mirror of https://gitlab.com/bashrc2/epicyon
Allow incoming posts with failing http signatures provided that they have a json signature which passes
This provides the same level of assurance, but allows posts to arrive via relaysmerge-requests/30/head
parent
1efec2d8ac
commit
e6b9382a0a
69
inbox.py
69
inbox.py
|
|
@ -2726,6 +2726,7 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
||||||
print('DEBUG: checking http header signature')
|
print('DEBUG: checking http header signature')
|
||||||
pprint(queueJson['httpHeaders'])
|
pprint(queueJson['httpHeaders'])
|
||||||
postStr = json.dumps(queueJson['post'])
|
postStr = json.dumps(queueJson['post'])
|
||||||
|
httpSignatureFailed = False
|
||||||
if not verifyPostHeaders(httpPrefix,
|
if not verifyPostHeaders(httpPrefix,
|
||||||
pubKey,
|
pubKey,
|
||||||
queueJson['httpHeaders'],
|
queueJson['httpHeaders'],
|
||||||
|
|
@ -2733,19 +2734,15 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
||||||
queueJson['digest'],
|
queueJson['digest'],
|
||||||
postStr,
|
postStr,
|
||||||
debug):
|
debug):
|
||||||
|
httpSignatureFailed = True
|
||||||
print('Queue: Header signature check failed')
|
print('Queue: Header signature check failed')
|
||||||
pprint(queueJson['httpHeaders'])
|
pprint(queueJson['httpHeaders'])
|
||||||
if os.path.isfile(queueFilename):
|
else:
|
||||||
os.remove(queueFilename)
|
if debug:
|
||||||
if len(queue) > 0:
|
print('DEBUG: http header signature check success')
|
||||||
queue.pop(0)
|
|
||||||
continue
|
|
||||||
|
|
||||||
if debug:
|
|
||||||
print('DEBUG: http header signature check success')
|
|
||||||
|
|
||||||
# check if a json signature exists on this post
|
# check if a json signature exists on this post
|
||||||
checkJsonSignature = False
|
hasJsonSignature = False
|
||||||
originalJson = queueJson['original']
|
originalJson = queueJson['original']
|
||||||
if originalJson.get('@context') and \
|
if originalJson.get('@context') and \
|
||||||
originalJson.get('signature'):
|
originalJson.get('signature'):
|
||||||
|
|
@ -2756,39 +2753,49 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
||||||
if jwebsig.get('type') and jwebsig.get('signatureValue'):
|
if jwebsig.get('type') and jwebsig.get('signatureValue'):
|
||||||
if jwebsig['type'] == 'RsaSignature2017':
|
if jwebsig['type'] == 'RsaSignature2017':
|
||||||
if hasValidContext(originalJson):
|
if hasValidContext(originalJson):
|
||||||
checkJsonSignature = True
|
hasJsonSignature = True
|
||||||
else:
|
else:
|
||||||
print('unrecognised @context: ' +
|
print('unrecognised @context: ' +
|
||||||
str(originalJson['@context']))
|
str(originalJson['@context']))
|
||||||
|
|
||||||
# strict enforcement of json signatures
|
# strict enforcement of json signatures
|
||||||
if verifyAllSignatures and \
|
if not hasJsonSignature:
|
||||||
not checkJsonSignature:
|
if httpSignatureFailed:
|
||||||
print('inbox post does not have a jsonld signature ' +
|
print('Queue: Header signature check failed and ' +
|
||||||
keyId + ' ' + str(originalJson))
|
'unable to check json signature')
|
||||||
if os.path.isfile(queueFilename):
|
|
||||||
os.remove(queueFilename)
|
|
||||||
if len(queue) > 0:
|
|
||||||
queue.pop(0)
|
|
||||||
continue
|
|
||||||
|
|
||||||
if checkJsonSignature and verifyAllSignatures:
|
if verifyAllSignatures:
|
||||||
# use the original json message received, not one which may have
|
print('Queue: inbox post does not have a jsonld signature ' +
|
||||||
# been modified along the way
|
keyId + ' ' + str(originalJson))
|
||||||
if not verifyJsonSignature(originalJson, pubKey):
|
|
||||||
if debug:
|
if httpSignatureFailed or verifyAllSignatures:
|
||||||
print('WARN: jsonld inbox signature check failed ' +
|
|
||||||
keyId + ' ' + pubKey + ' ' + str(originalJson))
|
|
||||||
else:
|
|
||||||
print('WARN: jsonld inbox signature check failed ' +
|
|
||||||
keyId)
|
|
||||||
if os.path.isfile(queueFilename):
|
if os.path.isfile(queueFilename):
|
||||||
os.remove(queueFilename)
|
os.remove(queueFilename)
|
||||||
if len(queue) > 0:
|
if len(queue) > 0:
|
||||||
queue.pop(0)
|
queue.pop(0)
|
||||||
continue
|
continue
|
||||||
else:
|
else:
|
||||||
print('jsonld inbox signature check success ' + keyId)
|
if httpSignatureFailed or verifyAllSignatures:
|
||||||
|
# use the original json message received, not one which
|
||||||
|
# may have been modified along the way
|
||||||
|
if not verifyJsonSignature(originalJson, pubKey):
|
||||||
|
if debug:
|
||||||
|
print('WARN: jsonld inbox signature check failed ' +
|
||||||
|
keyId + ' ' + pubKey + ' ' + str(originalJson))
|
||||||
|
else:
|
||||||
|
print('WARN: jsonld inbox signature check failed ' +
|
||||||
|
keyId)
|
||||||
|
if os.path.isfile(queueFilename):
|
||||||
|
os.remove(queueFilename)
|
||||||
|
if len(queue) > 0:
|
||||||
|
queue.pop(0)
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
if httpSignatureFailed:
|
||||||
|
print('jsonld inbox signature check success ' +
|
||||||
|
'via relay ' + keyId)
|
||||||
|
else:
|
||||||
|
print('jsonld inbox signature check success ' + keyId)
|
||||||
|
|
||||||
# set the id to the same as the post filename
|
# set the id to the same as the post filename
|
||||||
# This makes the filename and the id consistent
|
# This makes the filename and the id consistent
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ def urlExists(session, url: str, timeoutSec=3,
|
||||||
result = session.get(url, headers=sessionHeaders,
|
result = session.get(url, headers=sessionHeaders,
|
||||||
params=sessionParams,
|
params=sessionParams,
|
||||||
timeout=timeoutSec)
|
timeout=timeoutSec)
|
||||||
if result:
|
if result:
|
||||||
if result.status_code == 200 or \
|
if result.status_code == 200 or \
|
||||||
result.status_code == 304:
|
result.status_code == 304:
|
||||||
return True
|
return True
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue