3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

devices: shrink credentials by removing unnecessary data (#2951)

Browse source
This commit is contained in:
Caleb Doxsey 2022-01-21 09:32:33 -07:00 committed by GitHub
parent 6574926c42
commit 9f4fc986ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 138 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

32
pkg/grpc/device/device.go
View file

@ -170,6 +170,8 @@ func PutCredential(
client databroker.DataBrokerServiceClient, client databroker.DataBrokerServiceClient,
credential *Credential, credential *Credential,
) error { ) error {
shrinkCredential(credential)
any := protoutil.NewAny(credential) any := protoutil.NewAny(credential)
_, err := client.Put(ctx, &databroker.PutRequest{ _, err := client.Put(ctx, &databroker.PutRequest{
Record: &databroker.Record{ Record: &databroker.Record{
@ -214,3 +216,33 @@ func PutOwnerCredentialRecord(
}) })
return err return err
} }
var maxCredentialSize = 256 * 1024
// shrinkCredential shrinks a credential object by removing unnecessary responses and options
// until its within the max credential size
func shrinkCredential(credential *Credential) {
for len(protoutil.NewAny(credential).GetValue()) > maxCredentialSize {
if specifier := credential.Specifier.(*Credential_Webauthn); specifier != nil {
// (1) remove authenticate responses
if len(specifier.Webauthn.AuthenticateResponse) > 0 {
specifier.Webauthn.AuthenticateResponse = specifier.Webauthn.AuthenticateResponse[1:]
continue
}
// (2) remove register response
if len(specifier.Webauthn.RegisterResponse) > 0 {
specifier.Webauthn.RegisterResponse = nil
continue
}
// (3) remove register options
if len(specifier.Webauthn.RegisterOptions) > 0 {
specifier.Webauthn.RegisterOptions = nil
continue
}
}
break
}
}

106
pkg/grpc/device/device_test.go Normal file
View file

@ -0,0 +1,106 @@
package device
import (
"bytes"
"testing"
"github.com/stretchr/testify/assert"
)
func TestShrinkCredential(t *testing.T) {
t.Run("authenticate response", func(t *testing.T) {
credential := &Credential{
Id: "c1",
TypeId: "t1",
EnrollmentId: "e1",
UserId: "u1",
Specifier: &Credential_Webauthn{
Webauthn: &Credential_WebAuthn{
Id: []byte{0, 1, 2},
PublicKey: []byte{3, 4, 5},
RegisterOptions: bytes.Repeat([]byte{1}, 10),
RegisterResponse: bytes.Repeat([]byte{2}, 10),
AuthenticateResponse: [][]byte{
bytes.Repeat([]byte{3}, 64*1024),
bytes.Repeat([]byte{4}, 64*1024),
bytes.Repeat([]byte{5}, 64*1024),
bytes.Repeat([]byte{6}, 64*1024),
bytes.Repeat([]byte{7}, 64*1024),
bytes.Repeat([]byte{8}, 64*1024),
},
},
},
}
shrinkCredential(credential)
assert.Equal(t, "c1", credential.GetId())
assert.Equal(t, "t1", credential.GetTypeId())
assert.Equal(t, "e1", credential.GetEnrollmentId())
assert.Equal(t, "u1", credential.GetUserId())
assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
assert.Equal(t, bytes.Repeat([]byte{1}, 10), credential.GetWebauthn().GetRegisterOptions())
assert.Equal(t, bytes.Repeat([]byte{2}, 10), credential.GetWebauthn().GetRegisterResponse())
assert.Equal(t, [][]byte{
bytes.Repeat([]byte{6}, 64*1024),
bytes.Repeat([]byte{7}, 64*1024),
bytes.Repeat([]byte{8}, 64*1024),
}, credential.GetWebauthn().GetAuthenticateResponse())
})
t.Run("register response", func(t *testing.T) {
credential := &Credential{
Id: "c1",
TypeId: "t1",
EnrollmentId: "e1",
UserId: "u1",
Specifier: &Credential_Webauthn{
Webauthn: &Credential_WebAuthn{
Id: []byte{0, 1, 2},
PublicKey: []byte{3, 4, 5},
RegisterOptions: bytes.Repeat([]byte{1}, 10),
RegisterResponse: bytes.Repeat([]byte{2}, 256*1024),
},
},
}
shrinkCredential(credential)
assert.Equal(t, "c1", credential.GetId())
assert.Equal(t, "t1", credential.GetTypeId())
assert.Equal(t, "e1", credential.GetEnrollmentId())
assert.Equal(t, "u1", credential.GetUserId())
assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
assert.Equal(t, bytes.Repeat([]byte{1}, 10), credential.GetWebauthn().GetRegisterOptions())
assert.Empty(t, credential.GetWebauthn().GetRegisterResponse())
assert.Empty(t, credential.GetWebauthn().GetAuthenticateResponse())
})
t.Run("register options", func(t *testing.T) {
credential := &Credential{
Id: "c1",
TypeId: "t1",
EnrollmentId: "e1",
UserId: "u1",
Specifier: &Credential_Webauthn{
Webauthn: &Credential_WebAuthn{
Id: []byte{0, 1, 2},
PublicKey: []byte{3, 4, 5},
RegisterOptions: bytes.Repeat([]byte{1}, 256*1024),
},
},
}
shrinkCredential(credential)
assert.Equal(t, "c1", credential.GetId())
assert.Equal(t, "t1", credential.GetTypeId())
assert.Equal(t, "e1", credential.GetEnrollmentId())
assert.Equal(t, "u1", credential.GetUserId())
assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
assert.Empty(t, credential.GetWebauthn().GetRegisterOptions())
assert.Empty(t, credential.GetWebauthn().GetRegisterResponse())
assert.Empty(t, credential.GetWebauthn().GetAuthenticateResponse())
})
}