brunorijsman
diff --git a/‎TODO‎
Lines changed: 2 additions & 36 deletions b/‎TODO‎
Lines changed: 2 additions & 36 deletions
diff --git a/‎client/__main__.py‎
Lines changed: 56 additions & 9 deletions b/‎client/__main__.py‎
Lines changed: 56 additions & 9 deletions
diff --git a/‎client/client.py‎
Lines changed: 49 additions & 16 deletions b/‎client/client.py‎
Lines changed: 49 additions & 16 deletions
diff --git a/‎client/http_client.py‎
Lines changed: 12 additions & 1 deletion b/‎client/http_client.py‎
Lines changed: 12 additions & 1 deletion
@@ -4,12 +4,6 @@ TODO: Make dske.yaml the default configuration file, and add a --config option t
 
 TODO: Cleanup Shamir's Secret Sharing (SSS) code (no back-and-forth conversion to RawShare)
 
-TODO: Better error response if authentication key is bad (and return to pool if allocated)
-      - Bad block uuid
-      - Start and end of range
-      - Already allocated
-      - Etc.
-
 TODO: Move code coverage data files to subdirectory
 
 TODO: Stop all nodes after each test (to make sure they are stopped if test case fails)
@@ -18,23 +12,11 @@ TODO: Add a test cases with a netcat (nc) listener squatting the port
 
 TODO: Make sure key has unique key UUID
 
-TODO: Key initiator: Select N peer hub (initially: all peer hubs)
-
-TODO: Allow a client to register itself again (after a restart). Done; just need to test.
-
-TODO: Add statistics management API and topology command to query it.
-
-TODO: More unit test cases to get code coverage up
-
 TODO: Add Sphinx documentation
       Use https://github.com/tox-dev/sphinx-autodoc-typehints 
 
 TODO: Cleanup share after all clients have retrieved it, or after timeout.
 
-TODO: Request new PSRD blocks when they run low (have a threshold)
-
-TODO: Better way to avoid circular imports that then current # type: ignore
-
 TODO: Make the swagger docs also work off-line
 
 TODO: Type annotations everywhere
@@ -49,18 +31,11 @@ TODO: Put .out files in a sub-directory
 
 TODO: OpenAPI (Swagger) documentation should show proper type for request and response data
 
-TODO: Error if get-key-with-key-ids if the API is invoked on client which is not actually one of the
-      slaves for that key.
-
 TODO: Use data (instead of value) in Fragment for consistency. Also in documentation (including
       figures)
 
 TODO: Avoid usage: __main__.py in --help output for client / hub
 
-TODO: Add site map to Google Search Console
-
-TODO: Consistently use httpx for client side (not requests for synchronous calls)
-
 TODO: Add test case: start hub later than client (registration retry logic in client)
 
 TODO: Forbid extra query parameters for API calls
@@ -72,12 +47,6 @@ TODO: Fix crash in shamir code when key size 8 is used (don't allow too small ke
 
 TODO: Time-out shares on hubs and remove them if they have not been retrieved after the time-out
 
-TODO: When I ask for a 20,000 bytes key, it fails (as expected). But the attempted allocation for
-      the encryption key of each share is only 2,500 bytes which seems wrong:
-      5 hubs x 2,500 bytes per share = 12,500 bytes (I expected at least 20,000)
-      Note: it's because key size is in bits and pool size is in bytes. Add size_in_bits where
-      appropriate.
-
 TODO: Have an option to use PSRD data as the key instead of a random number generator.
       Explain pros and cons of each approach (forward secrecy if PSRD is compromised) in docs.
 
