Make aggregator register_signatures route check signature authenticity

Alenar · Alenar · commit 2d6e9ebc01f6 · 2024-09-19T10:32:41.000+02:00
diff --git a/mithril-aggregator/src/http_server/routes/middlewares.rs b/mithril-aggregator/src/http_server/routes/middlewares.rs
@@ -12,7 +12,7 @@ use crate::event_store::{EventMessage, TransmitterService};
 use crate::services::{CertifierService, MessageService, ProverService, SignedEntityService};
 use crate::{
     CertificatePendingStore, Configuration, DependencyContainer, SignerRegisterer,
-    VerificationKeyStorer,
+    SingleSignatureAuthenticator, VerificationKeyStorer,
 };
 
 /// With certificate pending store
@@ -113,6 +113,13 @@ pub fn with_prover_service(
     warp::any().map(move || dependency_manager.prover_service.clone())
 }
 
+/// With Single Signature Authenticator
+pub fn with_single_signature_authenticator(
+    dependency_manager: Arc<DependencyContainer>,
+) -> impl Filter<Extract = (Arc<SingleSignatureAuthenticator>,), Error = Infallible> + Clone {
+    warp::any().map(move || dependency_manager.single_signer_authenticator.clone())
+}
+
 pub mod validators {
     use crate::http_server::validators::ProverTransactionsHashValidator;
 
diff --git a/mithril-aggregator/src/http_server/routes/signatures_routes.rs b/mithril-aggregator/src/http_server/routes/signatures_routes.rs
@@ -19,6 +19,9 @@ fn register_signatures(
         .and(middlewares::with_certifier_service(
             dependency_manager.clone(),
         ))
+        .and(middlewares::with_single_signature_authenticator(
+            dependency_manager,
+        ))
         .and_then(handlers::register_signatures)
 }
 
@@ -34,19 +37,22 @@ mod handlers {
         http_server::routes::reply,
         message_adapters::FromRegisterSingleSignatureAdapter,
         services::{CertifierService, CertifierServiceError, RegistrationStatus},
+        unwrap_to_internal_server_error, SingleSignatureAuthenticator,
     };
 
     /// Register Signatures
     pub async fn register_signatures(
         message: RegisterSignatureMessage,
         certifier_service: Arc<dyn CertifierService>,
+        single_signer_authenticator: Arc<SingleSignatureAuthenticator>,
     ) -> Result<impl warp::Reply, Infallible> {
         debug!("⇄ HTTP SERVER: register_signatures/{:?}", message);
         trace!("⇄ HTTP SERVER: register_signatures"; "complete_message" => #?message );
 
         let signed_entity_type = message.signed_entity_type.clone();
+        let signed_message = message.signed_message.clone();
 
-        let signatures = match FromRegisterSingleSignatureAdapter::try_adapt(message) {
+        let mut signatures = match FromRegisterSingleSignatureAdapter::try_adapt(message) {
             Ok(signature) => signature,
             Err(err) => {
                 warn!("register_signatures::payload decoding error"; "error" => ?err);
@@ -58,6 +64,15 @@ mod handlers {
             }
         };
 
+        if let Some(signed_message) = signed_message {
+            unwrap_to_internal_server_error!(
+                single_signer_authenticator
+                    .authenticate(&mut signatures, &signed_message)
+                    .await,
+                "single_signer_authenticator::error"
+            );
+        }
+
         match certifier_service
             .register_single_signature(&signed_entity_type, &signatures)
             .await
@@ -97,6 +112,7 @@ mod tests {
         http_server::SERVER_BASE_PATH,
         initialize_dependencies,
         services::{CertifierServiceError, MockCertifierService, RegistrationStatus},
+        SingleSignatureAuthenticator,
     };
 
     use super::*;
@@ -114,6 +130,64 @@ mod tests {
             .and(routes(dependency_manager).with(cors))
     }
 
