resources/cryptotoken/signer.js

// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

/**
 * @fileoverview Handles web page requests for gnubby sign requests.
 */

'use strict';

var signRequestQueue = new OriginKeyedRequestQueue();

/**
 * Handles a sign request.
 * @param {!SignHelperFactory} factory Factory to create a sign helper.
 * @param {MessageSender} sender The sender of the message.
 * @param {Object} request The web page's sign request.
 * @param {Function} sendResponse Called back with the result of the sign.
 * @param {boolean} toleratesMultipleResponses Whether the sendResponse
 *     callback can be called more than once, e.g. for progress updates.
 * @return {Closeable} Request handler that should be closed when the browser
 *     message channel is closed.
 */
function handleSignRequest(factory, sender, request, sendResponse,
    toleratesMultipleResponses) {
  var sentResponse = false;
  function sendResponseOnce(r) {
    if (queuedSignRequest) {
      queuedSignRequest.close();
      queuedSignRequest = null;
    }
    if (!sentResponse) {
      sentResponse = true;
      try {
        // If the page has gone away or the connection has otherwise gone,
        // sendResponse fails.
        sendResponse(r);
      } catch (exception) {
        console.warn('sendResponse failed: ' + exception);
      }
    } else {
      console.warn(UTIL_fmt('Tried to reply more than once! Juan, FIX ME'));
    }
  }

  function sendErrorResponse(code) {
    var response = formatWebPageResponse(GnubbyMsgTypes.SIGN_WEB_REPLY, code);
    sendResponseOnce(response);
  }

  function sendSuccessResponse(challenge, info, browserData) {
    var responseData = {};
    for (var k in challenge) {
      responseData[k] = challenge[k];
    }
    responseData['browserData'] = B64_encode(UTIL_StringToBytes(browserData));
    responseData['signatureData'] = info;
    var response = formatWebPageResponse(GnubbyMsgTypes.SIGN_WEB_REPLY,
        GnubbyCodeTypes.OK, responseData);
    sendResponseOnce(response);
  }

  var origin = getOriginFromUrl(/** @type {string} */ (sender.url));
  if (!origin) {
    sendErrorResponse(GnubbyCodeTypes.BAD_REQUEST);
    return null;
  }
  // More closure type inference fail.
  var nonNullOrigin = /** @type {string} */ (origin);

  if (!isValidSignRequest(request)) {
    sendErrorResponse(GnubbyCodeTypes.BAD_REQUEST);
    return null;
  }

  var signData = request['signData'];
  // A valid sign data has at least one challenge, so get the first appId from
  // the first challenge.
  var firstAppId = signData[0]['appId'];
  var timeoutMillis = Signer.DEFAULT_TIMEOUT_MILLIS;
  if (request['timeout']) {
    // Request timeout is in seconds.
    timeoutMillis = request['timeout'] * 1000;
  }
  var timer = new CountdownTimer(timeoutMillis);
  var logMsgUrl = request['logMsgUrl'];

  // Queue sign requests from the same origin, to protect against simultaneous
  // sign-out on many tabs resulting in repeated sign-in requests.
  var queuedSignRequest = new QueuedSignRequest(signData, factory, timer,
      nonNullOrigin, sendErrorResponse, sendSuccessResponse,
      sender.tlsChannelId, logMsgUrl);
  var requestToken = signRequestQueue.queueRequest(firstAppId, nonNullOrigin,
      queuedSignRequest.begin.bind(queuedSignRequest), timer);
  queuedSignRequest.setToken(requestToken);
  return queuedSignRequest;
}

/**
 * Returns whether the request appears to be a valid sign request.
 * @param {Object} request the request.
 * @return {boolean} whether the request appears valid.
 */
function isValidSignRequest(request) {
  if (!request.hasOwnProperty('signData'))
    return false;
  var signData = request['signData'];
  // If a sign request contains an empty array of challenges, it could never
  // be fulfilled. Fail.
  if (!signData.length)
    return false;
  return isValidSignData(signData);
}

