abunchtell
/
mastodon
1
0
Fork 0
Code Issues 0 Activity
The code powering m.abunchtell.com https://m.abunchtell.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6665 Commits
1 Branch
94 MiB
 
 
 
 
Tree: 7cfc852a59
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7cfc852a59'
${ noResults }
mastodon/app/controllers/concerns/signature_verification.rb

152 lines
4.8 KiB
Raw Blame History 

  1. # frozen_string_literal: true

  2. 

  3. # Implemented according to HTTP signatures (Draft 6)

  4. # <https://tools.ietf.org/html/draft-cavage-http-signatures-06>

  5. module SignatureVerification

  6.   extend ActiveSupport::Concern

  7. 

  8.   def signed_request?

  9.     request.headers['Signature'].present?

  10.   end

  11. 

  12.   def signature_verification_failure_reason

  13.     return @signature_verification_failure_reason if defined?(@signature_verification_failure_reason)

  14.   end

  15. 

  16.   def signed_request_account

  17.     return @signed_request_account if defined?(@signed_request_account)

  18. 

  19.     unless signed_request?

  20.       @signature_verification_failure_reason = 'Request not signed'

  21.       @signed_request_account = nil

  22.       return

  23.     end

  24. 

  25.     if request.headers['Date'].present? && !matches_time_window?

  26.       @signature_verification_failure_reason = 'Signed request date outside acceptable time window'

  27.       @signed_request_account = nil

  28.       return

  29.     end

  30. 

  31.     raw_signature    = request.headers['Signature']

  32.     signature_params = {}

  33. 

  34.     raw_signature.split(',').each do |part|

  35.       parsed_parts = part.match(/([a-z]+)="([^"]+)"/i)

  36.       next if parsed_parts.nil? || parsed_parts.size != 3

  37.       signature_params[parsed_parts[1]] = parsed_parts[2]

  38.     end

  39. 

  40.     if incompatible_signature?(signature_params)

  41.       @signature_verification_failure_reason = 'Incompatible request signature'

  42.       @signed_request_account = nil

  43.       return

  44.     end

  45. 

  46.     account_stoplight = Stoplight("source:#{request.ip}") { account_from_key_id(signature_params['keyId']) }

  47.       .with_fallback { nil }

  48.       .with_threshold(1)

  49.       .with_cool_off_time(5.minutes.seconds)

  50.       .with_error_handler { |error, handle| error.is_a?(HTTP::Error) ? handle.call(error) : raise(error) }

  51. 

  52.     account = account_stoplight.run

  53. 

  54.     if account.nil?

  55.       @signature_verification_failure_reason = "Public key not found for key #{signature_params['keyId']}"

  56.       @signed_request_account = nil

  57.       return

  58.     end

  59. 

  60.     signature             = Base64.decode64(signature_params['signature'])

  61.     compare_signed_string = build_signed_string(signature_params['headers'])

  62. 

  63.     return account unless verify_signature(account, signature, compare_signed_string).nil?

  64. 

  65.     account_stoplight = Stoplight("source:#{request.ip}") { account.possibly_stale? ? account.refresh! : account_refresh_key(account) }

  66.       .with_fallback { nil }

  67.       .with_threshold(1)

  68.       .with_cool_off_time(5.minutes.seconds)

  69.       .with_error_handler { |error, handle| error.is_a?(HTTP::Error) ? handle.call(error) : raise(error) }

  70. 

  71.     account = account_stoplight.run

  72. 

  73.     if account.nil?

  74.       @signature_verification_failure_reason = "Public key not found for key #{signature_params['keyId']}"

  75.       @signed_request_account = nil

  76.       return

  77.     end

  78. 

  79.     return account unless verify_signature(account, signature, compare_signed_string).nil?

  80. 

  81.     @signature_verification_failure_reason = "Verification failed for #{account.username}@#{account.domain} #{account.uri}"

  82.     @signed_request_account = nil

  83.   end

  84. 

  85.   def request_body

  86.     @request_body ||= request.raw_post

  87.   end

  88. 

  89.   private

  90. 

  91.   def verify_signature(account, signature, compare_signed_string)

  92.     if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string)

  93.       @signed_request_account = account

  94.       @signed_request_account

  95.     end

  96.   rescue OpenSSL::PKey::RSAError

  97.     nil

  98.   end

  99. 

  100.   def build_signed_string(signed_headers)

  101.     signed_headers = 'date' if signed_headers.blank?

  102. 

  103.     signed_headers.downcase.split(' ').map do |signed_header|

  104.       if signed_header == Request::REQUEST_TARGET

  105.         "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"

  106.       elsif signed_header == 'digest'

  107.         "digest: #{body_digest}"

  108.       else

  109.         "#{signed_header}: #{request.headers[to_header_name(signed_header)]}"

  110.       end

  111.     end.join("\n")

  112.   end

  113. 

  114.   def matches_time_window?

  115.     begin

  116.       time_sent = Time.httpdate(request.headers['Date'])

  117.     rescue ArgumentError

  118.       return false

  119.     end

  120. 

  121.     (Time.now.utc - time_sent).abs <= 12.hours

  122.   end

  123. 

  124.   def body_digest

  125.     "SHA-256=#{Digest::SHA256.base64digest(request_body)}"

  126.   end

  127. 

  128.   def to_header_name(name)

  129.     name.split(/-/).map(&:capitalize).join('-')

  130.   end

  131. 

  132.   def incompatible_signature?(signature_params)

  133.     signature_params['keyId'].blank? ||

  134.       signature_params['signature'].blank?

  135.   end

  136. 

  137.   def account_from_key_id(key_id)

  138.     if key_id.start_with?('acct:')

  139.       ResolveAccountService.new.call(key_id.gsub(/\Aacct:/, ''))

  140.     elsif !ActivityPub::TagManager.instance.local_uri?(key_id)

  141.       account   = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account)

  142.       account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false)

  143.       account

  144.     end

  145.   end

  146. 

  147.   def account_refresh_key(account)

  148.     return if account.local? || !account.activitypub?

  149.     ActivityPub::FetchRemoteAccountService.new.call(account.uri, only_key: true)

  150.   end

  151. end