mnemonic-hash-checker: add back postgres support with fail-early integrity check

This commit is contained in:
Ryan Heywood 2023-08-08 10:21:23 -05:00
parent a8213519e0
commit 6028c4794f
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
3 changed files with 386 additions and 12 deletions

293
Cargo.lock generated
View File

@ -129,6 +129,12 @@ version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
[[package]]
name = "base64"
version = "0.21.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d"
[[package]]
name = "bit-vec"
version = "0.6.3"
@ -179,6 +185,12 @@ dependencies = [
"siphasher",
]
[[package]]
name = "byteorder"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
[[package]]
name = "bytes"
version = "1.4.0"
@ -326,6 +338,40 @@ dependencies = [
"typenum",
]
[[package]]
name = "deadpool"
version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "421fe0f90f2ab22016f32a9881be5134fdd71c65298917084b0c7477cbc3856e"
dependencies = [
"async-trait",
"deadpool-runtime",
"num_cpus",
"retain_mut",
"tokio",
]
[[package]]
name = "deadpool-postgres"
version = "0.10.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "836a24a9d49deefe610b8b60c767a7412e9a931d79a89415cd2d2d71630ca8d7"
dependencies = [
"deadpool",
"log",
"tokio",
"tokio-postgres",
]
[[package]]
name = "deadpool-runtime"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eaa37046cc0f6c3cc6090fbdbf73ef0b8ef4cfcc37f6befc0020f63e8cf121e1"
dependencies = [
"tokio",
]
[[package]]
name = "digest"
version = "0.10.7"
@ -334,6 +380,7 @@ checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]]
@ -373,6 +420,12 @@ dependencies = [
"once_cell",
]
[[package]]
name = "fallible-iterator"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7"
[[package]]
name = "fnv"
version = "1.0.7"
@ -395,6 +448,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2"
dependencies = [
"futures-core",
"futures-sink",
]
[[package]]
@ -403,6 +457,23 @@ version = "0.3.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c"
[[package]]
name = "futures-macro"
version = "0.3.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.28",
]
[[package]]
name = "futures-sink"
version = "0.3.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e"
[[package]]
name = "futures-task"
version = "0.3.28"
@ -416,6 +487,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533"
dependencies = [
"futures-core",
"futures-macro",
"futures-sink",
"futures-task",
"pin-project-lite",
"pin-utils",
@ -455,7 +528,7 @@ version = "0.3.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f3e372db8e5c0d213e0cd0b9be18be2aca3d44cf2fe30a9d46a65581cd454584"
dependencies = [
"base64",
"base64 0.13.1",
"bitflags 1.3.2",
"bytes",
"headers-core",
@ -492,6 +565,15 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hmac"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
dependencies = [
"digest",
]
[[package]]
name = "http"
version = "0.2.9"
@ -548,7 +630,7 @@ dependencies = [
"httpdate",
"itoa",
"pin-project-lite",
"socket2",
"socket2 0.4.9",
"tokio",
"tower-service",
"tracing",
@ -627,6 +709,15 @@ version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed1202b2a6f884ae56f04cff409ab315c5ce26b5e58d7412e484f01fd52f52ef"
[[package]]
name = "md-5"
version = "0.10.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6365506850d44bff6e2fbcb5176cf63650e48bd45ef2fe2665ae1570e0f4b9ca"
dependencies = [
"digest",
]
[[package]]
name = "memchr"
version = "2.5.0"
@ -676,8 +767,10 @@ dependencies = [
"bloomfilter",
"clap",
"color-eyre",
"deadpool-postgres",
"serde",
"tokio",
"tokio-postgres",
"tower-http",
"tracing",
"tracing-error",
@ -766,6 +859,24 @@ version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
[[package]]
name = "phf"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ade2d8b8f33c7333b51bcf0428d37e217e9f32192ae4772156f65063b8ce03dc"
dependencies = [
"phf_shared",
]
[[package]]
