Add API endpoint for GitHub secret alerts

Author: Dan Gardner

Cargo.lock

@@ -85,6 +85,7 @@ tracing = "=0.1.37"
 tracing-logfmt = "=0.2.0"
 tracing-subscriber = { version = "=0.3.16", features = ["env-filter"] }
 url = "=2.3.1"
+ring = "=0.16.20"
 
 [dev-dependencies]
 cargo-registry-index = { path = "cargo-registry-index", features = ["testing"] }

Cargo.toml

@@ -1,11 +1,14 @@
 use super::frontend_prelude::*;
 
-use crate::models::ApiToken;
+use crate::github::key_from_spki;
+use crate::models::{ApiToken, User};
 use crate::schema::api_tokens;
 use crate::util::read_fill;
 use crate::views::EncodableApiTokenWithToken;
 
+use base64;
 use conduit::{Body, Response};
+use ring::signature;
 use serde_json as json;
 
 /// Handles the `GET /me/tokens` route.
@@ -114,3 +117,133 @@ pub fn revoke_current(req: &mut dyn RequestExt) -> EndpointResult {
 
     Ok(Response::builder().status(204).body(Body::empty()).unwrap())
 }
+
+/// Verifies that the GitHub signature in request headers is valid
+fn verify_github_signature(req: &dyn RequestExt, json: &[u8]) -> Result<(), Box<dyn AppError>> {
+    // Read and decode request headers
+    let headers = req.headers();
+    let req_key_id = headers
+        .get("GITHUB-PUBLIC-KEY-IDENTIFIER")
+        .ok_or_else(|| bad_request("missing HTTP header: GITHUB-PUBLIC-KEY-IDENTIFIER"))?
+        .to_str()
+        .map_err(|e| bad_request(&format!("failed to decode HTTP header: {e:?}")))?;
+    let sig = headers
+        .get("GITHUB-PUBLIC-KEY-SIGNATURE")
+        .ok_or_else(|| bad_request("missing HTTP header: GITHUB-PUBLIC-KEY-SIGNATURE"))?;
+    let sig = base64::decode(sig)
+        .map_err(|e| bad_request(&format!("failed to decode signature as base64: {e:?}")))?;
+
+    // Fetch list of public keys from GitHub API
+    let app = req.app();
+    let public_keys = app
+        .github
+        .public_keys(&app.config.gh_client_id, &app.config.gh_client_secret)
+        .map_err(|e| bad_request(&format!("failed to fetch GitHub public keys: {e:?}")))?;
+
+    for key in public_keys {
+        if key.key_identifier == req_key_id {
+            if !key.is_current {
+                return Err(bad_request(&format!(
+                    "key id {req_key_id} is not a current key"
+                )));
+            }
+            let key_bytes =
+                key_from_spki(&key).map_err(|_| bad_request("cannot parse public key"))?;
+            let gh_key =
+                signature::UnparsedPublicKey::new(&signature::ECDSA_P256_SHA256_ASN1, &key_bytes);
+
+            return match gh_key.verify(json, &sig) {
+                Ok(v) => {
+                    info!(
+                        "GitHub secret alert request validated with key id {}",
+                        key.key_identifier
+                    );
+                    Ok(v)
+                }
+                Err(e) => Err(bad_request(&format!("invalid signature: {e:?}"))),
+            };
+        }
+    }
+
+    return Err(bad_request(&format!("unknown key id {req_key_id}")));
+}
+
+#[derive(Deserialize, Serialize)]
+struct GitHubSecretAlert {
+    token: String,
+    r#type: String,
+    url: String,
+    source: String,
+}
+
+/// Revokes an API token and notifies the token owner
+fn alert_revoke_token(
+    req: &dyn RequestExt,
+    alert: &GitHubSecretAlert,
+) -> Result<(), Box<dyn AppError>> {
+    let conn = req.db_write()?;
+    // not using ApiToken::find_by_api_token in order to preserve last_used_at
+    let token = api_tokens::table
+        .filter(api_tokens::token.eq(alert.token.as_bytes()))
+        .first::<ApiToken>(&*conn)?;
+
+    diesel::update(&token)
+        .set(api_tokens::revoked.eq(true))
+        .execute(&*conn)?;
+
+    // send email notification to the token owner
+    let user = User::find(&conn, token.user_id)?;
+    info!(
+        "Revoked API token '{}' for user {} ({})",
+        alert.token, user.gh_login, user.id
+    );
+    match user.email(&conn)? {
+        None => {
+            info!(
+                "No email address for user {} ({}), cannot send email notification",
+                user.gh_login, user.id
+            );
+            Ok(())
+        }
+        Some(email) => req.app().emails.send_token_exposed_notification(
+            &email,
+            &alert.url,
+            "GitHub",
+            &alert.source,
+            &token.name,
+        ),
+    }
+}
+
+/// Handles the `POST /tokens/alert/github` route.
+pub fn alert_github(req: &mut dyn RequestExt) -> EndpointResult {
+    let max_size = 8192;
+    let length = req
+        .content_length()
+        .ok_or_else(|| bad_request("missing header: Content-Length"))?;
+
+    if length > max_size {
+        return Err(bad_request(&format!("max content length is: {max_size}")));
+    }
+
+    let mut json = vec![0; length as usize];
+    read_fill(req.body(), &mut json)?;
+    verify_github_signature(req, &json)
+        .map_err(|e| bad_request(&format!("failed to verify request signature: {e:?}")))?;
+
+    let json = String::from_utf8(json)
+        .map_err(|e| bad_request(&format!("failed to decode request body: {e:?}")))?;
+    let alerts: Vec<GitHubSecretAlert> = json::from_str(&json)
+        .map_err(|e| bad_request(&format!("invalid secret alert request: {e:?}")))?;
+
+    for alert in alerts {
+        if let Err(e) = alert_revoke_token(req, &alert) {
+            warn!(
+                "Error revoking API token in GitHub secret alert: {} ({e:?})",
+                alert.token
+            );
+        }
+    }
+
+    Ok(req.json(&json!({})))
+}

