Remove dynamic authentication

ff981d6b · Josh Brooks · ff226b00 · ff981d6b · ff981d6b · ff981d6b
Commit ff981d6b authored Aug 6, 2021 by Josh Brooks
--- a/connect/auth.go
+++ b/connect/auth.go
@@ -10,7 +10,6 @@
 package connect

 import (
-	"bytes"
 	"context"
 	"crypto/rand"
 	"encoding/base64"
@@ -22,7 +21,6 @@ import (
 	"gitlab.com/xx_network/comms/connect/token"
 	pb "gitlab.com/xx_network/comms/messages"
 	"gitlab.com/xx_network/crypto/signature/rsa"
-	"gitlab.com/xx_network/crypto/xx"
 	"gitlab.com/xx_network/primitives/id"
 	"google.golang.org/grpc/metadata"
 )
@@ -164,63 +162,18 @@ func (c *ProtoComms) GenerateToken() ([]byte, error) {
 	return c.tokens.Generate().Marshal(), nil
 }

-// Performs the dynamic authentication process such that Hosts that were not
-// already added to the Manager can establish authentication
-func (c *ProtoComms) dynamicAuth(msg *pb.AuthenticatedMessage) (
-	host *Host, err error) {
-
-	// Verify the client is attempting a dynamic authentication
-	if msg.Client == nil || msg.Client.PublicKey == "" || msg.Client.Salt == nil {
-		return nil, errors.New("Invalid dynamic authentication attempt!")
-	}
-
-	// Process the public key
-	pubKey, err := rsa.LoadPublicKeyFromPem([]byte(msg.Client.PublicKey))
-	if err != nil {
-		return nil, errors.New(err.Error())
-	}
-
-	// Generate the user's ID from supplied Client information
-	uid, err := xx.NewID(pubKey, msg.Client.Salt, id.User)
-	if err != nil {
-		return nil, err
-	}
-
-	// Verify the ID provided correctly matches the generated ID
-	if !bytes.Equal(msg.ID, uid.Marshal()) {
-		return nil, errors.Errorf(
-			"Provided ID does not match. Expected: %s, Actual: %s",
-			uid.String(), msg.ID)
-	}
-
-	// Create and add the new host to the manager
-	host, err = newDynamicHost(uid, []byte(msg.Client.PublicKey))
-	if err != nil {
-		return
-	}
-	c.addHost(host)
-	return
-}
-
 // Validates a signed token using internal state
 func (c *ProtoComms) ValidateToken(msg *pb.AuthenticatedMessage) (err error) {
 	// Convert EntityID to ID
-	msgID, err := id.Unmarshal(msg.ID)
+	senderId, err := id.Unmarshal(msg.ID)
 	if err != nil {
 		return err
 	}

 	// Verify the Host exists for the provided ID
-	host, ok := c.GetHost(msgID)
+	host, ok := c.GetHost(senderId)
 	if !ok {
-
-		// If the host does not already exist, attempt dynamic authentication
-		jww.DEBUG.Printf("Attempting dynamic authentication: %s", msgID.String())
-		host, err = c.dynamicAuth(msg)
-		if err != nil {
-			return errors.Errorf(
-				"Unable to complete dynamic authentication: %+v", err)
-		}
+		return errors.Errorf("No host set up with %s, refusing contact", senderId)
 	}

 	// Get the signed token

--- a/connect/auth_test.go
+++ b/connect/auth_test.go
@@ -14,9 +14,7 @@ import (
 	token "gitlab.com/xx_network/comms/connect/token"
 	pb "gitlab.com/xx_network/comms/messages"
 	"gitlab.com/xx_network/comms/testkeys"
-	"gitlab.com/xx_network/crypto/csprng"
 	"gitlab.com/xx_network/crypto/signature/rsa"
-	"gitlab.com/xx_network/crypto/xx"
 	"gitlab.com/xx_network/primitives/id"
 	"google.golang.org/grpc/peer"
 	"net"
@@ -345,86 +343,6 @@ func TestProtoComms_ValidateToken_BadId(t *testing.T) {

