Fix short notation paths being unauthorized [VPNWIN-2627]

Author: eaproton

src/IssueReporting/ProtonVPN.IssueReporting/SentryInitializer.cs

@@ -19,6 +19,7 @@
 
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Linq;
 using System.Reflection;
 using System.Text;
 using ProtonVPN.Builds.Variables;
@@ -113,7 +114,7 @@ private static void LogSentryEvent(SentryEvent e)
 
         private static string GetLogs()
         {
-            IList<string> logs = _logger?.GetRecentLogs() ?? new List<string>();
+            IList<string> logs = _logger?.GetRecentLogs().Reverse().ToList() ?? [];
             StringBuilder sb = new();
             foreach (string log in logs)
             {

src/Logging/ProtonVPN.Logging/Log4Net/Log4NetLogger.cs

@@ -26,6 +26,8 @@ namespace ProtonVPN.Logging.Log4Net
 {
     public class Log4NetLogger : Log4NetLoggerInitializer, ILogger
     {
+        private const int MAX_RECENT_LOG_LINES = 100;
+
         private readonly IList<string> _recentLogs = new List<string>();
 
         public Log4NetLogger(ILoggerConfiguration loggerConfiguration)
@@ -150,7 +152,7 @@ private void AddMessageToRecentLogs(string message, Exception exception = null,
             }
             _recentLogs.Add(message);
 
-            while (_recentLogs.Count > 100)
+            while (_recentLogs.Count > MAX_RECENT_LOG_LINES)
             {
                 _recentLogs.RemoveAt(0);
             }

src/OperatingSystems/Processes/ProtonVPN.OperatingSystems.Processes.Contracts/IPipeStreamProcessIdentifier.cs

@@ -23,6 +23,6 @@ namespace ProtonVPN.OperatingSystems.Processes.Contracts;
 
 public interface IPipeStreamProcessIdentifier
 {
-    string? GetClientProcessFileName(PipeStream pipeStream);
-    string? GetServerProcessFileName(PipeStream pipeStream);
+    string? GetClientProcessFullFilePath(PipeStream pipeStream);
+    string? GetServerProcessFullFilePath(PipeStream pipeStream);
 }

src/OperatingSystems/Processes/ProtonVPN.OperatingSystems.Processes/PipeStreamProcessIdentifier.cs

@@ -35,18 +35,19 @@ public PipeStreamProcessIdentifier(ILogger logger)
         _logger = logger;
     }
 
-    public string? GetClientProcessFileName(PipeStream pipeStream)
+    public string? GetClientProcessFullFilePath(PipeStream pipeStream)
     {
-        return GetProcessFileName(GetClientProcessId, pipeStream);
+        return GetProcessFullFilePath(GetClientProcessId, pipeStream);
     }
 
-    private string? GetProcessFileName(Func<PipeStream, int> processIdRequester, PipeStream pipeStream)
+    private string? GetProcessFullFilePath(Func<PipeStream, int> processIdRequester, PipeStream pipeStream)
     {
         try
         {
             int processId = processIdRequester(pipeStream);
             Process? process = processId == 0 ? null : Process.GetProcessById(processId);
-            return process?.MainModule?.FileName;
+            string? filePath = process?.MainModule?.FileName;
+            return string.IsNullOrWhiteSpace(filePath) ? null : Path.GetFullPath(filePath);
         }
         catch (Exception ex)
         {
@@ -68,9 +69,9 @@ private int GetClientProcessId(PipeStream pipeStream)
     [return: MarshalAs(UnmanagedType.Bool)]
     private static extern bool GetNamedPipeClientProcessId(IntPtr hNamedPipe, out uint clientProcessId);
 
-    public string? GetServerProcessFileName(PipeStream pipeStream)
+    public string? GetServerProcessFullFilePath(PipeStream pipeStream)
     {
-        return GetProcessFileName(GetServerProcessId, pipeStream);
+        return GetProcessFullFilePath(GetServerProcessId, pipeStream);
     }
 
     private int GetServerProcessId(PipeStream pipeStream)

src/ProcessCommunication/Client/ProtonVPN.ProcessCommunication.Client/ResponseHandler.cs

