mysteriumnetwork · tadovas · Feb 1, 2018 · Jan 25, 2018 · Jan 25, 2018 · Jan 26, 2018
@@ -7,6 +7,7 @@ import (
 	"github.com/mysterium/node/openvpn"
 	"github.com/mysterium/node/openvpn/middlewares/client/auth"
 	"github.com/mysterium/node/openvpn/middlewares/client/bytescount"
+	openvpnSession "github.com/mysterium/node/openvpn/session"
 	"github.com/mysterium/node/server"
 	"github.com/mysterium/node/session"
 	"path/filepath"
@@ -141,14 +142,16 @@ func ConfigureVpnClientFactory(mysteriumAPIClient server.Client, vpnClientRuntim
 			return nil, err
 		}
 
+		signer := signerFactory(id)
+
 		statsSaver := bytescount.NewSessionStatsSaver(statsKeeper)
-		statsSender := bytescount.NewSessionStatsSender(mysteriumAPIClient, vpnSession.ID, signerFactory(id))
+		statsSender := bytescount.NewSessionStatsSender(mysteriumAPIClient, vpnSession.ID, signer)
 		statsHandler := bytescount.NewCompositeStatsHandler(statsSaver, statsSender)
 
-		authenticator := auth.NewAuthenticatorFake()
+		credentialsProvider := openvpnSession.SignatureCredentialsProvider(vpnSession.ID, signer)
 		vpnMiddlewares := []openvpn.ManagementMiddleware{
 			bytescount.NewMiddleware(statsHandler, 1*time.Minute),
-			auth.NewMiddleware(authenticator),
+			auth.NewMiddleware(credentialsProvider),
 		}
 		return openvpn.NewClient(
 			vpnConfig,

@@ -167,12 +167,18 @@ func (foc *fakeOpenvpnClient) resumeAction() {
 }
 
 type fakeDialog struct {
+	peerId identity.Identity
 }
 
 func (fd *fakeDialog) CreateDialog(peerID identity.Identity, peerContact dto_discovery.Contact) (communication.Dialog, error) {
+	fd.peerId = peerID
 	return fd, nil
 }
 
+func (fd *fakeDialog) PeerID() identity.Identity {
+	return fd.peerId
+}
+
 func (fd *fakeDialog) Close() error {
 	return nil
 }

@@ -28,9 +28,9 @@ type CommandRun struct {
 	dialogWaiterFactory func(identity identity.Identity) communication.DialogWaiter
 	dialogWaiter        communication.DialogWaiter
 
-	sessionManagerFactory func(serverIP string) session.ManagerInterface
+	sessionManagerFactory func(serverIP string) session.Manager
 
-	vpnServerFactory func() *openvpn.Server
+	vpnServerFactory func(sessionManager session.Manager) *openvpn.Server
 	vpnServer        *openvpn.Server
 }
 
@@ -64,12 +64,14 @@ func (cmd *CommandRun) Run() (err error) {
 	}
 	proposal := discovery.NewServiceProposalWithLocation(providerID, providerContact, serviceLocation)
 
-	dialogHandler := session.NewDialogHandler(proposal.ID, cmd.sessionManagerFactory(vpnServerIP))
+	sessionManager := cmd.sessionManagerFactory(vpnServerIP)
+
+	dialogHandler := session.NewDialogHandler(proposal.ID, sessionManager)
 	if err := cmd.dialogWaiter.ServeDialogs(dialogHandler); err != nil {
 		return err
 	}
 
-	cmd.vpnServer = cmd.vpnServerFactory()
+	cmd.vpnServer = cmd.vpnServerFactory(sessionManager)
 	if err := cmd.vpnServer.Start(); err != nil {
 		return err
 	}

@@ -73,14 +73,17 @@ func NewCommandWith(
 				identity.NewSigner(keystoreInstance, myID),
 			)
 		},
-		sessionManagerFactory: func(vpnServerIP string) session.ManagerInterface {
-			return openvpn_session.NewManager(openvpn.NewClientConfig(
-				vpnServerIP,
-				filepath.Join(options.DirectoryConfig, "ca.crt"),
-				filepath.Join(options.DirectoryConfig, "ta.key"),
-			))
+		sessionManagerFactory: func(vpnServerIP string) session.Manager {
+			return openvpn_session.NewManager(
+				openvpn.NewClientConfig(
+					vpnServerIP,
+					filepath.Join(options.DirectoryConfig, "ca.crt"),
+					filepath.Join(options.DirectoryConfig, "ta.key"),
+				),
+				&session.UUIDGenerator{},
+			)
 		},
-		vpnServerFactory: func() *openvpn.Server {
+		vpnServerFactory: func(manager session.Manager) *openvpn.Server {
 			vpnServerConfig := openvpn.NewServerConfig(
 				"10.8.0.0", "255.255.255.0",
 				filepath.Join(options.DirectoryConfig, "ca.crt"),
@@ -90,9 +93,12 @@ func NewCommandWith(
 				filepath.Join(options.DirectoryConfig, "crl.pem"),
 				filepath.Join(options.DirectoryConfig, "ta.key"),
 			)
-			authenticator := auth.NewCheckerFake()
+			sessionValidator := openvpn_session.NewSessionValidator(
+				manager.FindSession,
+				identity.NewExtractor(),
+			)
 			vpnMiddlewares := []openvpn.ManagementMiddleware{
-				auth.NewMiddleware(authenticator),
+				auth.NewMiddleware(sessionValidator),
 			}
 			return openvpn.NewServer(vpnServerConfig, options.DirectoryRuntime, vpnMiddlewares...)
 		},

