APリファクタとLD-Signatureの検証に対応 (misskey-dev#6300)

* DbResolver * inbox types * 認証順を変更 * User/Keyあたりをまとめる * LD-Signatue * Validate contexts url * LD-Signature DocumentLoaderにProxyとTimeout
backrunner · May 8, 2020 · 070f1f3 · 070f1f3
1 parent 234294d
commit 070f1f3
Show file tree

Hide file tree

Showing 20 changed files with 1,049 additions and 230 deletions.
diff --git a/COPYING b/COPYING
@@ -13,3 +13,7 @@ https://github.com/twitter/twemoji-parser/blob/master/LICENSE.md
 Emoji keywords for Unicode 11 and below by Mu-An Chiou
 License: MIT
 https://github.com/muan/emojilib/blob/master/LICENSE
+
+RsaSignature2017 implementation by Transmute Industries Inc
+License: MIT
+https://github.com/transmute-industries/RsaSignature2017/blob/master/LICENSE
diff --git a/package.json b/package.json
@@ -53,13 +53,15 @@
 		"@types/cbor": "5.0.0",
 		"@types/dateformat": "3.0.1",
 		"@types/double-ended-queue": "2.1.1",
+		"@types/escape-regexp": "0.0.0",
 		"@types/glob": "7.1.1",
 		"@types/gulp": "4.0.6",
 		"@types/gulp-rename": "0.0.33",
 		"@types/gulp-replace": "0.0.31",
 		"@types/is-url": "1.2.28",
 		"@types/js-yaml": "3.12.3",
 		"@types/jsdom": "16.2.1",
+		"@types/jsonld": "1.5.1",
 		"@types/katex": "0.11.0",
 		"@types/koa": "2.11.3",
 		"@types/koa-bodyparser": "4.3.0",
@@ -126,6 +128,7 @@
 		"dateformat": "3.0.3",
 		"diskusage": "1.1.3",
 		"double-ended-queue": "2.1.0-0",
+		"escape-regexp": "0.0.1",
 		"eslint": "6.8.0",
 		"eslint-plugin-vue": "6.2.2",
 		"eventemitter3": "4.0.0",
@@ -156,6 +159,7 @@
 		"jsdom": "16.2.2",
 		"json5": "2.1.3",
 		"json5-loader": "4.0.0",
+		"jsonld": "3.1.0",
 		"jsrsasign": "8.0.15",
 		"katex": "0.11.1",
 		"koa": "2.11.0",

diff --git a/src/@types/http-signature.d.ts b/src/@types/http-signature.d.ts
@@ -19,10 +19,12 @@ declare module 'http-signature' {
 		clockSkew?: number;
 	}
 
-	interface IParsedSignature  {
+	interface IParsedSignature {
 		scheme: string;
 		params: ISignature;
 		signingString: string;
+		algorithm: string;
+		keyId: string;
 	}
 
 	type RequestSignerConstructorOptions =

diff --git a/src/queue/index.ts b/src/queue/index.ts
@@ -12,6 +12,7 @@ import procesObjectStorage from './processors/object-storage';
 import { queueLogger } from './logger';
 import { DriveFile } from '../models/entities/drive-file';
 import { getJobInfo } from './get-job-info';
+import { IActivity } from '../remote/activitypub/type';
 
 function initializeQueue(name: string, limitPerSec = -1) {
 	return new Queue(name, {
@@ -29,6 +30,12 @@ function initializeQueue(name: string, limitPerSec = -1) {
 	});
 }
 
