|
|
|
@ -11,10 +11,7 @@ use {
|
|
|
|
|
crate::{server_server, utils},
|
|
|
|
|
log::{debug, warn},
|
|
|
|
|
rocket::{
|
|
|
|
|
data::{
|
|
|
|
|
ByteUnit, Data, FromDataFuture, FromTransformedData, Transform, TransformFuture,
|
|
|
|
|
Transformed,
|
|
|
|
|
},
|
|
|
|
|
data::{self, ByteUnit, Data, FromData},
|
|
|
|
|
http::Status,
|
|
|
|
|
outcome::Outcome::*,
|
|
|
|
|
response::{self, Responder},
|
|
|
|
@ -42,106 +39,92 @@ pub struct Ruma<T: Outgoing> {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(feature = "conduit_bin")]
|
|
|
|
|
impl<'a, T: Outgoing> FromTransformedData<'a> for Ruma<T>
|
|
|
|
|
#[rocket::async_trait]
|
|
|
|
|
impl<'a, T: Outgoing> FromData<'a> for Ruma<T>
|
|
|
|
|
where
|
|
|
|
|
T::Incoming: IncomingRequest,
|
|
|
|
|
{
|
|
|
|
|
type Error = ();
|
|
|
|
|
type Owned = Data;
|
|
|
|
|
type Borrowed = Self::Owned;
|
|
|
|
|
|
|
|
|
|
fn transform<'r>(
|
|
|
|
|
_req: &'r Request<'_>,
|
|
|
|
|
data: Data,
|
|
|
|
|
) -> TransformFuture<'r, Self::Owned, Self::Error> {
|
|
|
|
|
Box::pin(async move { Transform::Owned(Success(data)) })
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn from_data(
|
|
|
|
|
request: &'a Request<'_>,
|
|
|
|
|
outcome: Transformed<'a, Self>,
|
|
|
|
|
) -> FromDataFuture<'a, Self, Self::Error> {
|
|
|
|
|
async fn from_data(request: &'a Request<'_>, data: Data) -> data::Outcome<Self, Self::Error> {
|
|
|
|
|
let metadata = T::Incoming::METADATA;
|
|
|
|
|
|
|
|
|
|
Box::pin(async move {
|
|
|
|
|
let data = rocket::try_outcome!(outcome.owned());
|
|
|
|
|
let db = request
|
|
|
|
|
.guard::<State<'_, crate::Database>>()
|
|
|
|
|
.await
|
|
|
|
|
.expect("database was loaded");
|
|
|
|
|
|
|
|
|
|
// Get token from header or query value
|
|
|
|
|
let token = request
|
|
|
|
|
.headers()
|
|
|
|
|
.get_one("Authorization")
|
|
|
|
|
.map(|s| s[7..].to_owned()) // Split off "Bearer "
|
|
|
|
|
.or_else(|| request.get_query_value("access_token").and_then(|r| r.ok()));
|
|
|
|
|
|
|
|
|
|
let limit = db.globals.max_request_size();
|
|
|
|
|
let mut handle = data.open(ByteUnit::Byte(limit.into()));
|
|
|
|
|
let mut body = Vec::new();
|
|
|
|
|
handle.read_to_end(&mut body).await.unwrap();
|
|
|
|
|
|
|
|
|
|
let (sender_user, sender_device, from_appservice) = if let Some((_id, registration)) =
|
|
|
|
|
db.appservice
|
|
|
|
|
.iter_all()
|
|
|
|
|
.filter_map(|r| r.ok())
|
|
|
|
|
.find(|(_id, registration)| {
|
|
|
|
|
registration
|
|
|
|
|
.get("as_token")
|
|
|
|
|
.and_then(|as_token| as_token.as_str())
|
|
|
|
|
.map_or(false, |as_token| token.as_deref() == Some(as_token))
|
|
|
|
|
}) {
|
|
|
|
|
match metadata.authentication {
|
|
|
|
|
AuthScheme::AccessToken | AuthScheme::QueryOnlyAccessToken => {
|
|
|
|
|
let user_id = request.get_query_value::<String>("user_id").map_or_else(
|
|
|
|
|
|| {
|
|
|
|
|
UserId::parse_with_server_name(
|
|
|
|
|
registration
|
|
|
|
|
.get("sender_localpart")
|
|
|
|
|
.unwrap()
|
|
|
|
|
.as_str()
|
|
|
|
|
.unwrap(),
|
|
|
|
|
db.globals.server_name(),
|
|
|
|
|
)
|
|
|
|
|
.unwrap()
|
|
|
|
|
},
|
|
|
|
|
|string| {
|
|
|
|
|
UserId::try_from(string.expect("parsing to string always works"))
|
|
|
|
|
let db = request
|
|
|
|
|
.guard::<State<'_, crate::Database>>()
|
|
|
|
|
.await
|
|
|
|
|
.expect("database was loaded");
|
|
|
|
|
|
|
|
|
|
// Get token from header or query value
|
|
|
|
|
let token = request
|
|
|
|
|
.headers()
|
|
|
|
|
.get_one("Authorization")
|
|
|
|
|
.map(|s| s[7..].to_owned()) // Split off "Bearer "
|
|
|
|
|
.or_else(|| request.query_value("access_token").and_then(|r| r.ok()));
|
|
|
|
|
|
|
|
|
|
let limit = db.globals.max_request_size();
|
|
|
|
|
let mut handle = data.open(ByteUnit::Byte(limit.into()));
|
|
|
|
|
let mut body = Vec::new();
|
|
|
|
|
handle.read_to_end(&mut body).await.unwrap();
|
|
|
|
|
|
|
|
|
|
let (sender_user, sender_device, from_appservice) = if let Some((_id, registration)) = db
|
|
|
|
|
