Start extracting device auth for an rpc experiment

joshk · joshk · commit 8644397dec90 · 2025-01-29T15:56:09.000+13:00
diff --git a/lib/nerves_hub/products.ex b/lib/nerves_hub/products.ex
@@ -313,4 +313,11 @@ defmodule NervesHub.Products do
         :nope
     end)
   end
+
+  def shared_secrets_enabled?() do
+    # NervesHubWeb.DeviceSocket should really be :device_auth or :product_auth
+    Application.get_env(:nerves_hub, NervesHubWeb.DeviceSocket, [])
+    |> Keyword.get(:shared_secrets, [])
+    |> Keyword.get(:enabled, false)
+  end
 end
diff --git a/lib/nerves_hub/rpc/device_auth.ex b/lib/nerves_hub/rpc/device_auth.ex
@@ -0,0 +1,88 @@
+defmodule NervesHub.RPC.DeviceAuth do
+  @moduledoc false
+
+  alias NervesHub.Devices
+  alias NervesHub.Products
+
+  alias Plug.Crypto
+
+  # Default 90 seconds max age for the signature
+  @default_max_hmac_age 90
+
+  def connect_device({:shared_secrets, x_headers}) do
+    headers = Map.new(x_headers)
+
+    with :ok <- check_shared_secret_enabled(),
+         {:ok, key, salt, verification_opts} <- decode_from_headers(headers),
+         {:ok, auth} <- get_shared_secret_auth(key),
+         {:ok, signature} <- Map.fetch(headers, "x-nh-signature"),
+         {:ok, identifier} <- Crypto.verify(auth.secret, salt, signature, verification_opts),
+         {:ok, device} <- get_or_maybe_create_device(auth, identifier) do
+      {:ok, Devices.preload_product(device)}
+    else
+      error ->
+        :telemetry.execute([:nerves_hub, :devices, :invalid_auth], %{count: 1}, %{
+          auth: :shared_secrets,
+          reason: error,
+          product_key: Map.get(headers, "x-nh-key", "*empty*")
+        })
+
+        {:error, :invalid_auth}
+    end
+  end
+
+  defp decode_from_headers(%{"x-nh-alg" => "NH1-HMAC-" <> alg} = headers) do
+    with [digest_str, iter_str, klen_str] <- String.split(alg, "-"),
+         digest <- String.to_existing_atom(String.downcase(digest_str)),
+         {iterations, ""} <- Integer.parse(iter_str),
+         {key_length, ""} <- Integer.parse(klen_str),
+         {signed_at, ""} <- Integer.parse(headers["x-nh-time"]),
+         {:ok, key} <- Map.fetch(headers, "x-nh-key") do
+      expected_salt = """
+      NH1:device-socket:shared-secret:connect
+
+      x-nh-alg=NH1-HMAC-#{alg}
+      x-nh-key=#{key}
+      x-nh-time=#{signed_at}
+      """
+
+      opts = [
+        key_length: key_length,
+        key_iterations: iterations,
+        key_digest: digest,
+        signed_at: signed_at,
+        max_age: max_hmac_age()
+      ]
+
+      {:ok, key, expected_salt, opts}
+    end
+  end
+
+  defp decode_from_headers(_headers), do: {:error, :headers_decode_failed}
+
+  defp get_shared_secret_auth("nhp_" <> _ = key), do: Products.get_shared_secret_auth(key)
+  defp get_shared_secret_auth(key), do: Devices.get_shared_secret_auth(key)
+
+  defp get_or_maybe_create_device(%Products.SharedSecretAuth{} = auth, identifier) do
+    # TODO: Support JITP profile here to decide if enabled or what tags to use
+    Devices.get_or_create_device(auth, identifier)
+  end
+
+  defp get_or_maybe_create_device(%{device: %{identifier: identifier} = device}, identifier),
+    do: {:ok, device}
+
+  defp get_or_maybe_create_device(_auth, _identifier), do: {:error, :bad_identifier}
+
+  defp max_hmac_age() do
+    Application.get_env(:nerves_hub, __MODULE__, [])
+    |> Keyword.get(:max_age, @default_max_hmac_age)
+  end
+
+  defp check_shared_secret_enabled() do
+    if Products.shared_secrets_enabled?() do
+      :ok
+    else
+      {:error, :shared_secrets_not_enabled}
+    end
+  end
+end
diff --git a/lib/nerves_hub_web/channels/device_socket.ex b/lib/nerves_hub_web/channels/device_socket.ex
@@ -7,18 +7,14 @@ defmodule NervesHubWeb.DeviceSocket do
   alias NervesHub.Devices
   alias NervesHub.Devices.Connections
   alias NervesHub.Devices.DeviceConnection
-  alias NervesHub.Products
   alias NervesHub.Tracker
 
-  alias Plug.Crypto
+  alias NervesHub.RPC.DeviceAuth
 
   channel("console", NervesHubWeb.ConsoleChannel)
   channel("device", NervesHubWeb.DeviceChannel)
   channel("extensions", NervesHubWeb.ExtensionsChannel)
 
-  # Default 90 seconds max age for the signature
-  @default_max_hmac_age 90
-
   defoverridable init: 1, handle_in: 2, terminate: 2
 
