http_signatures: ensure mandatory headers are set

Most headers are automatically checked by the library after this upgrade. But since digest is only required for requests with a body and body processing is handled outside the lib atm, we need to explicity pass the presence or absence along or not get feedback about creating broken signatures. This makes bugs in our signatures more apparent allowing faster discovery and fixing
2025-02-09 19:09:00 +01:00 · 2025-02-09 19:09:00 +01:00 · 2d5b0ba897
commit 2d5b0ba897
parent 6aaa727533
5 changed files with 21 additions and 13 deletions
--- a/lib/pleroma/signature.ex
+++ b/lib/pleroma/signature.ex
@ -62,12 +62,13 @@ defp handle_common_errors(error, kid, action_name) do
    end
  end

-  def sign(%User{} = user, headers) do
+  def sign(%User{} = user, headers, opts \\ []) do
    with {:ok, private_key} <- SigningKey.private_key(user) do
      HTTPSignatures.sign(
        %HTTPKey{key: private_key},
        SigningKey.local_key_id(user.ap_id),
-        headers
+        headers,
+        opts
      )
    end
  end
--- a/lib/pleroma/web/activity_pub/publisher.ex
+++ b/lib/pleroma/web/activity_pub/publisher.ex
@ -55,13 +55,17 @@ def publish_one(%{inbox: inbox, json: json, actor: %User{} = actor, id: id} = pa
    date = Pleroma.Signature.signed_date()

    signature =
-      Pleroma.Signature.sign(actor, %{
-        "(request-target)" => "post #{path}",
-        "host" => signature_host(uri),
-        "content-length" => byte_size(json),
-        "digest" => digest,
-        "date" => date
-      })
+      Pleroma.Signature.sign(
+        actor,
+        %{
+          "(request-target)" => "post #{path}",
+          "host" => signature_host(uri),
+          "content-length" => byte_size(json),
+          "digest" => digest,
+          "date" => date
+        },
+        has_body: true
+      )

    with {:ok, %{status: code}} = result when code in 200..299 <-
           HTTP.post(
--- a/mix.exs
+++ b/mix.exs
@ -162,7 +162,7 @@ defp deps do
      {:linkify, "~> 0.5.3"},
      {:http_signatures,
       git: "https://akkoma.dev/Oneric/http_signatures.git",
-       ref: "750f817fda9986bfc1e96b7d828b9a98950d60d9"},
+       ref: "2adf4c02142c9798abd3b607b7c3fa18493fa166"},
      {:telemetry, "~> 1.2"},
      {:telemetry_poller, "~> 1.0"},
      {:telemetry_metrics, "~> 0.6"},
--- a/mix.lock
+++ b/mix.lock
@ -58,7 +58,7 @@
  "hackney": {:hex, :hackney, "1.22.0", "4efc68df70322d4d2e3d2744e9bd191a39a0cb8d08c35379a08d9fb0f040d595", [:rebar3], [{:certifi, "~> 2.14.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "~> 6.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "~> 1.0.0", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.4.1", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "628569e451820950382be3d3e6481d7c59997e606c7823bddb4ce5d10812dfcb"},
  "hpax": {:hex, :hpax, "0.1.2", "09a75600d9d8bbd064cdd741f21fc06fc1f4cf3d0fcc335e5aa19be1a7235c84", [:mix], [], "hexpm", "2c87843d5a23f5f16748ebe77969880e29809580efdaccd615cd3bed628a8c13"},
  "html_entities": {:hex, :html_entities, "0.5.2", "9e47e70598da7de2a9ff6af8758399251db6dbb7eebe2b013f2bbd2515895c3c", [:mix], [], "hexpm", "c53ba390403485615623b9531e97696f076ed415e8d8058b1dbaa28181f4fdcc"},
-  "http_signatures": {:git, "https://akkoma.dev/Oneric/http_signatures.git", "750f817fda9986bfc1e96b7d828b9a98950d60d9", [ref: "750f817fda9986bfc1e96b7d828b9a98950d60d9"]},
+  "http_signatures": {:git, "https://akkoma.dev/Oneric/http_signatures.git", "2adf4c02142c9798abd3b607b7c3fa18493fa166", [ref: "2adf4c02142c9798abd3b607b7c3fa18493fa166"]},
  "httpoison": {:hex, :httpoison, "1.8.2", "9eb9c63ae289296a544842ef816a85d881d4a31f518a0fec089aaa744beae290", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "2bb350d26972e30c96e2ca74a1aaf8293d61d0742ff17f01e0279fef11599921"},
  "idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
  "igniter": {:hex, :igniter, "0.5.27", "7c633dd99150e9cad68285ec8ad7e15833ff0c72d46774ed3be7728c661ec4cb", [:mix], [{:glob_ex, "~> 0.1.7", [hex: :glob_ex, repo: "hexpm", optional: false]}, {:inflex, "~> 2.0", [hex: :inflex, repo: "hexpm", optional: false]}, {:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:owl, "~> 0.11", [hex: :owl, repo: "hexpm", optional: false]}, {:phx_new, "~> 1.7", [hex: :phx_new, repo: "hexpm", optional: true]}, {:req, "~> 0.5", [hex: :req, repo: "hexpm", optional: false]}, {:rewrite, ">= 1.1.1 and < 2.0.0-0", [hex: :rewrite, repo: "hexpm", optional: false]}, {:sourceror, "~> 1.4", [hex: :sourceror, repo: "hexpm", optional: false]}, {:spitfire, ">= 0.1.3 and < 1.0.0-0", [hex: :spitfire, repo: "hexpm", optional: false]}], "hexpm", "3042a71d4466e9c9b98a23d182eb02014a1c4802a35de0fa8233263d27c99550"},
--- a/test/pleroma/signature_test.exs
+++ b/test/pleroma/signature_test.exs
@ -122,7 +122,10 @@ test "it returns signature headers" do

