Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-15 06:15:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 986664 - Make Android FxAccountClient* HAWK requests always include request payload hash. r=rnewman

Browse Source 
Relanding with correct bug number.
This commit is contained in:
Nick Alexander 2014-04-17 12:04:17 -07:00
parent ea420338b4
commit 912a5c0cf2
4 changed files with 63 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
mobile/android/base/background/fxa/FxAccountClient10.java
View File

@ -176,32 +176,35 @@ public class FxAccountClient10 {
protected final byte[] tokenId;
protected final byte[] reqHMACKey;
protected final boolean payload;
protected final SkewHandler skewHandler;
/**
* Create a delegate for an un-authenticated resource.
*/
public ResourceDelegate(final Resource resource, final RequestDelegate<T> delegate) {
this(resource, delegate, null, null, false);
this(resource, delegate, null, null);
}
/**
* Create a delegate for a Hawk-authenticated resource.
* <p>
* Every Hawk request that encloses an entity (PATCH, POST, and PUT) will
* include the payload verification hash.
*/
public ResourceDelegate(final Resource resource, final RequestDelegate<T> delegate, final byte[] tokenId, final byte[] reqHMACKey, final boolean authenticatePayload) {
public ResourceDelegate(final Resource resource, final RequestDelegate<T> delegate, final byte[] tokenId, final byte[] reqHMACKey) {
super(resource);
this.delegate = delegate;
this.reqHMACKey = reqHMACKey;
this.tokenId = tokenId;
this.payload = authenticatePayload;
this.skewHandler = SkewHandler.getSkewHandlerForResource(resource);
}
@Override
public AuthHeaderProvider getAuthHeaderProvider() {
if (tokenId != null && reqHMACKey != null) {
return new HawkAuthHeaderProvider(Utils.byte2Hex(tokenId), reqHMACKey, payload, skewHandler.getSkewInSeconds());
// We always include the payload verification hash for FxA Hawk-authenticated requests.
final boolean includePayloadVerificationHash = true;
return new HawkAuthHeaderProvider(Utils.byte2Hex(tokenId), reqHMACKey, includePayloadVerificationHash, skewHandler.getSkewInSeconds());
}
return super.getAuthHeaderProvider();
}
@ -483,7 +486,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<TwoTokens>(resource, delegate, tokenId, reqHMACKey, false) {
resource.delegate = new ResourceDelegate<TwoTokens>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
try {
@ -519,7 +522,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<Void>(resource, delegate, tokenId, reqHMACKey, false) {
resource.delegate = new ResourceDelegate<Void>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
delegate.handleSuccess(null);
@ -608,7 +611,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<TwoKeys>(resource, delegate, tokenId, reqHMACKey, false) {
resource.delegate = new ResourceDelegate<TwoKeys>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
try {
@ -670,7 +673,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<StatusResponse>(resource, delegate, tokenId, reqHMACKey, false) {
resource.delegate = new ResourceDelegate<StatusResponse>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
try {
@ -712,7 +715,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<String>(resource, delegate, tokenId, reqHMACKey, true) {
resource.delegate = new ResourceDelegate<String>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
String cert = body.getString("cert");
@ -753,7 +756,7 @@ public class FxAccountClient10 {
return;
}
resource.delegate = new ResourceDelegate<Void>(resource, delegate, tokenId, reqHMACKey, false) {
resource.delegate = new ResourceDelegate<Void>(resource, delegate, tokenId, reqHMACKey) {
@Override
public void handleSuccess(int status, HttpResponse response, ExtendedJSONObject body) {
try {

191
mobile/android/base/fxa/activities/FxAccountCreateAccountFragment.java
View File