@@ -90,9 +59,6 @@ TODO: Testcase for invalid signature
       - Signature is incorrect
       - Make sure bytes taken from pool are returned (to defend against DOS attack)
 
-TODO: Do we need the owner field in class Block? We known the owner by virtue of which pool
-      it is in.
-
-TODO: If signature validation fails, return fragment to pool
+TODO: Test case for: if signature validation fails, return fragment to pool
 
-TODO: Test case for this
+TODO: Error message if --client or --hub does not exist in topology
@@ -6,11 +6,12 @@
 import contextlib
 import os
 import signal
+from typing import Annotated
 import fastapi
 import uvicorn
 from common import configuration
 from common import utils
-from common.exceptions import DSKEException
+from common.exceptions import DSKEException, MissingAuthorizationHeaderError
 from .client import Client
 
 
@@ -29,6 +30,12 @@ def parse_command_line_arguments():
         type=str,
         help=f"Base URLs for hubs (e.g., http://127.0.0.1:{configuration.DEFAULT_BASE_PORT})",
     )
+    parser.add_argument(
+        "--encryptors",
+        nargs="+",
+        type=str,
+        help="Names (SAE IDs) of encryptors consuming keys from this client (KME).",
+    )
     args = parser.parse_args()
     return args
 
@@ -37,7 +44,11 @@ def parse_command_line_arguments():
 peer_hub_urls = _ARGS.hubs
 if peer_hub_urls is None:
     peer_hub_urls = []
-_CLIENT = Client(_ARGS.name, peer_hub_urls)
+if _ARGS.encryptors is None:
+    encryptor_names = []
+else:
+    encryptor_names = _ARGS.encryptors
+_CLIENT = Client(_ARGS.name, encryptor_names, peer_hub_urls)
 
 
 @contextlib.asynccontextmanager
@@ -65,29 +76,43 @@ async def dske_exception_handler(_request: fastapi.Request, exc: DSKEException):
 
 
 @_APP.get(f"/client/{_CLIENT.name}/etsi/api/v1/keys/{{slave_sae_id}}/status")
-async def get_etsi_status(slave_sae_id: str):
+async def get_etsi_status(
+    slave_sae_id: str,
+    authorization: Annotated[str | None, fastapi.Header()] = None,
+):
     """
     ETSI QKD 014 API: Status.
     """
-    return await _CLIENT.etsi_status(slave_sae_id)
+    master_sae_id = calling_sae_id(authorization)
+    return await _CLIENT.etsi_status(master_sae_id, slave_sae_id)
 
 
 @_APP.get(f"/client/{_CLIENT.name}/etsi/api/v1/keys/{{slave_sae_id}}/enc_keys")
-async def get_etsi_get_key(slave_sae_id: str, size: int | None = None):
+async def get_etsi_get_key(
+    slave_sae_id: str,
+    size: int | None = None,
+    authorization: Annotated[str | None, fastapi.Header()] = None,
+):
     """
     ETSI QKD 014 API: Get Key.
     """
-    return await _CLIENT.etsi_get_key(slave_sae_id, size=size)
+    master_sae_id = calling_sae_id(authorization)
+    return await _CLIENT.etsi_get_key(master_sae_id, slave_sae_id, size)
 
 
 @_APP.get(f"/client/{_CLIENT.name}/etsi/api/v1/keys/{{master_sae_id}}/dec_keys")
-async def get_eti_get_key_with_key_ids(master_sae_id: str, key_ID: str):
+async def get_eti_get_key_with_key_ids(
+    master_sae_id: str,
+    key_ID: str,
+    authorization: Annotated[str | None, fastapi.Header()] = None,
+):
     """
     ETSI QKD 014 API: Get Key with Key IDs.
     """
     # ETSI QKD 014 says that ID in key_ID has to be upper case, which lint doesn't like.
     # pylint: disable=invalid-name
-    return await _CLIENT.etsi_get_key_with_key_ids(master_sae_id, key_ID)
+    slave_sae_id = calling_sae_id(authorization)
+    return await _CLIENT.etsi_get_key_with_key_ids(master_sae_id, slave_sae_id, key_ID)
 
 
 @_APP.get(f"/client/{_CLIENT.name}/mgmt/v1/status")
@@ -108,9 +133,31 @@ async def post_mgmt_stop():
     return {"result": "Client stopped"}
 
