Merge pull request #6906 from annando/http-sign-photo

Use HTTP-Signature to authenticate when fetching photos.
2019-03-18 20:15:38 -04:00 · 2019-03-18 20:15:38 -04:00 · d23e877b21
parent d32105aa8b a876c20850
commit d23e877b21
3 changed files with 82 additions and 47 deletions
--- a/src/Module/Photo.php
+++ b/src/Module/Photo.php
@ -45,6 +45,9 @@ class Photo extends BaseModule
 			exit;
 		}

+		/// @todo Add Authentication to enable fetching of non public content
+		// $requester = HTTPSignature::getSigner('', $_SERVER);
+
 		$customsize = 0;
 		$photo = false;
 		switch($a->argc) {
--- a/src/Module/Proxy.php
+++ b/src/Module/Proxy.php
@ -10,8 +10,9 @@ use Friendica\Core\L10n;
 use Friendica\Core\System;
 use Friendica\Model\Photo;
 use Friendica\Object\Image;
-use Friendica\Util\Network;
+use Friendica\Util\HTTPSignature;
 use Friendica\Util\Proxy as ProxyUtils;
+use Friendica\Core\Logger;

 /**
 * @brief Module Proxy
@ -81,30 +82,27 @@ class Proxy extends BaseModule
 		// Try to use photo from db
 		self::responseFromDB($request);

-
 		//
 		// If script is here, the requested url has never cached before.
 		// Let's fetch it, scale it if required, then save it in cache.
 		//

-
 		// It shouldn't happen but it does - spaces in URL
 		$request['url'] = str_replace(' ', '+', $request['url']);
-		$redirects = 0;
-		$fetchResult = Network::fetchUrlFull($request['url'], true, $redirects, 10);
+		$fetchResult = HTTPSignature::fetchRaw($request['url'], local_user(), true, ['timeout' => 10]);
 		$img_str = $fetchResult->getBody();

-		$tempfile = tempnam(get_temppath(), 'cache');
-		file_put_contents($tempfile, $img_str);
-		$mime = mime_content_type($tempfile);
-		unlink($tempfile);
-
 		// If there is an error then return a blank image
 		if ((substr($fetchResult->getReturnCode(), 0, 1) == '4') || (!$img_str)) {
 			self::responseError();
 			// stop.
 		}

+		$tempfile = tempnam(get_temppath(), 'cache');
+		file_put_contents($tempfile, $img_str);
+		$mime = mime_content_type($tempfile);
+		unlink($tempfile);
+
 		$image = new Image($img_str, $mime);
 		if (!$image->isValid()) {
 			self::responseError();
@ -160,7 +158,6 @@ class Proxy extends BaseModule
 		$size = 1024;
 		$sizetype = '';

-		
 		// Look for filename in the arguments
 		if (($a->argc > 1) && !isset($_REQUEST['url'])) {
 			if (isset($a->argv[3])) {
@ -277,8 +274,8 @@ class Proxy extends BaseModule
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 * @throws \ImagickException
 	 */
-	private static function responseFromDB(&$request) {
-	
+	private static function responseFromDB(&$request)
+	{
 		$photo = Photo::getPhoto($request['urlhash']);

 		if ($photo !== false) {
@ -292,7 +289,8 @@ class Proxy extends BaseModule
 	 * @brief Output a blank image, without cache headers, in case of errors
 	 *
 	 */
-	private static function responseError() {
+	private static function responseError()
+	{
 		header('Content-type: image/png');
 		echo file_get_contents('images/blank.png');
 		exit();
@ -319,5 +317,3 @@ class Proxy extends BaseModule
 		exit();
 	}
 }
-
-
--- a/src/Util/HTTPSignature.php
+++ b/src/Util/HTTPSignature.php
@ -328,8 +328,46 @@ class HTTPSignature
 	 */
 	public static function fetch($request, $uid)
 	{
-		$owner = User::getOwnerDataById($uid);
+		$opts = ['accept_content' => 'application/activity+json, application/ld+json'];
+		$curlResult = self::fetchRaw($request, $uid, false, $opts);

+		if (empty($curlResult)) {
+			return false;
+		}
+
+		if (!$curlResult->isSuccess() || empty($curlResult->getBody())) {
+			return false;
+		}
+
+		$content = json_decode($curlResult->getBody(), true);
+		if (empty($content) || !is_array($content)) {
+			return false;
+		}
+
+		return $content;
+	}
+
+	/**
+	 * @brief Fetches raw data for a user
+	 *
+	 * @param string  $request request url
+	 * @param integer $uid     User id of the requester
+	 * @param boolean $binary  TRUE if asked to return binary results (file download) (default is "false")
+	 * @param array   $opts    (optional parameters) assoziative array with:
+	 *                         'accept_content' => supply Accept: header with 'accept_content' as the value
+	 *                         'timeout' => int Timeout in seconds, default system config value or 60 seconds
+	 *                         'http_auth' => username:password
+	 *                         'novalidate' => do not validate SSL certs, default is to validate using our CA list
+	 *                         'nobody' => only return the header
+	 *                         'cookiejar' => path to cookie jar file
+	 *
+	 * @return object CurlResult
+	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 */
+	public static function fetchRaw($request, $uid = 0, $binary = false, $opts = [])
+	{
+		if (!empty($uid)) {
+			$owner = User::getOwnerDataById($uid);
 			if (!$owner) {
 				return;
 			}
@ -346,25 +384,23 @@ class HTTPSignature
 			$signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256'));

 			$headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"';
+		} else {
+			$headers = [];
+		}

-		$headers[] = 'Accept: application/activity+json, application/ld+json';
+		if (!empty($opts['accept_content'])) {
+			$headers[] = 'Accept: ' . $opts['accept_content'];
+		}

-		$curlResult = Network::curl($request, false, $redirects, ['header' => $headers]);
+		$curl_opts = $opts;
+		$curl_opts['header'] = $headers;
+
+		$curlResult = Network::curl($request, false, $redirects, $curl_opts);
 		$return_code = $curlResult->getReturnCode();

 		Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG);

-		if (!$curlResult->isSuccess() || empty($curlResult->getBody())) {
-			return false;
-		}
-
-		$content = json_decode($curlResult->getBody(), true);
-
-		if (empty($content) || !is_array($content)) {
-			return false;
-		}
-
-		return $content;
+		return $curlResult;
 	}

 	/**