2024-04-13 21:22:19 +02:00
|
|
|
use std::collections::BTreeMap;
|
|
|
|
|
|
2024-04-13 05:26:50 +02:00
|
|
|
use axum::{extract::{FromRef, FromRequestParts}, http::{header, request::Parts}};
|
2024-04-13 01:49:23 +02:00
|
|
|
use base64::Engine;
|
|
|
|
|
use openssl::{hash::MessageDigest, pkey::PKey, sign::Verifier};
|
2024-04-14 16:05:44 +02:00
|
|
|
use reqwest::StatusCode;
|
2024-03-25 01:58:30 +01:00
|
|
|
use sea_orm::{ColumnTrait, Condition, EntityTrait, QueryFilter};
|
|
|
|
|
|
2024-04-13 01:49:23 +02:00
|
|
|
use crate::{errors::UpubError, model, server::Context};
|
2024-03-25 01:58:30 +01:00
|
|
|
|
2024-04-18 05:25:56 +02:00
|
|
|
use super::fetcher::Fetcher;
|
|
|
|
|
|
2024-03-25 01:58:30 +01:00
|
|
|
#[derive(Debug, Clone)]
|
|
|
|
|
pub enum Identity {
|
|
|
|
|
Anonymous,
|
2024-03-25 05:12:49 +01:00
|
|
|
Local(String),
|
|
|
|
|
Remote(String),
|
2024-03-25 01:58:30 +01:00
|
|
|
}
|
|
|
|
|
|
2024-04-12 19:36:00 +02:00
|
|
|
impl Identity {
|
|
|
|
|
pub fn filter_condition(&self) -> Condition {
|
2024-04-12 21:18:01 +02:00
|
|
|
let base_cond = Condition::any().add(model::addressing::Column::Actor.eq(apb::target::PUBLIC));
|
2024-04-12 19:36:00 +02:00
|
|
|
match self {
|
|
|
|
|
Identity::Anonymous => base_cond,
|
|
|
|
|
Identity::Remote(server) => base_cond.add(model::addressing::Column::Server.eq(server)),
|
|
|
|
|
// TODO should we allow all users on same server to see? or just specific user??
|
2024-04-24 04:08:07 +02:00
|
|
|
Identity::Local(uid) => base_cond
|
|
|
|
|
.add(model::addressing::Column::Actor.eq(uid))
|
|
|
|
|
.add(model::activity::Column::Actor.eq(uid))
|
|
|
|
|
.add(model::object::Column::AttributedTo.eq(uid)),
|
2024-04-12 19:36:00 +02:00
|
|
|
}
|
|
|
|
|
}
|
2024-04-18 03:06:40 +02:00
|
|
|
|
|
|
|
|
pub fn is_anon(&self) -> bool {
|
2024-04-18 03:41:27 +02:00
|
|
|
matches!(self, Self::Anonymous)
|
2024-04-18 03:06:40 +02:00
|
|
|
}
|
|
|
|
|
|
2024-04-18 04:48:49 +02:00
|
|
|
pub fn is_local(&self) -> bool {
|
|
|
|
|
matches!(self, Self::Local(_))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn is_remote(&self) -> bool {
|
|
|
|
|
matches!(self, Self::Remote(_))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn is_local_user(&self, uid: &str) -> bool {
|
2024-04-18 03:06:40 +02:00
|
|
|
match self {
|
|
|
|
|
Self::Local(x) => x == uid,
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-18 04:48:49 +02:00
|
|
|
pub fn is_remote_server(&self, uid: &str) -> bool {
|
2024-04-18 03:06:40 +02:00
|
|
|
match self {
|
|
|
|
|
Self::Remote(x) => x == uid,
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-04-12 19:36:00 +02:00
|
|
|
}
|
|
|
|
|
|
2024-03-25 01:58:30 +01:00
|
|
|
pub struct AuthIdentity(pub Identity);
|
|
|
|
|
|
|
|
|
|
#[axum::async_trait]
|
|
|
|
|
impl<S> FromRequestParts<S> for AuthIdentity
|
|
|
|
|
where
|
|
|
|
|
Context: FromRef<S>,
|
|
|
|
|
S: Send + Sync,
|
|
|
|
|
{
|
