mirror of
https://git.asonix.dog/asonix/http-signature-normalization.git
synced 2024-11-21 08:51:00 +00:00
Add experimental extractor library for actix-web
This commit is contained in:
parent
08e5013296
commit
8c9e7af2b9
5 changed files with 479 additions and 4 deletions
|
@ -13,10 +13,11 @@ edition = "2021"
|
|||
|
||||
[workspace]
|
||||
members = [
|
||||
"http-signature-normalization-actix",
|
||||
"http-signature-normalization-http",
|
||||
"http-signature-normalization-reqwest",
|
||||
# "http-signature-normalization-warp",
|
||||
"http-signature-normalization-actix",
|
||||
"http-signature-normalization-actix-extractor",
|
||||
"http-signature-normalization-http",
|
||||
"http-signature-normalization-reqwest",
|
||||
# "http-signature-normalization-warp",
|
||||
]
|
||||
|
||||
[dependencies]
|
||||
|
|
22
http-signature-normalization-actix-extractor/Cargo.toml
Normal file
22
http-signature-normalization-actix-extractor/Cargo.toml
Normal file
|
@ -0,0 +1,22 @@
|
|||
[package]
|
||||
name = "http-signature-normalization-actix-extractor"
|
||||
version = "0.1.0"
|
||||
edition = "2021"
|
||||
|
||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
[features]
|
||||
default = ["sha-2"]
|
||||
sha-2 = ["base64", "sha2", "subtle"]
|
||||
|
||||
[dependencies]
|
||||
base64 = { version = "0.13", optional = true }
|
||||
actix-web = { version = "4", default-features = false }
|
||||
actix-web-lab = "0.18.5"
|
||||
async-trait = "0.1.58"
|
||||
http-signature-normalization = { version = "0.6", path = "../" }
|
||||
sha2 = { version = "0.10", optional = true }
|
||||
subtle = { version = "2.4.1", optional = true }
|
||||
|
||||
[dev-dependencies]
|
||||
actix-web = { version = "4", features = ["macros"] }
|
||||
thiserror = "1"
|
|
@ -0,0 +1,88 @@
|
|||
use actix_web::{http::StatusCode, web, App, HttpRequest, HttpResponse, HttpServer, ResponseError};
|
||||
use http_signature_normalization_actix_extractor::{
|
||||
Algorithm, Config, ConfigGenerator, PrivateKey, Signed,
|
||||
};
|
||||
use sha2::Sha256;
|
||||
|
||||
#[actix_web::main]
|
||||
async fn main() -> std::io::Result<()> {
|
||||
HttpServer::new(|| App::new().route("/", web::post().to(protected)))
|
||||
.bind("127.0.0.1:8010")?
|
||||
.run()
|
||||
.await
|
||||
}
|
||||
|
||||
async fn protected(signed_request: Signed<String, Cfg, Sha256, Key>) -> &'static str {
|
||||
let (value, signature) = signed_request.into_parts();
|
||||
|
||||
println!("{}", value);
|
||||
println!("{:#?}", signature);
|
||||
|
||||
"hewwo, mr obama"
|
||||
}
|
||||
|
||||
pub struct Cfg;
|
||||
|
||||
impl ConfigGenerator for Cfg {
|
||||
fn config() -> Config {
|
||||
Config::new().require_header("accept")
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct Key;
|
||||
|
||||
#[async_trait::async_trait(?Send)]
|
||||
impl PrivateKey for Key {
|
||||
type Error = MyError;
|
||||
|
||||
async fn init(
|
||||
_: &HttpRequest,
|
||||
key_id: &str,
|
||||
algorithm: Option<&Algorithm>,
|
||||
) -> Result<Self, Self::Error> {
|
||||
match algorithm {
|
||||
Some(Algorithm::Hs2019) => (),
|
||||
_ => return Err(MyError::Algorithm),
|
||||
};
|
||||
|
||||
if key_id != "my-key-id" {
|
||||
return Err(MyError::Key);
|
||||
}
|
||||
|
||||
Ok(Key)
|
||||
}
|
||||
|
||||
fn verify(&mut self, signature: &str, signing_string: &str) -> Result<bool, Self::Error> {
|
||||
use subtle::ConstantTimeEq;
|
||||
|
||||
let decoded = match base64::decode(&signature) {
