indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Allow incoming posts with failing http signatures provided that they have a json signature which passes 

This provides the same level of assurance, but allows posts to arrive via relays
merge-requests/18/head
Bob Mottram 2021-02-14 15:22:03 +00:00
parent 1efec2d8ac
commit e6b9382a0a
2 changed files with 39 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
inbox.py
View File

@ -2726,6 +2726,7 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
print('DEBUG: checking http header signature')
pprint(queueJson['httpHeaders'])
postStr = json.dumps(queueJson['post'])
httpSignatureFailed = False
if not verifyPostHeaders(httpPrefix,
pubKey,
queueJson['httpHeaders'],
@ -2733,19 +2734,15 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
queueJson['digest'],
postStr,
debug):
httpSignatureFailed = True
print('Queue: Header signature check failed')
pprint(queueJson['httpHeaders'])
if os.path.isfile(queueFilename):
os.remove(queueFilename)
if len(queue) > 0:
queue.pop(0)
continue
if debug:
print('DEBUG: http header signature check success')
else:
if debug:
print('DEBUG: http header signature check success')
# check if a json signature exists on this post
checkJsonSignature = False
hasJsonSignature = False
originalJson = queueJson['original']
if originalJson.get('@context') and \
originalJson.get('signature'):
@ -2756,39 +2753,49 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
if jwebsig.get('type') and jwebsig.get('signatureValue'):
if jwebsig['type'] == 'RsaSignature2017':
if hasValidContext(originalJson):
checkJsonSignature = True
hasJsonSignature = True
else:
print('unrecognised @context: ' +
str(originalJson['@context']))
# strict enforcement of json signatures
if verifyAllSignatures and \
not checkJsonSignature:
print('inbox post does not have a jsonld signature ' +
keyId + ' ' + str(originalJson))
if os.path.isfile(queueFilename):
os.remove(queueFilename)
if len(queue) > 0:
queue.pop(0)
continue
if not hasJsonSignature:
if httpSignatureFailed:
print('Queue: Header signature check failed and ' +
'unable to check json signature')
if checkJsonSignature and verifyAllSignatures:
# use the original json message received, not one which may have
# been modified along the way
if not verifyJsonSignature(originalJson, pubKey):
if debug:
print('WARN: jsonld inbox signature check failed ' +
keyId + ' ' + pubKey + ' ' + str(originalJson))
else:
print('WARN: jsonld inbox signature check failed ' +
keyId)
if verifyAllSignatures:
print('Queue: inbox post does not have a jsonld signature ' +
keyId + ' ' + str(originalJson))
if httpSignatureFailed or verifyAllSignatures:
if os.path.isfile(queueFilename):
os.remove(queueFilename)
if len(queue) > 0:
queue.pop(0)
continue
else:
print('jsonld inbox signature check success ' + keyId)
else:
if httpSignatureFailed or verifyAllSignatures:
# use the original json message received, not one which
# may have been modified along the way
if not verifyJsonSignature(originalJson, pubKey):
if debug:
print('WARN: jsonld inbox signature check failed ' +
keyId + ' ' + pubKey + ' ' + str(originalJson))
else:
print('WARN: jsonld inbox signature check failed ' +
keyId)
if os.path.isfile(queueFilename):
os.remove(queueFilename)
if len(queue) > 0:
queue.pop(0)
continue
else:
if httpSignatureFailed:
print('jsonld inbox signature check success ' +
'via relay ' + keyId)
else:
print('jsonld inbox signature check success ' + keyId)
# set the id to the same as the post filename
# This makes the filename and the id consistent

2
session.py
View File

@ -72,7 +72,7 @@ def urlExists(session, url: str, timeoutSec=3,
result = session.get(url, headers=sessionHeaders,
params=sessionParams,
timeout=timeoutSec)
if result:
if result:
if result.status_code == 200 or \
result.status_code == 304:
return True