commit 87cf621e21283728b2bb5517c6a6981087cc7ce5
parent 869a6c111cdd75536f283ee52d0717f4682a706c
Author: Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>
Date: Sun, 27 Jun 2021 16:52:18 +0200
Remote instance dereferencing (#70)
Remote instances are now dereferenced when they post to an inbox on a GtS instance.
Dereferencing will be done first by checking the /api/v1/instance endpoint of an instance.
If that doesn't work, /.well-known/nodeinfo will be checked.
If that doesn't work, only a minimal representation of the instance will be stored.
A new field was added to the Instance database model. To create it:
alter table instances add column contact_account_username text;
Diffstat:
14 files changed, 958 insertions(+), 511 deletions(-)
diff --git a/internal/federation/authenticate.go b/internal/federation/authenticate.go
@@ -0,0 +1,244 @@
+/*
+ GoToSocial
+ Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package federation
+
+import (
+ "context"
+ "crypto/x509"
+ "encoding/json"
+ "encoding/pem"
+ "errors"
+ "fmt"
+ "net/http"
+ "net/url"
+ "strings"
+
+ "github.com/go-fed/activity/pub"
+ "github.com/go-fed/activity/streams"
+ "github.com/go-fed/activity/streams/vocab"
+ "github.com/go-fed/httpsig"
+ "github.com/superseriousbusiness/gotosocial/internal/db"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+/*
+ publicKeyer is BORROWED DIRECTLY FROM https://github.com/go-fed/apcore/blob/master/ap/util.go
+ Thank you @cj@mastodon.technology ! <3
+*/
+type publicKeyer interface {
+ GetW3IDSecurityV1PublicKey() vocab.W3IDSecurityV1PublicKeyProperty
+}
+
+/*
+ getPublicKeyFromResponse is adapted from https://github.com/go-fed/apcore/blob/master/ap/util.go
+ Thank you @cj@mastodon.technology ! <3
+*/
+func getPublicKeyFromResponse(c context.Context, b []byte, keyID *url.URL) (vocab.W3IDSecurityV1PublicKey, error) {
+ m := make(map[string]interface{})
+ if err := json.Unmarshal(b, &m); err != nil {
+ return nil, err
+ }
+
+ t, err := streams.ToType(c, m)
+ if err != nil {
+ return nil, err
+ }
+
+ pker, ok := t.(publicKeyer)
+ if !ok {
+ return nil, fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %T", t)
+ }
+
+ pkp := pker.GetW3IDSecurityV1PublicKey()
+ if pkp == nil {
+ return nil, errors.New("publicKey property is not provided")
+ }
+
+ var pkpFound vocab.W3IDSecurityV1PublicKey
+ for pkpIter := pkp.Begin(); pkpIter != pkp.End(); pkpIter = pkpIter.Next() {
+ if !pkpIter.IsW3IDSecurityV1PublicKey() {
+ continue
+ }
+ pkValue := pkpIter.Get()
+ var pkID *url.URL
+ pkID, err = pub.GetId(pkValue)
+ if err != nil {
+ return nil, err
+ }
+ if pkID.String() != keyID.String() {
+ continue
+ }
+ pkpFound = pkValue
+ break
+ }
+
+ if pkpFound == nil {
+ return nil, fmt.Errorf("cannot find publicKey with id: %s", keyID)
+ }
+
+ return pkpFound, nil
+}
+
+// AuthenticateFederatedRequest authenticates any kind of incoming federated request from a remote server. This includes things like
+// GET requests for dereferencing our users or statuses etc, and POST requests for delivering new Activities. The function returns
+// the URL of the owner of the public key used in the requesting http signature.
+//
+// Authenticate in this case is defined as making sure that the http request is actually signed by whoever claims
+// to have signed it, by fetching the public key from the signature and checking it against the remote public key.
+//
+// To avoid making unnecessary http calls towards blocked domains, this function *does* bail early if an instance-level domain block exists
+// for the request from the incoming domain. However, it does not check whether individual blocks exist between the requesting user or domain
+// and the requested user: this should be done elsewhere.
+//
+// The provided username will be used to generate a transport for making remote requests/derefencing the public key ID of the request signature.
+// Ideally you should pass in the username of the user *being requested*, so that the remote server can decide how to handle the request based on who's making it.
+// Ie., if the request on this server is for https://example.org/users/some_username then you should pass in the username 'some_username'.
+// The remote server will then know that this is the user making the dereferencing request, and they can decide to allow or deny the request depending on their settings.
+//
+// Note that it is also valid to pass in an empty string here, in which case the keys of the instance account will be used.
+//
+// Also note that this function *does not* dereference the remote account that the signature key is associated with.
+// Other functions should use the returned URL to dereference the remote account, if required.
+func (f *federator) AuthenticateFederatedRequest(requestedUsername string, r *http.Request) (*url.URL, error) {
+
+ var publicKey interface{}
+ var pkOwnerURI *url.URL
+ var err error
+
+ // set this extra field for signature validation
+ r.Header.Set("host", f.config.Host)
+
+ verifier, err := httpsig.NewVerifier(r)
+ if err != nil {
+ return nil, fmt.Errorf("could not create http sig verifier: %s", err)
+ }
+
+ // The key ID should be given in the signature so that we know where to fetch it from the remote server.
+ // This will be something like https://example.org/users/whatever_requesting_user#main-key
+ requestingPublicKeyID, err := url.Parse(verifier.KeyId())
+ if err != nil {
+ return nil, fmt.Errorf("could not parse key id into a url: %s", err)
+ }
+
+ // if the domain is blocked we want to make as few calls towards it as possible, so already bail here if that's the case!
+ blockedDomain, err := f.blockedDomain(requestingPublicKeyID.Host)
+ if err != nil {
+ return nil, fmt.Errorf("could not tell if domain %s was blocked or not: %s", requestingPublicKeyID.Host, err)
+ }
+ if blockedDomain {
+ return nil, fmt.Errorf("host %s was domain blocked, aborting auth", requestingPublicKeyID.Host)
+ }
+
+ requestingRemoteAccount := >smodel.Account{}
+ requestingLocalAccount := >smodel.Account{}
+ requestingHost := requestingPublicKeyID.Host
+ if strings.EqualFold(requestingHost, f.config.Host) {
+ // LOCAL ACCOUNT REQUEST
+ // the request is coming from INSIDE THE HOUSE so skip the remote dereferencing
+ if err := f.db.GetWhere([]db.Where{{Key: "public_key_uri", Value: requestingPublicKeyID.String()}}, requestingLocalAccount); err != nil {
+ return nil, fmt.Errorf("couldn't get local account with public key uri %s from the database: %s", requestingPublicKeyID.String(), err)
+ }
+ publicKey = requestingLocalAccount.PublicKey
+ pkOwnerURI, err = url.Parse(requestingLocalAccount.URI)
+ if err != nil {
+ return nil, fmt.Errorf("error parsing url %s: %s", requestingLocalAccount.URI, err)
+ }
+ } else if err := f.db.GetWhere([]db.Where{{Key: "public_key_uri", Value: requestingPublicKeyID.String()}}, requestingRemoteAccount); err == nil {
+ // REMOTE ACCOUNT REQUEST WITH KEY CACHED LOCALLY
+ // this is a remote account and we already have the public key for it so use that
+ publicKey = requestingRemoteAccount.PublicKey
+ pkOwnerURI, err = url.Parse(requestingRemoteAccount.URI)
+ if err != nil {
+ return nil, fmt.Errorf("error parsing url %s: %s", requestingRemoteAccount.URI, err)
+ }
+ } else {
+ // REMOTE ACCOUNT REQUEST WITHOUT KEY CACHED LOCALLY
+ // the request is remote and we don't have the public key yet,
+ // so we need to authenticate the request properly by dereferencing the remote key
+ transport, err := f.GetTransportForUser(requestedUsername)
+ if err != nil {
+ return nil, fmt.Errorf("transport err: %s", err)
+ }
+
+ // The actual http call to the remote server is made right here in the Dereference function.
