http-signature-normalization/http-signature-normalization-actix/src/digest/middleware.rs

//! Types for setting up Digest middleware verification

use actix_web::{
    dev::{Body, Payload, Service, ServiceRequest, ServiceResponse, Transform},
    error::PayloadError,
    http::header::HeaderValue,
    web::Bytes,
    FromRequest, HttpMessage, HttpRequest, HttpResponse, ResponseError,
};
use failure::Fail;
use futures::{
    future::{err, ok, Either, FutureResult},
    stream::once,
    Future, Poll, Stream,
};
use std::{cell::RefCell, rc::Rc};

use super::{DigestPart, DigestVerify};

#[derive(Copy, Clone, Debug)]
/// A type implementing FromRequest that can be used in route handler to guard for verified
/// digests
///
/// This is only required when the [`VerifyDigest`] middleware is set to optional
pub struct DigestVerified;

/// The VerifyDigest middleware
///
/// ```rust,ignore
/// let middleware = VerifyDigest::new(MyVerify::new())
///     .optional();
///
/// HttpServer::new(move || {
///     App::new()
///         .wrap(middleware.clone())
///         .route("/protected", web::post().to(|_: DigestVerified| "Verified Digest Header"))
///         .route("/unprotected", web::post().to(|| "No verification required"))
/// })
/// ```
pub struct VerifyDigest<T>(bool, T);

#[doc(hidden)]
pub struct VerifyMiddleware<T, S>(Rc<RefCell<S>>, bool, T);

#[derive(Debug, Fail)]
#[fail(display = "Error verifying digest")]
#[doc(hidden)]
pub struct VerifyError;

impl<T> VerifyDigest<T>
where
    T: DigestVerify + Clone,
{
    /// Produce a new VerifyDigest with a user-provided [`Digestverify`] type
    pub fn new(verify_digest: T) -> Self {
        VerifyDigest(true, verify_digest)
    }

    /// Mark verifying the Digest as optional
    ///
    /// If a digest is present in the request, it will be verified, but it is not required to be
    /// present
    pub fn optional(self) -> Self {
        VerifyDigest(false, self.1)
    }
}

impl FromRequest for DigestVerified {
    type Error = VerifyError;
    type Future = Result<Self, Self::Error>;
    type Config = ();

    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
        req.extensions()
            .get::<Self>()
            .map(|s| *s)
            .ok_or(VerifyError)
    }
}

impl<T, S> Transform<S> for VerifyDigest<T>
where
    T: DigestVerify + Clone + 'static,
    S: Service<
            Request = ServiceRequest,
            Response = ServiceResponse<Body>,
            Error = actix_web::Error,
        > + 'static,
    S::Error: 'static,
{
    type Request = ServiceRequest;
    type Response = ServiceResponse<Body>;
    type Error = actix_web::Error;
    type Transform = VerifyMiddleware<T, S>;
    type InitError = ();
    type Future = FutureResult<Self::Transform, Self::InitError>;

    fn new_transform(&self, service: S) -> Self::Future {
        ok(VerifyMiddleware(
            Rc::new(RefCell::new(service)),
            self.0,
            self.1.clone(),
        ))
    }
}

impl<T, S> Service for VerifyMiddleware<T, S>
where
    T: DigestVerify + Clone + 'static,
    S: Service<
            Request = ServiceRequest,
            Response = ServiceResponse<Body>,
            Error = actix_web::Error,
        > + 'static,
    S::Error: 'static,
{
    type Request = ServiceRequest;
    type Response = ServiceResponse<Body>;
    type Error = actix_web::Error;
    type Future = Box<dyn Future<Item = Self::Response, Error = Self::Error>>;

    fn poll_ready(&mut self) -> Poll<(), Self::Error> {
        self.0.borrow_mut().poll_ready()
    }

    fn call(&mut self, mut req: ServiceRequest) -> Self::Future {
        if let Some(digest) = req.headers().get("Digest") {
            let vec = match parse_digest(digest) {
                Some(vec) => vec,
                None => return Box::new(err(VerifyError.into())),
            };
            let payload = req.take_payload();
            let service = self.0.clone();
            let mut verify_digest = self.2.clone();

            Box::new(payload.concat2().from_err().and_then(move |bytes| {
                if verify_digest.verify(&vec, &bytes.as_ref()) {
                    req.set_payload(
                        (Box::new(once(Ok(bytes)))
                            as Box<dyn Stream<Item = Bytes, Error = PayloadError>>)
                            .into(),
                    );

                    req.extensions_mut().insert(DigestVerified);

                    Either::A(service.borrow_mut().call(req))
                } else {
                    Either::B(err(VerifyError.into()))
                }
            }))
        } else if self.1 {
            Box::new(err(VerifyError.into()))
        } else {
            Box::new(self.0.borrow_mut().call(req))
        }
    }
}

fn parse_digest(h: &HeaderValue) -> Option<Vec<DigestPart>> {
    let h = h.to_str().ok()?.split(";").next()?;
    let v: Vec<_> = h
        .split(",")
        .filter_map(|p| {
            let mut iter = p.splitn(2, "=");
            iter.next()
                .and_then(|alg| iter.next().map(|value| (alg, value)))
        })
        .map(|(alg, value)| DigestPart {
            algorithm: alg.to_owned(),
            digest: value.to_owned(),
        })
        .collect();

    if v.is_empty() {
        None
    } else {
        Some(v)
    }
}

impl ResponseError for VerifyError {
    fn error_response(&self) -> HttpResponse {
        HttpResponse::BadRequest().finish()
    }

    fn render_response(&self) -> HttpResponse {
        Self::error_response(self)
    }
}