Guard against changing consumer key. Fixes #1.

micromdm · Jul 20, 2022 · 3edfc1f · 3edfc1f
1 parent a23cfee
commit 3edfc1f
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 2 deletions.
diff --git a/cmd/depserver/main.go b/cmd/depserver/main.go
@@ -72,7 +72,7 @@ func main() {
 	}
 
 	tokensMux := dephttp.NewMethodMux()
-	tokensMux.Handle("PUT", api.StoreAuthTokensHandler(storage, logger.With("handler", "store-auth-tokens")))
+	tokensMux.Handle("PUT", api.StoreAuthTokensHandler(api.NewCKCheck(storage), logger.With("handler", "store-auth-tokens")))
 	tokensMux.Handle("GET", api.RetrieveAuthTokensHandler(storage, logger.With("handler", "retrieve-auth-tokens")))
 	handleStrippedAPI(tokensMux, endpointTokens)
 
@@ -83,7 +83,7 @@ func main() {
 
 	tokenPKIMux := dephttp.NewMethodMux()
 	tokenPKIMux.Handle("GET", api.GetCertTokenPKIHandler(storage, logger.With("handler", "get-token-pki")))
-	tokenPKIMux.Handle("PUT", api.DecryptTokenPKIHandler(storage, storage, logger.With("handler", "put-token-pki")))
+	tokenPKIMux.Handle("PUT", api.DecryptTokenPKIHandler(storage, api.NewCKCheck(storage), logger.With("handler", "put-token-pki")))
 	handleStrippedAPI(tokenPKIMux, endpointTokenPKI)
 
 	assignerMux := dephttp.NewMethodMux()

diff --git a/http/api/ckcheck.go b/http/api/ckcheck.go
@@ -0,0 +1,42 @@
+package api
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/micromdm/nanodep/client"
+)
+
+var CKMismatch = errors.New("mismatched consumer key")
+
+// CKCheck is a wrapper around token storage to validate the consumer key.
+// This attempts to prevent overwriting of incorrect auth tokens.
+type CKCheck struct {
+	client.AuthTokensRetriever
+	AuthTokensStorer
+}
+
+type AuthTokensStore interface {
+	client.AuthTokensRetriever
+	AuthTokensStorer
+}
+
+// NewCKCheck creates a new CKCheck.
+func NewCKCheck(store AuthTokensStore) *CKCheck {
+	return &CKCheck{store, store}
+}
+
+// StoreAuthTokens first retrieves the existing auth tokens and checks to make
+// sure the consumer key of the provided auth tokens match before then storing
+// the provided auth tokens.
+func (t *CKCheck) StoreAuthTokens(ctx context.Context, name string, tokens *client.OAuth1Tokens) error {
+	prevTokens, err := t.AuthTokensRetriever.RetrieveAuthTokens(ctx, name)
+	if err != nil {
+		return fmt.Errorf("retrieving auth tokens: %w", err)
+	}
+	if prevTokens.ConsumerKey != tokens.ConsumerKey {
+		return CKMismatch
+	}
+	return t.AuthTokensStorer.StoreAuthTokens(ctx, name, tokens)
+}