chore: enable tunnel binary verification

deansheather · deansheather · commit 34793f0b3adc · 2025-03-01T15:21:45.000+11:00
diff --git a/Vpn.Service/Downloader.cs b/Vpn.Service/Downloader.cs
@@ -78,22 +78,47 @@ public async Task ValidateAsync(string path, CancellationToken ct = default)
 
 public class AssemblyVersionDownloadValidator : IDownloadValidator
 {
-    private readonly string _expectedAssemblyVersion;
+    private readonly int _expectedMajor;
+    private readonly int _expectedMinor;
+    private readonly int _expectedBuild;
+    private readonly int _expectedRevision;
+
+    private readonly Version _expectedVersion;
 
     // ReSharper disable once ConvertToPrimaryConstructor
-    public AssemblyVersionDownloadValidator(string expectedAssemblyVersion)
+    public AssemblyVersionDownloadValidator(int expectedMajor, int expectedMinor, int expectedBuild,
+        int expectedRevision)
     {
-        _expectedAssemblyVersion = expectedAssemblyVersion;
+        _expectedMajor = expectedMajor;
+        _expectedMinor = expectedMinor;
+        _expectedBuild = expectedBuild < 0 ? -1 : expectedBuild;
+        _expectedRevision = expectedRevision < 0 ? -1 : expectedRevision;
+        if (_expectedBuild == -1 && _expectedRevision != -1)
+            throw new ArgumentException("Build must be set if Revision is set", nameof(expectedRevision));
+
+        if (_expectedBuild == -1)
+            _expectedVersion = new Version(_expectedMajor, _expectedMinor);
+        else if (_expectedRevision == -1)
+            _expectedVersion = new Version(_expectedMajor, _expectedMinor, _expectedBuild);
+        else
+            _expectedVersion = new Version(_expectedMajor, _expectedMinor, _expectedBuild, _expectedRevision);
     }
 
     public Task ValidateAsync(string path, CancellationToken ct = default)
     {
         var info = FileVersionInfo.GetVersionInfo(path);
         if (string.IsNullOrEmpty(info.ProductVersion))
             throw new Exception("File ProductVersion is empty or null, was the binary compiled correctly?");
-        if (info.ProductVersion != _expectedAssemblyVersion)
+        if (!Version.TryParse(info.ProductVersion, out var productVersion))
+            throw new Exception($"File ProductVersion '{info.ProductVersion}' is not a valid version string");
+
+        // If the build or revision are -1 on the expected version, they are ignored.
+        if (productVersion.Major != _expectedMajor || productVersion.Minor != _expectedMinor ||
+            (_expectedBuild != -1 && productVersion.Build != _expectedBuild) ||
+            (_expectedRevision != -1 && productVersion.Revision != _expectedRevision))
             throw new Exception(
-                $"File ProductVersion is '{info.ProductVersion}', but expected '{_expectedAssemblyVersion}'");
+                $"File ProductVersion is '{info.ProductVersion}', but expected '{_expectedVersion}'");
+
         return Task.CompletedTask;
     }
 }
@@ -103,19 +128,24 @@ public Task ValidateAsync(string path, CancellationToken ct = default)
 /// </summary>
 public class CombinationDownloadValidator : IDownloadValidator
 {
-    private readonly IDownloadValidator[] _validators;
+    private readonly List<IDownloadValidator> _validators;
 
     /// <param name="validators">Validators to run</param>
     public CombinationDownloadValidator(params IDownloadValidator[] validators)
     {
-        _validators = validators;
+        _validators = validators.ToList();
     }
 
     public async Task ValidateAsync(string path, CancellationToken ct = default)
     {
         foreach (var validator in _validators)
             await validator.ValidateAsync(path, ct);
     }
+
+    public void Add(IDownloadValidator validator)
+    {
+        _validators.Add(validator);
+    }
 }
 