name = "phf_shared"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "90fcb95eef784c2ac79119d1dd819e162b5da872ce6f3c3abe1e8ca1c082f72b"
dependencies = [
"siphasher",
]
[[package]]
name = "pin-project"
version = "1.1.3"
@ -798,6 +909,41 @@ version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]]
name = "postgres-protocol"
version = "0.6.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78b7fa9f396f51dffd61546fd8573ee20592287996568e6175ceb0f8699ad75d"
dependencies = [
"base64 0.21.2",
"byteorder",
"bytes",
"fallible-iterator",
"hmac",
"md-5",
"memchr",
"rand",
"sha2",
"stringprep",
]
[[package]]
name = "postgres-types"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f028f05971fe20f512bcc679e2c10227e57809a3af86a7606304435bc8896cd6"
dependencies = [
"bytes",
"fallible-iterator",
"postgres-protocol",
]
[[package]]
name = "ppv-lite86"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
[[package]]
name = "proc-macro-error"
version = "1.0.4"
@ -840,6 +986,36 @@ dependencies = [
"proc-macro2",
]
[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
"getrandom",
]
[[package]]
name = "rayon"
version = "1.7.0"
@ -915,6 +1091,12 @@ version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5ea92a5b6195c6ef2a0295ea818b312502c6fc94dde986c5553242e18fd4ce2"
[[package]]
name = "retain_mut"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4389f1d5789befaf6029ebd9f7dac4af7f7e3d61b69d4f30e2ac02b57e7712b0"
[[package]]
name = "rustc-demangle"
version = "0.1.23"
@ -1016,6 +1198,17 @@ dependencies = [
"digest",
]
[[package]]
name = "sha2"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]]
name = "sharded-slab"
version = "0.1.4"
@ -1065,12 +1258,38 @@ dependencies = [
"winapi",
]
[[package]]
name = "socket2"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2538b18701741680e0322a2302176d3253a35388e2e62f172f64f4f16605f877"
dependencies = [
"libc",
"windows-sys",
]
[[package]]
name = "stringprep"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "db3737bde7edce97102e0e2b15365bf7a20bfdb5f60f4f9e8d7004258a51a8da"
dependencies = [
"unicode-bidi",
"unicode-normalization",
]
[[package]]
name = "strsim"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
[[package]]
name = "subtle"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
[[package]]
name = "syn"
version = "1.0.109"
@ -1118,6 +1337,21 @@ dependencies = [
"once_cell",
]
[[package]]
name = "tinyvec"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
dependencies = [
"tinyvec_macros",
]
[[package]]
name = "tinyvec_macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
version = "1.29.1"
@ -1133,7 +1367,7 @@ dependencies = [
"parking_lot",
"pin-project-lite",
"signal-hook-registry",
"socket2",
"socket2 0.4.9",
"tokio-macros",
"tracing",
"windows-sys",
@ -1150,6 +1384,44 @@ dependencies = [
"syn 2.0.28",
]
[[package]]
name = "tokio-postgres"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e89f6234aa8fd43779746012fcf53603cdb91fdd8399aa0de868c2d56b6dde1"
dependencies = [
"async-trait",
"byteorder",
"bytes",
"fallible-iterator",
"futures-channel",
"futures-util",
"log",
"parking_lot",
"percent-encoding",
"phf",
"pin-project-lite",
"postgres-protocol",
"postgres-types",
"socket2 0.5.3",
"tokio",
"tokio-util",
]
[[package]]
name = "tokio-util"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d"
dependencies = [
"bytes",
"futures-core",
"futures-sink",
"pin-project-lite",
"tokio",
"tracing",
]
[[package]]
name = "tower"
version = "0.4.13"
@ -1295,12 +1567,27 @@ version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]]
name = "unicode-bidi"
version = "0.3.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
[[package]]
name = "unicode-ident"
version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c"
[[package]]
name = "unicode-normalization"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
dependencies = [
"tinyvec",
]
[[package]]
name = "valuable"
version = "0.1.0"

