payloads/claimNetworkAuthority'; +import type { ClaimNetworkAccess } from '@/claims/payloads/claimNetworkAccess'; import fs from 'fs'; import path from 'path'; import os from 'os'; @@ -26,9 +27,6 @@ import * as nodesUtils from '@/nodes/utils'; import { generateKeyPair } from '@/keys/utils/generate'; import * as networkUtils from '@/network/utils'; import * as tlsTestsUtils from '../../../utils/tls'; -import { SignedTokenEncoded } from '@/tokens/types'; -import { ClaimNetworkAuthority } from '@/claims/payloads/claimNetworkAuthority'; -import { ClaimNetworkAccess } from '@/claims/payloads/claimNetworkAccess'; describe('nodesClaimNetworkVerify', () => { const logger = new Logger('nodesClaimNetworkVerify test', LogLevel.WARN, [ @@ -227,9 +225,10 @@ describe('nodesClaimNetworkVerify', () => { authorityNodeId = keysUtils.publicKeyToNodeId(authorityKeyPair.publicKey); seedKeyPair = generateKeyPair(); seedNodeId = keysUtils.publicKeyToNodeId(seedKeyPair.publicKey); - const authorityClaimId = claimsUtils.createClaimIdGenerator(authorityNodeId)(); + const authorityClaimId = + claimsUtils.createClaimIdGenerator(authorityNodeId)(); const authorityClaim: ClaimNetworkAuthority = { - typ: "ClaimNetworkAuthority", + typ: 'ClaimNetworkAuthority', iss: nodesUtils.encodeNodeId(authorityNodeId), sub: nodesUtils.encodeNodeId(seedNodeId), jti: claimsUtils.encodeClaimId(authorityClaimId), @@ -238,20 +237,27 @@ describe('nodesClaimNetworkVerify', () => { seq: 0, prevDigest: null, prevClaimId: null, - } + }; const authorityToken = Token.fromPayload(authorityClaim); authorityToken.signWithPrivateKey(authorityKeyPair.privateKey); authorityToken.signWithPrivateKey(seedKeyPair.privateKey); - signedClaimNetworkAuthorityEncoded = claimsUtils.generateSignedClaim(authorityToken.toSigned()) - await sigchain.addClaim({ - typ: "ClaimNetworkAccess", - iss: nodesUtils.encodeNodeId(seedNodeId), - sub: nodesUtils.encodeNodeId(remoteNodeId), - signedClaimNetworkAuthorityEncoded, - }, new Date(), async (token) => { - token.signWithPrivateKey(seedKeyPair.privateKey); - return token; - }); + signedClaimNetworkAuthorityEncoded = claimsUtils.generateSignedClaim( + authorityToken.toSigned(), + ); + await sigchain.addClaim( + { + typ: 'ClaimNetworkAccess', + iss: nodesUtils.encodeNodeId(seedNodeId), + sub: nodesUtils.encodeNodeId(remoteNodeId), + signedClaimNetworkAuthorityEncoded, + network: '', + }, + new Date(), + async (token) => { + token.signWithPrivateKey(seedKeyPair.privateKey); + return token; + }, + ); }); afterEach(async () => { await taskManager.stop(); @@ -276,7 +282,7 @@ describe('nodesClaimNetworkVerify', () => { }); const accessClaimId = claimsUtils.createClaimIdGenerator(authorityNodeId)(); const accessClaim: ClaimNetworkAccess = { - typ: "ClaimNetworkAccess", + typ: 'ClaimNetworkAccess', iss: nodesUtils.encodeNodeId(seedNodeId), sub: nodesUtils.encodeNodeId(localNodeId), jti: claimsUtils.encodeClaimId(accessClaimId), @@ -286,7 +292,8 @@ describe('nodesClaimNetworkVerify', () => { prevDigest: null, prevClaimId: null, signedClaimNetworkAuthorityEncoded, - } + network: '', + }; const accessToken = Token.fromPayload(accessClaim); accessToken.signWithPrivateKey(seedKeyPair.privateKey); accessToken.signWithPrivateKey(clientKeyPair.privateKey);