1 files changed, 430 insertions, 0 deletions
diff --git a/services/fxaccounts/FxAccountsCommands.js b/services/fxaccounts/FxAccountsCommands.js
new file mode 100644
index 0000000000..2c0f4c5e9d
--- /dev/null
+++ b/services/fxaccounts/FxAccountsCommands.js
@@ -0,0 +1,430 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const EXPORTED_SYMBOLS = ["SendTab", "FxAccountsCommands"];
+
+const {
+  COMMAND_SENDTAB,
+  COMMAND_SENDTAB_TAIL,
+  SCOPE_OLD_SYNC,
+  log,
+} = ChromeUtils.import("resource://gre/modules/FxAccountsCommon.js");
+ChromeUtils.defineModuleGetter(
+  this,
+  "PushCrypto",
+  "resource://gre/modules/PushCrypto.jsm"
+);
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+const { Observers } = ChromeUtils.import(
+  "resource://services-common/observers.js"
+);
+
+XPCOMUtils.defineLazyModuleGetters(this, {
+  BulkKeyBundle: "resource://services-sync/keys.js",
+  CommonUtils: "resource://services-common/utils.js",
+  CryptoUtils: "resource://services-crypto/utils.js",
+  CryptoWrapper: "resource://services-sync/record.js",
+});
+
+class FxAccountsCommands {
+  constructor(fxAccountsInternal) {
+    this._fxai = fxAccountsInternal;
+    this.sendTab = new SendTab(this, fxAccountsInternal);
+    this._invokeRateLimitExpiry = 0;
+  }
+
+  async availableCommands() {
+    if (
+      !Services.prefs.getBoolPref("identity.fxaccounts.commands.enabled", true)
+    ) {
+      return {};
+    }
+    const sendTabKey = await this.sendTab.getEncryptedKey();
+    if (!sendTabKey) {
+      // This will happen if the account is not verified yet.
+      return {};
+    }
+    return {
+      [COMMAND_SENDTAB]: sendTabKey,
+    };
+  }
+
+  async invoke(command, device, payload) {
+    const { sessionToken } = await this._fxai.getUserAccountData([
+      "sessionToken",
+    ]);
+    const client = this._fxai.fxAccountsClient;
+    const now = Date.now();
+    if (now < this._invokeRateLimitExpiry) {
+      const remaining = (this._invokeRateLimitExpiry - now) / 1000;
+      throw new Error(
+        `Invoke for ${command} is rate-limited for ${remaining} seconds.`
+      );
+    }
+    try {
+      let info = await client.invokeCommand(
+        sessionToken,
+        command,
+        device.id,
+        payload
+      );
+      if (!info.enqueued || !info.notified) {
+        // We want an error log here to help diagnose users who report failure.
+        log.error("Sending was only partially successful", info);
+      } else {
+        log.info("Successfully sent", info);
+      }
+    } catch (err) {
+      if (err.code && err.code === 429 && err.retryAfter) {
+        this._invokeRateLimitExpiry = Date.now() + err.retryAfter * 1000;
+      }
+      throw err;
+    }
+    log.info(`Payload sent to device ${device.id}.`);
+  }
+
+  /**
+   * Poll and handle device commands for the current device.
+   * This method can be called either in response to a Push message,
+   * or by itself as a "commands recovery" mechanism.
+   *
+   * @param {Number} notifiedIndex "Command received" push messages include
+   * the index of the command that triggered the message. We use it as a
+   * hint when we have no "last command index" stored.
+   */
+  async pollDeviceCommands(notifiedIndex = 0) {
+    // Whether the call to `pollDeviceCommands` was initiated by a Push message from the FxA
+    // servers in response to a message being received or simply scheduled in order
+    // to fetch missed messages.
+    if (
+      !Services.prefs.getBoolPref("identity.fxaccounts.commands.enabled", true)
+    ) {
+      return false;
+    }
+    log.info(`Polling device commands.`);
+    await this._fxai.withCurrentAccountState(async state => {
+      const { device } = await state.getUserAccountData(["device"]);
+      if (!device) {
+        throw new Error("No device registration.");
+      }
+      // We increment lastCommandIndex by 1 because the server response includes the current index.
