From 710aa95363bbd893d44eca39d3f7d5a101cb04b7 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Thu, 20 Dec 2018 09:26:12 +0300 Subject: SignatureManager refactoring --- .../java/com/juick/server/SignatureManager.java | 26 ++++++++++++++-------- .../com/juick/server/api/activity/Profile.java | 5 +++-- .../security/HashParamAuthenticationFilter.java | 7 +++--- 3 files changed, 24 insertions(+), 14 deletions(-) (limited to 'src/main/java/com/juick') diff --git a/src/main/java/com/juick/server/SignatureManager.java b/src/main/java/com/juick/server/SignatureManager.java index b3b7a301..26e482ad 100644 --- a/src/main/java/com/juick/server/SignatureManager.java +++ b/src/main/java/com/juick/server/SignatureManager.java @@ -1,11 +1,14 @@ package com.juick.server; import com.fasterxml.jackson.databind.ObjectMapper; +import com.juick.User; import com.juick.server.api.activity.model.Context; import com.juick.server.api.activity.model.objects.Person; import com.juick.server.api.webfinger.model.Account; import com.juick.server.api.webfinger.model.Link; +import com.juick.service.UserService; import com.juick.util.DateFormattersHolder; +import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.ApplicationEventPublisher; @@ -41,7 +44,7 @@ public class SignatureManager { @Inject private ObjectMapper jsonMapper; @Inject - private ApplicationEventPublisher applicationEventPublisher; + private UserService userService; @Inject private RestTemplate apClient; @@ -70,23 +73,28 @@ public class SignatureManager { logger.info("accepted follower: {}", response.getStatusCodeValue()); } - public boolean verifySignature(String signatureString, URI actor, String method, String path, Map headers) { - Optional context = getContext(actor); + public User verifySignature(String method, String path, Map headers) throws IOException { + Signature signature = Signature.fromString(headers.get("signature")); + Optional context = getContext(URI.create(signature.getKeyId())); if (context.isPresent() && context.get() instanceof Person) { Person person = (Person) context.get(); Key key = KeystoreManager.publicKeyOf(person); - Verifier verifier = new Verifier(key, Signature.fromString(signatureString)); + + Verifier verifier = new Verifier(key, signature); try { boolean result = verifier.verify(method, path, headers); logger.info("signature is valid: {}", result); - return result; + User user = new User(); + user.setUri(URI.create(person.getId())); + if (key.equals(keystoreManager.getPublicKey())) { + return userService.getUserByName(person.getName()); + } + return user; } catch (NoSuchAlgorithmException | SignatureException | IOException e) { - logger.info("signature exception", e); - return false; + throw new IOException("Invalid signature"); } } - logger.info("person not found"); - return false; + throw new IOException("Person not found"); } public Optional getContext(URI contextUri) { Context context = apClient.getForEntity(contextUri, Context.class).getBody(); diff --git a/src/main/java/com/juick/server/api/activity/Profile.java b/src/main/java/com/juick/server/api/activity/Profile.java index 305b7c4a..2614cded 100644 --- a/src/main/java/com/juick/server/api/activity/Profile.java +++ b/src/main/java/com/juick/server/api/activity/Profile.java @@ -268,9 +268,10 @@ public class Profile { headers.put("content-type", contentType); headers.put("user-agent", userAgent); headers.put("accept-encoding", acceptEncoding); - boolean valid = signatureManager.verifySignature(signature, URI.create(activity.getActor()), "POST", + headers.put("signature", signature); + User signedUser = signatureManager.verifySignature( "POST", componentsBuilder.getPath(), headers); - if (valid) { + if ((StringUtils.isNotEmpty(signedUser.getUri().toString()) && signedUser.getUri().equals(URI.create(activity.getActor()))) || !signedUser.isAnonymous()) { if (activity instanceof Follow) { Follow followRequest = (Follow) activity; String actor = followRequest.getActor(); diff --git a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java index 9215d09a..2fd5a2a7 100644 --- a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java +++ b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java @@ -30,6 +30,7 @@ import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.util.WebUtils; +import javax.annotation.Nonnull; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.Cookie; @@ -59,9 +60,9 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter { @Override protected void doFilterInternal( - HttpServletRequest request, - HttpServletResponse response, - FilterChain filterChain) throws ServletException, IOException { + @Nonnull HttpServletRequest request, + @Nonnull HttpServletResponse response, + @Nonnull FilterChain filterChain) throws ServletException, IOException { String hash = getHashFromRequest(request); -- cgit v1.2.3