microblog.pub/app/httpsig.py

import base64
import hashlib
import json
import typing
from dataclasses import dataclass
from datetime import datetime
from datetime import timedelta
from datetime import timezone
from typing import Any
from typing import Dict
from typing import MutableMapping
from typing import Optional
from urllib.parse import urlparse

import fastapi
import httpx
from cachetools import LFUCache
from Crypto.Hash import SHA256
from Crypto.Signature import PKCS1_v1_5
from dateutil.parser import parse
from loguru import logger
from sqlalchemy import select

from app import activitypub as ap
from app import config
from app.config import KEY_PATH
from app.database import AsyncSession
from app.database import get_db_session
from app.key import Key
from app.utils.datetime import now
from app.utils.url import is_hostname_blocked

_KEY_CACHE: MutableMapping[str, Key] = LFUCache(256)


def _build_signed_string(
    signed_headers: str,
    method: str,
    path: str,
    headers: Any,
    body_digest: str | None,
    sig_data: dict[str, Any],
) -> tuple[str, datetime | None]:
    signature_date: datetime | None = None
    out = []
    for signed_header in signed_headers.split(" "):
        if signed_header == "(created)":
            signature_date = datetime.fromtimestamp(int(sig_data["created"])).replace(
                tzinfo=timezone.utc
            )
        elif signed_header == "date":
            signature_date = parse(headers["date"])

        if signed_header == "(request-target)":
            out.append("(request-target): " + method.lower() + " " + path)
        elif signed_header == "digest" and body_digest:
            out.append("digest: " + body_digest)
        elif signed_header in ["(created)", "(expires)"]:
            out.append(
                signed_header
                + ": "
                + sig_data[signed_header[1 : len(signed_header) - 1]]
            )
        else:
            out.append(signed_header + ": " + headers[signed_header])
    return "\n".join(out), signature_date


def _parse_sig_header(val: Optional[str]) -> Optional[Dict[str, str]]:
    if not val:
        return None
    out = {}
    for data in val.split(","):
        k, v = data.split("=", 1)
        out[k] = v[1 : len(v) - 1]  # noqa: black conflict
    return out


def _verify_h(signed_string, signature, pubkey):
    signer = PKCS1_v1_5.new(pubkey)
    digest = SHA256.new()
    digest.update(signed_string.encode("utf-8"))
    return signer.verify(digest, signature)


def _body_digest(body: bytes) -> str:
    h = hashlib.new("sha256")
    h.update(body)  # type: ignore
    return "SHA-256=" + base64.b64encode(h.digest()).decode("utf-8")


async def _get_public_key(
    db_session: AsyncSession,
    key_id: str,
    should_skip_cache: bool = False,
) -> Key:
    if not should_skip_cache and (cached_key := _KEY_CACHE.get(key_id)):
        logger.info(f"Key {key_id} found in cache")
        return cached_key

    # Check if the key belongs to an actor already in DB
    from app import models

    existing_actor = (
        await db_session.scalars(
            select(models.Actor).where(models.Actor.ap_id == key_id.split("#")[0])
        )
    ).one_or_none()
    if not should_skip_cache:
        if existing_actor and existing_actor.public_key_id == key_id:
            k = Key(existing_actor.ap_id, key_id)
            k.load_pub(existing_actor.public_key_as_pem)
            logger.info(f"Found {key_id} on an existing actor")
            _KEY_CACHE[key_id] = k
            return k

    # Fetch it
    from app import activitypub as ap
    from app.actor import RemoteActor
    from app.actor import update_actor_if_needed

    # Without signing the request as if it's the first contact, the 2 servers
    # might race to fetch each other key
    try:
        actor = await ap.fetch(key_id, disable_httpsig=True)
    except ap.ObjectUnavailableError:
        actor = await ap.fetch(key_id, disable_httpsig=False)

    if actor["type"] == "Key":
        # The Key is not embedded in the Person
        k = Key(actor["owner"], actor["id"])
        k.load_pub(actor["publicKeyPem"])
    else:
        k = Key(actor["id"], actor["publicKey"]["id"])
        k.load_pub(actor["publicKey"]["publicKeyPem"])