 }

-// Dynamic authentication happy path (e.g. host not pre-added)
-func TestProtoComms_ValidateTokenDynamic(t *testing.T) {
-	// All of this is setup for UID ----
-	privKey, err := rsa.GenerateKey(csprng.NewSystemRNG(), rsa.DefaultRSABitLen)
-	if err != nil {
-		t.Errorf("Could not generate private key: %+v", err)
-	}
-	pubKey := privKey.GetPublic()
-
-	salt := []byte("0123456789ABCDEF0123456789ABCDEF")
-	uid, err := xx.NewID(pubKey, salt, id.User)
-	if err != nil {
-		t.Errorf("Could not generate user ID: %+v", err)
-	}
-	testId := uid.String()
-	// ------
-
-	// Now we set up the client comms object
-	comm := ProtoComms{
-		Id:            uid,
-		ListeningAddr: "",
-		tokens:        token.NewMap(),
-		Manager:       newManager(),
-	}
-	err = comm.setPrivateKey(rsa.CreatePrivateKeyPem(privKey))
-	if err != nil {
-		t.Errorf("Expected to set private key: %+v", err)
-	}
-
-	tokenBytes, err := comm.GenerateToken()
-	if err != nil || tokenBytes == nil {
-		t.Errorf("Unable to generate token: %+v", err)
-	}
-	tkn := token.Token{}
-	copy(tkn[:], tokenBytes)
-
-	// For this test we won't addHost to Manager, we'll just create a host
-	// so we can compare to the dynamic one later
-	host, err := newDynamicHost(uid, rsa.CreatePublicKeyPem(pubKey))
-	if err != nil {
-		t.Errorf("Unable to create host: %+v", err)
-	}
-	host.transmissionToken.Set(tkn)
-	tokenMsg := &pb.AssignToken{
-		Token: tokenBytes,
-	}
-
-	// Set up auth msg
-	msg, err := comm.PackAuthenticatedMessage(tokenMsg, host, true)
-	if err != nil {
-		t.Errorf("Expected no error packing authenticated message: %+v", err)
-	}
-	msg.Client = &pb.ClientID{
-		Salt:      salt,
-		PublicKey: string(rsa.CreatePublicKeyPem(pubKey)),
-	}
-
-	// Here's the method we're testing
-	err = comm.ValidateToken(msg)
-	if err != nil {
-		t.Errorf("Expected to validate token: %+v", err)
-	}
-
-	// Check the output values behaved as expected
-	host, ok := comm.GetHost(uid)
-	if !ok {
-		t.Errorf("Expected dynamic auth to add host %s!", testId)
-	}
-	if !host.IsDynamicHost() {
-		t.Errorf("Expected host to be dynamic!")
-	}
-
-	if !bytes.Equal(msg.Token, host.receptionToken.GetBytes()) {
-		t.Errorf("Message token doesn't match message's token! "+
-			"Expected: %+v"+
-			"\n\tReceived: %+v", host.receptionToken, msg.Token)
-	}
-
-}
-
 func TestProtoComms_DisableAuth(t *testing.T) {
 	testId := id.NewIdFromString("test", id.Node, t)
 	comm := ProtoComms{

--- a/connect/host.go
+++ b/connect/host.go
@@ -60,10 +60,6 @@ type Host struct {
 	// RSA Public Key corresponding to the TLS Certificate
 	rsaPublicKey *rsa.PublicKey

-	// Indicates whether dynamic authentication was used for this Host
-	// This is useful for determining whether a Host's key was hardcoded
-	dynamicHost bool
-
 	// State tracking for host metric
 	metrics *Metric

@@ -121,32 +117,6 @@ func NewHost(id *id.ID, address string, cert []byte, params HostParams) (host *H
 	return
 }

-// Creates a new dynamic-authenticated Host object
-func newDynamicHost(id *id.ID, publicKey []byte) (host *Host, err error) {
-
-	// Initialize the Host object
-	// IMPORTANT: This flag must be set to true for all dynamic Hosts
-	//            because the security properties for these Hosts differ
-	host = &Host{
-		id:                id,
-		dynamicHost:       true,
-		transmissionToken: token.NewLive(),
-		receptionToken:    token.NewLive(),
-	}
-
-	// Create the RSA Public Key object
-	host.rsaPublicKey, err = rsa.LoadPublicKeyFromPem(publicKey)
-	if err != nil {
-		err = errors.Errorf("Error extracting PublicKey: %+v", err)
-	}
-	return
-}
-
-// Simple getter for the dynamicHost value
-func (h *Host) IsDynamicHost() bool {
-	return h.dynamicHost
-}
-
 // the amount of data, when streaming, that a sender can send before receiving an ACK
 // keep at zero to use the default GRPC algorithm to determine
 func (h *Host) SetWindowSize(size int32) {
@@ -476,16 +446,3 @@ func (h *Host) SetTestPublicKey(key *rsa.PublicKey, t interface{}) {
 	}
 	h.rsaPublicKey = key
 }
-
-// Set host to dynamic (for testing use)
-func (h *Host) SetTestDynamic(t interface{}) {
-	switch t.(type) {
-	case *testing.T:
-		break
-	case *testing.M:
-		break
-	default:
-		jww.FATAL.Panicf("SetTestDynamic is restricted to testing only. Got %T", t)
-	}
-	h.dynamicHost = true
-}
--- a/connect/host_test.go
+++ b/connect/host_test.go
@@ -96,24 +96,6 @@ func TestHost_UpdateAddress(t *testing.T) {
 	}
 }

-// Validate that dynamic host defaults to false and can be set to true
-func TestHost_IsDynamicHost(t *testing.T) {
-
-	host := Host{}
-
-	if host.IsDynamicHost() != false {
-		t.Errorf("Correct bool not returned. Expected false, got %v",
-			host.dynamicHost)
-	}
-
-	host.dynamicHost = true
-
-	if host.IsDynamicHost() != true {
-		t.Errorf("Correct bool not returned. Expected true, got %v",
-			host.dynamicHost)
-	}
-}
-
 // Full test
 func TestHost_IsOnline(t *testing.T) {
 	addr := "0.0.0.0:10234"