2024-04-13 01:49:23 +02:00
|
|
|
type Rejection = UpubError;
|
2024-03-25 01:58:30 +01:00
|
|
|
|
|
|
|
|
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
|
|
|
|
|
let ctx = Context::from_ref(state);
|
|
|
|
|
let mut identity = Identity::Anonymous;
|
|
|
|
|
|
|
|
|
|
let auth_header = parts
|
|
|
|
|
.headers
|
|
|
|
|
.get(header::AUTHORIZATION)
|
|
|
|
|
.map(|v| v.to_str().unwrap_or(""))
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
|
|
|
|
if auth_header.starts_with("Bearer ") {
|
|
|
|
|
match model::session::Entity::find_by_id(auth_header.replace("Bearer ", ""))
|
2024-04-19 03:28:39 +02:00
|
|
|
.filter(model::session::Column::Expires.gt(chrono::Utc::now()))
|
2024-03-25 01:58:30 +01:00
|
|
|
.one(ctx.db())
|
|
|
|
|
.await
|
|
|
|
|
{
|
2024-03-25 05:12:49 +01:00
|
|
|
Ok(Some(x)) => identity = Identity::Local(x.actor),
|
2024-04-13 01:49:23 +02:00
|
|
|
Ok(None) => return Err(UpubError::unauthorized()),
|
2024-03-25 01:58:30 +01:00
|
|
|
Err(e) => {
|
|
|
|
|
tracing::error!("failed querying user session: {e}");
|
2024-04-13 01:49:23 +02:00
|
|
|
return Err(UpubError::internal_server_error())
|
2024-03-25 01:58:30 +01:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-13 01:49:23 +02:00
|
|
|
if let Some(sig) = parts
|
|
|
|
|
.headers
|
|
|
|
|
.get("Signature")
|
|
|
|
|
.map(|v| v.to_str().unwrap_or(""))
|
|
|
|
|
{
|
2024-04-13 21:22:19 +02:00
|
|
|
let mut http_signature = HttpSignature::parse(sig);
|
2024-04-13 05:26:50 +02:00
|
|
|
|
2024-04-13 21:22:19 +02:00
|
|
|
// TODO assert payload's digest is equal to signature's
|
2024-04-16 19:19:49 +02:00
|
|
|
let user_id = http_signature.key_id
|
|
|
|
|
.split('#')
|
|
|
|
|
.next().ok_or(UpubError::bad_request())?
|
|
|
|
|
.to_string();
|
2024-04-13 21:22:19 +02:00
|
|
|
|
2024-04-18 05:25:56 +02:00
|
|
|
match ctx.fetch_user(&user_id).await {
|
2024-04-13 21:22:19 +02:00
|
|
|
Ok(user) => match http_signature
|
|
|
|
|
.build_from_parts(parts)
|
|
|
|
|
.verify(&user.public_key)
|
|
|
|
|
{
|
2024-04-13 05:26:50 +02:00
|
|
|
Ok(true) => identity = Identity::Remote(Context::server(&user_id)),
|
2024-04-23 05:19:24 +02:00
|
|
|
Ok(false) => tracing::warn!("invalid signature: {http_signature:?}"),
|
2024-04-13 05:26:50 +02:00
|
|
|
Err(e) => tracing::error!("error verifying signature: {e}"),
|
2024-04-13 21:22:19 +02:00
|
|
|
},
|
2024-04-14 16:05:44 +02:00
|
|
|
Err(e) => {
|
|
|
|
|
// since most activities are deletions for users we never saw, let's handle this case
|
|
|
|
|
// if while fetching we receive a GONE, it means we didn't have this user and it doesn't
|
|
|
|
|
// exist anymore, so it must be a deletion we can ignore
|
|
|
|
|
if let UpubError::Reqwest(ref x) = e {
|
|
|
|
|
if let Some(StatusCode::GONE) = x.status() {
|
|
|
|
|
return Err(UpubError::not_modified());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
tracing::warn!("could not fetch user (won't verify): {e}");
