Added preflight outbound check to local pairing

This commit is contained in:
Samuel Hawksby-Robinson 2023-06-02 03:44:24 +01:00
parent 5935339c19
commit 9a2e9fbc3c
5 changed files with 187 additions and 28 deletions

View File

@ -916,7 +916,7 @@ func ConvertToRegularAccount(mnemonic, currPassword, newPassword string) string
}
func ImageServerTLSCert() string {
cert, err := server.PublicTLSCert()
cert, err := server.PublicMediaTLSCert()
if err != nil {
return makeJSONResponse(err)

View File

@ -13,8 +13,8 @@ import (
"time"
)
var globalCertificate *tls.Certificate = nil
var globalPem string
var globalMediaCertificate *tls.Certificate = nil
var globalMediaPem string
func makeRandomSerialNumber() (*big.Int, error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
@ -59,47 +59,52 @@ func GenerateX509PEMs(cert *x509.Certificate, key *ecdsa.PrivateKey) (certPem, k
return
}
func generateTLSCert() error {
if globalCertificate != nil {
return nil
}
func GenerateTLSCert(notBefore, notAfter time.Time, hostname string) (*tls.Certificate, []byte, error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return err
return nil, nil, err
}
sn, err := makeRandomSerialNumber()
if err != nil {
return nil, nil, err
}
cert := GenerateX509Cert(sn, notBefore, notAfter, hostname)
certPem, keyPem, err := GenerateX509PEMs(cert, priv)
if err != nil {
return nil, nil, err
}
finalCert, err := tls.X509KeyPair(certPem, keyPem)
return &finalCert, certPem, err
}
func generateMediaTLSCert() error {
if globalMediaCertificate != nil {
return nil
}
notBefore := time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
sn, err := makeRandomSerialNumber()
finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, Localhost)
if err != nil {
return err
}
cert := GenerateX509Cert(sn, notBefore, notAfter, Localhost)
certPem, keyPem, err := GenerateX509PEMs(cert, priv)
if err != nil {
return err
}
finalCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
return err
}
globalCertificate = &finalCert
globalPem = string(certPem)
globalMediaCertificate = finalCert
globalMediaPem = string(certPem)
return nil
}
func PublicTLSCert() (string, error) {
err := generateTLSCert()
func PublicMediaTLSCert() (string, error) {
err := generateMediaTLSCert()
if err != nil {
return "", err
}
return globalPem, nil
return globalMediaPem, nil
}
// ToECDSA takes a []byte of D and uses it to create an ecdsa.PublicKey on the elliptic.P256 curve

View File

@ -0,0 +1,142 @@
package preflight
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/http"
"net/url"
"strconv"
"time"
"github.com/status-im/status-go/logutils"
"github.com/status-im/status-go/protocol/common"
"github.com/status-im/status-go/server"
)
const (
outboundCheck = "/outbound_check"
headerPing = "ping"
headerPong = "pong"
)
func preflightHandler(w http.ResponseWriter, r *http.Request) {
ping := r.Header.Get(headerPing)
if ping == "" {
http.Error(w, "no value in 'ping' header", http.StatusBadRequest)
}
w.Header().Set(headerPong, ping)
}
func makeCert(address net.IP) (*tls.Certificate, []byte, error) {
notBefore := time.Now()
notAfter := notBefore.Add(time.Minute)
return server.GenerateTLSCert(notBefore, notAfter, address.String())
}
func makeAndStartServer(cert *tls.Certificate, address net.IP) (string, func() error, error) {
s := server.NewServer(
cert,
address.String(),
nil,
logutils.ZapLogger().Named("Preflight Server"),
)
s.SetHandlers(server.HandlerPatternMap{outboundCheck: preflightHandler})
err := s.Start()
if err != nil {
return "", nil, err
}
// hack : sleep to give server time
// TODO something funky with the afterPortChanged func. Maybe waitgroup magic
time.Sleep(500 * time.Millisecond)
return s.GetHostname() + ":" + strconv.Itoa(s.GetPort()), s.Stop, nil
}
func makeClient(certPem []byte) (*http.Client, error) {
rootCAs, err := x509.SystemCertPool()
if err != nil {
return nil, err
}
if ok := rootCAs.AppendCertsFromPEM(certPem); !ok {
return nil, fmt.Errorf("failed to append certPem to rootCAs")
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: false, // MUST BE FALSE
RootCAs: rootCAs,
},
}
return &http.Client{Transport: tr}, nil
}
func makeOutboundCheck(c *http.Client, host string) error {
u := url.URL{
Scheme: "https",
Host: host,
Path: outboundCheck,
}
req, err := http.NewRequest("GET", u.String(), nil)
if err != nil {
return err
}
ping, err := common.RandomAlphanumericString(64)
if err != nil {
return err
}
req.Header.Set(headerPing, ping)
resp, err := c.Do(req)
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return fmt.Errorf("response status not ok, received '%d' : '%s'", resp.StatusCode, resp.Status)
}
pong := resp.Header.Get(headerPong)
if pong != ping {
return fmt.Errorf("ping should match pong: ping '%s', pong '%s'", ping, pong)
}
return nil
}
func CheckOutbound() error {
// cert stuff
outboundIP, err := server.GetOutboundIP()
if err != nil {
return err
}
cert, certPem, err := makeCert(outboundIP)
if err != nil {
return err
}
// server stuff
host, stop, err := makeAndStartServer(cert, outboundIP)
if err != nil {
return err
}
defer func() {
stop()
}()
// Client stuff
c, err := makeClient(certPem)
if err != nil {
return err
}
return makeOutboundCheck(c, host)
}

View File

@ -0,0 +1,12 @@
package preflight
import (
"testing"
)
func TestCheckOutbound(t *testing.T) {
err := CheckOutbound()
if err != nil {
t.Fatal(err)
}
}

View File

@ -20,14 +20,14 @@ type MediaServer struct {
// NewMediaServer returns a *MediaServer
func NewMediaServer(db *sql.DB, downloader *ipfs.Downloader, multiaccountsDB *multiaccounts.Database) (*MediaServer, error) {
err := generateTLSCert()
err := generateMediaTLSCert()
if err != nil {
return nil, err
}
s := &MediaServer{
Server: NewServer(
globalCertificate,
globalMediaCertificate,
Localhost,
signal.SendMediaServerStarted,
logutils.ZapLogger().Named("MediaServer"),