implement #6161

2020-12-26 15:55:34 +01:00 · 2020-12-26 15:55:34 +01:00 · 57c9054784
commit 57c9054784
parent 32da815427
6 changed files with 127 additions and 17 deletions
--- a/src/auditor/Makefile.am
+++ b/src/auditor/Makefile.am
@ -148,6 +148,7 @@ taler_auditor_httpd_LDADD = \
  $(top_builddir)/src/util/libtalerutil.la \
  $(top_builddir)/src/json/libtalerjson.la \
  $(top_builddir)/src/auditordb/libtalerauditordb.la \
+  $(top_builddir)/src/exchangedb/libtalerexchangedb.la \
  -lmicrohttpd \
  -ljansson \
  -lgnunetjson \
--- a/src/auditor/taler-auditor-httpd.c
+++ b/src/auditor/taler-auditor-httpd.c
@ -29,6 +29,7 @@
 #include <sys/resource.h>
 #include "taler_mhd_lib.h"
 #include "taler_auditordb_lib.h"
+#include "taler_exchangedb_lib.h"
 #include "taler-auditor-httpd_deposit-confirmation.h"
 #include "taler-auditor-httpd_exchanges.h"
 #include "taler-auditor-httpd_mhd.h"
@ -69,6 +70,11 @@ static struct GNUNET_CONFIGURATION_Handle *cfg;
 */
 struct TALER_AUDITORDB_Plugin *TAH_plugin;

+/**
+ * Our DB plugin to talk to the *exchange* database.
+ */
+struct TALER_EXCHANGEDB_Plugin *TAH_eplugin;
+
 /**
 * Public key of this auditor.
 */
@ -434,7 +440,14 @@ auditor_serve_process_config (void)
      (TAH_plugin = TALER_AUDITORDB_plugin_load (cfg)))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Failed to initialize DB subsystem\n");
+                "Failed to initialize DB subsystem to interact with auditor database\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL ==
+      (TAH_eplugin = TALER_EXCHANGEDB_plugin_load (cfg)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to initialize DB subsystem to query exchange database\n");
    return GNUNET_SYSERR;
  }
  if (GNUNET_OK !=
@ -729,6 +742,8 @@ main (int argc,
  }
  TALER_AUDITORDB_plugin_unload (TAH_plugin);
  TAH_plugin = NULL;
+  TALER_EXCHANGEDB_plugin_unload (TAH_eplugin);
+  TAH_eplugin = NULL;
  TEAH_DEPOSIT_CONFIRMATION_done ();
  return (GNUNET_SYSERR == ret) ? 1 : 0;
 }
--- a/src/auditor/taler-auditor-httpd.h
+++ b/src/auditor/taler-auditor-httpd.h
@ -25,6 +25,7 @@

 #include <microhttpd.h>
 #include "taler_auditordb_plugin.h"
+#include "taler_exchangedb_plugin.h"


 /**
@ -32,6 +33,11 @@
 */
 extern struct TALER_AUDITORDB_Plugin *TAH_plugin;

+/**
+ * Our DB plugin to talk to the *exchange* database.
+ */
+extern struct TALER_EXCHANGEDB_Plugin *TAH_eplugin;
+

 /**
 * @brief Struct describing an URL and the handler for it.
--- a/src/auditor/taler-auditor-httpd_deposit-confirmation.c
+++ b/src/auditor/taler-auditor-httpd_deposit-confirmation.c
@ -35,7 +35,7 @@
 /**
 * Cache of already verified exchange signing keys.  Maps the hash of the
 * `struct TALER_ExchangeSigningKeyValidityPS` to the (static) string
- * "verified".  Access to this map is guarded by the #lock.
+ * "verified" or "revoked".  Access to this map is guarded by the #lock.
 */
 static struct GNUNET_CONTAINER_MultiHashMap *cache;

@ -66,7 +66,7 @@ verify_and_execute_deposit_confirmation (
  enum GNUNET_DB_QueryStatus qs;
  struct GNUNET_TIME_Absolute now;
  struct GNUNET_HashCode h;
-  int cached;
+  const char *cached;
  struct TALER_ExchangeSigningKeyValidityPS skv = {
    .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY),
    .purpose.size = htonl (sizeof (struct TALER_ExchangeSigningKeyValidityPS)),
@ -94,10 +94,9 @@ verify_and_execute_deposit_confirmation (
                      sizeof (skv),
                      &h);
  GNUNET_assert (0 == pthread_mutex_lock (&lock));
-  cached = GNUNET_CONTAINER_multihashmap_contains (cache,
-                                                   &h);
+  cached = GNUNET_CONTAINER_multihashmap_get (cache,
+                                              &h);
  GNUNET_assert (0 == pthread_mutex_unlock (&lock));
-
  session = TAH_plugin->get_session (TAH_plugin->cls);
  if (NULL == session)
  {
@ -107,7 +106,7 @@ verify_and_execute_deposit_confirmation (
                                       TALER_EC_GENERIC_DB_SETUP_FAILED,
                                       NULL);
  }
-  if (! cached)
+  if (NULL == cached)
  {
    /* Not in cache, need to verify the signature, persist it, and possibly cache it */
    if (GNUNET_OK !=
@ -139,18 +138,43 @@ verify_and_execute_deposit_confirmation (
                                         TALER_EC_GENERIC_DB_STORE_FAILED,
                                         "exchange signing key");
    }
-
-    /* Cache it, due to concurreny it might already be in the cache,
-       so we do not cache it twice but also don't insist on the 'put' to
-       succeed. */
-    GNUNET_assert (0 == pthread_mutex_lock (&lock));
-    (void) GNUNET_CONTAINER_multihashmap_put (cache,
-                                              &h,
-                                              "verified",
-                                              GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY);
-    GNUNET_assert (0 == pthread_mutex_unlock (&lock));
+    cached = "verified";
  }

