You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

128 lines
4.0 KiB

  1. # frozen_string_literal: true
  2. # Implemented according to HTTP signatures (Draft 6)
  3. # <https://tools.ietf.org/html/draft-cavage-http-signatures-06>
  4. module SignatureVerification
  5. extend ActiveSupport::Concern
  6. def signed_request?
  7. request.headers['Signature'].present?
  8. end
  9. def signature_verification_failure_reason
  10. return @signature_verification_failure_reason if defined?(@signature_verification_failure_reason)
  11. end
  12. def signed_request_account
  13. return @signed_request_account if defined?(@signed_request_account)
  14. unless signed_request?
  15. @signature_verification_failure_reason = 'Request not signed'
  16. @signed_request_account = nil
  17. return
  18. end
  19. if request.headers['Date'].present? && !matches_time_window?
  20. @signature_verification_failure_reason = 'Signed request date outside acceptable time window'
  21. @signed_request_account = nil
  22. return
  23. end
  24. raw_signature = request.headers['Signature']
  25. signature_params = {}
  26. raw_signature.split(',').each do |part|
  27. parsed_parts = part.match(/([a-z]+)="([^"]+)"/i)
  28. next if parsed_parts.nil? || parsed_parts.size != 3
  29. signature_params[parsed_parts[1]] = parsed_parts[2]
  30. end
  31. if incompatible_signature?(signature_params)
  32. @signature_verification_failure_reason = 'Incompatible request signature'
  33. @signed_request_account = nil
  34. return
  35. end
  36. account = account_from_key_id(signature_params['keyId'])
  37. if account.nil?
  38. @signature_verification_failure_reason = "Public key not found for key #{signature_params['keyId']}"
  39. @signed_request_account = nil
  40. return
  41. end
  42. signature = Base64.decode64(signature_params['signature'])
  43. compare_signed_string = build_signed_string(signature_params['headers'])
  44. if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string)
  45. @signed_request_account = account
  46. @signed_request_account
  47. elsif account.possibly_stale?
  48. account = account.refresh!
  49. if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string)
  50. @signed_request_account = account
  51. @signed_request_account
  52. else
  53. @signature_verification_failure_reason = "Verification failed for #{account.username}@#{account.domain} #{account.uri}"
  54. @signed_request_account = nil
  55. end
  56. else
  57. @signature_verification_failure_reason = "Verification failed for #{account.username}@#{account.domain} #{account.uri}"
  58. @signed_request_account = nil
  59. end
  60. end
  61. def request_body
  62. @request_body ||= request.raw_post
  63. end
  64. private
  65. def build_signed_string(signed_headers)
  66. signed_headers = 'date' if signed_headers.blank?
  67. signed_headers.downcase.split(' ').map do |signed_header|
  68. if signed_header == Request::REQUEST_TARGET
  69. "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
  70. elsif signed_header == 'digest'
  71. "digest: #{body_digest}"
  72. else
  73. "#{signed_header}: #{request.headers[to_header_name(signed_header)]}"
  74. end
  75. end.join("\n")
  76. end
  77. def matches_time_window?
  78. begin
  79. time_sent = Time.httpdate(request.headers['Date'])
  80. rescue ArgumentError
  81. return false
  82. end
  83. (Time.now.utc - time_sent).abs <= 12.hours
  84. end
  85. def body_digest
  86. "SHA-256=#{Digest::SHA256.base64digest(request_body)}"
  87. end
  88. def to_header_name(name)
  89. name.split(/-/).map(&:capitalize).join('-')
  90. end
  91. def incompatible_signature?(signature_params)
  92. signature_params['keyId'].blank? ||
  93. signature_params['signature'].blank?
  94. end
  95. def account_from_key_id(key_id)
  96. if key_id.start_with?('acct:')
  97. ResolveAccountService.new.call(key_id.gsub(/\Aacct:/, ''))
  98. elsif !ActivityPub::TagManager.instance.local_uri?(key_id)
  99. account = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account)
  100. account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false)
  101. account
  102. end
  103. end
  104. end