/**
 * Adapter class representing a queued sign request.
 * @param {!SignData} signData Signature data
 * @param {!SignHelperFactory} factory Factory for SignHelper instances
 * @param {Countdown} timer Timeout timer
 * @param {string} origin Signature origin
 * @param {function(number)} errorCb Error callback
 * @param {function(SignChallenge, string, string)} successCb Success callback
 * @param {string|undefined} opt_tlsChannelId TLS Channel Id
 * @param {string|undefined} opt_logMsgUrl Url to post log messages to
 * @constructor
 * @implements {Closeable}
 */
function QueuedSignRequest(signData, factory, timer, origin, errorCb, successCb,
    opt_tlsChannelId, opt_logMsgUrl) {
  /** @private {!SignData} */
  this.signData_ = signData;
  /** @private {!SignHelperFactory} */
  this.factory_ = factory;
  /** @private {Countdown} */
  this.timer_ = timer;
  /** @private {string} */
  this.origin_ = origin;
  /** @private {function(number)} */
  this.errorCb_ = errorCb;
  /** @private {function(SignChallenge, string, string)} */
  this.successCb_ = successCb;
  /** @private {string|undefined} */
  this.tlsChannelId_ = opt_tlsChannelId;
  /** @private {string|undefined} */
  this.logMsgUrl_ = opt_logMsgUrl;
  /** @private {boolean} */
  this.begun_ = false;
  /** @private {boolean} */
  this.closed_ = false;
}

/** Closes this sign request. */
QueuedSignRequest.prototype.close = function() {
  if (this.closed_) return;
  if (this.begun_ && this.signer_) {
    this.signer_.close();
  }
  if (this.token_) {
    this.token_.complete();
  }
  this.closed_ = true;
};

/**
 * @param {QueuedRequestToken} token Token for this sign request.
 */
QueuedSignRequest.prototype.setToken = function(token) {
  /** @private {QueuedRequestToken} */
  this.token_ = token;
};

/**
 * Called when this sign request may begin work.
 * @param {QueuedRequestToken} token Token for this sign request.
 */
QueuedSignRequest.prototype.begin = function(token) {
  this.begun_ = true;
  this.setToken(token);
  this.signer_ = new Signer(this.factory_, this.timer_, this.origin_,
      this.signerFailed_.bind(this), this.signerSucceeded_.bind(this),
      this.tlsChannelId_, this.logMsgUrl_);
  if (!this.signer_.setChallenges(this.signData_)) {
    token.complete();
    this.errorCb_(GnubbyCodeTypes.BAD_REQUEST);
  }
};

/**
 * Called when this request's signer fails.
 * @param {number} code The failure code reported by the signer.
 * @private
 */
QueuedSignRequest.prototype.signerFailed_ = function(code) {
  this.token_.complete();
  this.errorCb_(code);
};

/**
 * Called when this request's signer succeeds.
 * @param {SignChallenge} challenge The challenge that was signed.
 * @param {string} info The sign result.
 * @param {string} browserData Browser data JSON
 * @private
 */
QueuedSignRequest.prototype.signerSucceeded_ =
    function(challenge, info, browserData) {
  this.token_.complete();
  this.successCb_(challenge, info, browserData);
};

/**
 * Creates an object to track signing with a gnubby.
 * @param {!SignHelperFactory} helperFactory Factory to create a sign helper.
 * @param {Countdown} timer Timer for sign request.
 * @param {string} origin The origin making the request.
 * @param {function(number)} errorCb Called when the sign operation fails.
 * @param {function(SignChallenge, string, string)} successCb Called when the
 *     sign operation succeeds.
 * @param {string=} opt_tlsChannelId the TLS channel ID, if any, of the origin
 *     making the request.
 * @param {string=} opt_logMsgUrl The url to post log messages to.
 * @constructor
 */
function Signer(helperFactory, timer, origin, errorCb, successCb,
    opt_tlsChannelId, opt_logMsgUrl) {
  /** @private {Countdown} */
  this.timer_ = timer;
  /** @private {string} */
  this.origin_ = origin;
  /** @private {function(number)} */
  this.errorCb_ = errorCb;
  /** @private {function(SignChallenge, string, string)} */
  this.successCb_ = successCb;
  /** @private {string|undefined} */
  this.tlsChannelId_ = opt_tlsChannelId;
  /** @private {string|undefined} */
  this.logMsgUrl_ = opt_logMsgUrl;

