1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
/*
* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: ObjectCacheServer
* File: CacheNegotationManager.cs
*
* CacheNegotationManager.cs is part of ObjectCacheServer which is part of the larger
* VNLib collection of libraries and utilities.
*
* ObjectCacheServer is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* ObjectCacheServer is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see https://www.gnu.org/licenses/.
*/
using System;
using System.Net;
using System.Text.Json;
using VNLib.Hashing;
using VNLib.Hashing.IdentityUtility;
using VNLib.Net.Messaging.FBM.Client;
using VNLib.Plugins;
using VNLib.Plugins.Extensions.Loading;
using VNLib.Data.Caching.Extensions;
using VNLib.Data.Caching.ObjectCache.Server.Cache;
namespace VNLib.Data.Caching.ObjectCache.Server.Endpoints
{
internal class ClientNegotiationState
{
public string? Challenge { get; set; }
public string? NodeId { get; set; }
public bool IsPeer { get; set; }
}
internal sealed class CacheNegotationManager(PluginBase plugin)
{
/*
* Cache keys are centralized and may be shared between all cache server nodes. This means
* that any client would be able to get a signed negotiation from any server and use it to
* upgrade a connection to any other server. This is property is to be avoided because servers
* may have different configurations that a malicious client could exploit. To prevent that
* a unique server generated Audience ID is used in the negotiation token and verified when
* an upgrade is requested. This ensures that the client is connecting to the same server
* that issued the negotiation token.
*
* With this operational theory, someone has to expose their buffer configuration. At the moment
* I think it would be best for servers to keep their buffer configuration private, as it could
* cause more damage to the network. This is not really a protection measure because a malicious
* client could use trial and error to find the servers buffer configuration.
*/
private readonly string AudienceLocalServerId = Guid.NewGuid().ToString("N");
private readonly ObjectCacheSystemState _sysState = plugin.GetOrCreateSingleton<ObjectCacheSystemState>();
private CacheMemoryConfiguration CacheConfig => _sysState.MemoryConfiguration;
public bool IsClientNegotiationValid(string authToken, out ClientNegotiationState state)
{
state = new();
// Parse jwt
using JsonWebToken jwt = JsonWebToken.Parse(authToken);
//verify signature for client
if (_sysState.KeyStore.VerifyJwt(jwt, false))
{
//Validated as normal client
}
//May be signed by a cache server
else if (_sysState.KeyStore.VerifyJwt(jwt, true))
{
//Set peer and verified flag since the another cache server signed the request
state.IsPeer = true;
}
else
{
return false;
}
//Recover json body
using JsonDocument doc = jwt.GetPayload();
if (doc.RootElement.TryGetProperty("sub", out JsonElement servIdEl))
{
state.NodeId = servIdEl.GetString();
}
//Challenge is required
state.Challenge = doc.RootElement.GetProperty("chl").GetString()!;
return true;
}
public JsonWebToken ConfirmClientNegotiation(ClientNegotiationState state, IPAddress clientIp, DateTimeOffset now)
{
//Verified, now we can create an auth message with a short expiration
JsonWebToken auth = new();
auth.WriteHeader(_sysState.KeyStore.GetJwtHeader());
auth.InitPayloadClaim()
.AddClaim("aud", AudienceLocalServerId)
.AddClaim("iat", now.ToUnixTimeSeconds())
.AddClaim("exp", now.Add(CacheConstants.ClientAuthTokenExpiration).ToUnixTimeSeconds())
.AddClaim("nonce", RandomHash.GetRandomBase32(8))
.AddClaim("chl", state.Challenge!)
//Set the ispeer flag if the request was signed by a cache server
.AddClaim("isPeer", state.IsPeer)
//Specify the server's node id if set
.AddClaim("sub", state.NodeId)
//Set ip address
.AddClaim("ip", clientIp.ToString())
//Add negotiaion args
.AddClaim(FBMClient.REQ_HEAD_BUF_QUERY_ARG, CacheConfig.MaxHeaderBufferSize)
.AddClaim(FBMClient.REQ_RECV_BUF_QUERY_ARG, CacheConfig.MaxRecvBufferSize)
.AddClaim(FBMClient.REQ_MAX_MESS_QUERY_ARG, CacheConfig.MaxMessageSize)
.CommitClaims();
//Sign the auth message from our private key
_sysState.KeyStore.SignJwt(auth);
return auth;
}
public bool ValidateUpgrade(string? upgradeToken, string? tokenSignature, DateTimeOffset now, IPAddress connectionIp, ref string? nodeId, ref bool isPeer)
{
if(string.IsNullOrWhiteSpace(upgradeToken) || string.IsNullOrWhiteSpace(tokenSignature))
{
return false;
}
//Parse jwt
using JsonWebToken jwt = JsonWebToken.Parse(upgradeToken);
//verify signature against the cache public key, since this server must have signed it
if (!_sysState.KeyStore.VerifyCachePeer(jwt))
{
return false;
}
//Recover json body
using JsonDocument doc = jwt.GetPayload();
//Verify audience, expiration
if (!doc.RootElement.TryGetProperty("aud", out JsonElement audEl)
|| !string.Equals(AudienceLocalServerId, audEl.GetString(), StringComparison.OrdinalIgnoreCase))
{
return false;
}
if (!doc.RootElement.TryGetProperty("exp", out JsonElement expEl)
|| DateTimeOffset.FromUnixTimeSeconds(expEl.GetInt64()) < now)
{
return false;
}
//Check node ip address matches if required
if (_sysState.ClusterConfig.VerifyIp)
{
if (!doc.RootElement.TryGetProperty("ip", out JsonElement ipEl))
{
return false;
}
string? clientIp = ipEl.GetString();
//Verify the client ip address matches the one in the token
if (clientIp == null || !IPAddress.TryParse(clientIp, out IPAddress? clientIpAddr) || !clientIpAddr.Equals(connectionIp))
{
return false;
}
}
//Check if the client is a peer
isPeer = doc.RootElement.TryGetProperty("isPeer", out JsonElement isPeerEl) && isPeerEl.GetBoolean();
//The node id is optional and stored in the 'sub' field, ignore if the client is not a peer
if (isPeer && doc.RootElement.TryGetProperty("sub", out JsonElement servIdEl))
{
nodeId = servIdEl.GetString();
}
//Verify token signature against a fellow cache public key
return _sysState.KeyStore.VerifyUpgradeToken(tokenSignature, upgradeToken, isPeer);
}
}
}
|