+  if (0 == strcmp (cached,
+                   "verified"))
+  {
+    struct TALER_MasterSignatureP master_sig;
+
+    /* check for revocation */
+    qs = TAH_eplugin->lookup_signkey_revocation (TAH_eplugin->cls,
+                                                 NULL,
+                                                 &es->exchange_pub,
+                                                 &master_sig);
+    if (0 > qs)
+    {
+      GNUNET_break (GNUNET_DB_STATUS_HARD_ERROR == qs);
+      TALER_LOG_WARNING (
+        "Failed to check for signing key revocation in database\n");
+      return TALER_MHD_reply_with_error (connection,
+                                         MHD_HTTP_INTERNAL_SERVER_ERROR,
+                                         TALER_EC_GENERIC_DB_FETCH_FAILED,
+                                         "exchange signing key revocation");
+    }
+    if (0 < qs)
+      cached = "revoked";
+  }
+
+  /* Cache it, due to concurreny it might already be in the cache,
+     so we do not cache it twice but also don't insist on the 'put' to
+     succeed. */
+  GNUNET_assert (0 == pthread_mutex_lock (&lock));
+  (void) GNUNET_CONTAINER_multihashmap_put (cache,
+                                            &h,
+                                            (void *) cached,
+                                            GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY);
+  GNUNET_assert (0 == pthread_mutex_unlock (&lock));
+
  /* check deposit confirmation signature */
  {
    struct TALER_DepositConfirmationPS dcs = {
--- a/src/exchangedb/plugin_exchangedb_postgres.c
+++ b/src/exchangedb/plugin_exchangedb_postgres.c
@ -1555,6 +1555,13 @@ postgres_get_session (void *cls)
                              ") VALUES "
                              "($1, $2);",
                              2),
+      /* used in #postgres_insert_signkey_revocation() */
+      GNUNET_PQ_make_prepare ("lookup_signkey_revocation",
+                              "SELECT "
+                              " master_sig"
+                              " FROM signkey_revocations"
+                              " WHERE exchange_pub=$1;",
+                              1),
      /* used in #postgres_insert_signkey() */
      GNUNET_PQ_make_prepare ("insert_signkey",
                              "INSERT INTO exchange_sign_keys "
@ -8491,6 +8498,46 @@ postgres_insert_signkey_revocation (
 }


+/**
+ * Obtain information about a revoked online signing key.
+ *
+ * @param cls closure
+ * @param session a session (can be NULL)
+ * @param exchange_pub exchange online signing key
+ * @param[out] master_sig set to signature affirming the revocation (if revoked)
+ * @return transaction status code
+ */
+static enum GNUNET_DB_QueryStatus
+postgres_lookup_signkey_revocation (
+  void *cls,
+  struct TALER_EXCHANGEDB_Session *session,
+  const struct TALER_ExchangePublicKeyP *exchange_pub,
+  struct TALER_MasterSignatureP *master_sig)
+{
+  struct PostgresClosure *pg = cls;
+  struct GNUNET_PQ_QueryParam params[] = {
+    GNUNET_PQ_query_param_auto_from_type (exchange_pub),
+    GNUNET_PQ_query_param_end
+  };
+  struct GNUNET_PQ_ResultSpec rs[] = {
+    TALER_PQ_result_spec_auto_from_type ("master_sig",
+                                         master_sig),
+    GNUNET_PQ_result_spec_end
+  };
+
+  (void) cls;
+  if (NULL == session)
+    session = postgres_get_session (pg);
+  if (NULL == session)
+    return GNUNET_DB_STATUS_HARD_ERROR;
+
+  return GNUNET_PQ_eval_prepared_singleton_select (session->conn,
+                                                   "lookup_signkey_revocation",
+                                                   params,
+                                                   rs);
+}
+
+
 /**
 * Lookup information about current denomination key.
 *
--- a/src/include/taler_exchangedb_plugin.h
+++ b/src/include/taler_exchangedb_plugin.h
@ -3340,6 +3340,23 @@ struct TALER_EXCHANGEDB_Plugin
    const struct TALER_MasterSignatureP *master_sig);


+  /**
+   * Obtain information about a revoked online signing key.
+   *
+   * @param cls closure
+   * @param session a session (can be NULL)
+   * @param exchange_pub exchange online signing key that was revoked
+   * @param[out] master_sig signature affirming the revocation
+   * @return transaction status code
+   */
+  enum GNUNET_DB_QueryStatus
+  (*lookup_signkey_revocation)(
+    void *cls,
+    struct TALER_EXCHANGEDB_Session *session,
+    const struct TALER_ExchangePublicKeyP *exchange_pub,
+    struct TALER_MasterSignatureP *master_sig);
+
+
  /**
   * Lookup information about current denomination key.
   *