+ b, err := transport.Dereference(context.Background(), requestingPublicKeyID)
+ if err != nil {
+ return nil, fmt.Errorf("error deferencing key %s: %s", requestingPublicKeyID.String(), err)
+ }
+
+ // if the key isn't in the response, we can't authenticate the request
+ requestingPublicKey, err := getPublicKeyFromResponse(context.Background(), b, requestingPublicKeyID)
+ if err != nil {
+ return nil, fmt.Errorf("error getting key %s from response %s: %s", requestingPublicKeyID.String(), string(b), err)
+ }
+
+ // we should be able to get the actual key embedded in the vocab.W3IDSecurityV1PublicKey
+ pkPemProp := requestingPublicKey.GetW3IDSecurityV1PublicKeyPem()
+ if pkPemProp == nil || !pkPemProp.IsXMLSchemaString() {
+ return nil, errors.New("publicKeyPem property is not provided or it is not embedded as a value")
+ }
+
+ // and decode the PEM so that we can parse it as a golang public key
+ pubKeyPem := pkPemProp.Get()
+ block, _ := pem.Decode([]byte(pubKeyPem))
+ if block == nil || block.Type != "PUBLIC KEY" {
+ return nil, errors.New("could not decode publicKeyPem to PUBLIC KEY pem block type")
+ }
+
+ publicKey, err = x509.ParsePKIXPublicKey(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse public key from block bytes: %s", err)
+ }
+
+ // all good! we just need the URI of the key owner to return
+ pkOwnerProp := requestingPublicKey.GetW3IDSecurityV1Owner()
+ if pkOwnerProp == nil || !pkOwnerProp.IsIRI() {
+ return nil, errors.New("publicKeyOwner property is not provided or it is not embedded as a value")
+ }
+ pkOwnerURI = pkOwnerProp.GetIRI()
+ }
+ if publicKey == nil {
+ return nil, errors.New("returned public key was empty")
+ }
+
+ // do the actual authentication here!
+ algo := httpsig.RSA_SHA256 // TODO: make this more robust
+ if err := verifier.Verify(publicKey, algo); err != nil {
+ return nil, fmt.Errorf("error verifying key %s: %s", requestingPublicKeyID.String(), err)
+ }
+
+ return pkOwnerURI, nil
+}
+
+func (f *federator) blockedDomain(host string) (bool, error) {
+ b := >smodel.DomainBlock{}
+ err := f.db.GetWhere([]db.Where{{Key: "domain", Value: host, CaseInsensitive: true}}, b)
+ if err == nil {
+ // block exists
+ return true, nil
+ }
+
+ if _, ok := err.(db.ErrNoEntries); ok {
+ // there are no entries so there's no block
+ return false, nil
+ }
+
+ // there's an actual error
+ return false, err
+}
diff --git a/internal/federation/commonbehavior.go b/internal/federation/commonbehavior.go
@@ -20,15 +20,10 @@ package federation
import (
"context"
- "fmt"
"net/http"
- "net/url"
- "github.com/go-fed/activity/pub"
"github.com/go-fed/activity/streams"
"github.com/go-fed/activity/streams/vocab"
- "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/util"
)
/*
@@ -101,53 +96,3 @@ func (f *federator) GetOutbox(ctx context.Context, r *http.Request) (vocab.Activ
// the CLIENT API, not through the federation API, so we just do nothing here.
return streams.NewActivityStreamsOrderedCollectionPage(), nil
}
-
-// NewTransport returns a new Transport on behalf of a specific actor.
-//
-// The actorBoxIRI will be either the inbox or outbox of an actor who is
-// attempting to do the dereferencing or delivery. Any authentication
-// scheme applied on the request must be based on this actor. The
-// request must contain some sort of credential of the user, such as a
-// HTTP Signature.
-//
-// The gofedAgent passed in should be used by the Transport
-// implementation in the User-Agent, as well as the application-specific
-// user agent string. The gofedAgent will indicate this library's use as
-// well as the library's version number.
-//
-// Any server-wide rate-limiting that needs to occur should happen in a
-// Transport implementation. This factory function allows this to be
-// created, so peer servers are not DOS'd.
-//
-// Any retry logic should also be handled by the Transport
-// implementation.
-//
-// Note that the library will not maintain a long-lived pointer to the
-// returned Transport so that any private credentials are able to be
-// garbage collected.
