rd: Don't downgrade to HTTP' (#7)

Reviewed-on: #7
This commit is contained in:
Steffo 2024-12-16 01:02:58 +00:00 committed by Cross
commit b0bb31bba0
Signed by: forgejo
GPG key ID: 3277D7B12BD4777D
4 changed files with 43 additions and 123 deletions

View file

@ -24,9 +24,9 @@ fn make_client() -> reqwest::Client {
} }
macro_rules! test { macro_rules! test_version {
($id:ident, $url:literal, $version:literal) => { ($id:ident, $url:literal, $version:literal) => {
test!($id, $url, $version,); test_version!($id, $url, $version,);
}; };
($id:ident, $url:literal, $version:literal, $($tag:meta),*) => { ($id:ident, $url:literal, $version:literal, $($tag:meta),*) => {
mod $id { mod $id {
@ -59,12 +59,12 @@ macro_rules! test {
}; };
} }
test!(akkoma, "https://junimo.party", "2.1"); test_version!(akkoma, "https://junimo.party", "2.1");
test!(mastodon, "https://mastodon.social", "2.0"); test_version!(mastodon, "https://mastodon.social", "2.0");
test!(misskey, "https://misskey.io", "2.1"); test_version!(misskey, "https://misskey.io", "2.1");
test!(iceshrimpnet, "https://ice.frieren.quest", "2.1"); test_version!(iceshrimpnet, "https://meow.company", "2.1");
test!(gotosocial, "https://alpha.polymaths.social", "2.0"); test_version!(gotosocial, "https://alpha.polymaths.social", "2.0");
test!(bridgyfed, "https://fed.brid.gy", "2.1"); test_version!(bridgyfed, "https://fed.brid.gy", "2.1");
test!(threads, "https://threads.net", "", ignore = "does not support NodeInfo"); test_version!(threads, "https://threads.net", "", ignore = "does not support NodeInfo");
test!(snac, "https://ngoa.giao.loan", "2.0"); test_version!(snac, "https://ngoa.giao.loan", "2.0");
test!(hollo, "https://hollo.social", "2.1"); test_version!(hollo, "https://hollo.social", "2.1");

