Add support for signature verification on pseudo header

Add support for pseudo-header '(request-target)'
Add some logging for denied request
This commit is contained in:
Trinity Pointard 2018-10-10 21:10:43 +02:00
parent 0d6a2af851
commit ba4695f490
3 changed files with 15 additions and 3 deletions

View File

@ -1,5 +1,5 @@
use rocket::request::{self, FromRequest, Request}; use rocket::request::{self, FromRequest, Request};
use rocket::{http::HeaderMap, Outcome}; use rocket::{http::{Header, HeaderMap}, Outcome};
pub struct Headers<'r>(pub HeaderMap<'r>); pub struct Headers<'r>(pub HeaderMap<'r>);
@ -12,6 +12,16 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers<'r> {
for header in request.headers().clone().into_iter() { for header in request.headers().clone().into_iter() {
headers.add(header); headers.add(header);
} }
let ori = request.uri();
let uri = if let Some(query) = ori.query() {
format!("{}?{}", ori.path(), query)
} else {
ori.path().to_owned()
};
headers.add(Header::new("(request-target)",
format!("{} {}",
request.method().as_str().to_lowercase(),
uri.to_lowercase())));
Outcome::Success(Headers(headers)) Outcome::Success(Headers(headers))
} }
} }

View File

@ -200,8 +200,9 @@ fn shared_inbox(conn: DbConn, data: String, headers: Headers) -> String {
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking")); .unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap(); let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0, data).is_secure() && if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
!act.clone().verify(&actor) { !act.clone().verify(&actor) {
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
return "invalid signature".to_owned(); return "invalid signature".to_owned();
} }

View File

@ -306,8 +306,9 @@ fn inbox(name: String, conn: DbConn, data: String, headers: Headers) -> String {
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking")); .unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap(); let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0, data).is_secure() && if !verify_http_headers(&actor, headers.0.clone(), data).is_secure() &&
!act.clone().verify(&actor) { !act.clone().verify(&actor) {
println!("Rejected invalid activity supposedly from {}, with headers {:?}", actor.username, headers.0);
return "invalid signature".to_owned(); return "invalid signature".to_owned();
} }