-func (f *federator) NewTransport(ctx context.Context, actorBoxIRI *url.URL, gofedAgent string) (pub.Transport, error) {
-
- var username string
- var err error
-
- if util.IsInboxPath(actorBoxIRI) {
- username, err = util.ParseInboxPath(actorBoxIRI)
- if err != nil {
- return nil, fmt.Errorf("couldn't parse path %s as an inbox: %s", actorBoxIRI.String(), err)
- }
- } else if util.IsOutboxPath(actorBoxIRI) {
- username, err = util.ParseOutboxPath(actorBoxIRI)
- if err != nil {
- return nil, fmt.Errorf("couldn't parse path %s as an outbox: %s", actorBoxIRI.String(), err)
- }
- } else {
- return nil, fmt.Errorf("id %s was neither an inbox path nor an outbox path", actorBoxIRI.String())
- }
-
- account := >smodel.Account{}
- if err := f.db.GetLocalAccountByUsername(username, account); err != nil {
- return nil, fmt.Errorf("error getting account with username %s from the db: %s", username, err)
- }
-
- return f.transportController.NewTransport(account.PublicKeyURI, account.PrivateKey)
-}
diff --git a/internal/federation/dereference.go b/internal/federation/dereference.go
@@ -0,0 +1,153 @@
+package federation
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net/url"
+
+ "github.com/go-fed/activity/streams"
+ "github.com/go-fed/activity/streams/vocab"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/typeutils"
+)
+
+func (f *federator) DereferenceRemoteAccount(username string, remoteAccountID *url.URL) (typeutils.Accountable, error) {
+ f.startHandshake(username, remoteAccountID)
+ defer f.stopHandshake(username, remoteAccountID)
+
+ transport, err := f.GetTransportForUser(username)
+ if err != nil {
+ return nil, fmt.Errorf("transport err: %s", err)
+ }
+
+ b, err := transport.Dereference(context.Background(), remoteAccountID)
+ if err != nil {
+ return nil, fmt.Errorf("error deferencing %s: %s", remoteAccountID.String(), err)
+ }
+
+ m := make(map[string]interface{})
+ if err := json.Unmarshal(b, &m); err != nil {
+ return nil, fmt.Errorf("error unmarshalling bytes into json: %s", err)
+ }
+
+ t, err := streams.ToType(context.Background(), m)
+ if err != nil {
+ return nil, fmt.Errorf("error resolving json into ap vocab type: %s", err)
+ }
+
+ switch t.GetTypeName() {
+ case string(gtsmodel.ActivityStreamsPerson):
+ p, ok := t.(vocab.ActivityStreamsPerson)
+ if !ok {
+ return nil, errors.New("error resolving type as activitystreams person")
+ }
+ return p, nil
+ case string(gtsmodel.ActivityStreamsApplication):
+ p, ok := t.(vocab.ActivityStreamsApplication)
+ if !ok {
+ return nil, errors.New("error resolving type as activitystreams application")
+ }
+ return p, nil
+ case string(gtsmodel.ActivityStreamsService):
+ p, ok := t.(vocab.ActivityStreamsService)
+ if !ok {
+ return nil, errors.New("error resolving type as activitystreams service")
+ }
+ return p, nil
+ }
+
+ return nil, fmt.Errorf("type name %s not supported", t.GetTypeName())
+}
+
+func (f *federator) DereferenceRemoteStatus(username string, remoteStatusID *url.URL) (typeutils.Statusable, error) {
+ transport, err := f.GetTransportForUser(username)
+ if err != nil {
+ return nil, fmt.Errorf("transport err: %s", err)
+ }
+
+ b, err := transport.Dereference(context.Background(), remoteStatusID)
+ if err != nil {
+ return nil, fmt.Errorf("error deferencing %s: %s", remoteStatusID.String(), err)
+ }
+
+ m := make(map[string]interface{})
+ if err := json.Unmarshal(b, &m); err != nil {
+ return nil, fmt.Errorf("error unmarshalling bytes into json: %s", err)
+ }
+
+ t, err := streams.ToType(context.Background(), m)
+ if err != nil {
+ return nil, fmt.Errorf("error resolving json into ap vocab type: %s", err)
+ }
+
+ // Article, Document, Image, Video, Note, Page, Event, Place, Mention, Profile
+ switch t.GetTypeName() {
+ case gtsmodel.ActivityStreamsArticle:
+ p, ok := t.(vocab.ActivityStreamsArticle)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsArticle")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsDocument:
+ p, ok := t.(vocab.ActivityStreamsDocument)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsDocument")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsImage:
+ p, ok := t.(vocab.ActivityStreamsImage)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsImage")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsVideo:
+ p, ok := t.(vocab.ActivityStreamsVideo)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsVideo")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsNote:
+ p, ok := t.(vocab.ActivityStreamsNote)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsNote")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsPage:
+ p, ok := t.(vocab.ActivityStreamsPage)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsPage")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsEvent:
+ p, ok := t.(vocab.ActivityStreamsEvent)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsEvent")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsPlace:
+ p, ok := t.(vocab.ActivityStreamsPlace)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsPlace")
+ }
+ return p, nil
+ case gtsmodel.ActivityStreamsProfile:
+ p, ok := t.(vocab.ActivityStreamsProfile)
+ if !ok {
+ return nil, errors.New("error resolving type as ActivityStreamsProfile")
+ }
+ return p, nil
+ }
+
+ return nil, fmt.Errorf("type name %s not supported", t.GetTypeName())
+}
+
+func (f *federator) DereferenceRemoteInstance(username string, remoteInstanceURI *url.URL) (*gtsmodel.Instance, error) {
+ transport, err := f.GetTransportForUser(username)
+ if err != nil {
+ return nil, fmt.Errorf("transport err: %s", err)
+ }
+
+ return transport.DereferenceInstance(context.Background(), remoteInstanceURI)
+}
diff --git a/internal/federation/federatingprotocol.go b/internal/federation/federatingprotocol.go
@@ -125,6 +125,29 @@ func (f *federator) AuthenticatePostInbox(ctx context.Context, w http.ResponseWr
return ctx, false, fmt.Errorf("not authenticated: %s", err)
}
+ // authentication has passed, so add an instance entry for this instance if it hasn't been done already
+ i := >smodel.Instance{}
+ if err := f.db.GetWhere([]db.Where{{Key: "domain", Value: publicKeyOwnerURI.Host, CaseInsensitive: true}}, i); err != nil {
+ if _, ok := err.(db.ErrNoEntries); !ok {
+ // there's been an actual error
+ return ctx, false, fmt.Errorf("error getting requesting account with public key id %s: %s", publicKeyOwnerURI.String(), err)
+ }
+
+ // we don't have an entry for this instance yet so dereference it
+ i, err = f.DereferenceRemoteInstance(username, &url.URL{
+ Scheme: publicKeyOwnerURI.Scheme,
+ Host: publicKeyOwnerURI.Host,
+ })
+ if err != nil {
+ return nil, false, fmt.Errorf("could not dereference new remote instance %s during AuthenticatePostInbox: %s", publicKeyOwnerURI.Host, err)
+ }
+
+ // and put it in the db
+ if err := f.db.Put(i); err != nil {
+ return nil, false, fmt.Errorf("error inserting newly dereferenced instance %s: %s", publicKeyOwnerURI.Host, err)
+ }
+ }
+
requestingAccount := >smodel.Account{}
if err := f.db.GetWhere([]db.Where{{Key: "uri", Value: publicKeyOwnerURI.String()}}, requestingAccount); err != nil {
// there's been a proper error so return it
diff --git a/internal/federation/federator.go b/internal/federation/federator.go
@@ -28,6 +28,7 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/federation/federatingdb"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/transport"
"github.com/superseriousbusiness/gotosocial/internal/typeutils"
)
@@ -50,6 +51,9 @@ type Federator interface {
// DereferenceRemoteStatus can be used to get the representation of a remote status, based on its ID (which is a URI).
// The given username will be used to create a transport for making outgoing requests. See the implementation for more detailed comments.
DereferenceRemoteStatus(username string, remoteStatusID *url.URL) (typeutils.Statusable, error)
+ // DereferenceRemoteInstance takes the URL of a remote instance, and a username (optional) to spin up a transport with. It then
+ // does its damnedest to get some kind of information back about the instance, trying /api/v1/instance, then /.well-known/nodeinfo
+ DereferenceRemoteInstance(username string, remoteInstanceURI *url.URL) (*gtsmodel.Instance, error)
// GetTransportForUser returns a new transport initialized with the key credentials belonging to the given username.
// This can be used for making signed http requests.
//
diff --git a/internal/federation/transport.go b/internal/federation/transport.go
@@ -0,0 +1,84 @@
+package federation
+
+import (
+ "context"
+ "fmt"
+ "net/url"
+
+ "github.com/go-fed/activity/pub"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/transport"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+// NewTransport returns a new Transport on behalf of a specific actor.
