2019-09-21 16:26:11 +00:00
|
|
|
//! Types for setting up Digest middleware verification
|
|
|
|
|
2020-03-20 02:36:10 +00:00
|
|
|
use super::{DigestPart, DigestVerify};
|
2019-09-13 01:12:35 +00:00
|
|
|
use actix_web::{
|
2020-03-25 16:00:37 +00:00
|
|
|
dev::{MessageBody, Payload, Service, ServiceRequest, ServiceResponse, Transform},
|
2019-09-13 01:12:35 +00:00
|
|
|
error::PayloadError,
|
2020-03-16 00:29:47 +00:00
|
|
|
http::{header::HeaderValue, StatusCode},
|
2019-09-13 23:27:04 +00:00
|
|
|
FromRequest, HttpMessage, HttpRequest, HttpResponse, ResponseError,
|
2019-09-13 01:12:35 +00:00
|
|
|
};
|
2020-03-16 00:29:47 +00:00
|
|
|
use bytes::{Bytes, BytesMut};
|
2019-09-13 01:12:35 +00:00
|
|
|
use futures::{
|
2020-03-25 16:00:37 +00:00
|
|
|
channel::mpsc,
|
2020-03-16 00:29:47 +00:00
|
|
|
future::{err, ok, ready, Ready},
|
|
|
|
Stream, StreamExt,
|
|
|
|
};
|
2020-03-20 02:36:10 +00:00
|
|
|
use log::{debug, warn};
|
2020-03-16 00:29:47 +00:00
|
|
|
use std::{
|
|
|
|
future::Future,
|
|
|
|
pin::Pin,
|
|
|
|
task::{Context, Poll},
|
2019-09-13 01:12:35 +00:00
|
|
|
};
|
|
|
|
|
2019-09-13 23:27:04 +00:00
|
|
|
#[derive(Copy, Clone, Debug)]
|
2019-09-21 16:26:11 +00:00
|
|
|
/// A type implementing FromRequest that can be used in route handler to guard for verified
|
|
|
|
/// digests
|
|
|
|
///
|
|
|
|
/// This is only required when the [`VerifyDigest`] middleware is set to optional
|
2019-09-13 23:27:04 +00:00
|
|
|
pub struct DigestVerified;
|
2019-09-21 16:26:11 +00:00
|
|
|
|
|
|
|
/// The VerifyDigest middleware
|
|
|
|
///
|
|
|
|
/// ```rust,ignore
|
|
|
|
/// let middleware = VerifyDigest::new(MyVerify::new())
|
|
|
|
/// .optional();
|
|
|
|
///
|
|
|
|
/// HttpServer::new(move || {
|
|
|
|
/// App::new()
|
|
|
|
/// .wrap(middleware.clone())
|
|
|
|
/// .route("/protected", web::post().to(|_: DigestVerified| "Verified Digest Header"))
|
|
|
|
/// .route("/unprotected", web::post().to(|| "No verification required"))
|
|
|
|
/// })
|
|
|
|
/// ```
|
2019-09-13 01:12:35 +00:00
|
|
|
pub struct VerifyDigest<T>(bool, T);
|
2019-09-21 16:26:11 +00:00
|
|
|
|
|
|
|
#[doc(hidden)]
|
2020-03-25 16:00:37 +00:00
|
|
|
pub struct VerifyMiddleware<T, S>(S, bool, T);
|
2019-09-21 16:26:11 +00:00
|
|
|
|
2020-03-16 00:29:47 +00:00
|
|
|
#[derive(Debug, thiserror::Error)]
|
|
|
|
#[error("Error verifying digest")]
|
2019-09-21 16:26:11 +00:00
|
|
|
#[doc(hidden)]
|
2019-09-13 01:12:35 +00:00
|
|
|
pub struct VerifyError;
|
|
|
|
|
|
|
|
impl<T> VerifyDigest<T>
|
|
|
|
where
|
|
|
|
T: DigestVerify + Clone,
|
|
|
|
{
|
2019-09-21 16:26:11 +00:00
|
|
|
/// Produce a new VerifyDigest with a user-provided [`Digestverify`] type
|
2019-09-13 01:12:35 +00:00
|
|
|
pub fn new(verify_digest: T) -> Self {
|
|
|
|
VerifyDigest(true, verify_digest)
|
|
|
|
}
|
|
|
|
|
2019-09-21 16:26:11 +00:00
|
|
|
/// Mark verifying the Digest as optional
|
|
|
|
///
|
|
|
|
/// If a digest is present in the request, it will be verified, but it is not required to be
|
|
|
|
/// present
|
2019-09-13 01:12:35 +00:00
|
|
|
pub fn optional(self) -> Self {
|
|
|
|
