Add error type for AP authentication errors
This commit is contained in:
silverpill
parent
b345cb4a77
commit
077d942573
3 changed files with 37 additions and 27 deletions
|
|
@ -2,10 +2,11 @@ use actix_web::HttpRequest;
|
|||
use tokio_postgres::GenericClient;
|
||||
|
||||
use crate::config::Config;
|
||||
use crate::errors::DatabaseError;
|
||||
use crate::http_signatures::verify::{
|
||||
parse_http_signature,
|
||||
verify_http_signature,
|
||||
VerificationError,
|
||||
HttpSignatureVerificationError as HttpSignatureError,
|
||||
};
|
||||
use crate::models::profiles::queries::get_profile_by_remote_actor_id;
|
||||
use crate::models::profiles::types::DbActorProfile;
|
||||
|
|
@ -13,7 +14,28 @@ use crate::utils::crypto::deserialize_public_key;
|
|||
use super::fetcher::helpers::get_or_import_profile_by_actor_id;
|
||||
use super::receiver::HandlerError;
|
||||
|
||||
fn key_id_to_actor_id(key_id: &str) -> Result<String, VerificationError> {
|
||||
#[derive(thiserror::Error, Debug)]
|
||||
pub enum AuthenticationError {
|
||||
#[error(transparent)]
|
||||
HttpSignatureError(#[from] HttpSignatureError),
|
||||
|
||||
#[error("invalid key ID")]
|
||||
InvalidKeyId(#[from] url::ParseError),
|
||||
|
||||
#[error("database error")]
|
||||
DatabaseError(#[from] DatabaseError),
|
||||
|
||||
#[error("{0}")]
|
||||
ActorError(String),
|
||||
|
||||
#[error("invalid public key")]
|
||||
InvalidPublicKey(#[from] rsa::pkcs8::Error),
|
||||
|
||||
#[error("actor and request signer do not match")]
|
||||
InvalidSigner,
|
||||
}
|
||||
|
||||
fn key_id_to_actor_id(key_id: &str) -> Result<String, AuthenticationError> {
|
||||
let key_url = url::Url::parse(key_id)?;
|
||||
// Strip #main-key (works with most AP servers)
|
||||
let actor_id = &key_url[..url::Position::BeforeQuery];
|
||||
|
|
@ -28,7 +50,7 @@ pub async fn verify_signed_request(
|
|||
db_client: &impl GenericClient,
|
||||
request: &HttpRequest,
|
||||
no_fetch: bool,
|
||||
) -> Result<DbActorProfile, VerificationError> {
|
||||
) -> Result<DbActorProfile, AuthenticationError> {
|
||||
let signature_data = parse_http_signature(
|
||||
request.method(),
|
||||
request.uri(),
|
||||
|
|
@ -48,12 +70,12 @@ pub async fn verify_signed_request(
|
|||
Ok(profile) => profile,
|
||||
Err(HandlerError::DatabaseError(error)) => return Err(error.into()),
|
||||
Err(other_error) => {
|
||||
return Err(VerificationError::ActorError(other_error.to_string()));
|
||||
return Err(AuthenticationError::ActorError(other_error.to_string()));
|
||||
},
|
||||
}
|
||||
};
|
||||
let actor = actor_profile.actor_json.as_ref()
|
||||
.ok_or(VerificationError::ActorError("invalid profile".to_string()))?;
|
||||
.ok_or(AuthenticationError::ActorError("invalid profile".to_string()))?;
|
||||
let public_key = deserialize_public_key(&actor.public_key.public_key_pem)?;
|
||||
|
||||
verify_http_signature(&signature_data, &public_key)?;
|
||||
|
|
|
|||
|
|
@ -10,9 +10,11 @@ use crate::errors::{
|
|||
HttpError,
|
||||
ValidationError,
|
||||
};
|
||||
use crate::http_signatures::verify::VerificationError;
|
||||
use super::activity::{Activity, Object};
|
||||
use super::authentication::verify_signed_request;
|
||||
use super::authentication::{
|
||||
verify_signed_request,
|
||||
AuthenticationError,
|
||||
};
|
||||
use super::fetcher::{
|
||||
fetchers::FetchError,
|
||||
helpers::import_post,
|
||||
|
|
@ -49,7 +51,7 @@ pub enum HandlerError {
|
|||
DatabaseError(#[from] DatabaseError),
|
||||
|
||||
#[error(transparent)]
|
||||
AuthError(#[from] VerificationError),
|
||||
AuthError(#[from] AuthenticationError),
|
||||
}
|
||||
|
||||
impl From<HandlerError> for HttpError {
|
||||
|
|
@ -129,7 +131,7 @@ pub fn find_object_id(object: &Value) -> Result<String, ValidationError> {
|
|||
}
|
||||
|
||||
fn require_actor_signature(actor_id: &str, signer_id: &str)
|
||||
-> Result<(), VerificationError>
|
||||
-> Result<(), AuthenticationError>
|
||||
{
|
||||
if actor_id != signer_id {
|
||||
// Forwarded activity
|
||||
|
|
@ -138,7 +140,7 @@ fn require_actor_signature(actor_id: &str, signer_id: &str)
|
|||
signer_id,
|
||||
actor_id,
|
||||
);
|
||||
return Err(VerificationError::InvalidSigner);
|
||||
return Err(AuthenticationError::InvalidSigner);
|
||||
};
|
||||
Ok(())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,39 +5,25 @@ use chrono::{DateTime, TimeZone, Utc};
|
|||
use regex::Regex;
|
||||
use rsa::RsaPublicKey;
|
||||
|
||||
use crate::errors::DatabaseError;
|
||||
use crate::utils::crypto::verify_signature;
|
||||
|
||||
#[derive(thiserror::Error, Debug)]
|
||||
pub enum VerificationError {
|
||||
pub enum HttpSignatureVerificationError {
|
||||
#[error("{0}")]
|
||||
HeaderError(&'static str),
|
||||
|
||||
#[error("{0}")]
|
||||
ParseError(&'static str),
|
||||
|
||||
#[error("invalid key ID")]
|
||||
UrlError(#[from] url::ParseError),
|
||||
|
||||
#[error("database error")]
|
||||
DatabaseError(#[from] DatabaseError),
|
||||
|
||||
#[error("{0}")]
|
||||
ActorError(String),
|
||||
|
||||
#[error("invalid public key")]
|
||||
InvalidPublicKey(#[from] rsa::pkcs8::Error),
|
||||
|
||||
#[error("invalid encoding")]
|
||||
InvalidEncoding(#[from] base64::DecodeError),
|
||||
|
||||
#[error("invalid signature")]
|
||||
InvalidSignature,
|
||||
|
||||
#[error("actor and request signer do not match")]
|
||||
InvalidSigner,
|
||||
}
|
||||
|
||||
type VerificationError = HttpSignatureVerificationError;
|
||||
|
||||
pub struct HttpSignatureData {
|
||||
pub key_id: String,
|
||||
pub message: String, // reconstructed message
|
||||
|
|
|
|||
Loading…
Reference in a new issue