about summary refs log tree commit diff
path: root/app/controllers/concerns/signature_verification.rb
AgeCommit message (Collapse)Author
2023-02-08Apply Rubocop Performance/RedundantSplitRegexpArgument (#23443)Nick Schonning
* Apply Rubocop Performance/RedundantSplitRegexpArgument * Update app/controllers/concerns/signature_verification.rb
2023-01-18Add more specific error messages to HTTP signature verification (#21617)Claire
* Return specific error on failure to parse Date header * Add error message when preferredUsername is not set * Change error report to be JSON and include more details * Change error report to differentiate unknown account and failed refresh * Add tests
2022-12-15Fix single name variables on controller folder (#20092)David Vega
Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: Effy Elden <effy@effy.space>
2022-09-21Refactor ActivityPub handling to prepare for non-Account actors (#19212)Claire
* Move ActivityPub::FetchRemoteAccountService to ActivityPub::FetchRemoteActorService ActivityPub::FetchRemoteAccountService is kept as a wrapper for when the actor is specifically required to be an Account * Refactor SignatureVerification to allow non-Account actors * fixup! Move ActivityPub::FetchRemoteAccountService to ActivityPub::FetchRemoteActorService * Refactor ActivityPub::FetchRemoteKeyService to potentially return non-Account actors * Refactor inbound ActivityPub payload processing to accept non-Account actors * Refactor inbound ActivityPub processing to accept activities relayed through non-Account * Refactor how Account key URIs are built * Refactor Request and drop unused key_id_format parameter * Rename ActivityPub::Dereferencer `signature_account` to `signature_actor`
2022-09-21Fix typo in SignatureVerification (#19209)Claire
Fix regression from #15605
2022-09-20Improve error reporting and logging when processing remote accounts (#15605)Claire
* Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
2021-02-26Fix crash on receiving requests with missing Digest header (#15782)Claire
* Fix crash on receiving requests with missing Digest header Return an error pointing out that Digest is missing, instead of crashing. Fixes #15743 * Fix from review feedback
2020-11-01Tweak signature verification (#15069)ThibG
* Add more specific error message when request body digest is invalid This may help other implementors debug their implementation. * Relax Host parameter requirement to GET requests The only POST requests processed by Mastodon need objects/actors (including their host) to be explicitly mentioned in the request's body, so replaying a legitimate request to another host should not be a security issue. * Support Digest headers using multiple algorithms or lowercase alogirthm names
2020-09-01Bump rubocop from 0.86.0 to 0.88.0 (#14412)dependabot[bot]
* Bump rubocop from 0.86.0 to 0.88.0 Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 0.86.0 to 0.88.0. - [Release notes](https://github.com/rubocop-hq/rubocop/releases) - [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.86.0...v0.88.0) Signed-off-by: dependabot[bot] <support@github.com> * Fix for latest RuboCop Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-08-24Add support for latest HTTP Signatures spec draft (#14556)ThibG
* Add support for latest HTTP Signatures spec draft https://www.ietf.org/id/draft-ietf-httpbis-message-signatures-00.html - add support for the “hs2019” signature algorithm (assumed to be equivalent to RSA-SHA256, since we do not have a mechanism to specify the algorithm within the key metadata yet) - add support for (created) and (expires) pseudo-headers and related signature parameters, when using the hs2019 signature algorithm - adjust default “headers” parameter while being backwards-compatible with previous implementation - change the acceptable time window logic from 12 hours surrounding the “date” header to accepting signatures created up to 1 hour in the future and expiring up to 1 hour in the past (but only allowing expiration dates up to 12 hours after the creation date) This doesn't conform with the current draft, as it doesn't permit accounting for clock skew. This, however, should be addressed in a next version of the draft: https://github.com/httpwg/http-extensions/pull/1235 * Add additional signature requirements * Rewrite signature params parsing using Parslet * Make apparent which signature algorithm Mastodon on verification failure Mastodon uses RSASSA-PKCS1-v1_5, which is not recommended for new applications, and new implementers may thus unknowingly use RSASSA-PSS. * Add workaround for PeerTube's invalid signature header The previous parser allowed incorrect Signature headers, such as those produced by old versions of the `http-signature` node.js package, and seemingly used by PeerTube. This commit adds a workaround for that. * Fix `signature_key_id` raising an exception Previously, parsing failures would result in `signature_key_id` being nil, but the parser changes made that result in an exception. This commit changes the `signature_key_id` method to return `nil` in case of parsing failures. * Move extra HTTP signature helper methods to private methods * Relax (request-target) requirement to (request-target) || digest This lets requests from Plume work without lowering security significantly.
