commit 5daf0a78d141596896ca6890e2ae575658f12784 Author: asonix Date: Wed Sep 11 00:17:30 2019 -0500 Initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6936990 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +/target +**/*.rs.bk +Cargo.lock diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..0f6b980 --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "http-signature-normalization" +description = "An HTTP Signatures library that leaves the signing to you" +version = "0.1.0" +authors = ["asonix "] +license-file = "./LICENSE" +readme = "./README.md" +edition = "2018" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +base64 = "0.10" +chrono = "0.4" +http = "0.1.18" diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c4ecef9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,417 @@ +Http Signature Normalization +Copyright Riley Trautman 2019 + +COOPERATIVE SOFTWARE LICENSE + +THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS +COPYFARLEFT PUBLIC LICENSE ("LICENSE"). THE WORK IS PROTECTED BY +COPYRIGHT AND ALL OTHER APPLICABLE LAWS. ANY USE OF THE WORK OTHER THAN +AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY +EXERCISING ANY RIGHTS TO THE WORK PROVIDED IN THIS LICENSE, YOU AGREE +TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE +MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS +CONTAINED HERE IN AS CONSIDERATION FOR ACCEPTING THE TERMS AND +CONDITIONS OF THIS LICENSE AND FOR AGREEING TO BE BOUND BY THE TERMS +AND CONDITIONS OF THIS LICENSE. + +1. DEFINITIONS + + a. "Adaptation" means a work based upon the Work, or upon the + Work and other pre-existing works, such as a translation, + adaptation, derivative work, arrangement of music or other + alterations of a literary or artistic work, or phonogram or + performance and includes cinematographic adaptations or any + other form in which the Work may be recast, transformed, or + adapted including in any form recognizably derived from the + original, except that a work that constitutes a Collection will + not be considered an Adaptation for the purpose of this License. + For the avoidance of doubt, where the Work is a musical work, + performance or phonogram, the synchronization of the Work in + timed-relation with a moving image ("synching") will be + considered an Adaptation for the purpose of this License. + + b. "Collection" means a collection of literary or artistic + works, such as encyclopedias and anthologies, or performances, + phonograms or broadcasts, or other works or subject matter other + than works listed in Section 1(f) below, which, by reason of the + selection and arrangement of their contents, constitute + intellectual creations, in which the Work is included in its + entirety in unmodified form along with one or more other + contributions, each constituting separate and independent works + in themselves, which together are assembled into a collective + whole. A work that constitutes a Collection will not be + considered an Adaptation (as defined above) for the purposes of + this License. + + c. "Distribute" means to make available to the public the + original and copies of the Work or Adaptation, as appropriate, + through sale, gift or any other transfer of possession or + ownership. + + d. "Licensor" means the individual, individuals, entity or + entities that offer(s) the Work under the terms of this License. + + e. "Original Author" means, in the case of a literary or + artistic work, the individual, individuals, entity or entities + who created the Work or if no individual or entity can be + identified, the publisher; and in addition (i) in the case of a + performance the actors, singers, musicians, dancers, and other + persons who act, sing, deliver, declaim, play in, interpret or + otherwise perform literary or artistic works or expressions of + folklore; (ii) in the case of a phonogram the producer being the + person or legal entity who first fixes the sounds of a + performance or other sounds; and, (iii) in the case of + broadcasts, the organization that transmits the broadcast. + + f. "Work" means the literary and/or artistic work offered under + the terms of this License including without limitation any + production in the literary, scientific and artistic domain, + whatever may be the mode or form of its expression including + digital form, such as a book, pamphlet and other writing; a + lecture, address, sermon or other work of the same nature; a + dramatic or dramatico-musical work; a choreographic work or + entertainment in dumb show; a musical composition with or + without words; a cinematographic work to which are assimilated + works expressed by a process analogous to