|
|
|
|
|
}
|
2024-04-13 03:31:37 +02:00
|
|
|
}
|
2024-04-13 01:49:23 +02:00
|
|
|
}
|
2024-03-25 05:12:49 +01:00
|
|
|
|
2024-03-25 01:58:30 +01:00
|
|
|
Ok(AuthIdentity(identity))
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-03-25 21:19:25 +01:00
|
|
|
|
2024-04-13 05:26:50 +02:00
|
|
|
|
|
|
|
|
#[derive(Debug, Clone, Default)]
|
2024-03-25 21:19:25 +01:00
|
|
|
pub struct HttpSignature {
|
2024-04-13 21:22:19 +02:00
|
|
|
pub key_id: String,
|
|
|
|
|
pub algorithm: String,
|
|
|
|
|
pub headers: Vec<String>,
|
|
|
|
|
pub signature: String,
|
|
|
|
|
pub control: String,
|
2024-03-25 21:19:25 +01:00
|
|
|
}
|
|
|
|
|
|
2024-03-26 00:49:27 +01:00
|
|
|
impl HttpSignature {
|
2024-04-13 21:22:19 +02:00
|
|
|
pub fn new(key_id: String, algorithm: String, headers: &[&str]) -> Self {
|
|
|
|
|
HttpSignature {
|
|
|
|
|
key_id, algorithm,
|
|
|
|
|
headers: headers.iter().map(|x| x.to_string()).collect(),
|
|
|
|
|
signature: String::new(),
|
|
|
|
|
control: String::new(),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-13 05:26:50 +02:00
|
|
|
pub fn parse(header: &str) -> Self {
|
|
|
|
|
let mut sig = HttpSignature::default();
|
|
|
|
|
header.split(',')
|
|
|
|
|
.filter_map(|x| x.split_once('='))
|
|
|
|
|
.map(|(k, v)| (k, v.trim_end_matches('"').trim_matches('"')))
|
|
|
|
|
.for_each(|(k, v)| match k {
|
|
|
|
|
"keyId" => sig.key_id = v.to_string(),
|
|
|
|
|
"algorithm" => sig.algorithm = v.to_string(),
|
|
|
|
|
"signature" => sig.signature = v.to_string(),
|
|
|
|
|
"headers" => sig.headers = v.split(' ').map(|x| x.to_string()).collect(),
|
|
|
|
|
_ => tracing::warn!("unexpected field in http signature: '{k}=\"{v}\"'"),
|
|
|
|
|
});
|
|
|
|
|
sig
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-13 21:22:19 +02:00
|
|
|
pub fn header(&self) -> String {
|
|
|
|
|
format!(
|
|
|
|
|
"keyId=\"{}\",algorithm=\"{}\",headers=\"{}\",signature=\"{}\"",
|
|
|
|
|
self.key_id, self.algorithm, self.headers.join(" "), self.signature,
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn build_manually(&mut self, method: &str, target: &str, mut headers: BTreeMap<String, String>) -> &mut Self {
|
|
|
|
|
let mut out = Vec::new();
|
|
|
|
|
for header in &self.headers {
|
2024-04-13 21:35:53 +02:00
|
|
|
match header.as_str() {
|
|
|
|
|
"(request-target)" => out.push(format!("(request-target): {method} {target}")),
|
|
|
|
|
// TODO other pseudo-headers
|
|
|
|
|
_ => out.push(
|
|
|
|
|
format!("{header}: {}", headers.remove(header).unwrap_or_default())
|
|
|
|
|
),
|
|
|
|
|
}
|
2024-04-13 21:22:19 +02:00
|
|
|
}
|
|
|
|
|
self.control = out.join("\n");
|
|
|
|
|
self
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn build_from_parts(&mut self, parts: &Parts) -> &mut Self {
|
2024-04-13 05:26:50 +02:00
|
|
|
let mut out = Vec::new();
|
|
|
|
|
for header in self.headers.iter() {
|
|
|
|
|
match header.as_str() {
|
|
|