2020-02-03Change signature verification to ignore signatures with invalid host (#13033)Eugen Rochko
Instead of returning a signature verification error, pretend there was no signature (i.e., this does not allow access to resources that need a valid signature), so public resources can still be fetched Fix #13011
2019-08-18Add HTTP signature keyId to request log (#11591)Eugen Rochko
2019-07-11Add ActivityPub secure mode (#11269)Eugen Rochko
* Add HTTP signature requirement for served ActivityPub resources * Change `SECURE_MODE` to `AUTHORIZED_FETCH` * Add 'Signature' to 'Vary' header and improve code style * Improve code style by adding `public_fetch_mode?` method
2019-07-09Refactor domain block checks (#11268)Eugen Rochko
2019-05-23Move signature verification stoplight to the requests themselves (#10813)ThibG
* Move signature verification stoplight to the requests themselves This avoids blocking messages from known keys for 5 minutes when only one fails… * Put the stoplight on the actual client IP, not a potential reverse proxy
2019-01-07Improvements to signature verification (#9667)ThibG
* Refactor signature verification a bit * Rescue signature verification if recorded public key is invalid Fixes #8822 * Always re-fetch AP signing key when HTTP Signature verification fails But when the account is not marked as stale, avoid fetching collections and media, and avoid webfinger round-trip. * Apply stoplight to key/account update as well as initial key retrieval
2018-12-26Fix signature verification stoplight triggering on non-timeout errors (#9617)Eugen Rochko
2018-11-08Reduce connect timeout limit and limit signature failures by source IP (#9236)Eugen Rochko
* Reduce connect timeout from 10s to 1s * Limit failing signature verifications per source IP
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-08Remove dead code (#8919)Eugen Rochko
SignatureVerification#matches_time_window? is not called anywhere.
2018-06-30Typo in signature verification failure logging (#7916)Marty McGuire
`@signature_verification_failure_reason` is used in most places but`@signed_verification_failure_reason` appears in two places. Likely those errors are not returned.
2018-05-17HTTP signatures spec no longer requires algorithms field (#7525)Eugen Rochko
Fix #7520
2018-01-22Rename ResolveRemoteAccountService to ResolveAccountService (#6327)Akihiko Odaki
The service used to be named ResolveRemoteAccountService resolves local accounts as well.
2017-10-04Validate id of ActivityPub representations (#5114)Akihiko Odaki
Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are.
2017-10-03Fix HTTP responses for salmon and ActivityPub inbox processing (#5200)ThibG
* Return sensible HTTP status for ActivityPub inbox processing * Return sensible HTTP status for salmon slap processing * Return additional information to debug signature verification failures
2017-09-28If HTTP signature is wrong and webfinger cache is stale, retry with resolve ↵Eugen Rochko
(#5129) If the signature could not be verified and the webfinger of the account was last retrieved longer than the cache period, try re-resolving the account and then attempting to verify the signature again
2017-08-21Support more variations of ActivityPub keyId in signature (#4630)Eugen Rochko
- Tries to avoid performing HTTP request if the keyId is an actor URI - Likewise if the URI is a fragment URI on top of actor URI - Resolves public key, returns owner if the owner links back to the key
2017-08-09Add Digest header to requests with body, handle acct and URI keyId (#4565)Eugen Rochko
2017-07-14HTTP signatures (#4146)Eugen Rochko
* Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug)