git.squeep.com Git - akkoma/blob - lib/pleroma/web/http_signatures/http_signatures.ex

   1 # https://tools.ietf.org/html/draft-cavage-http-signatures-08
   2 defmodule Pleroma.Web.HTTPSignatures do
   3   alias Pleroma.User
   4   alias Pleroma.Web.ActivityPub.ActivityPub
   5   require Logger
   6
   7   def split_signature(sig) do
   8     default = %{"headers" => "date"}
   9
  10     sig = sig
  11     |> String.trim()
  12     |> String.split(",")
  13     |> Enum.reduce(default, fn(part, acc) ->
  14       [key | rest] = String.split(part, "=")
  15       value = Enum.join(rest, "=")
  16       Map.put(acc, key, String.trim(value, "\""))
  17     end)
  18
  19     Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))
  20   end
  21
  22   def validate(headers, signature, public_key) do
  23     sigstring = build_signing_string(headers, signature["headers"])
  24     {:ok, sig} = Base.decode64(signature["signature"])
  25     :public_key.verify(sigstring, :sha256, sig, public_key)
  26   end
  27
  28   def validate_conn(conn) do
  29     # TODO: How to get the right key and see if it is actually valid for that request.
  30     # For now, fetch the key for the actor.
  31     with actor_id <- conn.params["actor"],
  32          {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
  33       if validate_conn(conn, public_key) do
  34         true
  35       else
  36         Logger.debug("Could not validate, re-fetching user and trying one more time.")
  37         # Fetch user anew and try one more time
  38         with actor_id <- conn.params["actor"],
  39              {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
  40              {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
  41           validate_conn(conn, public_key)
  42         end
  43       end
  44     else
  45       e ->
  46         Logger.debug("Could not public key!")
  47     end
  48   end
  49
  50   def validate_conn(conn, public_key) do
  51     headers = Enum.into(conn.req_headers, %{})
  52     signature = split_signature(headers["signature"])
  53     validate(headers, signature, public_key)
  54   end
  55
  56   def build_signing_string(headers, used_headers) do
  57     used_headers
  58     |> Enum.map(fn (header) -> "#{header}: #{headers[header]}" end)
  59     |> Enum.join("\n")
  60   end
  61
  62   def sign(user, headers) do
  63     with {:ok, %{info: %{"keys" => keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),
  64          {:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do
  65       sigstring = build_signing_string(headers, Map.keys(headers))
  66       signature = :public_key.sign(sigstring, :sha256, private_key)
  67       |> Base.encode64()
  68
  69       [
  70         keyId: user.ap_id <> "#main-key",
  71         algorithm: "rsa-sha256",
  72         headers: Map.keys(headers) |> Enum.join(" "),
  73         signature: signature
  74       ]
  75       |> Enum.map(fn({k, v}) -> "#{k}=\"#{v}\"" end)
  76       |> Enum.join(",")
  77     end
  78   end
  79 end