cinematography; a work + of drawing, painting, architecture, sculpture, engraving or + lithography; a photographic work to which are assimilated works + expressed by a process analogous to photography; a work of + applied art; an illustration, map, plan, sketch or + three-dimensional work relative to geography, topography, + architecture or science; a performance; a broadcast; a + phonogram; a compilation of data to the extent it is protected + as a copyrightable work; or a work performed by a variety or + circus performer to the extent it is not otherwise considered a + literary or artistic work. + + g. "You" means an individual or entity exercising rights under + this License who has not previously violated the terms of this + License with respect to the Work, or who has received express + permission from the Licensor to exercise rights under this + License despite a previous violation. + + h. "Publicly Perform" means to perform public recitations of the + Work and to communicate to the public those public recitations, + by any means or process, including by wire or wireless means or + public digital performances; to make available to the public + Works in such a way that members of the public may access these + Works from a place and at a place individually chosen by them; + to perform the Work to the public by any means or process and + the communication to the public of the performances of the Work, + including by public digital performance; to broadcast and + rebroadcast the Work by any means including signs, sounds or + images. + + i. "Reproduce" means to make copies of the Work by any means + including without limitation by sound or visual recordings and + the right of fixation and reproducing fixations of the Work, + including storage of a protected performance or phonogram in + digital form or other electronic medium. + + j. "Software" means any digital Work which, through use of a + third-party piece of Software or through the direct usage of + itself on a computer system, the memory of the computer is + modified dynamically or semi-dynamically. "Software", + secondly, processes or interprets information. + + k. "Source Code" means the human-readable form of Software + through which the Original Author and/or Distributor originally + created, derived, and/or modified it. + + l. "Web Service" means the use of a piece of Software to + interpret or modify information that is subsequently and directly + served to users over the Internet. + +2. FAIR DEALING RIGHTS + + Nothing in this License is intended to reduce, limit, or restrict any + uses free from copyright or rights arising from limitations or + exceptions that are provided for in connection with the copyright + protection under copyright law or other applicable laws. + +3. LICENSE GRANT + + Subject to the terms and conditions of this License, Licensor hereby + grants You a worldwide, royalty-free, non-exclusive, perpetual (for the + duration of the applicable copyright) license to exercise the rights in + the Work as stated below: + + a. to Reproduce the Work, to incorporate the Work into one or + more Collections, and to Reproduce the Work as incorporated in + the Collections; + + b. to create and Reproduce Adaptations provided that any such + Adaptation, including any translation in any medium, takes + reasonable steps to clearly label, demarcate or otherwise + identify that changes were made to the original Work. For + example, a translation could be marked "The original work was + translated from English to Spanish," or a modification could + indicate "The original work has been modified."; + + c. to Distribute and Publicly Perform the Work including as + incorporated in Collections; and, + + d. to Distribute and Publicly Perform Adaptations. The above + rights may be exercised in all media and formats whether now + known or hereafter devised. The above rights include the right + to make such modifications as are technically necessary to + exercise the rights in other media and formats. Subject to + Section 8(g), all rights not expressly granted by Licensor are + hereby reserved, including but not limited to the rights set + forth in Section 4(h). + +4. RESTRICTIONS + + The license granted in Section 3 above is expressly made subject to and + limited by the following restrictions: + + a. You may Distribute or Publicly Perform the Work only under + the terms of this License. You must include a copy of, or the + Uniform Resource Identifier (URI) for, this License with every + copy of the Work You Distribute or Publicly Perform. You may not + offer or impose any terms on the Work that restrict the terms of + this License or the ability of