ambee/giterated

1

use std::{

2

net::SocketAddr,

3

ops::Deref,

4

sync::{atomic::AtomicBool, Arc},

};

use anyhow::Error;

use futures_util::{SinkExt, StreamExt};

9

10

use giterated_models::{

11

authenticated::{AuthenticationSource, UserTokenMetadata},

instance::Instance,

};

use giterated_models::authenticated::AuthenticatedPayload;

16

use giterated_stack::{

17

AuthenticatedInstance, AuthenticatedUser, GiteratedStack, StackOperationState,

18

};

19

use jsonwebtoken::{DecodingKey, TokenData, Validation};

20

use rsa::{

21

pkcs1::DecodeRsaPublicKey,

22

pss::{Signature, VerifyingKey},

sha2::Sha256,

signature::Verifier,

RsaPublicKey,

};

use serde::Serialize;

28

29

use tokio::{net::TcpStream, sync::Mutex};

30

use tokio_tungstenite::{tungstenite::Message, WebSocketStream};

use toml::Table;

use crate::{

authentication::AuthenticationTokenGranter,

35

backend::{MetadataBackend, RepositoryBackend, UserBackend},

36

federation::connections::InstanceConnections,

37

keys::PublicKeyCache,

38

};

39

40

use super::Connections;

41

42

pub async fn connection_wrapper(

43

socket: WebSocketStream<TcpStream>,

44

connections: Arc<Mutex<Connections>>,

45

repository_backend: Arc<Mutex<dyn RepositoryBackend + Send>>,

46

user_backend: Arc<Mutex<dyn UserBackend + Send>>,

47

auth_granter: Arc<Mutex<AuthenticationTokenGranter>>,

48

settings_backend: Arc<Mutex<dyn MetadataBackend + Send>>,

49

addr: SocketAddr,

50

instance: impl ToOwned<Owned = Instance>,

51

instance_connections: Arc<Mutex<InstanceConnections>>,

52

config: Table,

53

runtime: Arc<GiteratedStack>,

54

mut operation_state: StackOperationState,

55

) {

56

let connection_state = ConnectionState {

57

socket: Arc::new(Mutex::new(socket)),

connections,

repository_backend,

user_backend,

auth_granter,

settings_backend,

addr,

instance: instance.to_owned(),

65

handshaked: Arc::new(AtomicBool::new(false)),

66

key_cache: Arc::default(),

67

instance_connections: instance_connections.clone(),

config,

};

let _handshaked = false;

72

let mut key_cache = PublicKeyCache::default();

73

74

loop {

75

let mut socket = connection_state.socket.lock().await;

76

let message = socket.next().await;

drop(socket);

match message {

Some(Ok(message)) => {

81

let payload = match message {

82

Message::Binary(payload) => payload,

83

Message::Ping(_) => {

84

let mut socket = connection_state.socket.lock().await;

85

let _ = socket.send(Message::Pong(vec![])).await;

drop(socket);

continue;

}

Message::Close(_) => return,

_ => continue,

};

let message: AuthenticatedPayload = bincode::deserialize(&payload).unwrap();

94

95

// Get authentication

96

let instance = {

97

let mut verified_instance: Option<AuthenticatedInstance> = None;

98

for source in &message.source {

99

if let AuthenticationSource::Instance {

instance,

signature,

} = source

{

let public_key = key_cache.get(&instance).await.unwrap();

105

let public_key = RsaPublicKey::from_pkcs1_pem(&public_key).unwrap();

106

let verifying_key = VerifyingKey::<Sha256>::new(public_key);

if verifying_key

.verify(

&message.payload,

&Signature::try_from(signature.as_ref()).unwrap(),

)

.is_ok()

{

verified_instance =

Some(AuthenticatedInstance::new(instance.clone()));

break;

}

}

}

verified_instance

};

let _user = {

let mut verified_user = None;

128

if let Some(verified_instance) = &instance {

129

for source in &message.source {

130

if let AuthenticationSource::User { user, token } = source {

131

// Get token

132

let public_key = key_cache.get(&verified_instance).await.unwrap();

133

134

let token: TokenData<UserTokenMetadata> = jsonwebtoken::decode(

135

token.as_ref(),

136

&DecodingKey::from_rsa_pem(public_key.as_bytes()).unwrap(),

137

&Validation::new(jsonwebtoken::Algorithm::RS256),

)

.unwrap();

if token.claims.generated_for != *verified_instance.deref() {

// Nope!

break;

}

if token.claims.user != *user {

// Nope!

break;

}

verified_user = Some(AuthenticatedUser::new(user.clone()));

break;

}

}

}

verified_user

};

let result = runtime

.handle_network_message(message, &operation_state)

162

.await;

163

164

// Asking for exploits here

165

operation_state.user = None;

166

operation_state.instance = None;

167

168

let mut socket = connection_state.socket.lock().await;

169

let _ = socket

170

.send(Message::Binary(bincode::serialize(&result).unwrap()))

.await;

drop(socket);

}

_ => {

return;

}

}

}

}

#[derive(Clone)]

pub struct ConnectionState {

184

socket: Arc<Mutex<WebSocketStream<TcpStream>>>,

185

pub connections: Arc<Mutex<Connections>>,

186

pub repository_backend: Arc<Mutex<dyn RepositoryBackend + Send>>,

187

pub user_backend: Arc<Mutex<dyn UserBackend + Send>>,

188

pub auth_granter: Arc<Mutex<AuthenticationTokenGranter>>,

189

pub settings_backend: Arc<Mutex<dyn MetadataBackend + Send>>,

190

pub addr: SocketAddr,

191

pub instance: Instance,

192

pub handshaked: Arc<AtomicBool>,

193

pub key_cache: Arc<Mutex<PublicKeyCache>>,

194

pub instance_connections: Arc<Mutex<InstanceConnections>>,

pub config: Table,

}

impl ConnectionState {

199

pub async fn send<T: Serialize>(&self, message: T) -> Result<(), Error> {

200

let payload = serde_json::to_string(&message)?;

self.socket

.lock()

.await

.send(Message::Binary(payload.into_bytes()))

.await?;

Ok(())

}

pub async fn send_raw<T: Serialize>(&self, message: T) -> Result<(), Error> {

211

let payload = serde_json::to_string(&message)?;

self.socket

.lock()

.await

.send(Message::Binary(payload.into_bytes()))

.await?;

Ok(())

}

pub async fn public_key(&self, instance: &Instance) -> Result<String, Error> {

222

let mut keys = self.key_cache.lock().await;

223

keys.get(instance).await

224

}

225

}

226