 
+def calling_sae_id(authorization_header: str | None) -> str:
+    """
+    Get the SAE ID of the calling entity from the request headers.
+    """
+    if authorization_header is None:
+        if len(_CLIENT.encryptor_names) == 1:
+            # If the client has exactly one encryptor, we assume that this is the one.
+            # This makes it easier for users to use curl for testing in simple topologies.
+            # It's okay because we only implement a subset of ETSI QKD 014: we are not really
+            # authenticating the clients, we are just using the Authorization header to
+            # determine which encryptor is calling.
+            master_sae_id = _CLIENT.encryptor_names[0]
+        else:
+            # There is more than one encryptor, so we cannot guess which one is calling.
+            raise MissingAuthorizationHeaderError(
+                client_name=_CLIENT.name,
+            )
+    else:
+        master_sae_id = authorization_header.strip()
+    return master_sae_id
+
+
 def main():
     """
-    Main entry point for the hub package.
+    Main entry point for the client package.
     """
     utils.create_pid_file("client", _CLIENT.name)
     config = uvicorn.Config(app=_APP, port=_ARGS.port)
 
@@ -28,10 +28,12 @@ class Client:
     _max_keys_per_request = 1  # TODO: Allow more than one
 
     _name: str
+    _encryptor_names: list[str]
     _peer_hubs: list[PeerHub]
 
-    def __init__(self, name: str, peer_hub_urls: list[str]):
+    def __init__(self, name: str, encryptor_names: list[str], peer_hub_urls: list[str]):
         self._name = name
+        self._encryptor_names = encryptor_names
         self._peer_hubs = []
         for peer_hub_url in peer_hub_urls:
             peer_hub = PeerHub(self, peer_hub_url)
@@ -44,22 +46,33 @@ def name(self):
         """
         return self._name
 
+    @property
+    def encryptor_names(self):
+        """
+        Get the encryptor names.
+        """
+        return self._encryptor_names
+
     def to_mgmt(self):
         """
         Get the management status.
         """
         peer_hubs_status = [peer_hub.to_mgmt() for peer_hub in self._peer_hubs]
-        return {"name": self._name, "peer_hubs": peer_hubs_status}
+        return {
+            "name": self._name,
+            "encryptor_names": self._encryptor_names,
+            "peer_hubs": peer_hubs_status,
+        }
 
-    async def etsi_status(self, slave_sae_id: str):
+    async def etsi_status(self, master_sae_id: str, slave_sae_id: str):
         """
         ETSI QKD 014 V1.1.1 Status API.
         """
         # See remark about ETSI QKD API in file TODO
         return {
             "source_kme_id": self._name,
-            "target_kme_id": slave_sae_id,
-            "master_sae_id": self._name,
+            "target_kme_id": "TODO",  # TODO: Determine slave KME ID from slave SAE ID
+            "master_sae_id": master_sae_id,
             "slave_sae_id": slave_sae_id,
             "key_size": self._default_key_size_in_bits,
             "stored_key_count": 25000,  # TODO
@@ -70,7 +83,12 @@ async def etsi_status(self, slave_sae_id: str):
             "max_sae_id_count": 0,
         }
 
-    async def etsi_get_key(self, _slave_sae_id: str, size: int | None = None):
+    async def etsi_get_key(
+        self,
+        master_sae_id: str,
+        slave_sae_id: str,
+        size: int | None = None,
+    ):
         """
         ETSI QKD 014 V1.1.1 Get key API.
         """
@@ -89,25 +107,25 @@ async def etsi_get_key(self, _slave_sae_id: str, size: int | None = None):
             )
         size_in_bytes = size // 8
         key = UserKey.create_random_key(size_in_bytes)
-        await self.scatter_key_amongst_peer_hubs(key)
+        await self.scatter_key_amongst_peer_hubs(master_sae_id, slave_sae_id, key)
         return {
             "keys": {
                 "key_ID": key.key_id,
                 "key": utils.bytes_to_str(key.value),
             }
         }
 
