Add allow/block check to verifier middleware before key validation

2024-11-14 05:31:02 +00:00 · 2020-12-23 12:30:19 -06:00 · 2020-12-23 12:30:19 -06:00 · 9923d4d107
commit 9923d4d107
parent e2da563a1c
3 changed files with 33 additions and 6 deletions
--- a/src/config.rs
+++ b/src/config.rs
@ -1,4 +1,9 @@
-use crate::{data::ActorCache, error::MyError, middleware::MyVerify, requests::Requests};
+use crate::{
+    data::{ActorCache, State},
+    error::MyError,
+    middleware::MyVerify,
+    requests::Requests,
+};
 use activitystreams::{uri, url::Url};
 use config::Environment;
 use http_signature_normalization_actix::prelude::{VerifyDigest, VerifySignature};
@ -109,11 +114,12 @@ impl Config {
        &self,
        requests: Requests,
        actors: ActorCache,
+        state: State,
    ) -> VerifySignature<MyVerify> {
        if self.validate_signatures {
-            VerifySignature::new(MyVerify(requests, actors), Default::default())
+            VerifySignature::new(MyVerify(requests, actors, state), Default::default())
        } else {
-            VerifySignature::new(MyVerify(requests, actors), Default::default()).optional()
+            VerifySignature::new(MyVerify(requests, actors, state), Default::default()).optional()
        }
    }

--- a/src/main.rs
+++ b/src/main.rs
@ -133,7 +133,11 @@ async fn main() -> Result<(), anyhow::Error> {
            .service(
                web::resource("/inbox")
                    .wrap(config.digest_middleware())
-                    .wrap(config.signature_middleware(state.requests(), actors.clone()))
+                    .wrap(config.signature_middleware(
+                        state.requests(),
+                        actors.clone(),
+                        state.clone(),
+                    ))
                    .wrap(DebugPayload(config.debug()))
                    .route(web::post().to(inbox)),
            )
--- a/src/middleware/verifier.rs
+++ b/src/middleware/verifier.rs
@ -1,6 +1,11 @@
-use crate::{data::ActorCache, error::MyError, requests::Requests};
+use crate::{
+    data::{ActorCache, State},
+    error::MyError,
+    requests::Requests,
+};
 use activitystreams::uri;
 use actix_web::web;
+use futures::join;
 use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
 use log::error;
 use rsa::{hash::Hash, padding::PaddingScheme, PublicKey, RSAPublicKey};
@ -9,7 +14,7 @@ use sha2::{Digest, Sha256};
 use std::{future::Future, pin::Pin};

 #[derive(Clone)]
-pub struct MyVerify(pub Requests, pub ActorCache);
+pub struct MyVerify(pub Requests, pub ActorCache, pub State);

 impl MyVerify {
    async fn verify(
@ -20,6 +25,18 @@ impl MyVerify {
        signing_string: String,
    ) -> Result<bool, MyError> {
        let mut uri = uri!(key_id);
+
+        let (is_blocked, is_whitelisted) =
+            join!(self.2.is_blocked(&uri), self.2.is_whitelisted(&uri));
+
+        if is_blocked {
+            return Err(MyError::Blocked(key_id));
+        }
+
+        if !is_whitelisted {
+            return Err(MyError::Whitelist(key_id));
+        }
+
        uri.set_fragment(None);
        let actor = self.1.get(&uri, &self.0).await?;
        let was_cached = actor.is_cached();