From c63b7f929d8e3a251cf3df14fcaed9fa259a5d46 Mon Sep 17 00:00:00 2001
From: Eliot Berriot
Date: Fri, 30 Mar 2018 21:59:58 +0200
Subject: [PATCH] Use own requests-http-signing to be compatible with Signature header
---
 api/funkwhale_api/federation/factories.py | 1 +
 api/funkwhale_api/federation/signing.py | 5 +--
 api/requirements/base.txt | 4 ++-
 api/tests/federation/test_signing.py | 39 +++++++++++------------
 4 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/api/funkwhale_api/federation/factories.py b/api/funkwhale_api/federation/factories.py
index f5d612b0d..3cfecfa96 100644
--- a/api/funkwhale_api/federation/factories.py
+++ b/api/funkwhale_api/federation/factories.py
@@ -15,6 +15,7 @@ class SignatureAuthFactory(factory.Factory):
 algorithm = 'rsa-sha256'
 key = factory.LazyFunction(lambda: keys.get_key_pair()[0])
 key_id = factory.Faker('url')
+ use_auth_header = False
 class Meta:
 model = requests_http_signature.HTTPSignatureAuth
diff --git a/api/funkwhale_api/federation/signing.py b/api/funkwhale_api/federation/signing.py
index 87ac82bac..6f77cbd42 100644
--- a/api/funkwhale_api/federation/signing.py
+++ b/api/funkwhale_api/federation/signing.py
@@ -5,7 +5,8 @@ import requests_http_signature
 def verify(request, public_key):
 return requests_http_signature.HTTPSignatureAuth.verify(
 request,
- key_resolver=lambda **kwargs: public_key
+ key_resolver=lambda **kwargs: public_key,
+ use_auth_header=False,
 )
@@ -20,7 +21,7 @@ def verify_django(django_request, public_key):
 # with requests_http_signature
 headers[h.lower()] = v
 try:
- signature = headers['authorization']
+ signature = headers['signature']
 except KeyError:
 raise exceptions.MissingSignature
diff --git a/api/requirements/base.txt b/api/requirements/base.txt
index 02cf1c702..b66e297a9 100644
--- a/api/requirements/base.txt
+++ b/api/requirements/base.txt
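Review bot: In `verify` (the `-5,7 +5,8` hunk of signing.py) the resolver `lambda **kwargs: public_key` discards whatever the library passes it, presumably the key id and algorithm taken from the `Signature` header, so the key id claimed by the sender is never compared with the key that is actually used. The function should document that contract, because the caller alone is responsible for having fetched `public_key` for the actor that key id names. I would add a docstring such as `"""Verify the HTTP signature on request against public_key; the caller must have resolved public_key from the signature's keyId. Returns None, raises on an invalid signature."""`, where the return and raise behaviour is taken from the tests in this patch (`is None`, `cryptography.exceptions.InvalidSignature`). Nothing visible in this hunk checks that the signed `Date` is recent, so if replay protection is wanted it presumably has to be enforced by the caller.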
@@ -61,4 +61,6 @@ django-cacheops>=4,<4.1
 daphne==2.0.4
 cryptography>=2,<3
-requests-http-signature==0.0.3
+# requests-http-signature==0.0.3
+# clone until the branch is merged and released upstream
+git+https://github.com/EliotBerriot/requests-http-signature.git@signature-header-support
diff --git a/api/tests/federation/test_signing.py b/api/tests/federation/test_signing.py
index dc678f749..9da7a0f87 100644
--- a/api/tests/federation/test_signing.py
+++ b/api/tests/federation/test_signing.py
@@ -7,23 +7,23 @@ from funkwhale_api.federation import signing
 from funkwhale_api.federation import keys
-def test_can_sign_and_verify_request(factories):
- private, public = factories['federation.KeyPair']()
- auth = factories['federation.SignatureAuth'](key=private)
- request = factories['federation.SignedRequest'](
+def test_can_sign_and_verify_request(nodb_factories):
+ private, public = nodb_factories['federation.KeyPair']()
+ auth = nodb_factories['federation.SignatureAuth'](key=private)
+ request = nodb_factories['federation.SignedRequest'](
 auth=auth
 )
 prepared_request = request.prepare()
 assert 'date' in prepared_request.headers
- assert 'authorization' in prepared_request.headers
- assert prepared_request.headers['authorization'].startswith('Signature')
- assert signing.verify(prepared_request, public) is None
+ assert 'signature' in prepared_request.headers
+ assert signing.verify(
+ prepared_request, public) is None
-def test_can_sign_and_verify_request_digest(factories):
- private, public = factories['federation.KeyPair']()
- auth = factories['federation.SignatureAuth'](key=private)
- request = factories['federation.SignedRequest'](
+def test_can_sign_and_verify_request_digest(nodb_factories):
+ private, public = nodb_factories['federation.KeyPair']()
+ auth = nodb_factories['federation.SignatureAuth'](key=private)
+ request = nodb_factories['federation.SignedRequest'](
 auth=auth,
 method='post',
 data=b'hello=world'
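Review bot: The new requirement `git+https://github.com/EliotBerriot/requests-http-signature.git@signature-header-support` follows a branch, which is a mutable ref, so the code that verifies federation signatures can change whenever that branch moves and two installs of the same application commit can differ. Until the upstream release lands, pin the fork to an immutable commit and name the package, e.g. `git+https://github.com/EliotBerriot/requests-http-signature.git@<COMMIT_SHA>#egg=requests-http-signature`, where `<COMMIT_SHA>` is a placeholder for the commit that was actually reviewed. The `# clone until the branch is merged` comment could also link the upstream pull request so the pin is easy to retire later.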
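Review bot: `test_can_sign_and_verify_request` now only asserts that a `signature` header is present, so it would still pass if the prepared request also carried the signature in `Authorization`, which is the behaviour this change moves away from. Adding `assert 'authorization' not in prepared_request.headers` beside the new assert would pin the cutover; the same applies to `test_can_sign_and_verify_request_digest`, whose body continues outside this hunk into the `-31,14 +31,13` hunk. As a style point, the wrapped `assert signing.verify(` / `prepared_request, public) is None` fits on one line, as it is written in the digest test.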
@@ -31,14 +31,13 @@ def test_can_sign_and_verify_request_digest(factories):
 prepared_request = request.prepare()
 assert 'date' in prepared_request.headers
 assert 'digest' in prepared_request.headers
- assert 'authorization' in prepared_request.headers
- assert prepared_request.headers['authorization'].startswith('Signature')
+ assert 'signature' in prepared_request.headers
 assert signing.verify(prepared_request, public) is None
-def test_verify_fails_with_wrong_key(factories):
- wrong_private, wrong_public = factories['federation.KeyPair']()
- request = factories['federation.SignedRequest']()
+def test_verify_fails_with_wrong_key(nodb_factories):
+ wrong_private, wrong_public = nodb_factories['federation.KeyPair']()
+ request = nodb_factories['federation.SignedRequest']()
 prepared_request = request.prepare()
 with pytest.raises(cryptography.exceptions.InvalidSignature):
@@ -55,7 +54,7 @@ def test_can_verify_django_request(factories, api_request):
 '/',
 headers={
 'Date': prepared.headers['date'],
- 'Authorization': prepared.headers['authorization'],
+ 'Signature': prepared.headers['signature'],
 }
 )
 assert signing.verify_django(django_request, public_key) is None
@@ -74,7 +73,7 @@ def test_can_verify_django_request_digest(factories, api_request):
 headers={
 'Date': prepared.headers['date'],
 'Digest': prepared.headers['digest'],
- 'Authorization': prepared.headers['authorization'],
+ 'Signature': prepared.headers['signature'],
 }
 )
@@ -94,7 +93,7 @@ def test_can_verify_django_request_digest_failure(factories, api_request):
 headers={
 'Date': prepared.headers['date'],
 'Digest': prepared.headers['digest'] + 'noop',
- 'Authorization': prepared.headers['authorization'],
+ 'Signature': prepared.headers['signature'],
 }
 )
@@ -112,7 +111,7 @@ def test_can_verify_django_request_failure(factories, api_request):
 '/',
 headers={
 'Date': 'Wrong',
- 'Authorization': prepared.headers['authorization'],
+ 'Signature': prepared.headers['signature'],
 }
 )
 with pytest.raises(cryptography.exceptions.InvalidSignature):