Added auth key generation for encrypted communication of sensitive information.

Author: sebinside

src/main/scala/org/codeoverflow/chatoverflow/ChatOverflow.scala

@@ -30,6 +30,14 @@ class ChatOverflow(val pluginFolderPath: String,
   val typeRegistry = new TypeRegistry(requirementPackage)
   val credentialsService = new CredentialsService(s"$configFolderPath/credentials")
   val configService = new ConfigurationService(s"$configFolderPath/config.xml")
+  private var loaded = false
+
+  /**
+    * Returns if configs and credentials had been loaded.
+    *
+    * @return true, if has been called successfully in this run of the framework.
+    */
+  def isLoaded: Boolean = loaded
 
   /**
     * Initializes all parts of chat overflow. These can be accessed trough the public variables.
@@ -54,7 +62,7 @@ class ChatOverflow(val pluginFolderPath: String,
     ConnectorRegistry.setTypeRegistry(typeRegistry)
     logger debug "Finished updating type registry."
 
-    if (requirePasswordOnStartup) {
+    if (requirePasswordOnStartup && !loaded) {
       logger debug "Loading configs and credentials."
       askForPassword()
       load()
@@ -66,24 +74,32 @@ class ChatOverflow(val pluginFolderPath: String,
 
   /**
     * Loads all config settings and credentials from the config folder.
+    * Note that its only possible once per run to load everything successfully.
     */
   def load(): Boolean = {
-    val currentTime = System.currentTimeMillis()
-    var success = true
+    if (loaded) {
+      false
+    } else {
+      val currentTime = System.currentTimeMillis()
+      var success = true
+
+      // Start by loading connectors
+      if (!configService.loadConnectors())
+        success = false
 
-    // Start by loading connectors
-    if (!configService.loadConnectors())
-      success = false
+      // Then load credentials that can be put into the connectors
+      if (success && !credentialsService.load())
+        success = false
 
-    // Then load credentials that can be put into the connectors
-    if (!credentialsService.load())
-      success = false
+      // Finish by loading plugin instances
+      if (success && !configService.loadPluginInstances(pluginInstanceRegistry, pluginFramework, typeRegistry))
+        success = false
 
-    // Finish by loading plugin instances
-    configService.loadPluginInstances(pluginInstanceRegistry, pluginFramework, typeRegistry)
+      logger info s"Loading took ${System.currentTimeMillis() - currentTime} ms."
 
-    logger info s"Loading took ${System.currentTimeMillis() - currentTime} ms."
-    success
+      loaded = success
+      success
+    }
   }
 
   private def enableFrameworkSecurity(): Unit = {

src/main/scala/org/codeoverflow/chatoverflow/configuration/CredentialsService.scala

@@ -15,6 +15,15 @@ import scala.collection.mutable
 class CredentialsService(val credentialsFilePath: String) extends WithLogger {
   private[this] var password = Array[Char]()
 
+  /**
+    * Generates a authentication key using the password of the framework.
+    *
+    * @return an auth key based the password an an random array
+    */
+  def generateAuthKey(): String = {
+    CryptoUtil.generateAuthKey(this.password.mkString)
+  }
+
   /**
     * Sets the password. Needed to load or save credentials.
     *
@@ -23,12 +32,20 @@ class CredentialsService(val credentialsFilePath: String) extends WithLogger {
   def setPassword(password: Array[Char]): Unit = this.password = password
 
   /**
-    * Returns true, if a password is set. Note that this says nothing about the correctness of it.
+    * Checks if the specified password is correct by trying to decrypt the saved credentials.
     *
-    * @return true, if the password length is greater than zero
+    * @param password the password to test
+    * @return true, if the credentials file exists and could be decrypted
     */
-  def isLoggedIn: Boolean = {
-    password.length > 0
+  def checkPasswordCorrectness(password: Array[Char]): Boolean = {
+    try {
+      val encrypted = scala.io.Source.fromFile(credentialsFilePath)
+      val decrypted = CryptoUtil.decrypt(password, encrypted.getLines().mkString)
+      encrypted.close
+      decrypted.isDefined
+    } catch {
+      case _: Exception => false
+    }
   }
 
   /**

src/main/scala/org/codeoverflow/chatoverflow/configuration/CryptoUtil.scala

@@ -1,6 +1,7 @@
 package org.codeoverflow.chatoverflow.configuration
 
-import java.security.SecureRandom
+import java.nio.charset.StandardCharsets
+import java.security.{MessageDigest, SecureRandom}
 
 import javax.crypto.spec.{IvParameterSpec, PBEKeySpec, SecretKeySpec}
 import javax.crypto.{Cipher, SecretKeyFactory}
@@ -14,6 +15,23 @@ object CryptoUtil {
 
   // TODO: This code should be reviewed by an expert to find potential security issues.
 