@@ -72,33 +72,36 @@ private async Task HandleResponseAsync(HttpResponseMessage response)
             string serviceProcessVersion = GetHeaderValue(response.Headers, HttpConfiguration.SERVICE_PROCESS_VERSION);
             string installedServiceVersion = GetHeaderValue(response.Headers, HttpConfiguration.INSTALLED_SERVICE_VERSION);
 
-            _logger.Error<ProcessCommunicationErrorLog>(
-                $"Received HTTP status code {response.StatusCode} from gRPC server. " +
-                $"Client Process Path: '{clientProcessPath}' Version '{clientProcessVersion}'), " +
-                $"Service Process Path: '{serviceProcessPath}' Version '{serviceProcessVersion}'), " +
-                $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersion}')");
+            _logger.Error<ProcessCommunicationErrorLog>($"Received HTTP status code {response.StatusCode} from gRPC server. " +
+                $"Client Process Path: '{clientProcessPath}' Version '{clientProcessVersion}', " +
+                $"Service Process Path: '{serviceProcessPath}' Version '{serviceProcessVersion}', " +
+                $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersion}'");
 
             if (response.StatusCode == HttpStatusCode.Unauthorized)
             {
-                await Handle401UnauthorizedAsync(clientProcessVersion, serviceProcessVersion);
+                string logMessageDetails =
+                    $"Client Process Path: '{clientProcessPath}', " +
+                    $"Service Process Path: '{serviceProcessPath}', " +
+                    $"Installed Service Path: '{installedServicePath}'";
+                await Handle401UnauthorizedAsync(clientProcessVersion, serviceProcessVersion, logMessageDetails);
             }
         }
     }
 
-    private async Task Handle401UnauthorizedAsync(string clientProcessVersion, string serviceProcessVersion)
+    private async Task Handle401UnauthorizedAsync(string clientProcessVersion, string serviceProcessVersion, string logMessageDetails)
     {
         await _semaphore.WaitAsync();
         try
         {
-            Handle401Unauthorized(clientProcessVersion, serviceProcessVersion);
+            Handle401Unauthorized(clientProcessVersion, serviceProcessVersion, logMessageDetails);
         }
         finally
         {
             _semaphore.Release();
         }
     }
 
-    private void Handle401Unauthorized(string clientProcessVersionString, string serviceProcessVersionString)
+    private void Handle401Unauthorized(string clientProcessVersionString, string serviceProcessVersionString, string logMessageDetails)
     {
         string versions = $"ClientProcessVersion: {clientProcessVersionString}, ServiceProcessVersion: {serviceProcessVersionString}";
 
@@ -116,7 +119,7 @@ private void Handle401Unauthorized(string clientProcessVersionString, string ser
 
             if (!_is401UnauthorizedWithoutBeingBelowServiceVersionHandled)
             {
-                _issueReporter.CaptureMessage(logExplanation, versions);
+                _issueReporter.CaptureMessage(logExplanation, logMessageDetails);
                 _is401UnauthorizedWithoutBeingBelowServiceVersionHandled = true;
             }
         }

src/ProcessCommunication/Server/ProtonVPN.ProcessCommunication.Server/NamedPipeAuthorizationMiddleware.cs

@@ -79,7 +79,7 @@ public async Task InvokeAsync(HttpContext context)
         {
             context.Response.StatusCode = authorizationResult.StatusCode;
 
-            string installedServicePath = _registryEditor.ReadString(_registryUri);
+            string installedServicePath = Path.GetFullPath(_registryEditor.ReadString(_registryUri));
 
             string clientProcessVersionString = GetVersionFromFilePath(authorizationResult.ClientProcessFileName);
             string serviceProcessVersionString = GetVersionFromFilePath(authorizationResult.ServerProcessFileName);
@@ -91,17 +91,17 @@ public async Task InvokeAsync(HttpContext context)
                 Version.TryParse(installedServiceVersionString, out Version installedServiceVersion) &&
                 installedServiceVersion > serviceProcessVersion)
             {
-                string serviceStopDescription = $"Client Process Path: '{authorizationResult.ClientProcessFileName}' Version '{clientProcessVersionString}'), " +
-                    $"Service Process Path: '{authorizationResult.ServerProcessFileName}' Version '{serviceProcessVersionString}'), " +
-                    $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersionString}')";
+                string serviceStopDescription = $"Client Process Path: '{authorizationResult.ClientProcessFileName}' Version '{clientProcessVersionString}', " +
+                    $"Service Process Path: '{authorizationResult.ServerProcessFileName}' Version '{serviceProcessVersionString}', " +
+                    $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersionString}'";
                 await StopServiceAsync(serviceStopDescription);
                 context.Response.StatusCode = StatusCodes.Status409Conflict;
             }
 