  /** @private {boolean} */
  this.challengesSet_ = false;
  /** @private {Array.<SignHelperChallenge>} */
  this.pendingChallenges_ = [];
  /** @private {boolean} */
  this.done_ = false;

  /** @private {Object.<string, string>} */
  this.browserData_ = {};
  /** @private {Object.<string, SignChallenge>} */
  this.serverChallenges_ = {};
  // Allow http appIds for http origins. (Broken, but the caller deserves
  // what they get.)
  /** @private {boolean} */
  this.allowHttp_ = this.origin_ ? this.origin_.indexOf('http://') == 0 : false;

  // Protect against helper failure with a watchdog.
  this.createWatchdog_(timer);
  /** @private {SignHelper} */
  this.helper_ = helperFactory.createHelper(
      timer, this.helperError_.bind(this), this.helperSuccess_.bind(this),
          this.logMsgUrl_);
}

/**
 * Creates a timer with an expiry greater than the expiration time of the given
 * timer.
 * @param {Countdown} timer Timeout timer
 * @private
 */
Signer.prototype.createWatchdog_ = function(timer) {
  var millis = timer.millisecondsUntilExpired();
  millis += CountdownTimer.TIMER_INTERVAL_MILLIS;
  /** @private {Countdown|undefined} */
  this.watchdogTimer_ = new CountdownTimer(millis, this.timeout_.bind(this));
};

/**
 * Default timeout value in case the caller never provides a valid timeout.
 */
Signer.DEFAULT_TIMEOUT_MILLIS = 30 * 1000;

/**
 * Sets the challenges to be signed.
 * @param {SignData} signData The challenges to set.
 * @return {boolean} Whether the challenges could be set.
 */
Signer.prototype.setChallenges = function(signData) {
  if (this.challengesSet_ || this.done_)
    return false;
  /** @private {SignData} */
  this.signData_ = signData;
  /** @private {boolean} */
  this.challengesSet_ = true;

  this.checkAppIds_();
  return true;
};

/**
 * Adds new challenges to the challenges being signed.
 * @param {SignData} signData Challenges to add.
 * @param {boolean} finalChallenges Whether these are the final challenges.
 * @return {boolean} Whether the challenge could be added.
 */
Signer.prototype.addChallenges = function(signData, finalChallenges) {
  var newChallenges = this.encodeSignChallenges_(signData);
  for (var i = 0; i < newChallenges.length; i++) {
    this.pendingChallenges_.push(newChallenges[i]);
  }
  if (!finalChallenges) {
    return true;
  }
  return this.helper_.doSign(this.pendingChallenges_);
};

/**
 * Creates challenges for helper from challenges.
 * @param {Array.<SignChallenge>} challenges Challenges to add.
 * @return {Array.<SignHelperChallenge>} Encoded challenges
 * @private
 */
Signer.prototype.encodeSignChallenges_ = function(challenges) {
  var newChallenges = [];
  for (var i = 0; i < challenges.length; i++) {
    var incomingChallenge = challenges[i];
    var serverChallenge = incomingChallenge['challenge'];
    var appId = incomingChallenge['appId'];
    var encodedKeyHandle = incomingChallenge['keyHandle'];
    var version = incomingChallenge['version'];

    var browserData =
        makeSignBrowserData(serverChallenge, this.origin_, this.tlsChannelId_);
    var encodedChallenge = makeChallenge(browserData, appId, encodedKeyHandle,
        version);

    var key = encodedKeyHandle + encodedChallenge['challengeHash'];
    this.browserData_[key] = browserData;
    this.serverChallenges_[key] = incomingChallenge;

    newChallenges.push(encodedChallenge);
  }
  return newChallenges;
};

