Checking that the sas token is not set to an invalid value (#857)
jebrando authored Feb 11, 2019
1 parent 499744e commit 0502342
Showing 2 changed files with 92 additions and 83 deletions.
149 changes: 77 additions & 72 deletions iothub_client/src/iothub_client_authorization.c
@@ -20,6 +20,7 @@

#define DEFAULT_SAS_TOKEN_EXPIRY_TIME_SECS 3600
#define INDEFINITE_TIME ((time_t)(-1))
#define MIN_SAS_EXPIRY_TIME 5 // 5 seconds

typedef struct IOTHUB_AUTHORIZATION_DATA_TAG
{
@@ -51,6 +52,44 @@ static int get_seconds_since_epoch(size_t* seconds)
return result;
}

static IOTHUB_AUTHORIZATION_DATA* initialize_auth_client(const char* device_id, const char* module_id)
{
IOTHUB_AUTHORIZATION_DATA* result;

/* Codes_SRS_IoTHub_Authorization_07_002: [IoTHubClient_Auth_Create shall allocate a IOTHUB_AUTHORIZATION_HANDLE that is needed for subsequent calls. ] */
result = (IOTHUB_AUTHORIZATION_DATA*)malloc(sizeof(IOTHUB_AUTHORIZATION_DATA) );
if (result == NULL)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating IOTHUB_AUTHORIZATION_DATA");
result = NULL;
}
else
{
memset(result, 0, sizeof(IOTHUB_AUTHORIZATION_DATA) );
if (mallocAndStrcpy_s(&result->device_id, device_id) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating device_key");
free(result);
result = NULL;
}
else if (module_id != NULL && mallocAndStrcpy_s(&result->module_id, module_id) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating module_id");
free(result->device_id);
free(result);
result = NULL;
}
else
{
result->token_expiry_time_sec = DEFAULT_SAS_TOKEN_EXPIRY_TIME_SECS;
}
}
return result;
}

IOTHUB_AUTHORIZATION_HANDLE IoTHubClient_Auth_Create(const char* device_key, const char* device_id, const char* device_sas_token, const char *module_id)
{
IOTHUB_AUTHORIZATION_DATA* result;
@@ -62,70 +101,46 @@ IOTHUB_AUTHORIZATION_HANDLE IoTHubClient_Auth_Create(const char* device_key, con
}
else
{
/* Codes_SRS_IoTHub_Authorization_07_002: [IoTHubClient_Auth_Create shall allocate a IOTHUB_AUTHORIZATION_HANDLE that is needed for subsequent calls. ] */
result = (IOTHUB_AUTHORIZATION_DATA*)malloc(sizeof(IOTHUB_AUTHORIZATION_DATA) );
result = initialize_auth_client(device_id, module_id);
if (result == NULL)
{
LogError("Failure initializing auth client");
}
else if (device_key != NULL && mallocAndStrcpy_s(&result->device_key, device_key) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating IOTHUB_AUTHORIZATION_DATA");
LogError("Failed allocating device_key");
free(result->device_id);
free(result->module_id);
free(result);
result = NULL;
}
else
{
memset(result, 0, sizeof(IOTHUB_AUTHORIZATION_DATA) );
result->token_expiry_time_sec = DEFAULT_SAS_TOKEN_EXPIRY_TIME_SECS;

if (device_key != NULL && mallocAndStrcpy_s(&result->device_key, device_key) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating device_key");
free(result);
result = NULL;
}
else if (mallocAndStrcpy_s(&result->device_id, device_id) != 0)
if (device_key != NULL)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating device_key");
free(result->device_key);
free(result);
result = NULL;
/* Codes_SRS_IoTHub_Authorization_07_003: [ IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_DEVICE_KEY if the device_sas_token is NULL. ]*/
result->cred_type = IOTHUB_CREDENTIAL_TYPE_DEVICE_KEY;
}
else if (module_id != NULL && mallocAndStrcpy_s(&result->module_id, module_id) != 0)
else if (device_sas_token != NULL)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating module_id");
free(result->device_id);
free(result->device_key);
free(result);
result = NULL;
/* Codes_SRS_IoTHub_Authorization_07_020: [ else IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_SAS_TOKEN. ] */
result->cred_type = IOTHUB_CREDENTIAL_TYPE_SAS_TOKEN;
if (mallocAndStrcpy_s(&result->device_sas_token, device_sas_token) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating device_key");
free(result->device_key);
free(result->device_id);
free(result->module_id);
free(result);
result = NULL;
}
}
else
{
if (device_key != NULL)
{
/* Codes_SRS_IoTHub_Authorization_07_003: [ IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_DEVICE_KEY if the device_sas_token is NULL. ]*/
result->cred_type = IOTHUB_CREDENTIAL_TYPE_DEVICE_KEY;
}
else if (device_sas_token != NULL)
{
/* Codes_SRS_IoTHub_Authorization_07_020: [ else IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_SAS_TOKEN. ] */
result->cred_type = IOTHUB_CREDENTIAL_TYPE_SAS_TOKEN;
if (mallocAndStrcpy_s(&result->device_sas_token, device_sas_token) != 0)
{
/* Codes_SRS_IoTHub_Authorization_07_019: [ On error IoTHubClient_Auth_Create shall return NULL. ] */
LogError("Failed allocating device_key");
free(result->device_key);
free(result->device_id);
free(result->module_id);
free(result);
result = NULL;
}
}
else
{
/* Codes_SRS_IoTHub_Authorization_07_024: [ if device_sas_token and device_key are NULL IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_UNKNOWN. ] */
result->cred_type = IOTHUB_CREDENTIAL_TYPE_UNKNOWN;
}
/* Codes_SRS_IoTHub_Authorization_07_024: [ if device_sas_token and device_key are NULL IoTHubClient_Auth_Create shall set the credential type to IOTHUB_CREDENTIAL_TYPE_UNKNOWN. ] */
result->cred_type = IOTHUB_CREDENTIAL_TYPE_UNKNOWN;
}
}
}
@@ -144,35 +159,19 @@ IOTHUB_AUTHORIZATION_HANDLE IoTHubClient_Auth_CreateFromDeviceAuth(const char* d
else
{
#ifdef USE_PROV_MODULE
result = (IOTHUB_AUTHORIZATION_DATA*)malloc(sizeof(IOTHUB_AUTHORIZATION_DATA));
result = initialize_auth_client(device_id, module_id);
if (result == NULL)
{
LogError("Failed allocating IOTHUB_AUTHORIZATION_DATA");
result = NULL;
LogError("Failure initializing auth client");
}
else
{
memset(result, 0, sizeof(IOTHUB_AUTHORIZATION_DATA));

result->device_auth_handle = iothub_device_auth_create();
if (result->device_auth_handle == NULL)
{
LogError("Failed allocating IOTHUB_AUTHORIZATION_DATA");
free(result);
result = NULL;
}
else if (mallocAndStrcpy_s(&result->device_id, device_id) != 0)
{
LogError("Failed allocating device_id");
iothub_device_auth_destroy(result->device_auth_handle);
free(result);
result = NULL;
}
else if ((module_id != NULL) && (mallocAndStrcpy_s(&result->module_id, module_id) != 0))
{
LogError("Failed allocating module_id");
iothub_device_auth_destroy(result->device_auth_handle);
free(result->device_id);
free(result->module_id);
free(result);
result = NULL;
}
@@ -606,7 +605,7 @@ static char* read_ca_certificate_from_file(const char* certificate_file_name)
LogError("fseek on file %s fails, errno=%d", certificate_file_name, errno);
result = NULL;
}
else
else
{
long int file_size = ftell(file_stream);
if (file_size < 0)
@@ -646,7 +645,7 @@ static char* read_ca_certificate_from_file(const char* certificate_file_name)

// IoTHubClient_Auth_Get_TrustBundle retrieves a trust bundle - namely a PEM indicating the certificates the client should
// trust as root authorities - to caller. If certificate_file_name, we read this from a local file. This should in general
// be limited only to debugging modules on Edge. If certificate_file_name is NULL, we invoke into the underlying
// be limited only to debugging modules on Edge. If certificate_file_name is NULL, we invoke into the underlying
// HSM to retrieve this.
char* IoTHubClient_Auth_Get_TrustBundle(IOTHUB_AUTHORIZATION_HANDLE handle, const char* certificate_file_name)
{
@@ -676,6 +675,12 @@ int IoTHubClient_Auth_Set_SasToken_Expiry(IOTHUB_AUTHORIZATION_HANDLE handle, si
LogError("Invalid handle value handle: NULL");
result = __FAILURE__;
}
// Validate the expiry_time in seconds
else if (expiry_time_seconds < MIN_SAS_EXPIRY_TIME)
{
LogError("Failure setting expiry time to value %lu min value is %d", (unsigned long)expiry_time_seconds, MIN_SAS_EXPIRY_TIME);
result = __FAILURE__;
}
else
{
handle->token_expiry_time_sec = expiry_time_seconds;
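Review bot: The new guard in IoTHubClient_Auth_Set_SasToken_Expiry rejects values below MIN_SAS_EXPIRY_TIME but puts no ceiling on `expiry_time_seconds`, so any `size_t` up to its maximum can still be stored in `token_expiry_time_sec`. The code that consumes that field is outside the visible hunks, but if it is added to the value from `get_seconds_since_epoch` to build the token expiry, a very large value could wrap or produce a SAS token that effectively never expires, which defeats the purpose of short-lived credentials. Consider an upper bound beside the lower one, e.g. `else if (expiry_time_seconds > MAX_SAS_EXPIRY_TIME)` with a project-chosen constant (the name is illustrative, not an existing macro), or an overflow check where the expiry is computed. The function's body starts and ends outside this hunk.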
@@ -198,28 +198,28 @@ TEST_FUNCTION_CLEANUP(method_cleanup)
static void setup_IoTHubClient_Auth_CreateFromDeviceAuth_mocks(bool module_id, DEVICE_AUTH_TYPE auth_type)
{
STRICT_EXPECTED_CALL(gballoc_malloc(IGNORED_NUM_ARG));
STRICT_EXPECTED_CALL(iothub_device_auth_create());
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, DEVICE_ID));
if (module_id)
{
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, MODULE_ID));
}
STRICT_EXPECTED_CALL(iothub_device_auth_create());
STRICT_EXPECTED_CALL(iothub_device_auth_get_type(IGNORED_PTR_ARG)).SetReturn(auth_type);
}
#endif

static void setup_IoTHubClient_Auth_Create_mocks(bool device_key, bool module_id)
{
STRICT_EXPECTED_CALL(gballoc_malloc(IGNORED_NUM_ARG));
if (device_key)
{
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, DEVICE_KEY));
}
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, DEVICE_ID));
if (module_id)
{
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, MODULE_ID));
}
if (device_key)
{
STRICT_EXPECTED_CALL(mallocAndStrcpy_s(IGNORED_PTR_ARG, DEVICE_KEY));
}
}

static void setup_IoTHubClient_Auth_Get_ConnString_mocks()
@@ -392,8 +392,11 @@ TEST_FUNCTION(IoTHubClient_Auth_Create_fail)

IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_Create(DEVICE_KEY, DEVICE_ID, NULL, MODULE_ID);

char tmp_msg[64];
sprintf(tmp_msg, "IoTHubClient_Auth_Create failure in test %lu/%lu", (unsigned long)index, (unsigned long)count);

//assert
ASSERT_IS_NULL(handle, "IoTHubClient_Auth_Create failure in test %lu/%lu", (unsigned long)index, (unsigned long)count);
ASSERT_IS_NULL(handle, tmp_msg);
}
//cleanup
umock_c_negative_tests_deinit();
@@ -405,10 +408,10 @@ TEST_FUNCTION(IoTHubClient_Auth_CreateFromDeviceAuth_success)
//arrange
umock_c_reset_all_calls();

setup_IoTHubClient_Auth_CreateFromDeviceAuth_mocks(false, AUTH_TYPE_SAS);
setup_IoTHubClient_Auth_CreateFromDeviceAuth_mocks(true, AUTH_TYPE_SAS);

//act
IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_CreateFromDeviceAuth(DEVICE_ID, NULL);
IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_CreateFromDeviceAuth(DEVICE_ID, MODULE_ID);

//assert
ASSERT_IS_NOT_NULL(handle);
@@ -452,13 +455,13 @@ TEST_FUNCTION(IoTHubClient_Auth_CreateFromDeviceAuth_fail)
umock_c_negative_tests_reset();
umock_c_negative_tests_fail_call(index);

IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_CreateFromDeviceAuth(DEVICE_ID, MODULE_ID);

char tmp_msg[64];
sprintf(tmp_msg, "IoTHubClient_Auth_Create failure in test %lu/%lu", (unsigned long)index, (unsigned long)count);

IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_CreateFromDeviceAuth(DEVICE_ID, MODULE_ID);

//assert
ASSERT_IS_NULL(handle);
ASSERT_IS_NULL(handle, tmp_msg);
}

//cleanup
@@ -827,6 +830,7 @@ TEST_FUNCTION(IoTHubClient_Auth_Get_ModuleId_succeed)
setup_IoTHubClient_Auth_Create_mocks(false, true);
IOTHUB_AUTHORIZATION_HANDLE handle = IoTHubClient_Auth_Create(NULL, DEVICE_ID, NULL, MODULE_ID);
ASSERT_IS_NOT_NULL(handle);
umock_c_reset_all_calls();

//act
const char* module_id = IoTHubClient_Auth_Get_ModuleId(handle);
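Review bot: The `sprintf` into `char tmp_msg[64]` added in IoTHubClient_Auth_Create_fail is unbounded: the fixed text is 41 characters, so two `%lu` values totalling more than 21 digits would write past the buffer. Test indices are small, so this will not trigger in practice, but a bounded call costs nothing: `snprintf(tmp_msg, sizeof(tmp_msg), "IoTHubClient_Auth_Create failure in test %lu/%lu", (unsigned long)index, (unsigned long)count);`. The same applies to the copy in IoTHubClient_Auth_CreateFromDeviceAuth_fail, whose message still names IoTHubClient_Auth_Create rather than the function under test. Both test bodies extend outside the visible hunks.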