.appservice
|
|
|
|
|
.iter_all()
|
|
|
|
|
.filter_map(|r| r.ok())
|
|
|
|
|
.find(|(_id, registration)| {
|
|
|
|
|
registration
|
|
|
|
|
.get("as_token")
|
|
|
|
|
.and_then(|as_token| as_token.as_str())
|
|
|
|
|
.map_or(false, |as_token| token.as_deref() == Some(as_token))
|
|
|
|
|
}) {
|
|
|
|
|
match metadata.authentication {
|
|
|
|
|
AuthScheme::AccessToken | AuthScheme::QueryOnlyAccessToken => {
|
|
|
|
|
let user_id = request.query_value::<String>("user_id").map_or_else(
|
|
|
|
|
|| {
|
|
|
|
|
UserId::parse_with_server_name(
|
|
|
|
|
registration
|
|
|
|
|
.get("sender_localpart")
|
|
|
|
|
.unwrap()
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if !db.users.exists(&user_id).unwrap() {
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
.as_str()
|
|
|
|
|
.unwrap(),
|
|
|
|
|
db.globals.server_name(),
|
|
|
|
|
)
|
|
|
|
|
.unwrap()
|
|
|
|
|
},
|
|
|
|
|
|string| {
|
|
|
|
|
UserId::try_from(string.expect("parsing to string always works"))
|
|
|
|
|
.unwrap()
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// TODO: Check if appservice is allowed to be that user
|
|
|
|
|
(Some(user_id), None, true)
|
|
|
|
|
if !db.users.exists(&user_id).unwrap() {
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
AuthScheme::ServerSignatures => (None, None, true),
|
|
|
|
|
AuthScheme::None => (None, None, true),
|
|
|
|
|
|
|
|
|
|
// TODO: Check if appservice is allowed to be that user
|
|
|
|
|
(Some(user_id), None, true)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
match metadata.authentication {
|
|
|
|
|
AuthScheme::AccessToken | AuthScheme::QueryOnlyAccessToken => {
|
|
|
|
|
if let Some(token) = token {
|
|
|
|
|
match db.users.find_from_token(&token).unwrap() {
|
|
|
|
|
// Unknown Token
|
|
|
|
|
None => return Failure((Status::raw(581), ())),
|
|
|
|
|
Some((user_id, device_id)) => {
|
|
|
|
|
(Some(user_id), Some(device_id.into()), false)
|
|
|
|
|
}
|
|
|
|
|
AuthScheme::ServerSignatures => (None, None, true),
|
|
|
|
|
AuthScheme::None => (None, None, true),
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
match metadata.authentication {
|
|
|
|
|
AuthScheme::AccessToken | AuthScheme::QueryOnlyAccessToken => {
|
|
|
|
|
if let Some(token) = token {
|
|
|
|
|
match db.users.find_from_token(&token).unwrap() {
|
|
|
|
|
// Unknown Token
|
|
|
|
|
None => return Failure((Status::raw(581), ())),
|
|
|
|
|
Some((user_id, device_id)) => {
|
|
|
|
|
(Some(user_id), Some(device_id.into()), false)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Missing Token
|
|
|
|
|
return Failure((Status::raw(582), ()));
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Missing Token
|
|
|
|
|
return Failure((Status::raw(582), ()));
|
|
|
|
|
}
|
|
|
|
|
AuthScheme::ServerSignatures => {
|
|
|
|
|
// Get origin from header
|
|
|
|
|
let x_matrix = match request
|
|
|
|
|
}
|
|
|
|
|
AuthScheme::ServerSignatures => {
|
|
|
|
|
// Get origin from header
|
|
|
|
|
let x_matrix = match request
|
|
|
|
|
.headers()
|
|
|
|
|
.get_one("Authorization")
|
|
|
|
|
.map(|s| {
|
|
|
|
@ -158,153 +141,150 @@ where
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let origin_str = match x_matrix.get(&Some("origin")) {
|
|
|
|
|
Some(Some(o)) => *o,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header origin field: {:?}", x_matrix);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
let origin_str = match x_matrix.get(&Some("origin")) {
|
|
|
|
|
Some(Some(o)) => *o,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header origin field: {:?}", x_matrix);
|
|
|
|
|
|
|
|
|
|
let origin = match Box::<ServerName>::try_from(origin_str) {
|
|
|
|
|
Ok(s) => s,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!(
|
|
|
|
|
"Invalid server name in X-Matrix header origin field: {:?}",
|
|
|
|
|
x_matrix
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let key = match x_matrix.get(&Some("key")) {
|
|
|
|
|
