From 9923d4d107583cabadd426eaf9243c1b1012d119 Mon Sep 17 00:00:00 2001
From: asonix
Date: Wed, 23 Dec 2020 12:30:19 -0600
Subject: [PATCH] Add allow/block check to verifier middleware before key validation
---
 src/config.rs | 12 +++++++++---
 src/main.rs | 6 +++++-
 src/middleware/verifier.rs | 21 +++++++++++++++++++--
 3 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/src/config.rs b/src/config.rs
index 160ad56..2a7dd5b 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,4 +1,9 @@
-use crate::{data::ActorCache, error::MyError, middleware::MyVerify, requests::Requests};
+use crate::{
+ data::{ActorCache, State},
+ error::MyError,
+ middleware::MyVerify,
+ requests::Requests,
+};
 use activitystreams::{uri, url::Url};
 use config::Environment;
 use http_signature_normalization_actix::prelude::{VerifyDigest, VerifySignature};
@@ -109,11 +114,12 @@ impl Config {
 &self,
 requests: Requests,
 actors: ActorCache,
+ state: State,
 ) -> VerifySignature {
 if self.validate_signatures {
- VerifySignature::new(MyVerify(requests, actors), Default::default())
+ VerifySignature::new(MyVerify(requests, actors, state), Default::default())
 } else {
- VerifySignature::new(MyVerify(requests, actors), Default::default()).optional()
+ VerifySignature::new(MyVerify(requests, actors, state), Default::default()).optional()
 }
 }
diff --git a/src/main.rs b/src/main.rs
index f3aa48a..8e6d2ff 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -133,7 +133,11 @@ async fn main() -> Result<(), anyhow::Error> {
 .service(
 web::resource("/inbox")
 .wrap(config.digest_middleware())
- .wrap(config.signature_middleware(state.requests(), actors.clone()))
+ .wrap(config.signature_middleware(
+ state.requests(),
+ actors.clone(),
+ state.clone(),
+ ))
 .wrap(DebugPayload(config.debug()))
 .route(web::post().to(inbox)),
 )
diff --git a/src/middleware/verifier.rs b/src/middleware/verifier.rs
index b140518..3c21aef 100644
--- a/src/middleware/verifier.rs
+++ b/src/middleware/verifier.rs
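Review bot: In `src/config.rs`, the `else` branch of `signature_middleware` still wraps the verifier in `.optional()`, so when `validate_signatures` is false a request that carries no signature presumably never reaches `MyVerify` and therefore never hits the block/allow check that `state` is being threaded in for. Unless the inbox handler repeats that check on the actor, the block and allow lists are not enforced for unsigned deliveries in that mode. A comment on the branch would make the dependency explicit, e.g. `// optional(): unsigned requests skip MyVerify, so block/allow must also be enforced in the inbox handler`. The function's signature line is outside the hunk.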
@@ -1,6 +1,11 @@
-use crate::{data::ActorCache, error::MyError, requests::Requests};
+use crate::{
+ data::{ActorCache, State},
+ error::MyError,
+ requests::Requests,
+};
 use activitystreams::uri;
 use actix_web::web;
+use futures::join;
 use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
 use log::error;
 use rsa::{hash::Hash, padding::PaddingScheme, PublicKey, RSAPublicKey};
@@ -9,7 +14,7 @@ use sha2::{Digest, Sha256};
 use std::{future::Future, pin::Pin};
 #[derive(Clone)]
-pub struct MyVerify(pub Requests, pub ActorCache);
+pub struct MyVerify(pub Requests, pub ActorCache, pub State);
 impl MyVerify {
 async fn verify(
@@ -20,6 +25,18 @@ impl MyVerify {
 signing_string: String,
 ) -> Result {
 let mut uri = uri!(key_id);
+
+ let (is_blocked, is_whitelisted) =
+ join!(self.2.is_blocked(&uri), self.2.is_whitelisted(&uri));
+
+ if is_blocked {
+ return Err(MyError::Blocked(key_id));
+ }
+
+ if !is_whitelisted {
+ return Err(MyError::Whitelist(key_id));
+ }
+
+ uri.set_fragment(None);
 let actor = self.1.get(&uri, &self.0).await?;
 let was_cached = actor.is_cached();
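Review bot: In the `verify` hunk of `src/middleware/verifier.rs`, the block/allow decision is taken on `key_id`, which at this point is unauthenticated header input, and on the URI before `uri.set_fragment(None)` runs. As an early reject that keeps refused hosts from triggering the `self.1.get(&uri, &self.0)` lookup this is reasonable, but it is only a pre-filter: it presumably matches on host (the `State` methods are not visible here) and says nothing about the actor named in the activity, so it should not be read as the authorization step. I would add a comment above the `join!`, e.g. `// Pre-filter on the unverified keyId so refused hosts never trigger an actor fetch; this is not the authorization check for the activity's actor.`, and consider named fields on `MyVerify` so that `self.2.is_blocked` reads as `self.state.is_blocked`. `verify` starts and ends outside the hunk.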