From c4530219fd91f67682d0e82b67d88eae6c1a6b04 Mon Sep 17 00:00:00 2001 From: jeffgrunewald Date: Thu, 6 Apr 2023 12:26:32 -0400 Subject: [PATCH] specify admin-only api auth better where needed --- iot_config/src/admin_service.rs | 22 ++++++++++++++++++---- iot_config/src/org_service.rs | 20 +++++++++++++++----- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/iot_config/src/admin_service.rs b/iot_config/src/admin_service.rs index 4abf6b1a9..933640fb2 100644 --- a/iot_config/src/admin_service.rs +++ b/iot_config/src/admin_service.rs @@ -49,7 +49,11 @@ impl AdminService { }) } - fn verify_request_signature(&self, signer: &PublicKey, request: &R) -> Result<(), Status> + fn verify_admin_request_signature( + &self, + signer: &PublicKey, + request: &R, + ) -> Result<(), Status> where R: MsgVerify, { @@ -59,6 +63,16 @@ impl AdminService { Ok(()) } + fn verify_request_signature(&self, signer: &PublicKey, request: &R) -> Result<(), Status> + where + R: MsgVerify, + { + self.auth_cache + .verify_signature(signer, request) + .map_err(|_| Status::permission_denied("invalid request signature"))?; + Ok(()) + } + fn verify_network(&self, public_key: PublicKey) -> Result { if self.required_network == public_key.network { Ok(public_key) @@ -91,7 +105,7 @@ impl iot_config::Admin for AdminService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request)?; + self.verify_admin_request_signature(&signer, &request)?; let key_type = request.key_type().into(); let pubkey = self @@ -137,7 +151,7 @@ impl iot_config::Admin for AdminService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request)?; + self.verify_admin_request_signature(&signer, &request)?; admin::remove_key(request.pubkey.clone().into(), &self.pool) .and_then(|deleted| async move { @@ -177,7 +191,7 @@ impl iot_config::Admin for AdminService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request)?; + self.verify_admin_request_signature(&signer, &request)?; let region = request.region(); diff --git a/iot_config/src/org_service.rs b/iot_config/src/org_service.rs index 64ff478f7..2aba3bb9c 100644 --- a/iot_config/src/org_service.rs +++ b/iot_config/src/org_service.rs @@ -60,7 +60,7 @@ impl OrgService { .map_err(|_| Status::invalid_argument(format!("invalid public key: {bytes:?}"))) } - async fn verify_request_signature( + fn verify_admin_request_signature( &self, signer: &PublicKey, request: &R, @@ -74,6 +74,16 @@ impl OrgService { Ok(()) } + fn verify_request_signature(&self, signer: &PublicKey, request: &R) -> Result<(), Status> + where + R: MsgVerify, + { + self.auth_cache + .verify_signature(signer, request) + .map_err(|_| Status::permission_denied("invalid request signature"))?; + Ok(()) + } + fn sign_response(&self, response: &R) -> Result, Status> where R: Message, @@ -147,7 +157,7 @@ impl iot_config::Org for OrgService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request).await?; + self.verify_admin_request_signature(&signer, &request)?; let mut verify_keys: Vec<&[u8]> = vec![request.owner.as_ref(), request.payer.as_ref()]; let mut verify_delegates: Vec<&[u8]> = request @@ -219,7 +229,7 @@ impl iot_config::Org for OrgService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request).await?; + self.verify_admin_request_signature(&signer, &request)?; let mut verify_keys: Vec<&[u8]> = vec![request.owner.as_ref(), request.payer.as_ref()]; let mut verify_delegates: Vec<&[u8]> = request @@ -286,7 +296,7 @@ impl iot_config::Org for OrgService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request).await?; + self.verify_request_signature(&signer, &request)?; if !org::is_locked(request.oui, &self.pool) .await @@ -351,7 +361,7 @@ impl iot_config::Org for OrgService { let request = request.into_inner(); let signer = self.verify_public_key(&request.signer)?; - self.verify_request_signature(&signer, &request).await?; + self.verify_request_signature(&signer, &request)?; if org::is_locked(request.oui, &self.pool) .await