    # Ensure the right key was fetch
    # TODO: some server have the key ID `http://` but fetching it return `https`
    if key_id not in [k.key_id(), k.owner]:
        raise ValueError(
            f"failed to fetch requested key {key_id}: got {actor['publicKey']}"
        )

    if should_skip_cache and actor["type"] != "Key" and existing_actor:
        # We had to skip the cache, which means the actor key probably changed
        # and we want to update our cached version
        await update_actor_if_needed(db_session, existing_actor, RemoteActor(actor))
        await db_session.commit()

    _KEY_CACHE[key_id] = k
    return k


@dataclass(frozen=True)
class HTTPSigInfo:
    has_valid_signature: bool
    signed_by_ap_actor_id: str | None = None

    is_ap_actor_gone: bool = False
    is_unsupported_algorithm: bool = False
    is_expired: bool = False
    is_from_blocked_server: bool = False

    server: str | None = None


async def httpsig_checker(
    request: fastapi.Request,
    db_session: AsyncSession = fastapi.Depends(get_db_session),
) -> HTTPSigInfo:
    body = await request.body()

    hsig = _parse_sig_header(request.headers.get("Signature"))
    if not hsig:
        logger.info("No HTTP signature found")
        return HTTPSigInfo(has_valid_signature=False)

    try:
        key_id = hsig["keyId"]
    except KeyError:
        logger.info("Missing keyId")
        return HTTPSigInfo(
            has_valid_signature=False,
        )

    server = urlparse(key_id).hostname
    if is_hostname_blocked(server):
        return HTTPSigInfo(
            has_valid_signature=False,
            server=server,
            is_from_blocked_server=True,
        )

    if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]:
        logger.info(f"Unsupported HTTP sig algorithm: {alg}")
        return HTTPSigInfo(
            has_valid_signature=False,
            is_unsupported_algorithm=True,
            server=server,
        )

    # Try to drop Delete activity spams early on, this prevent making an extra
    # HTTP requests trying to fetch an unavailable actor to verify the HTTP sig
    try:
        if request.method == "POST" and request.url.path.endswith("/inbox"):
            from app import models  # TODO: solve this circular import

            activity = json.loads(body)
            actor_id = ap.get_id(activity["actor"])
            if (
                ap.as_list(activity["type"])[0] == "Delete"
                and actor_id == ap.get_id(activity["object"])
                and not (
                    await db_session.scalars(
                        select(models.Actor).where(
                            models.Actor.ap_id == actor_id,
                        )
                    )
                ).one_or_none()
            ):
                logger.info(f"Dropping Delete activity early for {body=}")
                raise fastapi.HTTPException(status_code=202)
    except fastapi.HTTPException as http_exc:
        raise http_exc
    except Exception:
        logger.exception("Failed to check for Delete spam")

    # logger.debug(f"hsig={hsig}")
    signed_string, signature_date = _build_signed_string(
        hsig["headers"],
        request.method,
        request.url.path,
        request.headers,
        _body_digest(body) if body else None,
        hsig,
    )

    # Sanity checks on the signature date
    if signature_date is None or now() - signature_date > timedelta(hours=12):
        logger.info(f"Signature expired: {signature_date=}")
        return HTTPSigInfo(
            has_valid_signature=False,
            is_expired=True,
            server=server,
        )

    try:
        k = await _get_public_key(db_session, hsig["keyId"])
    except (ap.ObjectIsGoneError, ap.ObjectNotFoundError):
        logger.info("Actor is gone or not found")
        return HTTPSigInfo(has_valid_signature=False, is_ap_actor_gone=True)
    except Exception:
        logger.exception(f'Failed to fetch HTTP sig key {hsig["keyId"]}')
        return HTTPSigInfo(has_valid_signature=False)

    has_valid_signature = _verify_h(
        signed_string, base64.b64decode(hsig["signature"]), k.pubkey
    )