      headers = %{
        "host" => "test.test",
-        "content-length" => "100"
+        "content-length" => "100",
+        "date" => "Fri, 23 Aug 2019 18:11:24 GMT",
+        "digest" => "SHA-256=a29cdd711788c5118a2256c00d31519e0a5a0d4b144214e012f81e67b80b0ec1",
+        "(request-target)" => "post https://example.com/inbox"
      }

      assert_signature_equal(
@ -130,7 +133,7 @@ test "it returns signature headers" do
          user,
          headers
        ),
-        "keyId=\"https://mastodon.social/users/lambadalambda#main-key\",algorithm=\"rsa-sha256\",headers=\"content-length host\",signature=\"sibUOoqsFfTDerquAkyprxzDjmJm6erYc42W5w1IyyxusWngSinq5ILTjaBxFvfarvc7ci1xAi+5gkBwtshRMWm7S+Uqix24Yg5EYafXRun9P25XVnYBEIH4XQ+wlnnzNIXQkU3PU9e6D8aajDZVp3hPJNeYt1gIPOA81bROI8/glzb1SAwQVGRbqUHHHKcwR8keiR/W2h7BwG3pVRy4JgnIZRSW7fQogKedDg02gzRXwUDFDk0pr2p3q6bUWHUXNV8cZIzlMK+v9NlyFbVYBTHctAR26GIAN6Hz0eV0mAQAePHDY1mXppbA8Gpp6hqaMuYfwifcXmcc+QFm4e+n3A==\""
+        ~s|keyId="https://mastodon.social/users/lambadalambda#main-key",algorithm="rsa-sha256",headers="(request-target) content-length date digest host",signature="fhOT6IBThnCo6rv2Tv8BRXLV7LvVf/7wTX/bbPLtdq5A4GUqrmXUcY5p77jQ6NU9IRIVczeeStxQV6TrHqk/qPdqQOzDcB6cWsSfrB1gsTinBbAWdPzQYqUOTl+Minqn2RERAfPebKYr9QGa0sTODDHvze/UFPuL8a1lDO2VQE0lRCdg49Igr8pGl/CupUx8Fb874omqP0ba3M+siuKEwo02m9hHcbZUeLSN0ZVdvyTMttyqPM1BfwnFXkaQRAblLTyzt4Fv2+fTN+zPipSxJl1YIo1TsmwNq9klqImpjh8NHM3MJ5eZxTZ109S6Q910n1Lm46V/SqByDaYeg9g7Jw=="|
      )
    end
  end