architex/lib/architex_web/federation/authenticate_server.ex

defmodule ArchitexWeb.Federation.AuthenticateServer do
  import ArchitexWeb.Error

  alias Architex.{SigningKey, ServerKeyInfo}

  @auth_header_regex ~r/^X-Matrix origin=(?<origin>.*),key="(?<key>.*)",sig="(?<sig>.*)"$/

  def authenticate(%Plug.Conn{
        body_params: body_params,
        req_headers: headers,
        request_path: path,
        method: method,
        query_string: query_string
      }) do
    # TODO: This will break if request ends with '?'.
    uri = URI.decode_www_form(path)

    uri =
      if String.length(query_string) > 0 do
        uri <> "?" <> URI.decode_www_form(query_string)
      else
        uri
      end

    object_to_sign = %{
      uri: uri,
      method: method,
      destination: Architex.server_name()
    }

    object_to_sign =
      if method != "GET", do: Map.put(object_to_sign, :content, body_params), else: object_to_sign

    object_fun = &Map.put(object_to_sign, :origin, &1)

    authenticate_with_headers(headers, object_fun)
  end

  defp authenticate_with_headers(headers, object_fun) do
    # TODO: Only query once per origin.
    headers
    |> parse_authorization_headers()
    |> Enum.find(:error, fn {origin, _, sig} ->
      object = object_fun.(origin)

      with {:ok, raw_sig} <- Architex.decode_base64(sig),
           {:ok, encoded_object} <- Architex.encode_canonical_json(object),
           {:ok, %ServerKeyInfo{signing_keys: keys}} <-
             ServerKeyInfo.with_fresh_signing_keys(origin) do
        Enum.find_value(keys, false, fn %SigningKey{signing_key: signing_key} ->
          with {:ok, decoded_key} <- Architex.decode_base64(signing_key) do
            Architex.sign_verify(raw_sig, encoded_object, decoded_key)
          else
            _ -> false
          end
        end)
      else
        _ -> false
      end
    end)
  end

  def parse_authorization_headers(headers) do
    headers
    |> Enum.filter(&(elem(&1, 0) == "authorization"))
    |> Enum.map(fn {_, auth_header} ->
      Regex.named_captures(@auth_header_regex, auth_header)
    end)
    |> Enum.reject(&Kernel.is_nil/1)
    |> Enum.map(fn %{"origin" => origin, "key" => key, "sig" => sig} ->
      {origin, key, sig}
    end)
    |> Enum.filter(fn {_, key, _} -> String.starts_with?(key, "ed25519:") end)
  end

  defmacro __using__(opts) do
    except = Keyword.get(opts, :except) || []

    quote do
      def action(conn, _) do
        action = action_name(conn)

        if action not in unquote(except) do
          case ArchitexWeb.Federation.AuthenticateServer.authenticate(conn) do
            {origin, _key, _sig} ->
              conn = Plug.Conn.assign(conn, :origin, origin)
              apply(__MODULE__, action, [conn, conn.params])

            :error ->
              put_error(conn, :unauthorized, "Signature verification failed.")
          end
        else
          apply(__MODULE__, action, [conn, conn.params])
        end
      end
    end
  end
end
Rename repository 2021-09-01 12:43:55 +00:00			`defmodule ArchitexWeb.Federation.AuthenticateServer do`
			`import ArchitexWeb.Error`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
Rename repository 2021-09-01 12:43:55 +00:00			`alias Architex.{SigningKey, ServerKeyInfo}`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
			`@auth_header_regex ~r/^X-Matrix origin=(?<origin>.),key="(?<key>.)",sig="(?<sig>.*)"$/`

Add schemas and functions to query signing keys from servers 2021-08-12 22:45:07 +00:00			`def authenticate(%Plug.Conn{`
			`body_params: body_params,`
			`req_headers: headers,`
			`request_path: path,`
			`method: method,`
			`query_string: query_string`
			`}) do`
Implement retrieving a single event over federation Fix url encoding during homeserver signature check 2021-08-21 09:25:36 +00:00			`# TODO: This will break if request ends with '?'.`
			`uri = URI.decode_www_form(path)`

			`uri =`
			`if String.length(query_string) > 0 do`
			`uri <> "?" <> URI.decode_www_form(query_string)`
			`else`
			`uri`
			`end`

