Use own requests-http-signing to be compatible with Signature header

2018-03-30 21:59:58 +02:00 · 2018-03-30 21:59:58 +02:00 · c63b7f929d
parent 7191a2a2c0
commit c63b7f929d
4 changed files with 26 additions and 23 deletions
--- a/api/funkwhale_api/federation/factories.py
+++ b/api/funkwhale_api/federation/factories.py
@ -15,6 +15,7 @@ class SignatureAuthFactory(factory.Factory):
    algorithm = 'rsa-sha256'
    key = factory.LazyFunction(lambda: keys.get_key_pair()[0])
    key_id = factory.Faker('url')
+    use_auth_header = False

    class Meta:
        model = requests_http_signature.HTTPSignatureAuth
--- a/api/funkwhale_api/federation/signing.py
+++ b/api/funkwhale_api/federation/signing.py
@ -5,7 +5,8 @@ import requests_http_signature
 def verify(request, public_key):
    return requests_http_signature.HTTPSignatureAuth.verify(
        request,
-        key_resolver=lambda **kwargs: public_key
+        key_resolver=lambda **kwargs: public_key,
+        use_auth_header=False,
    )


@ -20,7 +21,7 @@ def verify_django(django_request, public_key):
        # with requests_http_signature
        headers[h.lower()] = v
    try:
-        signature = headers['authorization']
+        signature = headers['signature']
    except KeyError:
        raise exceptions.MissingSignature

--- a/api/requirements/base.txt
+++ b/api/requirements/base.txt
@ -61,4 +61,6 @@ django-cacheops>=4,<4.1

 daphne==2.0.4
 cryptography>=2,<3
-requests-http-signature==0.0.3
+# requests-http-signature==0.0.3
+# clone until the branch is merged and released upstream
+git+https://github.com/EliotBerriot/requests-http-signature.git@signature-header-support
--- a/api/tests/federation/test_signing.py
+++ b/api/tests/federation/test_signing.py
@ -7,23 +7,23 @@ from funkwhale_api.federation import signing
 from funkwhale_api.federation import keys


-def test_can_sign_and_verify_request(factories):
-    private, public = factories['federation.KeyPair']()
-    auth = factories['federation.SignatureAuth'](key=private)
-    request = factories['federation.SignedRequest'](
+def test_can_sign_and_verify_request(nodb_factories):
+    private, public = nodb_factories['federation.KeyPair']()
+    auth = nodb_factories['federation.SignatureAuth'](key=private)
+    request = nodb_factories['federation.SignedRequest'](
        auth=auth
    )
    prepared_request = request.prepare()
    assert 'date' in prepared_request.headers
-    assert 'authorization' in prepared_request.headers
-    assert prepared_request.headers['authorization'].startswith('Signature')
-    assert signing.verify(prepared_request, public) is None
+    assert 'signature' in prepared_request.headers
+    assert signing.verify(
+        prepared_request, public) is None


-def test_can_sign_and_verify_request_digest(factories):
-    private, public = factories['federation.KeyPair']()
-    auth = factories['federation.SignatureAuth'](key=private)
-    request = factories['federation.SignedRequest'](
+def test_can_sign_and_verify_request_digest(nodb_factories):
+    private, public = nodb_factories['federation.KeyPair']()
+    auth = nodb_factories['federation.SignatureAuth'](key=private)
+    request = nodb_factories['federation.SignedRequest'](
        auth=auth,
        method='post',
        data=b'hello=world'
@ -31,14 +31,13 @@ def test_can_sign_and_verify_request_digest(factories):
    prepared_request = request.prepare()
    assert 'date' in prepared_request.headers
    assert 'digest' in prepared_request.headers
-    assert 'authorization' in prepared_request.headers
-    assert prepared_request.headers['authorization'].startswith('Signature')
+    assert 'signature' in prepared_request.headers
    assert signing.verify(prepared_request, public) is None


-def test_verify_fails_with_wrong_key(factories):
-    wrong_private, wrong_public = factories['federation.KeyPair']()
-    request = factories['federation.SignedRequest']()
+def test_verify_fails_with_wrong_key(nodb_factories):
+    wrong_private, wrong_public = nodb_factories['federation.KeyPair']()
+    request = nodb_factories['federation.SignedRequest']()
    prepared_request = request.prepare()

    with pytest.raises(cryptography.exceptions.InvalidSignature):
@ -55,7 +54,7 @@ def test_can_verify_django_request(factories, api_request):
        '/',
        headers={
            'Date': prepared.headers['date'],
-            'Authorization': prepared.headers['authorization'],
+            'Signature': prepared.headers['signature'],
        }
    )
    assert signing.verify_django(django_request, public_key) is None
@ -74,7 +73,7 @@ def test_can_verify_django_request_digest(factories, api_request):
        headers={
            'Date': prepared.headers['date'],
            'Digest': prepared.headers['digest'],
-            'Authorization': prepared.headers['authorization'],
+            'Signature': prepared.headers['signature'],
        }
    )

@ -94,7 +93,7 @@ def test_can_verify_django_request_digest_failure(factories, api_request):
        headers={
            'Date': prepared.headers['date'],
            'Digest': prepared.headers['digest'] + 'noop',
-            'Authorization': prepared.headers['authorization'],
+            'Signature': prepared.headers['signature'],
        }
    )

@ -112,7 +111,7 @@ def test_can_verify_django_request_failure(factories, api_request):
        '/',
        headers={
            'Date': 'Wrong',
-            'Authorization': prepared.headers['authorization'],
+            'Signature': prepared.headers['signature'],
        }
    )
    with pytest.raises(cryptography.exceptions.InvalidSignature):