Add schemas and functions to query signing keys from servers

lib/matrix_server_web/authenticate_server.ex

@@ -1,19 +1,17 @@
 defmodule MatrixServerWeb.AuthenticateServer do
   import MatrixServerWeb.Plug.Error
 
-  alias MatrixServer.SigningServer
+  alias MatrixServer.SigningKey
 
   @auth_header_regex ~r/^X-Matrix origin=(?<origin>.*),key="(?<key>.*)",sig="(?<sig>.*)"$/
 
-  def authenticate(
-        %Plug.Conn{
-          body_params: body_params,
-          req_headers: headers,
-          request_path: path,
-          method: method,
-          query_string: query_string
-        }
-      ) do
+  def authenticate(%Plug.Conn{
+        body_params: body_params,
+        req_headers: headers,
+        request_path: path,
+        method: method,
+        query_string: query_string
+      }) do
     object_to_sign = %{
       uri: path <> "?" <> URI.decode_www_form(query_string),
       method: method,
@@ -32,13 +30,16 @@ defmodule MatrixServerWeb.AuthenticateServer do
     headers
     |> parse_authorization_headers()
     |> Enum.find(:error, fn {origin, _, sig} ->
-      # TODO: fetch actual signing keys for origin from cache/key store.
-      {_, signing_key} = SigningServer.get_signing_keys() |> hd()
       object = object_fun.(origin)
 
       with {:ok, raw_sig} <- MatrixServer.decode_base64(sig),
            {:ok, encoded_object} <- MatrixServer.encode_canonical_json(object) do
-        :enacl.sign_verify_detached(raw_sig, encoded_object, signing_key)
+        # TODO: Only query once per origin.
+        # TODO: Handle expired keys.
+        SigningKey.for_server(origin)
+        |> Enum.find_value(false, fn %SigningKey{signing_key: signing_key} ->
+          :enacl.sign_verify_detached(raw_sig, encoded_object, signing_key)
+        end)
       else
         _ -> false
       end
@@ -70,6 +71,7 @@ defmodule MatrixServerWeb.AuthenticateServer do
             {origin, _key, _sig} ->
               conn = Plug.Conn.assign(conn, :origin, origin)
               apply(__MODULE__, action, [conn, conn.params])
+
             :error ->
               put_error(conn, :unauthorized, "Signature verification failed.")
           end

lib/matrix_server_web/federation/key_controller.ex

@@ -3,13 +3,13 @@ defmodule MatrixServerWeb.Federation.KeyController do
 
   import MatrixServerWeb.Plug.Error
 
-  alias MatrixServer.SigningServer
+  alias MatrixServer.KeyServer
 
   @key_valid_time_ms 1000 * 60 * 24 * 30
 
   def get_signing_keys(conn, _params) do
     keys =
-      SigningServer.get_signing_keys(true)
+      KeyServer.get_own_signing_keys()
       |> Enum.into(%{}, fn {key_id, key} ->
         {key_id, %{"key" => key}}
       end)
@@ -21,13 +21,15 @@ defmodule MatrixServerWeb.Federation.KeyController do
       valid_until_ts: System.os_time(:millisecond) + @key_valid_time_ms
     }
 
-    case SigningServer.sign_object(data) do
-      {:ok, signed_data} ->
+    case KeyServer.sign_object(data) do
+      {:ok, sig, key_id} ->
+        signed_data = MatrixServer.add_signature(data, key_id, sig)
+
         conn
         |> put_status(200)
         |> json(signed_data)
 
-      {:error, _msg} ->
+      :error ->
         put_error(conn, :unknown, "Error signing object.")
     end
   end

lib/matrix_server_web/federation/request/get_signing_keys.ex

@@ -0,0 +1,36 @@
+defmodule MatrixServerWeb.Federation.Request.GetSigningKeys do
+  use Ecto.Schema
+
+  import Ecto.Changeset
+
+  @primary_key false
+  embedded_schema do
+    field :server_name, :string
+    field :verify_keys, {:map, {:map, :string}}
+    field :old_verify_keys, {:map, :map}
+    field :signatures, {:map, {:map, :string}}
+    field :valid_until_ts, :integer
+  end
+
+  def changeset(params) do
+    # TODO: There must be a better way to validate embedded maps?
+    %__MODULE__{}
+    |> cast(params, [:server_name, :verify_keys, :old_verify_keys, :signatures, :valid_until_ts])
+    |> validate_required([:server_name, :verify_keys, :valid_until_ts])
+    |> MatrixServer.validate_change_simple(:verify_keys, fn map ->
+      Enum.all?(map, fn {_, map} ->
+        is_map_key(map, "key")
+      end)
+    end)
+    |> MatrixServer.validate_change_simple(:old_verify_keys, fn map ->
+      Enum.all?(map, fn
+        {_, %{"key" => key, "expired_ts" => expired_ts}}
+        when is_binary(key) and is_integer(expired_ts) ->
+          true
+
+        _ ->
+          false
+      end)
+    end)
+  end
+end

lib/matrix_server_web/federation_client.ex

@@ -2,6 +2,7 @@ defmodule MatrixServerWeb.FederationClient do
   use Tesla
 
   alias MatrixServerWeb.Endpoint
+  alias MatrixServerWeb.Federation.Request.GetSigningKeys
   alias MatrixServerWeb.Router.Helpers, as: RouteHelpers
 
   # TODO: Maybe create database-backed homeserver struct to pass to client function.
@@ -17,7 +18,15 @@ defmodule MatrixServerWeb.FederationClient do
   end
 
   def get_signing_keys(client) do
-    Tesla.get(client, RouteHelpers.key_path(Endpoint, :get_signing_keys))
+    # TODO: Extract into seperate function.
+    # TODO: Check signatures for each verify key.
+    with {:ok, %Tesla.Env{body: body}} <-
+           Tesla.get(client, RouteHelpers.key_path(Endpoint, :get_signing_keys)),
+         %Ecto.Changeset{valid?: true} = cs <- GetSigningKeys.changeset(body) do
+      {:ok, Ecto.Changeset.apply_changes(cs)}
+    else
+      _ -> :error
+    end
   end
 
   # TODO: Create tesla middleware to add signature and headers.
@@ -33,7 +42,7 @@ defmodule MatrixServerWeb.FederationClient do
       destination: server_name
     }
 
-    {:ok, signature, key_id} = MatrixServer.SigningServer.sign_object(object_to_sign)
+    {:ok, signature, key_id} = MatrixServer.KeyServer.sign_object(object_to_sign)
     signatures = %{origin => %{key_id => signature}}
     auth_headers = create_signature_authorization_headers(signatures, origin)