src/controllers/token.rs

@@ -91,6 +91,33 @@ or go to https://{domain}/me/pending-invites to manage all of your crate ownersh
         self.send(email, subject, &body)
     }
 
+    /// Attempts to send an API token exposure notification email
+    pub fn send_token_exposed_notification(
+        &self,
+        email: &str,
+        url: &str,
+        reporter: &str,
+        source: &str,
+        token_name: &str,
+    ) -> AppResult<()> {
+        let subject = "Exposed API token found";
+        let mut body = format!(
+            "{reporter} has notified us that your crates.io API token {token_name}\n
+has been exposed publicly. We have revoked this token as a precaution.\n
+Please review your account at https://{domain} to confirm that no\n
+unexpected changes have been made to your settings or crates.\n
+\n
+Source type: {source}\n",
+            domain = crate::config::domain_name()
+        );
+        if url.is_empty() {
+            body.push_str("\nWe were not informed of the URL where the token was found.\n");
+        } else {
+            body.push_str(&format!("\nURL where the token was found: {url}\n"));
+        }
+        self.send(email, subject, &body)
+    }
+
     /// This is supposed to be used only during tests, to retrieve the messages stored in the
     /// "memory" backend. It's not cfg'd away because our integration tests need to access this.
     pub fn mails_in_memory(&self) -> Option<Vec<StoredEmail>> {

src/email.rs

@@ -32,6 +32,7 @@ pub trait GitHubClient: Send + Sync {
         username: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubOrgMembership>;
+    fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>>;
 }
 
 #[derive(Debug)]
@@ -46,7 +47,7 @@ impl RealGitHubClient {
     }
 
     /// Does all the nonsense for sending a GET to Github.
-    pub fn request<T>(&self, url: &str, auth: &AccessToken) -> AppResult<T>
+    fn _request<T>(&self, url: &str, auth: &str) -> AppResult<T>
     where
         T: DeserializeOwned,
     {
@@ -56,7 +57,7 @@ impl RealGitHubClient {
         self.client()
             .get(&url)
             .header(header::ACCEPT, "application/vnd.github.v3+json")
-            .header(header::AUTHORIZATION, format!("token {}", auth.secret()))
+            .header(header::AUTHORIZATION, auth)
             .header(header::USER_AGENT, "crates.io (https://crates.io)")
             .send()?
             .error_for_status()
@@ -65,6 +66,22 @@ impl RealGitHubClient {
             .map_err(Into::into)
     }
 