+//
+// The actorBoxIRI will be either the inbox or outbox of an actor who is
+// attempting to do the dereferencing or delivery. Any authentication
+// scheme applied on the request must be based on this actor. The
+// request must contain some sort of credential of the user, such as a
+// HTTP Signature.
+//
+// The gofedAgent passed in should be used by the Transport
+// implementation in the User-Agent, as well as the application-specific
+// user agent string. The gofedAgent will indicate this library's use as
+// well as the library's version number.
+//
+// Any server-wide rate-limiting that needs to occur should happen in a
+// Transport implementation. This factory function allows this to be
+// created, so peer servers are not DOS'd.
+//
+// Any retry logic should also be handled by the Transport
+// implementation.
+//
+// Note that the library will not maintain a long-lived pointer to the
+// returned Transport so that any private credentials are able to be
+// garbage collected.
+func (f *federator) NewTransport(ctx context.Context, actorBoxIRI *url.URL, gofedAgent string) (pub.Transport, error) {
+
+ var username string
+ var err error
+
+ if util.IsInboxPath(actorBoxIRI) {
+ username, err = util.ParseInboxPath(actorBoxIRI)
+ if err != nil {
+ return nil, fmt.Errorf("couldn't parse path %s as an inbox: %s", actorBoxIRI.String(), err)
+ }
+ } else if util.IsOutboxPath(actorBoxIRI) {
+ username, err = util.ParseOutboxPath(actorBoxIRI)
+ if err != nil {
+ return nil, fmt.Errorf("couldn't parse path %s as an outbox: %s", actorBoxIRI.String(), err)
+ }
+ } else {
+ return nil, fmt.Errorf("id %s was neither an inbox path nor an outbox path", actorBoxIRI.String())
+ }
+
+ account := >smodel.Account{}
+ if err := f.db.GetLocalAccountByUsername(username, account); err != nil {
+ return nil, fmt.Errorf("error getting account with username %s from the db: %s", username, err)
+ }
+
+ return f.transportController.NewTransport(account.PublicKeyURI, account.PrivateKey)
+}
+
+func (f *federator) GetTransportForUser(username string) (transport.Transport, error) {
+ // We need an account to use to create a transport for dereferecing something.
+ // If a username has been given, we can fetch the account with that username and use it.
+ // Otherwise, we can take the instance account and use those credentials to make the request.
+ ourAccount := >smodel.Account{}
+ var u string
+ if username == "" {
+ u = f.config.Host
+ } else {
+ u = username
+ }
+ if err := f.db.GetLocalAccountByUsername(u, ourAccount); err != nil {
+ return nil, fmt.Errorf("error getting account %s from db: %s", username, err)
+ }
+
+ transport, err := f.transportController.NewTransport(ourAccount.PublicKeyURI, ourAccount.PrivateKey)
+ if err != nil {
+ return nil, fmt.Errorf("error creating transport for user %s: %s", username, err)
+ }
+ return transport, nil
+}
diff --git a/internal/federation/util.go b/internal/federation/util.go
@@ -1,365 +0,0 @@
-/*
- GoToSocial
- Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU Affero General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Affero General Public License for more details.
-
- You should have received a copy of the GNU Affero General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-package federation
-
-import (
- "context"
- "crypto/x509"
- "encoding/json"
- "encoding/pem"
- "errors"
- "fmt"
- "net/http"
- "net/url"
- "strings"
-
- "github.com/go-fed/activity/pub"
- "github.com/go-fed/activity/streams"
- "github.com/go-fed/activity/streams/vocab"
- "github.com/go-fed/httpsig"
- "github.com/superseriousbusiness/gotosocial/internal/db"
- "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
- "github.com/superseriousbusiness/gotosocial/internal/transport"
- "github.com/superseriousbusiness/gotosocial/internal/typeutils"
-)
-
-/*
- publicKeyer is BORROWED DIRECTLY FROM https://github.com/go-fed/apcore/blob/master/ap/util.go
- Thank you @cj@mastodon.technology ! <3
-*/
-type publicKeyer interface {
- GetW3IDSecurityV1PublicKey() vocab.W3IDSecurityV1PublicKeyProperty
-}
-
-/*
- getPublicKeyFromResponse is adapted from https://github.com/go-fed/apcore/blob/master/ap/util.go
- Thank you @cj@mastodon.technology ! <3
-*/
-func getPublicKeyFromResponse(c context.Context, b []byte, keyID *url.URL) (vocab.W3IDSecurityV1PublicKey, error) {
- m := make(map[string]interface{})
- if err := json.Unmarshal(b, &m); err != nil {
- return nil, err
- }
-
- t, err := streams.ToType(c, m)
- if err != nil {
- return nil, err
- }
-
- pker, ok := t.(publicKeyer)
- if !ok {
- return nil, fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %T", t)
- }
-
- pkp := pker.GetW3IDSecurityV1PublicKey()
- if pkp == nil {
- return nil, errors.New("publicKey property is not provided")
- }
-
- var pkpFound vocab.W3IDSecurityV1PublicKey
- for pkpIter := pkp.Begin(); pkpIter != pkp.End(); pkpIter = pkpIter.Next() {
- if !pkpIter.IsW3IDSecurityV1PublicKey() {
- continue
- }
- pkValue := pkpIter.Get()
- var pkID *url.URL
- pkID, err = pub.GetId(pkValue)
- if err != nil {
- return nil, err
- }
- if pkID.String() != keyID.String() {
- continue
- }
- pkpFound = pkValue
- break
- }
-
- if pkpFound == nil {
- return nil, fmt.Errorf("cannot find publicKey with id: %s", keyID)
- }
-
- return pkpFound, nil
-}
-
-// AuthenticateFederatedRequest authenticates any kind of incoming federated request from a remote server. This includes things like
-// GET requests for dereferencing our users or statuses etc, and POST requests for delivering new Activities. The function returns
-// the URL of the owner of the public key used in the http signature.
-//
-// Authenticate in this case is defined as just making sure that the http request is actually signed by whoever claims
-// to have signed it, by fetching the public key from the signature and checking it against the remote public key. This function
-// *does not* check whether the request is authorized, only whether it's authentic.
-//
-// The provided username will be used to generate a transport for making remote requests/derefencing the public key ID of the request signature.
-// Ideally you should pass in the username of the user *being requested*, so that the remote server can decide how to handle the request based on who's making it.
-// Ie., if the request on this server is for https://example.org/users/some_username then you should pass in the username 'some_username'.
-// The remote server will then know that this is the user making the dereferencing request, and they can decide to allow or deny the request depending on their settings.
-//
-// Note that it is also valid to pass in an empty string here, in which case the keys of the instance account will be used.
-//
-// Also note that this function *does not* dereference the remote account that the signature key is associated with.
-// Other functions should use the returned URL to dereference the remote account, if required.
-func (f *federator) AuthenticateFederatedRequest(username string, r *http.Request) (*url.URL, error) {
- // set this extra field for signature validation
- r.Header.Set("host", f.config.Host)
-
- verifier, err := httpsig.NewVerifier(r)
- if err != nil {
- return nil, fmt.Errorf("could not create http sig verifier: %s", err)
- }
-
- // The key ID should be given in the signature so that we know where to fetch it from the remote server.
