diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index 1788e609..ca866978 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -64,4 +64,4 @@ jobs: uses: mikepenz/action-junit-report@v2 if: always() with: - report_paths: '**/build/test-results/test/TEST-*.xml' + report_paths: '**/build/test-results/integrationTest/TEST-*.xml' diff --git a/src/intTest/kotlin/activitypub/inbox/InboxTest.kt b/src/intTest/kotlin/activitypub/inbox/InboxTest.kt index 92fe3aa2..080639b4 100644 --- a/src/intTest/kotlin/activitypub/inbox/InboxTest.kt +++ b/src/intTest/kotlin/activitypub/inbox/InboxTest.kt @@ -45,6 +45,7 @@ class InboxTest { content = "{}" contentType = MediaType.APPLICATION_JSON } + .asyncDispatch() .andExpect { status { isUnauthorized() } } } @@ -55,6 +56,7 @@ class InboxTest { .post("/inbox") { content = "{}" contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { status { isAccepted() } } @@ -68,6 +70,7 @@ class InboxTest { content = "{}" contentType = MediaType.APPLICATION_JSON } + .asyncDispatch() .andExpect { status { isUnauthorized() } } } @@ -78,6 +81,7 @@ class InboxTest { .post("/users/hoge/inbox") { content = "{}" contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { status { isAccepted() } } diff --git a/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Delete.kt b/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Delete.kt index f2142722..6f691492 100644 --- a/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Delete.kt +++ b/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Delete.kt @@ -43,8 +43,8 @@ open class Delete : Object, HasId, HasActor { override fun hashCode(): Int { var result = super.hashCode() - result = 31 * result + (apObject?.hashCode() ?: 0) - result = 31 * result + (published?.hashCode() ?: 0) + result = 31 * result + apObject.hashCode() + result = 31 * result + published.hashCode() result = 31 * result + actor.hashCode() result = 31 * result + id.hashCode() return result diff --git a/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Undo.kt b/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Undo.kt index d02ccc4d..01dbc17c 100644 --- a/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Undo.kt +++ b/src/main/kotlin/dev/usbharu/hideout/activitypub/domain/model/Undo.kt @@ -30,14 +30,13 @@ open class Undo( override fun hashCode(): Int { var result = super.hashCode() - result = 31 * result + (`object`?.hashCode() ?: 0) - result = 31 * result + (published?.hashCode() ?: 0) + result = 31 * result + `object`.hashCode() + result = 31 * result + published.hashCode() result = 31 * result + actor.hashCode() result = 31 * result + id.hashCode() return result } - override fun toString(): String { - return "Undo(`object`=$`object`, published=$published, actor='$actor', id='$id') ${super.toString()}" - } + override fun toString(): String = + "Undo(`object`=$`object`, published=$published, actor='$actor', id='$id') ${super.toString()}" } diff --git a/src/main/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImpl.kt b/src/main/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImpl.kt index 1ad9062c..d87d045a 100644 --- a/src/main/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImpl.kt +++ b/src/main/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImpl.kt @@ -5,6 +5,7 @@ import dev.usbharu.httpsignature.common.HttpHeaders import dev.usbharu.httpsignature.common.HttpMethod import dev.usbharu.httpsignature.common.HttpRequest import org.slf4j.LoggerFactory +import org.springframework.http.HttpHeaders.WWW_AUTHENTICATE import org.springframework.http.HttpStatus import org.springframework.http.ResponseEntity import org.springframework.web.bind.annotation.RequestBody @@ -21,6 +22,16 @@ class InboxControllerImpl(private val apService: APService) : InboxController { ): ResponseEntity { val request = (requireNotNull(RequestContextHolder.getRequestAttributes()) as ServletRequestAttributes).request + val headersList = request.headerNames?.toList().orEmpty() + if (headersList.contains("Signature").not()) { + return ResponseEntity.status(HttpStatus.UNAUTHORIZED) + .header( + WWW_AUTHENTICATE, + "Signature realm=\"Example\",headers=\"(request-target) date host digest\"" + ) + .build() + } + val parseActivity = try { apService.parseActivity(string) } catch (e: Exception) { @@ -31,7 +42,6 @@ class InboxControllerImpl(private val apService: APService) : InboxController { try { val url = request.requestURL.toString() - val headersList = request.headerNames?.toList().orEmpty() val headers = headersList.associateWith { header -> request.getHeaders(header)?.toList().orEmpty() } @@ -43,8 +53,6 @@ class InboxControllerImpl(private val apService: APService) : InboxController { } } - println(headers) - apService.processActivity( string, parseActivity, diff --git a/src/main/kotlin/dev/usbharu/hideout/activitypub/service/inbox/InboxJobProcessor.kt b/src/main/kotlin/dev/usbharu/hideout/activitypub/service/inbox/InboxJobProcessor.kt index 1e4aeb2d..1ca31144 100644 --- a/src/main/kotlin/dev/usbharu/hideout/activitypub/service/inbox/InboxJobProcessor.kt +++ b/src/main/kotlin/dev/usbharu/hideout/activitypub/service/inbox/InboxJobProcessor.kt @@ -14,6 +14,7 @@ import dev.usbharu.hideout.core.query.UserQueryService import dev.usbharu.hideout.core.service.job.JobProcessor import dev.usbharu.hideout.util.RsaUtil import dev.usbharu.httpsignature.common.HttpHeaders +import dev.usbharu.httpsignature.common.HttpMethod import dev.usbharu.httpsignature.common.HttpRequest import dev.usbharu.httpsignature.common.PublicKey import dev.usbharu.httpsignature.verify.HttpSignatureVerifier @@ -34,6 +35,14 @@ class InboxJobProcessor( ) : JobProcessor { private suspend fun verifyHttpSignature(httpRequest: HttpRequest, signature: Signature): Boolean { + val requiredHeaders = when (httpRequest.method) { + HttpMethod.GET -> getRequiredHeaders + HttpMethod.POST -> postRequiredHeaders + } + if (signature.headers.containsAll(requiredHeaders).not()) { + return false + } + val user = try { userQueryService.findByKeyId(signature.keyId) } catch (_: FailedToGetResourcesException) { @@ -96,5 +105,7 @@ class InboxJobProcessor( companion object { private val logger = LoggerFactory.getLogger(InboxJobProcessor::class.java) + private val postRequiredHeaders = listOf("(request-target)", "date", "host", "digest") + private val getRequiredHeaders = listOf("(request-target)", "date", "host") } } diff --git a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt index b29a8e94..837c1ea6 100644 --- a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt +++ b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt @@ -6,7 +6,6 @@ import com.nimbusds.jose.jwk.RSAKey import com.nimbusds.jose.jwk.source.ImmutableJWKSet import com.nimbusds.jose.jwk.source.JWKSource import com.nimbusds.jose.proc.SecurityContext -import dev.usbharu.hideout.activitypub.service.objects.user.APUserService import dev.usbharu.hideout.application.external.Transaction import dev.usbharu.hideout.core.infrastructure.springframework.httpsignature.HttpSignatureFilter import dev.usbharu.hideout.core.infrastructure.springframework.httpsignature.HttpSignatureUserDetailsService @@ -81,7 +80,7 @@ class SecurityConfig { ): SecurityFilterChain { val builder = MvcRequestMatcher.Builder(introspector) http - .securityMatcher("/inbox", "/outbox", "/users/*/inbox", "/users/*/outbox", "/users/*/posts/*") + .securityMatcher("/users/*/posts/*") .addFilter(httpSignatureFilter) .addFilterBefore( ExceptionTranslationFilter(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)), @@ -116,12 +115,9 @@ class SecurityConfig { @Bean fun getHttpSignatureFilter( authenticationManager: AuthenticationManager, - transaction: Transaction, - apUserService: APUserService, - userQueryService: UserQueryService ): HttpSignatureFilter { val httpSignatureFilter = - HttpSignatureFilter(DefaultSignatureHeaderParser(), transaction, apUserService, userQueryService) + HttpSignatureFilter(DefaultSignatureHeaderParser()) httpSignatureFilter.setAuthenticationManager(authenticationManager) httpSignatureFilter.setContinueFilterChainOnUnsuccessfulAuthentication(false) val authenticationEntryPointFailureHandler = @@ -134,18 +130,20 @@ class SecurityConfig { @Bean fun httpSignatureAuthenticationProvider(transaction: Transaction): PreAuthenticatedAuthenticationProvider { val provider = PreAuthenticatedAuthenticationProvider() + val signatureHeaderParser = DefaultSignatureHeaderParser() provider.setPreAuthenticatedUserDetailsService( HttpSignatureUserDetailsService( userQueryService, HttpSignatureVerifierComposite( mapOf( "rsa-sha256" to RsaSha256HttpSignatureVerifier( - DefaultSignatureHeaderParser(), RsaSha256HttpSignatureSigner() + signatureHeaderParser, RsaSha256HttpSignatureSigner() ) ), - DefaultSignatureHeaderParser() + signatureHeaderParser ), - transaction + transaction, + signatureHeaderParser ) ) provider.setUserDetailsChecker(AccountStatusUserDetailsChecker()) diff --git a/src/main/kotlin/dev/usbharu/hideout/core/domain/model/instance/Nodeinfo2_0.kt b/src/main/kotlin/dev/usbharu/hideout/core/domain/model/instance/Nodeinfo2_0.kt index 98247150..97478228 100644 --- a/src/main/kotlin/dev/usbharu/hideout/core/domain/model/instance/Nodeinfo2_0.kt +++ b/src/main/kotlin/dev/usbharu/hideout/core/domain/model/instance/Nodeinfo2_0.kt @@ -3,17 +3,17 @@ package dev.usbharu.hideout.core.domain.model.instance @Suppress("ClassNaming") -class Nodeinfo2_0() { +class Nodeinfo2_0 { var metadata: Metadata? = null var software: Software? = null } -class Metadata() { +class Metadata { var nodeName: String? = null var nodeDescription: String? = null } -class Software() { +class Software { var name: String? = null var version: String? = null } diff --git a/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureFilter.kt b/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureFilter.kt index e814e568..d4332651 100644 --- a/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureFilter.kt +++ b/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureFilter.kt @@ -1,23 +1,15 @@ package dev.usbharu.hideout.core.infrastructure.springframework.httpsignature -import dev.usbharu.hideout.activitypub.service.objects.user.APUserService -import dev.usbharu.hideout.application.external.Transaction -import dev.usbharu.hideout.core.domain.exception.FailedToGetResourcesException -import dev.usbharu.hideout.core.query.UserQueryService import dev.usbharu.httpsignature.common.HttpHeaders import dev.usbharu.httpsignature.common.HttpMethod import dev.usbharu.httpsignature.common.HttpRequest import dev.usbharu.httpsignature.verify.SignatureHeaderParser import jakarta.servlet.http.HttpServletRequest -import kotlinx.coroutines.runBlocking import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter import java.net.URL class HttpSignatureFilter( - private val httpSignatureHeaderParser: SignatureHeaderParser, - private val transaction: Transaction, - private val apUserService: APUserService, - private val userQueryService: UserQueryService + private val httpSignatureHeaderParser: SignatureHeaderParser ) : AbstractPreAuthenticatedProcessingFilter() { override fun getPreAuthenticatedPrincipal(request: HttpServletRequest?): Any? { @@ -33,15 +25,6 @@ class HttpSignatureFilter( } catch (_: RuntimeException) { return "" } - runBlocking { - transaction.transaction { - try { - userQueryService.findByKeyId(signature.keyId) - } catch (_: FailedToGetResourcesException) { - apUserService.fetchPerson(signature.keyId) - } - } - } return signature.keyId } diff --git a/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureUserDetailsService.kt b/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureUserDetailsService.kt index a2e2a258..3acc12f6 100644 --- a/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureUserDetailsService.kt +++ b/src/main/kotlin/dev/usbharu/hideout/core/infrastructure/springframework/httpsignature/HttpSignatureUserDetailsService.kt @@ -5,10 +5,12 @@ import dev.usbharu.hideout.core.domain.exception.FailedToGetResourcesException import dev.usbharu.hideout.core.domain.exception.HttpSignatureVerifyException import dev.usbharu.hideout.core.query.UserQueryService import dev.usbharu.hideout.util.RsaUtil +import dev.usbharu.httpsignature.common.HttpMethod import dev.usbharu.httpsignature.common.HttpRequest import dev.usbharu.httpsignature.common.PublicKey import dev.usbharu.httpsignature.verify.FailedVerification import dev.usbharu.httpsignature.verify.HttpSignatureVerifier +import dev.usbharu.httpsignature.verify.SignatureHeaderParser import kotlinx.coroutines.runBlocking import org.slf4j.LoggerFactory import org.springframework.security.authentication.BadCredentialsException @@ -20,14 +22,16 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA class HttpSignatureUserDetailsService( private val userQueryService: UserQueryService, private val httpSignatureVerifier: HttpSignatureVerifier, - private val transaction: Transaction + private val transaction: Transaction, + private val httpSignatureHeaderParser: SignatureHeaderParser ) : AuthenticationUserDetailsService { override fun loadUserDetails(token: PreAuthenticatedAuthenticationToken): UserDetails = runBlocking { if (token.principal !is String) { throw IllegalStateException("Token is not String") } - if (token.credentials !is HttpRequest) { + val credentials = token.credentials + if (credentials !is HttpRequest) { throw IllegalStateException("Credentials is not HttpRequest") } @@ -40,10 +44,25 @@ class HttpSignatureUserDetailsService( } } + val signature = httpSignatureHeaderParser.parse(credentials.headers) + + val requiredHeaders = when (credentials.method) { + HttpMethod.GET -> getRequiredHeaders + HttpMethod.POST -> postRequiredHeaders + } + if (signature.headers.containsAll(requiredHeaders).not()) { + logger.warn( + "FAILED Verify HTTP Signature. required headers: {} but actual: {}", + requiredHeaders, + signature.headers + ) + throw BadCredentialsException("HTTP Signature. required headers: $requiredHeaders") + } + @Suppress("TooGenericExceptionCaught") val verify = try { httpSignatureVerifier.verify( - token.credentials as HttpRequest, + credentials, PublicKey(RsaUtil.decodeRsaPublicKeyPem(findByKeyId.publicKey), keyId) ) } catch (e: RuntimeException) { @@ -67,5 +86,7 @@ class HttpSignatureUserDetailsService( companion object { private val logger = LoggerFactory.getLogger(HttpSignatureUserDetailsService::class.java) + private val postRequiredHeaders = listOf("(request-target)", "date", "host", "digest") + private val getRequiredHeaders = listOf("(request-target)", "date", "host") } } diff --git a/src/test/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImplTest.kt b/src/test/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImplTest.kt index 4fe4a3b2..b1f0b0cc 100644 --- a/src/test/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImplTest.kt +++ b/src/test/kotlin/dev/usbharu/hideout/activitypub/interfaces/api/inbox/InboxControllerImplTest.kt @@ -54,6 +54,7 @@ class InboxControllerImplTest { .post("/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { @@ -71,6 +72,7 @@ class InboxControllerImplTest { .post("/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { @@ -96,6 +98,7 @@ class InboxControllerImplTest { .post("/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { @@ -123,6 +126,7 @@ class InboxControllerImplTest { .post("/users/hoge/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { @@ -140,6 +144,7 @@ class InboxControllerImplTest { .post("/users/hoge/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect { @@ -165,6 +170,7 @@ class InboxControllerImplTest { .post("/users/hoge/inbox") { content = json contentType = MediaType.APPLICATION_JSON + header("Signature", "") } .asyncDispatch() .andExpect {