+    /// Sends a GET to GitHub using OAuth access token authentication
+    pub fn request<T>(&self, url: &str, auth: &AccessToken) -> AppResult<T>
+    where
+        T: DeserializeOwned,
+    {
+        self._request(url, &format!("token {}", auth.secret()))
+    }
+
+    /// Sends a GET to GitHub using basic authentication
+    pub fn request_basic<T>(&self, url: &str, username: &str, password: &str) -> AppResult<T>
+    where
+        T: DeserializeOwned,
+    {
+        self._request(url, &format!("basic {}:{}", username, password))
+    }
+
     /// Returns a client for making HTTP requests to upload crate files.
     ///
     /// The client will go through a proxy if the application was configured via
@@ -123,6 +140,18 @@ impl GitHubClient for RealGitHubClient {
             auth,
         )
     }
+
+    /// Returns the list of public keys that can be used to verify GitHub secret alert signatures
+    fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>> {
+        match self.request_basic::<GitHubPublicKeyList>(
+            "/meta/public_keys/secret_scanning",
+            username,
+            password,
+        ) {
+            Ok(v) => Ok(v.public_keys),
+            Err(e) => Err(e),
+        }
+    }
 }
 
 fn handle_error_response(error: &reqwest::Error) -> Box<dyn AppError> {
@@ -178,6 +207,18 @@ pub struct GitHubOrgMembership {
     pub role: String,
 }
 
+#[derive(Debug, Deserialize)]
+pub struct GitHubPublicKey {
+    pub key_identifier: String,
+    pub key: String,
+    pub is_current: bool,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct GitHubPublicKeyList {
+    pub public_keys: Vec<GitHubPublicKey>,
+}
+
 pub fn team_url(login: &str) -> String {
     let mut login_pieces = login.split(':');
     login_pieces.next();
@@ -186,3 +227,27 @@ pub fn team_url(login: &str) -> String {
         login_pieces.next().expect("org failed"),
     )
 }
+
+static PEM_HEADER: &str = "-----BEGIN PUBLIC KEY-----\n";
+static PEM_FOOTER: &str = "\n-----END PUBLIC KEY-----";
+
+/// Converts a PEM format ECDSA P-256 SHA-256 public key in SubjectPublicKeyInfo format into
+/// the Octet-String-to-Elliptic-Curve-Point format expected by ring::signature::verify
+pub fn key_from_spki(key: &GitHubPublicKey) -> Result<Vec<u8>, std::io::Error> {
+    let start_idx = key
+        .key
+        .find(PEM_HEADER)
+        .ok_or(std::io::ErrorKind::InvalidData)?;
+    let gh_key = &key.key[(start_idx + PEM_HEADER.len())..];
+    let end_idx = gh_key
+        .find(PEM_FOOTER)
+        .ok_or(std::io::ErrorKind::InvalidData)?;
+    let gh_key = gh_key[..end_idx].replace('\n', "");
+    let gh_key = base64::decode(gh_key)
+        .map_err(|_| std::io::Error::from(std::io::ErrorKind::InvalidData))?;
+    if gh_key.len() != 91 {
+        return Err(std::io::Error::from(std::io::ErrorKind::InvalidData));
+    }
+    // extract the key bytes from the fixed position in the ASN.1 structure
+    Ok(gh_key[26..91].to_vec())
+}

src/github.rs

@@ -113,6 +113,7 @@ pub fn build_router(app: &App) -> RouteBuilder {
     router.put("/api/v1/me/tokens", C(token::new));
     router.delete("/api/v1/me/tokens/:id", C(token::revoke));
     router.delete("/api/v1/tokens/current", C(token::revoke_current));
+    router.post("/api/v1/tokens/alert/github", C(token::alert_github));
     router.get(
         "/api/v1/me/crate_owner_invitations",
         C(crate_owner_invitation::list),