|
|
"(request-target)" => out.push(
|
2024-04-13 05:36:29 +02:00
|
|
|
format!(
|
|
|
|
|
"(request-target): {} {}",
|
|
|
|
|
parts.method.to_string().to_lowercase(),
|
|
|
|
|
parts.uri.path_and_query().map(|x| x.as_str()).unwrap_or("/")
|
|
|
|
|
)
|
2024-04-13 05:26:50 +02:00
|
|
|
),
|
|
|
|
|
// TODO other pseudo-headers,
|
|
|
|
|
_ => out.push(format!("{}: {}",
|
|
|
|
|
header.to_lowercase(),
|
|
|
|
|
parts.headers.get(header).map(|x| x.to_str().unwrap_or("")).unwrap_or("")
|
|
|
|
|
)),
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-04-13 21:22:19 +02:00
|
|
|
self.control = out.join("\n");
|
|
|
|
|
self
|
2024-04-13 05:26:50 +02:00
|
|
|
}
|
|
|
|
|
|
2024-04-13 21:22:19 +02:00
|
|
|
pub fn verify(&self, key: &str) -> crate::Result<bool> {
|
|
|
|
|
let pubkey = PKey::public_key_from_pem(key.as_bytes())?;
|
|
|
|
|
let mut verifier = Verifier::new(MessageDigest::sha256(), &pubkey)?;
|
|
|
|
|
let signature = base64::prelude::BASE64_STANDARD.decode(&self.signature)?;
|
|
|
|
|
Ok(verifier.verify_oneshot(&signature, self.control.as_bytes())?)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn sign(&mut self, key: &str) -> crate::Result<&str> {
|
|
|
|
|
let privkey = PKey::private_key_from_pem(key.as_bytes())?;
|
|
|
|
|
let mut signer = openssl::sign::Signer::new(MessageDigest::sha256(), &privkey)?;
|
|
|
|
|
signer.update(self.control.as_bytes())?;
|
|
|
|
|
self.signature = base64::prelude::BASE64_STANDARD.encode(signer.sign_to_vec()?);
|
|
|
|
|
Ok(&self.signature)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod test {
|
|
|
|
|
#[test]
|
|
|
|
|
fn http_signature_signs_and_verifies() {
|
|
|
|
|
let key = openssl::rsa::Rsa::generate(2048).unwrap();
|
|
|
|
|
let private_key = std::str::from_utf8(&key.private_key_to_pem().unwrap()).unwrap().to_string();
|
|
|
|
|
let public_key = std::str::from_utf8(&key.public_key_to_pem().unwrap()).unwrap().to_string();
|
|
|
|
|
let mut signer = super::HttpSignature {
|
|
|
|
|
key_id: "test".to_string(),
|
|
|
|
|
algorithm: "rsa-sha256".to_string(),
|
|
|
|
|
headers: vec![
|
|
|
|
|
"(request-target)".to_string(),
|
|
|
|
|
"host".to_string(),
|
|
|
|
|
"date".to_string(),
|
|
|
|
|
],
|
|
|
|
|
signature: String::new(),
|
|
|
|
|
control: String::new(),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
signer
|
|
|
|
|
.build_manually("get", "/actor/inbox", [("host".into(), "example.net".into()), ("date".into(), "Sat, 13 Apr 2024 13:36:23 GMT".into())].into())
|
|
|
|
|
.sign(&private_key)
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
let mut verifier = super::HttpSignature::parse(&signer.header());
|
|
|
|
|
verifier.build_manually("get", "/actor/inbox", [("host".into(), "example.net".into()), ("date".into(), "Sat, 13 Apr 2024 13:36:23 GMT".into())].into());
|
|
|
|
|
|
|
|
|
|
assert!(verifier.verify(&public_key).unwrap());
|
2024-03-26 00:49:27 +01:00
|
|
|
}
|
|
|
|
|
}
|
