rafaelcaricio/relay
1
0
Fork 0
forked from mirrors/relay
Code Pull requests Activity

Add allow/block check to verifier middleware before key validation

Browse source
This commit is contained in:
asonix 2020-12-23 12:30:19 -06:00
parent e2da563a1c
commit 9923d4d107
3 changed files with 33 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/config.rs
View file

@ -1,4 +1,9 @@
use crate::{data::ActorCache, error::MyError, middleware::MyVerify, requests::Requests}; use crate::{
data::{ActorCache, State},
error::MyError,
middleware::MyVerify,
requests::Requests,
};
use activitystreams::{uri, url::Url}; use activitystreams::{uri, url::Url};
use config::Environment; use config::Environment;
use http_signature_normalization_actix::prelude::{VerifyDigest, VerifySignature}; use http_signature_normalization_actix::prelude::{VerifyDigest, VerifySignature};
@ -109,11 +114,12 @@ impl Config {
&self, &self,
requests: Requests, requests: Requests,
actors: ActorCache, actors: ActorCache,
state: State,
) -> VerifySignature<MyVerify> { ) -> VerifySignature<MyVerify> {
if self.validate_signatures { if self.validate_signatures {
VerifySignature::new(MyVerify(requests, actors), Default::default()) VerifySignature::new(MyVerify(requests, actors, state), Default::default())
} else { } else {
VerifySignature::new(MyVerify(requests, actors), Default::default()).optional() VerifySignature::new(MyVerify(requests, actors, state), Default::default()).optional()
} }
} }

6
src/main.rs
View file

@ -133,7 +133,11 @@ async fn main() -> Result<(), anyhow::Error> {
.service( .service(
web::resource("/inbox") web::resource("/inbox")
.wrap(config.digest_middleware()) .wrap(config.digest_middleware())
.wrap(config.signature_middleware(state.requests(), actors.clone())) .wrap(config.signature_middleware(
state.requests(),
actors.clone(),
state.clone(),
))
.wrap(DebugPayload(config.debug())) .wrap(DebugPayload(config.debug()))
.route(web::post().to(inbox)), .route(web::post().to(inbox)),
) )

21
src/middleware/verifier.rs
View file

@ -1,6 +1,11 @@
use crate::{data::ActorCache, error::MyError, requests::Requests}; use crate::{
data::{ActorCache, State},
error::MyError,
requests::Requests,
};
use activitystreams::uri; use activitystreams::uri;
use actix_web::web; use actix_web::web;
use futures::join;
use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm}; use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
use log::error; use log::error;
use rsa::{hash::Hash, padding::PaddingScheme, PublicKey, RSAPublicKey}; use rsa::{hash::Hash, padding::PaddingScheme, PublicKey, RSAPublicKey};
@ -9,7 +14,7 @@ use sha2::{Digest, Sha256};
use std::{future::Future, pin::Pin}; use std::{future::Future, pin::Pin};
#[derive(Clone)] #[derive(Clone)]
pub struct MyVerify(pub Requests, pub ActorCache); pub struct MyVerify(pub Requests, pub ActorCache, pub State);
impl MyVerify { impl MyVerify {
async fn verify( async fn verify(
@ -20,6 +25,18 @@ impl MyVerify {
signing_string: String, signing_string: String,
) -> Result<bool, MyError> { ) -> Result<bool, MyError> {
let mut uri = uri!(key_id); let mut uri = uri!(key_id);
let (is_blocked, is_whitelisted) =
join!(self.2.is_blocked(&uri), self.2.is_whitelisted(&uri));
if is_blocked {
return Err(MyError::Blocked(key_id));
}
if !is_whitelisted {
return Err(MyError::Whitelist(key_id));
}
uri.set_fragment(None); uri.set_fragment(None);
let actor = self.1.get(&uri, &self.0).await?; let actor = self.1.get(&uri, &self.0).await?;
let was_cached = actor.is_cached(); let was_cached = actor.is_cached();