Add certificate approval flow

This commit is contained in:
Drew DeVault 2018-01-31 21:54:52 -05:00
parent a21afdaa6b
commit 3139148c7b
3 changed files with 91 additions and 41 deletions

View file

@ -5,8 +5,6 @@ import (
tb "github.com/nsf/termbox-go" tb "github.com/nsf/termbox-go"
"github.com/davecgh/go-spew/spew"
"git.sr.ht/~sircmpwn/aerc2/config" "git.sr.ht/~sircmpwn/aerc2/config"
"git.sr.ht/~sircmpwn/aerc2/worker" "git.sr.ht/~sircmpwn/aerc2/worker"
"git.sr.ht/~sircmpwn/aerc2/worker/types" "git.sr.ht/~sircmpwn/aerc2/worker/types"
@ -64,12 +62,25 @@ func (acc *AccountTab) GetChannel() chan types.WorkerMessage {
return acc.Worker.GetMessages() return acc.Worker.GetMessages()
} }
func (acc *AccountTab) postAction(msg types.WorkerMessage) {
acc.logger.Printf("-> %T\n", msg)
acc.Worker.PostAction(msg)
}
func (acc *AccountTab) HandleMessage(msg types.WorkerMessage) { func (acc *AccountTab) HandleMessage(msg types.WorkerMessage) {
switch msg.InResponseTo().(type) { acc.logger.Printf("<- %T\n", msg)
case types.Configure: switch msg.(type) {
// Avoid printing passwords case types.Ack:
acc.logger.Printf("<- %T\n", msg) // no-op
case types.ApproveCertificate:
// TODO: Ask the user
acc.logger.Println("Approving certificate")
acc.postAction(types.Ack{
Message: types.RespondTo(msg),
})
default: default:
acc.logger.Printf("<- %s", spew.Sdump(msg)) acc.postAction(types.Unsupported{
Message: types.RespondTo(msg),
})
} }
} }

View file

@ -1,12 +1,13 @@
package imap package imap
import ( import (
"crypto/tls"
"crypto/x509"
"fmt" "fmt"
"log" "log"
"net/url" "net/url"
"strings" "strings"
"github.com/davecgh/go-spew/spew"
"github.com/emersion/go-imap" "github.com/emersion/go-imap"
"github.com/emersion/go-imap-idle" "github.com/emersion/go-imap-idle"
"github.com/emersion/go-imap/client" "github.com/emersion/go-imap/client"
@ -54,6 +55,45 @@ func (w *IMAPWorker) PostAction(msg types.WorkerMessage) {
w.actions <- msg w.actions <- msg
} }
func (w *IMAPWorker) postMessage(msg types.WorkerMessage) {
w.logger.Printf("=> %T\n", msg)
w.messages <- msg
}
func (w *IMAPWorker) verifyPeerCert(msg types.WorkerMessage) func(
rawCerts [][]byte, _ [][]*x509.Certificate) error {
return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
pool := x509.NewCertPool()
for _, rawCert := range rawCerts {
cert, err := x509.ParseCertificate(rawCert)
if err != nil {
return err
}
pool.AddCert(cert)
}
request := types.ApproveCertificate{
Message: types.RespondTo(msg),
CertPool: pool,
}
w.postMessage(request)
response := <-w.actions
if response.InResponseTo() != request {
return fmt.Errorf("Expected UI to answer cert request")
}
switch response.(type) {
case types.Ack:
return nil
case types.Disconnect:
return fmt.Errorf("UI rejected certificate")
default:
return fmt.Errorf("Expected UI to answer cert request")
}
}
}
func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error { func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
switch msg := msg.(type) { switch msg := msg.(type) {
case types.Ping: case types.Ping:
@ -78,12 +118,14 @@ func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
w.config.scheme = u.Scheme w.config.scheme = u.Scheme
w.config.user = u.User w.config.user = u.User
case types.Connect: case types.Connect:
// TODO: populate TLS config
var ( var (
c *client.Client c *client.Client
err error err error
) )
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
VerifyPeerCertificate: w.verifyPeerCert(&msg),
}
switch w.config.scheme { switch w.config.scheme {
case "imap": case "imap":
c, err = client.Dial(w.config.addr) c, err = client.Dial(w.config.addr)
@ -92,12 +134,12 @@ func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
} }
if !w.config.insecure { if !w.config.insecure {
if err := c.StartTLS(nil); err != nil { if err := c.StartTLS(tlsConfig); err != nil {
return err return err
} }
} }
case "imaps": case "imaps":
c, err = client.DialTLS(w.config.addr, nil) c, err = client.DialTLS(w.config.addr, tlsConfig)
if err != nil { if err != nil {
return err return err
} }
@ -131,40 +173,27 @@ func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
return nil return nil
} }
// Logs an action but censors passwords
func (w *IMAPWorker) logAction(msg types.WorkerMessage) {
switch msg := msg.(type) {
case types.Configure:
src := msg.Config.Source
msg.Config.Source = "[obsfucated]"
w.logger.Printf("<= %s", spew.Sdump(msg))
msg.Config.Source = src
default:
w.logger.Printf("<= %s", spew.Sdump(msg))
}
}
func (w *IMAPWorker) Run() { func (w *IMAPWorker) Run() {
for { for {
select { select {
case msg := <-w.actions: case msg := <-w.actions:
w.logAction(msg) w.logger.Printf("<= %T\n", msg)
if err := w.handleMessage(msg); err == errUnsupported { if err := w.handleMessage(msg); err == errUnsupported {
w.messages <- types.Unsupported{ w.postMessage(types.Unsupported{
Message: types.RespondTo(msg), Message: types.RespondTo(msg),
} })
} else if err != nil { } else if err != nil {
w.messages <- types.Error{ w.postMessage(types.Error{
Message: types.RespondTo(msg), Message: types.RespondTo(msg),
Error: err, Error: err,
} })
} else { } else {
w.messages <- types.Ack{ w.postMessage(types.Ack{
Message: types.RespondTo(msg), Message: types.RespondTo(msg),
} })
} }
case update := <-w.updates: case update := <-w.updates:
w.logger.Printf("[= %s", spew.Sdump(update)) w.logger.Printf("[= %T", update)
} }
} }
} }

View file

@ -1,6 +1,8 @@
package types package types
import ( import (
"crypto/x509"
"git.sr.ht/~sircmpwn/aerc2/config" "git.sr.ht/~sircmpwn/aerc2/config"
) )
@ -12,6 +14,16 @@ type Message struct {
inResponseTo WorkerMessage inResponseTo WorkerMessage
} }
func RespondTo(msg WorkerMessage) Message {
return Message{
inResponseTo: msg,
}
}
func (m Message) InResponseTo() WorkerMessage {
return m.inResponseTo
}
// Meta-messages // Meta-messages
type Ack struct { type Ack struct {
@ -27,7 +39,7 @@ type Unsupported struct {
Message Message
} }
// Commands // Actions
type Ping struct { type Ping struct {
Message Message
@ -46,12 +58,10 @@ type Disconnect struct {
Message Message
} }
func RespondTo(msg WorkerMessage) Message { // Messages
return Message{
inResponseTo: msg,
}
}
func (m Message) InResponseTo() WorkerMessage { // Respond with an Ack to approve or Disconnect to reject
return m.inResponseTo type ApproveCertificate struct {
Message
CertPool *x509.CertPool
} }