Async enrollement postgresql implementation

Author: touilleMan

server/parsec/components/async_enrollment.py

@@ -3,6 +3,8 @@
 
 from dataclasses import dataclass
 from enum import auto
+from hashlib import sha256
+from typing import Literal
 
 from parsec._parsec import (
     AsyncEnrollmentAcceptPayload,
@@ -15,6 +17,7 @@
     PkiSignatureAlgorithm,
     UserCertificate,
     VerifyKey,
+    X509Certificate,
     anonymous_cmds,
     authenticated_cmds,
 )
@@ -49,8 +52,8 @@ class AsyncEnrollmentSubmitBadOutcome(BadOutcomeEnum):
 class AsyncEnrollmentSubmitValidateBadOutcome(BadOutcomeEnum):
     INVALID_SUBMIT_PAYLOAD = auto()
     INVALID_SUBMIT_PAYLOAD_SIGNATURE = auto()  # TODO: server-side validation not yet implemented
-    INVALID_DER_X509_CERTIFICATE = auto()  # TODO: server-side validation not yet implemented
-    INVALID_X509_TRUSTCHAIN = auto()  # TODO: server-side validation not yet implemented
+    INVALID_DER_X509_CERTIFICATE = auto()
+    INVALID_X509_TRUSTCHAIN = auto()
 
 
 class AsyncEnrollmentInfoBadOutcome(BadOutcomeEnum):
@@ -165,21 +168,104 @@ class AsyncEnrollmentListItem:
     submit_payload_signature: AsyncEnrollmentPayloadSignature
 
 
+# TODO: `X509Certificate` is error prone since it's validation is currently lazy
+# (see https://github.com/Scille/parsec-cloud/issues/12012).
+@dataclass(slots=True, frozen=True)
+class X509Certificate2:
+    der: bytes
+    issuer: bytes
+    subject: bytes
+    sha256_fingerprint: bytes
+
+    @classmethod
+    def from_der(cls, der: bytes) -> X509Certificate2:
+        certificate = X509Certificate.from_der(der)
+        return X509Certificate2(
+            der=der,
+            # Raises `PkiInvalidCertificateDER` which is a subclass of `ValueError`
+            issuer=certificate.issuer(),
+            subject=certificate.subject(),
+            sha256_fingerprint=sha256(der).digest(),
+        )
+
+    def __repr__(self) -> str:
+        return f"{self.__class__.__qualname__}(subject={self.subject}, issuer={self.issuer})"
+
+
+def _validate_x509_trustchain(
+    leaf: bytes, intermediates: list[bytes]
+) -> (
+    list[X509Certificate2]
+    | Literal["INVALID_DER_X509_CERTIFICATE"]
+    | Literal["INVALID_X509_TRUSTCHAIN"]
+):
+    # Validate format for each x509 certificate
+    try:
+        author_der_x509_certificate = X509Certificate2.from_der(leaf)
+        intermediate_der_x509_certificates = [
+            X509Certificate2.from_der(certif) for certif in intermediates
+        ]
+    except ValueError:
+        return "INVALID_DER_X509_CERTIFICATE"
+    x509_trustchain = [author_der_x509_certificate, *intermediate_der_x509_certificates]
+
+    # Validate the x509 trustchain:
+    # - Should not be longer than 10 items (including leaf and root)
+    # - Each intermediate certificate should be used exactly once
+
+    if len(intermediate_der_x509_certificates) > 8:  # 8 since we exclude leaf and root
+        return "INVALID_X509_TRUSTCHAIN"
+
+    current = author_der_x509_certificate
+    while True:
+        try:
+            i, current = next(
+                (i, c)
+                for i, c in enumerate(intermediate_der_x509_certificates)
+                if c.subject == current.issuer
+            )
+            intermediate_der_x509_certificates.pop(i)
+        except StopIteration:  # Parent not found, we should have reached the root
+            if intermediate_der_x509_certificates:
+                # Unused intermediate certificates is not allowed!
+                return "INVALID_X509_TRUSTCHAIN"
+            break
+
+    return x509_trustchain
+
+
 def async_enrollment_submit_validate(
     now: DateTime,
     submit_payload: bytes,
     submit_payload_signature: AsyncEnrollmentPayloadSignature,
-) -> tuple[AsyncEnrollmentSubmitPayload] | AsyncEnrollmentSubmitValidateBadOutcome:
+) -> (
+    tuple[AsyncEnrollmentSubmitPayload, list[X509Certificate2] | None]
+    | AsyncEnrollmentSubmitValidateBadOutcome
+):
     try:
         p_data = AsyncEnrollmentSubmitPayload.load(submit_payload)
     except ValueError:
         return AsyncEnrollmentSubmitValidateBadOutcome.INVALID_SUBMIT_PAYLOAD
 
+    if isinstance(submit_payload_signature, AsyncEnrollmentPayloadSignaturePKI):
+        match _validate_x509_trustchain(
+            submit_payload_signature.author_der_x509_certificate,
+            submit_payload_signature.intermediate_der_x509_certificates,
+        ):
+            case list() as x509_trustchain:
+                pass
+            case "INVALID_DER_X509_CERTIFICATE":
+                return AsyncEnrollmentSubmitValidateBadOutcome.INVALID_DER_X509_CERTIFICATE
+            case "INVALID_X509_TRUSTCHAIN":
+                return AsyncEnrollmentSubmitValidateBadOutcome.INVALID_X509_TRUSTCHAIN
+    else:
+        x509_trustchain = None
+
     # TODO: Payload signature is currently not validated.
     #       Note this has no big impact on security since the client always
     #       validate the payload signature on its end.
 