+  // Used for the run-unique auth key
+  private val runSpecificRandom = generateIV
+
+  /**
+    * Generates a run-unique authentication key using a supplied password.
+    *
+    * @param password a password to communicate with the framework
+    * @return an auth key based the password an an random array
+    */
+  def generateAuthKey(password: String): String = {
+
+    val authBase = runSpecificRandom.mkString + password
+
+    val digest = MessageDigest.getInstance("SHA-256")
+    digest.digest(authBase.getBytes(StandardCharsets.UTF_8)).mkString
+  }
+
   /**
     * Encrypts the provided plaintext using AES.
     *

src/main/scala/org/codeoverflow/chatoverflow/ui/web/rest/config/ConfigController.scala

@@ -2,6 +2,7 @@ package org.codeoverflow.chatoverflow.ui.web.rest.config
 
 import org.codeoverflow.chatoverflow.Launcher
 import org.codeoverflow.chatoverflow.api.APIVersion
+import org.codeoverflow.chatoverflow.configuration.CryptoUtil
 import org.codeoverflow.chatoverflow.ui.web.JsonServlet
 import org.codeoverflow.chatoverflow.ui.web.rest.DTOs.{ConfigInfo, Password, ResultMessage}
 import org.scalatra.swagger._
@@ -20,18 +21,32 @@ class ConfigController(implicit val swagger: Swagger) extends JsonServlet with C
   }
 
   get("/login", operation(getLogin)) {
-    chatOverflow.credentialsService.isLoggedIn
+    chatOverflow.isLoaded
   }
 
   post("/login", operation(postLogin)) {
     parsedAs[Password] {
       case Password(password) =>
-        chatOverflow.credentialsService.setPassword(password.toCharArray)
-        if (!chatOverflow.load()) {
-          // TODO: Could have more details with a more detailed loading process
-          ResultMessage(success = false, "Unable to load. Wrong password?")
+
+        // Check for password correctness first
+        if (!chatOverflow.credentialsService.checkPasswordCorrectness(password.toCharArray)) {
+          ResultMessage(success = false, "Unable to load. Wrong password!")
         } else {
-          ResultMessage(success = true)
+
+          // Password is correct. Login if first call.
+          if (!chatOverflow.isLoaded) {
+            chatOverflow.credentialsService.setPassword(password.toCharArray)
+            if (!chatOverflow.load()) {
+              ResultMessage(success = false, "Unable to load.")
+            } else {
+
+              // "Loading was successful, here is your auth key based on your supplied password"
+              ResultMessage(success = true, CryptoUtil.generateAuthKey(password))
+            }
+          } else {
+            // "Loading was not needed, but here is your key based on your password"
+            ResultMessage(success = true, CryptoUtil.generateAuthKey(password))
+          }
         }
     }
   }

src/main/scala/org/codeoverflow/chatoverflow/ui/web/rest/config/ConfigControllerDefinition.scala

@@ -18,14 +18,14 @@ trait ConfigControllerDefinition extends SwaggerSupport {
 
   val getLogin: OperationBuilder =
     (apiOperation[Boolean]("getLogin")
-      summary "Returns if the framework is already supplied with a password to decrypt its credentials."
-      description "Returns true, if a password has been set. Note that this says nothing about its correctness.")
+      summary "Returns if the framework is already loaded."
+      description "Returns true, if the framework had been loaded previously with success.")
 
   val postLogin: OperationBuilder =
     (apiOperation[ResultMessage]("postLogin")
       summary "Logs in the the framework with the given password, loads config and credentials."
-      description "Tries to decrypt the credentials using the provided password. Does load configuration and credentials."
-      parameter bodyParam[Password]("body").description("Requires the user framework password."))
+      description "Tries to decrypt the credentials using the provided password. If already loaded, does only return the communication auth key."
+      parameter bodyParam[Password]("body").description("Requires the user framework password. The auth key is based on this input."))
 
   override protected def applicationDescription: String = "Handles configuration and information retrieval."
 }

src/main/scala/org/codeoverflow/chatoverflow/ui/web/rest/connector/ConnectorController.scala

@@ -23,6 +23,7 @@ class ConnectorController(implicit val swagger: Swagger) extends JsonServlet wit
   }
 
   post("/", operation(postConnector)) {
+    // TODO: Should implicitly create the credentials object
     parsedAs[ConnectorRef] {
       case ConnectorRef(sourceIdentifier, uniqueTypeString) =>
         val connector = ConnectorRegistry.getConnector(sourceIdentifier, uniqueTypeString)
@@ -47,6 +48,7 @@ class ConnectorController(implicit val swagger: Swagger) extends JsonServlet wit
   }
 
   delete("/:sourceIdentifier/:qualifiedConnectorType", operation(deleteConnector)) {
+    // TODO: Should implicitly delete the credentials object
     val sourceIdentifier = params("sourceIdentifier")
     val qualifiedConnectorType = params("qualifiedConnectorType")