Validate origins when generating subdomain tokens

tools/origin_trials/generate_token.py

 #!/usr/bin/env python
 # Copyright (c) 2016 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 """Utility for generating experimental API tokens
 
 usage: generate_token.py [-h] [--key-file KEY_FILE]
                          [--expire-days EXPIRE_DAYS |
                           --expire-timestamp EXPIRE_TIMESTAMP]
@@ skipping 68 matching lines @@
   if not port:
     port = {"https": 443, "http": 80}[origin.scheme]
   # Strip any extra components and return the origin URL:
   return "{0}://{1}:{2}".format(origin.scheme, origin.hostname, port)
 
 def ExpiryFromArgs(args):
   if args.expire_timestamp:
     return int(args.expire_timestamp)
   return (int(time.time()) + (int(args.expire_days) * 86400))
 
+def ValidateSubdomainTokenOrigin(origin):
+  """ Calls validate_subdomain_origin utility to check the origin
+
+  If the utility is not found, prints a warning for manual validation, and
+  returns True
+  """
+  utility_path = "bin/validate_subdomain_origin"

[iclelland, 2016/11/02 15:25:47]

How does this utility end up in a bin/ directory? I've tried running

ninja -c out/Default validate_subdomain_origin

and it builds, but it places the executable in my output directory, where the
script doesn't find it.

I don't think that the script should be in src/tools, since it's generated, but
maybe we could do something like what run-blink-tests does, and take a --target
parameter which points to the correct output directory (default to /out/Default,
but allow any other directory to be used)

[chasej, 2016/11/03 19:23:39]

I forgot to add instructions, but I just used a symbolic link (e.g. ln -s
path/to/out/Default/validate_subdomain_origin bin/validate_subdomain_origin).

Since the generate script is run manually, I thought a manual install step was
reasonable.

I do like your suggestion of --target parameter with a default. Changed to use
that approach.

+  if not os.path.exists(utility_path):
+    print "WARNING!"
+    print "Origin not validated for use in subdomain token"
+    print "  (missing '%s' utility)" % utility_path
+    print "Must manually check origin against the Public Suffix List"
+    print
+    return True
+
+  rc = os.system("%s %s >/dev/null 2>&1" % (utility_path, origin))
+  return rc == 0

[iclelland, 2016/11/02 15:25:47]

It is also possible for other non-zero status to be returned: I tried moving the
utility into a bin/ directory, and running it from there returns a 127 status,
as the shared libraries are not available (I built as a component build)

stderr there says "bin/validate_subdomain_origin: error while loading shared
libraries: libbase.so: cannot open shared object file: No such file or
directory"

Clearly my error, but the script silently interpreted this as "The specified
origin is not valid for use in a subdomain token." for every domain.

I think the simplest thing to do is to check for any out-of-bounds status here,
and sys.exit() with an error if we see one.

[chasej, 2016/11/03 19:23:39]

Done.

+
 def GenerateTokenData(origin, is_subdomain, feature_name, expiry):
   data = {"origin": origin,
           "feature": feature_name,
           "expiry": expiry}
   if is_subdomain is not None:
     data["isSubdomain"] = is_subdomain
   return json.dumps(data).encode('utf-8')
 
 def GenerateDataToSign(version, data):
   return version + struct.pack(">I",len(data)) + data
@@ skipping 53 matching lines @@
   private_key = key_file.read(64)
 
   # Validate that the key file read was a proper Ed25519 key -- running the
   # publickey method on the first half of the key should return the second
   # half.
   if (len(private_key) < 64 or
     ed25519.publickey(private_key[:32]) != private_key[32:]):
     print("Unable to use the specified private key file.")
     sys.exit(1)
 
+  # For subdomain tokens, validate that the origin is allowed
+  if args.is_subdomain:
+    if not ValidateSubdomainTokenOrigin(args.origin):
+      print "The specified origin is not valid for use in a subdomain token."
+      sys.exit(1)
+
   token_data = GenerateTokenData(args.origin, args.is_subdomain,
                                  args.trial_name, expiry)
   data_to_sign = GenerateDataToSign(VERSION, token_data)
   signature = Sign(private_key, data_to_sign)
 
   # Verify that that the signature is correct before printing it.
   try:
     ed25519.checkvalid(signature, data_to_sign, private_key[32:])
   except Exception, exc:
     print "There was an error generating the signature."
     print "(The original error was: %s)" % exc
     sys.exit(1)
 
 
   # Output the token details
   print "Token details:"
   print " Origin: %s" % args.origin
   print " Is Subdomain: %s" % args.is_subdomain
   print " Feature: %s" % args.trial_name
   print " Expiry: %d (%s UTC)" % (expiry, datetime.utcfromtimestamp(expiry))
   print
 
   # Output the properly-formatted token.
   print FormatToken(VERSION, signature, token_data)
 
 if __name__ == "__main__":
   main()