Add an authentication token to all client-server communication.

kpeeters · kpeeters · commit cc46332f93d1 · 2019-05-27T15:57:20.000+01:00
diff --git a/JUPYTER.rst b/JUPYTER.rst
@@ -102,3 +102,12 @@ kernel::
     ${HOME}/miniconda3/bin/jupyter notebook
 
 There is a sample `schwarzschild.ipynb` in the `examples` directory.	
+
+
+Setting up a Jupyterhub server for Cadabra
+------------------------------------------
+
+First install miniconda as per the instructions above. Then do::
+
+    conda install jupyterhub
+
diff --git a/client_server/ComputeThread.cc b/client_server/ComputeThread.cc
@@ -205,6 +205,11 @@ void ComputeThread::try_spawn_server()
 			throw std::logic_error("Failed to read port from server.");
 			}
 		port = atoi(buffer);
+		if(fscanf(f, "%100s", buffer)!=1) {
+			throw std::logic_error("Failed to read authentication token from server.");
+			}
+		authentication_token=std::string(buffer);
+		// std::cerr << "auth token: " << authentication_token << std::endl;
 		}
 	catch(Glib::SpawnError& err) {
 		std::cerr << "Failed to start server " << argv[0] << ": " << err.what() << std::endl;
@@ -424,8 +429,9 @@ void ComputeThread::execute_interactive(const std::string& code)
 	header["interactive"] = true;
 	content["code"] = code.c_str();
 
-	req["header"] = header;
-	req["content"] = content;
+	req["auth_token"] = authentication_token;
+	req["header"]     = header;
+	req["content"]    = content;
 
 	std::ostringstream oss;
 	oss << req << std::endl;
@@ -484,6 +490,7 @@ void ComputeThread::execute_cell(DTree::iterator it)
 		else
 			header["cell_origin"]="server";
 		header["msg_type"]="execute_request";
+		req["auth_token"]=authentication_token;
 		req["header"]=header;
 		content["code"]=dc.textbuf;
 		req["content"]=content;
@@ -522,6 +529,7 @@ void ComputeThread::stop()
 	Json::Value req, header, content;
 	header["uuid"]="none";
 	header["msg_type"]="execute_interrupt";
+	req["auth_token"]=authentication_token;
 	req["header"]=header;
 
 	std::ostringstream str;
@@ -550,6 +558,7 @@ void ComputeThread::restart_kernel()
 	header["uuid"]="none";
 	header["msg_type"]="exit";
 	header["from_server"] = true;
+	req["auth_token"]=authentication_token;
 	req["header"]=header;
 
 	std::ostringstream str;
diff --git a/client_server/ComputeThread.hh b/client_server/ComputeThread.hh
@@ -132,6 +132,7 @@ namespace cadabra {
 			Glib::Pid       server_pid;
 			int             server_stdout, server_stderr;
 			unsigned short  port;
+			std::string     authentication_token;
 			int             forced_server_port;
 		};
 
diff --git a/client_server/Server.cc b/client_server/Server.cc
@@ -31,6 +31,9 @@ Server::Server()
 	: return_cell_id(std::numeric_limits<uint64_t>::max()/2)
 	{
 	// FIXME: we do not actually do anything with this.
+	auto gen = boost::uuids::random_generator();
+	auto authentication_uuid = gen();
+	authentication_token = boost::uuids::to_string( authentication_uuid );
 	socket_name="tcp://localhost:5454";
 	init();
 	}
@@ -359,8 +362,15 @@ void Server::dispatch_message(websocketpp::connection_hdl hdl, const std::string
 		return;
 		}
 
-	const Json::Value content = root["content"];
-	const Json::Value header  = root["header"];
+	// Check that this message is authenticated.
+	std::string auth_token = root["auth_token"].asString();
+	if(auth_token!=authentication_token) {
+		std::cerr << "Received block with incorrect authentication token: " << auth_token << "." << std::endl;
+		return;
+		}
+
+	const Json::Value content    = root["content"];
+	const Json::Value header     = root["header"];
 	std::string msg_type = header["msg_type"].asString();
 	// std::cerr << "received msg_type |" << msg_type << "|" << std::endl;
 
@@ -521,6 +531,7 @@ void Server::run()
 		websocketpp::lib::asio::error_code ec;
 		auto p = wserver.get_local_endpoint(ec);
 		std::cout << p.port()  << std::endl;
+		std::cout << authentication_token << std::endl;
 
 		// std::cerr << "cadabra-server: spawning job thread "  << std::endl;
 		runner = std::thread(std::bind(&Server::wait_for_job, this));
diff --git a/client_server/Server.hh b/client_server/Server.hh
@@ -110,6 +110,7 @@ class Server {
 		// the server, but they all have access to the same Python
 		// scope. With multiple connections, one can inspect the Python
 		// stack from a different client (e.g. for debugging purposes).
+		// All connections share the same authentication token.
 
 		class Connection {
 			public:
@@ -122,6 +123,10 @@ class Server {
 		        std::owner_less<websocketpp::connection_hdl>> ConnectionMap;
 		ConnectionMap connections;
 
+		// Authentication token, needs to be sent along with any message.
+		// Gets set when the server announces its port.
+		std::string  authentication_token;
+
 		// Mutex to be able to use the websocket layer from both the
 		// main loop and the python-running thread.
 		std::mutex ws_mutex;
