Merge pull request #6622 from TheThingsNetwork/feature/pba-tokens-minify

Remove legacy token unwrapping

pkg/packetbrokeragent/agent.go

@@ -45,7 +45,6 @@ import (
 	"go.thethings.network/lorawan-stack/v3/pkg/unique"
 	"go.thethings.network/lorawan-stack/v3/pkg/workerpool"
 	"google.golang.org/grpc"
-	"gopkg.in/square/go-jose.v2"
 )
 
 const (
@@ -271,26 +270,11 @@ func New(c *component.Component, conf *Config, opts ...Option) (*Agent, error) {
 			a.forwarderConfig.TokenKey = random.Bytes(16)
 			logger.WithField("token_key", hex.EncodeToString(a.forwarderConfig.TokenKey)).Warn("No token key configured, generated a random one")
 		}
-		var (
-			legacyEncryption   jose.ContentEncryption
-			legacyKeyAlgorithm jose.KeyAlgorithm
-		)
 		switch l := len(a.forwarderConfig.TokenKey); l {
-		case 16:
-			legacyEncryption, legacyKeyAlgorithm = jose.A128GCM, jose.A128GCMKW
-		case 32:
-			legacyEncryption, legacyKeyAlgorithm = jose.A256GCM, jose.A256GCMKW
+		case 16, 32:
 		default:
 			return nil, errTokenKey.WithAttributes("length", l).New()
 		}
-		var err error
-		a.forwarderConfig.LegacyTokenEncrypter, err = jose.NewEncrypter(legacyEncryption, jose.Recipient{
-			Algorithm: legacyKeyAlgorithm,
-			Key:       a.forwarderConfig.TokenKey,
-		}, nil)
-		if err != nil {
-			return nil, errTokenKey.WithCause(err)
-		}
 		blockCipher, err := aes.NewCipher(a.forwarderConfig.TokenKey)
 		if err != nil {
 			return nil, errTokenKey.WithCause(err)

pkg/packetbrokeragent/config.go

@@ -20,7 +20,6 @@ import (
 
 	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
 	"go.thethings.network/lorawan-stack/v3/pkg/types"
-	"gopkg.in/square/go-jose.v2"
 )
 
 // Config configures Packet Broker clients.
@@ -75,15 +74,14 @@ type OAuth2Config struct {
 
 // ForwarderConfig defines configuration of the Forwarder role.
 type ForwarderConfig struct {
-	Enable               bool             `name:"enable" description:"Enable Forwarder role"`
-	WorkerPool           WorkerPoolConfig `name:"worker-pool" description:"Workers pool configuration"`
-	TokenKey             []byte           `name:"token-key" description:"AES 128 or 256-bit key for encrypting tokens"`
-	LegacyTokenEncrypter jose.Encrypter   `name:"-"`
-	TokenAEAD            cipher.AEAD      `name:"-"`
-	IncludeGatewayEUI    bool             `name:"include-gateway-eui" description:"Include the gateway EUI in forwarded metadata"`          // nolint:lll
-	IncludeGatewayID     bool             `name:"include-gateway-id" description:"Include the gateway ID in forwarded metadata"`            // nolint:lll
-	HashGatewayID        bool             `name:"hash-gateway-id" description:"Hash the gateway ID (if forwarded in the metadata)"`         // nolint:lll
-	GatewayOnlineTTL     time.Duration    `name:"gateway-online-ttl" description:"Time-to-live of online status reported to Packet Broker"` // nolint:lll
+	Enable            bool             `name:"enable" description:"Enable Forwarder role"`
+	WorkerPool        WorkerPoolConfig `name:"worker-pool" description:"Workers pool configuration"`
+	TokenKey          []byte           `name:"token-key" description:"AES 128 or 256-bit key for encrypting tokens"`
+	TokenAEAD         cipher.AEAD      `name:"-"`
+	IncludeGatewayEUI bool             `name:"include-gateway-eui" description:"Include the gateway EUI in forwarded metadata"`          // nolint:lll
+	IncludeGatewayID  bool             `name:"include-gateway-id" description:"Include the gateway ID in forwarded metadata"`            // nolint:lll
+	HashGatewayID     bool             `name:"hash-gateway-id" description:"Hash the gateway ID (if forwarded in the metadata)"`         // nolint:lll
+	GatewayOnlineTTL  time.Duration    `name:"gateway-online-ttl" description:"Time-to-live of online status reported to Packet Broker"` // nolint:lll
 }
 
 // HomeNetworkConfig defines the configuration of the Home Network role.

pkg/packetbrokeragent/translation.go

@@ -20,7 +20,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
-	"encoding/json"
 	"io"
 	"time"
 
@@ -39,7 +38,6 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
-	"gopkg.in/square/go-jose.v2"
 )
 
 var toPBRegion = map[string]packetbroker.Region{
@@ -164,18 +162,6 @@ func toPBTerrestrialAntennaPlacement(p ttnpb.GatewayAntennaPlacement) packetbrok
 	return packetbroker.TerrestrialAntennaPlacement(p)
 }
 