-    return (p_data,)
+    return (p_data, x509_trustchain)
 
 
 def async_enrollment_accept_validate(
@@ -193,7 +279,12 @@ def async_enrollment_accept_validate(
     redacted_user_certificate: bytes,
     redacted_device_certificate: bytes,
 ) -> (
-    tuple[AsyncEnrollmentAcceptPayload, UserCertificate, DeviceCertificate]
+    tuple[
+        AsyncEnrollmentAcceptPayload,
+        UserCertificate,
+        DeviceCertificate,
+        list[X509Certificate2] | None,
+    ]
     | TimestampOutOfBallpark
     | AsyncEnrollmentAcceptValidateBadOutcome
 ):
@@ -202,6 +293,20 @@ def async_enrollment_accept_validate(
     except ValueError:
         return AsyncEnrollmentAcceptValidateBadOutcome.INVALID_ACCEPT_PAYLOAD
 
+    if isinstance(accept_payload_signature, AsyncEnrollmentPayloadSignaturePKI):
+        match _validate_x509_trustchain(
+            accept_payload_signature.author_der_x509_certificate,
+            accept_payload_signature.intermediate_der_x509_certificates,
+        ):
+            case list() as x509_trustchain:
+                pass
+            case "INVALID_DER_X509_CERTIFICATE":
+                return AsyncEnrollmentAcceptValidateBadOutcome.INVALID_DER_X509_CERTIFICATE
+            case "INVALID_X509_TRUSTCHAIN":
+                return AsyncEnrollmentAcceptValidateBadOutcome.INVALID_X509_TRUSTCHAIN
+    else:
+        x509_trustchain = None
+
     # TODO: Payload signature is currently not validated.
     #       Note this has no big impact on security since the client always
     #       validate the payload signature on its end.
@@ -255,7 +360,7 @@ def async_enrollment_accept_validate(
     if not d_data.redacted_compare(rd_data):
         return AsyncEnrollmentAcceptValidateBadOutcome.CERTIFICATES_REDACTED_MISMATCH
 
-    return p_data, u_data, d_data
+    return p_data, u_data, d_data, x509_trustchain
 
 
 class BaseAsyncEnrollmentComponent:
@@ -303,6 +408,7 @@ async def accept(
         now: DateTime,
         organization_id: OrganizationID,
         author: DeviceID,
+        author_verify_key: VerifyKey,
         enrollment_id: AsyncEnrollmentID,
         accept_payload: bytes,
         accept_payload_signature: AsyncEnrollmentPayloadSignature,
@@ -549,6 +655,7 @@ async def api_async_enrollment_accept(
             now=DateTime.now(),
             organization_id=client_ctx.organization_id,
             author=client_ctx.device_id,
+            author_verify_key=client_ctx.device_verify_key,
             enrollment_id=req.enrollment_id,
             accept_payload=req.accept_payload,
             accept_payload_signature=accept_payload_signature,

server/parsec/components/memory/async_enrollment.py

@@ -11,6 +11,7 @@
     OrganizationID,
     UserCertificate,
     UserProfile,
+    VerifyKey,
 )
 from parsec.ballpark import (
     RequireGreaterTimestamp,
@@ -86,7 +87,7 @@ async def submit(
             submit_payload=submit_payload,
             submit_payload_signature=submit_payload_signature,
         ):
-            case (s_payload,):
+            case (s_payload, _):
                 pass
             case error:
                 return error
@@ -259,6 +260,7 @@ async def accept(
         now: DateTime,
         organization_id: OrganizationID,
         author: DeviceID,
+        author_verify_key: VerifyKey,
         enrollment_id: AsyncEnrollmentID,
         accept_payload: bytes,
         accept_payload_signature: AsyncEnrollmentPayloadSignature,
@@ -317,15 +319,15 @@ async def accept(
             match async_enrollment_accept_validate(
                 now=now,
                 expected_author=author,
-                author_verify_key=author_device.cooked.verify_key,
+                author_verify_key=author_verify_key,
                 accept_payload=accept_payload,
                 accept_payload_signature=accept_payload_signature,
                 user_certificate=submitter_user_certificate,
                 device_certificate=submitter_device_certificate,
                 redacted_user_certificate=submitter_redacted_user_certificate,
                 redacted_device_certificate=submitter_redacted_device_certificate,
             ):
-                case (a_payload, u_certif, d_certif):
+                case (a_payload, u_certif, d_certif, _):
                     pass
                 case error:
                     return error

server/parsec/components/postgresql/async_enrollment.py

@@ -1,12 +1,152 @@
 # Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
 from __future__ import annotations
 