    # If the signature is not valid, we may have to update the cached actor
    if not has_valid_signature:
        logger.info("Invalid signature, trying to refresh actor")
        try:
            k = await _get_public_key(db_session, hsig["keyId"], should_skip_cache=True)
            has_valid_signature = _verify_h(
                signed_string, base64.b64decode(hsig["signature"]), k.pubkey
            )
        except Exception:
            logger.exception("Failed to refresh actor")

    httpsig_info = HTTPSigInfo(
        has_valid_signature=has_valid_signature,
        signed_by_ap_actor_id=k.owner,
        server=server,
    )
    logger.info(f"Valid HTTP signature for {httpsig_info.signed_by_ap_actor_id}")
    return httpsig_info


async def enforce_httpsig(
    request: fastapi.Request,
    httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker),
) -> HTTPSigInfo:
    """FastAPI Depends"""
    if httpsig_info.is_from_blocked_server:
        logger.warning(f"{httpsig_info.server} is blocked")
        raise fastapi.HTTPException(status_code=403, detail="Blocked")

    if not httpsig_info.has_valid_signature:
        logger.warning(f"Invalid HTTP sig {httpsig_info=}")
        body = await request.body()
        logger.info(f"{body=}")

        # Special case for Mastoodon instance that keep resending Delete
        # activities for actor we don't know about if we raise a 401
        if httpsig_info.is_ap_actor_gone:
            logger.info("Let's make Mastodon happy, returning a 202")
            raise fastapi.HTTPException(status_code=202)

        detail = "Invalid HTTP sig"
        if httpsig_info.is_unsupported_algorithm:
            detail = "Unsupported signature algorithm, must be rsa-sha256 or hs2019"
        elif httpsig_info.is_expired:
            detail = "Signature expired"

        raise fastapi.HTTPException(status_code=401, detail=detail)

    return httpsig_info


class HTTPXSigAuth(httpx.Auth):
    def __init__(self, key: Key) -> None:
        self.key = key

    def auth_flow(
        self, r: httpx.Request
    ) -> typing.Generator[httpx.Request, httpx.Response, None]:
        logger.info(f"keyid={self.key.key_id()}")

        bodydigest = None
        if r.content:
            bh = hashlib.new("sha256")
            bh.update(r.content)
            bodydigest = "SHA-256=" + base64.b64encode(bh.digest()).decode("utf-8")

        date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")
        r.headers["Date"] = date
        if bodydigest:
            r.headers["Digest"] = bodydigest
            sigheaders = "(request-target) user-agent host date digest content-type"
        else:
            sigheaders = "(request-target) user-agent host date accept"

        to_be_signed, _ = _build_signed_string(
            sigheaders, r.method, r.url.path, r.headers, bodydigest, {}
        )
        if not self.key.privkey:
            raise ValueError("Should never happen")
        signer = PKCS1_v1_5.new(self.key.privkey)
        digest = SHA256.new()
        digest.update(to_be_signed.encode("utf-8"))
        sig = base64.b64encode(signer.sign(digest)).decode()

        key_id = self.key.key_id()
        sig_value = f'keyId="{key_id}",algorithm="rsa-sha256",headers="{sigheaders}",signature="{sig}"'  # noqa: E501
        logger.debug(f"signed request {sig_value=}")
        r.headers["Signature"] = sig_value
        yield r


