Change authorization info in handshake response

- Change AuthorizedAccessTypes to ActiveAuthorizationIDs,
  as the ID more uniquely identifies the actual
  authorization that was accetped.

psiphon/common/protocol/protocol.go

@@ -127,15 +127,15 @@ func UseClientTunnelProtocol(
 }
 
 type HandshakeResponse struct {
-	SSHSessionID          string              `json:"ssh_session_id"`
-	Homepages             []string            `json:"homepages"`
-	UpgradeClientVersion  string              `json:"upgrade_client_version"`
-	PageViewRegexes       []map[string]string `json:"page_view_regexes"`
-	HttpsRequestRegexes   []map[string]string `json:"https_request_regexes"`
-	EncodedServerList     []string            `json:"encoded_server_list"`
-	ClientRegion          string              `json:"client_region"`
-	ServerTimestamp       string              `json:"server_timestamp"`
-	AuthorizedAccessTypes []string            `json:"authorized_access_types"`
+	SSHSessionID           string              `json:"ssh_session_id"`
+	Homepages              []string            `json:"homepages"`
+	UpgradeClientVersion   string              `json:"upgrade_client_version"`
+	PageViewRegexes        []map[string]string `json:"page_view_regexes"`
+	HttpsRequestRegexes    []map[string]string `json:"https_request_regexes"`
+	EncodedServerList      []string            `json:"encoded_server_list"`
+	ClientRegion           string              `json:"client_region"`
+	ServerTimestamp        string              `json:"server_timestamp"`
+	ActiveAuthorizationIDs []string            `json:"active_authorization_ids"`
 }
 
 type ConnectedResponse struct {

psiphon/notice.go

@@ -711,11 +711,12 @@ func NoticeServerTimestamp(timestamp string) {
 		"timestamp", timestamp)
 }
 
-// NoticeAuthorizedAccessTypes reports the authorized access types the server has accepted.
-func NoticeAuthorizedAccessTypes(authorizedAccessTypes []string) {
+// NoticeActiveAuthorizationIDs reports the authorizations the server has accepted.
+// Each ID is a base64-encoded accesscontrol.Authorization.ID value.
+func NoticeActiveAuthorizationIDs(activeAuthorizationIDs []string) {
 	singletonNoticeLogger.outputNotice(
-		"AuthorizedAccessTypes", 0,
-		"accessTypes", authorizedAccessTypes)
+		"ActiveAuthorizationIDs", 0,
+		"IDs", activeAuthorizationIDs)
 }
 
 type repetitiveNoticeState struct {

psiphon/server/api.go

@@ -208,7 +208,7 @@ func handshakeAPIRequestHandler(
 	// TODO: in the case of SSH API requests, the actual sshClient could
 	// be passed in and used here. The session ID lookup is only strictly
 	// necessary to support web API requests.
-	authorizedAccessTypes, err := support.TunnelServer.SetClientHandshakeState(
+	activeAuthorizationIDs, authorizedAccessTypes, err := support.TunnelServer.SetClientHandshakeState(
 		sessionID,
 		handshakeState{
 			completed:   true,
@@ -234,15 +234,15 @@ func handshakeAPIRequestHandler(
 	// Note: no guarantee that PsinetDatabase won't reload between database calls
 	db := support.PsinetDatabase
 	handshakeResponse := protocol.HandshakeResponse{
-		SSHSessionID:          sessionID,
-		Homepages:             db.GetRandomizedHomepages(sponsorID, geoIPData.Country, isMobile),
-		UpgradeClientVersion:  db.GetUpgradeClientVersion(clientVersion, normalizedPlatform),
-		PageViewRegexes:       make([]map[string]string, 0),
-		HttpsRequestRegexes:   db.GetHttpsRequestRegexes(sponsorID),
-		EncodedServerList:     db.DiscoverServers(geoIPData.DiscoveryValue),
-		ClientRegion:          geoIPData.Country,
-		ServerTimestamp:       common.GetCurrentTimestamp(),
-		AuthorizedAccessTypes: authorizedAccessTypes,
+		SSHSessionID:           sessionID,
+		Homepages:              db.GetRandomizedHomepages(sponsorID, geoIPData.Country, isMobile),
+		UpgradeClientVersion:   db.GetUpgradeClientVersion(clientVersion, normalizedPlatform),
+		PageViewRegexes:        make([]map[string]string, 0),
+		HttpsRequestRegexes:    db.GetHttpsRequestRegexes(sponsorID),
+		EncodedServerList:      db.DiscoverServers(geoIPData.DiscoveryValue),
+		ClientRegion:           geoIPData.Country,
+		ServerTimestamp:        common.GetCurrentTimestamp(),
+		ActiveAuthorizationIDs: activeAuthorizationIDs,
 	}
 
 	responsePayload, err := json.Marshal(handshakeResponse)

psiphon/server/tunnelServer.go

@@ -22,7 +22,7 @@ package server
 import (
 	"context"
 	"crypto/subtle"
-	"encoding/hex"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -228,11 +228,12 @@ func (server *TunnelServer) ResetAllClientOSLConfigs() {
 //
 // The authorizations received from the client handshake are verified and the
 // resulting list of authorized access types are applied to the client's tunnel
-// and traffic rules. A list of authorized access types is returned.
+// and traffic rules. A list of active authorization IDs and authorized access
+// types is returned for responding to the client and logging.
 func (server *TunnelServer) SetClientHandshakeState(
 	sessionID string,
 	state handshakeState,
-	authorizations [][]byte) ([]string, error) {
+	authorizations [][]byte) ([]string, []string, error) {
 
 	return server.sshServer.setClientHandshakeState(sessionID, state, authorizations)
 }
@@ -682,22 +683,23 @@ func (sshServer *sshServer) resetAllClientOSLConfigs() {
 func (sshServer *sshServer) setClientHandshakeState(
 	sessionID string,
 	state handshakeState,
-	authorizations [][]byte) ([]string, error) {
+	authorizations [][]byte) ([]string, []string, error) {
 
 	sshServer.clientsMutex.Lock()
 	client := sshServer.clients[sessionID]
 	sshServer.clientsMutex.Unlock()
 
 	if client == nil {
-		return nil, common.ContextError(errors.New("unknown session ID"))
+		return nil, nil, common.ContextError(errors.New("unknown session ID"))
 	}
 
-	authorizedAccessTypes, err := client.setHandshakeState(state, authorizations)
+	activeAuthorizationIDs, authorizedAccessTypes, err := client.setHandshakeState(
+		state, authorizations)
 	if err != nil {
-		return nil, common.ContextError(err)
+		return nil, nil, common.ContextError(err)
 	}
 
-	return authorizedAccessTypes, nil
+	return activeAuthorizationIDs, authorizedAccessTypes, nil
 }
 
 func (sshServer *sshServer) getClientHandshaked(
@@ -1726,7 +1728,7 @@ func (sshClient *sshClient) rejectNewChannel(newChannel ssh.NewChannel, reason s
 // sshClient.stop().
 func (sshClient *sshClient) setHandshakeState(
 	state handshakeState,
-	authorizations [][]byte) ([]string, error) {
+	authorizations [][]byte) ([]string, []string, error) {
 
 	sshClient.Lock()
 	completed := sshClient.handshakeState.completed
@@ -1737,7 +1739,7 @@ func (sshClient *sshClient) setHandshakeState(
 
 	// Client must only perform one handshake
 	if completed {
-		return nil, common.ContextError(errors.New("handshake already completed"))
+		return nil, nil, common.ContextError(errors.New("handshake already completed"))
 	}
 
 	// Verify the authorizations submitted by the client. Verified, active (non-expired)
@@ -1774,7 +1776,7 @@ func (sshClient *sshClient) setHandshakeState(
 			continue
 		}
 
-		authorizationID := hex.EncodeToString(verifiedAuthorization.ID)
+		authorizationID := base64.StdEncoding.EncodeToString(verifiedAuthorization.ID)
 
 		// A client may reconnect while the server still has an active sshClient for that
 		// client session. In this case, the previous sshClient is closed by the new
@@ -1834,7 +1836,7 @@ func (sshClient *sshClient) setHandshakeState(
 	sshClient.setTrafficRules()
 	sshClient.setOSLConfig()
 
-	return authorizedAccessTypes, nil
+	return authorizationIDs, authorizedAccessTypes, nil
 }
 
 // getHandshaked returns whether the client has completed a handshake API

psiphon/serverApi.go

@@ -229,7 +229,7 @@ func (serverContext *ServerContext) doHandshakeRequest(
 	serverContext.serverHandshakeTimestamp = handshakeResponse.ServerTimestamp
 	NoticeServerTimestamp(serverContext.serverHandshakeTimestamp)
 
-	NoticeAuthorizedAccessTypes(handshakeResponse.AuthorizedAccessTypes)
+	NoticeActiveAuthorizationIDs(handshakeResponse.ActiveAuthorizationIDs)
 
 	return nil
 }