From 503ddc8c41a73188678511b2e65630f64ca08482 Mon Sep 17 00:00:00 2001 From: Alex Bezdieniezhnykh Date: Wed, 26 Feb 2025 16:02:09 +0200 Subject: [PATCH] don't send hardware hash, calc on the api --- Azaion.Api/Program.cs | 10 ++---- Azaion.Common/Database/AzaionDbShemaHolder.cs | 1 + Azaion.Common/Entities/HardwareInfo.cs | 2 -- Azaion.Common/Entities/User.cs | 3 +- Azaion.Services/Security.cs | 6 +++- Azaion.Services/UserService.cs | 34 +++++++++---------- Azaion.Test/SecurityTest.cs | 4 +-- docker.test/Dockerfile | 2 ++ env/api/02-nginx-docker-registry.sh | 12 ------- 9 files changed, 32 insertions(+), 42 deletions(-) create mode 100644 docker.test/Dockerfile diff --git a/Azaion.Api/Program.cs b/Azaion.Api/Program.cs index d06ae17..80f5fb4 100644 --- a/Azaion.Api/Program.cs +++ b/Azaion.Api/Program.cs @@ -151,9 +151,9 @@ app.MapPost("/resources/get/{dataFolder?}", //Need to have POST method for secur if (user == null) throw new UnauthorizedAccessException(); - await userService.CheckHardware(user, request); + var hwHash = await userService.CheckHardwareHash(user, request); - var key = Security.MakeEncryptionKey(user.Email, request.Password, request.Hardware.Hash); + var key = Security.GetApiEncryptionKey(user.Email, request.Password, hwHash); var stream = await resourcesService.GetEncryptedResource(dataFolder, request.FileName, key, cancellationToken); return Results.File(stream, "application/octet-stream", request.FileName); @@ -162,11 +162,7 @@ app.MapPost("/resources/get/{dataFolder?}", //Need to have POST method for secur app.MapPut("/resources/reset-hardware", async (string email, IUserService userService, ICache cache, CancellationToken cancellationToken) => - { - await userService.UpdateHardware(email, new HardwareInfo(), cancellationToken); - var user = await userService.GetByEmail(email, cancellationToken); - cache.Invalidate($"{nameof(User)}.{user?.Id}"); - }) + await userService.UpdateHardware(email, new HardwareInfo(), cancellationToken)) .RequireAuthorization(apiAdminPolicy) .WithOpenApi(op => new OpenApiOperation(op){ Summary = "Resets hardware id in case of hardware change"}); diff --git a/Azaion.Common/Database/AzaionDbShemaHolder.cs b/Azaion.Common/Database/AzaionDbShemaHolder.cs index afa5d83..822a67d 100644 --- a/Azaion.Common/Database/AzaionDbShemaHolder.cs +++ b/Azaion.Common/Database/AzaionDbShemaHolder.cs @@ -30,6 +30,7 @@ public static class AzaionDbSchemaHolder .HasDataType(DataType.Text) .HasConversion(v => v.ToString(), v => (RoleEnum)Enum.Parse(typeof(RoleEnum), v)); + builder.Build(); } } \ No newline at end of file diff --git a/Azaion.Common/Entities/HardwareInfo.cs b/Azaion.Common/Entities/HardwareInfo.cs index 2fac438..c135e20 100644 --- a/Azaion.Common/Entities/HardwareInfo.cs +++ b/Azaion.Common/Entities/HardwareInfo.cs @@ -6,6 +6,4 @@ public class HardwareInfo public string GPU { get; set; } = null!; public string MacAddress { get; set; } = null!; public string Memory { get; set; } = null!; - - public string? Hash { get; set; } = null!; } \ No newline at end of file diff --git a/Azaion.Common/Entities/User.cs b/Azaion.Common/Entities/User.cs index cf7308c..44c88fc 100644 --- a/Azaion.Common/Entities/User.cs +++ b/Azaion.Common/Entities/User.cs @@ -6,6 +6,7 @@ public class User public string Email { get; set; } = null!; public string PasswordHash { get; set; } = null!; public string? Hardware { get; set; } - public string? HardwareHash { get; set; } public RoleEnum Role { get; set; } + + public static string GetCacheKey(string email) => $"{nameof(User)}.{email}"; } \ No newline at end of file diff --git a/Azaion.Services/Security.cs b/Azaion.Services/Security.cs index dd28668..d84233e 100644 --- a/Azaion.Services/Security.cs +++ b/Azaion.Services/Security.cs @@ -1,5 +1,6 @@ using System.Security.Cryptography; using System.Text; +using Azaion.Common.Entities; namespace Azaion.Services; @@ -10,7 +11,10 @@ public static class Security public static string ToHash(this string str) => Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(str))); - public static string MakeEncryptionKey(string email, string password, string? hardwareHash) => + public static string GetHWHash(HardwareInfo hardware) => + $"Azaion_{hardware.MacAddress}_{hardware.CPU}_{hardware.GPU}".ToHash(); + + public static string GetApiEncryptionKey(string email, string password, string? hardwareHash) => $"{email}-{password}-{hardwareHash}-#%@AzaionKey@%#---".ToHash(); public static async Task EncryptTo(this Stream stream, Stream toStream, string key, CancellationToken cancellationToken = default) diff --git a/Azaion.Services/UserService.cs b/Azaion.Services/UserService.cs index 23c03e7..54bf7a5 100644 --- a/Azaion.Services/UserService.cs +++ b/Azaion.Services/UserService.cs @@ -16,7 +16,7 @@ public interface IUserService Task GetByEmail(string email, CancellationToken cancellationToken = default); Task UpdateHardware(string email, HardwareInfo hardwareInfo, CancellationToken cancellationToken = default); Task> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken cancellationToken); - Task CheckHardware(User user, GetResourceRequest request); + Task CheckHardwareHash(User user, GetResourceRequest request); } public class UserService(IDbFactory dbFactory, ICache cache) : IUserService @@ -62,7 +62,8 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService }); - public async Task UpdateHardware(string email, HardwareInfo hardware, CancellationToken cancellationToken = default) => + public async Task UpdateHardware(string email, HardwareInfo hardware, CancellationToken cancellationToken = default) + { await dbFactory.RunAdmin(async db => { var hardwareStr = JsonConvert.SerializeObject(hardware); @@ -70,11 +71,11 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService await db.Users.UpdateAsync(x => x.Email == email, u => new User { - Hardware = hardwareStr, - HardwareHash = hardware.Hash + Hardware = hardwareStr }, token: cancellationToken); }); - + cache.Invalidate(User.GetCacheKey(email)); + } public async Task> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken cancellationToken) => await dbFactory.Run(async db => @@ -85,23 +86,22 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService u => u.Role == searchRole) .ToListAsync(token: cancellationToken)); - public async Task CheckHardware(User user, GetResourceRequest request) + public async Task CheckHardwareHash(User user, GetResourceRequest request) { - if (string.IsNullOrEmpty(user.HardwareHash)) + var requestHWHash = Security.GetHWHash(request.Hardware); + + //For the new users Hardware would be empty, fill it with actual hardware on the very first request + if (string.IsNullOrEmpty(user.Hardware)) { await UpdateHardware(user.Email, request.Hardware); - user.HardwareHash = request.Hardware.Hash; + cache.Invalidate(User.GetCacheKey(user.Email)); + return requestHWHash; } - var hwHash = await dbFactory.Run(async db => - await db.Users - .Where(x => x.Email == user.Email) - .Select(x => x.HardwareHash) - .FirstOrDefaultAsync()); - if (hwHash != user.HardwareHash) - user.HardwareHash = hwHash; - - if (user.HardwareHash != request.Hardware.Hash) + var userHW = JsonConvert.DeserializeObject(user.Hardware); + var userHWHash = Security.GetHWHash(userHW!); + if (userHWHash != requestHWHash) throw new BusinessException(ExceptionEnum.HardwareIdMismatch); + return userHWHash; } } diff --git a/Azaion.Test/SecurityTest.cs b/Azaion.Test/SecurityTest.cs index 4e1308e..a61424b 100644 --- a/Azaion.Test/SecurityTest.cs +++ b/Azaion.Test/SecurityTest.cs @@ -18,7 +18,7 @@ public class SecurityTest var password = "testpw"; var hardwareId = "test_hardware_id"; - var key = Security.MakeEncryptionKey(email, password, hardwareId); + var key = Security.GetApiEncryptionKey(email, password, hardwareId); var encryptedStream = new MemoryStream(); await StringToStream(testString).EncryptTo(encryptedStream, key); @@ -39,7 +39,7 @@ public class SecurityTest var password = "testpw"; var hardwareId = "test_hardware_id"; - var key = Security.MakeEncryptionKey(username, password, hardwareId); + var key = Security.GetApiEncryptionKey(username, password, hardwareId); var largeFilePath = "large.txt"; var largeFileDecryptedPath = "large_decrypted.txt"; diff --git a/docker.test/Dockerfile b/docker.test/Dockerfile new file mode 100644 index 0000000..72cdee7 --- /dev/null +++ b/docker.test/Dockerfile @@ -0,0 +1,2 @@ +FROM alpine:latest +CMD echo hello \ No newline at end of file diff --git a/env/api/02-nginx-docker-registry.sh b/env/api/02-nginx-docker-registry.sh index 3f78a26..e4a6ced 100644 --- a/env/api/02-nginx-docker-registry.sh +++ b/env/api/02-nginx-docker-registry.sh @@ -63,18 +63,6 @@ server { ssl_certificate /etc/letsencrypt/live/api.azaion.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/api.azaion.com/privkey.pem; - location /cdn/ { - alias /var/www/cdn.azaion.com/; - expires 3560d; - access_log_off; - log_not_found off; - gzip_static on; - - autoindex on; - autoindex_exact_size off; - autoindex_localtime on; - } - location / { proxy_pass http://localhost:4000; # API service running on port 4000 proxy_set_header Host \$host;