Fix server signature verification 2021-08-10 16:02:53 +00:00			`object_to_sign = %{`
Implement retrieving a single event over federation Fix url encoding during homeserver signature check 2021-08-21 09:25:36 +00:00			`uri: uri,`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`method: method,`
Rename repository 2021-09-01 12:43:55 +00:00			`destination: Architex.server_name()`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`}`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
Fix server signature verification 2021-08-10 16:02:53 +00:00			`object_to_sign =`
			`if method != "GET", do: Map.put(object_to_sign, :content, body_params), else: object_to_sign`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
Fix server signature verification 2021-08-10 16:02:53 +00:00			`object_fun = &Map.put(object_to_sign, :origin, &1)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
Fix server signature verification 2021-08-10 16:02:53 +00:00			`authenticate_with_headers(headers, object_fun)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`end`

Fix server signature verification 2021-08-10 16:02:53 +00:00			`defp authenticate_with_headers(headers, object_fun) do`
Handle enacl exceptions during signature checks Fix usage of undecoded signing key during server authentication Fix several bugs in profile query endpoint 2021-08-13 15:36:34 +00:00			`# TODO: Only query once per origin.`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`headers`
			`\|> parse_authorization_headers()`
			`\|> Enum.find(:error, fn {origin, _, sig} ->`
			`object = object_fun.(origin)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00
Rename repository 2021-09-01 12:43:55 +00:00			`with {:ok, raw_sig} <- Architex.decode_base64(sig),`
			`{:ok, encoded_object} <- Architex.encode_canonical_json(object),`
Handle enacl exceptions during signature checks Fix usage of undecoded signing key during server authentication Fix several bugs in profile query endpoint 2021-08-13 15:36:34 +00:00			`{:ok, %ServerKeyInfo{signing_keys: keys}} <-`
			`ServerKeyInfo.with_fresh_signing_keys(origin) do`
			`Enum.find_value(keys, false, fn %SigningKey{signing_key: signing_key} ->`
Rename repository 2021-09-01 12:43:55 +00:00			`with {:ok, decoded_key} <- Architex.decode_base64(signing_key) do`
			`Architex.sign_verify(raw_sig, encoded_object, decoded_key)`
Handle enacl exceptions during signature checks Fix usage of undecoded signing key during server authentication Fix several bugs in profile query endpoint 2021-08-13 15:36:34 +00:00			`else`
			`_ -> false`
			`end`
Add schemas and functions to query signing keys from servers 2021-08-12 22:45:07 +00:00			`end)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`else`
			`_ -> false`
			`end`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`end)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`end`

			`def parse_authorization_headers(headers) do`
			`headers`
			`\|> Enum.filter(&(elem(&1, 0) == "authorization"))`
			`\|> Enum.map(fn {_, auth_header} ->`
			`Regex.named_captures(@auth_header_regex, auth_header)`
			`end)`
			`\|> Enum.reject(&Kernel.is_nil/1)`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`\|> Enum.map(fn %{"origin" => origin, "key" => key, "sig" => sig} ->`
			`{origin, key, sig}`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`end)`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`\|> Enum.filter(fn {_, key, _} -> String.starts_with?(key, "ed25519:") end)`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`end`

			`defmacro __using__(opts) do`
			`except = Keyword.get(opts, :except) \|\| []`

			`quote do`
			`def action(conn, _) do`
			`action = action_name(conn)`

Fix server signature verification 2021-08-10 16:02:53 +00:00			`if action not in unquote(except) do`
Rename repository 2021-09-01 12:43:55 +00:00			`case ArchitexWeb.Federation.AuthenticateServer.authenticate(conn) do`
Fix server signature verification 2021-08-10 16:02:53 +00:00			`{origin, _key, _sig} ->`
			`conn = Plug.Conn.assign(conn, :origin, origin)`
			`apply(__MODULE__, action, [conn, conn.params])`
Add schemas and functions to query signing keys from servers 2021-08-12 22:45:07 +00:00
Fix server signature verification 2021-08-10 16:02:53 +00:00			`:error ->`
			`put_error(conn, :unauthorized, "Signature verification failed.")`
			`end`
Add code for verifying homeservers' signatures on API requests 2021-08-08 17:20:10 +00:00			`else`
			`apply(__MODULE__, action, [conn, conn.params])`
			`end`
			`end`
			`end`
			`end`
			`end`