only accept signed snippets

Cargo.toml

@@ -16,3 +16,5 @@ rand = "0.4.2"
 
 byteorder = "1.3.2"
 chrono = "0.4.9"
+sequoia-openpgp = "0.9.0"
+lazy_static = "1.4.0"

src/main.rs

@@ -1,21 +1,30 @@
+#[macro_use]
+extern crate lazy_static;
 extern crate chrono;
 extern crate iron;
 extern crate rand;
+extern crate sequoia_openpgp as openpgp;
 extern crate snap;
 
+mod pgp;
+
+use crate::pgp::KnownKeys;
 use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
 use chrono::*;
+use core::cell::RefCell;
 use iron::method::Method;
 use iron::modifiers::Redirect;
 use iron::prelude::*;
 use iron::url::Url;
 use rand::Rng;
+use std::borrow::BorrowMut;
 use std::fs;
 use std::fs::File;
 use std::io;
 use std::io::prelude::*;
 use std::iter::Iterator;
 use std::path::{Path, PathBuf};
+use std::sync::Mutex;
 
 struct Snippet<'a> {
     id: String,
@@ -137,6 +146,12 @@ const STORAGE_DIR: &str = "/snips";
 #[cfg(debug_assertions)]
 const STORAGE_DIR: &str = "/tmp";
 
+lazy_static! {
+    static ref KNOWN_KEYS: Mutex<KnownKeys> = Mutex::new(
+        KnownKeys::load_dir([STORAGE_DIR, "keys"].join("/")).expect("Failed to load pubkeys")
+    );
+}
+
 const VERSION: &str = env!("CARGO_PKG_VERSION");
 
 fn handle(req: &mut Request) -> IronResult<Response> {
@@ -148,7 +163,7 @@ fn handle(req: &mut Request) -> IronResult<Response> {
         (Method::Post, Some(path)) => {
             if path == &"new" {
                 let snip = {
-                    let text: String = {
+                    let pgp_text: String = {
                         let bytes = ((&mut req.body).bytes().take(1024 * 512).collect::<Result<
                             Vec<u8>,
                             io::Error,
@@ -158,6 +173,11 @@ fn handle(req: &mut Request) -> IronResult<Response> {
                         String::from_utf8(bytes)
                             .map_err(|err| IronError::new(err, "Invalid utf8"))?
                     };
+                    let b_text = KNOWN_KEYS
+                        .lock().unwrap()//.map_err(|_| IronError::new(std::error::Error::from("Mutex Err"), "PGP Context unavailable"))?
+                        .verify(pgp_text.as_bytes())
+                        .map_err(|err| IronError::new(err, "Untrusted signature"))?;
+                    let text = String::from_utf8(b_text).unwrap();
                     Snippet::random(&storage).write(&*text).map_err(|err| {
                         let msg = format!("Failed to save snippet: {:?}", &err);
                         IronError::new(err, msg)

src/pgp.rs

@@ -0,0 +1,51 @@
+use std::io;
+use std::fs;
+use std::fs::{File};
+use std::path::Path;
+use std::io::prelude::*;
+use openpgp::parse::Parse;
+use openpgp::*;
+use openpgp::parse::stream::*;
+
+
+pub struct KnownKeys {
+ keys: Vec<openpgp::TPK>
+}
+impl VerificationHelper for &KnownKeys {
+
+    fn get_public_keys(&mut self, _ids: &[KeyID]) -> Result<Vec<TPK>> {
+        Ok(self.keys.clone())
+    }
+    fn check(&mut self, structure: &MessageStructure) -> Result<()> {
+        Ok(()) // Implement your verification policy here.
+    }
+}
+
+impl KnownKeys {
+    pub fn load_dir(dir: impl AsRef<Path>) -> io::Result<KnownKeys> {
+        let mut keys: Vec<openpgp::TPK> = Vec::with_capacity(3);
+        for f in fs::read_dir(dir)? {
+            let f = f?;
+            if f.metadata()?.is_dir() {
+                continue;
+            }
+            let tpk = openpgp::TPK::from_file(f.path()).unwrap();
+            println!("Fingerprint: {}", tpk.fingerprint());
+            keys.push(tpk);
+        }
+        Ok(KnownKeys{
+            keys: keys
+        })
+    }
+
+    pub fn verify(&mut self, r: impl Read) -> io::Result<Vec<u8>> {
+        let mut content = Vec::with_capacity(2048);
+        let helper = &*self;
+        let mut v = Verifier::<&KnownKeys>::from_reader(r, helper, None).map_err(|e| dbg!(e)).unwrap();
+        if v.read_to_end(&mut content).is_err() {
+            return Err(io::Error::new(io::ErrorKind::InvalidData, "Signature Mismatch"));
+        }
+        Ok(content)
+    }
+}
+