the recipient of the Work to + exercise the rights granted to that recipient under the terms of + the License. You may not sublicense the Work. You must keep + intact all notices that refer to this License and to the + disclaimer of warranties with every copy of the Work You + Distribute or Publicly Perform. When You Distribute or Publicly + Perform the Work, You may not impose any effective technological + measures on the Work that restrict the ability of a recipient of + the Work from You to exercise the rights granted to that + recipient under the terms of the License. This Section 4(a) + applies to the Work as incorporated in a Collection, but this + does not require the Collection apart from the Work itself to be + made subject to the terms of this License. If You create a + Collection, upon notice from any Licensor You must, to the + extent practicable, remove from the Collection any credit as + required by Section 4(f), as requested. If You create an + Adaptation, upon notice from any Licensor You must, to the + extent practicable, remove from the Adaptation any credit as + required by Section 4(f), as requested. + + b. Subject to the exception in Section 4(e), you may not + exercise any of the rights granted to You in Section 3 above in + any manner that is primarily intended for or directed toward + commercial advantage or private monetary compensation. The + exchange of the Work for other copyrighted works by means of + digital file-sharing or otherwise shall not be considered to be + intended for or directed toward commercial advantage or private + monetary compensation, provided there is no payment of any + monetary compensation in connection with the exchange of + copyrighted works. + + c. If the Work meets the definition of Software, You may exercise + the rights granted in Section 3 only if You provide a copy of the + corresponding Source Code from which the Work was derived in digital + form, or You provide a URI for the corresponding Source Code of + the Work, to any recipients upon request. + + d. If the Work is used as or for a Web Service, You may exercise + the rights granted in Section 3 only if You provide a copy of the + corresponding Source Code from which the Work was derived in digital + form, or You provide a URI for the corresponding Source Code to the + Work, to any recipients of the data served or modified by the Web + Service. + + e. You may exercise the rights granted in Section 3 for + commercial purposes only if you satisfy any of the following: + + i. You are a worker-owned business or worker-owned + collective; and + ii. after tax, all financial gain, surplus, profits and + benefits produced by the business or collective are + distributed among the worker-owners + iii. You are not using such rights on behalf of a business + other than those specified in 4(e.i) and elaborated upon in + 4(e.ii), nor are using such rights as a proxy on behalf of a + business with the intent to circumvent the aforementioned + restrictions on such a business. + + f. Any use by a business that is privately owned and managed, + and that seeks to generate profit from the labor of employees + paid by salary or other wages, is not permitted under this + license. + + g. If You Distribute, or Publicly Perform the Work or any + Adaptations or Collections, You must, unless a request has been + made pursuant to Section 4(a), keep intact all copyright notices + for the Work and provide, reasonable to the medium or means You + are utilizing: (i) the name of the Original Author (or + pseudonym, if applicable) if supplied, and/or if the Original + Author and/or Licensor designate another party or parties (e.g., + a sponsor institute, publishing entity, journal) for attribution + ("Attribution Parties") in Licensor!s copyright notice, terms of + service or by other reasonable means, the name of such party or + parties; (ii) the title of the Work if supplied; (iii) to the + extent reasonably practicable, the URI, if any, that Licensor + specifies to be associated with the Work, unless such URI does + not refer to the copyright notice or licensing information for + the Work; and, (iv) consistent with Section 3(b), in the case of + an Adaptation, a credit identifying the use of the Work in the + Adaptation (e.g., "French translation of the Work by Original + Author," or "Screenplay based on original Work by Original + Author"). The credit required by this Section 4(f) may be + implemented in any reasonable manner; provided, however, that in + the case of a Adaptation or Collection, at a minimum such credit + will appear, if a credit for all contributing authors of the + Adaptation or Collection appears, then