Enforce sig is from correct actor

asonix 2020-03-17 14:52:33 -05:00
parent 86a760a8e4
commit 9642e357e5
4 changed files with 17 additions and 3 deletions

4
Cargo.lock generated

@ -1079,9 +1079,9 @@ dependencies = [
[[package]] [[package]]
name = "http-signature-normalization-actix" name = "http-signature-normalization-actix"
version = "0.3.0-alpha.2" version = "0.3.0-alpha.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3f035288c367f436250512a6e7efba4636d3354c0200baa2fdc0f5f1bb72b1a" checksum = "36b2d8e485a1403413d543ccaa5bb02be59d1ef93e0ecb97314bfdf2573b2ba7"
dependencies = [ dependencies = [
"actix-http", "actix-http",
"actix-web", "actix-web",


@ -17,7 +17,7 @@ base64 = "0.12"
bb8-postgres = "0.4.0" bb8-postgres = "0.4.0"
dotenv = "0.15.0" dotenv = "0.15.0"
futures = "0.3.4" futures = "0.3.4"
http-signature-normalization-actix = { version = "0.3.0-alpha.2", default-features = false, features = ["sha-2"] } http-signature-normalization-actix = { version = "0.3.0-alpha.3", default-features = false, features = ["sha-2"] }
log = "0.4" log = "0.4"
lru = "0.4.3" lru = "0.4.3"
pretty_env_logger = "0.4.0" pretty_env_logger = "0.4.0"


@ -30,6 +30,9 @@ pub enum MyError {
#[error("Couldn't decode base64")] #[error("Couldn't decode base64")]
Base64(#[from] base64::DecodeError), Base64(#[from] base64::DecodeError),
#[error("Actor tried to submit another actor's payload")]
BadActor,
#[error("Invalid algorithm provided to verifier")] #[error("Invalid algorithm provided to verifier")]
Algorithm, Algorithm,
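Review bot: The new `BadActor` variant has no visible mapping to an HTTP status; the enum and any `ResponseError` impl for `MyError` continue outside this hunk. If that impl falls back to a generic 500, a rejected forged-actor delivery would be reported as a server fault, so it presumably should map to a 4xx such as 403 to keep 5xx alerting meaningful and let rejected deliveries be counted on their own. A doc comment on the variant would also help, e.g. `/// The payload's actor does not match the keyId that signed the request`.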


@ -15,6 +15,7 @@ use activitystreams::{
use actix::Addr; use actix::Addr;
use actix_web::{client::Client, web, HttpResponse}; use actix_web::{client::Client, web, HttpResponse};
use futures::join; use futures::join;
use http_signature_normalization_actix::middleware::SignatureVerified;
use log::error; use log::error;
pub async fn inbox( pub async fn inbox(
@ -22,9 +23,19 @@ pub async fn inbox(
state: web::Data<State>, state: web::Data<State>,
client: web::Data<Client>, client: web::Data<Client>,
input: web::Json<AcceptedObjects>, input: web::Json<AcceptedObjects>,
verified: SignatureVerified,
) -> Result<HttpResponse, MyError> { ) -> Result<HttpResponse, MyError> {
let input = input.into_inner(); let input = input.into_inner();
if input.actor.as_str() != verified.key_id() {
error!(
"Request payload and requestor disagree on actor, {} != {}",
input.actor,
verified.key_id()
);
return Err(MyError::BadActor);
}
let actor = fetch_actor( let actor = fetch_actor(
state.clone().into_inner(), state.clone().into_inner(),
client.clone().into_inner(), client.clone().into_inner(),
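Review bot: The test `input.actor.as_str() != verified.key_id()` assumes the signature's keyId is byte-for-byte the actor id, but ActivityPub servers commonly publish their key under a fragment of the actor URL (for example `<actor>#main-key`), in which case every such delivery would be rejected as `BadActor`. The check fails closed, which is the safe direction, but a sturdier binding would compare `verified.key_id()` with the key id or owner declared in the actor document returned by `fetch_actor`, if that type exposes it (not visible here). Both values in the `error!` line come from the remote request, so formatting them with `{:?}` (assuming both implement `Debug`) would keep control characters out of the log. A comment above the check would record the intent, e.g. `// the signing key must belong to the actor named in the payload, otherwise any peer with a valid key could post on another actor's behalf`. The body of `inbox` continues past the end of this hunk.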