fix: separating the websockets code to its own domain

[ci skip]

Author: tegefaulkes

src/clientRPC/errors.ts

@@ -1,66 +1,28 @@
 import { ErrorPolykey, sysexits } from '../errors';
 
-class ErrorClient<T> extends ErrorPolykey<T> {}
+class ErrorRPC<T> extends ErrorPolykey<T> {}
 
-class ErrorClientClient<T> extends ErrorClient<T> {}
+class ErrorRPCClient<T> extends ErrorRPC<T> {}
 
-class ErrorClientDestroyed<T> extends ErrorClientClient<T> {
-  static description = 'ClientClient has been destroyed';
-  exitCode = sysexits.USAGE;
-}
-
-class ErrorClientInvalidHost<T> extends ErrorClientClient<T> {
-  static description = 'Host must be a valid IPv4 or IPv6 address string';
-  exitCode = sysexits.USAGE;
-}
-
-class ErrorClientConnectionFailed<T> extends ErrorClientClient<T> {
-  static description = 'Failed to establish connection to server';
-  exitCode = sysexits.UNAVAILABLE;
-}
-
-class ErrorClientConnectionTimedOut<T> extends ErrorClientClient<T> {
-  static description = 'Connection timed out';
-  exitCode = sysexits.UNAVAILABLE;
-}
-
-class ErrorClientConnectionEndedEarly<T> extends ErrorClientClient<T> {
-  static description = 'Connection ended before stream ended';
-  exitCode = sysexits.UNAVAILABLE;
-}
-
-class ErrorClientServer<T> extends ErrorClient<T> {}
-
-class ErrorServerPortUnavailable<T> extends ErrorClientServer<T> {
-  static description = 'Failed to bind a free port';
-  exitCode = sysexits.UNAVAILABLE;
-}
-
-class ErrorServerSendFailed<T> extends ErrorClientServer<T> {
-  static description = 'Failed to send message';
-  exitCode = sysexits.UNAVAILABLE;
+class ErrorClientAuthMissing<T> extends ErrorRPCClient<T> {
+  static description = 'Authorisation metadata is required but missing';
+  exitCode = sysexits.NOPERM;
 }
 
-class ErrorServerReadableBufferLimit<T> extends ErrorClientServer<T> {
-  static description = 'Readable buffer is full, messages received too quickly';
+class ErrorClientAuthFormat<T> extends ErrorRPCClient<T> {
+  static description = 'Authorisation metadata has invalid format';
   exitCode = sysexits.USAGE;
 }
 
-class ErrorServerConnectionEndedEarly<T> extends ErrorClientServer<T> {
-  static description = 'Connection ended before stream ended';
-  exitCode = sysexits.UNAVAILABLE;
+class ErrorClientAuthDenied<T> extends ErrorRPCClient<T> {
+  static description = 'Authorisation metadata is incorrect or expired';
+  exitCode = sysexits.NOPERM;
 }
 
 export {
-  ErrorClientClient,
-  ErrorClientDestroyed,
-  ErrorClientInvalidHost,
-  ErrorClientConnectionFailed,
-  ErrorClientConnectionTimedOut,
-  ErrorClientConnectionEndedEarly,
-  ErrorClientServer,
-  ErrorServerPortUnavailable,
-  ErrorServerSendFailed,
-  ErrorServerReadableBufferLimit,
-  ErrorServerConnectionEndedEarly,
+  ErrorRPC,
+  ErrorRPCClient,
+  ErrorClientAuthMissing,
+  ErrorClientAuthFormat,
+  ErrorClientAuthDenied,
 };

src/clientRPC/utils.ts

@@ -1,15 +1,9 @@
-import type { SessionToken } from '../sessions/types';
-import type KeyRing from '../keys/KeyRing';
-import type SessionManager from '../sessions/SessionManager';
 import type { RPCRequestParams } from './types';
-import type { JsonRpcRequest } from '../RPC/types';
-import type { Certificate } from 'keys/types';
-import type { DetailedPeerCertificate } from 'tls';
-import type { NodeId } from 'ids/index';
-import * as x509 from '@peculiar/x509';
-import * as clientErrors from '../client/errors';
-import * as networkErrors from '../network/errors';
-import * as keysUtils from '../keys/utils/index';
+import type SessionManager from 'sessions/SessionManager';
+import type KeyRing from 'keys/KeyRing';
+import type { JsonRpcRequest } from 'RPC/types';
+import type { SessionToken } from 'sessions/types';
+import * as clientErrors from './errors';
 
 async function authenticate(
   sessionManager: SessionManager,
@@ -60,149 +54,4 @@ function encodeAuthFromPassword(password: string): string {
   return `Basic ${encoded}`;
 }
 
