magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

slightly optimize request signing/verifying

Browse source 
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk 2024-10-29 23:31:53 +00:00
parent ed76797b55
commit a7cb1c5951
2 changed files with 86 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

40
src/api/router/auth.rs
View file

@ -220,20 +220,32 @@ async fn auth_server(services: &Services, request: &mut Request, body: Option<&C
.expect("all requests have a path") .expect("all requests have a path")
.to_string(); .to_string();
let signature: [Member; 1] = [(x_matrix.key.to_string(), Value::String(x_matrix.sig.to_string()))]; let signature: [Member; 1] = [(x_matrix.key.as_str().into(), Value::String(x_matrix.sig.to_string()))];
let signatures: [Member; 1] = [(origin.to_string(), Value::Object(signature.into()))];
let authorization: [Member; 5] = [
("destination".into(), Value::String(destination.into())),
("method".into(), Value::String(request.parts.method.to_string())),
("origin".into(), Value::String(origin.to_string())),
("signatures".into(), Value::Object(signatures.into())),
("uri".into(), Value::String(signature_uri)),
];
let mut authorization: Object = authorization.into(); let signatures: [Member; 1] = [(origin.as_str().into(), Value::Object(signature.into()))];
if let Some(body) = body {
authorization.insert("content".to_owned(), body.clone()); let authorization: Object = if let Some(body) = body.cloned() {
} let authorization: [Member; 6] = [
("content".into(), body),
("destination".into(), Value::String(destination.into())),
("method".into(), Value::String(request.parts.method.as_str().into())),
("origin".into(), Value::String(origin.as_str().into())),
("signatures".into(), Value::Object(signatures.into())),
("uri".into(), Value::String(signature_uri)),
];
authorization.into()
} else {
let authorization: [Member; 5] = [
("destination".into(), Value::String(destination.into())),
("method".into(), Value::String(request.parts.method.as_str().into())),
("origin".into(), Value::String(origin.as_str().into())),
("signatures".into(), Value::Object(signatures.into())),
("uri".into(), Value::String(signature_uri)),
];
authorization.into()
};
let key = services let key = services
.server_keys .server_keys
@ -242,7 +254,7 @@ async fn auth_server(services: &Services, request: &mut Request, body: Option<&C
.map_err(|e| err!(Request(Forbidden(warn!("Failed to fetch signing keys: {e}")))))?; .map_err(|e| err!(Request(Forbidden(warn!("Failed to fetch signing keys: {e}")))))?;
let keys: PubKeys = [(x_matrix.key.to_string(), key.key)].into(); let keys: PubKeys = [(x_matrix.key.to_string(), key.key)].into();
let keys: PubKeyMap = [(origin.to_string(), keys)].into(); let keys: PubKeyMap = [(origin.as_str().into(), keys)].into();
if let Err(e) = ruma::signatures::verify_json(&keys, authorization) { if let Err(e) = ruma::signatures::verify_json(&keys, authorization) {
debug_error!("Failed to verify federation request from {origin}: {e}"); debug_error!("Failed to verify federation request from {origin}: {e}");
if request.parts.uri.to_string().contains('@') { if request.parts.uri.to_string().contains('@') {