Some(Some(k)) => *k,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header key field: {:?}", x_matrix);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let sig = match x_matrix.get(&Some("sig")) {
|
|
|
|
|
Some(Some(s)) => *s,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header sig field: {:?}", x_matrix);
|
|
|
|
|
let origin = match Box::<ServerName>::try_from(origin_str) {
|
|
|
|
|
Ok(s) => s,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!(
|
|
|
|
|
"Invalid server name in X-Matrix header origin field: {:?}",
|
|
|
|
|
x_matrix
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let json_body = serde_json::from_slice::<CanonicalJsonValue>(&body);
|
|
|
|
|
let key = match x_matrix.get(&Some("key")) {
|
|
|
|
|
Some(Some(k)) => *k,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header key field: {:?}", x_matrix);
|
|
|
|
|
|
|
|
|
|
let mut request_map = BTreeMap::<String, CanonicalJsonValue>::new();
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if let Ok(json_body) = json_body {
|
|
|
|
|
request_map.insert("content".to_owned(), json_body);
|
|
|
|
|
};
|
|
|
|
|
let sig = match x_matrix.get(&Some("sig")) {
|
|
|
|
|
Some(Some(s)) => *s,
|
|
|
|
|
_ => {
|
|
|
|
|
warn!("Invalid X-Matrix header sig field: {:?}", x_matrix);
|
|
|
|
|
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"method".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(request.method().to_string()),
|
|
|
|
|
);
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"uri".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(request.uri().to_string()),
|
|
|
|
|
);
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"origin".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(origin.as_str().to_owned()),
|
|
|
|
|
);
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"destination".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(
|
|
|
|
|
db.globals.server_name().as_str().to_owned(),
|
|
|
|
|
),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let mut origin_signatures = BTreeMap::new();
|
|
|
|
|
origin_signatures
|
|
|
|
|
.insert(key.to_owned(), CanonicalJsonValue::String(sig.to_owned()));
|
|
|
|
|
|
|
|
|
|
let mut signatures = BTreeMap::new();
|
|
|
|
|
signatures.insert(
|
|
|
|
|
origin.as_str().to_owned(),
|
|
|
|
|
CanonicalJsonValue::Object(origin_signatures),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"signatures".to_owned(),
|
|
|
|
|
CanonicalJsonValue::Object(signatures),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let keys = match server_server::fetch_signing_keys(
|
|
|
|
|
&db,
|
|
|
|
|
&origin,
|
|
|
|
|
vec![&key.to_owned()],
|
|
|
|
|
)
|
|
|
|
|
.await
|
|
|
|
|
{
|
|
|
|
|
Ok(b) => b,
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!("Failed to fetch signing keys: {}", e);
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let json_body = serde_json::from_slice::<CanonicalJsonValue>(&body);
|
|
|
|
|
|
|
|
|
|
let mut request_map = BTreeMap::<String, CanonicalJsonValue>::new();
|
|
|
|
|
|
|
|
|
|
if let Ok(json_body) = json_body {
|
|
|
|
|
request_map.insert("content".to_owned(), json_body);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"method".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(request.method().to_string()),
|
|
|
|
|
);
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"uri".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(request.uri().to_string()),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
println!("{}: {:?}", origin, request.uri().to_string());
|
|
|
|
|
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"origin".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(origin.as_str().to_owned()),
|
|
|
|
|
);
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"destination".to_owned(),
|
|
|
|
|
CanonicalJsonValue::String(db.globals.server_name().as_str().to_owned()),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let mut origin_signatures = BTreeMap::new();
|
|
|
