secure service: config for identity check
This commit is contained in:
parent
7f969a891f
commit
c6f5b3491c
2 changed files with 38 additions and 2 deletions
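--- a/net/secureservice/config.go
+++ b/net/secureservice/config.go
@@ -0,0 +1,30 @@
+package secureservice
+
+import "context"
+
+type ctxKey int
+
+const (
+allowAccountCheck ctxKey = iota
+)
+
+type configGetter interface {
+GetSecureService() Config
+}
+
+type Config struct {
+RequireClientAuth bool `yaml:"requireClientAuth"`
+}
+
+// CtxAllowAccountCheck upgrades the context to allow identity check on handshake
+func CtxAllowAccountCheck(ctx context.Context) context.Context {
+return context.WithValue(ctx, allowAccountCheck, true)
+}
+
+// CtxIsAccountCheckAllowed checks if the "allowAccountCheck" flag is set to true in the provided context.
+func CtxIsAccountCheckAllowed(ctx context.Context) bool {
+if v, ok := ctx.Value(allowAccountCheck).(bool); ok {
+return v
+}
+return false
+}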
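Review bot: Config.RequireClientAuth and configGetter carry no doc comment, and the field is the only public knob this file exposes, so its effect (selecting the peer-signature verifier for inbound handshakes even when this peer is not a configured node) is only discoverable by reading Init in the other file. Suggest `// RequireClientAuth forces identity verification of inbound peers even when this peer is not a configured node.` above the field, and `// configGetter is implemented by the app config component to expose the secure service section.` above the interface. The CtxIsAccountCheckAllowed comment quotes the unexported constant name, which a caller cannot see; its contract reads more clearly as `// CtxIsAccountCheckAllowed reports whether CtxAllowAccountCheck was applied to ctx.`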
@ -72,6 +72,12 @@ func (s *secureService) Init(a *app.App) (err error) {
|
|||
s.compatibleVersions = compatibleVersions
|
||||
}
|
||||
account := a.MustComponent(commonaccount.CName).(commonaccount.Service)
|
||||
|
||||
var conf Config
|
||||
if cg, ok := a.Component("config").(configGetter); ok {
|
||||
conf = cg.GetSecureService()
|
||||
}
|
||||
|
||||
peerKey, err := account.Account().PeerKey.Raw()
|
||||
if err != nil {
|
||||
return
|
||||
|
@ -86,7 +92,7 @@ func (s *secureService) Init(a *app.App) (err error) {
|
|||
|
||||
s.inboundChecker = s.noVerifyChecker
|
||||
confTypes := s.nodeconf.NodeTypes(account.Account().PeerId)
|
||||
if len(confTypes) > 0 {
|
||||
if conf.RequireClientAuth || len(confTypes) > 0 {
|
||||
// require identity verification if we are node
|
||||
s.inboundChecker = s.peerSignVerifier
|
||||
}
|
||||
|
@ -137,7 +143,7 @@ func (s *secureService) SecureOutbound(ctx context.Context, conn net.Conn) (cctx
|
|||
func (s *secureService) HandshakeOutbound(ctx context.Context, conn io.ReadWriteCloser, peerId string) (cctx context.Context, err error) {
|
||||
confTypes := s.nodeconf.NodeTypes(peerId)
|
||||
var checker handshake.CredentialChecker
|
||||
if len(confTypes) > 0 {
|
||||
if CtxIsAccountCheckAllowed(ctx) || len(confTypes) > 0 {
|
||||
checker = s.peerSignVerifier
|
||||
} else {
|
||||
checker = s.noVerifyChecker
|
||||
|
|
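Review bot: The config lookup added to Init fails open: when the "config" component is absent or does not implement configGetter, the `ok` branch is simply skipped, conf stays at its zero value and RequireClientAuth is false, so a renamed getter or a typo in the config type would silently disable inbound identity checks with nothing in the logs. Consider an else branch that records the fallback through the package's existing logger, e.g. `} else { /* log at warn level that GetSecureService is unavailable and client auth is off */ }`, so operators can tell an explicit `requireClientAuth: false` apart from a misconfiguration. In the following hunk the comment `// require identity verification if we are node` is now stale, since the branch also fires on RequireClientAuth; `// require identity verification if we are a node or the config requires client auth` describes the new condition. Init's body starts and ends outside these hunks.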