/**
 * Checks the app ids of incoming requests, and, when this signer is enforcing
 * that app ids are valid, adds successful challenges to those being signed.
 * @private
 */
Signer.prototype.checkAppIds_ = function() {
  // Check the incoming challenges' app ids.
  /** @private {Array.<[string, Array.<Request>]>} */
  this.orderedRequests_ = requestsByAppId(this.signData_);
  if (!this.orderedRequests_.length) {
    // Safety check: if the challenges are somehow empty, the helper will never
    // be fed any data, so the request could never be satisfied. You lose.
    this.notifyError_(GnubbyCodeTypes.BAD_REQUEST);
    return;
  }
  /** @private {number} */
  this.fetchedAppIds_ = 0;
  /** @private {number} */
  this.validAppIds_ = 0;
  for (var i = 0, appIdRequestsPair; i < this.orderedRequests_.length; i++) {
    var appIdRequestsPair = this.orderedRequests_[i];
    var appId = appIdRequestsPair[0];
    var requests = appIdRequestsPair[1];
    if (appId == this.origin_) {
      // Trivially allowed.
      this.fetchedAppIds_++;
      this.validAppIds_++;
      this.addChallenges(requests,
          this.fetchedAppIds_ == this.orderedRequests_.length);
    } else {
      var start = new Date();
      fetchAllowedOriginsForAppId(appId, this.allowHttp_,
          this.fetchedAllowedOriginsForAppId_.bind(this, appId, start,
              requests));
    }
  }
};

/**
 * Called with the result of an app id fetch.
 * @param {string} appId the app id that was fetched.
 * @param {Date} start the time the fetch request started.
 * @param {Array.<SignChallenge>} challenges Challenges for this app id.
 * @param {number} rc The HTTP response code for the app id fetch.
 * @param {!Array.<string>} allowedOrigins The origins allowed for this app id.
 * @private
 */
Signer.prototype.fetchedAllowedOriginsForAppId_ = function(appId, start,
    challenges, rc, allowedOrigins) {
  var end = new Date();
  logFetchAppIdResult(appId, end - start, allowedOrigins, this.logMsgUrl_);
  if (rc != 200 && !(rc >= 400 && rc < 500)) {
    if (this.timer_.expired()) {
      // Act as though the helper timed out.
      this.helperError_(DeviceStatusCodes.TIMEOUT_STATUS, false);
    } else {
      start = new Date();
      fetchAllowedOriginsForAppId(appId, this.allowHttp_,
          this.fetchedAllowedOriginsForAppId_.bind(this, appId, start,
              challenges));
    }
    return;
  }
  this.fetchedAppIds_++;
  var finalChallenges = (this.fetchedAppIds_ == this.orderedRequests_.length);
  if (isValidAppIdForOrigin(appId, this.origin_, allowedOrigins)) {
    this.validAppIds_++;
    this.addChallenges(challenges, finalChallenges);
  } else {
    logInvalidOriginForAppId(this.origin_, appId, this.logMsgUrl_);
    // If this is the final request, sign the valid challenges.
    if (finalChallenges) {
      if (!this.helper_.doSign(this.pendingChallenges_)) {
        this.notifyError_(GnubbyCodeTypes.BAD_REQUEST);
        return;
      }
    }
  }
  if (finalChallenges && !this.validAppIds_) {
    // If all app ids are invalid, notify the caller, otherwise implicitly
    // allow the helper to report whether any of the valid challenges succeeded.
    this.notifyError_(GnubbyCodeTypes.BAD_APP_ID);
  }
};