-function detailedToCertChain(
-  cert: DetailedPeerCertificate,
-): Array<Certificate> {
-  const certChain: Array<Certificate> = [];
-  let currentCert = cert;
-  while (true) {
-    certChain.unshift(new x509.X509Certificate(currentCert.raw));
-    if (currentCert === currentCert.issuerCertificate) break;
-    currentCert = currentCert.issuerCertificate;
-  }
-  return certChain;
-}
-
-/**
- * Verify the server certificate chain when connecting to it from a client
- * This is a custom verification intended to verify that the server owned
- * the relevant NodeId.
- * It is possible that the server has a new NodeId. In that case we will
- * verify that the new NodeId is the true descendant of the target NodeId.
- */
-async function verifyServerCertificateChain(
-  nodeIds: Array<NodeId>,
-  certChain: Array<Certificate>,
-): Promise<NodeId> {
-  if (!certChain.length) {
-    throw new networkErrors.ErrorCertChainEmpty(
-      'No certificates available to verify',
-    );
-  }
-  if (!nodeIds.length) {
-    throw new networkErrors.ErrorConnectionNodesEmpty(
-      'No nodes were provided to verify against',
-    );
-  }
-  const now = new Date();
-  let certClaim: Certificate | null = null;
-  let certClaimIndex: number | null = null;
-  let verifiedNodeId: NodeId | null = null;
-  for (let certIndex = 0; certIndex < certChain.length; certIndex++) {
-    const cert = certChain[certIndex];
-    if (now < cert.notBefore || now > cert.notAfter) {
-      throw new networkErrors.ErrorCertChainDateInvalid(
-        'Chain certificate date is invalid',
-        {
-          data: {
-            cert,
-            certIndex,
-            notBefore: cert.notBefore,
-            notAfter: cert.notAfter,
-            now,
-          },
-        },
-      );
-    }
-    const certNodeId = keysUtils.certNodeId(cert);
-    if (certNodeId == null) {
-      throw new networkErrors.ErrorCertChainNameInvalid(
-        'Chain certificate common name attribute is missing',
-        {
-          data: {
-            cert,
-            certIndex,
-          },
-        },
-      );
-    }
-    const certPublicKey = keysUtils.certPublicKey(cert);
-    if (certPublicKey == null) {
-      throw new networkErrors.ErrorCertChainKeyInvalid(
-        'Chain certificate public key is missing',
-        {
-          data: {
-            cert,
-            certIndex,
-          },
-        },
-      );
-    }
-    if (!(await keysUtils.certNodeSigned(cert))) {
-      throw new networkErrors.ErrorCertChainSignatureInvalid(
-        'Chain certificate does not have a valid node-signature',
-        {
-          data: {
-            cert,
-            certIndex,
-            nodeId: keysUtils.publicKeyToNodeId(certPublicKey),
-            commonName: certNodeId,
-          },
-        },
-      );
-    }
-    for (const nodeId of nodeIds) {
-      if (certNodeId.equals(nodeId)) {
-        // Found the certificate claiming the nodeId
-        certClaim = cert;
-        certClaimIndex = certIndex;
-        verifiedNodeId = nodeId;
-      }
-    }
-    // If cert is found then break out of loop
-    if (verifiedNodeId != null) break;
-  }
-  if (certClaimIndex == null || certClaim == null || verifiedNodeId == null) {
-    throw new networkErrors.ErrorCertChainUnclaimed(
-      'Node IDs is not claimed by any certificate',
-      {
-        data: { nodeIds },
-      },
-    );
-  }
-  if (certClaimIndex > 0) {
-    let certParent: Certificate;
-    let certChild: Certificate;
-    for (let certIndex = certClaimIndex; certIndex > 0; certIndex--) {
-      certParent = certChain[certIndex];
-      certChild = certChain[certIndex - 1];
-      if (
-        !keysUtils.certIssuedBy(certParent, certChild) ||
-        !(await keysUtils.certSignedBy(
-          certParent,
-          keysUtils.certPublicKey(certChild)!,
-        ))
-      ) {
-        throw new networkErrors.ErrorCertChainBroken(
-          'Chain certificate is not signed by parent certificate',
-          {
-            data: {
-              cert: certChild,
-              certIndex: certIndex - 1,
-              certParent,
-            },
-          },
-        );
-      }
-    }
-  }
-  return verifiedNodeId;
-}
-
-export {
-  authenticate,
-  decodeAuth,
-  encodeAuthFromPassword,
-  detailedToCertChain,
-  verifyServerCertificateChain,
-};
+export { authenticate, decodeAuth, encodeAuthFromPassword };

src/clientRPC/WebSocketClient.ts src/websockets/WebSocketClient.tssrc/clientRPC/WebSocketClient.ts renamed to src/websockets/WebSocketClient.ts