View file

@ -15,17 +15,16 @@ impl ResourceDescriptor {
/// ///
/// In order, this method attempts: /// In order, this method attempts:
/// ///
/// 1. HTTPS [XRD](ResourceDescriptorJRD::get) /// 1. [XRD](ResourceDescriptorJRD::get)
/// 2. HTTPS [JRD](ResourceDescriptorJRD::get) /// 2. [JRD](ResourceDescriptorJRD::get)
/// 3. HTTPS [JRD](ResourceDescriptorJRD::get) with .json path suffix /// 3. [JRD](ResourceDescriptorJRD::get) with .json path suffix
/// 4. HTTP [XRD](ResourceDescriptorJRD::get)
/// 5. HTTP [JRD](ResourceDescriptorJRD::get)
/// 6. HTTP [JRD](ResourceDescriptorJRD::get) with .json path suffix
/// ///
/// # Notes /// # Notes
/// ///
/// This follows redirects until the redirect chain is 10 hops; see [`reqwest::redirect`] for more info. /// This follows redirects until the redirect chain is 10 hops; see [`reqwest::redirect`] for more info.
/// ///
/// Only the protocol specified in the passed [`reqwest::Url`] is used to fetch the [`ResourceDescriptor`]; despite the specification allowing servers to use only one between HTTP and HTTPS, no implicit downgrade is ever performed to prevent MITM attacks.
///
/// # Examples /// # Examples
/// ///
/// ``` /// ```
@ -53,121 +52,51 @@ impl ResourceDescriptor {
log::trace!("Unsetting URL fragment..."); log::trace!("Unsetting URL fragment...");
url.set_fragment(None); url.set_fragment(None);
log::trace!("Setting URL scheme to HTTPS..."); log::trace!("Attempting XRD retrieval...");
url.set_scheme("https") let xrd = match ResourceDescriptorXRD::get(client, url.clone()).await {
.map_err(UrlManipulation)?;
log::trace!("Cloning URL for HTTPS XRD retrieval...");
let https_xrd_url = url.clone();
log::trace!("Attempting HTTPS XRD retrieval...");
let https_xrd = match ResourceDescriptorXRD::get(client, https_xrd_url).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS XRD retrieval was successful, returning..."); log::trace!("XRD retrieval was successful, returning...");
return Ok(Self::XRD(data)) return Ok(Self::XRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS XRD retrieval failed."); log::warn!("XRD retrieval failed.");
err err
} }
}; };
log::trace!("Cloning URL for HTTPS JRD retrieval..."); log::trace!("Attempting JRD retrieval...");
let https_jrd_url = url.clone(); let jrd = match ResourceDescriptorJRD::get(client, url.clone()).await {
log::trace!("Attempting HTTPS JRD retrieval...");
let https_jrd = match ResourceDescriptorJRD::get(client, https_jrd_url).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS JRD retrieval was successful, returning..."); log::trace!("JRD retrieval was successful, returning...");
return Ok(Self::JRD(data)) return Ok(Self::JRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS JRD retrieval failed."); log::warn!("JRD retrieval failed.");
err err
} }
}; };
log::trace!("Cloning URL for HTTPS JRD .json retrieval..."); log::trace!("Altering URL path for JRD .json retrieval...");
let mut https_jrdj_url = url.clone(); url.set_path(
&format!("{}.json", url.path())
log::trace!("Altering URL path for HTTPS JRD .json retrieval...");
https_jrdj_url.set_path(
&format!("{}.json", https_jrdj_url.path())
); );
log::trace!("Attempting HTTPS JRD .json retrieval..."); log::trace!("Attempting JRD .json retrieval...");
let https_jrdj = match ResourceDescriptorJRD::get(client, https_jrdj_url).await { let jrdj = match ResourceDescriptorJRD::get(client, url.clone()).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS JRD .json retrieval was successful, returning..."); log::trace!("JRD .json retrieval was successful, returning...");
return Ok(Self::JRD(data)) return Ok(Self::JRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS JRD .json retrieval failed."); log::warn!("JRD .json retrieval failed.");
err
}
};
log::trace!("Setting URL scheme to HTTP...");
url.set_scheme("http")
.map_err(UrlManipulation)?;
log::trace!("Cloning URL for HTTP XRD retrieval...");
let http_xrd_url = url.clone();
log::trace!("Attempting HTTP XRD retrieval...");
let http_xrd = match ResourceDescriptorXRD::get(client, http_xrd_url).await {
Ok(data) => {
log::trace!("HTTP XRD retrieval was successful, returning...");
return Ok(Self::XRD(data))
}
Err(err) => {
log::warn!("HTTP XRD retrieval failed.");
err
}
};
log::trace!("Cloning URL for HTTP JRD retrieval...");
let http_jrd_url = url.clone();
log::trace!("Attempting HTTP JRD retrieval...");
let http_jrd = match ResourceDescriptorJRD::get(client, http_jrd_url).await {
Ok(data) => {
log::trace!("HTTP JRD retrieval was successful, returning...");
return Ok(Self::JRD(data))
}
Err(err) => {
log::warn!("HTTP JRD retrieval failed.");
err
}
};
log::trace!("Cloning URL for HTTP JRD .json retrieval...");
let mut http_jrdj_url = url.clone();
log::trace!("Altering URL path for HTTPS JRD .json retrieval...");
http_jrdj_url.set_path(
&format!("{}.json", http_jrdj_url.path())
);
log::trace!("Attempting HTTP JRD .json retrieval...");
let http_jrdj = match ResourceDescriptorJRD::get(client, http_jrdj_url).await {
Ok(data) => {
log::trace!("HTTP JRD .json retrieval was successful, returning...");
return Ok(Self::JRD(data))
}
Err(err) => {
log::warn!("HTTP JRD .json retrieval failed.");
err err
} }
}; };
Err(Fetch(GetFetchFailures { Err(Fetch(GetFetchFailures {
https_xrd, xrd,
https_jrd, jrd,
https_jrdj, jrdj,
http_xrd,
http_jrd,
http_jrdj,
})) }))
} }
@ -262,25 +191,16 @@ pub enum GetError {
Fetch(GetFetchFailures), Fetch(GetFetchFailures),
} }
/// Request errors occurred during [`ResourceDescriptor::discover`]. /// Request errors occurred during [`ResourceDescriptor::get`].
#[derive(Debug, Error)] #[derive(Debug, Error)]
#[error("all attempts of fetching the resource descriptor document failed")] #[error("all attempts of fetching the resource descriptor document failed")]
pub struct GetFetchFailures { pub struct GetFetchFailures {
/// HTTPS XRD retrieval. /// XRD retrieval.
pub https_xrd: GetXRDError, pub xrd: GetXRDError,
/// HTTPS JRD retrieval. /// JRD retrieval.
pub https_jrd: GetJRDError, pub jrd: GetJRDError,
/// HTTPS JRD with .json extension retrieval. /// JRD with .json extension retrieval.
pub https_jrdj: GetJRDError, pub jrdj: GetJRDError,
/// HTTPS XRD retrieval.
pub http_xrd: GetXRDError,
/// HTTP JRD retrieval.
pub http_jrd: GetJRDError,
/// HTTP JRD with .json extension retrieval.
pub http_jrdj: GetJRDError,
} }

