X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Factivitypub.ts;h=261b9f690981370a38affc1eb580c6d00acaca8e;hb=cffef25313bdf7a6c435f56ac6715fdd91acf7b3;hp=580606a68387067186565384432261e91d3f8f5d;hpb=8dc8a34ee8428e7657414115d1c137592efa174d;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 580606a68..261b9f690 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -1,12 +1,12 @@ import { NextFunction, Request, Response } from 'express' -import { ActivityDelete, ActivityPubSignature } from '../../shared' +import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' +import { getAPId } from '@server/lib/activitypub/activity' +import { wrapWithSpanAndContext } from '@server/lib/opentelemetry/tracing' +import { ActivityDelete, ActivityPubSignature, HttpStatusCode } from '@shared/models' import { logger } from '../helpers/logger' import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers/constants' -import { getOrCreateActorAndServerAndModel } from '../lib/activitypub/actor' -import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' -import { isActorDeleteActivityValid } from '@server/helpers/custom-validators/activitypub/actor' -import { getAPId } from '@server/helpers/activitypub' +import { getOrCreateAPActor, loadActorUrlOrGetFromWebfinger } from '../lib/activitypub/actors' async function checkSignature (req: Request, res: Response, next: NextFunction) { try { @@ -28,11 +28,14 @@ async function checkSignature (req: Request, res: Response, next: NextFunction) const activity: ActivityDelete = req.body if (isActorDeleteActivityValid(activity) && activity.object === activity.actor) { logger.debug('Handling signature error on actor delete activity', { err }) - return res.sendStatus(204) + return res.status(HttpStatusCode.NO_CONTENT_204).end() } logger.warn('Error in ActivityPub signature checker.', { err }) - return res.sendStatus(403) + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'ActivityPub signature could not be checked' + }) } } @@ -59,63 +62,95 @@ export { // --------------------------------------------------------------------------- async function checkHttpSignature (req: Request, res: Response) { - // FIXME: compatibility with http-signature < v1.3 - const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string - if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') - - const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) + return wrapWithSpanAndContext('peertube.activitypub.checkHTTPSignature', async () => { + // FIXME: compatibility with http-signature < v1.3 + const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string + if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '') + + let parsed: any + + try { + parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS) + } catch (err) { + logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err }) + + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: err.message + }) + return false + } - const keyId = parsed.keyId - if (!keyId) { - res.sendStatus(403) - return false - } + const keyId = parsed.keyId + if (!keyId) { + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Invalid key ID', + data: { + keyId + } + }) + return false + } - logger.debug('Checking HTTP signature of actor %s...', keyId) + logger.debug('Checking HTTP signature of actor %s...', keyId) - let [ actorUrl ] = keyId.split('#') - if (actorUrl.startsWith('acct:')) { - actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) - } + let [ actorUrl ] = keyId.split('#') + if (actorUrl.startsWith('acct:')) { + actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) + } - const actor = await getOrCreateActorAndServerAndModel(actorUrl) + const actor = await getOrCreateAPActor(actorUrl) - const verified = isHTTPSignatureVerified(parsed, actor) - if (verified !== true) { - logger.warn('Signature from %s is invalid', actorUrl, { parsed }) + const verified = isHTTPSignatureVerified(parsed, actor) + if (verified !== true) { + logger.warn('Signature from %s is invalid', actorUrl, { parsed }) - res.sendStatus(403) - return false - } - - res.locals.signature = { actor } + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Invalid signature', + data: { + actorUrl + } + }) + return false + } - return true + res.locals.signature = { actor } + return true + }) } async function checkJsonLDSignature (req: Request, res: Response) { - const signatureObject: ActivityPubSignature = req.body.signature - - if (!signatureObject || !signatureObject.creator) { - res.sendStatus(403) - return false - } - - const [ creator ] = signatureObject.creator.split('#') + return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => { + const signatureObject: ActivityPubSignature = req.body.signature + + if (!signatureObject?.creator) { + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Object and creator signature do not match' + }) + return false + } - logger.debug('Checking JsonLD signature of actor %s...', creator) + const [ creator ] = signatureObject.creator.split('#') - const actor = await getOrCreateActorAndServerAndModel(creator) - const verified = await isJsonLDSignatureVerified(actor, req.body) + logger.debug('Checking JsonLD signature of actor %s...', creator) - if (verified !== true) { - logger.warn('Signature not verified.', req.body) + const actor = await getOrCreateAPActor(creator) + const verified = await isJsonLDSignatureVerified(actor, req.body) - res.sendStatus(403) - return false - } + if (verified !== true) { + logger.warn('Signature not verified.', req.body) - res.locals.signature = { actor } + res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Signature could not be verified' + }) + return false + } - return true + res.locals.signature = { actor } + return true + }) }