|
||||
Ok(decoded) => decoded,
|
||||
Err(_) => return Err(MyError::Decode),
|
||||
};
|
||||
|
||||
Ok(decoded.ct_eq(signing_string.as_bytes()).into())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, thiserror::Error)]
|
||||
pub enum MyError {
|
||||
#[error("Unsupported algorithm")]
|
||||
Algorithm,
|
||||
|
||||
#[error("Couldn't decode signature")]
|
||||
Decode,
|
||||
|
||||
#[error("Invalid key")]
|
||||
Key,
|
||||
}
|
||||
|
||||
impl ResponseError for MyError {
|
||||
fn status_code(&self) -> StatusCode {
|
||||
StatusCode::BAD_REQUEST
|
||||
}
|
||||
|
||||
fn error_response(&self) -> HttpResponse {
|
||||
HttpResponse::BadRequest().finish()
|
||||
}
|
||||
}
|
286
http-signature-normalization-actix-extractor/src/lib.rs
Normal file
286
http-signature-normalization-actix-extractor/src/lib.rs
Normal file
|
@ -0,0 +1,286 @@
|
|||
// #![deny(missing_docs)]
|
||||
|
||||
//! Experimental Extractor for request signatures
|
||||
|
||||
pub use actix_web_lab::extract::RequestSignature;
|
||||
pub use http_signature_normalization::{verify::Algorithm, Config};
|
||||
|
||||
pub type Signed<Extractor, Config, Digest, PrivateKey> =
|
||||
RequestSignature<Extractor, SignatureScheme<Config, Digest, PrivateKey>>;
|
||||
|
||||
#[cfg(feature = "sha-2")]
|
||||
mod sha2_digest;
|
||||
|
||||
#[derive(Debug)]
|
||||
pub enum Error {
|
||||
Digest,
|
||||
Signature,
|
||||
InvalidHeaderValue,
|
||||
PrepareVerify(http_signature_normalization::PrepareVerifyError),
|
||||
}
|
||||
|
||||
impl std::fmt::Display for Error {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
match self {
|
||||
Self::Digest => write!(f, "Digest is inavlid"),
|
||||
Self::Signature => write!(f, "Signature is invalid"),
|
||||
Self::InvalidHeaderValue => write!(f, "Invalid header value"),
|
||||
Self::PrepareVerify(_) => write!(f, "Error preparint verification"),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl std::error::Error for Error {
|
||||
fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
|
||||
match self {
|
||||
Self::PrepareVerify(ref e) => Some(e),
|
||||
Self::Digest => None,
|
||||
Self::Signature => None,
|
||||
Self::InvalidHeaderValue => None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl actix_web::ResponseError for Error {
|
||||
fn status_code(&self) -> actix_web::http::StatusCode {
|
||||
actix_web::http::StatusCode::BAD_REQUEST
|
||||
}
|
||||
|
||||
fn error_response(&self) -> actix_web::HttpResponse<actix_web::body::BoxBody> {
|
||||
actix_web::HttpResponse::build(self.status_code()).finish()
|
||||
}
|
||||
}
|
||||
|
||||
impl From<http_signature_normalization::PrepareVerifyError> for Error {
|
||||
fn from(e: http_signature_normalization::PrepareVerifyError) -> Self {
|
||||
Error::PrepareVerify(e)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<actix_web::http::header::ToStrError> for Error {
|
||||
fn from(_: actix_web::http::header::ToStrError) -> Self {
|
||||
Error::InvalidHeaderValue
|
||||
}
|
||||
}
|
||||
|
||||
pub struct SignatureScheme<C, D, K> {
|
||||
config_generator: std::marker::PhantomData<C>,
|
||||
key: std::marker::PhantomData<K>,
|
||||
digest_verifier: Option<D>,
|
||||
unverified: http_signature_normalization::verify::Unverified,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct DigestPart {
|
||||
pub algorithm: String,
|
||||
pub digest: String,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct Signature<D, K> {
