| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  | # frozen_string_literal: true | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # Implemented according to HTTP signatures (Draft 6) | 
					
						
							|  |  |  | # <https://tools.ietf.org/html/draft-cavage-http-signatures-06> | 
					
						
							|  |  |  | module SignatureVerification | 
					
						
							|  |  |  |   extend ActiveSupport::Concern | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   def signed_request? | 
					
						
							|  |  |  |     request.headers['Signature'].present? | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-10-03 23:21:19 +02:00
										 |  |  |   def signature_verification_failure_reason | 
					
						
							|  |  |  |     return @signature_verification_failure_reason if defined?(@signature_verification_failure_reason) | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |   def signed_request_account | 
					
						
							|  |  |  |     return @signed_request_account if defined?(@signed_request_account) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     unless signed_request? | 
					
						
							| 
									
										
										
										
											2017-10-03 23:21:19 +02:00
										 |  |  |       @signature_verification_failure_reason = 'Request not signed' | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       @signed_request_account = nil | 
					
						
							|  |  |  |       return | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-12 00:15:55 +02:00
										 |  |  |     if request.headers['Date'].present? && !matches_time_window? | 
					
						
							|  |  |  |       @signature_verification_failure_reason = 'Signed request date outside acceptable time window' | 
					
						
							|  |  |  |       @signed_request_account = nil | 
					
						
							|  |  |  |       return | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |     raw_signature    = request.headers['Signature'] | 
					
						
							|  |  |  |     signature_params = {} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     raw_signature.split(',').each do |part| | 
					
						
							|  |  |  |       parsed_parts = part.match(/([a-z]+)="([^"]+)"/i) | 
					
						
							|  |  |  |       next if parsed_parts.nil? || parsed_parts.size != 3
 | 
					
						
							|  |  |  |       signature_params[parsed_parts[1]] = parsed_parts[2] | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if incompatible_signature?(signature_params) | 
					
						
							| 
									
										
										
										
											2017-10-03 23:21:19 +02:00
										 |  |  |       @signature_verification_failure_reason = 'Incompatible request signature' | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       @signed_request_account = nil | 
					
						
							|  |  |  |       return | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |     account = account_from_key_id(signature_params['keyId']) | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |     if account.nil? | 
					
						
							| 
									
										
										
										
											2017-10-03 23:21:19 +02:00
										 |  |  |       @signature_verification_failure_reason = "Public key not found for key #{signature_params['keyId']}" | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       @signed_request_account = nil | 
					
						
							|  |  |  |       return | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     signature             = Base64.decode64(signature_params['signature']) | 
					
						
							|  |  |  |     compare_signed_string = build_signed_string(signature_params['headers']) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string) | 
					
						
							|  |  |  |       @signed_request_account = account | 
					
						
							|  |  |  |       @signed_request_account | 
					
						
							| 
									
										
										
										
											2017-09-28 17:50:14 +02:00
										 |  |  |     elsif account.possibly_stale? | 
					
						
							|  |  |  |       account = account.refresh! | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       if account.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, signature, compare_signed_string) | 
					
						
							|  |  |  |         @signed_request_account = account | 
					
						
							|  |  |  |         @signed_request_account | 
					
						
							|  |  |  |       else | 
					
						
							| 
									
										
										
										
											2018-06-30 04:11:38 -07:00
										 |  |  |         @signature_verification_failure_reason = "Verification failed for #{account.username}@#{account.domain} #{account.uri}" | 
					
						
							| 
									
										
										
										
											2017-09-28 17:50:14 +02:00
										 |  |  |         @signed_request_account = nil | 
					
						
							|  |  |  |       end | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |     else | 
					
						
							| 
									
										
										
										
											2018-06-30 04:11:38 -07:00
										 |  |  |       @signature_verification_failure_reason = "Verification failed for #{account.username}@#{account.domain} #{account.uri}" | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       @signed_request_account = nil | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |   def request_body | 
					
						
							|  |  |  |     @request_body ||= request.raw_post | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |   private | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   def build_signed_string(signed_headers) | 
					
						
							|  |  |  |     signed_headers = 'date' if signed_headers.blank? | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-12 00:15:55 +02:00
										 |  |  |     signed_headers.downcase.split(' ').map do |signed_header| | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       if signed_header == Request::REQUEST_TARGET | 
					
						
							|  |  |  |         "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}" | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |       elsif signed_header == 'digest' | 
					
						
							|  |  |  |         "digest: #{body_digest}" | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |       else | 
					
						
							|  |  |  |         "#{signed_header}: #{request.headers[to_header_name(signed_header)]}" | 
					
						
							|  |  |  |       end | 
					
						
							|  |  |  |     end.join("\n") | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-12 00:15:55 +02:00
										 |  |  |   def matches_time_window? | 
					
						
							|  |  |  |     begin | 
					
						
							|  |  |  |       time_sent = Time.httpdate(request.headers['Date']) | 
					
						
							|  |  |  |     rescue ArgumentError | 
					
						
							|  |  |  |       return false | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     (Time.now.utc - time_sent).abs <= 12.hours | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |   def body_digest | 
					
						
							|  |  |  |     "SHA-256=#{Digest::SHA256.base64digest(request_body)}" | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |   def to_header_name(name) | 
					
						
							|  |  |  |     name.split(/-/).map(&:capitalize).join('-') | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   def incompatible_signature?(signature_params) | 
					
						
							|  |  |  |     signature_params['keyId'].blank? || | 
					
						
							| 
									
										
										
										
											2018-05-17 04:03:28 +02:00
										 |  |  |       signature_params['signature'].blank? | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |   end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   def account_from_key_id(key_id) | 
					
						
							|  |  |  |     if key_id.start_with?('acct:') | 
					
						
							| 
									
										
										
										
											2018-01-22 22:25:09 +09:00
										 |  |  |       ResolveAccountService.new.call(key_id.gsub(/\Aacct:/, '')) | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |     elsif !ActivityPub::TagManager.instance.local_uri?(key_id) | 
					
						
							| 
									
										
										
										
											2017-08-21 22:57:34 +02:00
										 |  |  |       account   = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account) | 
					
						
							| 
									
										
										
										
											2017-10-04 08:13:48 +09:00
										 |  |  |       account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false) | 
					
						
							| 
									
										
										
										
											2017-08-21 22:57:34 +02:00
										 |  |  |       account | 
					
						
							| 
									
										
										
										
											2017-08-09 23:54:14 +02:00
										 |  |  |     end | 
					
						
							| 
									
										
										
										
											2017-07-14 20:41:49 +02:00
										 |  |  |   end | 
					
						
							|  |  |  | end |