jael, eyre: Add a way to reset the web login code

Jael now stores a `step` that is combined with the original salt to
produce a new code.  A `%step` card is used to increment that value,
and effectively resetting the keys.  Because the first `step` is zero,
the first code is the same as before.

Eyre was changed to be notified with `%code-changed` so it can forget
old cookies, sessions and discard all the existing channels.

A new generator, |code, was added that does both querying and
resetting the code:

    |code             :: shows current code, step and help
    |code %reset      :: changes the code

The old +code generator still works correctly.
Caio Marcelo de Oliveira Filho 2020-07-29 09:14:18 -07:00
parent 3ab634a788
commit df868e2c4f
5 changed files with 130 additions and 12 deletions


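--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,30 @@
+:: Helm: query or reset login code for web
+::
+:::: /hoon/code/hood/gen
+::
+/? 310
+::
+::::
+::
+:- %say
+|= $: [now=@da eny=@uvJ bec=beak]
+[arg=?(~ [%reset ~]) ~]
+==
+=* our p.bec
+:- %helm-code
+?~ arg
+=/ code=tape
+%+ slag 1
+%+ scow %p
+.^(@p %j /(scot %p our)/code/(scot %da now)/(scot %p our))
+=/ step=tape
+%+ scow %ud
+.^(@ud %j /(scot %p our)/step/(scot %da now)/(scot %p our))
+%- %- slog
+:~ [%leaf code]
+[%leaf (weld "current step=" step)]
+[%leaf "use |code %reset to invalidate this and generate a new code"]
+==
+~
+?> =(%reset -.arg)
+%reset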
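Review bot: The help leaf and the header comment describe `%reset` only as generating a new code, but the same commit makes Eyre react to `%code-changed` by dropping its authentication state and closing every channel, so a reset also logs out every web session; the operator should learn that before running it. Suggest extending the leaf to `[%leaf "use |code %reset to invalidate this and generate a new code (logs out all web sessions)"]` and adding `:: %reset also invalidates all existing web sessions and channels` under the header. The `?> =(%reset -.arg)` assertion is redundant given the `?(~ [%reset ~])` argument type, but harmless.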


@ -79,6 +79,13 @@
this
(emit %pass / %arvo %j %moon u.sed)
::
++ poke-code
|= act=?(~ %reset)
=< abet
?~ act
this
(emit %pass / %arvo %j %step ~)
::
++ poke-mass
|= ~ =< abet
(emit %pass /heft %arvo %d %flog %heft ~)
@ -213,6 +220,7 @@
%helm-atom =;(f (f !<(_+<.f vase)) poke-atom)
%helm-automass =;(f (f !<(_+<.f vase)) poke-automass)
%helm-cancel-automass =;(f (f !<(_+<.f vase)) poke-cancel-automass)
%helm-code =;(f (f !<(_+<.f vase)) poke-code)
%helm-hi =;(f (f !<(_+<.f vase)) poke-hi)
%helm-knob =;(f (f !<(_+<.f vase)) poke-knob)
%helm-mass =;(f (f !<(_+<.f vase)) poke-mass)
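Review bot: The `~` arm of `++ poke-code` returns `this` unchanged, so `|code` with no argument ends in a `%helm-code` poke to hood that does nothing; the query itself is served entirely by the generator's scries. That is fine as a way to share one mark between query and reset, but a reader of hood alone cannot tell, so a comment above the arm would help, e.g. `:: ~ is a no-op so the |code generator can use %helm-code for both query and %reset`. The `%reset` arm carries the only effect, `%pass / %arvo %j %step ~`, which in turn makes Eyre invalidate all sessions, and that consequence is worth naming in the same comment. The dispatch table in the second hunk starts and ends outside the hunk.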


@ -1960,6 +1960,31 @@
::
closed-connections
==
::
?: ?=(%code-changed -.task)
~> %slog.[0 leaf+"eyre: code-changed: throwing away old cookies"]
=. authentication-state.server-state.ax *authentication-state
::
=/ event-args [[our eny duct now scry-gate] server-state.ax]
=* by-channel by-channel:(per-server-event event-args)
=* channel-state channel-state.server-state.ax
::
=/ channel-ids=(list @t) ~(tap in ~(key by session.channel-state))
?: =(~ channel-ids)
[~ http-server-gate]
::
=/ len=tape (scow %ud (lent channel-ids))
~> %slog.[0 leaf+"eyre: code-changed: closing {len} channels"]
::
=| moves=(list (list move))
|- ^- [(list move) _http-server-gate]
?~ channel-ids
[(zing (flop moves)) http-server-gate]
:: discard channel state, and cancel any active gall subscriptions
::
=^ mov server-state.ax (discard-channel:by-channel i.channel-ids |)
$(moves [mov moves], channel-ids t.channel-ids)
::
:: all other commands operate on a per-server-event
::
=/ event-args [[our eny duct now scry-gate] server-state.ax]
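Review bot: The loop that discards channels appears to work from a stale snapshot: `event-args` is pinned with `=/` before the `|-`, and `by-channel` is a `=*` alias over `(per-server-event event-args)`, so every `discard-channel:by-channel` call is built from the `server-state.ax` captured at that pin, not from the value the previous iteration wrote back with `=^ mov server-state.ax`. If `discard-channel` returns the door's whole `server-state` (as the `=^` into `server-state.ax` suggests), each iteration overwrites the earlier deletions and only the last channel actually leaves `session.channel-state`, while the cancellation moves for the others are still emitted; after a code reset Eyre would then keep channel entries it believes it closed. Rebuilding the door from the current state inside the loop avoids this: `=^ mov server-state.ax (discard-channel:by-channel:(per-server-event [[our eny duct now scry-gate] server-state.ax]) i.channel-ids |)`, with the `=/ event-args` and `=* by-channel` lines before the loop dropped. The enclosing arm starts and ends outside the hunk.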


@ -35,12 +35,19 @@
:: manage subscriptions efficiently.
::
=> |%
+$ state :: all vane state
$: ver=$0 :: vane version
pki=state-pki ::
+$ any-state $%(state-0 state-1)
::
+$ state-0
$: %0
pki=state-pki-0 ::
etn=state-eth-node :: eth connection state
== ::
+$ state-pki :: urbit metadata
+$ state-1
$: %1
pki=state-pki-1 ::
etn=state-eth-node :: eth connection state
== ::
+$ state-pki-0 :: urbit metadata
$: $= own :: vault (vein)
$: yen=(set duct) :: trackers
sig=(unit oath) :: for a moon
@ -59,6 +66,26 @@
pos=(map ship point) :: on-chain ship state
== ::
== ::
+$ state-pki-1 :: urbit metadata
$: $= own :: vault (vein)
$: yen=(set duct) :: trackers
sig=(unit oath) :: for a moon
tuf=(list turf) :: domains
boq=@ud :: boot block
nod=purl:eyre :: eth gateway
fak=_| :: fake keys
lyf=life :: version
step=@ud :: login code step
jaw=(map life ring) :: private keys
== ::
$= zim :: public
$: yen=(jug duct ship) :: trackers
ney=(jug ship duct) :: reverse trackers
nel=(set duct) :: trackers of all
dns=dnses :: on-chain dns state
pos=(map ship point) :: on-chain ship state
== ::
== ::
+$ message :: message to her jael
$% [%nuke whos=(set ship)] :: cancel trackers
[%public-keys whos=(set ship)] :: view ethereum events
@ -80,6 +107,9 @@
$: %b :: to %behn
$>(%wait task:able:behn) :: set timer
== ::
$: %e :: to %eyre
[%code-changed ~] :: notify code changed
== ::
$: %g :: to %gall
$>(%deal task:able:gall) :: talk to app
== ::
@ -179,7 +209,7 @@
==
:: all vane state
::
state
state-1
==
:: lex: all durable state
:: moz: pending actions
@ -446,6 +476,14 @@
%- curd =< abet
(~(new-event su hen our now pki etn) [ship udiff]:tac)
::
:: rotate web login code
::
%step
%= +>.$
step.own.pki +(step.own.pki)
moz [[hen %pass / %e %code-changed ~] moz]
==
::
:: watch public keys
:: [%public-keys ships=(set ship)]
::
@ -578,7 +616,7 @@
:: :: ++curd:of
++ curd :: relative moves
|= $: moz/(list move)
pki/state-pki
pki/state-pki-1
etn/state-eth-node
==
+>(pki pki, etn etn, moz (weld (flop moz) ^moz))
@ -599,7 +637,7 @@
=| $: hen=duct
our=ship
now=@da
state-pki
state-pki-1
state-eth-node
==
:: moz: moves in reverse order
@ -955,7 +993,7 @@
::
:: lex: all durable %jael state
::
=| lex/state
=| lex/state-1
|= $: ::
:: our: identity
:: now: current time
@ -991,11 +1029,15 @@
|= $: :: old: previous state
::
:: old/*
old/state
old/any-state
==
^+ ..^$
:: ..^$
..^$(lex old)
=/ new=state-1
?- -.old
%0 old(- %1, |7.own.pki [step=0 |7.own.pki.old])
%1 old
==
..^$(lex new)
:: :: ++scry
++ scry :: inspect
|= $: :: fur: event security
@ -1025,6 +1067,14 @@
``mass+!>(maz)
?+ syd
~
::
%step
?. ?=([@ ~] tyl) [~ ~]
?. =([%& our] why)
[~ ~]
=/ who (slaw %p i.tyl)
?~ who [~ ~]
``[%noun !>(step.own.pki.lex)]
::
%code
?. ?=([@ ~] tyl) [~ ~]
@ -1036,7 +1086,8 @@
=/ cub (nol:nu:crub:crypto sec)
:: XX use pac:ex:cub?
::
``[%noun !>((end 6 1 (shaf %pass (shax sec:ex:cub))))]
=/ sal (add %pass step.own.pki.lex)
``[%noun !>((end 6 1 (shaf sal (shax sec:ex:cub))))]
::
%life
?. ?=([@ ~] tyl) [~ ~]
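Review bot: In the new `%step` scry arm, `who` is parsed from `i.tyl` with `(slaw %p i.tyl)` and checked for `~`, but its value is never used, so any syntactically valid ship in the trailing path segment is accepted and the only effective gate is `=([%& our] why)`; if the intent is to answer only for our own ship, compare it, `?. =(our u.who) [~ ~]`, otherwise a comment should say the segment is validated but ignored (the `%code` arm may follow the same pattern, which would be the place to fix both). The state migration `%0 old(- %1, |7.own.pki [step=0 |7.own.pki.old])` inserts `step` by tree position, which depends on `own` having exactly seven legs before `jaw`; a comment such as `:: insert step=0 immediately before jaw in own` would make the dependency visible. The `++ load` and `++ scry` arms start and end outside their hunks.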


@ -1268,6 +1268,9 @@
:: the first place.
::
[%disconnect =binding]
:: notifies us that web login code changed
::
[%code-changed ~]
==
::
--
@ -1953,6 +1956,7 @@
[%turf ~] :: view domains
$>(%vega vane-task) :: report upgrade
$>(%plea vane-task) :: ames request
[%step ~] :: reset web login code
== ::
::
+$ dawn-event