Mirroristas/gun
2
0
Fork 0
mirror of https://github.com/amark/gun.git synced 2025-11-26 23:46:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1034 from mimiza/master

Browse Source 
change SEA.certify() && check.pub()
This commit is contained in:
Mark Nadal 2020-12-14 23:09:07 -08:00 committed by GitHub
commit be0b1cefb2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
sea.js
View File

@ -694,7 +694,7 @@
const expiry = opt.expiry && (typeof opt.expiry === 'number' || typeof opt.expiry === 'string') ? parseFloat(opt.expiry) : null const expiry = opt.expiry && (typeof opt.expiry === 'number' || typeof opt.expiry === 'string') ? parseFloat(opt.expiry) : null
const readPolicy = (policy || {}).read ? policy.read : null const readPolicy = (policy || {}).read ? policy.read : null
const writePolicy = (policy || {}).write ? policy.write : typeof policy === 'string' || Array.isArray(policy) || (policy["?"] || policy["#"] || policy["."] || policy["="] || policy["*"] || policy[">"] || policy["<"]) ? policy : null const writePolicy = (policy || {}).write ? policy.write : typeof policy === 'string' || Array.isArray(policy) || policy["+"] || policy["#"] || policy["."] || policy["="] || policy["*"] || policy[">"] || policy["<"] ? policy : null
const readBlacklist = ((opt || {}).blacklist || {}).read && (typeof opt.blacklist.read === 'string' || opt.blacklist.read['#']) ? opt.blacklist.read : null const readBlacklist = ((opt || {}).blacklist || {}).read && (typeof opt.blacklist.read === 'string' || opt.blacklist.read['#']) ? opt.blacklist.read : null
const writeBlacklist = typeof (opt || {}).blacklist === 'string' || (((opt || {}).blacklist || {}).write || {})['#'] ? opt.blacklist : ((opt || {}).blacklist || {}).write && (typeof opt.blacklist.write === 'string' || opt.blacklist.write['#']) ? opt.blacklist.write : null const writeBlacklist = typeof (opt || {}).blacklist === 'string' || (((opt || {}).blacklist || {}).write || {})['#'] ? opt.blacklist : ((opt || {}).blacklist || {}).write && (typeof opt.blacklist.write === 'string' || opt.blacklist.write['#']) ? opt.blacklist.write : null
@ -1331,7 +1331,7 @@
check.pub = function(eve, msg, val, key, soul, at, no, user, pub){ var tmp // Example: {_:#~asdf, hello:'world'~fdsa}} check.pub = function(eve, msg, val, key, soul, at, no, user, pub){ var tmp // Example: {_:#~asdf, hello:'world'~fdsa}}
const raw = S.parse(val) || {} const raw = S.parse(val) || {}
const verify = (certificate, certificant, cb) => { const verify = (certificate, certificant, cb) => {
if (certificate.m && certificate.s && certificant && pub) { if (certificate.m && certificate.s && certificant && pub)
// now verify certificate // now verify certificate
return SEA.verify(certificate, pub, data => { // check if "pub" (of the graph owner) really issued this cert return SEA.verify(certificate, pub, data => { // check if "pub" (of the graph owner) really issued this cert
if (u !== data && u !== data.e && msg.put['>'] && msg.put['>'] > parseFloat(data.e)) return no("Certificate expired.") // certificate expired if (u !== data && u !== data.e && msg.put['>'] && msg.put['>'] > parseFloat(data.e)) return no("Certificate expired.") // certificate expired
@ -1345,7 +1345,7 @@
for (const lex of w) { for (const lex of w) {
if ((String.match(path, lex['#']) && String.match(key, lex['.'])) || (!lex['.'] && String.match(path, lex['#'])) || (!lex['#'] && String.match(key, lex['.'])) || String.match((path ? path + '/' + key : key), lex['#'] || lex)) { if ((String.match(path, lex['#']) && String.match(key, lex['.'])) || (!lex['.'] && String.match(path, lex['#'])) || (!lex['#'] && String.match(key, lex['.'])) || String.match((path ? path + '/' + key : key), lex['#'] || lex)) {
// is Certificant forced to present in Path // is Certificant forced to present in Path
if (lex['?'] && lex['?'].indexOf('*') > -1 && path && path.indexOf(certificant) == -1 && key.indexOf(certificant) == -1) return no("Key not same as certificant pub.") if (lex['+'] && lex['+'].indexOf('*') > -1 && path && path.indexOf(certificant) == -1 && key.indexOf(certificant) == -1) return no(`Path "${path}" or key "${key}" must contain string "${certificant}".`)
// path is allowed, but is there any WRITE blacklist? Check it out // path is allowed, but is there any WRITE blacklist? Check it out
if (data.wb && (typeof data.wb === 'string' || ((data.wb || {})['#']))) { // "data.wb" = path to the WRITE blacklist if (data.wb && (typeof data.wb === 'string' || ((data.wb || {})['#']))) { // "data.wb" = path to the WRITE blacklist
