Skip to content

Fix/known hosts fingerprint duplication error/upstream 1.0 #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jul 26, 2016
Merged

Fix/known hosts fingerprint duplication error/upstream 1.0 #110

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
124047f
Fix: if there are duplicate hosts in the known_hosts file, we return …
Jul 22, 2016
6723da8
FIx: host fingerprint same tick duplication
Jul 22, 2016
2e93d80
Fix: tests were not properly implemented
Jul 25, 2016
6e38ec1
Update: `should not duplicate fingerprint entries` test reworked to l…
Jul 25, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions src/v1/internal/ch-node.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ function loadFingerprint( serverId, knownHostsPath, cb ) {
require('readline').createInterface({
input: fs.createReadStream(knownHostsPath)
}).on('line', (line) => {
if( line.startsWith( serverId )) {
if( !found && line.startsWith( serverId )) {
found = true;
cb( line.split(" ")[1] );
}
Expand All @@ -56,12 +56,30 @@ function loadFingerprint( serverId, knownHostsPath, cb ) {
});
}

function storeFingerprint(serverId, knownHostsPath, fingerprint) {
const _lockFingerprintFromAppending = {};
function storeFingerprint( serverId, knownHostsPath, fingerprint ) {
// we check if the serverId has been appended
if(!!_lockFingerprintFromAppending[serverId]){
// if it has, we ignore it
return;
}

// we make the line as appended
// ( 1 is more efficient to store than true because true is an oddball )
_lockFingerprintFromAppending[serverId] = 1;

// we append to file
fs.appendFile(knownHostsPath, serverId + " " + fingerprint + EOL, "utf8", (err) => {
if (err) {
console.log(err);
}
});

// since the error occurs in the span of one tick
// after one tick we clean up to not interfere with anything else
setImmediate(() => {
delete _lockFingerprintFromAppending[serverId];
});
}

const TrustStrategy = {
Expand Down
91 changes: 91 additions & 0 deletions test/internal/tls.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,44 @@ describe('trust-on-first-use', function() {

var driver;

it('should not throw an error if the host file contains two host duplicates', function(done) {
'use strict';
// Assuming we only run this test on NodeJS with TOFU support
if( !hasFeature("trust_on_first_use") ) {
done();
return;
}

// Given
var knownHostsPath = "build/known_hosts";
if( fs.existsSync(knownHostsPath) ) {
fs.unlinkSync(knownHostsPath);
}

driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
encrypted: true,
trust: "TRUST_ON_FIRST_USE",
knownHosts: knownHostsPath
});

driver.session(); // write into the knownHost file

// duplicate the same serverId twice
setTimeout(function() {
var text = fs.readFileSync(knownHostsPath, 'utf8');
fs.writeFileSync(knownHostsPath, text + text);
}, 1000);

// When
setTimeout(function() {
driver.session().run("RETURN true AS a").then( function(data) {
// Then we get to here.
expect( data.records[0].get('a') ).toBe( true );
done();
});
}, 2000);
});

it('should accept previously un-seen hosts', function(done) {
// Assuming we only run this test on NodeJS with TOFU support
if( !hasFeature("trust_on_first_use") ) {
Expand Down Expand Up @@ -104,6 +142,59 @@ describe('trust-on-first-use', function() {
});
});

it('should not duplicate fingerprint entries', function(done) {
// Assuming we only run this test on NodeJS with TOFU support
if( !hasFeature("trust_on_first_use") ) {
done();
return;
}

// Given
var knownHostsPath = "build/known_hosts";
if( fs.existsSync(knownHostsPath) ) {
fs.unlinkSync(knownHostsPath);
}
fs.writeFileSync(knownHostsPath, '');

driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
encrypted: true,
trust: "TRUST_ON_FIRST_USE",
knownHosts: knownHostsPath
});

// When
driver.session();
driver.session();

setTimeout(function() {
var lines = {};
fs.readFileSync(knownHostsPath, 'utf8')
.split('\n')
.filter(function(line) {
return !! (line.trim());
})
.forEach(function(line) {
if (!lines[line]) {
lines[line] = 0;
}
lines[line]++;
});

var duplicatedLines = Object
.keys(lines)
.map(function(line) {
return lines[line];
})
.filter(function(count) {
return count > 1;
})
.length;

expect( duplicatedLines ).toBe( 0 );
done();
}, 1000);
});

it('should should give helpful error if database cert does not match stored certificate', function(done) {
// Assuming we only run this test on NodeJS with TOFU support
if( !hasFeature("trust_on_first_use") ) {
Expand Down