+      // If we don't have a `lastCommandIndex` stored, we fall back on the index from the push message we just got.
+      const lastCommandIndex = device.lastCommandIndex + 1 || notifiedIndex;
+      // We have already received this message before.
+      if (notifiedIndex > 0 && notifiedIndex < lastCommandIndex) {
+        return;
+      }
+      const { index, messages } = await this._fetchDeviceCommands(
+        lastCommandIndex
+      );
+      if (messages.length) {
+        await state.updateUserAccountData({
+          device: { ...device, lastCommandIndex: index },
+        });
+        log.info(`Handling ${messages.length} messages`);
+        await this._handleCommands(messages, notifiedIndex);
+      }
+    });
+    return true;
+  }
+
+  async _fetchDeviceCommands(index, limit = null) {
+    const userData = await this._fxai.getUserAccountData();
+    if (!userData) {
+      throw new Error("No user.");
+    }
+    const { sessionToken } = userData;
+    if (!sessionToken) {
+      throw new Error("No session token.");
+    }
+    const client = this._fxai.fxAccountsClient;
+    const opts = { index };
+    if (limit != null) {
+      opts.limit = limit;
+    }
+    return client.getCommands(sessionToken, opts);
+  }
+
+  _getReason(notifiedIndex, messageIndex) {
+    // The returned reason value represents an explanation for why the command associated with the
+    // message of the given `messageIndex` is being handled. If `notifiedIndex` is zero the command
+    // is a part of a fallback polling process initiated by "Sync Now" ["poll"]. If `notifiedIndex` is
+    // greater than `messageIndex` this is a push command that was previously missed ["push-missed"],
+    // otherwise we assume this is a push command with no missed messages ["push"].
+    if (notifiedIndex == 0) {
+      return "poll";
+    } else if (notifiedIndex > messageIndex) {
+      return "push-missed";
+    }
+    // Note: The returned reason might be "push" in the case where a user sends multiple tabs
+    // in quick succession. We are not attempting to distinguish this from other push cases at
+    // present.
+    return "push";
+  }
+
+  async _handleCommands(messages, notifiedIndex) {
+    try {
+      await this._fxai.device.refreshDeviceList();
+    } catch (e) {
+      log.warn("Error refreshing device list", e);
+    }
+    // We debounce multiple incoming tabs so we show a single notification.
+    const tabsReceived = [];
+    for (const { index, data } of messages) {
+      const { command, payload, sender: senderId } = data;
+      const reason = this._getReason(notifiedIndex, index);
+      const sender =
+        senderId && this._fxai.device.recentDeviceList
+          ? this._fxai.device.recentDeviceList.find(d => d.id == senderId)
+          : null;
+      if (!sender) {
+        log.warn(
+          "Incoming command is from an unknown device (maybe disconnected?)"
+        );
+      }
+      switch (command) {
+        case COMMAND_SENDTAB:
+          try {
+            const { title, uri } = await this.sendTab.handle(
+              senderId,
+              payload,
+              reason
+            );
+            log.info(
+              `Tab received with FxA commands: ${title} from ${
+                sender ? sender.name : "Unknown device"
+              }.`
+            );
+            tabsReceived.push({ title, uri, sender });
+          } catch (e) {
+            log.error(`Error while handling incoming Send Tab payload.`, e);
+          }
+          break;
+        default:
+          log.info(`Unknown command: ${command}.`);
+      }
+    }
+    if (tabsReceived.length) {
+      Observers.notify("fxaccounts:commands:open-uri", tabsReceived);
+    }
+  }
+}
+
+/**
+ * Send Tab is built on top of FxA commands.
+ *
+ * Devices exchange keys wrapped in the oldsync key between themselves (getEncryptedKey)
+ * during the device registration flow. The FxA server can theorically never
+ * retrieve the send tab keys since it doesn't know the oldsync key.
