Merge pull request #256 from Plume-org/verify-signature

Verify activity's signature
This commit is contained in:
Baptiste Gelez
2018-10-10 21:31:11 +01:00
committed by GitHub
9 changed files with 202 additions and 17 deletions
+12 -2
View File
@@ -4,15 +4,17 @@ use rocket_contrib::{Json, Template};
use serde_json;
use validator::{Validate};
use plume_common::activity_pub::sign::{Signable,
verify_http_headers};
use plume_models::{
admin::Admin,
comments::Comment,
db_conn::DbConn,
headers::Headers,
posts::Post,
users::User,
safe_string::SafeString,
instance::*
};
use inbox::Inbox;
use routes::Page;
@@ -194,12 +196,20 @@ fn ban(_admin: Admin, conn: DbConn, id: i32) -> Redirect {
}
#[post("/inbox", data = "<data>")]
fn shared_inbox(conn: DbConn, data: String) -> String {
fn shared_inbox(conn: DbConn, data: String, headers: Headers) -> String {
let act: serde_json::Value = serde_json::from_str(&data[..]).unwrap();
let activity = act.clone();
let actor_id = activity["actor"].as_str()
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
!act.clone().verify(&actor) {
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
return "invalid signature".to_owned();
}
if Instance::is_blocked(&*conn, actor_id.to_string()) {
return String::new();
}
+12 -2
View File
@@ -16,13 +16,15 @@ use workerpool::thunk::*;
use plume_common::activity_pub::{
ActivityStream, broadcast, Id, IntoId, ApRequest,
inbox::{FromActivity, Notify, Deletable}
inbox::{FromActivity, Notify, Deletable},
sign::{Signable, verify_http_headers}
};
use plume_common::utils;
use plume_models::{
blogs::Blog,
db_conn::DbConn,
follows,
headers::Headers,
instance::Instance,
posts::Post,
reshares::Reshare,
@@ -295,13 +297,21 @@ fn outbox(name: String, conn: DbConn) -> ActivityStream<OrderedCollection> {
}
#[post("/@/<name>/inbox", data = "<data>")]
fn inbox(name: String, conn: DbConn, data: String) -> String {
fn inbox(name: String, conn: DbConn, data: String, headers: Headers) -> String {
let user = User::find_local(&*conn, name).unwrap();
let act: serde_json::Value = serde_json::from_str(&data[..]).unwrap();
let activity = act.clone();
let actor_id = activity["actor"].as_str()
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
!act.clone().verify(&actor) {
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
return "invalid signature".to_owned();
}
if Instance::is_blocked(&*conn, actor_id.to_string()) {
return String::new();
}