as part of these credits + and in a manner at least as prominent as the credits for the + other contributing authors. For the avoidance of doubt, You may + only use the credit required by this Section for the purpose of + attribution in the manner set out above and, by exercising Your + rights under this License, You may not implicitly or explicitly + assert or imply any connection with, sponsorship or endorsement + by the Original Author, Licensor and/or Attribution Parties, as + appropriate, of You or Your use of the Work, without the + separate, express prior written permission of the Original + Author, Licensor and/or Attribution Parties. + + h. For the avoidance of doubt: + + i. Non-waivable Compulsory License Schemes. In those + jurisdictions in which the right to collect royalties + through any statutory or compulsory licensing scheme + cannot be waived, the Licensor reserves the exclusive + right to collect such royalties for any exercise by You of + the rights granted under this License; + + ii. Waivable Compulsory License Schemes. In those + jurisdictions in which the right to collect royalties + through any statutory or compulsory licensing scheme can + be waived, the Licensor reserves the exclusive right to + collect such royalties for any exercise by You of the + rights granted under this License if Your exercise of such + rights is for a purpose or use which is otherwise than + noncommercial as permitted under Section 4(b) and + otherwise waives the right to collect royalties through + any statutory or compulsory licensing scheme; and, + iii.Voluntary License Schemes. The Licensor reserves the + right to collect royalties, whether individually or, in + the event that the Licensor is a member of a collecting + society that administers voluntary licensing schemes, via + that society, from any exercise by You of the rights + granted under this License that is for a purpose or use + which is otherwise than noncommercial as permitted under + Section 4(b). + + i. Except as otherwise agreed in writing by the Licensor or as + may be otherwise permitted by applicable law, if You Reproduce, + Distribute or Publicly Perform the Work either by itself or as + part of any Adaptations or Collections, You must not distort, + mutilate, modify or take other derogatory action in relation to + the Work which would be prejudicial to the Original Author's + honor or reputation. Licensor agrees that in those jurisdictions + (e.g. Japan), in which any exercise of the right granted in + Section 3(b) of this License (the right to make Adaptations) + would be deemed to be a distortion, mutilation, modification or + other derogatory action prejudicial to the Original Author's + honor and reputation, the Licensor will waive or not assert, as + appropriate, this Section, to the fullest extent permitted by + the applicable national law, to enable You to reasonably + exercise Your right under Section 3(b) of this License (right to + make Adaptations) but not otherwise. + +5. REPRESENTATIONS, WARRANTIES AND DISCLAIMER + + UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR + OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY + KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, + INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, + FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF + LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF + ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW + THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO + YOU. + +6. LIMITATION ON LIABILITY + + EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL + LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF + THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED + OF THE POSSIBILITY OF SUCH DAMAGES. + +7. TERMINATION + + a. This License and the rights granted hereunder will terminate + automatically upon any breach by You of the terms of this + License. Individuals or entities who have received Adaptations + or Collections from You under this License, however, will not + have their licenses terminated provided such individuals or + entities remain in full compliance with those licenses. Sections + 1, 2, 5, 6, 7, and 8 will survive any termination of this + License. + + b. Subject to the above terms and conditions, the license + granted here is perpetual (for the duration of the applicable + copyright in the Work). Notwithstanding the above, Licensor + reserves the right to release the Work under different license + terms or to stop distributing the Work at any time; provided, + however that any such election will not serve to withdraw this + License (or any other license that has been, or is