@ -1,191 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
package org.mozilla.gecko.fxa.activities;
import android.support.v4.app.Fragment;
public class FxAccountCreateAccountFragment extends Fragment { // implements OnClickListener {
protected static final String LOG_TAG = FxAccountCreateAccountFragment.class.getSimpleName();
//
// protected FxAccountSetupActivity activity;
//
// protected EditText emailEdit;
// protected EditText passwordEdit;
// protected EditText password2Edit;
// protected Button button;
//
// protected TextView emailError;
// protected TextView passwordError;
//
// protected TextChangedListener textChangedListener;
// protected EditorActionListener editorActionListener;
// protected OnFocusChangeListener focusChangeListener;
// @Override
// public void onCreate(Bundle savedInstanceState) {
// super.onCreate(savedInstanceState);
// // Retain this fragment across configuration changes. See, for example,
// // http://www.androiddesignpatterns.com/2013/04/retaining-objects-across-config-changes.html
// // This fragment will own AsyncTask instances which should not be
// // interrupted by configuration changes (and activity changes).
// setRetainInstance(true);
// }
// @Override
// public View onCreateView(LayoutInflater inflater, ViewGroup container,
// Bundle savedInstanceState) {
// View v = inflater.inflate(R.layout.fxaccount_create_account_fragment, container, false);
//
// FxAccountSetupActivity.linkifyTextViews(v, new int[] { R.id.description, R.id.policy });
//
// emailEdit = (EditText) ensureFindViewById(v, R.id.email, "email");
// passwordEdit = (EditText) ensureFindViewById(v, R.id.password, "password");
// // Second password can be null.
// password2Edit = (EditText) v.findViewById(R.id.password2);
//
// emailError = (TextView) ensureFindViewById(v, R.id.email_error, "email error");
// passwordError = (TextView) ensureFindViewById(v, R.id.password_error, "password error");
//
// textChangedListener = new TextChangedListener();
// editorActionListener = new EditorActionListener();
// focusChangeListener = new FocusChangeListener();
//
// addListeners(emailEdit);
// addListeners(passwordEdit);
// if (password2Edit != null) {
// addListeners(password2Edit);
// }
//
// button = (Button) ensureFindViewById(v, R.id.create_account_button, "button");
// button.setOnClickListener(this);
// return v;
// }
// protected void onCreateAccount(View button) {
// Logger.debug(LOG_TAG, "onCreateAccount: Asking for username/password for new account.");
// String email = emailEdit.getText().toString();
// String password = passwordEdit.getText().toString();
// activity.signUp(email, password);
// }
//
// @Override
// public void onClick(View v) {
// switch (v.getId()) {
// case R.id.create_account_button:
// if (!validate(false)) {
// return;
// }
// onCreateAccount(v);
// break;
// }
// }
//
// protected void addListeners(EditText editText) {
// editText.addTextChangedListener(textChangedListener);
// editText.setOnEditorActionListener(editorActionListener);
// editText.setOnFocusChangeListener(focusChangeListener);
// }
//
// protected class FocusChangeListener implements OnFocusChangeListener {
// @Override
// public void onFocusChange(View v, boolean hasFocus) {
// if (hasFocus) {
// return;
// }
// validate(false);
// }
// }
//
// protected class EditorActionListener implements OnEditorActionListener {
// @Override
// public boolean onEditorAction(TextView v, int actionId, KeyEvent event) {
// validate(false);
// return false;
// }
// }
//
// protected class TextChangedListener implements TextWatcher {
// @Override
// public void afterTextChanged(Editable s) {
// validate(true);
// }
//
// @Override
// public void beforeTextChanged(CharSequence s, int start, int count, int after) {
// // Do nothing.
// }
//
// @Override
// public void onTextChanged(CharSequence s, int start, int before, int count) {
// // Do nothing.
// }
// }
//
// /**
// * Show or hide error messaging.
// *
// * @param removeOnly
// * if true, possibly remove existing error messages but do not set an
// * error message if one was not present.
// * @param errorResourceId
// * of error string, or -1 to hide.
// * @param errorView
// * <code>TextView</code> instance to display error message in.
// * @param edits
// * <code>EditText</code> instances to style.
// */
// protected void setError(boolean removeOnly, int errorResourceId, TextView errorView, EditText... edits) {
// if (removeOnly && errorResourceId != -1) {
// return;
// }
//
// int res = errorResourceId == -1 ? R.drawable.fxaccount_textfield_background : R.drawable.fxaccount_textfield_error_background;
// for (EditText edit : edits) {
// if (edit == null) {
// continue;
// }
// edit.setBackgroundResource(res);
// }
// if (errorResourceId == -1) {
// errorView.setVisibility(View.GONE);
// errorView.setText(null);
// } else {
// errorView.setText(errorResourceId);
// errorView.setVisibility(View.VISIBLE);
// }
// }
//
// protected boolean validate(boolean removeOnly) {
// boolean enabled = true;
// final String email = emailEdit.getText().toString();
// final String password = passwordEdit.getText().toString();
//
// if (email.length() == 0 || Patterns.EMAIL_ADDRESS.matcher(email).matches()) {
// setError(removeOnly, -1, emailError, emailEdit);
// } else {
// enabled = false;
// setError(removeOnly, R.string.fxaccount_bad_email, emailError, emailEdit);
// }
//
// if (password2Edit != null) {
// final String password2 = password2Edit.getText().toString();
// enabled = enabled && password2.length() > 0;
//
// boolean passwordsMatch = password.equals(password2);
// if (passwordsMatch) {
// setError(removeOnly, -1, passwordError, passwordEdit, password2Edit);
// } else {
// enabled = false;
// setError(removeOnly, R.string.fxaccount_bad_passwords, passwordError, passwordEdit, password2Edit);
// }
// }
//
// if (enabled != button.isEnabled()) {
// Logger.debug(LOG_TAG, (enabled ? "En" : "Dis") + "abling button.");
// button.setEnabled(enabled);
// }
//
// return enabled;
// }
}

