Add support for dereferencing objects through bearcaps (#14683)
This commit is contained in:
parent
ce8f33dd2f
commit
52157fdcba
@ -71,7 +71,15 @@ class ActivityPub::Activity
|
|||||||
end
|
end
|
||||||
|
|
||||||
def object_uri
|
def object_uri
|
||||||
@object_uri ||= value_or_id(@object)
|
@object_uri ||= begin
|
||||||
|
str = value_or_id(@object)
|
||||||
|
|
||||||
|
if str.start_with?('bear:')
|
||||||
|
Addressable::URI.parse(str).query_values['u']
|
||||||
|
else
|
||||||
|
str
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def unsupported_object_type?
|
def unsupported_object_type?
|
||||||
@ -159,12 +167,10 @@ class ActivityPub::Activity
|
|||||||
|
|
||||||
def dereference_object!
|
def dereference_object!
|
||||||
return unless @object.is_a?(String)
|
return unless @object.is_a?(String)
|
||||||
return if invalid_origin?(@object)
|
|
||||||
|
|
||||||
object = fetch_resource(@object, true, signed_fetch_account)
|
dereferencer = ActivityPub::Dereferencer.new(@object, permitted_origin: @account.uri, signature_account: signed_fetch_account)
|
||||||
return unless object.present? && object.is_a?(Hash) && supported_context?(object)
|
|
||||||
|
|
||||||
@object = object
|
@object = dereferencer.object unless dereferencer.object.nil?
|
||||||
end
|
end
|
||||||
|
|
||||||
def signed_fetch_account
|
def signed_fetch_account
|
||||||
|
@ -15,7 +15,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
private
|
private
|
||||||
|
|
||||||
def create_encrypted_message
|
def create_encrypted_message
|
||||||
return reject_payload! if invalid_origin?(@object['id']) || @options[:delivered_to_account_id].blank?
|
return reject_payload! if invalid_origin?(object_uri) || @options[:delivered_to_account_id].blank?
|
||||||
|
|
||||||
target_account = Account.find(@options[:delivered_to_account_id])
|
target_account = Account.find(@options[:delivered_to_account_id])
|
||||||
target_device = target_account.devices.find_by(device_id: @object.dig('to', 'deviceId'))
|
target_device = target_account.devices.find_by(device_id: @object.dig('to', 'deviceId'))
|
||||||
@ -43,7 +43,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
end
|
end
|
||||||
|
|
||||||
def create_status
|
def create_status
|
||||||
return reject_payload! if unsupported_object_type? || invalid_origin?(@object['id']) || Tombstone.exists?(uri: @object['id']) || !related_to_local_activity?
|
return reject_payload! if unsupported_object_type? || invalid_origin?(object_uri) || tombstone_exists? || !related_to_local_activity?
|
||||||
|
|
||||||
RedisLock.acquire(lock_options) do |lock|
|
RedisLock.acquire(lock_options) do |lock|
|
||||||
if lock.acquired?
|
if lock.acquired?
|
||||||
@ -90,7 +90,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
fetch_replies(@status)
|
fetch_replies(@status)
|
||||||
check_for_spam
|
check_for_spam
|
||||||
distribute(@status)
|
distribute(@status)
|
||||||
forward_for_reply if @status.distributable?
|
forward_for_reply
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_existing_status
|
def find_existing_status
|
||||||
@ -102,8 +102,8 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
def process_status_params
|
def process_status_params
|
||||||
@params = begin
|
@params = begin
|
||||||
{
|
{
|
||||||
uri: @object['id'],
|
uri: object_uri,
|
||||||
url: object_url || @object['id'],
|
url: object_url || object_uri,
|
||||||
account: @account,
|
account: @account,
|
||||||
text: text_from_content || '',
|
text: text_from_content || '',
|
||||||
language: detected_language,
|
language: detected_language,
|
||||||
@ -313,7 +313,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
RedisLock.acquire(poll_lock_options) do |lock|
|
RedisLock.acquire(poll_lock_options) do |lock|
|
||||||
if lock.acquired?
|
if lock.acquired?
|
||||||
already_voted = poll.votes.where(account: @account).exists?
|
already_voted = poll.votes.where(account: @account).exists?
|
||||||
poll.votes.create!(account: @account, choice: poll.options.index(@object['name']), uri: @object['id'])
|
poll.votes.create!(account: @account, choice: poll.options.index(@object['name']), uri: object_uri)
|
||||||
else
|
else
|
||||||
raise Mastodon::RaceConditionError
|
raise Mastodon::RaceConditionError
|
||||||
end
|
end
|
||||||
@ -385,7 +385,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
end
|
end
|
||||||
|
|
||||||
def text_from_content
|
def text_from_content
|
||||||
return Formatter.instance.linkify([[text_from_name, text_from_summary.presence].compact.join("\n\n"), object_url || @object['id']].join(' ')) if converted_object_type?
|
return Formatter.instance.linkify([[text_from_name, text_from_summary.presence].compact.join("\n\n"), object_url || object_uri].join(' ')) if converted_object_type?