required to + be, granted under the terms of this License), and this License + will continue in full force and effect unless terminated as + stated above. + +8. MISCELLANEOUS + + a. Each time You Distribute or Publicly Perform the Work or a + Collection, the Licensor offers to the recipient a license to + the Work on the same terms and conditions as the license granted + to You under this License. + + b. Each time You Distribute or Publicly Perform an Adaptation, + Licensor offers to the recipient a license to the original Work + on the same terms and conditions as the license granted to You + under this License. + + c. If the Work is classified as Software, each time You Distribute + or Publicly Perform an Adaptation, Licensor offers to the recipient + a copy and/or URI of the corresponding Source Code on the same + terms and conditions as the license granted to You under this License. + + d. If the Work is used as a Web Service, each time You Distribute + or Publicly Perform an Adaptation, or serve data derived from the + Software, the Licensor offers to any recipients of the data a copy + and/or URI of the corresponding Source Code on the same terms and + conditions as the license granted to You under this License. + + e. If any provision of this License is invalid or unenforceable + under applicable law, it shall not affect the validity or + enforceability of the remainder of the terms of this License, + and without further action by the parties to this agreement, + such provision shall be reformed to the minimum extent necessary + to make such provision valid and enforceable. + + f. No term or provision of this License shall be deemed waived + and no breach consented to unless such waiver or consent shall + be in writing and signed by the party to be charged with such + waiver or consent. + + g. This License constitutes the entire agreement between the + parties with respect to the Work licensed here. There are no + understandings, agreements or representations with respect to + the Work not specified here. Licensor shall not be bound by any + additional provisions that may appear in any communication from + You. This License may not be modified without the mutual written + agreement of the Licensor and You. + + h. The rights granted under, and the subject matter referenced, + in this License were drafted utilizing the terminology of the + Berne Convention for the Protection of Literary and Artistic + Works (as amended on September 28, 1979), the Rome Convention of + 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances + and Phonograms Treaty of 1996 and the Universal Copyright + Convention (as revised on July 24, 1971). These rights and + subject matter take effect in the relevant jurisdiction in which + the License terms are sought to be enforced according to the + corresponding provisions of the implementation of those treaty + provisions in the applicable national law. If the standard suite + of rights granted under applicable copyright law includes + additional rights not granted under this License, such + additional rights are deemed to be included in the License; this + License is not intended to restrict the license of any rights + under applicable law. + + diff --git a/README.md b/README.md new file mode 100644 index 0000000..3974edc --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +HTTP Signature Normaliztion +_An HTTP Signatures library that leaves the signing to you_ diff --git a/src/create.rs b/src/create.rs new file mode 100644 index 0000000..3ecf6d7 --- /dev/null +++ b/src/create.rs @@ -0,0 +1,74 @@ +use chrono::{DateTime, Utc}; +use http::header::{HeaderMap, HeaderName, HeaderValue, InvalidHeaderValue, AUTHORIZATION}; + +use crate::{ + ALGORITHM_FIELD, ALGORITHM_VALUE, CREATED_FIELD, EXPIRES_FIELD, HEADERS_FIELD, KEY_ID_FIELD, + SIGNATURE_FIELD, +}; + +const SIGNATURE_HEADER: &'static str = "Signature"; + +pub struct Signed { + signature: String, + sig_headers: Vec, + created: DateTime, + expires: DateTime, + key_id: String, +} + +pub struct Unsigned { + pub(crate) signing_string: String, + pub(crate) sig_headers: Vec, + pub(crate) created: DateTime, + pub(crate) expires: DateTime, +} + +impl Signed { + pub fn signature_header(self, hm: &mut HeaderMap) -> Result<(), InvalidHeaderValue> { + hm.insert( + AUTHORIZATION, + HeaderValue::from_str(&format!