diff --git a/services/identity/Cargo.lock b/services/identity/Cargo.lock --- a/services/identity/Cargo.lock +++ b/services/identity/Cargo.lock @@ -74,7 +74,7 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -852,7 +852,7 @@ "proc-macro2", "quote", "scratch", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -869,7 +869,7 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -1147,7 +1147,7 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -1468,6 +1468,7 @@ "tonic-web", "tracing", "tracing-subscriber", + "tunnelbroker_messages", "uuid", ] @@ -1949,9 +1950,9 @@ [[package]] name = "proc-macro2" -version = "1.0.56" +version = "1.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b63bdb0cd06f1f4dedf69b254734f9b45af66e4a031e42a7480257d9898b435" +checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" dependencies = [ "unicode-ident", ] @@ -2039,9 +2040,9 @@ [[package]] name = "quote" -version = "1.0.26" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc" +checksum = "50f3b39ccfb720540debaa0164757101c08ecb8d326b15358ce76a62c7e85965" dependencies = [ "proc-macro2", ] @@ -2355,29 +2356,29 @@ [[package]] name = "serde" -version = "1.0.159" +version = "1.0.182" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c04e8343c3daeec41f58990b9d77068df31209f2af111e059e9fe9646693065" +checksum = "bdb30a74471f5b7a1fa299f40b4bf1be93af61116df95465b2b5fc419331e430" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.159" +version = "1.0.182" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c614d17805b093df4b147b51339e7e44bf05ef59fba1e45d83500bcfb4d8585" +checksum = "6f4c2c6ea4bc09b5c419012eafcdb0fcef1d9119d626c8f3a0708a5b92d38a70" dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] name = "serde_json" -version = "1.0.95" +version = "1.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d721eca97ac802aa7777b701877c8004d950fc142651367300d21c1cc0194744" +checksum = "076066c5f1078eac5b722a31827a8832fe108bed65dfa75e233c89f8206e976c" dependencies = [ "itoa", "ryu", @@ -2526,9 +2527,9 @@ [[package]] name = "syn" -version = "2.0.13" +version = "2.0.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c9da457c5285ac1f936ebd076af6dac17a61cfe7826f2076b4d015cf47bc8ec" +checksum = "04361975b3f5e348b2189d8dc55bc942f278b2d482a6a0365de5bdd62d351567" dependencies = [ "proc-macro2", "quote", @@ -2592,7 +2593,7 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -2677,7 +2678,7 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] [[package]] @@ -2902,6 +2903,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed" +[[package]] +name = "tunnelbroker_messages" +version = "0.1.0" +dependencies = [ + "serde", + "serde_json", +] + [[package]] name = "typenum" version = "1.16.0" @@ -3326,5 +3335,5 @@ dependencies = [ "proc-macro2", "quote", - "syn 2.0.13", + "syn 2.0.28", ] diff --git a/services/identity/Cargo.toml b/services/identity/Cargo.toml --- a/services/identity/Cargo.toml +++ b/services/identity/Cargo.toml @@ -25,6 +25,7 @@ tonic-web = "0.9.1" serde = { version = "1.0.159", features = [ "derive" ] } serde_json = "1.0.95" +tunnelbroker_messages = { path = "../../shared/tunnelbroker_messages" } moka = { version = "0.10", features = ["future"] } uuid = { version = "1.3", features = [ "v4" ] } base64 = "0.21.2" diff --git a/services/identity/build.rs b/services/identity/build.rs --- a/services/identity/build.rs +++ b/services/identity/build.rs @@ -9,5 +9,12 @@ ], &["../../shared/protos/"], )?; + tonic_build::configure() + .build_server(false) + .build_client(true) + .compile( + &["../../shared/protos/tunnelbroker.proto"], + &["../../shared/protos/"], + )?; Ok(()) } diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs --- a/services/identity/src/config.rs +++ b/services/identity/src/config.rs @@ -4,8 +4,9 @@ use tracing::{error, info}; use crate::constants::{ - KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP, - SECRETS_DIRECTORY, SECRETS_SETUP_FILE, + DEFAULT_TUNNELBROKER_ENDPOINT, KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, + OPAQUE_SERVER_SETUP, SECRETS_DIRECTORY, SECRETS_SETUP_FILE, + TUNNELBROKER_GRPC_ENDPOINT, }; pub static CONFIG: Lazy = @@ -23,11 +24,30 @@ // Reserved usernames pub reserved_usernames: HashSet, pub keyserver_public_key: Option, + pub tunnelbroker_endpoint: String, } impl Config { fn load() -> Result { let localstack_endpoint = env::var(LOCALSTACK_ENDPOINT).ok(); + let tunnelbroker_endpoint = match env::var(TUNNELBROKER_GRPC_ENDPOINT) { + Ok(val) => { + info!("Using tunnelbroker endpoint from env var: {}", val); + val + } + Err(std::env::VarError::NotPresent) => { + let val = DEFAULT_TUNNELBROKER_ENDPOINT; + info!("Falling back to default tunnelbroker endpoint: {}", val); + val.to_string() + } + Err(e) => { + error!