fix(auth): Include state in authentication requests

py/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+- Updates the authentication mechanism by introducing a signed register state. Signatures of `create_register_challenge` and `validate_register_response` now take a mandatory `secret` parameter, and the public key is encoded into the state. ([#743](https://github.com/getsentry/relay/pull/743))
+
 ## 0.5.13
 
 *Note: This accidentally got released as 0.15.13 as well, which has since been yanked.*

py/sentry_relay/auth.py

@@ -18,7 +18,6 @@
     "SecretKey",
     "generate_key_pair",
     "create_register_challenge",
-    "get_register_response_relay_id",
     "validate_register_response",
     "is_version_supported",
 ]
@@ -91,39 +90,37 @@ def generate_relay_id():
     return decode_uuid(rustcall(lib.relay_generate_relay_id))
 
 
-def create_register_challenge(data, signature, max_age=60 * 15):
+def create_register_challenge(data, signature, secret, max_age=60):
     challenge_json = rustcall(
         lib.relay_create_register_challenge,
         make_buf(data),
         encode_str(signature),
+        encode_str(secret),
         max_age,
     )
 
     challenge = json.loads(decode_str(challenge_json, free=True))
     return {
         "relay_id": uuid.UUID(challenge["relay_id"]),
-        "public_key": PublicKey.parse(challenge["public_key"]),
         "token": challenge["token"],
     }
 
 
-def get_register_response_relay_id(data):
-    return decode_uuid(
-        rustcall(lib.relay_get_register_response_relay_id, make_buf(data))
-    )
-
-
-def validate_register_response(public_key, data, signature, max_age=60 * 15):
+def validate_register_response(data, signature, secret, max_age=60):
     response_json = rustcall(
         lib.relay_validate_register_response,
-        public_key._objptr,
         make_buf(data),
         encode_str(signature),
+        encode_str(secret),
         max_age,
     )
 
     response = json.loads(decode_str(response_json, free=True))
-    return {"relay_id": uuid.UUID(response["relay_id"]), "token": response["token"]}
+    return {
+        "relay_id": uuid.UUID(response["relay_id"]),
+        "token": response["token"],
+        "public_key": response["public_key"],
+    }
 
 
 def is_version_supported(version):

py/tests/test_auth.py

@@ -3,6 +3,17 @@
 import pytest
 
 
+UPSTREAM_SECRET = "secret"
+
+RELAY_ID = b"6b7d15b8-cee2-4354-9fee-dae7ef43e434"
+RELAY_KEY = b"kMpGbydHZSvohzeMlghcWwHd8MkreKGzl_ncdkZSOMg"
+REQUEST = b'{"relay_id":"6b7d15b8-cee2-4354-9fee-dae7ef43e434","public_key":"kMpGbydHZSvohzeMlghcWwHd8MkreKGzl_ncdkZSOMg","version":"20.8.0"}'
+REQUEST_SIG = "JIwzIb3kuOaVwgq_DRuPpquGVIIu0plfpOSvz_ixzfw_RmdyHr35cJrna7Jg_uXqNHQbSP1Yj0-4X5Omk9jcBA.eyJ0IjoiMjAyMC0wOS0wMVQxMzozNzoxNC40Nzk0NjVaIn0"
+TOKEN = "eyJ0aW1lc3RhbXAiOjE1OTg5Njc0MzQsInJlbGF5X2lkIjoiNmI3ZDE1YjgtY2VlMi00MzU0LTlmZWUtZGFlN2VmNDNlNDM0IiwicHVibGljX2tleSI6ImtNcEdieWRIWlN2b2h6ZU1sZ2hjV3dIZDhNa3JlS0d6bF9uY2RrWlNPTWciLCJyYW5kIjoiLUViNG9Hal80dUZYOUNRRzFBVmdqTjRmdGxaNU9DSFlNOFl2d1podmlyVXhUY0tFSWYtQzhHaldsZmgwQTNlMzYxWE01dVh0RHhvN00tbWhZeXpWUWcifQ:KJUDXlwvibKNQmex-_Cu1U0FArlmoDkyqP7bYIDGrLXudfjGfCjH-UjNsUHWVDnbM28YdQ-R2MBSyF51aRLQcw"
+RESPONSE = b'{"relay_id":"6b7d15b8-cee2-4354-9fee-dae7ef43e434","token":"eyJ0aW1lc3RhbXAiOjE1OTg5Njc0MzQsInJlbGF5X2lkIjoiNmI3ZDE1YjgtY2VlMi00MzU0LTlmZWUtZGFlN2VmNDNlNDM0IiwicHVibGljX2tleSI6ImtNcEdieWRIWlN2b2h6ZU1sZ2hjV3dIZDhNa3JlS0d6bF9uY2RrWlNPTWciLCJyYW5kIjoiLUViNG9Hal80dUZYOUNRRzFBVmdqTjRmdGxaNU9DSFlNOFl2d1podmlyVXhUY0tFSWYtQzhHaldsZmgwQTNlMzYxWE01dVh0RHhvN00tbWhZeXpWUWcifQ:KJUDXlwvibKNQmex-_Cu1U0FArlmoDkyqP7bYIDGrLXudfjGfCjH-UjNsUHWVDnbM28YdQ-R2MBSyF51aRLQcw"}'
+RESPONSE_SIG = "HUp3eybT_5AmRJ_QzutfvStKTeE-cgD_reLPjIf4OpoOJT_Hln8ThrFqGyT_C6P8qF1LHbFLcrYFvQy4iNaqAQ.eyJ0IjoiMjAyMC0wOS0wMVQxMzozNzoxNC40ODEwNTNaIn0"
+
+
 def test_basic_key_functions():
     sk, pk = sentry_relay.generate_key_pair()
     signature = sk.sign(b"some secret data")
@@ -17,43 +28,34 @@ def test_basic_key_functions():
 
