ambee/giterated

1

use std::{

2

net::SocketAddr,

3

ops::Deref,

4

sync::{atomic::AtomicBool, Arc},

};

use anyhow::Error;

use futures_util::{SinkExt, StreamExt};

9

10

use giterated_models::{

11

authenticated::{AuthenticationSource, UserTokenMetadata},

12

error::OperationError,

instance::Instance,

};

use giterated_models::authenticated::AuthenticatedPayload;

17

use giterated_stack::{

18

AuthenticatedInstance, AuthenticatedUser, GiteratedStack, StackOperationState,

19

};

20

use jsonwebtoken::{DecodingKey, TokenData, Validation};

21

use rsa::{

22

pkcs1::DecodeRsaPublicKey,

23

pss::{Signature, VerifyingKey},

sha2::Sha256,

signature::Verifier,

RsaPublicKey,

};

use serde::Serialize;

29

30

use tokio::{net::TcpStream, sync::Mutex};

31

use tokio_tungstenite::{tungstenite::Message, WebSocketStream};

use toml::Table;

use crate::{

authentication::AuthenticationTokenGranter,

36

backend::{MetadataBackend, RepositoryBackend, UserBackend},

37

federation::connections::InstanceConnections,

38

keys::PublicKeyCache,

39

};

40

41

use super::Connections;

42

43

pub async fn connection_wrapper(

44

socket: WebSocketStream<TcpStream>,

45

connections: Arc<Mutex<Connections>>,

46

repository_backend: Arc<Mutex<dyn RepositoryBackend + Send>>,

47

user_backend: Arc<Mutex<dyn UserBackend + Send>>,

48

auth_granter: Arc<Mutex<AuthenticationTokenGranter>>,

49

settings_backend: Arc<Mutex<dyn MetadataBackend + Send>>,

50

addr: SocketAddr,

51

instance: impl ToOwned<Owned = Instance>,

52

instance_connections: Arc<Mutex<InstanceConnections>>,

53

config: Table,

54

runtime: Arc<GiteratedStack>,

55

mut operation_state: StackOperationState,

56

) {

57

let connection_state = ConnectionState {

58

socket: Arc::new(Mutex::new(socket)),

connections,

repository_backend,

user_backend,

auth_granter,

settings_backend,

addr,

instance: instance.to_owned(),

66

handshaked: Arc::new(AtomicBool::new(false)),

67

key_cache: Arc::default(),

68

instance_connections: instance_connections.clone(),

config,

};

let _handshaked = false;

73

let mut key_cache = PublicKeyCache::default();

74

75

loop {

76

let mut socket = connection_state.socket.lock().await;

77

let message = socket.next().await;

drop(socket);

match message {

Some(Ok(message)) => {

82

let payload = match message {

83

Message::Binary(payload) => payload,

84

Message::Ping(_) => {

85

let mut socket = connection_state.socket.lock().await;

86

let _ = socket.send(Message::Pong(vec![])).await;

drop(socket);

continue;

}

Message::Close(_) => return,

_ => continue,

};

let message: AuthenticatedPayload = bincode::deserialize(&payload).unwrap();

95

96

// Get authentication

97

let instance = {

98

let mut verified_instance: Option<AuthenticatedInstance> = None;

99

for source in &message.source {

100

if let AuthenticationSource::Instance {

instance,

signature,

} = source

{

let public_key = key_cache.get(&instance).await.unwrap();

106

let public_key = RsaPublicKey::from_pkcs1_pem(&public_key).unwrap();

107

let verifying_key = VerifyingKey::<Sha256>::new(public_key);

if verifying_key

.verify(

&message.payload,

&Signature::try_from(signature.as_ref()).unwrap(),

)

.is_ok()

{

verified_instance =

Some(AuthenticatedInstance::new(instance.clone()));

break;

}

}

}

verified_instance

};

let user = {

let mut verified_user = None;

129

if let Some(verified_instance) = &instance {

130

for source in &message.source {

131

if let AuthenticationSource::User { user, token } = source {

132

// Get token

133

let public_key = key_cache.get(&verified_instance).await.unwrap();

134

135

let token: TokenData<UserTokenMetadata> = jsonwebtoken::decode(

136

token.as_ref(),

137

&DecodingKey::from_rsa_pem(public_key.as_bytes()).unwrap(),

138

&Validation::new(jsonwebtoken::Algorithm::RS256),

)

.unwrap();

if token.claims.generated_for != *verified_instance.deref() {

// Nope!

break;

}

if token.claims.user != *user {

// Nope!

break;

}

verified_user = Some(AuthenticatedUser::new(user.clone()));

break;

}

}

}

verified_user

};

operation_state.user = user;

162

operation_state.instance = instance;

163

164

let result = runtime

165

.handle_network_message(message, &operation_state)

166

.await;

167

168

// Asking for exploits here

169

operation_state.user = None;

170

operation_state.instance = None;

171

172

if let Err(OperationError::Internal(internal_error)) = &result {

173

error!("An internal error has occured: {}", internal_error);

174

}

175

176

let mut socket = connection_state.socket.lock().await;

177

let _ = socket

178

.send(Message::Binary(bincode::serialize(&result).unwrap()))

.await;

drop(socket);

}

_ => {

return;

}

}

}

}

#[derive(Clone)]

pub struct ConnectionState {

192

socket: Arc<Mutex<WebSocketStream<TcpStream>>>,

193

pub connections: Arc<Mutex<Connections>>,

194

pub repository_backend: Arc<Mutex<dyn RepositoryBackend + Send>>,

195

pub user_backend: Arc<Mutex<dyn UserBackend + Send>>,

196

pub auth_granter: Arc<Mutex<AuthenticationTokenGranter>>,

197

pub settings_backend: Arc<Mutex<dyn MetadataBackend + Send>>,

198

pub addr: SocketAddr,

199

pub instance: Instance,

200

pub handshaked: Arc<AtomicBool>,

201

pub key_cache: Arc<Mutex<PublicKeyCache>>,

202

pub instance_connections: Arc<Mutex<InstanceConnections>>,

pub config: Table,

}

impl ConnectionState {

207

pub async fn send<T: Serialize>(&self, message: T) -> Result<(), Error> {

208

let payload = serde_json::to_string(&message)?;

self.socket

.lock()

.await

.send(Message::Binary(payload.into_bytes()))

.await?;

Ok(())

}

pub async fn send_raw<T: Serialize>(&self, message: T) -> Result<(), Error> {

219

let payload = serde_json::to_string(&message)?;

self.socket

.lock()

.await

.send(Message::Binary(payload.into_bytes()))

.await?;

Ok(())

}

pub async fn public_key(&self, instance: &Instance) -> Result<String, Error> {

230

let mut keys = self.key_cache.lock().await;

231

keys.get(instance).await

232

}

233

}

234