Add digest, date and request-target in HTTP signature

2018-12-07 10:47:31 +01:00 · 2018-12-07 10:47:31 +01:00 · fa0f47d8e1
parent ace427c223
commit fa0f47d8e1
4 changed files with 55 additions and 6 deletions
--- a/lib/service/activity_pub/activity_pub.ex
+++ b/lib/service/activity_pub/activity_pub.ex
@ -15,6 +15,7 @@ defmodule Mobilizon.Service.ActivityPub do
  alias Mobilizon.Actors.Actor

  alias Mobilizon.Service.Federator
+  alias Mobilizon.Service.HTTPSignatures

  require Logger
  import Mobilizon.Service.ActivityPub.Utils
@ -277,18 +278,30 @@ defmodule Mobilizon.Service.ActivityPub do

  def publish_one(%{inbox: inbox, json: json, actor: actor, id: id}) do
    Logger.info("Federating #{id} to #{inbox}")
-    host = URI.parse(inbox).host
+    {host, path} = URI.parse(inbox)
+
+    digest = HTTPSignatures.build_digest(json)
+    date = HTTPSignatures.generate_date_header()
+    request_target = HTTPSignatures.generate_request_target("POST", path)

    signature =
-      Mobilizon.Service.HTTPSignatures.sign(actor, %{
+      HTTPSignatures.sign(actor, %{
        host: host,
-        "content-length": byte_size(json)
+        "content-length": byte_size(json),
+        "(request-target)": request_target,
+        digest: digest,
+        date: date
      })

    HTTPoison.post(
      inbox,
      json,
-      [{"Content-Type", "application/activity+json"}, {"signature", signature}],
+      [
+        {"Content-Type", "application/activity+json"},
+        {"signature", signature},
+        {"digest", digest},
+        {"date", date}
+      ],
      hackney: [pool: :default]
    )
  end
--- a/lib/service/http_signatures/http_signatures.ex
+++ b/lib/service/http_signatures/http_signatures.ex
@ -94,6 +94,24 @@ defmodule Mobilizon.Service.HTTPSignatures do
      err ->
        Logger.error("Unable to sign headers")
        Logger.error(inspect(err))
+        nil
    end
  end
+
+  def generate_date_header(date \\ Timex.now("GMT")) do
+    with {:ok, date} <- Timex.format(date, "%a, %d %b %Y %H:%M:%S %Z", :strftime) do
+      date
+    else
+      {:error, err} ->
+        Logger.error("Unable to generate date header")
+        Logger.error(inspect(err))
+        nil
+    end
+  end
+
+  def generate_request_target(method, path), do: "#{method} #{path}"
+
+  def build_digest(body) do
+    "SHA-256=" <> (:crypto.hash(:sha256, body) |> Base.encode64())
+  end
 end
--- a/mix.exs
+++ b/mix.exs
@ -35,7 +35,7 @@ defmodule Mobilizon.Mixfile do
  def application do
    [
      mod: {Mobilizon.Application, []},
-      extra_applications: [:logger, :runtime_tools, :guardian, :bamboo, :geolix]
+      extra_applications: [:logger, :runtime_tools, :guardian, :bamboo, :geolix, :crypto]
    ]
  end

--- a/test/mobilizon/service/activitypub/activitypub_test.exs
+++ b/test/mobilizon/service/activitypub/activitypub_test.exs
@ -6,6 +6,7 @@ defmodule Mobilizon.Service.Activitypub.ActivitypubTest do
  alias Mobilizon.Events
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Actors
+  alias Mobilizon.Service.HTTPSignatures
  alias Mobilizon.Service.ActivityPub
  use ExVCR.Mock, adapter: ExVCR.Adapter.Hackney

@ -13,6 +14,23 @@ defmodule Mobilizon.Service.Activitypub.ActivitypubTest do
    HTTPoison.start()
  end

+  describe "setting HTTP signature" do
+    test "set http signature header" do
+      actor = insert(:actor)
+
+      signature =
+        HTTPSignatures.sign(actor, %{
+          host: "example.com",
+          "content-length": 15,
+          digest: Jason.encode!(%{id: "my_id"}) |> HTTPSignatures.build_digest(),
+          "(request-target)": HTTPSignatures.generate_request_target("POST", "/inbox"),
+          date: HTTPSignatures.generate_date_header()
+        })
+
+      assert signature =~ "headers=\"(request-target) content-length date digest host\""
+    end
+  end
+
  describe "fetching actor from it's url" do
    test "returns an actor from nickname" do
      use_cassette "activity_pub/fetch_tcit@framapiaf.org" do