Fix bug allowing unauthorized access to a client

Additionally token authentication is now used whenever the client is online
2020-10-22 23:05:51 +02:00
parent b2c3cf62c8
commit 44d3082958
9 changed files with 179 additions and 57 deletions
--- a/server/src/main/java/envoy/server/net/ObjectMessageProcessor.java
+++ b/server/src/main/java/envoy/server/net/ObjectMessageProcessor.java
@ -6,9 +6,12 @@ import java.util.Set;
 import java.util.logging.*;

 import com.jenkov.nioserver.*;
+import com.jenkov.nioserver.Message;

+import envoy.data.AuthenticatedRequest;
 import envoy.util.EnvoyLog;

+import envoy.server.data.*;
 import envoy.server.processors.ObjectProcessor;

 /**
@ -33,7 +36,6 @@ public final class ObjectMessageProcessor implements IMessageProcessor {
 		this.processors = processors;
 	}

-	@SuppressWarnings("unchecked")
 	@Override
 	public void process(Message message, WriteProxy writeProxy) {
 		try (ObjectInputStream in =
@ -45,23 +47,63 @@ public final class ObjectMessageProcessor implements IMessageProcessor {
 				return;
 			}

-			logger.fine("Received " + obj);
+			// authenticate requests if necessary
+			boolean authenticated = false;

-			// Get processor and input class and process object
-			for (@SuppressWarnings("rawtypes")
-			ObjectProcessor p : processors) {
-				Class<?> c = (Class<?>) ((ParameterizedType) p.getClass().getGenericInterfaces()[0])
-					.getActualTypeArguments()[0];
-				if (c.equals(obj.getClass()))
-					try {
-						p.process(c.cast(obj), message.socketId, new ObjectWriteProxy(writeProxy));
-						break;
-					} catch (IOException e) {
-						logger.log(Level.SEVERE, "Exception during processor execution: ", e);
-					}
-			}
+			if (obj instanceof AuthenticatedRequest) {
+				Contact contact = PersistenceManager.getInstance()
+					.getContactByID(((AuthenticatedRequest<?>) obj).getUserID());
+
+				// Validating the authenticity of the request
+				if (contact == null || contact instanceof Group
+					|| !((AuthenticatedRequest<?>) obj).getAuthentication()
+						.equals(((User) contact).getAuthToken())) {
+
+					// Invalid request
+					logger.log(Level.INFO,
+						"A user tried to perform an authenticated request but could not identify himself. Discarding request.");
+					return;
+				}
+
+				// Valid request
+				logger.log(Level.INFO, "A user successfully authenticated a request for " + obj);
+				authenticated	= true;
+				obj				= ((AuthenticatedRequest<?>) obj).getRequest();
+			} else
+				logger.log(Level.FINE, "Received unauthenticated " + obj);
+
+			refer(message.socketId, writeProxy, obj, authenticated);
 		} catch (IOException | ClassNotFoundException e) {
 			e.printStackTrace();
 		}
 	}
+
+	/**
+	 * Executes the appropriate {@link ObjectProcessor} for the given input ({@code obj}), if any is
+	 * present.
+	 */
+	@SuppressWarnings("unchecked")
+	private void refer(long socketID, WriteProxy writeProxy, Object obj, boolean authenticated) {
+
+		// Get processor and input class and process object
+		for (@SuppressWarnings("rawtypes")
+		ObjectProcessor p : processors) {
+			Class<?> c = (Class<?>) ((ParameterizedType) p.getClass().getGenericInterfaces()[0])
+				.getActualTypeArguments()[0];
+			if (c.equals(obj.getClass())) {
+				if (!authenticated && p.isAuthenticationRequired()) {
+					logger.log(Level.INFO,
+						"Discarding request as no authentication has been provided");
+					return;
+				}
+
+				try {
+					p.process(c.cast(obj), socketID, new ObjectWriteProxy(writeProxy));
+					break;
+				} catch (IOException e) {
+					logger.log(Level.SEVERE, "Exception during processor execution: ", e);
+				}
+			}
+		}
+	}
 }
--- a/server/src/main/java/envoy/server/processors/IssueProposalProcessor.java
+++ b/server/src/main/java/envoy/server/processors/IssueProposalProcessor.java
@ -22,6 +22,9 @@ public final class IssueProposalProcessor implements ObjectProcessor<IssuePropos

 	private static final Logger logger = EnvoyLog.getLogger(IssueProposalProcessor.class);

+	@Override
+	public boolean isAuthenticationRequired() { return false; }
+
 	@Override
 	public void process(IssueProposal issueProposal, long socketID, ObjectWriteProxy writeProxy)
 		throws IOException {
--- a/server/src/main/java/envoy/server/processors/LoginCredentialProcessor.java
+++ b/server/src/main/java/envoy/server/processors/LoginCredentialProcessor.java
@ -34,6 +34,9 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred

 	private static final Logger logger = EnvoyLog.getLogger(LoginCredentialProcessor.class);

+	@Override
+	public boolean isAuthenticationRequired() { return false; }
+
 	@Override
 	public void process(LoginCredentials credentials, long socketID, ObjectWriteProxy writeProxy) {

@ -121,24 +124,21 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
 		UserStatusChangeProcessor.updateUserStatus(user, ONLINE);

 		// Process token request
-		if (credentials.requestToken()) {
-			String token;
+		String token;
+		if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))

-			if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
+			// Reuse existing token and delay expiration date
+			token = user.getAuthToken();
+		else {

-				// Reuse existing token and delay expiration date
-				token = user.getAuthToken();
-			else {
-
-				// Generate new token
-				token = AuthTokenGenerator.nextToken();
-				user.setAuthToken(token);
-			}
-			user.setAuthTokenExpiration(Instant.now().plus(
-				ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
-			persistenceManager.updateContact(user);
-			writeProxy.write(socketID, new NewAuthToken(token));
+			// Generate new token
+			token = AuthTokenGenerator.nextToken();
+			user.setAuthToken(token);
 		}
+		user.setAuthTokenExpiration(Instant.now().plus(
+			ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
+		persistenceManager.updateContact(user);
+		writeProxy.write(socketID, new NewAuthToken(token));

 		final var pendingMessages =
 			PersistenceManager.getInstance().getPendingMessages(user, credentials.getLastSync());
--- a/server/src/main/java/envoy/server/processors/ObjectProcessor.java
+++ b/server/src/main/java/envoy/server/processors/ObjectProcessor.java
@ -21,4 +21,10 @@ public interface ObjectProcessor<T> {
 	 * @since Envoy Server Standalone v0.1-alpha
 	 */
 	void process(T input, long socketID, ObjectWriteProxy writeProxy) throws IOException;
+
+	/**
+	 * @return whether authentication is required for the given processor. Defaults to {@code true}.
+	 * @since Envoy Server v0.3-beta
+	 */
+	default boolean isAuthenticationRequired() { return true; }
 }