0ad/source/ps/ModIo.h

/* Copyright (C) 2021 Wildfire Games.
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */

#ifndef INCLUDED_MODIO
#define INCLUDED_MODIO

#include "lib/external_libraries/curl.h"
#include "lib/os_path.h"
#include "scriptinterface/ScriptForward.h"

#include <map>
#include <sodium.h>
#include <string>
#include <vector>

// TODO: Allocate instance of the below two using sodium_malloc?
struct PKStruct
{
	unsigned char sig_alg[2] = {}; // == "Ed"
	unsigned char keynum[8] = {}; // should match the keynum in the sigstruct, else this is the wrong key
	unsigned char pk[crypto_sign_PUBLICKEYBYTES] = {};
};

struct SigStruct
{
	unsigned char sig_alg[2] = {}; // "ED" (since we only support the hashed mode)
	unsigned char keynum[8] = {}; // should match the keynum in the PKStruct
	unsigned char sig[crypto_sign_BYTES] = {};
};

struct ModIoModData
{
	std::map<std::string, std::string> properties;
	std::vector<std::string> dependencies;
	SigStruct sig;
};

enum class DownloadProgressStatus {
	NONE, // Default state
	GAMEID, // The game ID is being downloaded
	READY, // The game ID has been downloaded
	LISTING, // The mod list is being downloaded
	LISTED, // The mod list has been downloaded
	DOWNLOADING, // A mod file is being downloaded
	SUCCESS, // A mod file has been downloaded

	FAILED_GAMEID, // Game ID couldn't be retrieved
	FAILED_LISTING, // Mod list couldn't be retrieved
	FAILED_DOWNLOADING, // File couldn't be retrieved
	FAILED_FILECHECK // The file is corrupted
};

struct DownloadProgressData
{
	DownloadProgressStatus status;
	double progress;
	std::string error;
};

struct DownloadCallbackData;

/**
 * mod.io API interfacing code.
 *
 * Overview
 *
 * This class interfaces with a remote API provider that returns a list of mod files.
 * These can then be downloaded after some cursory checking of well-formedness of the returned
 * metadata.
 * Downloaded files are checked for well formedness by validating that they fit the size and hash
 * indicated by the API, then we check if the file is actually signed by a trusted key, and only
 * if all of that is success the file is actually possible to be loaded as a mod.
 *
 * Security considerations
 *
 * This both distrusts the loaded JS mods, and the API as much as possible.
 * We do not want a malicious mod to use this to download arbitrary files, nor do we want the API
 * to make us download something we have not verified.
 * Therefore we only allow mods to download one of the mods returned by this class (using indices).
 *
 * This (mostly) necessitates parsing the API responses here, as opposed to in JS.
 * One could alternatively parse the responses in a locked down JS context, but that would require
 * storing that code in here, or making sure nobody can overwrite it. Also this would possibly make
 * some of the needed accesses for downloading and verifying files a bit more complicated.
 *
 * Everything downloaded from the API has its signature verified against our public key.
 * This is a requirement, as otherwise a compromise of the API would result in users installing
 * possibly malicious files.
 * So a compromised API can just serve old files that we signed, so in that case there would need
 * to be an issue in that old file that was missed.
 *
 * To limit the extend to how old those files could be the signing key should be rotated
 * regularly (e.g. every release). To allow old versions of the engine to still use the API
 * files can be signed by both the old and the new key for some amount of time, that however
 * only makes sense in case a mod is compatible with both engine versions.
 *
 * Note that this does not prevent all possible attacks a package manager/update system should
 * defend against. This is intentionally not an update system since proper package managers already
 * exist. However there is some possible overlap in attack vectors and these should be evalutated
 * whether they apply and to what extend we can fix that on our side (or how to get the API provider
 * to help us do so). For a list of some possible issues see:
 * https://github.com/theupdateframework/specification/blob/master/tuf-spec.md
 *
 * The mod.io settings are also locked down such that only mods that have been authorized by us
 * show up in API queries. This is both done so that all required information (dependencies)
 * are stored for the files, and that only mods that have been checked for being ok are actually
 * shown to users.
 */
class ModIo
{
	NONCOPYABLE(ModIo);
public:
	ModIo();
	~ModIo();

	// Async requests
	void StartGetGameId();
	void StartListMods();
	void StartDownloadMod(u32 idx);

	/**
	 * Advance the current async request and perform final steps if the download is complete.
	 *
	 * @param scriptInterface used for parsing the data and possibly install the mod.
	 * @return true if the download is complete (successful or not), false otherwise.
	 */
	bool AdvanceRequest(const ScriptInterface& scriptInterface);

	/**
	 * Cancel the current async request and clean things up
	 */
	void CancelRequest();

	const std::vector<ModIoModData>& GetMods() const
	{
		return m_ModData;
	}
	const DownloadProgressData& GetDownloadProgress() const
	{
		return m_DownloadProgressData;
	}

private:
	static size_t ReceiveCallback(void* buffer, size_t size, size_t nmemb, void* userp);
	static size_t DownloadCallback(void* buffer, size_t size, size_t nmemb, void* userp);
	static int DownloadProgressCallback(void* clientp, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow);

	CURLMcode SetupRequest(const std::string& url, bool fileDownload);
	void TearDownRequest();

	bool ParseGameId(const ScriptInterface& scriptInterface, std::string& err);
	bool ParseMods(const ScriptInterface& scriptInterface, std::string& err);

	void DeleteDownloadedFile();
	bool VerifyDownloadedFile(std::string& err);

	// Utility methods for parsing mod.io responses and metadata
	static bool ParseGameIdResponse(const ScriptInterface& scriptInterface, const std::string& responseData, int& id, std::string& err);
	static bool ParseModsResponse(const ScriptInterface& scriptInterface, const std::string& responseData, std::vector<ModIoModData>& modData, const PKStruct& pk, std::string& err);
	static bool ParseSignature(const std::vector<std::string>& minisigs, SigStruct& sig, const PKStruct& pk, std::string& err);

	// Url parts
	std::string m_BaseUrl;
	std::string m_GamesRequest;
	std::string m_GameId;

	// Query parameters
	std::string m_ApiKey;
	std::string m_IdQuery;

	CURL* m_Curl;
	CURLM* m_CurlMulti;
	curl_slist* m_Headers;
	char m_ErrorBuffer[CURL_ERROR_SIZE];
	std::string m_ResponseData;

	// Current mod download
	int m_DownloadModID;
	OsPath m_DownloadFilePath;
	DownloadCallbackData* m_CallbackData;
	DownloadProgressData m_DownloadProgressData;

	PKStruct m_pk;

	std::vector<ModIoModData> m_ModData;

	friend class TestModIo;
};

extern ModIo* g_ModIo;

#endif // INCLUDED_MODIO