From 619bbbca965a37dfa0ebaa93fc75fd6c4c7830fc Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 25 Apr 2018 16:47:42 -0400
Subject: [PATCH] Provide more feedback and fix some flow issues

---
 confluent_server/confluent/collective/invites.py | 2 ++
 confluent_server/confluent/collective/manager.py | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/collective/invites.py b/confluent_server/confluent/collective/invites.py
index ec1b1532..94c0906f 100644
--- a/confluent_server/confluent/collective/invites.py
+++ b/confluent_server/confluent/collective/invites.py
@@ -38,6 +38,8 @@ def check_server_proof(invitation, mycert, peercert, proof):
 
 def check_client_proof(servername, mycert, peercert, proof):
     servername = servername.encode('utf-8')
+    if servername not in pending_invites:
+        return False
     invitation = pending_invites[servername]
     validproof = hmac.new(invitation, mycert + peercert, hashlib.sha256
                           ).digest()
diff --git a/confluent_server/confluent/collective/manager.py b/confluent_server/confluent/collective/manager.py
index b61b51d2..d1f35049 100644
--- a/confluent_server/confluent/collective/manager.py
+++ b/confluent_server/confluent/collective/manager.py
@@ -43,7 +43,7 @@ def handle_connection(connection, cert, request, local=False):
     if 'join' == operation:
         invitation = request['invitation']
         invitation = base64.b64decode(invitation)
-        name, invitation = invitation.split('@')
+        name, invitation = invitation.split('@', 1)
         host = request['server']
         remote = socket.create_connection((host, 13001))
         # This isn't what it looks like. We do CERT_NONE to disable 
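Review bot: The new `if servername not in pending_invites` guard in check_client_proof stops a KeyError for an unknown or already-consumed invite, but the reason is not recorded anywhere; a why-comment such as `# unknown or already-consumed invite: reject instead of raising KeyError` would make the intent explicit for the caller that maps a falsy result to "Invalid token". The comparison of `validproof` against `proof` lies past the end of this hunk; if it is a plain `==`, it should be `hmac.compare_digest(validproof, proof)` so the HMAC verification does not leak timing. Note also that `mycert + peercert` is concatenated with no separator or length prefix, so the MAC does not itself bind where one certificate ends and the next begins; PEM/DER framing probably makes this unambiguous in practice, but that assumption is worth stating in a comment. check_client_proof's body continues outside the hunk.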
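Review bot: `invitation.split('@', 1)` handles names containing extra '@' characters, but the two-target unpack still raises ValueError when the decoded invitation has no '@' at all, and `base64.b64decode` on the line above raises `binascii.Error` on malformed input, so a bad join request still leaves handle_connection as an exception rather than as an error reply. `name, sep, invitation = invitation.partition('@')` followed by `if not sep: return` after sending an error to `connection` would handle the first case in the same style the later hunk uses for a failed proof. If this module runs under Python 3, `b64decode` returns bytes and the `'@'` separator would need to be `b'@'`; it is not visible here whether the code targets Python 2 only. handle_connection continues past the hunk.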
@@ -66,17 +66,22 @@ def handle_connection(connection, cert, request, local=False):
         proof = rsp['collective']['approval']
         j = invites.check_server_proof(invitation, mycert, cert, proof)
         if not j:
+            tlvdata.send(connection,
+                         {'errorcode': 500,
+                          'error': 'Response failed validation'})
             return
+        tlvdata.send(remote, {'collective': 'success'})
     if 'joinchallenge' == operation:
         mycert = util.get_certificate_from_file('/etc/confluent/srvcert.pem')
         proof = base64.b64decode(request['hmac'])
         myrsp = invites.check_client_proof(request['name'], mycert, cert,
                                            proof)
         if not myrsp:
+            tlvdata.send(connection, {'error': 'Invalid token'})
             connection.close()
             return
         myrsp = base64.b64encode(myrsp)
-        collcerts[request['name']] = cert
         tlvdata.send(connection, {'collective': {'approval': myrsp}})
         clientready = tlvdata.recv(connection)
         print(repr(clientready))
+        collcerts[request['name']] = cert
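Review bot: The moved `collcerts[request['name']] = cert` at the end of the hunk registers the peer certificate as soon as `tlvdata.recv(connection)` returns, but `clientready` is only printed and never checked, so any reply (or, presumably, a `None` on disconnect) still completes the join. Assuming `tlvdata.recv` returns the dict the peer sent, as `rsp['collective']['approval']` above suggests, guard the assignment with `if not clientready or clientready.get('collective') != 'success':` followed by `connection.close()` and `return`, and drop the `print(repr(clientready))` debug line. In the `if not j:` branch the new error reply is sent to `connection`, but `remote`, opened in the earlier hunk, is left open on return; add `remote.close()` before the `return`. handle_connection continues outside the hunk.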