Merge pull request #394 from jpevarnek/cloud-provider-verification

jpevarnek · jpevarnek · commit 810afc4c3a60 · 2016-04-26T10:58:17.000-04:00
Add logic to verify the host key of a cloud server
diff --git a/src/cloud/social/provider.ts b/src/cloud/social/provider.ts
@@ -1,4 +1,5 @@
 /// <reference path='../../../../third_party/typings/browser.d.ts' />
+/// <reference path='../../../../third_party/sha1/sha1.d.ts' />
 
 require('../social/monkey/process');
 
@@ -8,6 +9,8 @@ import logging = require('../../logging/logging');
 import promises = require('../../promises/promises');
 import queue = require('../../handler/queue');
 
+import sha1 = require('crypto/sha1');
+
 // https://github.com/borisyankov/DefinitelyTyped/blob/master/ssh2/ssh2-tests.ts
 import * as ssh2 from 'ssh2';
 var Client = require('ssh2').Client;
@@ -44,6 +47,9 @@ interface Invite {
   key: string;
   // True iff uProxy has root access on the server, i.e. uProxy deployed it.
   isAdmin?: boolean;
+  // Host key that should be used to verify the server, base-64 encoded
+  // (from known_hosts file or public key)
+  hostKey?: string;
 }
 
 // Type of the object placed, in serialised form, in storage
@@ -474,6 +480,15 @@ class Connection {
       connectConfig['privateKey'] = new Buffer(this.invite_.key, 'base64');
     }
 
+    if (this.invite_.hostKey) {
+      connectConfig.hostHash = 'sha1';
+      let keyBuffer = new Buffer(this.invite_.hostKey, 'base64');
+      let expectedHash = sha1.hex_sha1(keyBuffer.toString('binary'));
+      connectConfig.hostVerifier = (keyHash :string) => {
+        return keyHash === expectedHash;
+      };
+    }
+
     return new Promise<void>((F, R) => {
       this.connection_.on('ready', () => {
         // TODO: set a timeout here, too
diff --git a/third_party/sha1/sha1.d.ts b/third_party/sha1/sha1.d.ts
@@ -1,15 +1,34 @@
 // TypeScript definitions for crypto's sha1 module.
 
 declare module 'crypto/sha1' {
+  /**
+   * All function arguments are interpreted as "binary strings" (e.g. as
+   * returned by Buffer.toString("binary")) so to supply binary data or key you
+   * can construct a string with the help of String.fromCharCode(), e.g. [0x44,
+   * 0x5d, 0x75] -> 'D]u'.
+   */
+
+  /**
+   * Computes the SHA1 hash of some data with the specified key.
+   * Returns a binary string.
+   */
+  function str_sha1(data:string) : string
+
+  /** As above but returns a hex-formatted string */
+  function hex_sha1(data:string) : string
+
+  /** As above but returns a base-64-formatted string */
+  function b64_sha1(data:string) : string
+
   /**
    * Computes the HMAC-SHA1 of some data, with the specified key.
-   * Both key and data are interpreted as "binary strings" so to supply binary
-   * data or key you can construct a string with the help of
-   * String.fromCharCode(), e.g. [0x44, 0x5d, 0x75] -> 'D]u'.
-   * Ditto for return type.
+   * Returns a binary string.
    */
   function str_hmac_sha1(key:string, data:string) : string
 
   /** As str_hmac_sha1 but returns a hex-formatted string. */
   function hex_hmac_sha1(key:string, data:string) : string
+
+  /** As above but returns a base-64-formatted string */
+  function b64_hmac_sha1(key:string, data:string) : string
 }