/**
 * Called when the timeout expires on this signer.
 * @private
 */
Signer.prototype.timeout_ = function() {
  this.watchdogTimer_ = undefined;
  // The web page gets grumpy if it doesn't get WAIT_TOUCH within a reasonable
  // time.
  this.notifyError_(GnubbyCodeTypes.WAIT_TOUCH);
};

/** Closes this signer. */
Signer.prototype.close = function() {
  if (this.helper_) this.helper_.close();
};

/**
 * Notifies the caller of error with the given error code.
 * @param {number} code Error code
 * @private
 */
Signer.prototype.notifyError_ = function(code) {
  if (this.done_)
    return;
  this.close();
  this.done_ = true;
  this.errorCb_(code);
};

/**
 * Notifies the caller of success.
 * @param {SignChallenge} challenge The challenge that was signed.
 * @param {string} info The sign result.
 * @param {string} browserData Browser data JSON
 * @private
 */
Signer.prototype.notifySuccess_ = function(challenge, info, browserData) {
  if (this.done_)
    return;
  this.close();
  this.done_ = true;
  this.successCb_(challenge, info, browserData);
};

/**
 * Maps a sign helper's error code namespace to the page's error code namespace.
 * @param {number} code Error code from DeviceStatusCodes namespace.
 * @param {boolean} anyGnubbies Whether any gnubbies were found.
 * @return {number} A GnubbyCodeTypes error code.
 * @private
 */
Signer.mapError_ = function(code, anyGnubbies) {
  var reportedError;
  switch (code) {
    case DeviceStatusCodes.WRONG_DATA_STATUS:
      reportedError = anyGnubbies ? GnubbyCodeTypes.NONE_PLUGGED_ENROLLED :
          GnubbyCodeTypes.NO_GNUBBIES;
      break;

    case DeviceStatusCodes.OK_STATUS:
      // If the error callback is called with OK, it means the signature was
      // empty, which we treat the same as...
    case DeviceStatusCodes.WAIT_TOUCH_STATUS:
      reportedError = GnubbyCodeTypes.WAIT_TOUCH;
      break;

    case DeviceStatusCodes.BUSY_STATUS:
      reportedError = GnubbyCodeTypes.BUSY;
      break;

    default:
      reportedError = GnubbyCodeTypes.UNKNOWN_ERROR;
      break;
  }
  return reportedError;
};

/**
 * Called by the helper upon error.
 * @param {number} code Error code
 * @param {boolean} anyGnubbies If any gnubbies were found
 * @private
 */
Signer.prototype.helperError_ = function(code, anyGnubbies) {
  this.clearTimeout_();
  var reportedError = Signer.mapError_(code, anyGnubbies);
  console.log(UTIL_fmt('helper reported ' + code.toString(16) +
      ', returning ' + reportedError));
  this.notifyError_(reportedError);
};

/**
 * Called by helper upon success.
 * @param {SignHelperChallenge} challenge The challenge that was signed.
 * @param {string} info The sign result.
 * @param {string=} opt_source The source, if any, if the signature.
 * @private
 */
Signer.prototype.helperSuccess_ = function(challenge, info, opt_source) {
  // Got a good reply, kill timer.
  this.clearTimeout_();

  if (this.logMsgUrl_ && opt_source) {
    var logMsg = 'signed&source=' + opt_source;
    logMessage(logMsg, this.logMsgUrl_);
  }

  var key = challenge['keyHandle'] + challenge['challengeHash'];
  var browserData = this.browserData_[key];
  // Notify with server-provided challenge, not the encoded one: the
  // server-provided challenge contains additional fields it relies on.
  var serverChallenge = this.serverChallenges_[key];
  this.notifySuccess_(serverChallenge, info, browserData);
};

/**
 * Clears the timeout for this signer.
 * @private
 */
Signer.prototype.clearTimeout_ = function() {
  if (this.watchdogTimer_) {
    this.watchdogTimer_.clearTimeout();
    this.watchdogTimer_ = undefined;
  }
};