Implement methods for generating and writing a realm broker note and …

…token.
tozny · Aug 30, 2020 · 10f5644 · 10f5644
1 parent 8fa3514
commit 10f5644
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 3 deletions.
diff --git a/client.go b/client.go
@@ -37,6 +37,9 @@ import (
 	"github.com/tozny/e3db-clients-go"
 	"github.com/tozny/e3db-clients-go/accountClient"
 	"github.com/tozny/e3db-clients-go/identityClient"
+	"github.com/tozny/e3db-clients-go/pdsClient"
+	"github.com/tozny/e3db-clients-go/storageClient"
+
 	"golang.org/x/oauth2/clientcredentials"
 )
 
@@ -645,6 +648,8 @@ type ToznySDKV3 struct {
 	// e.g. toznySDK.CreateAccount(ctx context.Context, params accountClient.CreateAccountRequest)
 	*accountClient.E3dbAccountClient
 	*identityClient.E3dbIdentityClient
+	*storageClient.StorageClient
+	*pdsClient.E3dbPDSClient
 	// Account public authentication material for creating and deriving account credentials
 	AccountUsername string
 	// Account private authentication material for creating and deriving account credentials
@@ -666,9 +671,14 @@ type ToznySDKConfig struct {
 func NewToznySDKV3(config ToznySDKConfig) (*ToznySDKV3, error) {
 	accountServiceClient := accountClient.New(config.ClientConfig)
 	identityClient := identityClient.New(config.ClientConfig)
+	storageClient := storageClient.New(config.ClientConfig)
+	pdsClient := pdsClient.New(config.ClientConfig)
+
 	return &ToznySDKV3{
 		E3dbAccountClient:  &accountServiceClient,
 		E3dbIdentityClient: &identityClient,
+		StorageClient:      &storageClient,
+		E3dbPDSClient:      &pdsClient,
 		AccountUsername:    config.AccountUsername,
 		AccountPassword:    config.AccountPassword,
 		APIEndpoint:        config.APIEndpoint,
@@ -1026,3 +1036,93 @@ func (c *ToznySDKV3) Login(ctx context.Context, email string, password string, s
 	account.Config = clientConfig
 	return account, nil
 }
+
+// ConvertBrokerIdentityToClientConfig converts a broker identity to raw Tozny client credentials.
+func ConvertBrokerIdentityToClientConfig(broker identityClient.Identity, clientURL string) ClientConfig {
+	return ClientConfig{
+		APIKeyID:          broker.APIKeyID,
+		APISecret:         broker.APIKeySecret,
+		APIURL:            clientURL,
+		ClientEmail:       "",
+		ClientID:          broker.ToznyID.String(),
+		PrivateKey:        broker.PrivateEncryptionKeys[e3dbClients.DefaultEncryptionKeyType],
+		PrivateSigningKey: broker.PrivateSigningKeys[e3dbClients.DefaultSigningKeyType],
+		PublicKey:         broker.PublicKeys[e3dbClients.DefaultEncryptionKeyType],
+		PublicSigningKey:  broker.SigningKeys[e3dbClients.DefaultSigningKeyType],
+		Version:           2,
+	}
+}
+
+type NoteBody map[string]string
+
+// GenerateRealmBrokerNoteToken writes a note with the broker identity credentials
+// and returns a token that can be used to fetch and decrypt
+// the note with the broker identity client or error (if any).
+func (c *ToznySDKV3) GenerateRealmBrokerNoteToken(ctx context.Context, broker identityClient.Identity) (string, error) {
+	serializedBrokerCredentialsBytes, err := json.Marshal(ConvertBrokerIdentityToClientConfig(broker, c.APIEndpoint))
+
+	if err != nil {
+		return "", err
+	}
+
+	notePassword := e3dbClients.RandomSymmetricKey()
+
+	encodingNonce := e3dbClients.RandomNonce()
+
+	signingNone := e3dbClients.RandomNonce()
+
+	tokenSeed := e3dbClients.Base64Encode(notePassword[:]) + e3dbClients.Base64Encode(encodingNonce[:]) + e3dbClients.Base64Encode(signingNone[:])
+
+	publicEncryptionKey, privateEncryptionKey := e3dbClients.DeriveCryptoKey(notePassword[:], encodingNonce[:], e3dbClients.AccountDerivationRounds)
+
+	publicSigningKey, _ := e3dbClients.DeriveSigningKey(notePassword[:], signingNone[:], e3dbClients.AccountDerivationRounds)
+
+	noteBody := NoteBody{
+		"realmId":   fmt.Sprintf("%d", broker.RealmID),
+		"realmName": broker.RealmName,
+		"client":    string(serializedBrokerCredentialsBytes),
+		"publicKey": e3dbClients.Base64Encode(publicEncryptionKey[:]),
+	}
+
+	accessKey := e3dbClients.RandomSymmetricKey()
+
+	encryptedAccessKey, err := e3dbClients.EncryptAccessKey(accessKey, e3dbClients.EncryptionKeys{
+		Private: e3dbClients.Key{
+			Type:     e3dbClients.DefaultEncryptionKeyType,
+			Material: e3dbClients.Base64Encode(publicEncryptionKey[:]),
+		},
+		Public: e3dbClients.Key{
+			Type:     e3dbClients.DefaultEncryptionKeyType,
+			Material: e3dbClients.Base64Encode(privateEncryptionKey[:]),
+		},
+	})
+
+	if err != nil {
+		return "", err
+	}
+
+	encryptedData := e3dbClients.EncryptData(noteBody, accessKey)
+
+	noteToWrite := storageClient.Note{
+		Mode:                e3dbClients.DefaultCryptographicMode,
+		RecipientSigningKey: e3dbClients.Base64Encode(publicSigningKey[:]),
+		WriterSigningKey:    c.StorageClient.SigningKeys.Public.Material,
+		WriterEncryptionKey: c.StorageClient.EncryptionKeys.Public.Material,
+		EncryptedAccessKey:  encryptedAccessKey,
+		Type:                "Realm Broker Note",
+		Data:                *encryptedData,
+		Signature:           "unsigned",
+		MaxViews:            -1,
+		Expires:             false,
+	}
+
+	note, err := c.WriteNote(ctx, noteToWrite)
+
+	if err != nil {
+		return "", err
+	}
+
+	brokerNoteToken := tokenSeed + note.NoteID
+
+	return brokerNoteToken, err
+}
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/jawher/mow.cli v1.0.4
 	github.com/mitchellh/go-homedir v1.0.0
 	github.com/stretchr/testify v1.6.1 // indirect
-	github.com/tozny/e3db-clients-go v0.0.97-0.20200829035037-c00b27b88700
+	github.com/tozny/e3db-clients-go v0.0.97-0.20200830024204-08048d95f250
 	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
 	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421
 	google.golang.org/appengine v1.6.6 // indirect

