diff --git a/.env.example b/.env.example
index 3000097..65364c5 100644
--- a/.env.example
+++ b/.env.example
@@ -2,3 +2,5 @@ FAB_HOST=localhost
 FAB_PORT=59661
 FAB_USER=Testuser
 FAB_PASS=secret
+DID_URL="https://did.dyne.org/dids/did:dyne:ifacer.test:"
+DELTA_TIMESTAMP=10
diff --git a/example/command.sh b/example/command.sh
new file mode 100755
index 0000000..1ca12e3
--- /dev/null
+++ b/example/command.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+source "../zenflows-crypto/test/utils.sh"
+
+sk="Cwj9CcqHNoBnXBo8iDfnhFkQeDun4Y4LStd2m3TEAYAg"
+
+cmd="$1"
+
+if [[ "$cmd" != "ON" && "$cmd" != "OFF" ]]; then
+ echo "Unknown command $cmd (known commands are ON and OFF)"
+ exit 1
+fi
+
+echo "SIGNING COMMAND"
+
+cat <not_signed.json
+{
+ "command": "$cmd",
+ "service": "urn:fabaccess:resource:Another",
+ "timestamp": "`date +%s`",
+ "token": "bm90LWltcGxlbWVudGVk",
+ "keyring": {
+ "eddsa": "$sk"
+ }
+}
+EOF
+
+ts_source='../zenflows-crypto/src/sign_fabaccess_cmd'
+echo "$ts_source"
+zen_source=`getscript $ts_source`
+
+echo "$zen_source"
+zenroom -a not_signed.json -z "$zen_source" >signed.json
+
+cat signed.json
+
+echo "SEND COMMAND"
+
+curl -X POST -H 'Content-Type:application/json' -d "@signed.json" "http://localhost:8000/command"
+echo
diff --git a/example/new_session.sh b/example/new_session.sh
deleted file mode 100755
index 7df665b..0000000
--- a/example/new_session.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-curl -X POST -H 'Content-Type:application/json' -d "@session.json" http://localhost:8000/new-session
diff --git a/example/send_off.json b/example/send_off.json
deleted file mode 100644
index 83e21c2..0000000
--- a/example/send_off.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "command": "OFF",
- "eddsa_public_key": "BmW1a6x43P4Rae9B4hS67PhHTCUShXAGy4K8tQtUfa8L",
- "eddsa_signature": "3YUhX39JihVQySNAQVD4zS1PMhjsVdyndffoZmBQGUiKEH8EuAU4b2hF9fYSYutjPGdVnHtNhq3fgo9PChsp1455",
- "service": "urn:fabaccess:resource:Another",
- "timestamp": "1675964281",
- "token": "todo"
-}
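Review bot: The `#!/bin/sh` shebang does not match the script body: the `[[ "$cmd" != "ON" && ... ]]` test and `source` are bash features, so where `/bin/sh` is dash the command check fails before anything is signed; use `#!/bin/bash`, or stay POSIX with `if [ "$cmd" != "ON" ] && [ "$cmd" != "OFF" ]; then` and `.` in place of `source`. The script also leaves `not_signed.json` in the working directory after signing, and that file holds the value of `sk`, which is placed under `keyring.eddsa` and so appears to be the private signing key; add `rm -f not_signed.json` after the `zenroom` line, and prefer reading the key from a file outside the repository rather than a literal in a committed script, since git history retains it even after the line is changed. The heredoc line reads `cat <not_signed.json` on this page yet is followed by a body and `EOF`, which looks like a `<<EOF >not_signed.json` redirection lost in extraction — worth confirming against the committed file.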
diff --git a/example/send_off.sh b/example/send_off.sh
deleted file mode 100755
index cbbe722..0000000
--- a/example/send_off.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-curl -X POST -H 'Content-Type:application/json' -d "@send_off.json" "http://localhost:8000/command"
diff --git a/example/send_on.json b/example/send_on.json
deleted file mode 100644
index 61caa90..0000000
--- a/example/send_on.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "command": "ON",
- "eddsa_public_key": "BmW1a6x43P4Rae9B4hS67PhHTCUShXAGy4K8tQtUfa8L",
- "eddsa_signature": "GJxBHa1wtb2WhnwPZjs4tCTavy7tQAA7py46xMtTfDtuqwUhMHdzmfqoKCbMzUHJvbcRxkcJD7Zz1qP3d6AETMc",
- "service": "urn:fabaccess:resource:Another",
- "timestamp": "1675964281",
- "token": "todo"
-}
diff --git a/example/send_on.sh b/example/send_on.sh
deleted file mode 100755
index ef3e063..0000000
--- a/example/send_on.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-curl -X POST -H 'Content-Type:application/json' -d "@send_on.json" "http://localhost:8000/command"
diff --git a/example/session.json b/example/session.json
deleted file mode 100644
index 59d3e1c..0000000
--- a/example/session.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "command": "OPEN",
- "eddsa_public_key": "EdDja2UdyPPEduFhXLEzzRHuW9TdaG7g16oVFAXWYvHt",
- "eddsa_signature": "4YApLBq9KMytJZmcRUdU2Ltn6QqLiDCPWshziBJymeP88vRg63VNWL19PM8TxZjcQvkBU6g7ABmwXdCyPnzWsNjM",
- "timestamp": "1234567"
-}
diff --git a/main.py b/main.py
index cb65cec..601b876 100644
--- a/main.py
+++ b/main.py
@@ -10,8 +10,10 @@ from pydantic import BaseModel
 from zenroom import zencode_exec
 import json
+import datetime
 import os
+import requests
 from dotenv import load_dotenv
 load_dotenv()
@@ -21,12 +23,16 @@ class Config:
 fab_port: int
 fab_user: str
 fab_pass: str
+ did_url: str
+ delta_timestamp: str
 def __init__(self):
 self.fab_host = os.getenv("FAB_HOST")
 self.fab_port = int(os.getenv("FAB_PORT"))
 self.fab_user = os.getenv("FAB_USER")
 self.fab_pass = os.getenv("FAB_PASS")
+ self.did_url = os.getenv("DID_URL")
+ self.delta_timestamp = int(os.getenv("DELTA_TIMESTAMP"))
 with open('zenflows-crypto/src/verify_fabaccess_open.zen','r') as file:
 zen_verify_open = file.read()
@@ -34,12 +40,6 @@ with open('zenflows-crypto/src/verify_fabaccess_open.zen','r') as file:
 with open('zenflows-crypto/src/verify_fabaccess_cmd.zen','r') as file:
 zen_verify_cmd = file.read()
-class NewSession(BaseModel):
- timestamp: str
- command: str
- eddsa_public_key: str
- eddsa_signature: str
-
 class Command(BaseModel):
 timestamp: str
 token: str
@@ -51,23 +51,16 @@ class Command(BaseModel):
 app = FastAPI()
 conf = Config()
-# Maybe the session is useless
-@app.post("/new-session")
-async def new_session(cmd: NewSession):
- zen_result = zencode_exec(zen_verify_open, keys=cmd.json())
-
- if zen_result.output == '':
- raise HTTPException(status_code=500, detail="Invalid signature")
-
- res = json.loads(zen_result.output)
-
- if res["output"][0] != 'ok':
- raise HTTPException(status_code=500, detail="Invalid signature")
-
- return {"token": "todo"}
-
 @app.post("/command")
 async def read_root(cmd: Command):
+ # Verify DID exits on DID controller
+
+ did_request = requests.get(f"{conf.did_url}{cmd.eddsa_public_key}")
+ if did_request.status_code != 200:
+ raise HTTPException(status_code=500, detail="Could not fetch did")
+
+ # Verify signature with zenroom
+
 zen_result = zencode_exec(zen_verify_cmd, keys=cmd.json())
 if zen_result.output == '':
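Review bot: The new `delta_timestamp: str` annotation disagrees with the value assigned in `__init__`, which is `int(os.getenv("DELTA_TIMESTAMP"))`; change it to `delta_timestamp: int`. Note that, as with `FAB_PORT`, an unset `DELTA_TIMESTAMP` fails inside `int()` with a `TypeError` that does not name the variable, and an unset `DID_URL` silently becomes `None`, which later turns into a request URL beginning with the literal text `None`; reading both with `os.environ[...]` instead fails at startup with a `KeyError` that says which setting is missing. The `Config` class header lies before this hunk.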
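Review bot: In the `/command` hunk, `cmd.eddsa_public_key` is client-supplied and is interpolated into the request URL unescaped, so a value containing `/`, `?` or `#` changes which resource on the DID controller is fetched, and since only `status_code != 200` is checked, any path that answers 200 passes the "DID exists" test; quote it as a single path segment with `urllib.parse.quote(..., safe="")`. The lookup also runs before the signature is verified, so every unauthenticated request costs the server an outbound round-trip, and `requests.get` is called with no `timeout` inside an `async def` handler, so a slow or unreachable DID controller stalls the event loop for all clients (connection failures raise `requests.RequestException` and surface as an unhandled 500). Move the network check after the local `zencode_exec` checks, bound it with a timeout, run it via `fastapi.concurrency.run_in_threadpool` so the loop is not blocked, and distinguish an upstream failure from an unregistered key in the status code. The comment reads `# Verify DID exits on DID controller`; it should say `exists`. `read_root` continues past the end of this hunk; `urllib.parse` is stdlib and, like `run_in_threadpool`, must be imported at the top of the file.
```python
    # … unchanged: zencode_exec(zen_verify_cmd, ...) and the two "Invalid signature" checks run first …

    # Verify the signing key exists on the DID controller. The key comes
    # from the client, so it is quoted as one path segment, and the lookup
    # is bounded by a timeout and run off the event loop.
    did_url = f"{conf.did_url}{urllib.parse.quote(cmd.eddsa_public_key, safe='')}"
    try:
        did_request = await run_in_threadpool(requests.get, did_url, timeout=5)
    except requests.RequestException:
        raise HTTPException(status_code=502, detail="Could not fetch did")
    if did_request.status_code != 200:
        raise HTTPException(status_code=403, detail="Unknown signing key")
```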
@@ -78,6 +71,18 @@ async def read_root(cmd: Command):
 if res["output"][0] != 'ok':
 raise HTTPException(status_code=500, detail="Invalid signature")
+ # Verify timestamp
+
+ now_time = datetime.datetime.now()
+ cmd_timestamp = int(cmd.timestamp)
+ delta_t = int(datetime.datetime.timestamp(now_time)) - cmd_timestamp
+ if delta_t < 0:
+ raise HTTPException(status_code=500, detail="Command from the future...")
+
+ if delta_t > conf.delta_timestamp:
+ raise HTTPException(status_code=500, detail="Signature expired")
+
+ # Connect to fabaccess and send command
 session = await fabapi.connect(conf.fab_host, conf.fab_port, conf.fab_user, conf.fab_pass)
 if session == None:
diff --git a/requirements.txt b/requirements.txt
index 392b3db..e8517b5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,4 @@ pydantic==1.10.4
 python-dotenv==0.21.1
 uvicorn==0.20.0
 zenroom==2.16.4
+requests==2.28.2
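Review bot: `cmd_timestamp = int(cmd.timestamp)` raises `ValueError` for a non-numeric `timestamp` (the `Command` model declares it as `str`), which surfaces as an unhandled 500 rather than a client error; wrap the conversion and return 400. The window check is otherwise sound, but be clear about what it gives: the timestamp is part of the JSON handed to `zencode_exec` and so presumably covered by the signature, yet within `DELTA_TIMESTAMP` seconds the same signed request can be resubmitted verbatim, and nothing in this hunk reads the `token` field, so a nonce or a short-lived record of accepted signatures is needed if replay inside the window matters. `delta_t < 0` rejects any client clock ahead of the server, so unsynchronised clocks will produce "Command from the future..." rejections; a small negative tolerance may be wanted. `datetime.datetime.now()` followed by `timestamp()` is one expression, which the fence collapses. `read_root` continues past the end of this hunk.
```python
    # Verify timestamp: a malformed value is a client error, not a server fault.
    try:
        cmd_timestamp = int(cmd.timestamp)
    except ValueError:
        raise HTTPException(status_code=400, detail="Malformed timestamp")
    delta_t = int(datetime.datetime.now().timestamp()) - cmd_timestamp
    # … unchanged: delta_t < 0 and delta_t > conf.delta_timestamp checks …
```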