-    async def etsi_get_key_with_key_ids(self, _master_sae_id: str, key_id: str):
+    async def etsi_get_key_with_key_ids(
+        self, master_sae_id: str, slave_sae_id: str, key_id: str
+    ):
         """
         ETSI QKD 014 V1.1.1 Get key with key IDs API.
         """
-        # TODO: Pass the master SAE ID and the slave SAE ID along with the relayed shares
-        #       and check that they match here.
         try:
             key_id = UUID(key_id)
         except ValueError as exc:
             raise exceptions.InvalidKeyIDError(key_id) from exc
-        key = await self.gather_key_from_peer_hubs(key_id)
+        key = await self.gather_key_from_peer_hubs(master_sae_id, slave_sae_id, key_id)
         return {
             "keys": [
                 {
@@ -124,15 +142,22 @@ def start_all_peer_hubs(self) -> None:
         for peer_hub in self._peer_hubs:
             peer_hub.start_register_task()
 
-    async def scatter_key_amongst_peer_hubs(self, key: UserKey) -> None:
+    async def scatter_key_amongst_peer_hubs(
+        self,
+        master_sae_id: str,
+        slave_sae_id: str,
+        key: UserKey,
+    ) -> None:
         """
         Split the key into key shares, and send each key share to a peer hub.
         """
         nr_shares = len(self._peer_hubs)
-        shares = key.split_into_shares(nr_shares, _MIN_NR_SHARES)
+        shares = key.split_into_shares(
+            master_sae_id, slave_sae_id, nr_shares, _MIN_NR_SHARES
+        )
         assert len(shares) == nr_shares
         coroutines = [
-            peer_hub.post_share(share)
+            peer_hub.post_share(master_sae_id, slave_sae_id, share)
             for peer_hub, share in zip(self._peer_hubs, shares)
         ]
         results = await asyncio.gather(*coroutines, return_exceptions=True)
@@ -152,13 +177,21 @@ async def scatter_key_amongst_peer_hubs(self, key: UserKey) -> None:
                 key.key_id, nr_shares_successfully_scattered, _MIN_NR_SHARES, causes
             )
 
-    async def gather_key_from_peer_hubs(self, key_id: UUID) -> UserKey:
+    async def gather_key_from_peer_hubs(
+        self,
+        master_sae_id: str,
+        slave_sae_id: str,
+        key_id: UUID,
+    ) -> UserKey:
         """
         Gather key shares from the peer hubs, and reconstruct the key out of (a subset of)
         the key shares.
         """
         nr_shares_attempted_to_gather = len(self._peer_hubs)
-        coroutines = [peer_hub.get_share(key_id) for peer_hub in self._peer_hubs]
+        coroutines = [
+            peer_hub.get_share(master_sae_id, slave_sae_id, key_id)
+            for peer_hub in self._peer_hubs
+        ]
         results = await asyncio.gather(*coroutines, return_exceptions=True)
         shares = [result for result in results if not isinstance(result, Exception)]
         nr_shares_successfully_gathered = len(shares)
 
@@ -41,6 +41,12 @@ async def async_auth_flow(self, request):
             signature.add_to_headers(request.headers)
             response = yield request
             received_signature = Signature.from_headers(response.headers)
+            if received_signature is None:
+                # If the signature is missing on an error response, keep the original error response
+                # instead of raising an InvalidSignatureError which wipes out any useful error info.
+                if response.status_code < 400:
+                    raise InvalidSignatureError()
+                return
             allocation = Allocation.from_enc_str(
                 received_signature.signing_key_allocation_enc_str, self._peer_pool
             )
@@ -166,7 +172,12 @@ async def _put_or_post(
                     exception=str(exc),
                 ) from exc
             if response.status_code != 200:
-                LOGGER.error(f"Call {method} {url} {response.status_code}")
+                message = ""
+                try:
+                    message = " " + response.json().get("message")
+                except Exception:  # pylint: disable=broad-except
+                    pass
+                LOGGER.error(f"Call {method} {url} {response.status_code}{message}")
                 raise exceptions.HTTPError(
                     method=method,
                     url=url,