2018-12-27 10:24:04 +00:00
|
|
|
|
# Portions of this file are derived from Pleroma:
|
|
|
|
|
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social>
|
|
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
# Upstream: https://git.pleroma.social/pleroma/pleroma/blob/develop/lib/pleroma/plugs/http_signature.ex
|
|
|
|
|
|
2020-01-26 20:36:50 +00:00
|
|
|
|
defmodule Mobilizon.Web.Plugs.HTTPSignatures do
|
2018-06-14 16:15:27 +00:00
|
|
|
|
@moduledoc """
|
|
|
|
|
Plug to check HTTP Signatures on every incoming request
|
|
|
|
|
"""
|
|
|
|
|
|
2021-09-24 14:46:42 +00:00
|
|
|
|
import Plug.Conn, only: [get_req_header: 2, put_req_header: 3, assign: 3]
|
2020-01-22 23:55:07 +00:00
|
|
|
|
|
2018-05-17 09:32:23 +00:00
|
|
|
|
require Logger
|
|
|
|
|
|
|
|
|
|
def init(options) do
|
|
|
|
|
options
|
|
|
|
|
end
|
|
|
|
|
|
2021-09-10 09:27:59 +00:00
|
|
|
|
@spec call(Plug.Conn.t(), any) :: Plug.Conn.t()
|
2018-05-17 09:32:23 +00:00
|
|
|
|
def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
|
|
|
|
|
conn
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def call(conn, _opts) do
|
2021-09-24 14:46:42 +00:00
|
|
|
|
signature = conn |> get_req_header("signature") |> List.first()
|
2019-12-03 10:29:51 +00:00
|
|
|
|
|
2021-09-24 14:46:42 +00:00
|
|
|
|
if is_nil(signature) do
|
|
|
|
|
Logger.debug("No signature header!")
|
|
|
|
|
conn
|
|
|
|
|
else
|
|
|
|
|
# set (request-target) header to the appropriate value
|
|
|
|
|
# we also replace the digest header with the one we computed
|
|
|
|
|
conn =
|
|
|
|
|
conn
|
|
|
|
|
|> put_req_header(
|
|
|
|
|
"(request-target)",
|
|
|
|
|
String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
|
|
|
|
)
|
2021-11-16 14:47:53 +00:00
|
|
|
|
|> maybe_put_digest_header()
|
2018-11-12 17:17:53 +00:00
|
|
|
|
|
2021-11-17 15:01:39 +00:00
|
|
|
|
signature_valid =
|
|
|
|
|
try do
|
|
|
|
|
HTTPSignatures.validate_conn(conn)
|
|
|
|
|
rescue
|
|
|
|
|
# Because if the actor is not found in
|
|
|
|
|
# Mobilizon.Federation.HTTPSignatures.Signature.get_public_key_for_url/1
|
|
|
|
|
# we return an empty string as key,
|
|
|
|
|
# to give an extra-chance of fetching new actor keys
|
|
|
|
|
# and :public_key.verify doesn't like this
|
|
|
|
|
ArgumentError -> false
|
|
|
|
|
end
|
|
|
|
|
|
2021-09-24 14:46:42 +00:00
|
|
|
|
Logger.debug("Is signature valid ? #{inspect(signature_valid)}")
|
|
|
|
|
date_valid = date_valid?(conn)
|
2021-11-13 17:45:01 +00:00
|
|
|
|
Logger.debug("Is date valid ? #{inspect(date_valid)}")
|
2021-09-24 14:46:42 +00:00
|
|
|
|
assign(conn, :valid_signature, signature_valid && date_valid)
|
2018-05-17 09:32:23 +00:00
|
|
|
|
end
|
|
|
|
|
end
|
2020-02-14 08:22:17 +00:00
|
|
|
|
|
2021-11-16 14:47:53 +00:00
|
|
|
|
defp maybe_put_digest_header(%Plug.Conn{assigns: %{digest: digest}} = conn),
|
|
|
|
|
do: put_req_header(conn, "digest", digest)
|
|
|
|
|
|
|
|
|
|
defp maybe_put_digest_header(%Plug.Conn{} = conn), do: conn
|
|
|
|
|
|
2020-02-14 08:22:17 +00:00
|
|
|
|
@spec date_valid?(Plug.Conn.t()) :: boolean()
|
|
|
|
|
defp date_valid?(conn) do
|
2021-09-24 14:46:42 +00:00
|
|
|
|
date = conn |> get_req_header("date") |> List.first()
|
|
|
|
|
|
|
|
|
|
if is_nil(date) do
|
|
|
|
|
false
|
2020-02-14 08:22:17 +00:00
|
|
|
|
else
|
2021-09-24 14:46:42 +00:00
|
|
|
|
case Timex.parse(date, "{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT") do
|
|
|
|
|
{:ok, %NaiveDateTime{} = date} ->
|
|
|
|
|
date
|
|
|
|
|
|> DateTime.from_naive!("Etc/UTC")
|
|
|
|
|
|> date_diff_ok?()
|
|
|
|
|
|
|
|
|
|
{:ok, %DateTime{} = date} ->
|
|
|
|
|
date_diff_ok?(date)
|
|
|
|
|
|
|
|
|
|
{:error, _err} ->
|
|
|
|
|
false
|
|
|
|
|
end
|
2020-02-14 08:22:17 +00:00
|
|
|
|
end
|
|
|
|
|
end
|
2021-09-24 14:46:42 +00:00
|
|
|
|
|
|
|
|
|
@spec date_diff_ok?(DateTime.t()) :: boolean()
|
|
|
|
|
defp date_diff_ok?(%DateTime{} = date) do
|
|
|
|
|
DateTime.diff(date, DateTime.utc_now()) <= 12 * 3600 &&
|
|
|
|
|
DateTime.diff(date, DateTime.utc_now()) >= -12 * 3600
|
|
|
|
|
end
|
2018-05-17 09:32:23 +00:00
|
|
|
|
end
|