@@ -30,6 +30,7 @@ type DialogEstablisher interface {
 // Dialog represent established connection between 2 peers in network.
 // Enables bidirectional communication with another peer.
 type Dialog interface {
+	PeerID() identity.Identity
 	Sender
 	Receiver
 	Close() error

@@ -2,13 +2,19 @@ package dialog
 
 import (
 	"github.com/mysterium/node/communication"
+	"github.com/mysterium/node/identity"
 )
 
 type dialog struct {
 	communication.Sender
 	communication.Receiver
+	peerID identity.Identity
 }
 
 func (dialog *dialog) Close() error {
 	return nil
 }
+
+func (dialog *dialog) PeerID() identity.Identity {
+	return dialog.peerID
+}
@@ -55,7 +55,7 @@ func (establisher *dialogEstablisher) CreateDialog(
 		return dialog, err
 	}
 
-	dialog = establisher.newDialogToPeer(peerAddress, peerCodec)
+	dialog = establisher.newDialogToPeer(peerID, peerAddress, peerCodec)
 	log.Info(establisherLogPrefix, fmt.Sprintf("Dialog established with: %#v", peerContact))
 
 	return dialog, nil
@@ -99,12 +99,14 @@ func (establisher *dialogEstablisher) newSenderToPeer(
 }
 
 func (establisher *dialogEstablisher) newDialogToPeer(
+	peerID identity.Identity,
 	peerAddress *discovery.AddressNATS,
 	peerCodec *codecSecured,
 ) *dialog {
 
 	subTopic := peerAddress.GetTopic() + "." + establisher.myID.Address
 	return &dialog{
+		peerID:   peerID,
 		Sender:   nats.NewSender(peerAddress.GetConnection(), peerCodec, subTopic),
 		Receiver: nats.NewReceiver(peerAddress.GetConnection(), peerCodec, subTopic),
 	}

@@ -88,6 +88,7 @@ func (waiter *dialogWaiter) newDialogToPeer(peerID identity.Identity, peerCodec
 	subTopic := waiter.myAddress.GetTopic() + "." + peerID.Address
 
 	return &dialog{
+		peerID:   peerID,
 		Sender:   nats.NewSender(waiter.myAddress.GetConnection(), peerCodec, subTopic),
 		Receiver: nats.NewReceiver(waiter.myAddress.GetConnection(), peerCodec, subTopic),
 	}

@@ -7,25 +7,28 @@ import (
 	"regexp"
 )
 
+// CredentialsProvider returns client's current auth primitives (i.e. customer identity signature / node's sessionId)
+type CredentialsProvider func() (username string, password string, err error)
+
 type middleware struct {
-	authenticator Authenticator
-	connection    net.Conn
-	lastUsername  string
-	lastPassword  string
-	state         openvpn.State
+	fetchCredentials CredentialsProvider
+	connection       net.Conn
+	lastUsername     string
+	lastPassword     string
+	state            openvpn.State
 }
 
 // NewMiddleware creates client user_auth challenge authentication middleware
-func NewMiddleware(authenticator Authenticator) *middleware {
+func NewMiddleware(credentials CredentialsProvider) *middleware {
 	return &middleware{
-		authenticator: authenticator,
-		connection:    nil,
+		fetchCredentials: credentials,
+		connection:       nil,
 	}
 }
 
 func (m *middleware) Start(connection net.Conn) error {
 	m.connection = connection
-	log.Info("starting client user-pass authenticator middleware")
+	log.Info("starting client user-pass provider middleware")
 	return nil
 }
 
@@ -43,7 +46,7 @@ func (m *middleware) ConsumeLine(line string) (consumed bool, err error) {
 	if len(match) > 0 {
 		m.Reset()
 		m.state = openvpn.STATE_AUTH
-		username, password, err := m.authenticator()
+		username, password, err := m.fetchCredentials()
 		log.Info("authenticating user ", username, " with pass: ", password)
 
 		_, err = m.connection.Write([]byte("password 'Auth' " + password + "\n"))

@@ -9,21 +9,24 @@ import (
 	"strconv"
 )
 
