mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-07-07 09:55:41 +02:00
Some checks are pending
/ release (push) Waiting to run
testing-integration / test-unit (push) Waiting to run
testing-integration / test-sqlite (push) Waiting to run
testing / backend-checks (push) Waiting to run
testing / frontend-checks (push) Waiting to run
testing / test-unit (push) Blocked by required conditions
testing / test-e2e (push) Blocked by required conditions
testing / test-remote-cacher (redis) (push) Blocked by required conditions
testing / test-remote-cacher (valkey) (push) Blocked by required conditions
testing / test-remote-cacher (garnet) (push) Blocked by required conditions
testing / test-remote-cacher (redict) (push) Blocked by required conditions
testing / test-mysql (push) Blocked by required conditions
testing / test-pgsql (push) Blocked by required conditions
testing / test-sqlite (push) Blocked by required conditions
testing / security-check (push) Blocked by required conditions
This PR is part of https://codeberg.org/forgejo/forgejo/pulls/4767 It improves the signature handling: 1. move logic to a service (might be used from other services as well) 2. make a clear difference between ` ReqHTTPUserSignature` and `ReqHTTPUserOrInstanceSignature` 3. improve test ability (activitypub/client & distant_federation_server_mock Adjust instance actor 1. name & 2. webfinger ## Strategy for next PRs is Integration tests are in the driving seat. I will step by step add integration tests form original PR and add code required by the integration test changes. ## Meta Proposal howto process large PRs can be discussed here: https://codeberg.org/forgejo-contrib/federation/pulls/37 Current state with rendered diagrams can be found here: https://codeberg.org/meissa/federation/src/branch/merge-large-pr/doc/merge-large-pr.md Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8275 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de> Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
94 lines
2.6 KiB
Go
94 lines
2.6 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package activitypub
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/setting"
|
|
gitea_context "forgejo.org/services/context"
|
|
"forgejo.org/services/federation"
|
|
|
|
"github.com/42wim/httpsig"
|
|
)
|
|
|
|
func verifyHTTPUserOrInstanceSignature(ctx *gitea_context.APIContext) (authenticated bool, err error) {
|
|
if !setting.Federation.SignatureEnforced {
|
|
return true, nil
|
|
}
|
|
|
|
r := ctx.Req
|
|
|
|
// 1. Figure out what key we need to verify
|
|
v, err := httpsig.NewVerifier(r)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
|
|
pubKey, err := federation.FindOrCreateFederatedUserKey(ctx.Base, v.KeyId())
|
|
if err != nil || pubKey == nil {
|
|
pubKey, err = federation.FindOrCreateFederationHostKey(ctx.Base, v.KeyId())
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
}
|
|
|
|
err = v.Verify(pubKey, signatureAlgorithm)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
func verifyHTTPUserSignature(ctx *gitea_context.APIContext) (authenticated bool, err error) {
|
|
if !setting.Federation.SignatureEnforced {
|
|
return true, nil
|
|
}
|
|
|
|
r := ctx.Req
|
|
|
|
// 1. Figure out what key we need to verify
|
|
v, err := httpsig.NewVerifier(r)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
|
|
pubKey, err := federation.FindOrCreateFederatedUserKey(ctx.Base, v.KeyId())
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
err = v.Verify(pubKey, signatureAlgorithm)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// ReqHTTPSignature function
|
|
func ReqHTTPUserOrInstanceSignature() func(ctx *gitea_context.APIContext) {
|
|
return func(ctx *gitea_context.APIContext) {
|
|
if authenticated, err := verifyHTTPUserOrInstanceSignature(ctx); err != nil {
|
|
log.Warn("verifyHttpSignatures failed: %v", err)
|
|
ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
|
|
} else if !authenticated {
|
|
ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
|
|
}
|
|
}
|
|
}
|
|
|
|
// ReqHTTPSignature function
|
|
func ReqHTTPUserSignature() func(ctx *gitea_context.APIContext) {
|
|
return func(ctx *gitea_context.APIContext) {
|
|
if authenticated, err := verifyHTTPUserSignature(ctx); err != nil {
|
|
log.Warn("verifyHttpSignatures failed: %v", err)
|
|
ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
|
|
} else if !authenticated {
|
|
ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
|
|
}
|
|
}
|
|
}
|