distraction.party/lib/pleroma/web/http_signatures/http_signatures.ex

# https://tools.ietf.org/html/draft-cavage-http-signatures-08
defmodule Pleroma.Web.HTTPSignatures do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
  require Logger

  def split_signature(sig) do
    default = %{"headers" => "date"}

    sig =
      sig
      |> String.trim()
      |> String.split(",")
      |> Enum.reduce(default, fn part, acc ->
        [key | rest] = String.split(part, "=")
        value = Enum.join(rest, "=")
        Map.put(acc, key, String.trim(value, "\""))
      end)

    Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))
  end

  def validate(headers, signature, public_key) do
    sigstring = build_signing_string(headers, signature["headers"])
    Logger.debug("Signature: #{signature["signature"]}")
    Logger.debug("Sigstring: #{sigstring}")
    {:ok, sig} = Base.decode64(signature["signature"])
    :public_key.verify(sigstring, :sha256, sig, public_key)
  end

  def validate_conn(conn) do
    # TODO: How to get the right key and see if it is actually valid for that request.
    # For now, fetch the key for the actor.
    with actor_id <- conn.params["actor"],
         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
      if validate_conn(conn, public_key) do
        true
      else
        Logger.debug("Could not validate, re-fetching user and trying one more time")
        # Fetch user anew and try one more time
        with actor_id <- conn.params["actor"],
             {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
             {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
          validate_conn(conn, public_key)
        end
      end
    else
      e ->
        Logger.debug("Could not public key!")
        false
    end
  end

  def validate_conn(conn, public_key) do
    headers = Enum.into(conn.req_headers, %{})
    signature = split_signature(headers["signature"])
    validate(headers, signature, public_key)
  end

  def build_signing_string(headers, used_headers) do
    used_headers
    |> Enum.map(fn header -> "#{header}: #{headers[header]}" end)
    |> Enum.join("\n")
  end

  def sign(user, headers) do
    with {:ok, %{info: %{"keys" => keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),
         {:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do
      sigstring = build_signing_string(headers, Map.keys(headers))

      signature =
        :public_key.sign(sigstring, :sha256, private_key)
        |> Base.encode64()

      [
        keyId: user.ap_id <> "#main-key",
        algorithm: "rsa-sha256",
        headers: Map.keys(headers) |> Enum.join(" "),
        signature: signature
      ]
      |> Enum.map(fn {k, v} -> "#{k}=\"#{v}\"" end)
      |> Enum.join(",")
    end
  end
end
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`# https://tools.ietf.org/html/draft-cavage-http-signatures-08`
			`defmodule Pleroma.Web.HTTPSignatures do`
Add plug to validate signed http requests. 2017-12-12 09:17:21 +00:00			`alias Pleroma.User`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00			`alias Pleroma.Web.ActivityPub.ActivityPub`
More logging for signature problems. 2018-02-24 16:36:26 +00:00			`require Logger`
Add plug to validate signed http requests. 2017-12-12 09:17:21 +00:00
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`def split_signature(sig) do`
HTTP Signatures: Work with all test vectors. 2017-09-18 16:10:21 +00:00			`default = %{"headers" => "date"}`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00
More signature debugging. 2018-03-11 13:37:23 +00:00			`sig =`
			`sig`
			`\|> String.trim()`
			`\|> String.split(",")`
			`\|> Enum.reduce(default, fn part, acc ->`
			`[key \| rest] = String.split(part, "=")`
			`value = Enum.join(rest, "=")`
			`Map.put(acc, key, String.trim(value, "\""))`
			`end)`
HTTP Signatures: Work with all test vectors. 2017-09-18 16:10:21 +00:00
			`Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`end`

			`def validate(headers, signature, public_key) do`
			`sigstring = build_signing_string(headers, signature["headers"])`
More signature debugging. 2018-03-11 13:37:23 +00:00			`Logger.debug("Signature: #{signature["signature"]}")`
			`Logger.debug("Sigstring: #{sigstring}")`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`{:ok, sig} = Base.decode64(signature["signature"])`
Add plug to validate signed http requests. 2017-12-12 09:17:21 +00:00			`:public_key.verify(sigstring, :sha256, sig, public_key)`
			`end`

			`def validate_conn(conn) do`
			`# TODO: How to get the right key and see if it is actually valid for that request.`
			`# For now, fetch the key for the actor.`
			`with actor_id <- conn.params["actor"],`
			`{:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00			`if validate_conn(conn, public_key) do`
			`true`
			`else`
Grammar consistency Most log messages are sentence fragments so make them consistent by removing periods. Log messages that are expressing urgency with ! or pending more work with "..." are OK. 2018-03-19 17:31:58 +00:00			`Logger.debug("Could not validate, re-fetching user and trying one more time")`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00			`# Fetch user anew and try one more time`
			`with actor_id <- conn.params["actor"],`
			`{:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),`
			`{:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do`
			`validate_conn(conn, public_key)`
			`end`
			`end`
Add plug to validate signed http requests. 2017-12-12 09:17:21 +00:00			`else`
More logging for signature problems. 2018-02-24 16:36:26 +00:00			`e ->`
			`Logger.debug("Could not public key!")`
Don't validate on missing public key. 2018-03-11 13:47:37 +00:00			`false`
Add plug to validate signed http requests. 2017-12-12 09:17:21 +00:00			`end`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`end`

HTTPSig: Add method to validate conn 2017-12-11 09:37:40 +00:00			`def validate_conn(conn, public_key) do`
			`headers = Enum.into(conn.req_headers, %{})`
			`signature = split_signature(headers["signature"])`
			`validate(headers, signature, public_key)`
			`end`

Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`def build_signing_string(headers, used_headers) do`
			`used_headers`
More signature debugging. 2018-03-11 13:37:23 +00:00			`\|> Enum.map(fn header -> "#{header}: #{headers[header]}" end)`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`\|> Enum.join("\n")`
			`end`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00
			`def sign(user, headers) do`
			`with {:ok, %{info: %{"keys" => keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),`
			`{:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do`
			`sigstring = build_signing_string(headers, Map.keys(headers))`
More signature debugging. 2018-03-11 13:37:23 +00:00
			`signature =`
			`:public_key.sign(sigstring, :sha256, private_key)`
			`\|> Base.encode64()`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00
			`[`
			`keyId: user.ap_id <> "#main-key",`
			`algorithm: "rsa-sha256",`
			`headers: Map.keys(headers) \|> Enum.join(" "),`
			`signature: signature`
			`]`
More signature debugging. 2018-03-11 13:37:23 +00:00			`\|> Enum.map(fn {k, v} -> "#{k}=\"#{v}\"" end)`
ActivityPub: Basic note federation with Mastodon. 2018-02-11 19:43:33 +00:00			`\|> Enum.join(",")`
			`end`
			`end`
Start of HTTP Signatures. 2017-09-18 09:39:57 +00:00			`end`