("Signature {}", self.into_header()))?, + ); + Ok(()) + } + + pub fn authorization_header(self, hm: &mut HeaderMap) -> Result<(), InvalidHeaderValue> { + hm.insert( + HeaderName::from_static(SIGNATURE_HEADER), + HeaderValue::from_str(&self.into_header())?, + ); + Ok(()) + } + + fn into_header(self) -> String { + let header_parts = [ + (KEY_ID_FIELD, self.key_id), + (ALGORITHM_FIELD, ALGORITHM_VALUE.to_owned()), + (CREATED_FIELD, self.created.timestamp().to_string()), + (EXPIRES_FIELD, self.expires.timestamp().to_string()), + (HEADERS_FIELD, self.sig_headers.join(" ")), + (SIGNATURE_FIELD, self.signature), + ]; + + header_parts + .iter() + .map(|(k, v)| format!("{}=\"{}\"", k, v)) + .collect::>() + .join(",") + } +} + +impl Unsigned { + pub fn sign(self, key_id: String, f: F) -> Result + where + F: FnOnce(&str) -> Result, E>, + { + (f)(&self.signing_string).map(|v| Signed { + signature: base64::encode(&v), + sig_headers: self.sig_headers, + created: self.created, + expires: self.expires, + key_id, + }) + } +} diff --git a/src/lib.rs b/src/lib.rs new file mode 100644 index 0000000..7996a54 --- /dev/null +++ b/src/lib.rs @@ -0,0 +1,149 @@ +use chrono::{DateTime, Duration, Utc}; +use http::{ + header::{HeaderMap, ToStrError}, + method::Method, + uri::PathAndQuery, +}; +use std::collections::BTreeMap; + +pub mod create; +pub mod verify; + +use self::{ + create::Unsigned, + verify::{Unvalidated, ValidateError}, +}; + +const REQUEST_TARGET: &'static str = "(request-target)"; +const CREATED: &'static str = "(crated)"; +const EXPIRES: &'static str = "(expires)"; + +const KEY_ID_FIELD: &'static str = "keyId"; +const ALGORITHM_FIELD: &'static str = "algorithm"; +const ALGORITHM_VALUE: &'static str = "hs2019"; +const CREATED_FIELD: &'static str = "created"; +const EXPIRES_FIELD: &'static str = "expires"; +const HEADERS_FIELD: &'static str = "headers"; +const SIGNATURE_FIELD: &'static str = "signature"; + +#[derive(Clone)] +pub struct Config { + pub expires: Duration, +} + +impl Config { + pub fn normalize( + &self, + method: Method, + path_and_query: &PathAndQuery, + headers: &HeaderMap, + ) -> Result { + let (sig_headers, mut btm) = build_headers_list(headers)?; + + let created = Utc::now(); + let expires = created + self.expires; + + let signing_string = build_signing_string( + method, + path_and_query, + Some(created), + Some(expires), + &sig_headers, + &mut btm, + ); + + Ok(Unsigned { + signing_string, + sig_headers, + created, + expires, + }) + } + + pub fn validate(&self, unvalidated: Unvalidated, f: F) -> Result + where + F: FnOnce(&[u8], &str) -> T, + { + if let Some(expires) = unvalidated.expires { + if expires < unvalidated.parsed_at { + return Err(ValidateError::Expired); + } + } + if let Some(created) = unvalidated.created { + if created + self.expires < unvalidated.parsed_at { + return Err(ValidateError::Expired); + } + } + + let v = base64::decode(&unvalidated.signature).map_err(|_| ValidateError::Decode)?; + + Ok((f)(&v, &unvalidated.signing_string)) + } +} + +fn build_headers_list( + headers: &HeaderMap, +) -> Result<(Vec, BTreeMap), ToStrError> { + let btm: BTreeMap = headers + .iter() + .map(|(k, v)| { + v.to_str() + .map(|v| (k.as_str().to_lowercase().to_owned(), v.to_owned())) + }) + .collect::, _>>()?; + + let http_header_keys: Vec = btm.keys().cloned().collect(); + + let mut sig_headers = vec![ + REQUEST_TARGET.to_owned(), + CREATED.to_owned(), + EXPIRES.to_owned(), + ]; + + sig_headers.extend(http_header_keys); + + Ok((sig_headers, btm)) +} + +fn build_signing_string( + method: Method, + path_and_query: &PathAndQuery, + created: Option>, + expires: Option>, + sig_headers: &[String], + btm: &mut BTreeMap, +) -> String { + let request_target = format!("{} {}", method.to_string().to_lowercase(), path_and_query); + + btm.insert(REQUEST_TARGET.to_owned(), request_target.clone()); + if let Some(created) = created { + btm.insert(CREATED.to_owned(), created.timestamp().to_string()); + } + if let Some(expires) = expires { + btm.insert(EXPIRES.to_owned(), expires.timestamp().to_string()); + } + + let signing_string = sig_headers + .iter() + .filter_map(|h| btm.remove(h).map(|v| format!("{}: {}", h, v))) + .collect::>() + .join("\n"); + + signing_string +} + +impl Default for Config { + fn default() -> Self { + Config { + expires: Duration::seconds(10), + } + } +} + +#[cfg(test)] +mod tests { + #[test] + fn it_works() { + assert_eq!