- // This will be something like https://example.org/users/whatever_requesting_user#main-key
- requestingPublicKeyID, err := url.Parse(verifier.KeyId())
- if err != nil {
- return nil, fmt.Errorf("could not parse key id into a url: %s", err)
- }
-
- var publicKey interface{}
- var pkOwnerURI *url.URL
- requestingRemoteAccount := >smodel.Account{}
- requestingLocalAccount := >smodel.Account{}
- if strings.EqualFold(requestingPublicKeyID.Host, f.config.Host) {
- // LOCAL ACCOUNT REQUEST
- // the request is coming from INSIDE THE HOUSE so skip the remote dereferencing
- if err := f.db.GetWhere([]db.Where{{Key: "public_key_uri", Value: requestingPublicKeyID.String()}}, requestingLocalAccount); err != nil {
- return nil, fmt.Errorf("couldn't get local account with public key uri %s from the database: %s", requestingPublicKeyID.String(), err)
- }
- publicKey = requestingLocalAccount.PublicKey
- pkOwnerURI, err = url.Parse(requestingLocalAccount.URI)
- if err != nil {
- return nil, fmt.Errorf("error parsing url %s: %s", requestingLocalAccount.URI, err)
- }
- } else if err := f.db.GetWhere([]db.Where{{Key: "public_key_uri", Value: requestingPublicKeyID.String()}}, requestingRemoteAccount); err == nil {
- // REMOTE ACCOUNT REQUEST WITH KEY CACHED LOCALLY
- // this is a remote account and we already have the public key for it so use that
- publicKey = requestingRemoteAccount.PublicKey
- pkOwnerURI, err = url.Parse(requestingRemoteAccount.URI)
- if err != nil {
- return nil, fmt.Errorf("error parsing url %s: %s", requestingRemoteAccount.URI, err)
- }
- } else {
- // REMOTE ACCOUNT REQUEST WITHOUT KEY CACHED LOCALLY
- // the request is remote and we don't have the public key yet,
- // so we need to authenticate the request properly by dereferencing the remote key
- transport, err := f.GetTransportForUser(username)
- if err != nil {
- return nil, fmt.Errorf("transport err: %s", err)
- }
-
- // The actual http call to the remote server is made right here in the Dereference function.
- b, err := transport.Dereference(context.Background(), requestingPublicKeyID)
- if err != nil {
- return nil, fmt.Errorf("error deferencing key %s: %s", requestingPublicKeyID.String(), err)
- }
-
- // if the key isn't in the response, we can't authenticate the request
- requestingPublicKey, err := getPublicKeyFromResponse(context.Background(), b, requestingPublicKeyID)
- if err != nil {
- return nil, fmt.Errorf("error getting key %s from response %s: %s", requestingPublicKeyID.String(), string(b), err)
- }
-
- // we should be able to get the actual key embedded in the vocab.W3IDSecurityV1PublicKey
- pkPemProp := requestingPublicKey.GetW3IDSecurityV1PublicKeyPem()
- if pkPemProp == nil || !pkPemProp.IsXMLSchemaString() {
- return nil, errors.New("publicKeyPem property is not provided or it is not embedded as a value")
- }
-
- // and decode the PEM so that we can parse it as a golang public key
- pubKeyPem := pkPemProp.Get()
- block, _ := pem.Decode([]byte(pubKeyPem))
- if block == nil || block.Type != "PUBLIC KEY" {
- return nil, errors.New("could not decode publicKeyPem to PUBLIC KEY pem block type")
- }
-
- publicKey, err = x509.ParsePKIXPublicKey(block.Bytes)
- if err != nil {
- return nil, fmt.Errorf("could not parse public key from block bytes: %s", err)
- }
-
- // all good! we just need the URI of the key owner to return
- pkOwnerProp := requestingPublicKey.GetW3IDSecurityV1Owner()
- if pkOwnerProp == nil || !pkOwnerProp.IsIRI() {
- return nil, errors.New("publicKeyOwner property is not provided or it is not embedded as a value")
- }
- pkOwnerURI = pkOwnerProp.GetIRI()
- }
- if publicKey == nil {
- return nil, errors.New("returned public key was empty")
- }
-
- // do the actual authentication here!
- algo := httpsig.RSA_SHA256 // TODO: make this more robust
- if err := verifier.Verify(publicKey, algo); err != nil {
- return nil, fmt.Errorf("error verifying key %s: %s", requestingPublicKeyID.String(), err)
- }
-
- return pkOwnerURI, nil
-}
-
-func (f *federator) DereferenceRemoteAccount(username string, remoteAccountID *url.URL) (typeutils.Accountable, error) {
- f.startHandshake(username, remoteAccountID)
- defer f.stopHandshake(username, remoteAccountID)
-
- transport, err := f.GetTransportForUser(username)
- if err != nil {
- return nil, fmt.Errorf("transport err: %s", err)
- }
-
- b, err := transport.Dereference(context.Background(), remoteAccountID)
- if err != nil {
- return nil, fmt.Errorf("error deferencing %s: %s", remoteAccountID.String(), err)
- }
-
- m := make(map[string]interface{})
- if err := json.Unmarshal(b, &m); err != nil {
- return nil, fmt.Errorf("error unmarshalling bytes into json: %s", err)
- }
-
- t, err := streams.ToType(context.Background(), m)
- if err != nil {
- return nil, fmt.Errorf("error resolving json into ap vocab type: %s", err)
- }
-
- switch t.GetTypeName() {
- case string(gtsmodel.ActivityStreamsPerson):
- p, ok := t.(vocab.ActivityStreamsPerson)
- if !ok {
- return nil, errors.New("error resolving type as activitystreams person")
- }
- return p, nil
- case string(gtsmodel.ActivityStreamsApplication):
- p, ok := t.(vocab.ActivityStreamsApplication)
- if !ok {
- return nil, errors.New("error resolving type as activitystreams application")
- }
- return p, nil
- case string(gtsmodel.ActivityStreamsService):
- p, ok := t.(vocab.ActivityStreamsService)
- if !ok {
- return nil, errors.New("error resolving type as activitystreams service")
- }
- return p, nil
- }
-
- return nil, fmt.Errorf("type name %s not supported", t.GetTypeName())
-}
-
-func (f *federator) DereferenceRemoteStatus(username string, remoteStatusID *url.URL) (typeutils.Statusable, error) {
- transport, err := f.GetTransportForUser(username)
- if err != nil {
- return nil, fmt.Errorf("transport err: %s", err)
- }
-
- b, err := transport.Dereference(context.Background(), remoteStatusID)
- if err != nil {
- return nil, fmt.Errorf("error deferencing %s: %s", remoteStatusID.String(), err)
- }
-
- m := make(map[string]interface{})
- if err := json.Unmarshal(b, &m); err != nil {
- return nil, fmt.Errorf("error unmarshalling bytes into json: %s", err)
- }
-
- t, err := streams.ToType(context.Background(), m)
- if err != nil {
- return nil, fmt.Errorf("error resolving json into ap vocab type: %s", err)
- }
-
- // Article, Document, Image, Video, Note, Page, Event, Place, Mention, Profile
- switch t.GetTypeName() {
- case gtsmodel.ActivityStreamsArticle:
- p, ok := t.(vocab.ActivityStreamsArticle)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsArticle")
- }
- return p, nil
- case gtsmodel.ActivityStreamsDocument:
- p, ok := t.(vocab.ActivityStreamsDocument)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsDocument")
- }
- return p, nil
- case gtsmodel.ActivityStreamsImage:
- p, ok := t.(vocab.ActivityStreamsImage)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsImage")
- }
- return p, nil
- case gtsmodel.ActivityStreamsVideo:
- p, ok := t.(vocab.ActivityStreamsVideo)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsVideo")
- }
- return p, nil
- case gtsmodel.ActivityStreamsNote:
- p, ok := t.(vocab.ActivityStreamsNote)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsNote")
- }
- return p, nil
- case gtsmodel.ActivityStreamsPage:
- p, ok := t.(vocab.ActivityStreamsPage)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsPage")
- }
- return p, nil
- case gtsmodel.ActivityStreamsEvent:
- p, ok := t.(vocab.ActivityStreamsEvent)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsEvent")
- }
- return p, nil
- case gtsmodel.ActivityStreamsPlace:
- p, ok := t.(vocab.ActivityStreamsPlace)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsPlace")
- }
- return p, nil
- case gtsmodel.ActivityStreamsProfile:
- p, ok := t.(vocab.ActivityStreamsProfile)
- if !ok {
- return nil, errors.New("error resolving type as ActivityStreamsProfile")
- }
- return p, nil
- }
-
- return nil, fmt.Errorf("type name %s not supported", t.GetTypeName())
-}
-
-func (f *federator) GetTransportForUser(username string) (transport.Transport, error) {
- // We need an account to use to create a transport for dereferecing the signature.