-type legacyAgentUplinkToken struct {
-	ForwarderNetID     types.NetID `json:"fnid"`
-	ForwarderTenantID  string      `json:"ftid,omitempty"`
-	ForwarderClusterID string      `json:"fcid,omitempty"`
-}
-
-type legacyCompoundUplinkToken struct {
-	Gateway   []byte                  `json:"g,omitempty"`
-	Forwarder []byte                  `json:"f,omitempty"`
-	Agent     *legacyAgentUplinkToken `json:"a,omitempty"`
-}
-
 func wrapUplinkTokens(gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentUplinkToken) ([]byte, error) {
 	return proto.Marshal(&ttnpb.PacketBrokerAgentCompoundUplinkToken{
 		Gateway:   gateway,
@@ -184,37 +170,16 @@ func wrapUplinkTokens(gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentU
 	})
 }
 
-func unwrapLegacyUplinkTokens(token []byte) (gateway, forwarder []byte, agent *legacyAgentUplinkToken, err error) {
-	var t legacyCompoundUplinkToken
-	if err := json.Unmarshal(token, &t); err != nil {
-		return nil, nil, nil, err
-	}
-	return t.Gateway, t.Forwarder, t.Agent, nil
-}
-
 func unwrapUplinkTokens(
 	token []byte,
 ) (gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentUplinkToken, err error) {
-	if gateway, forwarder, agent, err := unwrapLegacyUplinkTokens(token); err == nil {
-		agent := &ttnpb.PacketBrokerAgentUplinkToken{
-			ForwarderNetId:     agent.ForwarderNetID[:],
-			ForwarderTenantId:  agent.ForwarderTenantID,
-			ForwarderClusterId: agent.ForwarderClusterID,
-		}
-		return gateway, forwarder, agent, nil
-	}
 	var t ttnpb.PacketBrokerAgentCompoundUplinkToken
 	if err := proto.Unmarshal(token, &t); err != nil {
 		return nil, nil, nil, err
 	}
 	return t.Gateway, t.Forwarder, t.Agent, nil
 }
 
-type legacyGatewayUplinkToken struct {
-	GatewayUID string `json:"uid"`
-	Token      []byte `json:"t"`
-}
-
 func encryptPlaintext(plaintext []byte, aead cipher.AEAD) ([]byte, error) {
 	nonce := make([]byte, aead.NonceSize())
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
@@ -247,26 +212,7 @@ func wrapGatewayUplinkToken(
 	return encryptPlaintext(plaintext, aead)
 }
 
-func unwrapLegacyGatewayUplinkToken(token, key []byte) (string, []byte, error) {
-	obj, err := jose.ParseEncrypted(string(token))
-	if err != nil {
-		return "", nil, err
-	}
-	plaintext, err := obj.Decrypt(key)
-	if err != nil {
-		return "", nil, err
-	}
-	var t legacyGatewayUplinkToken
-	if err := json.Unmarshal(plaintext, &t); err != nil {
-		return "", nil, err
-	}
-	return t.GatewayUID, t.Token, nil
-}
-
-func unwrapGatewayUplinkToken(token []byte, aead cipher.AEAD, legacyKey []byte) (string, []byte, error) {
-	if uid, token, err := unwrapLegacyGatewayUplinkToken(token, legacyKey); err == nil {
-		return uid, token, nil
-	}
+func unwrapGatewayUplinkToken(token []byte, aead cipher.AEAD) (string, []byte, error) {
 	plaintext, err := decryptCiphertext(token, aead)
 	if err != nil {
 		return "", nil, err
@@ -739,7 +685,7 @@ var (
 )
 
 func fromPBDownlink(ctx context.Context, msg *packetbroker.DownlinkMessage, receivedAt time.Time, conf ForwarderConfig) (uid string, res *ttnpb.DownlinkMessage, err error) {
-	uid, token, err := unwrapGatewayUplinkToken(msg.GatewayUplinkToken, conf.TokenAEAD, conf.TokenKey)
+	uid, token, err := unwrapGatewayUplinkToken(msg.GatewayUplinkToken, conf.TokenAEAD)
 	if err != nil {
 		return "", nil, errUnwrapGatewayUplinkToken.WithCause(err)
 	}

pkg/packetbrokeragent/translation_internal_test.go

@@ -51,7 +51,7 @@ func TestWrapGatewayUplinkToken(t *testing.T) {
 	}
 	t.Logf("Wrapped token: %q", base64.RawStdEncoding.EncodeToString(wrappedToken))
 
-	uid, gtwToken, err := unwrapGatewayUplinkToken(wrappedToken, aead, nil)
+	uid, gtwToken, err := unwrapGatewayUplinkToken(wrappedToken, aead)
 	if !a.So(err, should.BeNil) {
 		t.FailNow()
 	}