(2 + 2, 4); + } +} diff --git a/src/verify.rs b/src/verify.rs new file mode 100644 index 0000000..d5bd900 --- /dev/null +++ b/src/verify.rs @@ -0,0 +1,221 @@ +use chrono::{DateTime, TimeZone, Utc}; +use http::{ + header::{HeaderMap, ToStrError}, + method::Method, + uri::PathAndQuery, +}; +use std::{collections::HashMap, error::Error, fmt, str::FromStr}; + +use crate::{ + build_headers_list, build_signing_string, ALGORITHM_FIELD, CREATED, CREATED_FIELD, + EXPIRES_FIELD, HEADERS_FIELD, KEY_ID_FIELD, SIGNATURE_FIELD, +}; + +pub struct Unvalidated { + pub(crate) key_id: String, + pub(crate) signature: String, + pub(crate) algorithm: Option, + pub(crate) created: Option>, + pub(crate) expires: Option>, + pub(crate) parsed_at: DateTime, + pub(crate) signing_string: String, +} + +pub struct ParsedHeader { + signature: String, + key_id: String, + headers: Vec, + algorithm: Option, + created: Option>, + expires: Option>, + parsed_at: DateTime, +} + +#[derive(Clone, Copy, Debug)] +pub enum DeprecatedAlgorithm { + HmacSha1, + HmacSha256, + HmacSha384, + HmacSha512, + RsaSha1, + RsaSha256, + RsaSha384, + RsaSha512, + EcdsaSha1, + EcdsaSha256, + EcdsaSha384, + EcdsaSha512, +} + +#[derive(Clone, Debug)] +pub enum Algorithm { + Hs2019, + Deprecated(DeprecatedAlgorithm), + Unknown(String), +} + +#[derive(Clone, Debug)] +pub enum ValidateError { + Expired, + Decode, +} + +#[derive(Clone, Debug)] +pub struct ParseSignatureError(&'static str); + +impl Unvalidated { + pub fn key_id(&self) -> &str { + &self.key_id + } + + pub fn algorithm(&self) -> Option<&Algorithm> { + self.algorithm.as_ref() + } +} + +impl ParsedHeader { + pub fn to_unvalidated( + self, + method: Method, + path_and_query: &PathAndQuery, + headers: &HeaderMap, + ) -> Result { + let (_, mut btm) = build_headers_list(headers)?; + + let signing_string = build_signing_string( + method, + path_and_query, + self.created, + self.expires, + &self.headers, + &mut btm, + ); + + Ok(Unvalidated { + key_id: self.key_id, + signature: self.signature, + parsed_at: self.parsed_at, + algorithm: self.algorithm, + created: self.created, + expires: self.expires, + signing_string, + }) + } +} + +impl FromStr for ParsedHeader { + type Err = ParseSignatureError; + + fn from_str(s: &str) -> Result { + let s = s.trim_start_matches("Signature").trim(); + let mut hm: HashMap = s + .split(',') + .filter_map(|part| { + let mut i = part.splitn(2, "="); + + if let Some(key) = i.next() { + if let Some(value) = i.next() { + return Some((key.to_owned(), value.to_owned())); + } + } + None + }) + .collect(); + + Ok(ParsedHeader { + signature: hm + .remove(SIGNATURE_FIELD) + .ok_or(ParseSignatureError(SIGNATURE_FIELD))?, + key_id: hm + .remove(KEY_ID_FIELD) + .ok_or(ParseSignatureError(KEY_ID_FIELD))?, + headers: hm + .remove(HEADERS_FIELD) + .map(|h| h.split_whitespace().map(|s| s.to_owned()).collect()) + .unwrap_or_else(|| vec![CREATED.to_owned()]), + algorithm: hm.remove(ALGORITHM_FIELD).map(Algorithm::from), + created: parse_time(&mut hm, CREATED_FIELD)?, + expires: parse_time(&mut hm, EXPIRES_FIELD)?, + parsed_at: Utc::now(), + }) + } +} + +fn parse_time( + hm: &mut HashMap, + key: &'static str, +) -> Result>, ParseSignatureError> { + let r = hm.remove(key).map(|s| { + Utc.datetime_from_str(&s, "%s") + .map_err(|_| ParseSignatureError(key)) + }); + + match r { + Some(Ok(t)) => Ok(Some(t)), + Some(Err(e)) => Err(e), + None => Ok(None), + } +} + +impl From for Algorithm { + fn from(d: DeprecatedAlgorithm) -> Algorithm { + Algorithm::Deprecated(d) + } +} + +impl From for Algorithm { + fn from(s: String) -> Self { + Algorithm::from(s.as_str()) + } +} + +impl From<&str> for Algorithm { + fn from(s: &str) -> Self { + match s { + "hmac-sha1" => DeprecatedAlgorithm::HmacSha1.into(), + "hmac-sha256" => DeprecatedAlgorithm::HmacSha256.into(), + "hmac-sha384" => DeprecatedAlgorithm::HmacSha384.into(), + "hmac-sha512" => DeprecatedAlgorithm::HmacSha512.into(), + "rsa-sha1" => DeprecatedAlgorithm::RsaSha1.into(), + "rsa-sha256" => DeprecatedAlgorithm::RsaSha256.into(), + "rsa-sha384" => DeprecatedAlgorithm::RsaSha384.into(), + "rsa-sha512" => DeprecatedAlgorithm::RsaSha512.into(), + "ecdsa-sha1" => DeprecatedAlgorithm::EcdsaSha1.into(), + "ecdsa-sha256" => DeprecatedAlgorithm::EcdsaSha256.into(), + "ecdsa-sha384" => DeprecatedAlgorithm::EcdsaSha384.into(), + "ecdsa-sha512" => DeprecatedAlgorithm::EcdsaSha512.into(), + "hs2019" => Algorithm::Hs2019, + other => Algorithm::Unknown(other.into()), + } + } +} + +impl fmt::Display for ValidateError { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + match *self { + ValidateError::Expired => write!(f, "Http Signature is expired"), + ValidateError::Decode => write!(f, "Http Signature could not be decoded"), + } + } +} + +impl fmt::Display for ParseSignatureError { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + write!(f, "Error when parsing {} from Http Signature", self.0) + } +} + +impl Error for ValidateError { + fn description(&self) -> &'static str { + match *self { + ValidateError::Expired => "Http Signature is expired", + ValidateError::Decode => "Http Signature could not be decoded", + } + } +} + +impl Error for ParseSignatureError { + fn description(&self) -> &'static str { + "There was an error parsing the Http Signature" + } +}