git.squeep.com Git - akkoma/blob - lib/pleroma/web/http_signatures/http_signatures.ex

   1 # https://tools.ietf.org/html/draft-cavage-http-signatures-08
   2 defmodule Pleroma.Web.HTTPSignatures do
   3   alias Pleroma.User
   4   alias Pleroma.Web.ActivityPub.ActivityPub
   5
   6   def split_signature(sig) do
   7     default = %{"headers" => "date"}
   8
   9     sig = sig
  10     |> String.trim()
  11     |> String.split(",")
  12     |> Enum.reduce(default, fn(part, acc) ->
  13       [key | rest] = String.split(part, "=")
  14       value = Enum.join(rest, "=")
  15       Map.put(acc, key, String.trim(value, "\""))
  16     end)
  17
  18     Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))
  19   end
  20
  21   def validate(headers, signature, public_key) do
  22     sigstring = build_signing_string(headers, signature["headers"])
  23     {:ok, sig} = Base.decode64(signature["signature"])
  24     :public_key.verify(sigstring, :sha256, sig, public_key)
  25   end
  26
  27   def validate_conn(conn) do
  28     # TODO: How to get the right key and see if it is actually valid for that request.
  29     # For now, fetch the key for the actor.
  30     with actor_id <- conn.params["actor"],
  31          {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
  32       if validate_conn(conn, public_key) do
  33         true
  34       else
  35         # Fetch user anew and try one more time
  36         with actor_id <- conn.params["actor"],
  37              {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
  38              {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
  39           validate_conn(conn, public_key)
  40         end
  41       end
  42     else
  43       _ -> false
  44     end
  45   end
  46
  47   def validate_conn(conn, public_key) do
  48     headers = Enum.into(conn.req_headers, %{})
  49     signature = split_signature(headers["signature"])
  50     validate(headers, signature, public_key)
  51   end
  52
  53   def build_signing_string(headers, used_headers) do
  54     used_headers
  55     |> Enum.map(fn (header) -> "#{header}: #{headers[header]}" end)
  56     |> Enum.join("\n")
  57   end
  58
  59   def sign(user, headers) do
  60     with {:ok, %{info: %{"keys" => keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),
  61          {:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do
  62       sigstring = build_signing_string(headers, Map.keys(headers))
  63       signature = :public_key.sign(sigstring, :sha256, private_key)
  64       |> Base.encode64()
  65
  66       [
  67         keyId: user.ap_id <> "#main-key",
  68         algorithm: "rsa-sha256",
  69         headers: Map.keys(headers) |> Enum.join(" "),
  70         signature: signature
  71       ]
  72       |> Enum.map(fn({k, v}) -> "#{k}=\"#{v}\"" end)
  73       |> Enum.join(",")
  74     end
  75   end
  76 end