|
||||
key: K,
|
||||
unverified: http_signature_normalization::verify::Unverified,
|
||||
digest_verifier: D,
|
||||
digest_parts: Option<Vec<DigestPart>>,
|
||||
}
|
||||
|
||||
pub trait DigestName {
|
||||
const NAME: &'static str;
|
||||
}
|
||||
|
||||
pub trait ConfigGenerator {
|
||||
fn config() -> Config;
|
||||
}
|
||||
|
||||
#[async_trait::async_trait(?Send)]
|
||||
pub trait PrivateKey: Sized + Send {
|
||||
type Error: Into<actix_web::Error>;
|
||||
|
||||
async fn init(
|
||||
req: &actix_web::HttpRequest,
|
||||
key_id: &str,
|
||||
algorithm: Option<&Algorithm>,
|
||||
) -> Result<Self, Self::Error>;
|
||||
|
||||
fn verify(&mut self, signature: &str, signing_string: &str) -> Result<bool, Self::Error>;
|
||||
}
|
||||
|
||||
pub trait VerifyDigest: Default + Send + 'static {
|
||||
const REQUIRED: bool = true;
|
||||
|
||||
fn update(&mut self, bytes: &[u8]);
|
||||
|
||||
fn verify(&mut self, parts: &[DigestPart]) -> bool;
|
||||
}
|
||||
|
||||
#[async_trait::async_trait(?Send)]
|
||||
impl<C, D, K> actix_web_lab::extract::RequestSignatureScheme for SignatureScheme<C, D, K>
|
||||
where
|
||||
C: ConfigGenerator,
|
||||
D: VerifyDigest,
|
||||
K: PrivateKey,
|
||||
{
|
||||
type Signature = Signature<D, K>;
|
||||
|
||||
type Error = actix_web::Error;
|
||||
|
||||
async fn init(req: &actix_web::HttpRequest) -> Result<Self, Self::Error> {
|
||||
let config = C::config();
|
||||
|
||||
let unverified = begin_verify(
|
||||
&config,
|
||||
req.method(),
|
||||
req.uri().path_and_query(),
|
||||
req.headers(),
|
||||
)?;
|
||||
|
||||
Ok(SignatureScheme {
|
||||
config_generator: std::marker::PhantomData,
|
||||
key: std::marker::PhantomData,
|
||||
digest_verifier: Some(D::default()),
|
||||
unverified,
|
||||
})
|
||||
}
|
||||
|
||||
async fn consume_chunk(
|
||||
&mut self,
|
||||
_: &actix_web::HttpRequest,
|
||||
chunk: actix_web::web::Bytes,
|
||||
) -> Result<(), Self::Error> {
|
||||
if D::REQUIRED {
|
||||
let mut verifier = self
|
||||
.digest_verifier
|
||||
.take()
|
||||
.expect("consume_chunk polled concurrently");
|
||||
|
||||
self.digest_verifier = Some(
|
||||
actix_web::web::block(move || {
|
||||
verifier.update(&chunk);
|
||||
verifier
|
||||
})
|
||||
.await
|
||||
.expect("Panic in verifier update"),
|
||||
);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
async fn finalize(
|
||||
mut self,
|
||||
req: &actix_web::HttpRequest,
|
||||
) -> Result<Self::Signature, Self::Error> {
|
||||
let key = K::init(req, self.unverified.key_id(), self.unverified.algorithm())
|
||||
.await
|
||||
.map_err(Into::into)?;
|
||||
|
||||
let digest_parts = if D::REQUIRED {
|
||||
req.headers()
|
||||
.get("digest")
|
||||
.and_then(|digest| parse_digest(digest))
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
Ok(Signature {
|
||||
key,
|
||||
unverified: self.unverified,
|
||||
digest_verifier: self
|
||||
.digest_verifier
|
||||
.take()
|
||||
.expect("finalize called more than once"),
|
||||
digest_parts,
|
||||
})
|
||||
}
|
||||
|
||||
fn verify(
|
||||
signature: Self::Signature,
|
||||
_: &actix_web::HttpRequest,
|
||||
) -> Result<Self::Signature, Self::Error> {
|
||||
let Signature {
|
||||
mut key,
|
||||
unverified,
|
||||
mut digest_verifier,
|
||||
digest_parts,
|
||||
} = signature;
|
||||
|
||||
if !unverified
|
||||
.verify(|sig, signing_string| key.verify(sig, signing_string))
|
||||
.map_err(Into::into)?