VerifyDigest(false, self.1)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-13 23:27:04 +00:00
|
|
|
impl FromRequest for DigestVerified {
|
|
|
|
type Error = VerifyError;
|
2020-03-16 00:29:47 +00:00
|
|
|
type Future = Ready<Result<Self, Self::Error>>;
|
2019-09-13 23:27:04 +00:00
|
|
|
type Config = ();
|
|
|
|
|
|
|
|
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
|
2020-03-20 02:36:10 +00:00
|
|
|
let res = req
|
|
|
|
.extensions()
|
|
|
|
.get::<Self>()
|
|
|
|
.map(|s| *s)
|
|
|
|
.ok_or(VerifyError);
|
|
|
|
|
|
|
|
if res.is_err() {
|
|
|
|
debug!("Failed to fetch DigestVerified from request");
|
|
|
|
}
|
|
|
|
|
|
|
|
ready(res)
|
2019-09-13 23:27:04 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
impl<T, S, B> Transform<S> for VerifyDigest<T>
|
2019-09-13 01:12:35 +00:00
|
|
|
where
|
|
|
|
T: DigestVerify + Clone + 'static,
|
2020-03-25 16:00:37 +00:00
|
|
|
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error>
|
|
|
|
+ 'static,
|
2019-09-13 01:12:35 +00:00
|
|
|
S::Error: 'static,
|
2020-03-25 16:00:37 +00:00
|
|
|
B: MessageBody + 'static,
|
2019-09-13 01:12:35 +00:00
|
|
|
{
|
|
|
|
type Request = ServiceRequest;
|
2020-03-25 16:00:37 +00:00
|
|
|
type Response = ServiceResponse<B>;
|
2019-09-13 01:12:35 +00:00
|
|
|
type Error = actix_web::Error;
|
|
|
|
type Transform = VerifyMiddleware<T, S>;
|
|
|
|
type InitError = ();
|
2020-03-16 00:29:47 +00:00
|
|
|
type Future = Ready<Result<Self::Transform, Self::InitError>>;
|
2019-09-13 01:12:35 +00:00
|
|
|
|
|
|
|
fn new_transform(&self, service: S) -> Self::Future {
|
2020-03-25 16:00:37 +00:00
|
|
|
ok(VerifyMiddleware(service, self.0, self.1.clone()))
|
2019-09-13 01:12:35 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
impl<T, S, B> Service for VerifyMiddleware<T, S>
|
2019-09-13 01:12:35 +00:00
|
|
|
where
|
|
|
|
T: DigestVerify + Clone + 'static,
|
2020-03-25 16:00:37 +00:00
|
|
|
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error>
|
|
|
|
+ 'static,
|
2019-09-13 01:12:35 +00:00
|
|
|
S::Error: 'static,
|
2020-03-25 16:00:37 +00:00
|
|
|
B: MessageBody + 'static,
|
2019-09-13 01:12:35 +00:00
|
|
|
{
|
|
|
|
type Request = ServiceRequest;
|
2020-03-25 16:00:37 +00:00
|
|
|
type Response = ServiceResponse<B>;
|
2019-09-13 01:12:35 +00:00
|
|
|
type Error = actix_web::Error;
|
2020-03-16 00:29:47 +00:00
|
|
|
type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;
|
2019-09-13 01:12:35 +00:00
|
|
|
|
2020-03-16 00:29:47 +00:00
|
|
|
fn poll_ready(&mut self, cx: &mut Context) -> Poll<Result<(), Self::Error>> {
|
2020-03-25 16:00:37 +00:00
|
|
|
self.0.poll_ready(cx)
|
2019-09-13 01:12:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
fn call(&mut self, mut req: ServiceRequest) -> Self::Future {
|
|
|
|
if let Some(digest) = req.headers().get("Digest") {
|
|
|
|
let vec = match parse_digest(digest) {
|
|
|
|
Some(vec) => vec,
|
2020-03-20 02:36:10 +00:00
|
|
|
None => {
|
|
|
|
warn!("Digest header could not be parsed");
|
|
|
|
return Box::pin(err(VerifyError.into()));
|
|
|
|
}
|
2019-09-13 01:12:35 +00:00
|
|
|
};
|
2020-03-25 16:00:37 +00:00
|
|
|
let payload = req.take_payload();