 /// <summary>
diff --git a/Vpn.Service/Manager.cs b/Vpn.Service/Manager.cs
@@ -417,15 +417,30 @@ private async Task DownloadTunnelBinaryAsync(string baseUrl, SemVersion expected
         _logger.LogInformation("Downloading VPN binary from '{url}' to '{DestinationPath}'", url,
             _config.TunnelBinaryPath);
         var req = new HttpRequestMessage(HttpMethod.Get, url);
-        var validators = new NullDownloadValidator();
-        // TODO: re-enable when the binaries are signed and have versions
-        /*
-        var validators = new CombinationDownloadValidator(
-            AuthenticodeDownloadValidator.Coder,
-            new AssemblyVersionDownloadValidator(
-                $"{expectedVersion.Major}.{expectedVersion.Minor}.{expectedVersion.Patch}.0")
-        );
-        */
+
+        var validators = new CombinationDownloadValidator();
+        if (!string.IsNullOrEmpty(_config.TunnelBinarySignatureSigner))
+        {
+            _logger.LogDebug("Adding Authenticode signature validator for signer '{Signer}'",
+                _config.TunnelBinarySignatureSigner);
+            validators.Add(new AuthenticodeDownloadValidator(_config.TunnelBinarySignatureSigner));
+        }
+        else
+        {
+            _logger.LogDebug("Skipping Authenticode signature validation");
+        }
+
+        if (!_config.TunnelBinaryAllowVersionMismatch)
+        {
+            _logger.LogDebug("Adding version validator for version '{ExpectedVersion}'", expectedVersion);
+            validators.Add(new AssemblyVersionDownloadValidator((int)expectedVersion.Major, (int)expectedVersion.Minor,
+                (int)expectedVersion.Patch, -1));
+        }
+        else
+        {
+            _logger.LogDebug("Skipping tunnel binary version validation");
+        }
+
         var downloadTask = await _downloader.StartDownloadAsync(req, _config.TunnelBinaryPath, validators, ct);
 
         // TODO: monitor and report progress when we have a mechanism to do so
diff --git a/Vpn.Service/ManagerConfig.cs b/Vpn.Service/ManagerConfig.cs
@@ -11,4 +11,9 @@ public class ManagerConfig
     [Required] public string TunnelBinaryPath { get; set; } = @"C:\coder-vpn.exe";
 
     [Required] public string LogFileLocation { get; set; } = @"C:\coder-desktop-service.log";
+
+    // If empty, signatures will not be verified.
+    [Required] public string TunnelBinarySignatureSigner { get; set; } = "Coder Technologies Inc.";
+
+    [Required] public bool TunnelBinaryAllowVersionMismatch { get; set; } = false;
 }
diff --git a/Vpn.Service/Program.cs b/Vpn.Service/Program.cs
@@ -10,8 +10,10 @@ public static class Program
 {
 #if !DEBUG
     private const string ServiceName = "Coder Desktop";
+    private const string ManagerConfigSection = "Manager";
 #else
     private const string ServiceName = "Coder Desktop (Debug)";
+    private const string ManagerConfigSection = "DebugManager";
 #endif
 
     private const string ConsoleOutputTemplate =
@@ -61,7 +63,7 @@ private static async Task BuildAndRun(string[] args)
 
         // Options types (these get registered as IOptions<T> singletons)
         builder.Services.AddOptions<ManagerConfig>()
-            .Bind(builder.Configuration.GetSection("Manager"))
+            .Bind(builder.Configuration.GetSection(ManagerConfigSection))
             .ValidateDataAnnotations()
             .PostConfigure(config =>
             {

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,9 @@ public class ManagerConfig`
`11`	`11`	`[Required] public string TunnelBinaryPath { get; set; } = @"C:\coder-vpn.exe";`
`12`	`12`
`13`	`13`	`[Required] public string LogFileLocation { get; set; } = @"C:\coder-desktop-service.log";`
	`14`	`+`
	`15`	`+ // If empty, signatures will not be verified.`
	`16`	`+ [Required] public string TunnelBinarySignatureSigner { get; set; } = "Coder Technologies Inc.";`
	`17`	`+`
	`18`	`+ [Required] public bool TunnelBinaryAllowVersionMismatch { get; set; } = false;`
`14`	`19`	`}`