+ */
+class SendTab {
+  constructor(commands, fxAccountsInternal) {
+    this._commands = commands;
+    this._fxai = fxAccountsInternal;
+  }
+  /**
+   * @param {Device[]} to - Device objects (typically returned by fxAccounts.getDevicesList()).
+   * @param {Object} tab
+   * @param {string} tab.url
+   * @param {string} tab.title
+   * @returns A report object, in the shape of
+   *          {succeded: [Device], error: [{device: Device, error: Exception}]}
+   */
+  async send(to, tab) {
+    log.info(`Sending a tab to ${to.length} devices.`);
+    const flowID = this._fxai.telemetry.generateFlowID();
+    const encoder = new TextEncoder("utf8");
+    const data = { entries: [{ title: tab.title, url: tab.url }] };
+    const report = {
+      succeeded: [],
+      failed: [],
+    };
+    for (let device of to) {
+      try {
+        const streamID = this._fxai.telemetry.generateFlowID();
+        const targetData = Object.assign({ flowID, streamID }, data);
+        const bytes = encoder.encode(JSON.stringify(targetData));
+        const encrypted = await this._encrypt(bytes, device);
+        // FxA expects an object as the payload, but we only have a single encrypted string; wrap it.
+        // If you add any plaintext items to this payload, please carefully consider the privacy implications
+        // of revealing that data to the FxA server.
+        const payload = { encrypted };
+        await this._commands.invoke(COMMAND_SENDTAB, device, payload);
+        this._fxai.telemetry.recordEvent(
+          "command-sent",
+          COMMAND_SENDTAB_TAIL,
+          this._fxai.telemetry.sanitizeDeviceId(device.id),
+          { flowID, streamID }
+        );
+        report.succeeded.push(device);
+      } catch (error) {
+        log.error("Error while invoking a send tab command.", error);
+        report.failed.push({ device, error });
+      }
+    }
+    return report;
+  }
+
+  // Returns true if the target device is compatible with FxA Commands Send tab.
+  isDeviceCompatible(device) {
+    return (
+      Services.prefs.getBoolPref(
+        "identity.fxaccounts.commands.enabled",
+        true
+      ) &&
+      device.availableCommands &&
+      device.availableCommands[COMMAND_SENDTAB]
+    );
+  }
+
+  // Handle incoming send tab payload, called by FxAccountsCommands.
+  async handle(senderID, { encrypted }, reason) {
+    const bytes = await this._decrypt(encrypted);
+    const decoder = new TextDecoder("utf8");
+    const data = JSON.parse(decoder.decode(bytes));
+    const { flowID, streamID, entries } = data;
+    const current = data.hasOwnProperty("current")
+      ? data.current
+      : entries.length - 1;
+    const { title, url: uri } = entries[current];
+    // `flowID` and `streamID` are in the top-level of the JSON, `entries` is
+    // an array of "tabs" with `current` being what index is the one we care
+    // about, or the last one if not specified.
+    this._fxai.telemetry.recordEvent(
+      "command-received",
+      COMMAND_SENDTAB_TAIL,
+      this._fxai.telemetry.sanitizeDeviceId(senderID),
+      { flowID, streamID, reason }
+    );
+
+    return {
+      title,
+      uri,
+    };
+  }
+
+  async _encrypt(bytes, device) {
+    let bundle = device.availableCommands[COMMAND_SENDTAB];
+    if (!bundle) {
+      throw new Error(`Device ${device.id} does not have send tab keys.`);
+    }
+    const oldsyncKey = await this._fxai.keys.getKeyForScope(SCOPE_OLD_SYNC);
+    // Older clients expect this to be hex, due to pre-JWK sync key ids :-(
+    const ourKid = this._fxai.keys.kidAsHex(oldsyncKey);
+    const { kid: theirKid } = JSON.parse(
+      device.availableCommands[COMMAND_SENDTAB]
+    );
+    if (theirKid != ourKid) {
+      throw new Error("Target Send Tab key ID is different from ours");
+    }
+    const json = JSON.parse(bundle);
+    const wrapper = new CryptoWrapper();
+    wrapper.deserialize({ payload: json });
+    const syncKeyBundle = BulkKeyBundle.fromJWK(oldsyncKey);
+    let { publicKey, authSecret } = await wrapper.decrypt(syncKeyBundle);
+    authSecret = urlsafeBase64Decode(authSecret);
+    publicKey = urlsafeBase64Decode(publicKey);
+
+    const { ciphertext: encrypted } = await PushCrypto.encrypt(
+      bytes,
+      publicKey,
+      authSecret
+    );
+    return urlsafeBase64Encode(encrypted);
+  }
+
+  async _getPersistedKeys() {
+    const { device } = await this._fxai.getUserAccountData(["device"]);
+    return device && device.sendTabKeys;
+  }
+
+  async _decrypt(ciphertext) {
+    let { privateKey, publicKey, authSecret } = await this._getPersistedKeys();
+    publicKey = urlsafeBase64Decode(publicKey);
+    authSecret = urlsafeBase64Decode(authSecret);
+    ciphertext = new Uint8Array(urlsafeBase64Decode(ciphertext));
+    return PushCrypto.decrypt(
+      privateKey,
+      publicKey,
+      authSecret,
+      // The only Push encoding we support.