|
|
origin_signatures
|
|
|
|
|
.insert(key.to_owned(), CanonicalJsonValue::String(sig.to_owned()));
|
|
|
|
|
|
|
|
|
|
let mut signatures = BTreeMap::new();
|
|
|
|
|
signatures.insert(
|
|
|
|
|
origin.as_str().to_owned(),
|
|
|
|
|
CanonicalJsonValue::Object(origin_signatures),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
request_map.insert(
|
|
|
|
|
"signatures".to_owned(),
|
|
|
|
|
CanonicalJsonValue::Object(signatures),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let keys = match server_server::fetch_signing_keys(
|
|
|
|
|
&db,
|
|
|
|
|
&origin,
|
|
|
|
|
vec![&key.to_owned()],
|
|
|
|
|
)
|
|
|
|
|
.await
|
|
|
|
|
{
|
|
|
|
|
Ok(b) => b,
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!("Failed to fetch signing keys: {}", e);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mut pub_key_map = BTreeMap::new();
|
|
|
|
|
pub_key_map.insert(origin.as_str().to_owned(), keys);
|
|
|
|
|
let mut pub_key_map = BTreeMap::new();
|
|
|
|
|
pub_key_map.insert(origin.as_str().to_owned(), keys);
|
|
|
|
|
|
|
|
|
|
match ruma::signatures::verify_json(&pub_key_map, &request_map) {
|
|
|
|
|
Ok(()) => (None, None, false),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!(
|
|
|
|
|
"Failed to verify json request: {}: {:?} {:?}",
|
|
|
|
|
e, pub_key_map, request_map
|
|
|
|
|
);
|
|
|
|
|
match ruma::signatures::verify_json(&pub_key_map, &request_map) {
|
|
|
|
|
Ok(()) => (None, None, false),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!("Failed to verify json request from {}: {}", origin, e,);
|
|
|
|
|
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
// Forbidden
|
|
|
|
|
return Failure((Status::raw(580), ()));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
AuthScheme::None => (None, None, false),
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mut http_request = http::Request::builder()
|
|
|
|
|
.uri(request.uri().to_string())
|
|
|
|
|
.method(&*request.method().to_string());
|
|
|
|
|
for header in request.headers().iter() {
|
|
|
|
|
http_request = http_request.header(header.name.as_str(), &*header.value);
|
|
|
|
|
AuthScheme::None => (None, None, false),
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let http_request = http_request.body(&*body).unwrap();
|
|
|
|
|
debug!("{:?}", http_request);
|
|
|
|
|
match <T::Incoming as IncomingRequest>::try_from_http_request(http_request) {
|
|
|
|
|
Ok(t) => Success(Ruma {
|
|
|
|
|
body: t,
|
|
|
|
|
sender_user,
|
|
|
|
|
sender_device,
|
|
|
|
|
// TODO: Can we avoid parsing it again? (We only need this for append_pdu)
|
|
|
|
|
json_body: utils::string_from_bytes(&body)
|
|
|
|
|
.ok()
|
|
|
|
|
.and_then(|s| serde_json::value::RawValue::from_string(s).ok()),
|
|
|
|
|
from_appservice,
|
|
|
|
|
}),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!("{:?}", e);
|
|
|
|
|
Failure((Status::raw(583), ()))
|
|
|
|
|
}
|
|
|
|
|
let mut http_request = http::Request::builder()
|
|
|
|
|
.uri(request.uri().to_string())
|
|
|
|
|
.method(&*request.method().to_string());
|
|
|
|
|
for header in request.headers().iter() {
|
|
|
|
|
http_request = http_request.header(header.name.as_str(), &*header.value);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let http_request = http_request.body(&*body).unwrap();
|
|
|
|
|
debug!("{:?}", http_request);
|
|
|
|
|
match <T::Incoming as IncomingRequest>::try_from_http_request(http_request) {
|
|
|
|
|
Ok(t) => Success(Ruma {
|
|
|
|
|
body: t,
|
|
|
|
|
sender_user,
|
|
|
|
|
sender_device,
|
|
|
|
|
// TODO: Can we avoid parsing it again? (We only need this for append_pdu)
|
|
|
|
|
json_body: utils::string_from_bytes(&body)
|
|
|
|
|
.ok()
|
|
|
|
|
.and_then(|s| serde_json::value::RawValue::from_string(s).ok()),
|
|
|
|
|
from_appservice,
|
|
|
|
|
}),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
warn!("{:?}", e);
|
|
|
|
|
Failure((Status::raw(583), ()))
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|