diff --git a/go.sum b/go.sum
@@ -39,8 +39,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/tozny/e3db-clients-go v0.0.97-0.20200829035037-c00b27b88700 h1:4sY0C2jlt1vtgBvon+vdzNVvlSdtxCDStA/4Y1+/Li4=
-github.com/tozny/e3db-clients-go v0.0.97-0.20200829035037-c00b27b88700/go.mod h1:q1Zu4VqAnV8g2wIQ4RTH8I0hHzth1L/sCdrVWc+BIAc=
+github.com/tozny/e3db-clients-go v0.0.97-0.20200830024204-08048d95f250 h1:KRyUjpIzymnRsM1rxxbyvr6SvQ+WYWhXcw4RAmA0owk=
+github.com/tozny/e3db-clients-go v0.0.97-0.20200830024204-08048d95f250/go.mod h1:q1Zu4VqAnV8g2wIQ4RTH8I0hHzth1L/sCdrVWc+BIAc=
 github.com/tozny/utils-go v0.0.35 h1:gPvhlQ8QCoLBUjIx1COfYy6o4dfSM8Lrh+2FV9Ask+g=
 github.com/tozny/utils-go v0.0.35/go.mod h1:SHi9wnpPEEzAxbwcBhRd+jW32r+gY6S+AcWweuGytRw=
 golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=