primary.js

/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is Mozilla BrowserID.
 *
 * The Initial Developer of the Original Code is Mozilla.
 * Portions created by the Initial Developer are Copyright (C) 2011
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *  Lloyd Hilaiel <lloyd@hilaiel.com>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

// this file is an abstraction around "primary identity authority" support,
// specifically checks and a cache to see if a primary supports browserid
// natively.

const
https = require('https'),
http = require('http'),
logger = require('./logging.js').logger,
urlparse = require('urlparse'),
jwk = require('jwcrypto/jwk'),
jwcert = require("jwcrypto/jwcert"),
vep = require("jwcrypto/vep"),
jwt = require("jwcrypto/jwt"),
config = require("./configuration.js");

const WELL_KNOWN_URL = "/.well-known/browserid";

// cache .well-known/browserid for six hours
const MAX_CACHE_MS = (6 * 60 * 60 * 1000);

function parseWellKnownBody(body, domain) {
  var v = JSON.parse(body);

  const want = [ 'public-key', 'authentication', 'provisioning' ];
  var got = Object.keys(v);

  want.forEach(function(k) {
    if (-1 === got.indexOf(k)) throw "missing required key: " + k;
  });

  var urls = {
    auth: 'https://' + domain + v.authentication,
    prov: 'https://' + domain + v.provisioning,
  };

  // validate the urls
  urlparse(urls.auth).validate();
  urlparse(urls.prov).validate();

  // parse the public key
  return {
    publicKey: jwk.PublicKey.fromSimpleObject(v['public-key']),
    urls: urls
  };
}

// a cache of network responses.  We want to move this into
// fast and efficient external key/value storage as we scale
var g_cache = { };

exports.checkSupport = function(domain, cb) {
  if (!cb) throw "missing required callback function";

  if (config.get('disable_primary_support')) {
    return process.nextTick(function() { cb(null, false); });
  }

  if (typeof domain !== 'string' || !domain.length) {
    return process.nextTick(function() { cb("invalid domain"); });
  }

  // check cache age
  if (g_cache[domain]) {
    if (!g_cache[domain].when || (new Date() - g_cache[domain].when) > MAX_CACHE_MS) {
      delete g_cache[domain];
    }

    if (g_cache[domain]) {
      logger.debug("returning primary support status for '" + domain + "' from cache");
      return process.nextTick(function() { cb(null, g_cache[domain].status); });
    }
  }

  function cacheAndReturn(cacheValue, publicKey) {
    g_cache[domain] = {
      when: new Date(),
      status: cacheValue,
      publicKey: publicKey
    };
    cb(null, cacheValue);
  }

  function handleResponse(res) {
    if (res.statusCode !== 200) {
      logger.debug(domain + ' is not a browserid primary - non-200 response code to ' + WELL_KNOWN_URL);
      return cacheAndReturn(false);
    }
    if (res.headers['content-type'].indexOf('application/json') !== 0) {
      logger.debug(domain + ' is not a browserid primary - non "application/json" response to ' + WELL_KNOWN_URL);
      return cacheAndReturn(false);
    }

    var body = "";
    res.on('data', function(chunk) { body += chunk; });
    res.on('end', function() {
      try {
        var r = parseWellKnownBody(body, domain);
        logger.info(domain + ' is a valid browserid primary');
        return cacheAndReturn(r.urls, r.publicKey);
      } catch(e) {
        logger.debug(domain + ' is a broken browserid primary, malformed dec of support: ' + e.toString());
        return cacheAndReturn(false);
      }
    });
  };

  // now we need to check to see if domain purports to being a primary for browserid
  var httpProxy = config.get('http_proxy');

  var req;
  if (httpProxy && httpProxy.port && httpProxy.host) {
    req = http.get({
      host: httpProxy.host,
      port: httpProxy.port,
      path: 'https://' + domain + WELL_KNOWN_URL,
      headers: {
        host: domain
      }
    }, handleResponse);
  } else {
    req = https.get({
      host: domain,
      path: WELL_KNOWN_URL,
      agent: false
    }, handleResponse);
  }

  req.on('error', function(e) {
    logger.debug(domain + ' is not a browserid primary: ' + e.toString());
    cacheAndReturn(false);
  });
};

// Support "shimmed primaries" for local development.  That is an environment variable that is any number of
// CSV values of the form:
//  <domain>|<origin>|<path to .well-known/browserid>,
// where 'domain' is the domain that we would like to shim.  'origin' is the origin to which traffic should
// be directed, and 'path to .well-known/browserid' is a path to the browserid file for the domain
//
// defining this env var will pre-seed the cache so local testing can take place.  example:
//
// SHIMMED_PRIMARIES=eyedee.me|http://127.0.0.1:10005|example/primary/.well-known/browserid

if (process.env['SHIMMED_PRIMARIES']) {
  var shims = process.env['SHIMMED_PRIMARIES'].split(',');
  shims.forEach(function(shim) {
    var a = shim.split('|');
    var domain = a[0], origin = a[1], path = a[2];
    var body = require('fs').readFileSync(path);
    var r = parseWellKnownBody(body, domain);
    r.urls.auth = r.urls.auth.replace('https://' + domain, origin);
    r.urls.prov = r.urls.prov.replace('https://' + domain, origin);

    g_cache[domain] = {
      when: new Date(),
      status: r.urls,
      publicKey: r.publicKey
    };

    logger.info("inserted primary info for '" + domain + "' into cache, pointed at '" + origin + "'");
  });
}

exports.getPublicKey = function(domain, cb) {
  exports.checkSupport(domain, function(err, rv) {
    if (err) return cb(err);
    var pubKey;
    if (rv) pubKey = g_cache[domain].publicKey;
    if (!pubKey) return cb("can't get public key for " + domain);
    cb(null, pubKey);
  });
};

// verify an assertion generated to authenticate to browserid
exports.verifyAssertion = function(assertion, cb) {
  if (config.get('disable_primary_support')) {
    return process.nextTick(function() { cb("primary support disabled") });
  }

  try {
    var bundle = vep.unbundleCertsAndAssertion(assertion);
  } catch(e) {
    return process.nextTick(function() { cb("malformed assertion: " + e); });
  }

  jwcert.JWCert.verifyChain(
    bundle.certificates,
    new Date(), function(issuer, next) {
      // issuer cannot be the browserid
      if (issuer === config.get('hostname')) {
        cb("cannot authenticate to browserid with a certificate issued by it.");
      } else {
        exports.getPublicKey(issuer, function(err, pubKey) {
          if (err) return cb(err);
          next(pubKey);
        });
      }
    }, function(pk, principal) {
      try {
        var tok = new jwt.JWT();
        tok.parse(bundle.assertion);

        // audience must be browserid itself
        var want = urlparse(config.get('URL')).originOnly();
        var got = urlparse(tok.audience).originOnly();

        if (want.toString() !== got.toString()) {
          return cb("can't log in with an assertion for '" + got.toString() + "'");
        }
        if (!tok.verify(pk)) throw "verification failure";
        cb(null, principal.email);
      } catch(e) {
        cb("can't verify assertion: " + e.toString());
      }
    }, cb);
};