epicyon/securemode.py

__filename__ = "securemode.py"
__author__ = "Bob Mottram"
__license__ = "AGPL3+"
__version__ = "1.6.0"
__maintainer__ = "Bob Mottram"
__email__ = "bob@libreserver.org"
__status__ = "Production"
__module_group__ = "Security"

from httpsig import verify_post_headers
from session import establish_session
from flags import url_permitted
from httpsig import signed_get_key_id
from cache import get_person_pub_key


def secure_mode(curr_session, proxy_type: str,
                force: bool, server, headers: {}, path: str) -> bool:
    """http authentication (aka 'authorized fetch') of GET requests for json
    See AUTHORIZED_FETCH in https://docs.joinmastodon.org/admin/config
    """
    if not server.secure_mode and not force:
        return True

    key_id = signed_get_key_id(headers, server.debug)
    if not key_id:
        if server.debug:
            print('AUTH: secure mode, ' +
                  'failed to obtain key_id from signature')
        return False

    # is the key_id (actor) valid?
    if not url_permitted(key_id, server.federation_list):
        if server.debug:
            print('AUTH: Secure mode GET request not permitted: ' + key_id)
        return False

    if server.onion_domain:
        if '.onion/' in key_id:
            curr_session = server.session_onion
            proxy_type = 'tor'
    if server.i2p_domain:
        if '.i2p/' in key_id:
            curr_session = server.session_i2p
            proxy_type = 'i2p'

    curr_session = \
        establish_session("secure mode",
                          curr_session, proxy_type,
                          server)
    if not curr_session:
        return False

    # obtain the public key. key_id is the actor
    pub_key = \
        get_person_pub_key(server.base_dir,
                           curr_session, key_id,
                           server.person_cache, server.debug,
                           server.project_version,
                           server.http_prefix,
                           server.domain,
                           server.onion_domain,
                           server.i2p_domain,
                           server.signing_priv_key_pem,
                           server.mitm_servers)
    if not pub_key:
        if server.debug:
            print('AUTH: secure mode failed to ' +
                  'obtain public key for ' + key_id)
        return False

    # was an error http code returned?
    if isinstance(pub_key, dict):
        if server.debug:
            print('AUTH: failed to ' +
                  'obtain public key for ' + key_id +
                  ' ' + str(pub_key))
        return False

    # verify the GET request without any digest
    if verify_post_headers(server.http_prefix,
                           server.domain_full,
                           pub_key, headers,
                           path, True, None, '', server.debug):
        return True

    if server.debug:
        print('AUTH: secure mode authorization failed for ' + key_id)
    return False