k = Key(config.ID, f"{config.ID}#main-key")
k.load(KEY_PATH.read_text())
auth = HTTPXSigAuth(k)
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`import base64`
			`import hashlib`
Hack in HTTP sig to drop Delete requests early on 2022-11-21 20:43:12 +00:00			`import json`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`import typing`
			`from dataclasses import dataclass`
			`from datetime import datetime`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`from datetime import timedelta`
			`from datetime import timezone`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from typing import Any`
			`from typing import Dict`
Improve caching (HTTP sig and thumbnails) 2022-06-30 07:43:28 +00:00			`from typing import MutableMapping`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from typing import Optional`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`from urllib.parse import urlparse`
Initial commit for new v2 2022-06-22 18:11:22 +00:00
			`import fastapi`
			`import httpx`
Improve caching 2022-06-30 07:25:13 +00:00			`from cachetools import LFUCache`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from Crypto.Hash import SHA256`
			`from Crypto.Signature import PKCS1_v1_5`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`from dateutil.parser import parse`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from loguru import logger`
Improve caching 2022-06-30 07:25:13 +00:00			`from sqlalchemy import select`
Initial commit for new v2 2022-06-22 18:11:22 +00:00
First shot at parsing replies tree 2022-06-24 20:41:43 +00:00			`from app import activitypub as ap`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from app import config`
Fix config wizard 2022-07-04 18:25:27 +00:00			`from app.config import KEY_PATH`
Improve caching 2022-06-30 07:25:13 +00:00			`from app.database import AsyncSession`
			`from app.database import get_db_session`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from app.key import Key`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`from app.utils.datetime import now`
Blocking server also blocks subdomains 2022-12-04 10:51:52 +00:00			`from app.utils.url import is_hostname_blocked`
Initial commit for new v2 2022-06-22 18:11:22 +00:00
Improve caching (HTTP sig and thumbnails) 2022-06-30 07:43:28 +00:00			`_KEY_CACHE: MutableMapping[str, Key] = LFUCache(256)`
Improve caching 2022-06-30 07:25:13 +00:00
Initial commit for new v2 2022-06-22 18:11:22 +00:00
			`def _build_signed_string(`
Add support for hs2019 HTTP sig 2022-07-20 18:29:49 +00:00			`signed_headers: str,`
			`method: str,`
			`path: str,`
			`headers: Any,`
			`body_digest: str \| None,`
			`sig_data: dict[str, Any],`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`) -> tuple[str, datetime \| None]:`
			`signature_date: datetime \| None = None`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`out = []`
			`for signed_header in signed_headers.split(" "):`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`if signed_header == "(created)":`
			`signature_date = datetime.fromtimestamp(int(sig_data["created"])).replace(`
			`tzinfo=timezone.utc`
			`)`
			`elif signed_header == "date":`
			`signature_date = parse(headers["date"])`

Initial commit for new v2 2022-06-22 18:11:22 +00:00			`if signed_header == "(request-target)":`
			`out.append("(request-target): " + method.lower() + " " + path)`
			`elif signed_header == "digest" and body_digest:`
			`out.append("digest: " + body_digest)`
Add support for hs2019 HTTP sig 2022-07-20 18:29:49 +00:00			`elif signed_header in ["(created)", "(expires)"]:`
			`out.append(`
			`signed_header`
			`+ ": "`
			`+ sig_data[signed_header[1 : len(signed_header) - 1]]`
			`)`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`else:`
			`out.append(signed_header + ": " + headers[signed_header])`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`return "\n".join(out), signature_date`
Initial commit for new v2 2022-06-22 18:11:22 +00:00

			`def _parse_sig_header(val: Optional[str]) -> Optional[Dict[str, str]]:`
			`if not val:`
			`return None`
			`out = {}`
			`for data in val.split(","):`
			`k, v = data.split("=", 1)`
			`out[k] = v[1 : len(v) - 1] # noqa: black conflict`
			`return out`


			`def _verify_h(signed_string, signature, pubkey):`
			`signer = PKCS1_v1_5.new(pubkey)`
			`digest = SHA256.new()`
			`digest.update(signed_string.encode("utf-8"))`
			`return signer.verify(digest, signature)`


			`def _body_digest(body: bytes) -> str:`
			`h = hashlib.new("sha256")`
			`h.update(body) # type: ignore`
			`return "SHA-256=" + base64.b64encode(h.digest()).decode("utf-8")`


Support actor refresh while checking HTTP sig 2022-10-07 10:05:28 +00:00			`async def _get_public_key(`
			`db_session: AsyncSession,`
			`key_id: str,`
			`should_skip_cache: bool = False,`
			`) -> Key:`
			`if not should_skip_cache and (cached_key := _KEY_CACHE.get(key_id)):`
Tweak logging 2022-07-15 11:05:08 +00:00			`logger.info(f"Key {key_id} found in cache")`
Improve caching 2022-06-30 07:25:13 +00:00			`return cached_key`

			`# Check if the key belongs to an actor already in DB`
			`from app import models`
Improve caching (HTTP sig and thumbnails) 2022-06-30 07:43:28 +00:00
Improve caching 2022-06-30 07:25:13 +00:00			`existing_actor = (`
			`await db_session.scalars(`
			`select(models.Actor).where(models.Actor.ap_id == key_id.split("#")[0])`
			`)`
			`).one_or_none()`
Support actor refresh while checking HTTP sig 2022-10-07 10:05:28 +00:00			`if not should_skip_cache:`
			`if existing_actor and existing_actor.public_key_id == key_id:`
			`k = Key(existing_actor.ap_id, key_id)`
			`k.load_pub(existing_actor.public_key_as_pem)`
			`logger.info(f"Found {key_id} on an existing actor")`
			`_KEY_CACHE[key_id] = k`
			`return k`
Improve caching 2022-06-30 07:25:13 +00:00
			`# Fetch it`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`from app import activitypub as ap`
Tweak HTTP sig handling 2022-10-07 17:00:18 +00:00			`from app.actor import RemoteActor`
More actor refresh improvements 2022-10-09 09:36:00 +00:00			`from app.actor import update_actor_if_needed`
Initial commit for new v2 2022-06-22 18:11:22 +00:00
Tweak HTTPsig 2022-07-14 17:43:02 +00:00			`# Without signing the request as if it's the first contact, the 2 servers`
			`# might race to fetch each other key`
Tweak key fetching 2022-07-18 19:02:46 +00:00			`try:`
			`actor = await ap.fetch(key_id, disable_httpsig=True)`
Improve fetch 2022-09-12 06:04:16 +00:00			`except ap.ObjectUnavailableError:`
			`actor = await ap.fetch(key_id, disable_httpsig=False)`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`if actor["type"] == "Key":`
			`# The Key is not embedded in the Person`
			`k = Key(actor["owner"], actor["id"])`
			`k.load_pub(actor["publicKeyPem"])`
			`else:`
			`k = Key(actor["id"], actor["publicKey"]["id"])`
			`k.load_pub(actor["publicKey"]["publicKeyPem"])`

			`# Ensure the right key was fetch`
Improve debug mode 2022-08-28 09:24:46 +00:00			# TODO: some server have the key ID `http://` but fetching it return `https`
Tweak HTTP sig key fetching 2022-07-10 17:29:36 +00:00			`if key_id not in [k.key_id(), k.owner]:`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`raise ValueError(`
Tweak HTTP sig key fetching 2022-07-10 17:29:36 +00:00			`f"failed to fetch requested key {key_id}: got {actor['publicKey']}"`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`)`

More actor refresh improvements 2022-10-09 09:36:00 +00:00			`if should_skip_cache and actor["type"] != "Key" and existing_actor:`
Support actor refresh while checking HTTP sig 2022-10-07 10:05:28 +00:00			`# We had to skip the cache, which means the actor key probably changed`
			`# and we want to update our cached version`
More actor refresh improvements 2022-10-09 09:36:00 +00:00			`await update_actor_if_needed(db_session, existing_actor, RemoteActor(actor))`
Support actor refresh while checking HTTP sig 2022-10-07 10:05:28 +00:00			`await db_session.commit()`

Improve caching 2022-06-30 07:25:13 +00:00			`_KEY_CACHE[key_id] = k`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`return k`


			`@dataclass(frozen=True)`
			`class HTTPSigInfo:`
			`has_valid_signature: bool`
			`signed_by_ap_actor_id: str \| None = None`
Tweak HTTP sig handling for blocked servers 2022-08-18 20:42:00 +00:00
Add support for forwarding activities 2022-07-06 17:04:38 +00:00			`is_ap_actor_gone: bool = False`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`is_unsupported_algorithm: bool = False`
			`is_expired: bool = False`
Tweak HTTP sig handling for blocked servers 2022-08-18 20:42:00 +00:00			`is_from_blocked_server: bool = False`

Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`server: str \| None = None`
Initial commit for new v2 2022-06-22 18:11:22 +00:00

			`async def httpsig_checker(`
			`request: fastapi.Request,`
Improve caching 2022-06-30 07:25:13 +00:00			`db_session: AsyncSession = fastapi.Depends(get_db_session),`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`) -> HTTPSigInfo:`
			`body = await request.body()`

			`hsig = _parse_sig_header(request.headers.get("Signature"))`
			`if not hsig:`
			`logger.info("No HTTP signature found")`
			`return HTTPSigInfo(has_valid_signature=False)`

Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`try:`
			`key_id = hsig["keyId"]`
			`except KeyError:`
			`logger.info("Missing keyId")`
			`return HTTPSigInfo(`
			`has_valid_signature=False,`
			`)`