- // If a username has been given, we can fetch the account with that username and use it.
- // Otherwise, we can take the instance account and use those credentials to make the request.
- ourAccount := >smodel.Account{}
- var u string
- if username == "" {
- u = f.config.Host
- } else {
- u = username
- }
- if err := f.db.GetLocalAccountByUsername(u, ourAccount); err != nil {
- return nil, fmt.Errorf("error getting account %s from db: %s", username, err)
- }
-
- transport, err := f.transportController.NewTransport(ourAccount.PublicKeyURI, ourAccount.PrivateKey)
- if err != nil {
- return nil, fmt.Errorf("error creating transport for user %s: %s", username, err)
- }
- return transport, nil
-}
diff --git a/internal/gtsmodel/instance.go b/internal/gtsmodel/instance.go
@@ -28,6 +28,8 @@ type Instance struct {
Terms string
// Contact email address for this instance
ContactEmail string
+ // Username of the contact account for this instance
+ ContactAccountUsername string
// Contact account ID in the database for this instance
ContactAccountID string `pg:"type:CHAR(26)"`
// Reputation score of this instance
diff --git a/internal/transport/deliver.go b/internal/transport/deliver.go
@@ -0,0 +1,16 @@
+package transport
+
+import (
+ "context"
+ "net/url"
+)
+
+func (t *transport) BatchDeliver(c context.Context, b []byte, recipients []*url.URL) error {
+ return t.sigTransport.BatchDeliver(c, b, recipients)
+}
+
+func (t *transport) Deliver(c context.Context, b []byte, to *url.URL) error {
+ l := t.log.WithField("func", "Deliver")
+ l.Debugf("performing POST to %s", to.String())
+ return t.sigTransport.Deliver(c, b, to)
+}
diff --git a/internal/transport/dereference.go b/internal/transport/dereference.go
@@ -0,0 +1,12 @@
+package transport
+
+import (
+ "context"
+ "net/url"
+)
+
+func (t *transport) Dereference(c context.Context, iri *url.URL) ([]byte, error) {
+ l := t.log.WithField("func", "Dereference")
+ l.Debugf("performing GET to %s", iri.String())
+ return t.sigTransport.Dereference(c, iri)
+}
diff --git a/internal/transport/derefinstance.go b/internal/transport/derefinstance.go
@@ -0,0 +1,326 @@
+package transport
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+ "strings"
+
+ apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/id"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+func (t *transport) DereferenceInstance(c context.Context, iri *url.URL) (*gtsmodel.Instance, error) {
+ l := t.log.WithField("func", "DereferenceInstance")
+
+ var i *gtsmodel.Instance
+ var err error
+
+ // First try to dereference using /api/v1/instance.
+ // This will provide the most complete picture of an instance, and avoid unnecessary api calls.
+ //
+ // This will only work with Mastodon-api compatible instances: Mastodon, some Pleroma instances, GoToSocial.
+ l.Debugf("trying to dereference instance %s by /api/v1/instance", iri.Host)
+ i, err = dereferenceByAPIV1Instance(c, t, iri)
+ if err == nil {
+ l.Debugf("successfully dereferenced instance using /api/v1/instance")
+ return i, nil
+ }
+ l.Debugf("couldn't dereference instance using /api/v1/instance: %s", err)
+
+ // If that doesn't work, try to dereference using /.well-known/nodeinfo.
+ // This will involve two API calls and return less info overall, but should be more widely compatible.
+ l.Debugf("trying to dereference instance %s by /.well-known/nodeinfo", iri.Host)
+ i, err = dereferenceByNodeInfo(c, t, iri)
+ if err == nil {
+ l.Debugf("successfully dereferenced instance using /.well-known/nodeinfo")
+ return i, nil
+ }
+ l.Debugf("couldn't dereference instance using /.well-known/nodeinfo: %s", err)
+
+ // we couldn't dereference the instance using any of the known methods, so just return a minimal representation
+ l.Debugf("returning minimal representation of instance %s", iri.Host)
+ id, err := id.NewRandomULID()
+ if err != nil {
+ return nil, fmt.Errorf("error creating new id for instance %s: %s", iri.Host, err)
+ }
+
+ return >smodel.Instance{
+ ID: id,
+ Domain: iri.Host,
+ URI: iri.String(),
+ }, nil
+}
+
+func dereferenceByAPIV1Instance(c context.Context, t *transport, iri *url.URL) (*gtsmodel.Instance, error) {
+ l := t.log.WithField("func", "dereferenceByAPIV1Instance")
+
+ cleanIRI := &url.URL{
+ Scheme: iri.Scheme,
+ Host: iri.Host,
+ Path: "api/v1/instance",
+ }
+
+ l.Debugf("performing GET to %s", cleanIRI.String())
+ req, err := http.NewRequest("GET", cleanIRI.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ req = req.WithContext(c)
+ req.Header.Add("Accept", "application/json")
+ req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
+ req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
+ req.Header.Set("Host", cleanIRI.Host)
+ t.getSignerMu.Lock()
+ err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
+ t.getSignerMu.Unlock()
+ if err != nil {
+ return nil, err
+ }
+ resp, err := t.client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("GET request to %s failed (%d): %s", cleanIRI.String(), resp.StatusCode, resp.Status)
+ }
+ b, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(b) == 0 {
+ return nil, errors.New("response bytes was len 0")
+ }
+
+ // try to parse the returned bytes directly into an Instance model
+ apiResp := &apimodel.Instance{}
+ if err := json.Unmarshal(b, apiResp); err != nil {
+ return nil, err
+ }
+
+ var contactUsername string
+ if apiResp.ContactAccount != nil {
+ contactUsername = apiResp.ContactAccount.Username
+ }
+
+ ulid, err := id.NewRandomULID()
+ if err != nil {
+ return nil, err
+ }
+
+ i := >smodel.Instance{
+ ID: ulid,
+ Domain: iri.Host,
+ Title: apiResp.Title,
+ URI: fmt.Sprintf("%s://%s", iri.Scheme, iri.Host),
+ ShortDescription: apiResp.ShortDescription,
+ Description: apiResp.Description,
+ ContactEmail: apiResp.Email,
+ ContactAccountUsername: contactUsername,
+ Version: apiResp.Version,
+ }
+
+ return i, nil
+}
+
+func dereferenceByNodeInfo(c context.Context, t *transport, iri *url.URL) (*gtsmodel.Instance, error) {
+ niIRI, err := callNodeInfoWellKnown(c, t, iri)
+ if err != nil {
+ return nil, fmt.Errorf("dereferenceByNodeInfo: error during initial call to well-known nodeinfo: %s", err)
+ }
+
+ ni, err := callNodeInfo(c, t, niIRI)
+ if err != nil {
+ return nil, fmt.Errorf("dereferenceByNodeInfo: error doing second call to nodeinfo uri %s: %s", niIRI.String(), err)
+ }
+
+ // we got a response of some kind! take what we can from it...