+from typing import override
+
+from parsec._parsec import (
+    AsyncEnrollmentID,
+    DateTime,
+    DeviceCertificate,
+    DeviceID,
+    OrganizationID,
+    UserCertificate,
+    VerifyKey,
+)
+from parsec.ballpark import RequireGreaterTimestamp, TimestampOutOfBallpark
 from parsec.components.async_enrollment import (
+    AsyncEnrollmentAcceptBadOutcome,
+    AsyncEnrollmentAcceptValidateBadOutcome,
+    AsyncEnrollmentEmailAlreadySubmitted,
+    AsyncEnrollmentInfo,
+    AsyncEnrollmentInfoBadOutcome,
+    AsyncEnrollmentListBadOutcome,
+    AsyncEnrollmentListItem,
+    AsyncEnrollmentPayloadSignature,
+    AsyncEnrollmentRejectBadOutcome,
+    AsyncEnrollmentSubmitBadOutcome,
+    AsyncEnrollmentSubmitValidateBadOutcome,
     BaseAsyncEnrollmentComponent,
 )
-from parsec.components.postgresql import AsyncpgPool
+from parsec.components.postgresql import AsyncpgConnection, AsyncpgPool
+from parsec.components.postgresql.async_enrollment_accept import async_enrollment_accept
+from parsec.components.postgresql.async_enrollment_info import async_enrollment_info
+from parsec.components.postgresql.async_enrollment_list import async_enrollment_list
+from parsec.components.postgresql.async_enrollment_reject import async_enrollment_reject
+from parsec.components.postgresql.async_enrollment_submit import async_enrollment_submit
+from parsec.components.postgresql.utils import no_transaction, transaction
 
 
 class PGAsyncEnrollmentComponent(BaseAsyncEnrollmentComponent):
     def __init__(self, pool: AsyncpgPool) -> None:
         self.pool = pool
+
+    @override
+    @transaction
+    async def submit(
+        self,
+        conn: AsyncpgConnection,
+        now: DateTime,
+        organization_id: OrganizationID,
+        enrollment_id: AsyncEnrollmentID,
+        force: bool,
+        submit_payload: bytes,
+        submit_payload_signature: AsyncEnrollmentPayloadSignature,
+    ) -> (
+        None
+        | AsyncEnrollmentSubmitValidateBadOutcome
+        | AsyncEnrollmentEmailAlreadySubmitted
+        | AsyncEnrollmentSubmitBadOutcome
+    ):
+        return await async_enrollment_submit(
+            conn,
+            now,
+            organization_id,
+            enrollment_id,
+            force,
+            submit_payload,
+            submit_payload_signature,
+        )
+
+    @override
+    @no_transaction
+    async def info(
+        self,
+        conn: AsyncpgConnection,
+        organization_id: OrganizationID,
+        enrollment_id: AsyncEnrollmentID,
+    ) -> AsyncEnrollmentInfo | AsyncEnrollmentInfoBadOutcome:
+        return await async_enrollment_info(
+            conn,
+            organization_id,
+            enrollment_id,
+        )
+
+    @override
+    @no_transaction
+    async def list(
+        self,
+        conn: AsyncpgConnection,
+        organization_id: OrganizationID,
+        author: DeviceID,
+    ) -> list[AsyncEnrollmentListItem] | AsyncEnrollmentListBadOutcome:
+        return await async_enrollment_list(
+            conn,
+            organization_id,
+            author,
+        )
+
+    @override
+    @transaction
+    async def reject(
+        self,
+        conn: AsyncpgConnection,
+        now: DateTime,
+        organization_id: OrganizationID,
+        author: DeviceID,
+        enrollment_id: AsyncEnrollmentID,
+    ) -> None | AsyncEnrollmentRejectBadOutcome:
+        return await async_enrollment_reject(
+            conn,
+            now,
+            organization_id,
+            author,
+            enrollment_id,
+        )
+
+    @override
+    @transaction
+    async def accept(
+        self,
+        conn: AsyncpgConnection,
+        now: DateTime,
+        organization_id: OrganizationID,
+        author: DeviceID,
+        author_verify_key: VerifyKey,
+        enrollment_id: AsyncEnrollmentID,
+        accept_payload: bytes,
+        accept_payload_signature: AsyncEnrollmentPayloadSignature,
+        submitter_user_certificate: bytes,
+        submitter_redacted_user_certificate: bytes,
+        submitter_device_certificate: bytes,
+        submitter_redacted_device_certificate: bytes,
+    ) -> (
+        tuple[UserCertificate, DeviceCertificate]
+        | AsyncEnrollmentAcceptValidateBadOutcome
+        | AsyncEnrollmentAcceptBadOutcome
+        | RequireGreaterTimestamp
+        | TimestampOutOfBallpark
+    ):
+        return await async_enrollment_accept(
+            conn,
+            now,
+            organization_id,
+            author,
+            author_verify_key,
+            enrollment_id,
+            accept_payload,
+            accept_payload_signature,
+            submitter_user_certificate,
+            submitter_redacted_user_certificate,
+            submitter_device_certificate,
+            submitter_redacted_device_certificate,
+        )