ambee/giterated

1

use std::{error::Error, fmt::Debug};

2

3

use jsonwebtoken::{decode, Algorithm, DecodingKey, TokenData, Validation};

4

use rsa::{

5

pkcs1::{DecodeRsaPrivateKey, DecodeRsaPublicKey},

6

pss::{Signature, SigningKey, VerifyingKey},

7

sha2::Sha256,

8

signature::{RandomizedSigner, SignatureEncoding, Verifier},

9

RsaPrivateKey, RsaPublicKey,

10

};

11

use serde::{Deserialize, Serialize};

12

13

use crate::{

14

authentication::UserTokenMetadata,

15

handshake::HandshakeMessage,

16

model::{instance::Instance, user::User},

17

};

18

19

use self::{authentication::AuthenticationMessage, repository::RepositoryMessage};

20

21

pub mod authentication;

pub mod issues;

pub mod repository;

pub mod user;

#[derive(Clone, Serialize, Deserialize)]

27

pub enum MessageKind {

28

Handshake(HandshakeMessage),

29

Repository(RepositoryMessage),

30

Authentication(AuthenticationMessage),

31

}

32

33

/// An authenticated message, where the instance is authenticating

34

/// a request it is making for itself.

35

#[derive(Serialize, Deserialize)]

36

pub struct InstanceAuthenticated<T: Serialize> {

message: T,

instance: Instance,

signature: Vec<u8>,

}

impl<T> Clone for InstanceAuthenticated<T>

43

where

44

T: Clone + Serialize,

45

{

46

fn clone(&self) -> Self {

47

Self {

48

message: self.message.clone(),

49

instance: self.instance.clone(),

50

signature: self.signature.clone(),

}

}

}

impl<T> Debug for InstanceAuthenticated<T>

56

where

57

T: Debug + Serialize,

58

{

59

fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

60

f.debug_struct("Authenticated")

61

.field("message", &self.message)

62

.field("instance", &self.instance)

63

.field("signature", &self.signature)

.finish()

}

}

impl<T: Serialize> InstanceAuthenticated<T> {

pub fn new(

message: T,

instance: Instance,

private_key: String,

) -> Result<Self, Box<dyn Error>> {

74

let mut rng = rand::thread_rng();

75

76

let private_key = RsaPrivateKey::from_pkcs1_pem(&private_key)?;

77

let signing_key = SigningKey::<Sha256>::new(private_key);

78

79

let message_json = serde_json::to_vec(&message)?;

80

81

let signature = signing_key.sign_with_rng(&mut rng, &message_json);

Ok(Self {

message,

instance,

signature: signature.to_vec(),

})

}

pub async fn inner(&self) -> &T {

&self.message

}

pub async fn validate(&self, instance: &Instance) -> Result<(), Box<dyn Error>> {

95

let public_key = public_key(instance).await?;

96

let public_key = RsaPublicKey::from_pkcs1_pem(&public_key).unwrap();

97

98

let verifying_key: VerifyingKey<Sha256> = VerifyingKey::new(public_key);

99

100

let message_json = serde_json::to_vec(&self.message).unwrap();

verifying_key

.verify(

&message_json,

&Signature::try_from(self.signature.as_ref()).unwrap(),

)

.unwrap();

Ok(())

}

}

/// An authenticated message.

114

///

115

/// Includes the message, with a digest generated with

116

/// our private key.

117

#[derive(Serialize, Deserialize)]

118

pub struct ValidatedUserAuthenticated<T: Serialize> {

#[serde(flatten)]

message: T,

user: User,

}

impl<T> Clone for ValidatedUserAuthenticated<T>

125

where

126

T: Clone + Serialize,

127

{

128

fn clone(&self) -> Self {

129

Self {

130

message: self.message.clone(),

131

user: self.user.clone(),

}

}

}

impl<T> Debug for ValidatedUserAuthenticated<T>

137

where

138

T: Debug + Serialize,

139

{

140

fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

141

f.debug_struct("Authenticated")

142

.field("message", &self.message)

143

.field("user", &self.user)

.finish()

}

}

impl<T: Serialize> ValidatedUserAuthenticated<T> {

149

pub async fn inner(&self) -> &T {

&self.message

}

pub async fn user(&self) -> &User {

&self.user

}

}

/// An unvalidated authenticated message.

159

///

160

/// Includes the message, with a digest generated with

161

/// our private key.

162

#[derive(Serialize, Deserialize)]

163

pub struct UnvalidatedUserAuthenticated<T: Serialize> {

#[serde(flatten)]

message: T,

token: String,

digest: Vec<u8>,

}

impl<T> Clone for UnvalidatedUserAuthenticated<T>

171

where

172

T: Clone + Serialize,

173

{

174

fn clone(&self) -> Self {

175

Self {

176

message: self.message.clone(),

177

token: self.token.clone(),

178

digest: self.digest.clone(),

}

}

}

impl<T> Debug for UnvalidatedUserAuthenticated<T>

184

where

185

T: Debug + Serialize,

186

{

187

fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

188

f.debug_struct("Authenticated")

189

.field("message", &self.message)

190

.field("token", &self.token)

191

.field("digest", &self.digest)

.finish()

}

}

impl<T: Serialize> UnvalidatedUserAuthenticated<T> {

197

pub fn new(message: T, token: String, private_key: String) -> Result<Self, Box<dyn Error>> {

198

let mut rng = rand::thread_rng();

199

200

let private_key = RsaPrivateKey::from_pkcs1_pem(&private_key)?;

201

let signing_key = SigningKey::<Sha256>::new(private_key);

202

203

let message_json = serde_json::to_vec(&message)?;

204

205

let signature = signing_key.sign_with_rng(&mut rng, &message_json);

Ok(Self {

message,

token,

digest: signature.to_vec(),

})

}

pub async fn inner(&self) -> &T {

&self.message

}

pub async fn validate(self) -> Result<ValidatedUserAuthenticated<T>, Box<dyn Error>> {

219

let instance = {

220

let mut validation = Validation::new(Algorithm::RS256);

221

validation.insecure_disable_signature_validation();

222

223

let value: TokenData<UserTokenMetadata> =

224

decode(&self.token, &DecodingKey::from_secret(b"test"), &validation).unwrap();

225

226

value.claims.generated_for.clone()

227

};

228

229

let public_key_raw = public_key(&instance).await?;

230

let public_key = RsaPublicKey::from_pkcs1_pem(&public_key_raw).unwrap();

231

232

let verifying_key: VerifyingKey<Sha256> = VerifyingKey::new(public_key);

233

234

let message_json = serde_json::to_vec(&self.message).unwrap();

verifying_key

.verify(

&message_json,

&Signature::try_from(self.digest.as_ref()).unwrap(),

)

.unwrap();

let verification_key = DecodingKey::from_rsa_pem(public_key_raw.as_bytes()).unwrap();

244

245

let data: TokenData<UserTokenMetadata> = decode(

246

&self.token,

247

&verification_key,

248

&Validation::new(Algorithm::RS256),

)

.unwrap();

assert_eq!(data.claims.generated_for, instance);

253

254

Ok(ValidatedUserAuthenticated {

255

message: self.message,

256

user: data.claims.user,

})

}

}

async fn public_key(instance: &Instance) -> Result<String, Box<dyn Error>> {

262

let key = reqwest::get(format!("https://{}/.giterated/pubkey.pem", instance.url))

.await?

.text()

.await?;

Ok(key)

}