+ id, err := id.NewRandomULID()
+ if err != nil {
+ return nil, fmt.Errorf("dereferenceByNodeInfo: error creating new id for instance %s: %s", iri.Host, err)
+ }
+
+ // this is the bare minimum instance we'll return, and we'll add more stuff to it if we can
+ i := >smodel.Instance{
+ ID: id,
+ Domain: iri.Host,
+ URI: iri.String(),
+ }
+
+ var title string
+ if i, present := ni.Metadata["nodeName"]; present {
+ // it's present, check it's a string
+ if v, ok := i.(string); ok {
+ // it is a string!
+ title = v
+ }
+ }
+ i.Title = title
+
+ var shortDescription string
+ if i, present := ni.Metadata["nodeDescription"]; present {
+ // it's present, check it's a string
+ if v, ok := i.(string); ok {
+ // it is a string!
+ shortDescription = v
+ }
+ }
+ i.ShortDescription = shortDescription
+
+ var contactEmail string
+ var contactAccountUsername string
+ if i, present := ni.Metadata["maintainer"]; present {
+ // it's present, check it's a map
+ if v, ok := i.(map[string]string); ok {
+ // see if there's an email in the map
+ if email, present := v["email"]; present {
+ if err := util.ValidateEmail(email); err == nil {
+ // valid email address
+ contactEmail = email
+ }
+ }
+ // see if there's a 'name' in the map
+ if name, present := v["name"]; present {
+ // name could be just a username, or could be a mention string eg @whatever@aaaa.com
+ username, _, err := util.ExtractMentionParts(name)
+ if err == nil {
+ // it was a mention string
+ contactAccountUsername = username
+ } else {
+ // not a mention string
+ contactAccountUsername = name
+ }
+ }
+ }
+ }
+ i.ContactEmail = contactEmail
+ i.ContactAccountUsername = contactAccountUsername
+
+ var software string
+ if ni.Software.Name != "" {
+ software = ni.Software.Name
+ }
+ if ni.Software.Version != "" {
+ software = software + " " + ni.Software.Version
+ }
+ i.Version = software
+
+ return i, nil
+}
+
+func callNodeInfoWellKnown(c context.Context, t *transport, iri *url.URL) (*url.URL, error) {
+ l := t.log.WithField("func", "callNodeInfoWellKnown")
+
+ cleanIRI := &url.URL{
+ Scheme: iri.Scheme,
+ Host: iri.Host,
+ Path: ".well-known/nodeinfo",
+ }
+
+ l.Debugf("performing GET to %s", cleanIRI.String())
+ req, err := http.NewRequest("GET", cleanIRI.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ req = req.WithContext(c)
+ req.Header.Add("Accept", "application/json")
+ req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
+ req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
+ req.Header.Set("Host", cleanIRI.Host)
+ t.getSignerMu.Lock()
+ err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
+ t.getSignerMu.Unlock()
+ if err != nil {
+ return nil, err
+ }
+ resp, err := t.client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("callNodeInfoWellKnown: GET request to %s failed (%d): %s", cleanIRI.String(), resp.StatusCode, resp.Status)
+ }
+ b, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(b) == 0 {
+ return nil, errors.New("callNodeInfoWellKnown: response bytes was len 0")
+ }
+
+ wellKnownResp := &apimodel.WellKnownResponse{}
+ if err := json.Unmarshal(b, wellKnownResp); err != nil {
+ return nil, fmt.Errorf("callNodeInfoWellKnown: could not unmarshal server response as WellKnownResponse: %s", err)
+ }
+
+ // look through the links for the first one that matches the nodeinfo schema, this is what we need
+ var nodeinfoHref *url.URL
+ for _, l := range wellKnownResp.Links {
+ if l.Href == "" || !strings.HasPrefix(l.Rel, "http://nodeinfo.diaspora.software/ns/schema/2") {
+ continue
+ }
+ nodeinfoHref, err = url.Parse(l.Href)
+ if err != nil {
+ return nil, fmt.Errorf("callNodeInfoWellKnown: couldn't parse url %s: %s", l.Href, err)
+ }
+ }
+ if nodeinfoHref == nil {
+ return nil, errors.New("callNodeInfoWellKnown: could not find nodeinfo rel in well known response")
+ }
+
+ return nodeinfoHref, nil
+}
+
+func callNodeInfo(c context.Context, t *transport, iri *url.URL) (*apimodel.Nodeinfo, error) {
+ l := t.log.WithField("func", "callNodeInfo")
+
+ l.Debugf("performing GET to %s", iri.String())
+ req, err := http.NewRequest("GET", iri.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ req = req.WithContext(c)
+ req.Header.Add("Accept", "application/json")
+ req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
+ req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
+ req.Header.Set("Host", iri.Host)
+ t.getSignerMu.Lock()
+ err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
+ t.getSignerMu.Unlock()
+ if err != nil {
+ return nil, err
+ }
+ resp, err := t.client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("callNodeInfo: GET request to %s failed (%d): %s", iri.String(), resp.StatusCode, resp.Status)
+ }
+ b, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(b) == 0 {
+ return nil, errors.New("callNodeInfo: response bytes was len 0")
+ }
+
+ niResp := &apimodel.Nodeinfo{}
+ if err := json.Unmarshal(b, niResp); err != nil {
+ return nil, fmt.Errorf("callNodeInfo: could not unmarshal server response as Nodeinfo: %s", err)
+ }
+
+ return niResp, nil
+}
diff --git a/internal/transport/derefmedia.go b/internal/transport/derefmedia.go
@@ -0,0 +1,42 @@
+package transport
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+)
+
+func (t *transport) DereferenceMedia(c context.Context, iri *url.URL, expectedContentType string) ([]byte, error) {
+ l := t.log.WithField("func", "DereferenceMedia")
+ l.Debugf("performing GET to %s", iri.String())
+ req, err := http.NewRequest("GET", iri.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ req = req.WithContext(c)
+ if expectedContentType == "" {
+ req.Header.Add("Accept", "*/*")
+ } else {
+ req.Header.Add("Accept", expectedContentType)
+ }
+ req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
+ req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
+ req.Header.Set("Host", iri.Host)
+ t.getSignerMu.Lock()
+ err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