			`server = urlparse(key_id).hostname`
Blocking server also blocks subdomains 2022-12-04 10:51:52 +00:00			`if is_hostname_blocked(server):`
Tweak HTTP sig handling for blocked servers 2022-08-18 20:42:00 +00:00			`return HTTPSigInfo(`
			`has_valid_signature=False,`
			`server=server,`
			`is_from_blocked_server=True,`
			`)`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]:`
			`logger.info(f"Unsupported HTTP sig algorithm: {alg}")`
			`return HTTPSigInfo(`
			`has_valid_signature=False,`
			`is_unsupported_algorithm=True,`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`server=server,`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`)`

Hack in HTTP sig to drop Delete requests early on 2022-11-21 20:43:12 +00:00			`# Try to drop Delete activity spams early on, this prevent making an extra`
			`# HTTP requests trying to fetch an unavailable actor to verify the HTTP sig`
			`try:`
			`if request.method == "POST" and request.url.path.endswith("/inbox"):`
			`from app import models # TODO: solve this circular import`

			`activity = json.loads(body)`
			`actor_id = ap.get_id(activity["actor"])`
			`if (`
			`ap.as_list(activity["type"])[0] == "Delete"`
			`and actor_id == ap.get_id(activity["object"])`
			`and not (`
			`await db_session.scalars(`
			`select(models.Actor).where(`
			`models.Actor.ap_id == actor_id,`
			`)`
			`)`
			`).one_or_none()`
			`):`
			`logger.info(f"Dropping Delete activity early for {body=}")`
			`raise fastapi.HTTPException(status_code=202)`
			`except fastapi.HTTPException as http_exc:`
			`raise http_exc`
			`except Exception:`
			`logger.exception("Failed to check for Delete spam")`

Tweak logging 2022-08-20 07:11:48 +00:00			`# logger.debug(f"hsig={hsig}")`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`signed_string, signature_date = _build_signed_string(`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`hsig["headers"],`
			`request.method,`
			`request.url.path,`
			`request.headers,`
			`_body_digest(body) if body else None,`
Add support for hs2019 HTTP sig 2022-07-20 18:29:49 +00:00			`hsig,`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`)`

Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`# Sanity checks on the signature date`
			`if signature_date is None or now() - signature_date > timedelta(hours=12):`
			`logger.info(f"Signature expired: {signature_date=}")`
			`return HTTPSigInfo(`
			`has_valid_signature=False,`
			`is_expired=True,`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`server=server,`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`)`

Initial commit for new v2 2022-06-22 18:11:22 +00:00			`try:`
Improve caching 2022-06-30 07:25:13 +00:00			`k = await _get_public_key(db_session, hsig["keyId"])`
HTTP clients tweaks 2022-07-13 18:05:15 +00:00			`except (ap.ObjectIsGoneError, ap.ObjectNotFoundError):`
			`logger.info("Actor is gone or not found")`
Add support for forwarding activities 2022-07-06 17:04:38 +00:00			`return HTTPSigInfo(has_valid_signature=False, is_ap_actor_gone=True)`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`except Exception:`
			`logger.exception(f'Failed to fetch HTTP sig key {hsig["keyId"]}')`
			`return HTTPSigInfo(has_valid_signature=False)`

Improve summary 2022-08-24 18:12:10 +00:00			`has_valid_signature = _verify_h(`
			`signed_string, base64.b64decode(hsig["signature"]), k.pubkey`
			`)`
Support actor refresh while checking HTTP sig 2022-10-07 10:05:28 +00:00
			`# If the signature is not valid, we may have to update the cached actor`
			`if not has_valid_signature:`
			`logger.info("Invalid signature, trying to refresh actor")`
			`try:`
			`k = await _get_public_key(db_session, hsig["keyId"], should_skip_cache=True)`
			`has_valid_signature = _verify_h(`
			`signed_string, base64.b64decode(hsig["signature"]), k.pubkey`
			`)`
			`except Exception:`
			`logger.exception("Failed to refresh actor")`
Improve summary 2022-08-24 18:12:10 +00:00
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`httpsig_info = HTTPSigInfo(`
Improve summary 2022-08-24 18:12:10 +00:00			`has_valid_signature=has_valid_signature,`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`signed_by_ap_actor_id=k.owner,`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`server=server,`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`)`
			`logger.info(f"Valid HTTP signature for {httpsig_info.signed_by_ap_actor_id}")`
			`return httpsig_info`


