From dda470fc934c51be99d0727de9a2c9151f9e3745 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A1lint=20Bokros?= Date: Tue, 13 Feb 2018 13:39:27 +0100 Subject: [PATCH] Validate token in controller's HTTP handlers --- lib/tfw/networking/server/controller_responder.py | 2 +- src/controller/handlers/solution_check_handler.py | 10 +++++++--- src/controller/handlers/test_handler.py | 10 +++++++--- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/lib/tfw/networking/server/controller_responder.py b/lib/tfw/networking/server/controller_responder.py index 16a405a..a0924e7 100644 --- a/lib/tfw/networking/server/controller_responder.py +++ b/lib/tfw/networking/server/controller_responder.py @@ -17,7 +17,7 @@ class ControllerResponder: def handle_controller_request(self, stream, msg_parts): key, data = deserialize_all(*msg_parts) response = self.controller_request_handlers[key](data) - stream.send_multipart(serialize_all(key, response)) + stream.send_multipart(serialize_all(self.token, response)) def handle_test_request(self, data): return 'OK' diff --git a/src/controller/handlers/solution_check_handler.py b/src/controller/handlers/solution_check_handler.py index cfe2c1c..e84dc80 100644 --- a/src/controller/handlers/solution_check_handler.py +++ b/src/controller/handlers/solution_check_handler.py @@ -1,15 +1,19 @@ -from tornado.web import RequestHandler +import secrets +from tornado.web import RequestHandler, HTTPError from tfw.config.logs import logging log = logging.getLogger(__name__) class SolutionCheckHandler(RequestHandler): - def initialize(self, solvable_connector): + def initialize(self, solvable_connector, token): self.solvable_connector = solvable_connector + self.token = token async def get(self): log.debug('Sending request to solvable') self.solvable_connector.send('solution_check', {}) - resp_key, resp_data = await self.solvable_connector.recv() + resp_token, resp_data = await self.solvable_connector.recv() + if not secrets.compare_digest(self.token, resp_token): + raise HTTPError(500, 'Solvable didn\'t provide initial token.') log.debug('Received answer from solvable') self.write(resp_data) diff --git a/src/controller/handlers/test_handler.py b/src/controller/handlers/test_handler.py index 564bcdc..85c675c 100644 --- a/src/controller/handlers/test_handler.py +++ b/src/controller/handlers/test_handler.py @@ -1,11 +1,15 @@ -from tornado.web import RequestHandler +import secrets +from tornado.web import RequestHandler, HTTPError class TestHandler(RequestHandler): - def initialize(self, solvable_connector): + def initialize(self, solvable_connector, token): self.solvable_connector = solvable_connector + self.token = token async def get(self): self.solvable_connector.send('test', {}) - resp_key, resp_data = await self.solvable_connector.recv() + resp_token, resp_data = await self.solvable_connector.recv() + if not secrets.compare_digest(self.token, resp_token): + raise HTTPError(500, 'Solvable didn\'t provide initial token.') self.write(resp_data)