diff --git a/pkg/packetbrokeragent/agent.go b/pkg/packetbrokeragent/agent.go
index 6d3fa2d3f0..41884e1d07 100644
--- a/pkg/packetbrokeragent/agent.go
+++ b/pkg/packetbrokeragent/agent.go
@@ -45,7 +45,6 @@ import (
 "go.thethings.network/lorawan-stack/v3/pkg/unique"
 "go.thethings.network/lorawan-stack/v3/pkg/workerpool"
 "google.golang.org/grpc"
- "gopkg.in/square/go-jose.v2"
 )
 
 const (
@@ -271,26 +270,11 @@ func New(c *component.Component, conf *Config, opts ...Option) (*Agent, error) {
 a.forwarderConfig.TokenKey = random.Bytes(16)
 logger.WithField("token_key", hex.EncodeToString(a.forwarderConfig.TokenKey)).Warn("No token key configured, generated a random one")
 }
- var (
- legacyEncryption jose.ContentEncryption
- legacyKeyAlgorithm jose.KeyAlgorithm
- )
 switch l := len(a.forwarderConfig.TokenKey); l {
- case 16:
- legacyEncryption, legacyKeyAlgorithm = jose.A128GCM, jose.A128GCMKW
- case 32:
- legacyEncryption, legacyKeyAlgorithm = jose.A256GCM, jose.A256GCMKW
+ case 16, 32:
 default:
 return nil, errTokenKey.WithAttributes("length", l).New()
 }
- var err error
- a.forwarderConfig.LegacyTokenEncrypter, err = jose.NewEncrypter(legacyEncryption, jose.Recipient{
- Algorithm: legacyKeyAlgorithm,
- Key: a.forwarderConfig.TokenKey,
- }, nil)
- if err != nil {
- return nil, errTokenKey.WithCause(err)
- }
 blockCipher, err := aes.NewCipher(a.forwarderConfig.TokenKey)
 if err != nil {
 return nil, errTokenKey.WithCause(err)
diff --git a/pkg/packetbrokeragent/config.go b/pkg/packetbrokeragent/config.go
index 80f5894462..0d9a07cdf2 100644
--- a/pkg/packetbrokeragent/config.go
+++ b/pkg/packetbrokeragent/config.go
@@ -20,7 +20,6 @@ import (
 
 "go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
 "go.thethings.network/lorawan-stack/v3/pkg/types"
- "gopkg.in/square/go-jose.v2"
 )
 
 // Config configures Packet Broker clients.
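Review bot: The `case 16, 32:` arm in New is now an empty case whose only job is to reject every key length other than 16 and 32 bytes, and nothing in the hunk says why the switch survives when the aes.NewCipher call on the following context line validates the key anyway. aes.NewCipher also accepts 24-byte keys, so this switch is what actually enforces the "AES 128 or 256-bit key" contract given in the config description; without a comment the next reader is likely to delete it as dead code. I would put `// Only AES-128 and AES-256 keys are accepted; aes.NewCipher alone would also take a 24-byte AES-192 key.` on the case line. New's body continues outside the hunk on both sides.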
@@ -75,15 +74,14 @@ type OAuth2Config struct {
 
 // ForwarderConfig defines configuration of the Forwarder role.
 type ForwarderConfig struct {
- Enable bool `name:"enable" description:"Enable Forwarder role"`
- WorkerPool WorkerPoolConfig `name:"worker-pool" description:"Workers pool configuration"`
- TokenKey []byte `name:"token-key" description:"AES 128 or 256-bit key for encrypting tokens"`
- LegacyTokenEncrypter jose.Encrypter `name:"-"`
- TokenAEAD cipher.AEAD `name:"-"`
- IncludeGatewayEUI bool `name:"include-gateway-eui" description:"Include the gateway EUI in forwarded metadata"` // nolint:lll
- IncludeGatewayID bool `name:"include-gateway-id" description:"Include the gateway ID in forwarded metadata"` // nolint:lll
- HashGatewayID bool `name:"hash-gateway-id" description:"Hash the gateway ID (if forwarded in the metadata)"` // nolint:lll
- GatewayOnlineTTL time.Duration `name:"gateway-online-ttl" description:"Time-to-live of online status reported to Packet Broker"` // nolint:lll
+ Enable bool `name:"enable" description:"Enable Forwarder role"`
+ WorkerPool WorkerPoolConfig `name:"worker-pool" description:"Workers pool configuration"`
+ TokenKey []byte `name:"token-key" description:"AES 128 or 256-bit key for encrypting tokens"`
+ TokenAEAD cipher.AEAD `name:"-"`
+ IncludeGatewayEUI bool `name:"include-gateway-eui" description:"Include the gateway EUI in forwarded metadata"` // nolint:lll
+ IncludeGatewayID bool `name:"include-gateway-id" description:"Include the gateway ID in forwarded metadata"` // nolint:lll
+ HashGatewayID bool `name:"hash-gateway-id" description:"Hash the gateway ID (if forwarded in the metadata)"` // nolint:lll
+ GatewayOnlineTTL time.Duration `name:"gateway-online-ttl" description:"Time-to-live of online status reported to Packet Broker"` // nolint:lll
 }
 
 // HomeNetworkConfig defines the configuration of the Home Network role.
diff --git a/pkg/packetbrokeragent/translation.go b/pkg/packetbrokeragent/translation.go
index 5c2e2d4d45..085f821a37 100644
--- a/pkg/packetbrokeragent/translation.go
+++ b/pkg/packetbrokeragent/translation.go
@@ -20,7 +20,6 @@ import (
 "crypto/rand"
 "crypto/sha256"
 "encoding/base64"
- "encoding/json"
 "io"
 "time"
 
@@ -39,7 +38,6 @@ import (
 "google.golang.org/protobuf/types/known/durationpb"
 "google.golang.org/protobuf/types/known/timestamppb"
 "google.golang.org/protobuf/types/known/wrapperspb"
- "gopkg.in/square/go-jose.v2"
 )
 
 var toPBRegion = map[string]packetbroker.Region{
@@ -164,18 +162,6 @@ func toPBTerrestrialAntennaPlacement(p ttnpb.GatewayAntennaPlacement) packetbrok
 return packetbroker.TerrestrialAntennaPlacement(p)
 }
 
-type legacyAgentUplinkToken struct {
- ForwarderNetID types.NetID `json:"fnid"`
- ForwarderTenantID string `json:"ftid,omitempty"`
- ForwarderClusterID string `json:"fcid,omitempty"`
-}
-
-type legacyCompoundUplinkToken struct {
- Gateway []byte `json:"g,omitempty"`
- Forwarder []byte `json:"f,omitempty"`
- Agent *legacyAgentUplinkToken `json:"a,omitempty"`
-}
-
 func wrapUplinkTokens(gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentUplinkToken) ([]byte, error) {
 return proto.Marshal(&ttnpb.PacketBrokerAgentCompoundUplinkToken{
 Gateway: gateway,
@@ -184,25 +170,9 @@ func wrapUplinkTokens(gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentU
 })
 }
 
-func unwrapLegacyUplinkTokens(token []byte) (gateway, forwarder []byte, agent *legacyAgentUplinkToken, err error) {
- var t legacyCompoundUplinkToken
- if err := json.Unmarshal(token, &t); err != nil {
- return nil, nil, nil, err
- }
- return t.Gateway, t.Forwarder, t.Agent, nil
-}
-
 func unwrapUplinkTokens(
 token []byte,
 ) (gateway, forwarder []byte, agent *ttnpb.PacketBrokerAgentUplinkToken, err error) {
- if gateway, forwarder, agent, err := unwrapLegacyUplinkTokens(token); err == nil {
- agent := &ttnpb.PacketBrokerAgentUplinkToken{
- ForwarderNetId: agent.ForwarderNetID[:],
- ForwarderTenantId: agent.ForwarderTenantID,
- ForwarderClusterId: agent.ForwarderClusterID,
- }
- return gateway, forwarder, agent, nil
- }
 var t ttnpb.PacketBrokerAgentCompoundUplinkToken
 if err := proto.Unmarshal(token, &t); err != nil {
 return nil, nil, nil, err
@@ -210,11 +180,6 @@ func unwrapUplinkTokens(
 return t.Gateway, t.Forwarder, t.Agent, nil
 }
 
-type legacyGatewayUplinkToken struct {
- GatewayUID string `json:"uid"`
- Token []byte `json:"t"`
-}
-
 func encryptPlaintext(plaintext []byte, aead cipher.AEAD) ([]byte, error) {
 nonce := make([]byte, aead.NonceSize())
 if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
@@ -247,26 +212,7 @@ func wrapGatewayUplinkToken( return encryptPlaintext(plaintext, aead) } -func unwrapLegacyGatewayUplinkToken(token, key []byte) (string, []byte, error) { - obj, err := jose.ParseEncrypted(string(token)) - if err != nil { - return "", nil, err - } - plaintext, err := obj.Decrypt(key) - if err != nil { - return "", nil, err - } - var t legacyGatewayUplinkToken - if err := json.Unmarshal(plaintext, &t); err != nil { - return "", nil, err - } - return t.GatewayUID, t.Token, nil -} - -func unwrapGatewayUplinkToken(token []byte, aead cipher.AEAD, legacyKey []byte) (string, []byte, error) { - if uid, token, err := unwrapLegacyGatewayUplinkToken(token, legacyKey); err == nil { - return uid, token, nil - } +func unwrapGatewayUplinkToken(token []byte, aead cipher.AEAD) (string, []byte, error) { plaintext, err := decryptCiphertext(token, aead) if err != nil { return "", nil, err @@ -739,7 +685,7 @@ var ( ) func fromPBDownlink(ctx context.Context, msg *packetbroker.DownlinkMessage, receivedAt time.Time, conf ForwarderConfig) (uid string, res *ttnpb.DownlinkMessage, err error) { - uid, token, err := unwrapGatewayUplinkToken(msg.GatewayUplinkToken, conf.TokenAEAD, conf.TokenKey) + uid, token, err := unwrapGatewayUplinkToken(msg.GatewayUplinkToken, conf.TokenAEAD) if err != nil { return "", nil, errUnwrapGatewayUplinkToken.WithCause(err) } diff --git a/pkg/packetbrokeragent/translation_internal_test.go b/pkg/packetbrokeragent/translation_internal_test.go index 7e60e171ed..248ff9dc66 100644 --- a/pkg/packetbrokeragent/translation_internal_test.go +++ b/pkg/packetbrokeragent/translation_internal_test.go @@ -51,7 +51,7 @@ func TestWrapGatewayUplinkToken(t *testing.T) { } t.Logf("Wrapped token: %q", base64.RawStdEncoding.EncodeToString(wrappedToken)) - uid, gtwToken, err := unwrapGatewayUplinkToken(wrappedToken, aead, nil) + uid, gtwToken, err := unwrapGatewayUplinkToken(wrappedToken, aead) if !a.So(err, should.BeNil) { t.FailNow() }
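Review bot: unwrapGatewayUplinkToken has no doc comment, and after this hunk nothing tells a caller that tokens produced by the removed go-jose (JWE) path are no longer accepted: such a token now falls straight through to decryptCiphertext and surfaces as errUnwrapGatewayUplinkToken in fromPBDownlink (the `@@ -739` hunk), so downlinks answering uplinks forwarded before the upgrade will presumably be rejected until those tokens are out of circulation. Dropping the try-legacy-first branch is the right direction — every token now goes through the single AEAD-authenticated format instead of first being parsed as an untrusted JWE — but that trade-off deserves to be written down where the next maintainer will see it. I would add `// unwrapGatewayUplinkToken decrypts a token produced by wrapGatewayUplinkToken with the given AEAD and returns the gateway UID and the gateway's own token. Tokens wrapped by earlier versions in the legacy JWE format are no longer accepted.` above the new signature (the return order is what the `@@ -51` test hunk reads as `uid, gtwToken`). The function's body continues past the end of the hunk.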