( + "Failed to read environment variable {}: {:?}", + TUNNELBROKER_GRPC_ENDPOINT, e + ); + return Err(Error::Env(e)); + } + }; let mut path_buf = path::PathBuf::new(); path_buf.push(SECRETS_DIRECTORY); @@ -44,6 +64,7 @@ server_setup, reserved_usernames, keyserver_public_key, + tunnelbroker_endpoint, }) } } diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs --- a/services/identity/src/constants.rs +++ b/services/identity/src/constants.rs @@ -122,3 +122,14 @@ // OPAQUE Server Setup pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP"; + +// Tunnelbroker +pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT"; +pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051"; + +// X3DH key management + +// Threshold for requesting more onetime keys +pub const ONETIME_KEY_MINIMUM_THRESHOLD: usize = 5; +// Number of keys to be refreshed when below the threshold +pub const ONETIME_KEY_REFRESH_NUMBER: u32 = 5; diff --git a/services/identity/src/database.rs b/services/identity/src/database.rs --- a/services/identity/src/database.rs +++ b/services/identity/src/database.rs @@ -7,7 +7,7 @@ use crate::ddb_utils::{ create_onetime_key_partition_key, into_onetime_put_requests, OlmAccountType, }; -use crate::error::{DBItemAttributeError, DBItemError, Error}; +use crate::error::{consume_error, DBItemAttributeError, DBItemError, Error}; use aws_config::SdkConfig; use aws_sdk_dynamodb::model::{AttributeValue, PutRequest, WriteRequest}; use aws_sdk_dynamodb::output::{ @@ -370,6 +370,7 @@ account_type: OlmAccountType, ) -> Result, Error> { use crate::constants::one_time_keys_table as otk_table; + use crate::constants::ONETIME_KEY_MINIMUM_THRESHOLD; let query_result = self.get_onetime_keys(device_id, account_type).await?; let items = match query_result.items() { @@ -380,6 +381,13 @@ } }; + if items.len() < ONETIME_KEY_MINIMUM_THRESHOLD { + debug!("Attempting to request more keys for device: {}", device_id); + let result = + crate::tunnelbroker::send_refresh_keys_request(device_id).await; + consume_error(result); + } + // Attempt to delete the onetime keys individually, a successful delete // mints the onetime key to the requester for item in items { diff --git a/services/identity/src/error.rs b/services/identity/src/error.rs --- a/services/identity/src/error.rs +++ b/services/identity/src/error.rs @@ -1,6 +1,7 @@ use aws_sdk_dynamodb::{model::AttributeValue, Error as DynamoDBError}; use std::collections::hash_map::HashMap; use std::fmt::{Display, Formatter, Result as FmtResult}; +use tracing::error; #[derive( Debug, derive_more::Display, derive_more::From, derive_more::Error, @@ -11,6 +12,10 @@ #[display(...)] Attribute(DBItemError), #[display(...)] + Transport(tonic::transport::Error), + #[display(...)] + Status(tonic::Status), + #[display(...)] MissingItem, } @@ -139,3 +144,12 @@ .to_vec(key) } } + +pub fn consume_error(result: Result) { + match result { + Ok(_) => return, + Err(e) => { + error!("{}", e); + } + } +} diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs --- a/services/identity/src/main.rs +++ b/services/identity/src/main.rs @@ -18,6 +18,7 @@ mod reserved_users; mod siwe; mod token; +mod tunnelbroker; use config::load_config; use constants::{IDENTITY_SERVICE_SOCKET_ADDR, SECRETS_DIRECTORY}; diff --git a/services/identity/src/tunnelbroker.rs b/services/identity/src/tunnelbroker.rs new file mode 100644 --- /dev/null +++ b/services/identity/src/tunnelbroker.rs @@ -0,0 +1,48 @@ +mod proto { + tonic::include_proto!("tunnelbroker"); +} +use crate::config::CONFIG; +use proto::tunnelbroker_service_client::TunnelbrokerServiceClient; +use proto::{Empty, MessageToDevice}; +use tonic::transport::Channel; +use tonic::Response; +use tracing::error; +use tunnelbroker_messages as messages; + +use crate::error::Error; + +pub async fn create_tunnelbroker_client( +) -> Result, Error> { + TunnelbrokerServiceClient::connect(CONFIG.tunnelbroker_endpoint.to_string()) + .await + .map_err(|e| { + error!("Unable able to connect to tunnelbroker: {:?}", e); + e.into() + }) +} + +pub async fn send_refresh_keys_request( + device_id: &str, +) -> Result, Error> { + use crate::constants::ONETIME_KEY_REFRESH_NUMBER; + + let mut tunnelbroker_client = create_tunnelbroker_client().await?; + + let refresh_request = messages::RefreshKeyRequest { + device_id: device_id.to_string(), + number_of_keys: ONETIME_KEY_REFRESH_NUMBER, + }; + + let payload = serde_json::to_string(&refresh_request).unwrap(); + let request = MessageToDevice { + device_id: device_id.to_string(), + payload, + }; + + let grpc_message = tonic::Request::new(request); + Ok( + tunnelbroker_client + .send_message_to_device(grpc_message) + .await?, + ) +}