+export type InboxJobData = {
+	activity: IActivity,
+	/** HTTP-Signature */
+	signature: httpSignature.IParsedSignature
+};
+
 function renderError(e: Error): any {
 	return {
 		stack: e?.stack,

diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts
@@ -1,95 +1,111 @@
 import * as Bull from 'bull';
 import * as httpSignature from 'http-signature';
-import { IRemoteUser } from '../../models/entities/user';
 import perform from '../../remote/activitypub/perform';
-import { resolvePerson, updatePerson } from '../../remote/activitypub/models/person';
 import Logger from '../../services/logger';
 import { registerOrFetchInstanceDoc } from '../../services/register-or-fetch-instance-doc';
-import { Instances, Users, UserPublickeys } from '../../models';
+import { Instances } from '../../models';
 import { instanceChart } from '../../services/chart';
-import { UserPublickey } from '../../models/entities/user-publickey';
 import { fetchMeta } from '../../misc/fetch-meta';
-import { toPuny } from '../../misc/convert-host';
-import { validActor } from '../../remote/activitypub/type';
-import { ensure } from '../../prelude/ensure';
+import { toPuny, extractDbHost } from '../../misc/convert-host';
+import { getApId } from '../../remote/activitypub/type';
 import { fetchNodeinfo } from '../../services/fetch-nodeinfo';
+import { InboxJobData } from '..';
+import DbResolver from '../../remote/activitypub/db-resolver';
+import { resolvePerson } from '../../remote/activitypub/models/person';
+import { LdSignature } from '../../remote/activitypub/misc/ld-signature';
 
 const logger = new Logger('inbox');
 
 // ユーザーのinboxにアクティビティが届いた時の処理
-export default async (job: Bull.Job): Promise<void> => {
-	const signature = job.data.signature;
+export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
+	const signature = job.data.signature;	// HTTP-signature
 	const activity = job.data.activity;
 
 	//#region Log
 	const info = Object.assign({}, activity);
 	delete info['@context'];
-	delete info['signature'];
 	logger.debug(JSON.stringify(info, null, 2));
 	//#endregion
 
-	const keyIdLower = signature.keyId.toLowerCase();
-	let user: IRemoteUser;
-	let key: UserPublickey;
-
-	if (keyIdLower.startsWith('acct:')) {
-		logger.warn(`Old keyId is no longer supported. ${keyIdLower}`);
-		return;
-	}
-
-	// アクティビティ内のホストの検証
 	const host = toPuny(new URL(signature.keyId).hostname);
-	try {
-		ValidateActivity(activity, host);
-	} catch (e) {
-		logger.warn(e.message);
-		return;
-	}
 
 	// ブロックしてたら中断
 	const meta = await fetchMeta();
 	if (meta.blockedHosts.includes(host)) {
-		logger.info(`Blocked request: ${host}`);
-		return;
+		return `Blocked request: ${host}`;
 	}
 
-	const _key = await UserPublickeys.findOne({
-		keyId: signature.keyId
-	});
+	const keyIdLower = signature.keyId.toLowerCase();
+	if (keyIdLower.startsWith('acct:')) {
+		return `Old keyId is no longer supported. ${keyIdLower}`;
+	}
 
-	if (_key) {
-		// 登録済みユーザー
-		user = await Users.findOne(_key.userId) as IRemoteUser;
-		key = _key;
-	} else {
-		// 未登録ユーザーの場合はリモート解決
-		user = await resolvePerson(activity.actor) as IRemoteUser;
-		if (user == null) {
-			throw new Error('failed to resolve user');
-		}
+	const dbResolver = new DbResolver();
+
+	// HTTP-Signature keyIdを元にDBから取得
+	let authUser = await dbResolver.getAuthUserFromKeyId(signature.keyId);
 
-		key = await UserPublickeys.findOne(user.id).then(ensure);
+	// keyIdでわからなければ、activity.actorを元にDBから取得 || activity.actorを元にリモートから取得
+	if (authUser == null) {
+		authUser = await dbResolver.getAuthUserFromApId(getApId(activity.actor));
 	}
 
