From 73c54abd4e89df75faa44616b984cdbf7682d1aa Mon Sep 17 00:00:00 2001
From: DarthSim
Date: Thu, 22 Feb 2024 17:33:52 +0300
Subject: [PATCH] Add IMGPROXY_TRUSTED_SIGNATURES config

---
 CHANGELOG.md               |  1 +
 config/config.go           |  9 ++++++---
 security/signature.go      |  6 ++++++
 security/signature_test.go | 13 +++++++++++++
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d74d283e..c6030fff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 ### Add
+- Add the [IMGPROXY_TRUSTED_SIGNATURES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_TRUSTED_SIGNATURES) config.
 - (pro) Add the [hashsum](https://docs.imgproxy.net/latest/usage/processing#hashsum) processing and info options.
 - (pro) Add the [calc_hashsums](https://docs.imgproxy.net/latest/usage/getting_info#calc-hashsums) info option.
 - (pro) Add the [IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES) config.
diff --git a/config/config.go b/config/config.go
index 8f5da9ed..f0f0b64b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -74,9 +74,10 @@ var (
 	UseLinearColorspace bool
 	DisableShrinkOnLoad bool
 
-	Keys          [][]byte
-	Salts         [][]byte
-	SignatureSize int
+	Keys              [][]byte
+	Salts             [][]byte
+	SignatureSize     int
+	TrustedSignatures []string
 
 	Secret string
 
@@ -275,6 +276,7 @@ func Reset() {
 	Keys = make([][]byte, 0)
 	Salts = make([][]byte, 0)
 	SignatureSize = 32
+	TrustedSignatures = make([]string, 0)
 
 	Secret = ""
 
@@ -483,6 +485,7 @@ func Configure() error {
 		return err
 	}
 	configurators.Int(&SignatureSize, "IMGPROXY_SIGNATURE_SIZE")
+	configurators.StringSlice(&TrustedSignatures, "IMGPROXY_TRUSTED_SIGNATURES")
 
 	if err := configurators.HexSliceFile(&Keys, keyPath); err != nil {
 		return err
diff --git a/security/signature.go b/security/signature.go
index caf3e5c5..f6f34776 100644
--- a/security/signature.go
+++ b/security/signature.go
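Review bot: The new `TrustedSignatures` field in the `var (` block has no comment, yet its entries are accepted by `VerifySignature` without any HMAC check, so they are standing bypass credentials rather than ordinary tuning knobs; add `// TrustedSignatures lists signature values that VerifySignature accepts as-is for any path, skipping the HMAC check. Treat them as secrets.` above the field. The same concern reaches the `Configure` hunk, where the list is read with `configurators.StringSlice` from `IMGPROXY_TRUSTED_SIGNATURES`: that helper is not visible here, so I cannot tell whether it drops empty elements (e.g. from a trailing comma); if it does not, an empty string can land in the list and should be filtered before use. The enclosing `var (` block, `Reset` and `Configure` all start and end outside their hunks.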
@@ -19,6 +19,12 @@ func VerifySignature(signature, path string) error {
 		return nil
 	}
 
+	for _, s := range config.TrustedSignatures {
+		if s == signature {
+			return nil
+		}
+	}
+
 	messageMAC, err := base64.RawURLEncoding.DecodeString(signature)
 	if err != nil {
 		return ErrInvalidSignatureEncoding
diff --git a/security/signature_test.go b/security/signature_test.go
index 6a157528..961b660b 100644
--- a/security/signature_test.go
+++ b/security/signature_test.go
@@ -51,6 +51,19 @@ func (s *SignatureTestSuite) TestVerifySignatureMultiplePairs() {
 	require.Error(s.T(), err)
 }
 
+func (s *SignatureTestSuite) TestVerifySignatureTrusted() {
+	config.TrustedSignatures = []string{"truested"}
+	defer func() {
+		config.TrustedSignatures = []string{}
+	}()
+
+	err := VerifySignature("truested", "asd")
+	require.Nil(s.T(), err)
+
+	err = VerifySignature("untrusted", "asd")
+	require.Error(s.T(), err)
+}
+
 func TestSignature(t *testing.T) {
 	suite.Run(t, new(SignatureTestSuite))
 }
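Review bot: The trusted-signature loop compares with `s == signature`, which is not constant-time; since a trusted signature is a standing bypass credential that is checked on every request, the comparison should go through `crypto/subtle`: `if subtle.ConstantTimeCompare([]byte(s), []byte(signature)) == 1 { return nil }`. The loop should also skip empty entries, `if s == "" { continue }`, so that a stray empty element in `IMGPROXY_TRUSTED_SIGNATURES` cannot make an empty signature valid — I cannot see from this hunk whether an empty signature is rejected earlier in `VerifySignature`. A match is accepted regardless of `path`, so one leaked value unlocks every URL; a comment above the loop, `// A trusted signature is accepted as-is for any path; it bypasses the HMAC check.`, would make that explicit for future readers. `VerifySignature` starts and ends outside the hunk.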
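Review bot: `TestVerifySignatureTrusted` resets `config.TrustedSignatures` to `[]string{}` in its defer instead of restoring the previous value, so it silently discards whatever the suite's setup put there; capture it first, `prev := config.TrustedSignatures` and `defer func() { config.TrustedSignatures = prev }()`. The test also covers neither an empty trusted entry nor an empty signature, which is the case most likely to misbehave with a comma-separated env value, and `require.Nil(s.T(), err)` reads better as `require.NoError(s.T(), err)` for the failure message. The `"truested"` spelling is used consistently and so is harmless, but it looks unintended.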