feat: verify token in ping and newworkconn

2020-02-25 12:50:24 -05:00 · 2020-02-25 12:50:24 -05:00 · a4a3d16570
commit a4a3d16570
parent 18c31c0f16
3 changed files with 37 additions and 10 deletions
--- a/client/control.go
+++ b/client/control.go
@ -140,7 +140,8 @@ func (ctl *Control) HandleReqWorkConn(inMsg *msg.ReqWorkConn) {
 	}

 	m := &msg.NewWorkConn{
-		RunId: ctl.runId,
+		RunId:     ctl.runId,
+		Timestamp: time.Now().Unix(),
 	}
 	if err = ctl.authSetter.SetNewWorkConn(m); err != nil {
 		xl.Warn("error during NewWorkConn authentication: %v", err)
@ -292,7 +293,9 @@ func (ctl *Control) msgHandler() {
 		case <-hbSend.C:
 			// send heartbeat to server
 			xl.Debug("send heartbeat to server")
-			pingMsg := &msg.Ping{}
+			pingMsg := &msg.Ping{
+				Timestamp: time.Now().Unix(),
+			}
 			if err := ctl.authSetter.SetPing(pingMsg); err != nil {
 				xl.Warn("error during ping authentication: %v", err)
 				return
--- a/models/auth/token.go
+++ b/models/auth/token.go
@ -69,13 +69,21 @@ func (auth *TokenAuthSetterVerifier) SetLogin(loginMsg *msg.Login) (err error) {
 	return nil
 }

-func (auth *TokenAuthSetterVerifier) SetPing(*msg.Ping) error {
-	// Ping doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) SetPing(pingMsg *msg.Ping) error {
+	if !auth.AuthenticateHeartBeats {
+		return nil
+	}
+
+	pingMsg.PrivilegeKey = util.GetAuthKey(auth.token, pingMsg.Timestamp)
 	return nil
 }

-func (auth *TokenAuthSetterVerifier) SetNewWorkConn(*msg.NewWorkConn) error {
-	// NewWorkConn doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error {
+	if !auth.AuthenticateHeartBeats {
+		return nil
+	}
+
+	newWorkConnMsg.PrivilegeKey = util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp)
 	return nil
 }

@ -86,12 +94,24 @@ func (auth *TokenAuthSetterVerifier) VerifyLogin(loginMsg *msg.Login) error {
 	return nil
 }

-func (auth *TokenAuthSetterVerifier) VerifyPing(*msg.Ping) error {
-	// Ping doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) VerifyPing(pingMsg *msg.Ping) error {
+	if !auth.AuthenticateHeartBeats {
+		return nil
+	}
+
+	if util.GetAuthKey(auth.token, pingMsg.Timestamp) != pingMsg.PrivilegeKey {
+		return fmt.Errorf("token in heartbeat doesn't match token from configuration")
+	}
 	return nil
 }

-func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(*msg.NewWorkConn) error {
-	// NewWorkConn doesn't include authentication in token method
+func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error {
+	if !auth.AuthenticateNewWorkConns {
+		return nil
+	}
+
+	if util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp) != newWorkConnMsg.PrivilegeKey {
+		return fmt.Errorf("token in NewWorkConn doesn't match token from configuration")
+	}
 	return nil
 }
--- a/models/msg/msg.go
+++ b/models/msg/msg.go
@ -122,6 +122,7 @@ type CloseProxy struct {
 type NewWorkConn struct {
 	RunId        string `json:"run_id"`
 	PrivilegeKey string `json:"privilege_key"`
+	Timestamp    int64  `json:"timestamp"`
 }

 type ReqWorkConn struct {
@ -133,6 +134,7 @@ type StartWorkConn struct {
 	DstAddr   string `json:"dst_addr"`
 	SrcPort   uint16 `json:"src_port"`
 	DstPort   uint16 `json:"dst_port"`
+	Error     string `json:"error"`
 }

 type NewVisitorConn struct {
@ -150,9 +152,11 @@ type NewVisitorConnResp struct {

 type Ping struct {
 	PrivilegeKey string `json:"privilege_key"`
+	Timestamp    int64  `json:"timestamp"`
 }

 type Pong struct {
+	Error string `json:"error"`
 }

 type UdpPacket struct {