federation: let http_signatures library handle request aliases

This avoids spurious key refetches on each failing alias

lib/pleroma/web/plugs/http_signature_plug.ex

@@ -42,35 +42,30 @@ def route_aliases(%{path_info: ["objects", id], query_string: query_string}) do
 
   def route_aliases(_), do: []
 
-  defp maybe_log_error_and_try_aliases(conn, verification_error, remaining_aliases) do
+  defp maybe_log_error(conn, verification_error) do
     case verification_error do
-      {:gone, key_id} ->
+      :gone ->
         # We can't verify the data since the actor was deleted and not previously known.
         # Likely we just received the actor’s Delete activity, so just silently drop.
-        Logger.debug("Unable to verify request signature of deleted actor; dropping (#{key_id})")
-        conn
+        Logger.debug("Unable to verify request signature of deleted actor; dropping (#{inspect(conn)})")
 
       :wrong_signature ->
-        assign_valid_signature_on_route_aliases(conn, remaining_aliases)
+        Logger.warning("Received request with invalid signature!\n#{inspect(conn)}")
+
+      {:fetch_key, e} ->
+        Logger.info("Unable to verify request since key cannot be retrieved: #{inspect(e)}")
 
       error ->
         Logger.error("Failed to verify request signature due to fatal error: #{inspect(error)}")
-        conn
     end
-  end
-
-  defp assign_valid_signature_on_route_aliases(%{assigns: %{valid_signature: true}} = conn, _),
-    do: conn
-
-  defp assign_valid_signature_on_route_aliases(conn, []) do
-    Logger.warning("Received request with invalid signature!\n#{inspect(conn)}")
     conn
   end
 
-  defp assign_valid_signature_on_route_aliases(conn, [path | rest]) do
-    request_target = String.downcase("#{conn.method}") <> " #{path}"
+  defp assign_valid_signature(%{assigns: %{valid_signature: true}} = conn, _),
+    do: conn
 
-    case HTTPSignatures.validate_conn(conn, request_target) do
+  defp assign_valid_signature(conn, request_targets) do
+    case HTTPSignatures.validate_conn(conn, request_targets) do
       {:ok, %HTTPKey{user_data: ud}} ->
         conn
         |> assign(:valid_signature, true)
@@ -80,7 +75,7 @@ defp assign_valid_signature_on_route_aliases(conn, [path | rest]) do
         conn
         |> assign(:valid_signature, false)
         |> assign(:signature_user, nil)
-        |> maybe_log_error_and_try_aliases(e, rest)
+        |> maybe_log_error(e)
     end
   end
 
@@ -88,8 +83,9 @@ defp maybe_assign_valid_signature(conn) do
     if has_signature_header?(conn) do
       # set (request-target) header to the appropriate value
       # we also replace the digest header with the one we computed
-      possible_paths =
+      request_targets =
         [conn.request_path, conn.request_path <> "?#{conn.query_string}" | route_aliases(conn)]
+        |> Enum.map(fn path -> String.downcase("#{conn.method}") <> " #{path}" end)
 
       conn =
         case conn do
@@ -97,7 +93,7 @@ defp maybe_assign_valid_signature(conn) do
           conn -> conn
         end
 
-      assign_valid_signature_on_route_aliases(conn, possible_paths)
+      assign_valid_signature(conn, request_targets)
     else
       Logger.debug("No signature header!")
       conn

mix.exs

@@ -162,7 +162,7 @@ defp deps do
       {:linkify, "~> 0.5.3"},
       {:http_signatures,
        git: "https://akkoma.dev/Oneric/http_signatures.git",
-       ref: "6a9d2f368bda48413009d7cdcf7d163e5658366e"},
+       ref: "cbdd21b2f0eb04f3641bc6d6eb2b5e1a2a17dd84"},
       {:telemetry, "~> 1.2"},
       {:telemetry_poller, "~> 1.0"},
       {:telemetry_metrics, "~> 0.6"},

mix.lock

@@ -58,7 +58,7 @@
   "hackney": {:hex, :hackney, "1.23.0", "55cc09077112bcb4a69e54be46ed9bc55537763a96cd4a80a221663a7eafd767", [:rebar3], [{:certifi, "~> 2.14.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "~> 6.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "~> 1.0.0", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.4.1", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "6cd1c04cd15c81e5a493f167b226a15f0938a84fc8f0736ebe4ddcab65c0b44e"},
   "hpax": {:hex, :hpax, "0.1.2", "09a75600d9d8bbd064cdd741f21fc06fc1f4cf3d0fcc335e5aa19be1a7235c84", [:mix], [], "hexpm", "2c87843d5a23f5f16748ebe77969880e29809580efdaccd615cd3bed628a8c13"},
   "html_entities": {:hex, :html_entities, "0.5.2", "9e47e70598da7de2a9ff6af8758399251db6dbb7eebe2b013f2bbd2515895c3c", [:mix], [], "hexpm", "c53ba390403485615623b9531e97696f076ed415e8d8058b1dbaa28181f4fdcc"},
-  "http_signatures": {:git, "https://akkoma.dev/Oneric/http_signatures.git", "6a9d2f368bda48413009d7cdcf7d163e5658366e", [ref: "6a9d2f368bda48413009d7cdcf7d163e5658366e"]},
+  "http_signatures": {:git, "https://akkoma.dev/Oneric/http_signatures.git", "cbdd21b2f0eb04f3641bc6d6eb2b5e1a2a17dd84", [ref: "cbdd21b2f0eb04f3641bc6d6eb2b5e1a2a17dd84"]},
   "httpoison": {:hex, :httpoison, "1.8.2", "9eb9c63ae289296a544842ef816a85d881d4a31f518a0fec089aaa744beae290", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "2bb350d26972e30c96e2ca74a1aaf8293d61d0742ff17f01e0279fef11599921"},
   "idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
   "igniter": {:hex, :igniter, "0.5.29", "6bf7ddaf15e88ae75f6dad514329530ec8f4721ba14782f6386a7345c1be99fd", [:mix], [{:glob_ex, "~> 0.1.7", [hex: :glob_ex, repo: "hexpm", optional: false]}, {:inflex, "~> 2.0", [hex: :inflex, repo: "hexpm", optional: false]}, {:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:owl, "~> 0.11", [hex: :owl, repo: "hexpm", optional: false]}, {:phx_new, "~> 1.7", [hex: :phx_new, repo: "hexpm", optional: true]}, {:req, "~> 0.5", [hex: :req, repo: "hexpm", optional: false]}, {:rewrite, ">= 1.1.1 and < 2.0.0-0", [hex: :rewrite, repo: "hexpm", optional: false]}, {:sourceror, "~> 1.4", [hex: :sourceror, repo: "hexpm", optional: false]}, {:spitfire, ">= 0.1.3 and < 1.0.0-0", [hex: :spitfire, repo: "hexpm", optional: false]}], "hexpm", "beb6e0f69fc6d4e3975ffa26c5459fc63fd96f85cfaeba984c2dfd3d7333b6ad"},