View file

@ -181,7 +181,7 @@ impl ResourceDescriptorXRD {
pub async fn get(client: &reqwest::Client, url: reqwest::Url) -> Result<Self, GetXRDError> { pub async fn get(client: &reqwest::Client, url: reqwest::Url) -> Result<Self, GetXRDError> {
use GetXRDError::*; use GetXRDError::*;
log::debug!("Getting host-meta XRD document at: {url}"); log::debug!("Getting XRD document at: {url}");
log::trace!("Building request..."); log::trace!("Building request...");
let request = { let request = {

View file

@ -105,7 +105,7 @@ macro_rules! test_de_ser_xrd {
test_discover_hostmeta!(test_discover_hostmeta_junimo_party, "https://junimo.party"); test_discover_hostmeta!(test_discover_hostmeta_junimo_party, "https://junimo.party");
test_discover_hostmeta!(test_discover_hostmeta_mastodon_social, "https://mastodon.social"); test_discover_hostmeta!(test_discover_hostmeta_mastodon_social, "https://mastodon.social");
test_discover_hostmeta!(test_discover_hostmeta_misskey_io, "https://misskey.io"); test_discover_hostmeta!(test_discover_hostmeta_misskey_io, "https://misskey.io");
test_discover_hostmeta!(test_discover_hostmeta_ice_frieren_quest, "https://ice.frieren.quest"); test_discover_hostmeta!(test_discover_hostmeta_meow_company, "https://meow.company");
test_discover_hostmeta!(test_discover_hostmeta_alpha_polymaths_social, "https://alpha.polymaths.social"); test_discover_hostmeta!(test_discover_hostmeta_alpha_polymaths_social, "https://alpha.polymaths.social");
test_discover_hostmeta!(test_discover_hostmeta_fed_brid_gy, "https://fed.brid.gy"); test_discover_hostmeta!(test_discover_hostmeta_fed_brid_gy, "https://fed.brid.gy");
test_discover_hostmeta!(test_discover_hostmeta_threads_net, "https://threads.net", ignore = "does not support host-meta"); test_discover_hostmeta!(test_discover_hostmeta_threads_net, "https://threads.net", ignore = "does not support host-meta");