|
2019-09-13 01:12:35 +00:00
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
let (tx, rx) = mpsc::channel(1);
|
|
|
|
let f1 = verify_payload(vec, self.2.clone(), payload, tx);
|
2020-03-16 00:29:47 +00:00
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
let payload: Pin<Box<dyn Stream<Item = Result<Bytes, PayloadError>> + 'static>> =
|
|
|
|
Box::pin(rx.map(|bytes| Ok(bytes)));
|
|
|
|
req.set_payload(payload.into());
|
|
|
|
req.extensions_mut().insert(DigestVerified);
|
2019-09-13 01:12:35 +00:00
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
let f2 = self.0.call(req);
|
2019-09-13 23:27:04 +00:00
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
Box::pin(async move {
|
|
|
|
f1.await?;
|
|
|
|
f2.await
|
2020-03-16 00:29:47 +00:00
|
|
|
})
|
2019-09-13 22:55:51 +00:00
|
|
|
} else if self.1 {
|
2020-03-16 00:29:47 +00:00
|
|
|
Box::pin(err(VerifyError.into()))
|
2019-09-13 01:12:35 +00:00
|
|
|
} else {
|
2020-03-25 16:00:37 +00:00
|
|
|
Box::pin(self.0.call(req))
|
2019-09-13 01:12:35 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-25 16:00:37 +00:00
|
|
|
async fn verify_payload<T>(
|
|
|
|
vec: Vec<DigestPart>,
|
|
|
|
mut verify_digest: T,
|
|
|
|
mut payload: Payload,
|
|
|
|
mut tx: mpsc::Sender<Bytes>,
|
|
|
|
) -> Result<(), actix_web::Error>
|
|
|
|
where
|
|
|
|
T: DigestVerify + Clone + 'static,
|
|
|
|
{
|
|
|
|
let mut output_bytes = BytesMut::new();
|
|
|
|
|
|
|
|
while let Some(res) = payload.next().await {
|
|
|
|
let bytes = res?;
|
|
|
|
output_bytes.extend(bytes);
|
|
|
|
|
|
|
|
if tx.is_closed() {
|
|
|
|
warn!("Payload dropped. If this was unexpected, it could be that the payload isn't required in the route this middleware is guarding");
|
|
|
|
return Err(VerifyError.into());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
let bytes = output_bytes.freeze();
|
|
|
|
|
|
|
|
if verify_digest.verify(&vec, &bytes.as_ref()) {
|
|
|
|
tx.try_send(bytes).map_err(|_| VerifyError.into())
|
|
|
|
} else {
|
|
|
|
warn!("Digest could not be verified");
|
|
|
|
Err(VerifyError.into())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-13 01:12:35 +00:00
|
|
|
fn parse_digest(h: &HeaderValue) -> Option<Vec<DigestPart>> {
|
|
|
|
let h = h.to_str().ok()?.split(";").next()?;
|
|
|
|
let v: Vec<_> = h
|
|
|
|
.split(",")
|
|
|
|
.filter_map(|p| {
|
|
|
|
let mut iter = p.splitn(2, "=");
|
|
|
|
iter.next()
|
|
|
|
.and_then(|alg| iter.next().map(|value| (alg, value)))
|
|
|
|
})
|
|
|
|
.map(|(alg, value)| DigestPart {
|
|
|
|
algorithm: alg.to_owned(),
|
|
|
|
digest: value.to_owned(),
|
|
|
|
})
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
if v.is_empty() {
|
|
|
|
None
|
|
|
|
} else {
|
|
|
|
Some(v)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl ResponseError for VerifyError {
|
2020-03-16 00:29:47 +00:00
|
|
|
fn status_code(&self) -> StatusCode {
|
|
|
|
StatusCode::BAD_REQUEST
|
2019-09-13 01:12:35 +00:00
|
|
|
}
|
|
|
|
|
2020-03-16 00:29:47 +00:00
|
|
|
fn error_response(&self) -> HttpResponse {
|
|
|
|
HttpResponse::BadRequest().finish()
|
2019-09-13 01:12:35 +00:00
|
|
|
}
|
|
|
|
}
|