1 |
|
2 |
|
3 | var assert = require('assert-plus');
|
4 | var util = require('util');
|
5 | var utils = require('./utils');
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 | var HASH_ALGOS = utils.HASH_ALGOS;
|
12 | var PK_ALGOS = utils.PK_ALGOS;
|
13 | var HttpSignatureError = utils.HttpSignatureError;
|
14 | var InvalidAlgorithmError = utils.InvalidAlgorithmError;
|
15 | var validateAlgorithm = utils.validateAlgorithm;
|
16 |
|
17 | var State = {
|
18 | New: 0,
|
19 | Params: 1
|
20 | };
|
21 |
|
22 | var ParamsState = {
|
23 | Name: 0,
|
24 | Quote: 1,
|
25 | Value: 2,
|
26 | Comma: 3,
|
27 | Number: 4
|
28 | };
|
29 |
|
30 |
|
31 |
|
32 |
|
33 | function ExpiredRequestError(message) {
|
34 | HttpSignatureError.call(this, message, ExpiredRequestError);
|
35 | }
|
36 | util.inherits(ExpiredRequestError, HttpSignatureError);
|
37 |
|
38 |
|
39 | function InvalidHeaderError(message) {
|
40 | HttpSignatureError.call(this, message, InvalidHeaderError);
|
41 | }
|
42 | util.inherits(InvalidHeaderError, HttpSignatureError);
|
43 |
|
44 |
|
45 | function InvalidParamsError(message) {
|
46 | HttpSignatureError.call(this, message, InvalidParamsError);
|
47 | }
|
48 | util.inherits(InvalidParamsError, HttpSignatureError);
|
49 |
|
50 |
|
51 | function MissingHeaderError(message) {
|
52 | HttpSignatureError.call(this, message, MissingHeaderError);
|
53 | }
|
54 | util.inherits(MissingHeaderError, HttpSignatureError);
|
55 |
|
56 | function StrictParsingError(message) {
|
57 | HttpSignatureError.call(this, message, StrictParsingError);
|
58 | }
|
59 | util.inherits(StrictParsingError, HttpSignatureError);
|
60 |
|
61 |
|
62 |
|
63 | module.exports = {
|
64 |
|
65 | |
66 |
|
67 |
|
68 |
|
69 |
|
70 |
|
71 |
|
72 |
|
73 |
|
74 |
|
75 |
|
76 |
|
77 |
|
78 |
|
79 |
|
80 |
|
81 |
|
82 |
|
83 |
|
84 |
|
85 |
|
86 |
|
87 |
|
88 |
|
89 |
|
90 |
|
91 |
|
92 |
|
93 |
|
94 |
|
95 |
|
96 |
|
97 |
|
98 |
|
99 |
|
100 |
|
101 |
|
102 |
|
103 |
|
104 |
|
105 |
|
106 |
|
107 |
|
108 | parseRequest: function parseRequest(request, options) {
|
109 | assert.object(request, 'request');
|
110 | assert.object(request.headers, 'request.headers');
|
111 | if (options === undefined) {
|
112 | options = {};
|
113 | }
|
114 | assert.object(options, 'options');
|
115 | assert.optionalFinite(options.clockSkew, 'options.clockSkew');
|
116 |
|
117 | var headers = [request.headers['x-date'] ? 'x-date' : 'date'];
|
118 | if (options.headers !== undefined) {
|
119 | assert.arrayOfString(headers, 'options.headers');
|
120 | headers = options.headers;
|
121 | }
|
122 |
|
123 | var authzHeaderName = options.authorizationHeaderName;
|
124 | var authz = request.headers[authzHeaderName] ||
|
125 | request.headers[utils.HEADER.AUTH] || request.headers[utils.HEADER.SIG];
|
126 |
|
127 | if (!authz) {
|
128 | var errHeader = authzHeaderName ? authzHeaderName :
|
129 | utils.HEADER.AUTH + ' or ' + utils.HEADER.SIG;
|
130 |
|
131 | throw new MissingHeaderError('no ' + errHeader + ' header ' +
|
132 | 'present in the request');
|
133 | }
|
134 |
|
135 | options.clockSkew = options.clockSkew || 300;
|
136 |
|
137 |
|
138 | var i = 0;
|
139 | var state = authz === request.headers[utils.HEADER.SIG] ?