View File

@ -10,8 +10,10 @@ axum = { version = "0.6.20", features = ["headers", "macros", "tracing"] }
bloomfilter = "1.0.9"
clap = { version = "=4.0.32", features = ["derive", "env"] }
color-eyre = "0.6.2"
deadpool-postgres = "0.10.5"
serde = { version = "1.0.181", features = ["serde_derive"] }
tokio = { version = "1.29.1", features = ["full", "fs", "tracing"] }
tokio-postgres = "0.7.8"
tower-http = { version = "0.4.3", features = ["trace", "catch-panic"] }
tracing = "0.1.37"
tracing-error = "0.2.0"

View File

@ -16,6 +16,9 @@ use color_eyre::eyre::Result;
use clap::Parser;
use deadpool_postgres::{Config, ManagerConfig, Pool, RecyclingMethod, Runtime};
use tokio_postgres::NoTls;
use serde::Deserialize;
use tower_http::catch_panic::CatchPanicLayer;
@ -25,7 +28,7 @@ use tracing_subscriber::filter::{EnvFilter, LevelFilter};
use tracing_subscriber::fmt::format::FmtSpan;
use tracing_subscriber::prelude::*;
use tracing::info;
use tracing::{error, info};
mod bloom;
@ -34,12 +37,35 @@ struct CliConfig {
#[clap(long, env)]
bloom_filter_path: PathBuf,
#[clap(long, env, default_value = "lookup")]
postgres_dbname: String,
#[clap(long, env, default_value = "localhost")]
postgres_host: String,
#[clap(long, env, default_value_t = 5432)]
postgres_port: u16,
#[clap(long, env = "USER", default_value = "postgres")]
postgres_user: String,
#[clap(long, env)]
postgres_password: Option<String>,
#[clap(long, env, default_value = "hashes")]
database_table: String,
#[clap(long, env, default_value = "hash")]
database_column: String,
#[clap(long, env)]
bind_address: Option<SocketAddr>,
}
struct AppState {
bloom_filter: Bloom<String>
pool: Pool,
database_query: String,
bloom_filter: Bloom<String>,
}
fn setup_registry() {
@ -61,9 +87,17 @@ async fn index() -> impl IntoResponse {
}
#[tracing::instrument(skip(state))]
async fn check_hash(hash: &str, state: &AppState) -> bool {
let bloom_filter = &state.bloom_filter;
bloom_filter.check(&hash.to_string())
async fn check_hash_in_db(hash: &str, state: &AppState) -> Result<bool> {
let client = state.pool.get().await?;
let query = client.prepare_cached(&state.database_query).await?;
let rows = client.query(&query, &[&hash]).await?;
if let Some(row) = rows.get(0) {
let retrieved_hash: String = row.try_get(0)?;
Ok(hash == retrieved_hash)
} else {
Ok(false)
}
}
#[derive(Deserialize)]
@ -71,18 +105,37 @@ struct CheckQuery {
sha256: String,
}
const VULNERABLE: &'static str = "vulnerable";
const NOT_FOUND: &'static str = "match not found";
// Note: Exposes *zero* information of potential errors to clients.
#[tracing::instrument(skip(query, state))]
async fn check_hash_slug(
query: Query<CheckQuery>,
State(state): State<Arc<AppState>>,
) -> (StatusCode, &'static str) {
match state.bloom_filter.check(&query.sha256.to_string()) {
true => (StatusCode::OK, "vulnerable"),
false => (StatusCode::NOT_FOUND, "match not found")
let hash = query.sha256.to_string();
match state.bloom_filter.check(&hash) {
true => {
info!("Found hash in bloom filter, looking in db");
match check_hash_in_db(&hash, &state).await {
Ok(true) => (StatusCode::OK, VULNERABLE),
Ok(false) => (StatusCode::NOT_FOUND, NOT_FOUND),
Err(e) => {
error!(%e, "Error while handling postgres lookup");
(StatusCode::NOT_FOUND, NOT_FOUND)
}
}
}
false => (StatusCode::NOT_FOUND, NOT_FOUND),
}
}
const MILK_SAD: &str = concat!(
"1f76da7a36fcacfe22b6c68d1acf6204",
"73744e78aa04242a40374953783706f0",
);
#[tokio::main]
async fn main() -> Result<()> {
setup_registry();
@ -93,10 +146,42 @@ async fn main() -> Result<()> {
.bind_address
.unwrap_or_else(|| (std::net::Ipv4Addr::new(127, 0, 0, 1), 8000).into());
info!("configuring database pool");
let mut db_config = Config::new();
db_config.dbname = Some(cli_config.postgres_dbname);
db_config.host = Some(cli_config.postgres_host);
db_config.password = cli_config.postgres_password;
db_config.port = Some(cli_config.postgres_port);
db_config.user = Some(cli_config.postgres_user);
db_config.manager = Some(ManagerConfig {
recycling_method: RecyclingMethod::Fast,
});
let pool = db_config.create_pool(Some(Runtime::Tokio1), NoTls)?;
info!("testing db connection");
let database_query = format!(
"SELECT encode({column}, 'hex') FROM {table} WHERE hash = decode($1, 'hex')",
column = cli_config.database_column,
table = cli_config.database_table
);
{
let client = pool.get().await?;
let query = client.prepare_cached(&database_query).await?;
let rows = client.query(&query, &[&MILK_SAD]).await?;
let row = rows.get(0).expect("db row");
let column: String = row.try_get(0).expect("db column");
assert_eq!(column, MILK_SAD);
}
info!("loading bloom filter");
let state = AppState {
bloom_filter: bloom::load(cli_config.bloom_filter_path.as_ref())?
bloom_filter: bloom::load(cli_config.bloom_filter_path.as_ref())?,
pool,
database_query,
};
let app = Router::new()