			`async def enforce_httpsig(`
			`request: fastapi.Request,`
			`httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker),`
			`) -> HTTPSigInfo:`
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`"""FastAPI Depends"""`
Tweak HTTP sig handling for blocked servers 2022-08-18 20:42:00 +00:00			`if httpsig_info.is_from_blocked_server:`
Start supporting a server blocklist 2022-08-15 08:15:00 +00:00			`logger.warning(f"{httpsig_info.server} is blocked")`
			`raise fastapi.HTTPException(status_code=403, detail="Blocked")`

Initial commit for new v2 2022-06-22 18:11:22 +00:00			`if not httpsig_info.has_valid_signature:`
			`logger.warning(f"Invalid HTTP sig {httpsig_info=}")`
			`body = await request.body()`
			`logger.info(f"{body=}")`
Add support for forwarding activities 2022-07-06 17:04:38 +00:00
			`# Special case for Mastoodon instance that keep resending Delete`
			`# activities for actor we don't know about if we raise a 401`
			`if httpsig_info.is_ap_actor_gone:`
Bug fixes 2022-07-06 19:13:33 +00:00			`logger.info("Let's make Mastodon happy, returning a 202")`
			`raise fastapi.HTTPException(status_code=202)`
Add support for forwarding activities 2022-07-06 17:04:38 +00:00
Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`detail = "Invalid HTTP sig"`
			`if httpsig_info.is_unsupported_algorithm:`
			`detail = "Unsupported signature algorithm, must be rsa-sha256 or hs2019"`
			`elif httpsig_info.is_expired:`
			`detail = "Signature expired"`

			`raise fastapi.HTTPException(status_code=401, detail=detail)`
Initial commit for new v2 2022-06-22 18:11:22 +00:00
			`return httpsig_info`


			`class HTTPXSigAuth(httpx.Auth):`
			`def __init__(self, key: Key) -> None:`
			`self.key = key`

			`def auth_flow(`
			`self, r: httpx.Request`
			`) -> typing.Generator[httpx.Request, httpx.Response, None]:`
			`logger.info(f"keyid={self.key.key_id()}")`

			`bodydigest = None`
			`if r.content:`
			`bh = hashlib.new("sha256")`
			`bh.update(r.content)`
			`bodydigest = "SHA-256=" + base64.b64encode(bh.digest()).decode("utf-8")`

			`date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")`
			`r.headers["Date"] = date`
			`if bodydigest:`
			`r.headers["Digest"] = bodydigest`
			`sigheaders = "(request-target) user-agent host date digest content-type"`
			`else:`
			`sigheaders = "(request-target) user-agent host date accept"`

Improve HTTP signature handling 2022-07-21 19:49:42 +00:00			`to_be_signed, _ = _build_signed_string(`
Add support for hs2019 HTTP sig 2022-07-20 18:29:49 +00:00			`sigheaders, r.method, r.url.path, r.headers, bodydigest, {}`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`)`
			`if not self.key.privkey:`
			`raise ValueError("Should never happen")`
			`signer = PKCS1_v1_5.new(self.key.privkey)`
			`digest = SHA256.new()`
			`digest.update(to_be_signed.encode("utf-8"))`
			`sig = base64.b64encode(signer.sign(digest)).decode()`

			`key_id = self.key.key_id()`
			`sig_value = f'keyId="{key_id}",algorithm="rsa-sha256",headers="{sigheaders}",signature="{sig}"' # noqa: E501`
			`logger.debug(f"signed request {sig_value=}")`
			`r.headers["Signature"] = sig_value`
			`yield r`


			`k = Key(config.ID, f"{config.ID}#main-key")`
Fix config wizard 2022-07-04 18:25:27 +00:00			`k.load(KEY_PATH.read_text())`
Initial commit for new v2 2022-06-22 18:11:22 +00:00			`auth = HTTPXSigAuth(k)`