From 39deede935fbadfbd6b68518249e04fb77306f23 Mon Sep 17 00:00:00 2001 From: Trinity Pointard Date: Tue, 4 Dec 2018 00:07:39 +0100 Subject: [PATCH] Verify signature date Fix #286 Remove indexed from post_id search field as it was added by mistake --- plume-common/src/activity_pub/sign.rs | 46 +++++++++++++++++++++++---- plume-models/src/search/searcher.rs | 4 +-- 2 files changed, 42 insertions(+), 8 deletions(-) diff --git a/plume-common/src/activity_pub/sign.rs b/plume-common/src/activity_pub/sign.rs index 6c8835ee..635ca357 100644 --- a/plume-common/src/activity_pub/sign.rs +++ b/plume-common/src/activity_pub/sign.rs @@ -1,6 +1,7 @@ use super::request; use base64; -use chrono::Utc; +use chrono::{DateTime, Duration, + naive::NaiveDateTime, Utc}; use hex; use openssl::{pkey::PKey, rsa::Rsa, sha::sha256}; use rocket::http::HeaderMap; @@ -86,10 +87,24 @@ impl Signable for serde_json::Value { let creation_date = &signature_obj["created"]; let options_hash = Self::hash( &json!({ - "@context": "https://w3id.org/identity/v1", - "created": creation_date - }).to_string(), + "@context": "https://w3id.org/identity/v1", + "created": creation_date + }).to_string(), ); + let creation_date = creation_date.as_str(); + if creation_date.is_none() { + return false; + } + let creation_date = DateTime::parse_from_rfc3339(creation_date.unwrap()); + if creation_date.is_err() { + return false; + } + let diff = creation_date.unwrap().signed_duration_since(Utc::now()); + let future = Duration::hours(12); + let past = Duration::hours(-12); + if !(diff < future && diff > past) { + return false; + } let document_hash = Self::hash(&self.to_string()); let to_be_signed = options_hash + &document_hash; creator.verify(&to_be_signed, &signature) @@ -102,6 +117,7 @@ pub enum SignatureValidity { ValidNoDigest, Valid, Absent, + Outdated, } impl SignatureValidity { @@ -162,8 +178,26 @@ pub fn verify_http_headers( let digest = request::Digest::from_header(digest); if !digest.map(|d| d.verify(&data)).unwrap_or(false) { // signature was valid, but body content does not match its digest - SignatureValidity::Invalid + return SignatureValidity::Invalid; + } + if !headers.contains(&"date") { + return SignatureValidity::Valid; //maybe we shouldn't trust a request without date? + } + + let date = all_headers.get_one("date"); + if date.is_none() { + return SignatureValidity::Outdated; + } + let date = NaiveDateTime::parse_from_str(date.unwrap(), "%a, %d %h %Y %T GMT"); + if date.is_err() { + return SignatureValidity::Outdated; + } + let diff = Utc::now().naive_utc() - date.unwrap(); + let future = Duration::hours(12); + let past = Duration::hours(-12); + if diff < future && diff > past { + SignatureValidity::Valid } else { - SignatureValidity::Valid // all check passed + SignatureValidity::Outdated } } diff --git a/plume-models/src/search/searcher.rs b/plume-models/src/search/searcher.rs index 22bfa20d..06898e6f 100644 --- a/plume-models/src/search/searcher.rs +++ b/plume-models/src/search/searcher.rs @@ -47,11 +47,11 @@ impl Searcher { let mut schema_builder = SchemaBuilder::default(); - schema_builder.add_i64_field("post_id", INT_STORED | INT_INDEXED); + schema_builder.add_i64_field("post_id", INT_STORED ); schema_builder.add_i64_field("creation_date", INT_INDEXED); schema_builder.add_text_field("instance", tag_indexing.clone()); - schema_builder.add_text_field("author", tag_indexing.clone());//todo move to a user_indexing with user_tokenizer function + schema_builder.add_text_field("author", tag_indexing.clone()); schema_builder.add_text_field("tag", tag_indexing); schema_builder.add_text_field("blog", content_indexing.clone());