   @impl Phoenix.Socket.Transport
@@ -96,14 +92,10 @@ defmodule NervesHubWeb.DeviceSocket do
       when is_list(x_headers) and length(x_headers) > 0 do
     headers = Map.new(x_headers)
 
-    with :ok <- check_shared_secret_enabled(),
-         {:ok, key, salt, verification_opts} <- decode_from_headers(headers),
-         {:ok, auth} <- get_shared_secret_auth(key),
-         {:ok, signature} <- Map.fetch(headers, "x-nh-signature"),
-         {:ok, identifier} <- Crypto.verify(auth.secret, salt, signature, verification_opts),
-         {:ok, device} <- get_or_maybe_create_device(auth, identifier) do
-      socket_and_assigns(socket, device)
-    else
+    case DeviceAuth.connect_device({:shared_secrets, x_headers}) do
+      {:ok, device} ->
+        socket_and_assigns(socket, Devices.preload_product(device))
+
       error ->
         :telemetry.execute([:nerves_hub, :devices, :invalid_auth], %{count: 1}, %{
           auth: :shared_secrets,
@@ -133,61 +125,6 @@ defmodule NervesHubWeb.DeviceSocket do
     ]
   end
 
-  defp decode_from_headers(%{"x-nh-alg" => "NH1-HMAC-" <> alg} = headers) do
-    with [digest_str, iter_str, klen_str] <- String.split(alg, "-"),
-         digest <- String.to_existing_atom(String.downcase(digest_str)),
-         {iterations, ""} <- Integer.parse(iter_str),
-         {key_length, ""} <- Integer.parse(klen_str),
-         {signed_at, ""} <- Integer.parse(headers["x-nh-time"]),
-         {:ok, key} <- Map.fetch(headers, "x-nh-key") do
-      expected_salt = """
-      NH1:device-socket:shared-secret:connect
-
-      x-nh-alg=NH1-HMAC-#{alg}
-      x-nh-key=#{key}
-      x-nh-time=#{signed_at}
-      """
-
-      opts = [
-        key_length: key_length,
-        key_iterations: iterations,
-        key_digest: digest,
-        signed_at: signed_at,
-        max_age: max_hmac_age()
-      ]
-
-      {:ok, key, expected_salt, opts}
-    end
-  end
-
-  defp decode_from_headers(_headers), do: {:error, :headers_decode_failed}
-
-  defp get_shared_secret_auth("nhp_" <> _ = key), do: Products.get_shared_secret_auth(key)
-  defp get_shared_secret_auth(key), do: Devices.get_shared_secret_auth(key)
-
-  defp get_or_maybe_create_device(%Products.SharedSecretAuth{} = auth, identifier) do
-    # TODO: Support JITP profile here to decide if enabled or what tags to use
-    Devices.get_or_create_device(auth, identifier)
-  end
-
-  defp get_or_maybe_create_device(%{device: %{identifier: identifier} = device}, identifier),
-    do: {:ok, device}
-
-  defp get_or_maybe_create_device(_auth, _identifier), do: {:error, :bad_identifier}
-
-  defp max_hmac_age() do
-    Application.get_env(:nerves_hub, __MODULE__, [])
-    |> Keyword.get(:max_age, @default_max_hmac_age)
-  end
-
-  defp check_shared_secret_enabled() do
-    if shared_secrets_enabled?() do
-      :ok
-    else
-      {:error, :shared_secrets_not_enabled}
-    end
-  end
-
   defp socket_and_assigns(socket, device) do
     # disconnect devices using the same identifier
     _ = socket.endpoint.broadcast_from(self(), "device_socket:#{device.id}", "disconnect", %{})
@@ -273,10 +210,4 @@ defmodule NervesHubWeb.DeviceSocket do
   defp last_seen_update_interval() do
     Application.get_env(:nerves_hub, :device_last_seen_update_interval_minutes)
   end
-
-  def shared_secrets_enabled?() do
-    Application.get_env(:nerves_hub, __MODULE__, [])
-    |> Keyword.get(:shared_secrets, [])
-    |> Keyword.get(:enabled, false)
-  end
 end
diff --git a/lib/nerves_hub_web/live/product/settings.ex b/lib/nerves_hub_web/live/product/settings.ex
@@ -3,7 +3,6 @@ defmodule NervesHubWeb.Live.Product.Settings do
 
   alias NervesHub.Extensions
   alias NervesHub.Products
-  alias NervesHubWeb.DeviceSocket
 
   def mount(_params, _session, socket) do
     product = Products.load_shared_secret_auth(socket.assigns.product)
@@ -14,7 +13,7 @@ defmodule NervesHubWeb.Live.Product.Settings do
       |> sidebar_tab(:settings)
       |> assign(:product, product)
       |> assign(:shared_secrets, product.shared_secret_auths)
-      |> assign(:shared_auth_enabled, DeviceSocket.shared_secrets_enabled?())
+      |> assign(:shared_auth_enabled, Products.shared_secrets_enabled?())
       |> assign(:form, to_form(Ecto.Changeset.change(product)))
       |> assign(:available_extensions, extensions())
 