+      { encoding: "aes128gcm" },
+      ciphertext
+    );
+  }
+
+  async _generateAndPersistKeys() {
+    let [publicKey, privateKey] = await PushCrypto.generateKeys();
+    publicKey = urlsafeBase64Encode(publicKey);
+    let authSecret = PushCrypto.generateAuthenticationSecret();
+    authSecret = urlsafeBase64Encode(authSecret);
+    const sendTabKeys = {
+      publicKey,
+      privateKey,
+      authSecret,
+    };
+    await this._fxai.withCurrentAccountState(async state => {
+      const { device } = await state.getUserAccountData(["device"]);
+      await state.updateUserAccountData({
+        device: {
+          ...device,
+          sendTabKeys,
+        },
+      });
+    });
+    return sendTabKeys;
+  }
+
+  async getEncryptedKey() {
+    let sendTabKeys = await this._getPersistedKeys();
+    if (!sendTabKeys) {
+      sendTabKeys = await this._generateAndPersistKeys();
+    }
+    // Strip the private key from the bundle to encrypt.
+    const keyToEncrypt = {
+      publicKey: sendTabKeys.publicKey,
+      authSecret: sendTabKeys.authSecret,
+    };
+    // getEncryptedKey() will be called as part of device registration, which
+    // happens immediately after signup/signin, so there's a good chance we
+    // don't yet have the sync keys. Unverified users will be unable to fetch
+    // keys, meaning they will end up registering the device twice (once without
+    // sendtab support, then once with sendtab support when they verify), but
+    // that's OK.
+    // TODO: this will fail if master password is locked; should we prompt to unlock it here?
+    if (!(await this._fxai.keys.canGetKeyForScope(SCOPE_OLD_SYNC))) {
+      log.info("Can't fetch keys, so unable to determine sendtab keys");
+      return null;
+    }
+    let oldsyncKey;
+    try {
+      oldsyncKey = await this._fxai.keys.getKeyForScope(SCOPE_OLD_SYNC);
+    } catch (ex) {
+      log.warn("Failed to fetch keys, so unable to determine sendtab keys", ex);
+      return null;
+    }
+    const wrapper = new CryptoWrapper();
+    wrapper.cleartext = keyToEncrypt;
+    const keyBundle = BulkKeyBundle.fromJWK(oldsyncKey);
+    await wrapper.encrypt(keyBundle);
+    return JSON.stringify({
+      // Older clients expect this to be hex, due to pre-JWK sync key ids :-(
+      kid: this._fxai.keys.kidAsHex(oldsyncKey),
+      IV: wrapper.IV,
+      hmac: wrapper.hmac,
+      ciphertext: wrapper.ciphertext,
+    });
+  }
+}
+
+function urlsafeBase64Encode(buffer) {
+  return ChromeUtils.base64URLEncode(new Uint8Array(buffer), { pad: false });
+}
+
+function urlsafeBase64Decode(str) {
+  return ChromeUtils.base64URLDecode(str, { padding: "reject" });
+}