             _logger.Error<ProcessCommunicationErrorLog>($"Sending HTTP status code {context.Response.StatusCode} to gRPC client. " +
-                $"Client Process Path: '{authorizationResult.ClientProcessFileName}' Version '{clientProcessVersionString}'), " +
-                $"Service Process Path: '{authorizationResult.ServerProcessFileName}' Version '{serviceProcessVersionString}'), " +
-                $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersionString}')");
+                $"Client Process Path: '{authorizationResult.ClientProcessFileName}' Version '{clientProcessVersionString}', " +
+                $"Service Process Path: '{authorizationResult.ServerProcessFileName}' Version '{serviceProcessVersionString}', " +
+                $"Installed Service Path: '{installedServicePath}' Version '{installedServiceVersionString}'");
 
             context.Response.Headers[HttpConfiguration.CLIENT_PROCESS_PATH] = authorizationResult.ClientProcessFileName;
             context.Response.Headers[HttpConfiguration.SERVICE_PROCESS_PATH] = authorizationResult.ServerProcessFileName;
@@ -160,23 +160,25 @@ private async Task<AuthorizationResult> AuthorizeAsync(HttpContext context)
         {
             NamedPipeServerStream namedPipe = GetNamedPipe(context);
 
-            string clientProcessFileName = _pipeStreamProcessIdentifier.GetClientProcessFileName(namedPipe) ?? string.Empty;
-            string serverProcessFileName = _pipeStreamProcessIdentifier.GetServerProcessFileName(namedPipe) ?? string.Empty;
+            string clientProcessPath = _pipeStreamProcessIdentifier.GetClientProcessFullFilePath(namedPipe) ?? string.Empty;
+            string serverProcessPath = _pipeStreamProcessIdentifier.GetServerProcessFullFilePath(namedPipe) ?? string.Empty;
 
-            if (!_config.ServiceExePath.Equals(serverProcessFileName, StringComparison.InvariantCultureIgnoreCase))
+            string expectedServiceProcessPath = Path.GetFullPath(_config.ServiceExePath);
+            if (!expectedServiceProcessPath.Equals(serverProcessPath, StringComparison.InvariantCultureIgnoreCase))
             {
                 _logger.Warn<ProcessCommunicationErrorLog>($"The owner of the Named Pipe is not this Service. Dispose and recreate.");
                 await _recreateAndStartAsyncFunc();
-                return AuthorizationResult.Error(StatusCodes.Status409Conflict, clientProcessFileName, serverProcessFileName);
+                return AuthorizationResult.Error(StatusCodes.Status409Conflict, clientProcessPath, serverProcessPath);
             }
 
-            if (_config.AppExePath.Equals(clientProcessFileName, StringComparison.InvariantCultureIgnoreCase))
+            string expectedClientProcessPath = Path.GetFullPath(_config.AppExePath);
+            if (expectedClientProcessPath.Equals(clientProcessPath, StringComparison.InvariantCultureIgnoreCase))
             {
                 return AuthorizationResult.Ok();
             }
 
-            _logger.Warn<ProcessCommunicationErrorLog>($"The connected client is unauthorized. Client path: '{clientProcessFileName}'. Expected: '{_config.AppExePath}'.");
-            return AuthorizationResult.Error(StatusCodes.Status401Unauthorized, clientProcessFileName, serverProcessFileName);
+            _logger.Warn<ProcessCommunicationErrorLog>($"The connected client is unauthorized. Client path: '{clientProcessPath}'. Expected: '{expectedClientProcessPath}'.");
+            return AuthorizationResult.Error(StatusCodes.Status401Unauthorized, clientProcessPath, serverProcessPath);
         }
         catch (Exception ex)
         {