|
140 | State.Params : State.New;
|
141 | var substate = ParamsState.Name;
|
142 | var tmpName = '';
|
143 | var tmpValue = '';
|
144 |
|
145 | var parsed = {
|
146 | scheme: authz === request.headers[utils.HEADER.SIG] ? 'Signature' : '',
|
147 | params: {},
|
148 | signingString: ''
|
149 | };
|
150 |
|
151 | for (i = 0; i < authz.length; i++) {
|
152 | var c = authz.charAt(i);
|
153 |
|
154 | switch (Number(state)) {
|
155 |
|
156 | case State.New:
|
157 | if (c !== ' ') parsed.scheme += c;
|
158 | else state = State.Params;
|
159 | break;
|
160 |
|
161 | case State.Params:
|
162 | switch (Number(substate)) {
|
163 |
|
164 | case ParamsState.Name:
|
165 | var code = c.charCodeAt(0);
|
166 |
|
167 | if ((code >= 0x41 && code <= 0x5a) ||
|
168 | (code >= 0x61 && code <= 0x7a)) {
|
169 | tmpName += c;
|
170 | } else if (c === '=') {
|
171 | if (tmpName.length === 0)
|
172 | throw new InvalidHeaderError('bad param format');
|
173 | substate = ParamsState.Quote;
|
174 | } else {
|
175 | throw new InvalidHeaderError('bad param format');
|
176 | }
|
177 | break;
|
178 |
|
179 | case ParamsState.Quote:
|
180 | if (c === '"') {
|
181 | tmpValue = '';
|
182 | substate = ParamsState.Value;
|
183 | } else {
|
184 |
|
185 | substate = ParamsState.Number;
|
186 | code = c.charCodeAt(0);
|
187 | if (code < 0x30 || code > 0x39) {
|
188 | throw new InvalidHeaderError('bad param format');
|
189 | }
|
190 | tmpValue = c;
|
191 | }
|
192 | break;
|
193 |
|
194 | case ParamsState.Value:
|
195 | if (c === '"') {
|
196 | parsed.params[tmpName] = tmpValue;
|
197 | substate = ParamsState.Comma;
|
198 | } else {
|
199 | tmpValue += c;
|
200 | }
|
201 | break;
|
202 |
|
203 | case ParamsState.Number:
|
204 | if (c === ',') {
|
205 | parsed.params[tmpName] = parseInt(tmpValue, 10);
|
206 | tmpName = '';
|
207 | substate = ParamsState.Name;
|
208 | } else {
|
209 | code = c.charCodeAt(0);
|
210 | if (code < 0x30 || code > 0x39) {
|
211 | throw new InvalidHeaderError('bad param format');
|
212 | }
|
213 | tmpValue += c;
|
214 | }
|
215 | break;
|
216 |
|
217 |
|
218 | case ParamsState.Comma:
|
219 | if (c === ',') {
|
220 | tmpName = '';
|
221 | substate = ParamsState.Name;
|
222 | } else {
|
223 | throw new InvalidHeaderError('bad param format');
|
224 | }
|
225 | break;
|
226 |
|
227 | default:
|
228 | throw new Error('Invalid substate');
|
229 | }
|
230 | break;
|
231 |
|
232 | default:
|
233 | throw new Error('Invalid substate');
|
234 | }
|
235 |
|
236 | }
|
237 |
|
238 | if (!parsed.params.headers || parsed.params.headers === '') {
|
239 | if (request.headers['x-date']) {
|
240 | parsed.params.headers = ['x-date'];
|
241 | } else {
|
242 | parsed.params.headers = ['date'];
|
243 | }
|
244 | } else {
|
245 | parsed.params.headers = parsed.params.headers.split(' ');
|
246 | }
|
247 |
|
248 |
|
249 | if (!parsed.scheme || parsed.scheme !== 'Signature')
|
250 | throw new InvalidHeaderError('scheme was not "Signature"');
|
251 |
|
252 | if (!parsed.params.keyId)
|
253 | throw new InvalidHeaderError('keyId was not specified');
|
254 |
|
255 | if (!parsed.params.algorithm)
|
256 | throw new InvalidHeaderError('algorithm was not specified');
|
257 |
|
258 | if (!parsed.params.signature)
|
259 | throw new InvalidHeaderError('signature was not specified');
|
260 |
|
261 |
|
262 | try {
|
263 | validateAlgorithm(parsed.params.algorithm);
|
264 | } catch (e) {
|
265 | if (e instanceof InvalidAlgorithmError)
|
266 | throw (new InvalidParamsError(parsed.params.algorithm + ' is not ' +
|
267 | 'supported'));
|
268 | else
|
269 | throw (e);
|
270 | }
|
271 |
|
272 |
|
273 | for (i = 0; i < parsed.params.headers.length; i++) {
|