|
||||
{
|
||||
return Err(Error::Signature.into());
|
||||
}
|
||||
|
||||
if D::REQUIRED {
|
||||
if !digest_verifier.verify(digest_parts.as_deref().unwrap_or(&[])) {
|
||||
return Err(Error::Digest.into());
|
||||
}
|
||||
}
|
||||
|
||||
let signature = Signature {
|
||||
key,
|
||||
unverified,
|
||||
digest_verifier,
|
||||
digest_parts,
|
||||
};
|
||||
|
||||
Ok(signature)
|
||||
}
|
||||
}
|
||||
|
||||
fn parse_digest(h: &actix_web::http::header::HeaderValue) -> Option<Vec<DigestPart>> {
|
||||
let h = h.to_str().ok()?.split(';').next()?;
|
||||
let v: Vec<_> = h
|
||||
.split(',')
|
||||
.filter_map(|p| {
|
||||
let mut iter = p.splitn(2, '=');
|
||||
iter.next()
|
||||
.and_then(|alg| iter.next().map(|value| (alg, value)))
|
||||
})
|
||||
.map(|(alg, value)| DigestPart {
|
||||
algorithm: alg.to_owned(),
|
||||
digest: value.to_owned(),
|
||||
})
|
||||
.collect();
|
||||
|
||||
if v.is_empty() {
|
||||
None
|
||||
} else {
|
||||
Some(v)
|
||||
}
|
||||
}
|
||||
|
||||
fn begin_verify(
|
||||
config: &Config,
|
||||
method: &actix_web::http::Method,
|
||||
path_and_query: Option<&actix_web::http::uri::PathAndQuery>,
|
||||
headers: &actix_web::http::header::HeaderMap,
|
||||
) -> Result<http_signature_normalization::verify::Unverified, Error> {
|
||||
let headers = headers
|
||||
.iter()
|
||||
.map(|(k, v)| v.to_str().map(|v| (k.to_string(), v.to_string())))
|
||||
.collect::<Result<std::collections::BTreeMap<_, _>, actix_web::http::header::ToStrError>>(
|
||||
)?;
|
||||
|
||||
let path_and_query = path_and_query
|
||||
.map(|p| p.to_string())
|
||||
.unwrap_or_else(|| "/".to_string());
|
||||
|
||||
let unverified = config.begin_verify(method.as_ref(), &path_and_query, headers)?;
|
||||
|
||||
Ok(unverified)
|
||||
}
|
||||
|
||||
impl ConfigGenerator for () {
|
||||
fn config() -> Config {
|
||||
Config::new()
|
||||
}
|
||||
}
|
||||
|
||||
impl VerifyDigest for () {
|
||||
const REQUIRED: bool = false;
|
||||
fn update(&mut self, _: &[u8]) {}
|
||||
fn verify(&mut self, _: &[DigestPart]) -> bool {
|
||||
true
|
||||
}
|
||||
}
|
|
@ -0,0 +1,78 @@
|
|||
use crate::{DigestName, DigestPart, VerifyDigest};
|
||||
use sha2::{Sha224, Sha256, Sha384, Sha512};
|
||||
|
||||
impl DigestName for Sha224 {
|
||||
const NAME: &'static str = "SHA-244";
|
||||
}
|
||||
|
||||
impl DigestName for Sha256 {
|
||||
const NAME: &'static str = "SHA-256";
|
||||
}
|
||||
|
||||
impl DigestName for Sha384 {
|
||||
const NAME: &'static str = "SHA-384";
|
||||
}
|
||||
|
||||
impl DigestName for Sha512 {
|
||||
const NAME: &'static str = "SHA-512";
|
||||
}
|
||||
|
||||
fn verify<D: sha2::Digest + sha2::digest::FixedOutputReset>(
|
||||
digest: &mut D,
|
||||
name: &str,
|
||||
parts: &[DigestPart],
|
||||
) -> bool {
|
||||
use subtle::ConstantTimeEq;
|
||||
|
||||
if let Some(decoded) = parts.iter().find_map(|p| {
|
||||
if p.algorithm.to_lowercase() == name.to_lowercase() {
|
||||
base64::decode(&p.digest).ok()
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}) {
|
||||
return digest.finalize_reset().ct_eq(&decoded).into();
|
||||
}
|
||||
|
||||
false
|
||||
}
|
||||
|
||||
impl VerifyDigest for Sha224 {
|
||||
fn update(&mut self, part: &[u8]) {
|
||||
sha2::Digest::update(self, part);
|
||||
}
|
||||
|
||||
fn verify(&mut self, parts: &[DigestPart]) -> bool {
|
||||
verify(self, Self::NAME, parts)
|
||||
}
|
||||
}
|
||||
|
||||
impl VerifyDigest for Sha256 {
|
||||
fn update(&mut self, part: &[u8]) {
|
||||
sha2::Digest::update(self, part);
|
||||
}
|
||||
|
||||
fn verify(&mut self, parts: &[DigestPart]) -> bool {
|
||||
verify(self, Self::NAME, parts)
|
||||
}
|
||||
}
|
||||
|
||||
impl VerifyDigest for Sha384 {
|
||||
fn update(&mut self, part: &[u8]) {
|
||||
sha2::Digest::update(self, part);
|
||||
}
|
||||
|
||||
fn verify(&mut self, parts: &[DigestPart]) -> bool {
|
||||
verify(self, Self::NAME, parts)
|
||||
}
|
||||
}
|
||||
|
||||
impl VerifyDigest for Sha512 {
|
||||
fn update(&mut self, part: &[u8]) {
|
||||
sha2::Digest::update(self, part);
|
||||
}
|
||||
|
||||
fn verify(&mut self, parts: &[DigestPart]) -> bool {
|
||||
verify(self, Self::NAME, parts)
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue