feat: nodesNetworkVerifyClaim test

MatrixAI · Aug 20, 2024 · 1eadd20 · 1eadd20
1 parent a401b04
commit 1eadd20
Show file tree

Hide file tree

Showing 4 changed files with 353 additions and 11 deletions.
diff --git a/src/nodes/NodeManager.ts b/src/nodes/NodeManager.ts
@@ -1560,30 +1560,71 @@ class NodeManager {
     }
     const signedClaim = claimsUtils.parseSignedClaim(input.signedTokenEncoded);
     const token = Token.fromSigned(signedClaim);
-    const tokenEncodedSignatures = token.signaturesEncoded.map((e) => e.signature);
+    assertClaimNetworkAccess(token.payload);
     // Verify if the token is signed
     if (
       !token.verifyWithPublicKey(
         keysUtils.publicKeyFromNodeId(requestingNodeId),
+      ) ||
+      !token.verifyWithPublicKey(
+        keysUtils.publicKeyFromNodeId(
+          nodesUtils.decodeNodeId(token.payload.iss)!,
+        ),
       )
     ) {
-      throw new claimsErrors.ErrorSinglySignedClaimVerificationFailed();
+      throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
+    }
+    const authorityToken = Token.fromEncoded(token.payload.signedClaimNetworkAuthorityEncoded);
+    // Verify if the token is signed
+    if (
+      token.payload.iss !== authorityToken.payload.sub ||
+      !authorityToken.verifyWithPublicKey(
+        keysUtils.publicKeyFromNodeId(
+          nodesUtils.decodeNodeId(authorityToken.payload.sub)!,
+        ),
+      ) ||
+      !authorityToken.verifyWithPublicKey(
+        keysUtils.publicKeyFromNodeId(
+          nodesUtils.decodeNodeId(authorityToken.payload.iss)!,
+        ),
+      )
+    ) {
+      throw new claimsErrors.ErrorDoublySignedClaimVerificationFailed();
     }
 
     let isAuthenticated = false;
     for await (const [_, claim] of this.sigchain.getSignedClaims({})) {
+      const tokenNetworkAccess = Token.fromSigned(claim);
       try {
-        assertClaimNetworkAccess(claim.payload);
-        const signedClaimNetworkAuthority = Token.fromSigned(claimsUtils.parseSignedClaim(claim.payload.signedClaimNetworkAuthorityEncoded));
-        assertClaimNetworkAuthority(signedClaimNetworkAuthority.payload);
-        if (signedClaimNetworkAuthority.signaturesEncoded.findIndex((sig) => tokenEncodedSignatures.includes(sig.signature)) !== -1) {
-          isAuthenticated = true;
-          break;
-        }
+        assertClaimNetworkAccess(tokenNetworkAccess.payload);
+      }
+      catch {
+        continue;
+      }
+      const tokenNetworkAuthority = Token.fromEncoded(tokenNetworkAccess.payload.signedClaimNetworkAuthorityEncoded);
+      try {
+        assertClaimNetworkAuthority(tokenNetworkAuthority.payload);
       }
       catch {
         continue;
       }
+      if (!tokenNetworkAuthority.verifyWithPublicKey(
+        keysUtils.publicKeyFromNodeId(
+          nodesUtils.decodeNodeId(tokenNetworkAccess.payload.iss)!,
+        ),
+      )) {
+        continue;
+      }
+      if (
+        authorityToken.verifyWithPublicKey(
+          keysUtils.publicKeyFromNodeId(
+            nodesUtils.decodeNodeId(tokenNetworkAccess.payload.iss)!,
+          )
+        )
+      ) {
+        isAuthenticated = true;
+        break;
+      }
     }
 
     return {

diff --git a/src/nodes/agent/callers/index.ts b/src/nodes/agent/callers/index.ts
@@ -5,6 +5,7 @@ import nodesConnectionSignalFinal from './nodesConnectionSignalFinal';
 import nodesConnectionSignalInitial from './nodesConnectionSignalInitial';
 import nodesCrossSignClaim from './nodesCrossSignClaim';
 import nodesNetworkSignClaim from './nodesNetworkSignClaim';
+import nodesNetworkVerifyClaim from './nodesNetworkVerifyClaim';
 import notificationsSend from './notificationsSend';
 import vaultsGitInfoGet from './vaultsGitInfoGet';
 import vaultsGitPackGet from './vaultsGitPackGet';
@@ -21,6 +22,7 @@ const manifestClient = {
   nodesConnectionSignalInitial,
   nodesCrossSignClaim,
   nodesNetworkSignClaim,
+  nodesNetworkVerifyClaim,
   notificationsSend,
   vaultsGitInfoGet,
   vaultsGitPackGet,
@@ -39,6 +41,7 @@ export {
   nodesConnectionSignalInitial,
   nodesCrossSignClaim,
   nodesNetworkSignClaim,
+  nodesNetworkVerifyClaim,
   notificationsSend,
   vaultsGitInfoGet,
   vaultsGitPackGet,

diff --git a/src/nodes/agent/handlers/NodesNetworkVerifyClaim.ts b/src/nodes/agent/handlers/NodesNetworkVerifyClaim.ts
@@ -18,8 +18,8 @@ class NodesNetworkVerifyClaim extends UnaryHandler<
   {
     nodeManager: NodeManager;
   },
-  AgentRPCRequestParams<{}>,
-  AgentRPCResponseResult<{}>
+  AgentRPCRequestParams<AgentClaimMessage>,
+  AgentRPCResponseResult<{ success: boolean }>
 > {
   public handle = async (
     input: AgentRPCRequestParams<AgentClaimMessage>,