117
src/service/sending/send.rs
View file

@ -14,7 +14,7 @@ use ruma::{
}, },
serde::Base64, serde::Base64,
server_util::authorization::XMatrix, server_util::authorization::XMatrix,
ServerName, CanonicalJsonObject, CanonicalJsonValue, ServerName, ServerSigningKeyId,
}; };
use crate::{ use crate::{
@ -74,7 +74,7 @@ impl super::Service {
.try_into_http_request::<Vec<u8>>(actual.string().as_str(), SATIR, &VERSIONS) .try_into_http_request::<Vec<u8>>(actual.string().as_str(), SATIR, &VERSIONS)
.map_err(|e| err!(BadServerResponse("Invalid destination: {e:?}")))?; .map_err(|e| err!(BadServerResponse("Invalid destination: {e:?}")))?;
self.sign_request::<T>(dest, &mut http_request); self.sign_request(&mut http_request, dest);
let request = Request::try_from(http_request)?; let request = Request::try_from(http_request)?;
self.validate_url(request.url())?; self.validate_url(request.url())?;
@ -178,68 +178,71 @@ where
} }
#[implement(super::Service)] #[implement(super::Service)]
fn sign_request<T>(&self, dest: &ServerName, http_request: &mut http::Request<Vec<u8>>) fn sign_request(&self, http_request: &mut http::Request<Vec<u8>>, dest: &ServerName) {
where type Member = (String, Value);
T: OutgoingRequest + Debug + Send, type Value = CanonicalJsonValue;
{ type Object = CanonicalJsonObject;
let mut req_map = serde_json::Map::with_capacity(8);
if !http_request.body().is_empty() { let origin = self.services.globals.server_name();
req_map.insert( let body = http_request.body();
"content".to_owned(), let uri = http_request
serde_json::from_slice(http_request.body()).expect("body is valid json, we just created it"), .uri()
); .path_and_query()
.expect("http::Request missing path_and_query");
let mut req: Object = if !body.is_empty() {
let content: CanonicalJsonValue = serde_json::from_slice(body).expect("failed to serialize body");
let authorization: [Member; 5] = [
("content".into(), content),
("destination".into(), dest.as_str().into()),
("method".into(), http_request.method().as_str().into()),
("origin".into(), origin.as_str().into()),
("uri".into(), uri.to_string().into()),
];
authorization.into()
} else {
let authorization: [Member; 4] = [
("destination".into(), dest.as_str().into()),
("method".into(), http_request.method().as_str().into()),
("origin".into(), origin.as_str().into()),
("uri".into(), uri.to_string().into()),
];
authorization.into()
}; };
req_map.insert("method".to_owned(), T::METADATA.method.to_string().into());
req_map.insert(
"uri".to_owned(),
http_request
.uri()
.path_and_query()
.expect("all requests have a path")
.to_string()
.into(),
);
req_map.insert("origin".to_owned(), self.services.globals.server_name().to_string().into());
req_map.insert("destination".to_owned(), dest.as_str().into());
let mut req_json = serde_json::from_value(req_map.into()).expect("valid JSON is valid BTreeMap");
self.services self.services
.server_keys .server_keys
.sign_json(&mut req_json) .sign_json(&mut req)
.expect("our request json is what ruma expects"); .expect("request signing failed");
let req_json: serde_json::Map<String, serde_json::Value> = let signatures = req["signatures"]
serde_json::from_slice(&serde_json::to_vec(&req_json).unwrap()).unwrap();
let signatures = req_json["signatures"]
.as_object() .as_object()
.expect("signatures object") .and_then(|object| object[origin.as_str()].as_object())
.expect("origin signatures object");
let key: &ServerSigningKeyId = signatures
.keys()
.next()
.map(|k| k.as_str().try_into())
.expect("at least one signature from this origin")
.expect("keyid is json string");
let sig: Base64 = signatures
.values() .values()
.map(|v| { .next()
v.as_object() .map(|s| s.as_str().map(Base64::parse))
.expect("server signatures object") .expect("at least one signature from this origin")
.iter() .expect("signature is json string")
.map(|(k, v)| (k, v.as_str().expect("server signature string"))) .expect("signature is valid base64");
});
for signature_server in signatures { let x_matrix = XMatrix::new(origin.into(), dest.into(), key.into(), sig);
for s in signature_server { let authorization = HeaderValue::from(&x_matrix);
let key = let authorization = http_request
s.0.as_str() .headers_mut()
.try_into() .insert(AUTHORIZATION, authorization);
.expect("valid homeserver signing key ID");
let sig = Base64::parse(s.1).expect("valid base64");
http_request.headers_mut().insert( debug_assert!(authorization.is_none(), "Authorization header already present");
AUTHORIZATION,
HeaderValue::from(&XMatrix::new(
self.services.globals.server_name().to_owned(),
dest.to_owned(),
key,
sig,
)),
);
}
}
} }