mirror of
https://github.com/mastodon/mastodon.git
synced 2025-01-17 15:47:15 +01:00
77 lines
2.4 KiB
Ruby
77 lines
2.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class Api::Fasp::BaseController < ApplicationController
|
|
class Error < ::StandardError; end
|
|
|
|
DIGEST_PATTERN = /sha-256=:(.*?):/
|
|
KEYID_PATTERN = /keyid="(.*?)"/
|
|
|
|
attr_reader :current_provider
|
|
|
|
skip_forgery_protection
|
|
|
|
before_action :require_authentication
|
|
after_action :sign_response
|
|
|
|
private
|
|
|
|
def require_authentication
|
|
validate_content_digest!
|
|
validate_signature!
|
|
rescue Error, Linzer::Error, ActiveRecord::RecordNotFound => e
|
|
logger.debug("FASP Authentication error: #{e}")
|
|
authentication_error
|
|
end
|
|
|
|
def authentication_error
|
|
respond_to do |format|
|
|
format.json { head 401 }
|
|
end
|
|
end
|
|
|
|
def validate_content_digest!
|
|
content_digest_header = request.headers['content-digest']
|
|
raise Error, 'content-digest missing' if content_digest_header.blank?
|
|
|
|
digest_received = content_digest_header.match(DIGEST_PATTERN)[1]
|
|
|
|
digest_computed = OpenSSL::Digest.base64digest('sha256', request.body&.string || '')
|
|
|
|
raise Error, 'content-digest does not match' if digest_received != digest_computed
|
|
end
|
|
|
|
def validate_signature!
|
|
signature_input = request.headers['signature-input']&.encode('UTF-8')
|
|
raise Error, 'signature-input is missing' if signature_input.blank?
|
|
|
|
keyid = signature_input.match(KEYID_PATTERN)[1]
|
|
provider = Fasp::Provider.find(keyid)
|
|
linzer_request = Linzer.new_request(
|
|
request.method,
|
|
request.original_url,
|
|
{},
|
|
{
|
|
'content-digest' => request.headers['content-digest'],
|
|
'signature-input' => signature_input,
|
|
'signature' => request.headers['signature'],
|
|
}
|
|
)
|
|
message = Linzer::Message.new(linzer_request)
|
|
key = Linzer.new_ed25519_public_key(provider.provider_public_key_raw, keyid)
|
|
signature = Linzer::Signature.build(message.headers)
|
|
Linzer.verify(key, message, signature)
|
|
@current_provider = provider
|
|
end
|
|
|
|
def sign_response
|
|
response.headers['content-digest'] = "sha-256=:#{OpenSSL::Digest.base64digest('sha256', response.body || '')}:"
|
|
|
|
linzer_response = Linzer.new_response(response.body, response.status, { 'content-digest' => response.headers['content-digest'] })
|
|
message = Linzer::Message.new(linzer_response)
|
|
key = Linzer.new_ed25519_key(current_provider.server_private_key.raw_private_key)
|
|
signature = Linzer.sign(key, message, %w(@status content-digest))
|
|
|
|
response.headers.merge!(signature.to_h)
|
|
end
|
|
end
|