afan
/
gitea
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
gitea源码
3 Commits
2 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gitea/routers/api/v1/activitypub/reqsignature.go

reqsignature.go 2.7KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. // Copyright 2022 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package activitypub

  5. 

  6. import (

  7. 	"crypto"

  8. 	"crypto/x509"

  9. 	"encoding/pem"

  10. 	"errors"

  11. 	"fmt"

  12. 	"io"

  13. 	"net/http"

  14. 	"net/url"

  15. 

  16. 	"code.gitea.io/gitea/modules/activitypub"

  17. 	"code.gitea.io/gitea/modules/httplib"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	gitea_context "code.gitea.io/gitea/services/context"

  20. 

  21. 	"github.com/42wim/httpsig"

  22. 	ap "github.com/go-ap/activitypub"

  23. )

  24. 

  25. func getPublicKeyFromResponse(b []byte, keyID *url.URL) (p crypto.PublicKey, err error) {

  26. 	person := ap.PersonNew(ap.IRI(keyID.String()))

  27. 	err = person.UnmarshalJSON(b)

  28. 	if err != nil {

  29. 		return nil, fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %w", err)

  30. 	}

  31. 	pubKey := person.PublicKey

  32. 	if pubKey.ID.String() != keyID.String() {

  33. 		return nil, fmt.Errorf("cannot find publicKey with id: %s in %s", keyID, string(b))

  34. 	}

  35. 	pubKeyPem := pubKey.PublicKeyPem

  36. 	block, _ := pem.Decode([]byte(pubKeyPem))

  37. 	if block == nil || block.Type != "PUBLIC KEY" {

  38. 		return nil, errors.New("could not decode publicKeyPem to PUBLIC KEY pem block type")

  39. 	}

  40. 	p, err = x509.ParsePKIXPublicKey(block.Bytes)

  41. 	return p, err

  42. }

  43. 

  44. func fetch(iri *url.URL) (b []byte, err error) {

  45. 	req := httplib.NewRequest(iri.String(), http.MethodGet)

  46. 	req.Header("Accept", activitypub.ActivityStreamsContentType)

  47. 	req.Header("User-Agent", "Gitea/"+setting.AppVer)

  48. 	resp, err := req.Response()

  49. 	if err != nil {

  50. 		return nil, err

  51. 	}

  52. 	defer resp.Body.Close()

  53. 

  54. 	if resp.StatusCode != http.StatusOK {

  55. 		return nil, fmt.Errorf("url IRI fetch [%s] failed with status (%d): %s", iri, resp.StatusCode, resp.Status)

  56. 	}

  57. 	b, err = io.ReadAll(io.LimitReader(resp.Body, setting.Federation.MaxSize))

  58. 	return b, err

  59. }

  60. 

  61. func verifyHTTPSignatures(ctx *gitea_context.APIContext) (authenticated bool, err error) {

  62. 	r := ctx.Req

  63. 

  64. 	// 1. Figure out what key we need to verify

  65. 	v, err := httpsig.NewVerifier(r)

  66. 	if err != nil {

  67. 		return false, err

  68. 	}

  69. 	ID := v.KeyId()

  70. 	idIRI, err := url.Parse(ID)

  71. 	if err != nil {

  72. 		return false, err

  73. 	}

  74. 	// 2. Fetch the public key of the other actor

  75. 	b, err := fetch(idIRI)

  76. 	if err != nil {

  77. 		return false, err

  78. 	}

  79. 	pubKey, err := getPublicKeyFromResponse(b, idIRI)

  80. 	if err != nil {

  81. 		return false, err

  82. 	}

  83. 	// 3. Verify the other actor's key

  84. 	algo := httpsig.Algorithm(setting.Federation.Algorithms[0])

  85. 	authenticated = v.Verify(pubKey, algo) == nil

  86. 	return authenticated, err

  87. }

  88. 

  89. // ReqHTTPSignature function

  90. func ReqHTTPSignature() func(ctx *gitea_context.APIContext) {

  91. 	return func(ctx *gitea_context.APIContext) {

  92. 		if authenticated, err := verifyHTTPSignatures(ctx); err != nil {

  93. 			ctx.APIErrorInternal(err)

  94. 		} else if !authenticated {

  95. 			ctx.APIError(http.StatusForbidden, "request signature verification failed")

  96. 		}

  97. 	}

  98. }