 def test_challenge_response():
     resp = sentry_relay.create_register_challenge(
-        b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
-        "EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
-        max_age=0xFFFFFFFF,
+        REQUEST, REQUEST_SIG, UPSTREAM_SECRET, max_age=0,
     )
-    assert str(resp["public_key"]) == "KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"
-    assert resp["relay_id"] == uuid.UUID("95dc7c80-6db7-4505-8969-3a0927bfb85d")
+    assert resp["relay_id"] == uuid.UUID(RELAY_ID.decode("utf8"))
     assert len(resp["token"]) > 40
+    assert ":" in resp["token"]
 
 
 def test_challenge_response_validation_errors():
     with pytest.raises(sentry_relay.UnpackErrorSignatureExpired):
         sentry_relay.create_register_challenge(
-            b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
-            "EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
-            max_age=1,
+            REQUEST, REQUEST_SIG, UPSTREAM_SECRET, max_age=1,
         )
     with pytest.raises(sentry_relay.UnpackErrorBadPayload):
         sentry_relay.create_register_challenge(
-            b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}glumpat',
-            "EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
-            max_age=1,
+            REQUEST + b"__broken", REQUEST_SIG, UPSTREAM_SECRET, max_age=0,
+        )
+    with pytest.raises(sentry_relay.UnpackErrorBadSignature):
+        sentry_relay.create_register_challenge(
+            REQUEST, REQUEST_SIG + "__broken", UPSTREAM_SECRET, max_age=0,
         )
 
 
 def test_register_response():
-    pk = sentry_relay.PublicKey.parse("sFTtnMGut3xR_EqP1hSmyfBc6590wDQzHFGWj5nEG18")
     resp = sentry_relay.validate_register_response(
-        pk,
-        b'{"relay_id":"2ffe6ba6-3a27-4936-b30f-d6944a4f1216","token":"iiWGyrgBZDOOclHjnQILU6zHL1Mjl-yXUpjHOIaArowhrZ2djSUkzPuH_l7UF6sKYpbKD4C2nZWCBhuULLJE-w"}',
-        "uLvKHrTtFohGVMLDxlMZythEXmTJTx8DCT2VwZ_x5Aw0UzTzoastrn2tFy4I8jeTYzS-N8D-PZ_khfVzfFZHBg.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0ODo1OC41ODMzNTRaIn0",
-        max_age=0xFFFFFFFF,
-    )
-    assert (
-        resp["token"]
-        == "iiWGyrgBZDOOclHjnQILU6zHL1Mjl-yXUpjHOIaArowhrZ2djSUkzPuH_l7UF6sKYpbKD4C2nZWCBhuULLJE-w"
+        RESPONSE, RESPONSE_SIG, UPSTREAM_SECRET, max_age=0,
     )
-    assert resp["relay_id"] == uuid.UUID("2ffe6ba6-3a27-4936-b30f-d6944a4f1216")
+    assert resp["token"] == TOKEN
+    assert resp["relay_id"] == uuid.UUID(RELAY_ID.decode("utf8"))
 
 
 def test_is_version_supported():

relay-auth/Cargo.toml

@@ -15,6 +15,7 @@ base64 = "0.10.1"
 chrono = "0.4.11"
 ed25519-dalek = "0.9.1"
 failure = "0.1.8"
+hmac = "0.7.1"
 rand = "0.6.5"
 relay-common = { path = "../relay-common" }
 serde = { version = "1.0.114", features = ["derive"] }