274 | var h = parsed.params.headers[i].toLowerCase();
|
275 | parsed.params.headers[i] = h;
|
276 |
|
277 | if (h === 'request-line') {
|
278 | if (!options.strict) {
|
279 | |
280 |
|
281 |
|
282 |
|
283 | parsed.signingString +=
|
284 | request.method + ' ' + request.url + ' HTTP/' + request.httpVersion;
|
285 | } else {
|
286 |
|
287 | throw (new StrictParsingError('request-line is not a valid header ' +
|
288 | 'with strict parsing enabled.'));
|
289 | }
|
290 | } else if (h === '(request-target)') {
|
291 | parsed.signingString +=
|
292 | '(request-target): ' + request.method.toLowerCase() + ' ' +
|
293 | request.url;
|
294 | } else if (h === '(keyid)') {
|
295 | parsed.signingString += '(keyid): ' + parsed.params.keyId;
|
296 | } else if (h === '(algorithm)') {
|
297 | parsed.signingString += '(algorithm): ' + parsed.params.algorithm;
|
298 | } else if (h === '(opaque)') {
|
299 | var opaque = parsed.params.opaque;
|
300 | if (opaque === undefined) {
|
301 | throw new MissingHeaderError('opaque param was not in the ' +
|
302 | authzHeaderName + ' header');
|
303 | }
|
304 | parsed.signingString += '(opaque): ' + opaque;
|
305 | } else if (h === '(created)') {
|
306 | parsed.signingString += '(created): ' + parsed.params.created;
|
307 | } else if (h === '(expires)') {
|
308 | parsed.signingString += '(expires): ' + parsed.params.expires;
|
309 | } else {
|
310 | var value = request.headers[h];
|
311 | if (value === undefined)
|
312 | throw new MissingHeaderError(h + ' was not in the request');
|
313 | parsed.signingString += h + ': ' + value;
|
314 | }
|
315 |
|
316 | if ((i + 1) < parsed.params.headers.length)
|
317 | parsed.signingString += '\n';
|
318 | }
|
319 |
|
320 |
|
321 | var date;
|
322 | var skew;
|
323 | if (request.headers.date || request.headers['x-date']) {
|
324 | if (request.headers['x-date']) {
|
325 | date = new Date(request.headers['x-date']);
|
326 | } else {
|
327 | date = new Date(request.headers.date);
|
328 | }
|
329 | var now = new Date();
|
330 | skew = Math.abs(now.getTime() - date.getTime());
|
331 |
|
332 | if (skew > options.clockSkew * 1000) {
|
333 | throw new ExpiredRequestError('clock skew of ' +
|
334 | (skew / 1000) +
|
335 | 's was greater than ' +
|
336 | options.clockSkew + 's');
|
337 | }
|
338 | }
|
339 |
|
340 | if (parsed.params.created) {
|
341 | skew = parsed.params.created - Math.floor(Date.now() / 1000);
|
342 | if (skew > options.clockSkew) {
|
343 | throw new ExpiredRequestError('Created lies in the future (with ' +
|
344 | 'skew ' + skew + 's greater than allowed ' + options.clockSkew +
|
345 | 's');
|
346 | }
|
347 | }
|
348 |
|
349 | if (parsed.params.expires) {
|
350 | var expiredSince = Math.floor(Date.now() / 1000) - parsed.params.expires;
|
351 | if (expiredSince > options.clockSkew) {
|
352 | throw new ExpiredRequestError('Request expired with skew ' +
|
353 | expiredSince + 's greater than allowed ' + options.clockSkew + 's');
|
354 | }
|
355 | }
|
356 |
|
357 | headers.forEach(function (hdr) {
|
358 |
|
359 |
|
360 | if (parsed.params.headers.indexOf(hdr.toLowerCase()) < 0)
|
361 | throw new MissingHeaderError(hdr + ' was not a signed header');
|
362 | });
|
363 |
|
364 | parsed.params.algorithm = parsed.params.algorithm.toLowerCase();
|
365 | if (options.algorithms) {
|
366 | if (options.algorithms.indexOf(parsed.params.algorithm) === -1)
|
367 | throw new InvalidParamsError(parsed.params.algorithm +
|
368 | ' is not a supported algorithm');
|
369 | }
|
370 |
|
371 | parsed.algorithm = parsed.params.algorithm.toUpperCase();
|
372 | parsed.keyId = parsed.params.keyId;
|
373 | parsed.opaque = parsed.params.opaque;
|
374 | return parsed;
|
375 | }
|
376 |
|
377 | };
|