+// CredentialsChecker callback checks given auth primitives (i.e. customer identity signature / node's sessionId)
+type CredentialsChecker func(username, password string) (bool, error)
+
 type middleware struct {
-	authenticator AuthenticatorChecker
-	connection    net.Conn
-	lastUsername  string
-	lastPassword  string
-	clientID      int
-	keyID         int
-	state         openvpn.State
+	checkCredentials CredentialsChecker
+	connection       net.Conn
+	lastUsername     string
+	lastPassword     string
+	clientID         int
+	keyID            int
+	state            openvpn.State
 }
 
 // NewMiddleware creates server user_auth challenge authentication middleware
-func NewMiddleware(authenticator AuthenticatorChecker) *middleware {
+func NewMiddleware(credentialsChecker CredentialsChecker) *middleware {
 	return &middleware{
-		authenticator: authenticator,
-		connection:    nil,
+		checkCredentials: credentialsChecker,
+		connection:       nil,
 	}
 }
 
@@ -165,31 +168,42 @@ func (m *middleware) authenticateClient() (consumed bool, err error) {
 	m.state = openvpn.STATE_UNDEFINED
 
 	if m.lastUsername == "" || m.lastPassword == "" {
-		return false, fmt.Errorf("missing username or password")
+		denyClientAuthWithMessage(m.connection, m.clientID, m.keyID, "missing username or password")
+		return true, nil
 	}
 
 	log.Info("authenticating user: ", m.lastUsername, " clientID: ", m.clientID, " keyID: ", m.keyID)
 
-	authenticated, err := m.authenticator(m.lastUsername, m.lastPassword)
+	authenticated, err := m.checkCredentials(m.lastUsername, m.lastPassword)
 	if err != nil {
-		return false, err
+		log.Error("Authentication error: ", err)
+		denyClientAuthWithMessage(m.connection, m.clientID, m.keyID, "internal error")
+		return true, nil
 	}
 
 	if authenticated {
-		_, err = m.connection.Write([]byte("client-auth-nt " + strconv.Itoa(m.clientID) + " " + strconv.Itoa(m.keyID) + "\n"))
-		if err != nil {
-			return false, err
-		}
+		approveClient(m.connection, m.clientID, m.keyID)
 	} else {
-		_, err = m.connection.Write([]byte("client-deny " + strconv.Itoa(m.clientID) + " " + strconv.Itoa(m.keyID) +
-			" wrong username or password \n"))
-		if err != nil {
-			return false, err
-		}
+		denyClientAuthWithMessage(m.connection, m.clientID, m.keyID, "wrong username or password")
 	}
 	return true, nil
 }
 
+func approveClient(conn net.Conn, clientID, keyID int) {
+	writeStringToConn(conn, "client-auth-nt "+strconv.Itoa(clientID)+" "+strconv.Itoa(keyID)+"\n")
+}
+
+func denyClientAuthWithMessage(conn net.Conn, clientID, keyID int, message string) {
+	writeStringToConn(conn, "client-deny "+strconv.Itoa(clientID)+" "+strconv.Itoa(keyID)+" "+message+"\n")
+}
+
+func writeStringToConn(conn net.Conn, message string) {
+	_, err := conn.Write([]byte(message + "\n"))
+	if err != nil {
+		log.Error("Management communication error: ", err)
+	}
+}
+
 func (m *middleware) Reset() {
 	m.lastUsername = ""
 	m.lastPassword = ""

@@ -0,0 +1,39 @@
+package session
+
+import (
+	"github.com/mysterium/node/identity"
+	client_auth "github.com/mysterium/node/openvpn/middlewares/client/auth"
+	server_auth "github.com/mysterium/node/openvpn/middlewares/server/auth"
+	"github.com/mysterium/node/session"
+)
+
+const sessionSignaturePrefix = "MystVpnSessionId:"
+
+// SignatureCredentialsProvider returns session id as username and id signed with given signer as password
+func SignatureCredentialsProvider(id session.SessionID, signer identity.Signer) client_auth.CredentialsProvider {
+	return func() (string, string, error) {
+		signature, err := signer.Sign([]byte(sessionSignaturePrefix + id))
+		return string(id), signature.Base64(), err
+	}
+}
+
+type sessionFinder func(session session.SessionID) (session.Session, bool)
+
+// NewSessionValidator provides glue code for openvpn management interface to validate incoming client login request,
+// it expects session id as username, and session signature signed by client as password
+func NewSessionValidator(findSession sessionFinder, extractor identity.Extractor) server_auth.CredentialsChecker {
+	return func(sessionString, signatureString string) (bool, error) {
+		sessionId := session.SessionID(sessionString)
+		currentSession, found := findSession(sessionId)
+		if !found {
+			return false, nil
+		}
+
+		signature := identity.SignatureBase64(signatureString)
+		extractedIdentity, err := extractor.Extract([]byte(sessionSignaturePrefix+sessionString), signature)
+		if err != nil {
+			return false, err
+		}
+		return currentSession.ConsumerID == extractedIdentity, nil
+	}
+}