+ t.getSignerMu.Unlock()
+ if err != nil {
+ return nil, err
+ }
+ resp, err := t.client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("GET request to %s failed (%d): %s", iri.String(), resp.StatusCode, resp.Status)
+ }
+ return ioutil.ReadAll(resp.Body)
+}
diff --git a/internal/transport/finger.go b/internal/transport/finger.go
@@ -0,0 +1,48 @@
+package transport
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+)
+
+func (t *transport) Finger(c context.Context, targetUsername string, targetDomain string) ([]byte, error) {
+ l := t.log.WithField("func", "Finger")
+ urlString := fmt.Sprintf("https://%s/.well-known/webfinger?resource=acct:%s@%s", targetDomain, targetUsername, targetDomain)
+ l.Debugf("performing GET to %s", urlString)
+
+ iri, err := url.Parse(urlString)
+ if err != nil {
+ return nil, fmt.Errorf("Finger: error parsing url %s: %s", urlString, err)
+ }
+
+ l.Debugf("performing GET to %s", iri.String())
+
+ req, err := http.NewRequest("GET", iri.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ req = req.WithContext(c)
+ req.Header.Add("Accept", "application/json")
+ req.Header.Add("Accept", "application/jrd+json")
+ req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
+ req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
+ req.Header.Set("Host", iri.Host)
+ t.getSignerMu.Lock()
+ err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
+ t.getSignerMu.Unlock()
+ if err != nil {
+ return nil, err
+ }
+ resp, err := t.client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("GET request to %s failed (%d): %s", iri.String(), resp.StatusCode, resp.Status)
+ }
+ return ioutil.ReadAll(resp.Body)
+}
diff --git a/internal/transport/transport.go b/internal/transport/transport.go
@@ -3,22 +3,23 @@ package transport
import (
"context"
"crypto"
- "fmt"
- "io/ioutil"
- "net/http"
"net/url"
"sync"
"github.com/go-fed/activity/pub"
"github.com/go-fed/httpsig"
"github.com/sirupsen/logrus"
+ "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
)
// Transport wraps the pub.Transport interface with some additional
// functionality for fetching remote media.
type Transport interface {
pub.Transport
+ // DereferenceMedia fetches the bytes of the given media attachment IRI, with the expectedContentType.
DereferenceMedia(c context.Context, iri *url.URL, expectedContentType string) ([]byte, error)
+ // DereferenceInstance dereferences remote instance information, first by checking /api/v1/instance, and then by checking /.well-known/nodeinfo.
+ DereferenceInstance(c context.Context, iri *url.URL) (*gtsmodel.Instance, error)
// Finger performs a webfinger request with the given username and domain, and returns the bytes from the response body.
Finger(c context.Context, targetUsername string, targetDomains string) ([]byte, error)
}
@@ -36,91 +37,3 @@ type transport struct {
getSignerMu *sync.Mutex
log *logrus.Logger
}
-
-func (t *transport) BatchDeliver(c context.Context, b []byte, recipients []*url.URL) error {
- return t.sigTransport.BatchDeliver(c, b, recipients)
-}
-
-func (t *transport) Deliver(c context.Context, b []byte, to *url.URL) error {
- l := t.log.WithField("func", "Deliver")
- l.Debugf("performing POST to %s", to.String())
- return t.sigTransport.Deliver(c, b, to)
-}
-
-func (t *transport) Dereference(c context.Context, iri *url.URL) ([]byte, error) {
- l := t.log.WithField("func", "Dereference")
- l.Debugf("performing GET to %s", iri.String())
- return t.sigTransport.Dereference(c, iri)
-}
-
-func (t *transport) DereferenceMedia(c context.Context, iri *url.URL, expectedContentType string) ([]byte, error) {
- l := t.log.WithField("func", "DereferenceMedia")
- l.Debugf("performing GET to %s", iri.String())
- req, err := http.NewRequest("GET", iri.String(), nil)
- if err != nil {
- return nil, err
- }
- req = req.WithContext(c)
- if expectedContentType == "" {
- req.Header.Add("Accept", "*/*")
- } else {
- req.Header.Add("Accept", expectedContentType)
- }
- req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
- req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
- req.Header.Set("Host", iri.Host)
- t.getSignerMu.Lock()
- err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
- t.getSignerMu.Unlock()
- if err != nil {
- return nil, err
- }
- resp, err := t.client.Do(req)
- if err != nil {
- return nil, err
- }
- defer resp.Body.Close()
- if resp.StatusCode != http.StatusOK {
- return nil, fmt.Errorf("GET request to %s failed (%d): %s", iri.String(), resp.StatusCode, resp.Status)
- }
- return ioutil.ReadAll(resp.Body)
-}
-
-func (t *transport) Finger(c context.Context, targetUsername string, targetDomain string) ([]byte, error) {
- l := t.log.WithField("func", "Finger")
- urlString := fmt.Sprintf("https://%s/.well-known/webfinger?resource=acct:%s@%s", targetDomain, targetUsername, targetDomain)
- l.Debugf("performing GET to %s", urlString)
-
- iri, err := url.Parse(urlString)
- if err != nil {
- return nil, fmt.Errorf("Finger: error parsing url %s: %s", urlString, err)
- }
-
- l.Debugf("performing GET to %s", iri.String())
-
- req, err := http.NewRequest("GET", iri.String(), nil)
- if err != nil {
- return nil, err
- }
- req = req.WithContext(c)
- req.Header.Add("Accept", "application/json")
- req.Header.Add("Accept", "application/jrd+json")
- req.Header.Add("Date", t.clock.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05")+" GMT")
- req.Header.Add("User-Agent", fmt.Sprintf("%s %s", t.appAgent, t.gofedAgent))
- req.Header.Set("Host", iri.Host)
- t.getSignerMu.Lock()
- err = t.getSigner.SignRequest(t.privkey, t.pubKeyID, req, nil)
- t.getSignerMu.Unlock()
- if err != nil {
- return nil, err
- }
- resp, err := t.client.Do(req)
- if err != nil {
- return nil, err
- }
- defer resp.Body.Close()
- if resp.StatusCode != http.StatusOK {
- return nil, fmt.Errorf("GET request to %s failed (%d): %s", iri.String(), resp.StatusCode, resp.Status)
- }
- return ioutil.ReadAll(resp.Body)
-}