+    #[tokio::test]
+    async fn test_register_signatures_try_to_authenticate_signature_with_signed_message() {
+        let mut mock_certifier_service = MockCertifierService::new();
+        mock_certifier_service
+            .expect_register_single_signature()
+            .withf(|_, signature| signature.is_authenticated())
+            .once()
+            .return_once(move |_, _| Ok(RegistrationStatus::Registered));
+        let mut dependency_manager = initialize_dependencies().await;
+        dependency_manager.certifier_service = Arc::new(mock_certifier_service);
+        dependency_manager.single_signer_authenticator =
+            Arc::new(SingleSignatureAuthenticator::new_that_authenticate_everything());
+
+        let message = RegisterSignatureMessage {
+            signed_message: Some("message".to_string()),
+            ..RegisterSignatureMessage::dummy()
+        };
+
+        let method = Method::POST.as_str();
+        let path = "/register-signatures";
+
+        request()
+            .method(method)
+            .path(&format!("/{SERVER_BASE_PATH}{path}"))
+            .json(&message)
+            .reply(&setup_router(Arc::new(dependency_manager)))
+            .await;
+    }
+
+    #[tokio::test]
+    async fn test_register_signatures_send_unauthenticated_signature_if_authentication_fail() {
+        let mut mock_certifier_service = MockCertifierService::new();
+        mock_certifier_service
+            .expect_register_single_signature()
+            .withf(|_, signature| !signature.is_authenticated())
+            .once()
+            .return_once(move |_, _| Ok(RegistrationStatus::Registered));
+        let mut dependency_manager = initialize_dependencies().await;
+        dependency_manager.certifier_service = Arc::new(mock_certifier_service);
+        dependency_manager.single_signer_authenticator =
+            Arc::new(SingleSignatureAuthenticator::new_that_reject_everything());
+
+        let message = RegisterSignatureMessage {
+            signed_message: Some("message".to_string()),
+            ..RegisterSignatureMessage::dummy()
+        };
+
+        let method = Method::POST.as_str();
+        let path = "/register-signatures";
+
+        request()
+            .method(method)
+            .path(&format!("/{SERVER_BASE_PATH}{path}"))
+            .json(&message)
+            .reply(&setup_router(Arc::new(dependency_manager)))
+            .await;
+    }
+
     #[tokio::test]
     async fn test_register_signatures_post_ok_201() {
         let mut mock_certifier_service = MockCertifierService::new();
diff --git a/mithril-aggregator/src/tools/single_signature_authenticator.rs b/mithril-aggregator/src/tools/single_signature_authenticator.rs
@@ -76,6 +76,39 @@ impl SingleSignatureAuthenticator {
     }
 }
 
+#[cfg(test)]
+impl SingleSignatureAuthenticator {
+    pub(crate) fn new_that_authenticate_everything() -> Self {
+        let mut multi_signer = crate::multi_signer::MockMultiSigner::new();
+        multi_signer
+            .expect_verify_single_signature()
+            .returning(|_, _| Ok(()));
+        multi_signer
+            .expect_verify_single_signature_for_next_epoch()
+            .returning(|_, _| Ok(()));
+
+        Self {
+            multi_signer: Arc::new(multi_signer),
+            logger: crate::test_tools::TestLogger::stdout(),
+        }
+    }
+
+    pub(crate) fn new_that_reject_everything() -> Self {
+        let mut multi_signer = crate::multi_signer::MockMultiSigner::new();
+        multi_signer
+            .expect_verify_single_signature()
+            .returning(|_, _| Err(anyhow::anyhow!("error")));
+        multi_signer
+            .expect_verify_single_signature_for_next_epoch()
+            .returning(|_, _| Err(anyhow::anyhow!("error")));
+
+        Self {
+            multi_signer: Arc::new(multi_signer),
+            logger: crate::test_tools::TestLogger::stdout(),
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use anyhow::anyhow;