var root = user.back(-1) var root = user.back(-1)
@ -1361,24 +1361,23 @@
return no("Certificate verification fail.") return no("Certificate verification fail.")
} }
}) })
}
return return
} }
if ('pub' === key && '~'+pub === soul) { if ('pub' === key && '~' + pub === soul) {
if(val === pub){ return eve.to.next(msg) } // the account MUST match `pub` property that equals the ID of the public key. if (val === pub) return eve.to.next(msg) // the account MUST match `pub` property that equals the ID of the public key.
return no("Account not same!") return no("Account not same!")
} }
if ((tmp = user.is) && tmp.pub && !raw['*'] && !raw['+'] && (pub === tmp.pub || (pub !== tmp.pub && ((msg._.out || {}).opt || {}).cert))){ if ((tmp = user.is) && tmp.pub && !raw['*'] && !raw['+'] && (pub === tmp.pub || (pub !== tmp.pub && ((msg._.out || {}).opt || {}).cert))){
SEA.sign(SEA.opt.pack(msg.put), (user._).sea, function(data){ SEA.sign(SEA.opt.pack(msg.put), (user._).sea, function(data){
if(u === data){ return no(SEA.err || 'Signature fail.') } if (u === data) return no(SEA.err || 'Signature fail.')
msg.put[':'] = {':': tmp = SEA.opt.unpack(data.m), '~': data.s} msg.put[':'] = {':': tmp = SEA.opt.unpack(data.m), '~': data.s}
msg.put['='] = tmp msg.put['='] = tmp
// if writing to own graph, just allow it // if writing to own graph, just allow it
if (pub === user.is.pub) { if (pub === user.is.pub) {
if (tmp = link_is(val)) { (at.sea.own[tmp] = at.sea.own[tmp] || {})[pub] = 1 } if (tmp = link_is(val)) (at.sea.own[tmp] = at.sea.own[tmp] || {})[pub] = 1
msg.put[':'] = JSON.stringify(msg.put[':']) msg.put[':'] = JSON.stringify(msg.put[':'])
return eve.to.next(msg) return eve.to.next(msg)
} }
@ -1387,14 +1386,13 @@
if (pub !== user.is.pub && ((msg._.out || {}).opt || {}).cert) { if (pub !== user.is.pub && ((msg._.out || {}).opt || {}).cert) {
const cert = S.parse(msg._.out.opt.cert) const cert = S.parse(msg._.out.opt.cert)
// even if cert exists, we must verify it // even if cert exists, we must verify it
if (cert && cert.m && cert.s) { if (cert && cert.m && cert.s)
verify(cert, user.is.pub, _ => { verify(cert, user.is.pub, _ => {
msg.put[':']['+'] = cert // '+' is a certificate msg.put[':']['+'] = cert // '+' is a certificate
msg.put[':']['*'] = user.is.pub // '*' is pub of the user who puts msg.put[':']['*'] = user.is.pub // '*' is pub of the user who puts
msg.put[':'] = JSON.stringify(msg.put[':']) msg.put[':'] = JSON.stringify(msg.put[':'])
return eve.to.next(msg) return eve.to.next(msg)
}) })
}
} }
}, {raw: 1}) }, {raw: 1})
return; return;
@ -1402,17 +1400,16 @@
SEA.verify(SEA.opt.pack(msg.put), raw['*'] || pub, function(data){ var tmp; SEA.verify(SEA.opt.pack(msg.put), raw['*'] || pub, function(data){ var tmp;
data = SEA.opt.unpack(data); data = SEA.opt.unpack(data);
if(u === data){ return no("Unverified data.") } // make sure the signature matches the account it claims to be on. // reject any updates that are signed with a mismatched account. if (u === data) return no("Unverified data.") // make sure the signature matches the account it claims to be on. // reject any updates that are signed with a mismatched account.
if((tmp = link_is(data)) && pub === SEA.opt.pub(tmp)){ (at.sea.own[tmp] = at.sea.own[tmp] || {})[pub] = 1 } if ((tmp = link_is(data)) && pub === SEA.opt.pub(tmp)) (at.sea.own[tmp] = at.sea.own[tmp] || {})[pub] = 1
// check if cert ('+') and putter's pub ('*') exist // check if cert ('+') and putter's pub ('*') exist
if (raw['+'] && raw['+']['m'] && raw['+']['s'] && raw['*']) { if (raw['+'] && raw['+']['m'] && raw['+']['s'] && raw['*'])
// now verify certificate // now verify certificate
verify(raw['+'], raw['*'], _ => { verify(raw['+'], raw['*'], _ => {
msg.put['='] = data; msg.put['='] = data;
return eve.to.next(msg); return eve.to.next(msg);
}) })
}
else { else {
msg.put['='] = data; msg.put['='] = data;
return eve.to.next(msg); return eve.to.next(msg);

4
test/sea/sea.js
View File

@ -606,10 +606,10 @@ describe('SEA', function(){
}) })
}())}) }())})
it('Certify: Path must contain Certificant Pub', function(done){(async function(){ it('Certify: Path or Key must contain Certificant Pub', function(done){(async function(){
var alice = await SEA.pair() var alice = await SEA.pair()
var bob = await SEA.pair() var bob = await SEA.pair()
var cert = await SEA.certify(bob, {"*": "private", "?": "*"}, alice) var cert = await SEA.certify(bob, {"*": "private", "+": "*"}, alice)
user.auth(bob, () => { user.auth(bob, () => {
var data = Gun.state.lex() var data = Gun.state.lex()