fix: various issues around key fetching (especially on send_join)
- Fetch keys if cached ones aren't valid to verify current PDU
- Fetch keys from server when we don't have any keys cached
- Don't reduce validity of current keys if we receive stale ones
(cherry picked from commit 4bd17b2d34
)
parent
db35c8b059
commit
f74df6f15b
2 changed files with 36 additions and 8 deletions
|
@ -255,12 +255,16 @@ lasttimelinecount_cache: {lasttimelinecount_cache}\n"
|
||||||
let ServerSigningKeys {
|
let ServerSigningKeys {
|
||||||
verify_keys,
|
verify_keys,
|
||||||
old_verify_keys,
|
old_verify_keys,
|
||||||
|
valid_until_ts,
|
||||||
..
|
..
|
||||||
} = new_keys;
|
} = new_keys;
|
||||||
|
|
||||||
prev_keys.verify_keys.extend(verify_keys);
|
prev_keys.verify_keys.extend(verify_keys);
|
||||||
prev_keys.old_verify_keys.extend(old_verify_keys);
|
prev_keys.old_verify_keys.extend(old_verify_keys);
|
||||||
prev_keys.valid_until_ts = new_keys.valid_until_ts;
|
|
||||||
|
if valid_until_ts > prev_keys.valid_until_ts {
|
||||||
|
prev_keys.valid_until_ts = valid_until_ts;
|
||||||
|
}
|
||||||
|
|
||||||
self.server_signingkeys.insert(
|
self.server_signingkeys.insert(
|
||||||
origin.as_bytes(),
|
origin.as_bytes(),
|
||||||
|
|
|
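Review bot: `valid_until_ts` is tracked per server record rather than per key, so after `prev_keys.verify_keys.extend(verify_keys)` every merged key is treated as valid until the larger of the two timestamps. That cuts both ways: keys carried by a stale response inherit the later cached expiry, and cached keys that a fresher response no longer lists stay in `verify_keys` with the new expiry instead of being retired. If that is not intended, skip the merge for a stale response, e.g. `if valid_until_ts >= prev_keys.valid_until_ts { prev_keys.verify_keys.extend(verify_keys); }`, and when the response is newer move cached entries it no longer lists into `old_verify_keys` with the previous `valid_until_ts` as their expiry. The enclosing function starts and ends outside this hunk, so any handling elsewhere is not visible here.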
@ -1511,6 +1511,27 @@ impl Service {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let origin_server_ts = value.get("origin_server_ts").ok_or_else(|| {
|
||||||
|
error!("Invalid PDU, no origin_server_ts field");
|
||||||
|
Error::BadRequest(
|
||||||
|
ErrorKind::MissingParam,
|
||||||
|
"Invalid PDU, no origin_server_ts field",
|
||||||
|
)
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let origin_server_ts: MilliSecondsSinceUnixEpoch = {
|
||||||
|
let ts = origin_server_ts.as_integer().ok_or_else(|| {
|
||||||
|
Error::BadRequest(
|
||||||
|
ErrorKind::InvalidParam,
|
||||||
|
"origin_server_ts must be an integer",
|
||||||
|
)
|
||||||
|
})?;
|
||||||
|
|
||||||
|
MilliSecondsSinceUnixEpoch(i64::from(ts).try_into().map_err(|_| {
|
||||||
|
Error::BadRequest(ErrorKind::InvalidParam, "Time must be after the unix epoch")
|
||||||
|
})?)
|
||||||
|
};
|
||||||
|
|
||||||
let signatures = value
|
let signatures = value
|
||||||
.get("signatures")
|
.get("signatures")
|
||||||
.ok_or(Error::BadServerResponse(
|
.ok_or(Error::BadServerResponse(
|
||||||
|
@ -1530,15 +1551,16 @@ impl Service {
|
||||||
|
|
||||||
let contains_all_ids = |keys: &SigningKeys| {
|
let contains_all_ids = |keys: &SigningKeys| {
|
||||||
signature_ids.iter().all(|id| {
|
signature_ids.iter().all(|id| {
|
||||||
keys.verify_keys
|
(keys.valid_until_ts > origin_server_ts
|
||||||
|
&& keys
|
||||||
|
.verify_keys
|
||||||
.keys()
|
.keys()
|
||||||
.map(ToString::to_string)
|
.map(ToString::to_string)
|
||||||
.any(|key_id| id == &key_id)
|
.any(|key_id| id == &key_id))
|
||||||
|| keys
|
|| keys
|
||||||
.old_verify_keys
|
.old_verify_keys
|
||||||
.keys()
|
.iter()
|
||||||
.map(ToString::to_string)
|
.any(|(key_id, key)| key_id == id && key.expired_ts > origin_server_ts)
|
||||||
.any(|key_id| id == &key_id)
|
|
||||||
})
|
})
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1559,6 +1581,8 @@ impl Service {
|
||||||
}
|
}
|
||||||
|
|
||||||
pub_key_map.insert(origin.to_string(), result);
|
pub_key_map.insert(origin.to_string(), result);
|
||||||
|
} else {
|
||||||
|
servers.insert(origin.to_owned(), BTreeMap::new());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
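Review bot: In `contains_all_ids`, the test `keys.valid_until_ts > origin_server_ts` takes the remote server's self-declared expiry at face value, so a cached record advertising a far-future `valid_until_ts` is never considered stale and a rotated or compromised key would not trigger a refetch. The Matrix server-server specification asks servers to use the lesser of `valid_until_ts` and seven days into the future when deciding whether a key is valid; nothing in the visible hunks applies that cap, though it may be enforced where the keys are stored. One way is to compute the cap once before the closure and compare `keys.valid_until_ts.min(cap) > origin_server_ts`. The same specification says the field is ignored in room versions 1 to 4, so it is worth confirming this check does not force needless refetches for those rooms. The surrounding function begins and ends outside these hunks.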