-	// Update Person activityの場合は、ここで署名検証/更新処理まで実施して終了
-	if (activity.type === 'Update') {
-		if (activity.object && validActor.includes(activity.object.type)) {
-			if (!httpSignature.verifySignature(signature, key.keyPem)) {
-				logger.warn('Update activity received, but signature verification failed.');
-			} else {
-				updatePerson(activity.actor, null, activity.object);
+	// それでもわからなければ終了
+	if (authUser == null) {
+		return `skip: failed to resolve user`;
+	}
+
+	// HTTP-Signatureの検証
+	if (!httpSignature.verifySignature(signature, authUser.key.keyPem)) {
+		return 'signature verification failed';
+	}
+
+	// signatureのsignerは、activity.actorと一致する必要がある
+	if (authUser.user.uri !== activity.actor) {
+		// 一致しなくても、でもLD-Signatureがありそうならそっちも見る
+		if (activity.signature) {
+			if (activity.signature.type !== 'RsaSignature2017') {
+				return `skip: unsupported LD-signature type ${activity.signature.type}`;
+			}
+
+			// activity.signature.creator: https://example.oom/users/user#main-key
+			// みたいになっててUserを引っ張れば公開キーも入ることを期待する
+			if (activity.signature.creator) {
+				const candicate = activity.signature.creator.replace(/#.*/, '');
+				await resolvePerson(candicate).catch(() => null);
+			}
+
+			// keyIdからLD-Signatureのユーザーを取得
+			authUser = await dbResolver.getAuthUserFromKeyId(activity.signature.creator);
+			if (authUser == null) {
+				return `skip: LD-Signatureのユーザーが取得できませんでした`;
+			}
+
+			// LD-Signature検証
+			const ldSignature = new LdSignature();
+			const verified = await ldSignature.verifyRsaSignature2017(activity, authUser.key.keyPem).catch(() => false);
+			if (!verified) {
+				return `skip: LD-Signatureの検証に失敗しました`;
+			}
+
+			// もう一度actorチェック
+			if (authUser.user.uri !== activity.actor) {
+				return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`;
 			}
-			return;
 		}
 	}
 
-	if (!httpSignature.verifySignature(signature, key.keyPem)) {
-		logger.error('signature verification failed');
-		return;
+	// activity.idがあればホストが署名者のホストであることを確認する
+	if (typeof activity.id === 'string') {
+		const signerHost = extractDbHost(authUser.user.uri!);
+		const activityIdHost = extractDbHost(activity.id);
+		if (signerHost !== activityIdHost) {
+			return `skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`;
+		}
 	}
 
 	// Update stats
-	registerOrFetchInstanceDoc(user.host).then(i => {
+	registerOrFetchInstanceDoc(authUser.user.host).then(i => {
 		Instances.update(i.id, {
 			latestRequestReceivedAt: new Date(),
 			lastCommunicatedAt: new Date(),
@@ -102,42 +118,6 @@ export default async (job: Bull.Job): Promise<void> => {
 	});
 
 	// アクティビティを処理
-	await perform(user, activity);
+	await perform(authUser.user, activity);
+	return `ok`;
 };
-
-/**
- * Validate host in activity
- * @param activity Activity
- * @param host Expect host
- */
-function ValidateActivity(activity: any, host: string) {
-	// id (if exists)
-	if (typeof activity.id === 'string') {
-		const uriHost = toPuny(new URL(activity.id).hostname);
-		if (host !== uriHost) {
-			const diag = activity.signature ? '. Has LD-Signature. Forwarded?' : '';
-			throw new Error(`activity.id(${activity.id}) has different host(${host})${diag}`);
-		}
-	}
-
-	// actor (if exists)
-	if (typeof activity.actor === 'string') {
-		const uriHost = toPuny(new URL(activity.actor).hostname);
-		if (host !== uriHost) throw new Error('activity.actor has different host');
-	}
-
-	// For Create activity
-	if (activity.type === 'Create' && activity.object) {
-		// object.id (if exists)
-		if (typeof activity.object.id === 'string') {
-			const uriHost = toPuny(new URL(activity.object.id).hostname);
-			if (host !== uriHost) throw new Error('activity.object.id has different host');
-		}
-
-		// object.attributedTo (if exists)
-		if (typeof activity.object.attributedTo === 'string') {
-			const uriHost = toPuny(new URL(activity.object.attributedTo).hostname);
-			if (host !== uriHost) throw new Error('activity.object.attributedTo has different host');
-		}
-	}
-}