7
mobile/android/base/fxa/sync/FxAccountSyncAdapter.java
View File

@ -365,7 +365,12 @@ public class FxAccountSyncAdapter extends AbstractThreadedSyncAdapter {
// global session.
final SkewHandler storageServerSkewHandler = SkewHandler.getSkewHandlerForHostname(storageHostname);
final long storageServerSkew = storageServerSkewHandler.getSkewInSeconds();
final AuthHeaderProvider authHeaderProvider = new HawkAuthHeaderProvider(token.id, token.key.getBytes("UTF-8"), false, storageServerSkew);
// We expect Sync to upload large sets of records. Calculating the
// payload verification hash for these record sets could be expensive,
// so we explicitly do not send payload verification hashes to the
// Sync storage endpoint.
final boolean includePayloadVerificationHash = false;
final AuthHeaderProvider authHeaderProvider = new HawkAuthHeaderProvider(token.id, token.key.getBytes("UTF-8"), includePayloadVerificationHash, storageServerSkew);
final Context context = getContext();
final SyncConfiguration syncConfig = new SyncConfiguration(token.uid, authHeaderProvider, sharedPrefs, syncKeyBundle);

57
mobile/android/base/sync/net/HawkAuthHeaderProvider.java
View File

@ -18,6 +18,7 @@ import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.mozilla.apache.commons.codec.binary.Base64;
import org.mozilla.gecko.background.common.log.Logger;
import org.mozilla.gecko.sync.Utils;
import ch.boye.httpclientandroidlib.Header;
@ -55,6 +56,12 @@ public class HawkAuthHeaderProvider implements AuthHeaderProvider {
* <p>
* Hawk specifies no mechanism by which a client receives an
* identifier-and-key pair from the server.
* <p>
* Hawk requests can include a payload verification hash with requests that
* enclose an entity (PATCH, POST, and PUT requests). <b>You should default
* to including the payload verification hash<b> unless you have a good reason
* not to -- the server can always ignore payload verification hashes provided
* by the client.
*
* @param id
* to name requests with.
@ -62,7 +69,7 @@ public class HawkAuthHeaderProvider implements AuthHeaderProvider {
* to sign request with.
*
* @param includePayloadHash
* true if message integrity hash should be included in signed
* true if payload verification hash should be included in signed
* request header. See <a href="https://github.com/hueniverse/hawk#payload-validation">https://github.com/hueniverse/hawk#payload-validation</a>.
*
* @param skewSeconds
@ -82,11 +89,6 @@ public class HawkAuthHeaderProvider implements AuthHeaderProvider {
this.skewSeconds = skewSeconds;
}
public HawkAuthHeaderProvider(String id, byte[] key, boolean includePayloadHash) {
this(id, key, includePayloadHash, 0L);
}
/**
* @return the current time in milliseconds.
*/
@ -141,14 +143,9 @@ public class HawkAuthHeaderProvider implements AuthHeaderProvider {
String payloadHash = null;
if (includePayloadHash) {
if (!(request instanceof HttpEntityEnclosingRequest)) {
throw new IllegalArgumentException("cannot specify payload for request without an entity");
}
HttpEntity entity = ((HttpEntityEnclosingRequest) request).getEntity();
if (entity == null) {
throw new IllegalArgumentException("cannot specify payload for request with a null entity");
}
payloadHash = Base64.encodeBase64String(getPayloadHash(entity));
payloadHash = getPayloadHashString(request);
} else {
Logger.debug(LOG_TAG, "Configured to not include payload hash for this request.");
}
String app = null;
@ -183,6 +180,38 @@ public class HawkAuthHeaderProvider implements AuthHeaderProvider {
return new BasicHeader("Authorization", sb.toString());
}
/**
* Get the payload verification hash for the given request, if possible.
* <p>
* Returns null if the request does not enclose an entity (is not an HTTP
* PATCH, POST, or PUT). Throws if the payload verification hash cannot be
* computed.
*
* @param request
* to compute hash for.
* @return verification hash, or null if the request does not enclose an entity.
* @throws IllegalArgumentException if the request does not enclose a valid non-null entity.
* @throws UnsupportedEncodingException
* @throws NoSuchAlgorithmException
* @throws IOException
*/
protected static String getPayloadHashString(HttpRequestBase request)
throws UnsupportedEncodingException, NoSuchAlgorithmException, IOException, IllegalArgumentException {
final boolean shouldComputePayloadHash = request instanceof HttpEntityEnclosingRequest;
if (!shouldComputePayloadHash) {
Logger.debug(LOG_TAG, "Not computing payload verification hash for non-enclosing request.");
return null;
}
if (!(request instanceof HttpEntityEnclosingRequest)) {
throw new IllegalArgumentException("Cannot compute payload verification hash for enclosing request without an entity");
}
final HttpEntity entity = ((HttpEntityEnclosingRequest) request).getEntity();
if (entity == null) {
throw new IllegalArgumentException("Cannot compute payload verification hash for enclosing request with a null entity");
}
return Base64.encodeBase64String(getPayloadHash(entity));
}
/**
* Escape the user-provided extra string for the ext="" header attribute.
* <p>