SERVER HANDSHAKES ARE WORKING

2024-01-19 00:28:02 +01:00 · 2024-01-19 00:28:02 +01:00 · bfb0a1d1b0
commit bfb0a1d1b0
parent 041531e88a
7 changed files with 157 additions and 42 deletions
--- a/chat/Cargo.toml
+++ b/chat/Cargo.toml
@ -22,3 +22,5 @@ tokio = { version = "1.35.1", features = ["macros", "rt-multi-thread"] }
 tracing-subscriber = "0.3.18"
 tracing = "0.1.40"
 tower-http = { version = "0.5.1", features = ["trace"] }
+chrono = "0.4.31"
+reqwest = { version = "0.11.23", features = ["json"] }
--- a/chat/src/fed/mod.rs
+++ b/chat/src/fed/mod.rs
@ -9,6 +9,7 @@ use axum::{
    },
    Extension,
 };
+use chrono::{DateTime, Utc};
 use foxchat::{
    fed::{SERVER_HEADER, SIGNATURE_HEADER, USER_HEADER},
    http::ApiError,
@ -19,6 +20,7 @@ use tracing::error;

 use crate::{app_state::AppState, model::identity_instance::IdentityInstance};

+/// A parsed and validated federation signature.
 pub struct FoxRequestData {
    pub instance: IdentityInstance,
    pub user_id: Option<String>,
@ -32,17 +34,68 @@ where
    type Rejection = ApiError;

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let signature = FoxSignatureData::from_request_parts(parts, state).await?;
        let state: Extension<Arc<AppState>> = Extension::from_request_parts(parts, state)
            .await
            .expect("AppState was not added as an extension");

+        let instance = IdentityInstance::get(state.0.clone(), &signature.domain).await?;
+        let public_key = instance.parse_public_key()?;
+        if state.config.domain.clone() != signature.host {
+            return Err(FoxError::InvalidHeader.into());
+        }
+
+        if let Err(e) = verify_signature(
+            &public_key,
+            signature.signature,
+            signature.date,
+            &signature.host,
+            &signature.request_path,
+            signature.content_length,
+            signature.user_id.clone(),
+        ) {
+            error!(
+                "Verifying signature from request for {} from {}: {}",
+                parts.uri.path(),
+                signature.domain,
+                e
+            );
+
+            return Err(FoxError::InvalidSignature.into());
+        }
+
+        Ok(FoxRequestData {
+            instance,
+            user_id: signature.user_id,
+        })
+    }
+}
+
+// An unvalidated federation signature. Use with caution, you should almost always use `FoxRequestData` instead.
+pub struct FoxSignatureData {
+    pub domain: String,
+    pub signature: String,
+    pub date: DateTime<Utc>,
+    pub host: String,
+    pub request_path: String,
+    pub content_length: Option<usize>,
+    pub user_id: Option<String>,
+}
+
+#[async_trait]
+impl<S> FromRequestParts<S> for FoxSignatureData
+where
+    S: Send + Sync,
+{
+    type Rejection = ApiError;
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let domain = parts
            .headers
            .get(SERVER_HEADER)
            .ok_or(FoxError::InvalidHeader)?
-            .to_str()?;
-        let instance = IdentityInstance::get(state.0, domain).await?;
-        let public_key = instance.parse_public_key()?;
+            .to_str()?
+            .to_string();

        let date = parse_date(
            parts
@ -61,7 +114,8 @@ where
            .headers
            .get(HOST)
            .ok_or(FoxError::InvalidHeader)?
-            .to_str()?;
+            .to_str()?
+            .to_string();

        let content_length = if let Some(raw_length) = parts.headers.get(CONTENT_LENGTH) {
            Some(raw_length.to_str()?.parse::<usize>()?)
@ -70,33 +124,19 @@ where
        };

        let user_id = if let Some(raw_id) = parts.headers.get(USER_HEADER) {
-            Some(raw_id.to_str()?)
+            Some(raw_id.to_str()?.to_string())
        } else {
            None
        };

-        if let Err(e) = verify_signature(
-            &public_key,
-            signature,
+        Ok(FoxSignatureData {
+            domain,
            date,
+            signature,
            host,
-            parts.uri.path(),
+            request_path: parts.uri.path().to_string(),
            content_length,
            user_id,
-        ) {
-            error!(
-                "Verifying signature from request for {} from {}: {}",
-                parts.uri.path(),
-                domain,
-                e
-            );
-
-            return Err(FoxError::InvalidSignature.into());
-        }
-
-        Ok(FoxRequestData {
-            instance,
-            user_id: user_id.map(|v| v.to_string()),
        })
    }
 }
--- a/chat/src/http/hello.rs
+++ b/chat/src/http/hello.rs
@ -1,21 +1,77 @@
 use std::sync::Arc;

 use axum::{Extension, Json};
+use eyre::Context;
 use foxchat::{
+    fed,
    http::ApiError,
-    s2s::http::{HelloRequest, HelloResponse, NodeResponse}, fed,
+    s2s::http::{HelloRequest, HelloResponse, NodeResponse},
+    signature::verify_signature,
+    FoxError,
 };
+use rsa::{
+    pkcs1::{DecodeRsaPublicKey, EncodeRsaPublicKey},
+    RsaPublicKey,
+};
+use tracing::error;
+use ulid::Ulid;

-use crate::{app_state::AppState, model::instance::Instance};
+use crate::{app_state::AppState, fed::FoxSignatureData, model::instance::Instance};

 pub async fn post_hello(
    Extension(state): Extension<Arc<AppState>>,
+    signature: FoxSignatureData,
    Json(data): Json<HelloRequest>,
 ) -> Result<Json<HelloResponse>, ApiError> {
    let instance = Instance::get(&state.pool).await?;

-    let node = fed::get::<NodeResponse>(&instance.private_key, &state.config.domain, &data.host, "/_fox/ident/node", None).await?;
+    let node = fed::get::<NodeResponse>(
+        &instance.private_key,
+        &state.config.domain,
+        &data.host,
+        "/_fox/ident/node",
+        None,
+    )
+    .await?;
+    let public_key =
+        RsaPublicKey::from_pkcs1_pem(&node.public_key).wrap_err("parsing remote public key")?;

-    // TODO: validate identity server's signature, probably adapt FoxRequestData.from_request_parts() (or extract it into a separate function? not sure if that's possible though)
-    todo!()
+    if state.config.domain.clone() != signature.host {
+        return Err(FoxError::InvalidHeader.into());
+    }
+
+    if let Err(e) = verify_signature(
+        &public_key,
+        signature.signature,
+        signature.date,
+        &signature.host,
+        &signature.request_path,
+        signature.content_length,
+        signature.user_id,
+    ) {
+        error!(
+            "Verifying signature from hello request from {}: {}",
+            signature.domain, e
+        );
+
+        return Err(FoxError::InvalidSignature.into());
+    }
+
+    sqlx::query!(
+        "insert into identity_instances (id, domain, base_url, public_key) values ($1, $2, $3, $4)",
+        Ulid::new().to_string(),
+        signature.domain,
+        format!("https://{}", signature.domain),
+        node.public_key,
+    )
+    .execute(&state.pool)
+    .await?;
+
+    Ok(Json(HelloResponse {
+        public_key: instance
+            .public_key
+            .to_pkcs1_pem(rsa::pkcs8::LineEnding::CR)
+            .wrap_err("formatting instance public key")?,
+        host: state.config.domain.clone(),
+    }))
 }