fix: Endpoint pre-registration should return GATEWAY_NOT_REGISTERED i…

…f gateway's certificate is expired (#731)
relaycorp · Feb 29, 2024 · 5f56d23 · 5f56d23
1 parent afbadd8
commit 5f56d23
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 2 deletions.
diff --git a/...est/java/tech/relaycorp/gateway/background/endpoint/EndpointPreRegistrationServiceTest.kt b/...est/java/tech/relaycorp/gateway/background/endpoint/EndpointPreRegistrationServiceTest.kt
@@ -22,8 +22,14 @@ import tech.relaycorp.gateway.domain.LocalConfig
 import tech.relaycorp.gateway.test.AppTestProvider
 import tech.relaycorp.gateway.test.KeystoreResetTestRule
 import tech.relaycorp.gateway.test.WaitAssertions.waitFor
+import tech.relaycorp.relaynet.issueGatewayCertificate
+import tech.relaycorp.relaynet.keystores.CertificateStore
 import tech.relaycorp.relaynet.messages.control.PrivateNodeRegistrationAuthorization
+import tech.relaycorp.relaynet.testing.pki.KeyPairSet
+import tech.relaycorp.relaynet.testing.pki.PDACertPath
+import tech.relaycorp.relaynet.wrappers.nodeId
 import java.nio.charset.Charset
+import java.time.ZonedDateTime
 import javax.inject.Inject
 
 class EndpointPreRegistrationServiceTest {
@@ -40,6 +46,9 @@ class EndpointPreRegistrationServiceTest {
     @Inject
     lateinit var localConfig: LocalConfig
 
+    @Inject
+    lateinit var certificateStore: CertificateStore
+
     @Inject
     lateinit var internetGatewayPreferences: InternetGatewayPreferences
 
@@ -51,13 +60,19 @@ class EndpointPreRegistrationServiceTest {
         AppTestProvider.component.inject(this)
         runTest(coroutineContext) {
             internetGatewayPreferences.setRegistrationState(RegistrationState.Done)
+            certificateStore.delete(
+                localConfig.getIdentityKey().nodeId,
+                internetGatewayPreferences.getId(),
+            )
         }
     }
 
     @Test
     fun requestPreRegistration() = runTest(coroutineContext) {
+        setIdentityCertificate(ZonedDateTime.now().plusMinutes(1))
+
         val serviceIntent = Intent(
-            getApplicationContext<Context>(),
+            getApplicationContext(),
             EndpointPreRegistrationService::class.java,
         )
         val binder = serviceRule.bindService(serviceIntent)
@@ -100,7 +115,7 @@ class EndpointPreRegistrationServiceTest {
     @Test
     fun invalidRequestIsIgnored() {
         val serviceIntent = Intent(
-            getApplicationContext<Context>(),
+            getApplicationContext(),
             EndpointPreRegistrationService::class.java,
         )
         val binder = serviceRule.bindService(serviceIntent)
@@ -142,4 +157,51 @@ class EndpointPreRegistrationServiceTest {
             resultMessage!!.what,
         )
     }
+
+    @Test
+    fun errorReturnedWhenGatewaysCertificateIsExpired() = runTest(coroutineContext) {
+        val serviceIntent = Intent(
+            getApplicationContext(),
+            EndpointPreRegistrationService::class.java,
+        )
+        val binder = serviceRule.bindService(serviceIntent)
+
+        // Deleting all our certificates it's the same as having only expired certificates
+        certificateStore.delete(
+            localConfig.getIdentityKey().nodeId,
+            internetGatewayPreferences.getId(),
+        )
+
+        var resultMessage: Message? = null
+
+        val messenger = Messenger(binder)
+        val handler = object : Handler(Looper.getMainLooper()) {
+            override fun handleMessage(msg: Message) {
+                resultMessage = Message.obtain().also { it.copyFrom(msg) }
+            }
+        }
+        val requestMessage =
+            Message.obtain(handler, EndpointPreRegistrationService.PRE_REGISTRATION_REQUEST)
+        requestMessage.replyTo = Messenger(handler)
+        messenger.send(requestMessage)
+
+        waitFor {
+            assertNotNull("We should have got a reply", resultMessage)
+        }
+        assertEquals(
+            EndpointPreRegistrationService.GATEWAY_NOT_REGISTERED,
+            resultMessage!!.what,
+        )
+    }
+
+    private suspend fun setIdentityCertificate(validityEndDate: ZonedDateTime) {
+        val expiredCertificate = issueGatewayCertificate(
+            KeyPairSet.PRIVATE_GW.public,
+            KeyPairSet.INTERNET_GW.private,
+            validityEndDate = validityEndDate,
+            PDACertPath.INTERNET_GW,
+            validityStartDate = ZonedDateTime.now().minusMinutes(1),
+        )
+        localConfig.setIdentityCertificate(expiredCertificate)
+    }
 }
diff --git a/...rc/main/java/tech/relaycorp/gateway/background/endpoint/EndpointPreRegistrationService.kt b/...rc/main/java/tech/relaycorp/gateway/background/endpoint/EndpointPreRegistrationService.kt
@@ -16,6 +16,7 @@ import tech.relaycorp.gateway.background.component
 import tech.relaycorp.gateway.common.Logging.logger
 import tech.relaycorp.gateway.data.model.RegistrationState
 import tech.relaycorp.gateway.data.preference.InternetGatewayPreferences
+import tech.relaycorp.gateway.domain.LocalConfig
 import tech.relaycorp.gateway.domain.endpoint.EndpointRegistration
 import java.util.logging.Level
 import javax.inject.Inject
@@ -26,6 +27,9 @@ class EndpointPreRegistrationService : Service() {
     @Inject
     lateinit var internetGatewayPreferences: InternetGatewayPreferences
 
+    @Inject
+    lateinit var localConfig: LocalConfig
+
     @Inject
     lateinit var endpointRegistration: EndpointRegistration
 
@@ -69,6 +73,11 @@ class EndpointPreRegistrationService : Service() {
                 Message.obtain(null, GATEWAY_NOT_REGISTERED)
             }
 
+            localConfig.getAllValidIdentityCertificates().isEmpty() -> {
+                logger.log(Level.WARNING, "Gateway's certificate has expired")
+                Message.obtain(null, GATEWAY_NOT_REGISTERED)
+            }
+
             else -> {
                 val authSerialized = endpointRegistration.authorize(endpointApplicationId)
                 Message.obtain(null, REGISTRATION_AUTHORIZATION).also {