@@ -0,0 +1,119 @@
+import { ErrorPolykey, sysexits } from '../errors';
+
+class ErrorWebSocket<T> extends ErrorPolykey<T> {}
+
+class ErrorWebSocketClient<T> extends ErrorWebSocket<T> {}
+
+class ErrorClientDestroyed<T> extends ErrorWebSocketClient<T> {
+  static description = 'ClientClient has been destroyed';
+  exitCode = sysexits.USAGE;
+}
+
+class ErrorClientInvalidHost<T> extends ErrorWebSocketClient<T> {
+  static description = 'Host must be a valid IPv4 or IPv6 address string';
+  exitCode = sysexits.USAGE;
+}
+
+class ErrorClientConnectionFailed<T> extends ErrorWebSocketClient<T> {
+  static description = 'Failed to establish connection to server';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+class ErrorClientConnectionTimedOut<T> extends ErrorWebSocketClient<T> {
+  static description = 'Connection timed out';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+class ErrorClientConnectionEndedEarly<T> extends ErrorWebSocketClient<T> {
+  static description = 'Connection ended before stream ended';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+class ErrorWebSocketServer<T> extends ErrorWebSocket<T> {}
+
+class ErrorServerPortUnavailable<T> extends ErrorWebSocketServer<T> {
+  static description = 'Failed to bind a free port';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+class ErrorServerSendFailed<T> extends ErrorWebSocketServer<T> {
+  static description = 'Failed to send message';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+class ErrorServerReadableBufferLimit<T> extends ErrorWebSocketServer<T> {
+  static description = 'Readable buffer is full, messages received too quickly';
+  exitCode = sysexits.USAGE;
+}
+
+class ErrorServerConnectionEndedEarly<T> extends ErrorWebSocketServer<T> {
+  static description = 'Connection ended before stream ended';
+  exitCode = sysexits.UNAVAILABLE;
+}
+
+/**
+ * Used for certificate verification
+ */
+class ErrorCertChain<T> extends ErrorWebSocket<T> {}
+
+class ErrorCertChainEmpty<T> extends ErrorCertChain<T> {
+  static description = 'Certificate chain is empty';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainUnclaimed<T> extends ErrorCertChain<T> {
+  static description = 'The target node id is not claimed by any certificate';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainBroken<T> extends ErrorCertChain<T> {
+  static description = 'The signature chain is broken';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainDateInvalid<T> extends ErrorCertChain<T> {
+  static description = 'Certificate in the chain is expired';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainNameInvalid<T> extends ErrorCertChain<T> {
+  static description = 'Certificate is missing the common name';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainKeyInvalid<T> extends ErrorCertChain<T> {
+  static description = 'Certificate public key does not generate the Node ID';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorCertChainSignatureInvalid<T> extends ErrorCertChain<T> {
+  static description = 'Certificate self-signed signature is invalid';
+  exitCode = sysexits.PROTOCOL;
+}
+
+class ErrorConnectionNodesEmpty<T> extends ErrorWebSocket<T> {
+  static description = 'Nodes list to verify against was empty';
+  exitCode = sysexits.USAGE;
+}
+
+export {
+  ErrorWebSocketClient,
+  ErrorClientDestroyed,
+  ErrorClientInvalidHost,
+  ErrorClientConnectionFailed,
+  ErrorClientConnectionTimedOut,
+  ErrorClientConnectionEndedEarly,
+  ErrorWebSocketServer,
+  ErrorServerPortUnavailable,
+  ErrorServerSendFailed,
+  ErrorServerReadableBufferLimit,
+  ErrorServerConnectionEndedEarly,
+  ErrorCertChainEmpty,
+  ErrorCertChainUnclaimed,
+  ErrorCertChainBroken,
+  ErrorCertChainDateInvalid,
+  ErrorCertChainNameInvalid,
+  ErrorCertChainKeyInvalid,
+  ErrorCertChainSignatureInvalid,
+  ErrorConnectionNodesEmpty,
+};