|
||||||
|
|
||||||
if @object['content'].present?
|
if @object['content'].present?
|
||||||
@object['content']
|
@object['content']
|
||||||
@ -484,12 +484,16 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
Account.local.where(username: local_usernames).exists?
|
Account.local.where(username: local_usernames).exists?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def tombstone_exists?
|
||||||
|
Tombstone.exists?(uri: object_uri)
|
||||||
|
end
|
||||||
|
|
||||||
def check_for_spam
|
def check_for_spam
|
||||||
SpamCheck.perform(@status)
|
SpamCheck.perform(@status)
|
||||||
end
|
end
|
||||||
|
|
||||||
def forward_for_reply
|
def forward_for_reply
|
||||||
return unless @json['signature'].present? && reply_to_local?
|
return unless @status.distributable? && @json['signature'].present? && reply_to_local?
|
||||||
|
|
||||||
ActivityPub::RawDistributionWorker.perform_async(Oj.dump(@json), replied_to_status.account_id, [@account.preferred_inbox_url])
|
ActivityPub::RawDistributionWorker.perform_async(Oj.dump(@json), replied_to_status.account_id, [@account.preferred_inbox_url])
|
||||||
end
|
end
|
||||||
@ -507,7 +511,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
|
|||||||
end
|
end
|
||||||
|
|
||||||
def lock_options
|
def lock_options
|
||||||
{ redis: Redis.current, key: "create:#{@object['id']}" }
|
{ redis: Redis.current, key: "create:#{object_uri}" }
|
||||||
end
|
end
|
||||||
|
|
||||||
def poll_lock_options
|
def poll_lock_options
|
||||||
|
69
app/lib/activitypub/dereferencer.rb
Normal file
69
app/lib/activitypub/dereferencer.rb
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class ActivityPub::Dereferencer
|
||||||
|
include JsonLdHelper
|
||||||
|
|
||||||
|
def initialize(uri, permitted_origin: nil, signature_account: nil)
|
||||||
|
@uri = uri
|
||||||
|
@permitted_origin = permitted_origin
|
||||||
|
@signature_account = signature_account
|
||||||
|
end
|
||||||
|
|
||||||
|
def object
|
||||||
|
@object ||= fetch_object!
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def bear_cap?
|
||||||
|
@uri.start_with?('bear:')
|
||||||
|
end
|
||||||
|
|
||||||
|
def fetch_object!
|
||||||
|
if bear_cap?
|
||||||
|
fetch_with_token!
|
||||||
|
else
|
||||||
|
fetch_with_signature!
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def fetch_with_token!
|
||||||
|
perform_request(bear_cap['u'], headers: { 'Authorization' => "Bearer #{bear_cap['t']}" })
|
||||||
|
end
|
||||||
|
|
||||||
|
def fetch_with_signature!
|
||||||
|
perform_request(@uri)
|
||||||
|
end
|
||||||
|
|
||||||
|
def bear_cap
|
||||||
|
@bear_cap ||= Addressable::URI.parse(@uri).query_values
|
||||||
|
end
|
||||||
|
|
||||||
|
def perform_request(uri, headers: nil)
|
||||||
|
return if invalid_origin?(uri)
|
||||||
|
|
||||||
|
req = Request.new(:get, uri)
|
||||||
|
|
||||||
|
req.add_headers('Accept' => 'application/activity+json, application/ld+json')
|
||||||
|
req.add_headers(headers) if headers
|
||||||
|
req.on_behalf_of(@signature_account) if @signature_account
|
||||||
|
|
||||||
|
req.perform do |res|
|
||||||
|
if res.code == 200
|
||||||
|
json = body_to_json(res.body_with_limit)
|
||||||
|
json if json.present? && json['id'] == uri
|
||||||
|
else
|
||||||
|
raise Mastodon::UnexpectedResponseError, res unless response_successful?(res) || response_error_unsalvageable?(res)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def invalid_origin?(uri)
|
||||||
|
return true if unsupported_uri_scheme?(uri)
|
||||||
|
|
||||||
|
needle = Addressable::URI.parse(uri).host
|
||||||
|
haystack = Addressable::URI.parse(@permitted_origin).host
|
||||||
|
|
||||||
|
!haystack.casecmp(needle).zero?
|
||||||
|
end
|
||||||
|
end
|
73
spec/lib/activitypub/dereferencer_spec.rb
Normal file
73
spec/lib/activitypub/dereferencer_spec.rb
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
RSpec.describe ActivityPub::Dereferencer do
|
||||||
|
describe '#object' do
|
||||||
|
let(:object) { { '@context': 'https://www.w3.org/ns/activitystreams', id: 'https://example.com/foo', type: 'Note', content: 'Hoge' } }
|
||||||
|
let(:permitted_origin) { 'https://example.com' }
|
||||||
|
let(:signature_account) { nil }
|
||||||
|
let(:uri) { nil }
|
||||||
|
|
||||||
|
subject { described_class.new(uri, permitted_origin: permitted_origin, signature_account: signature_account).object }
|
||||||
|
|
||||||
|
before do
|
||||||
|
stub_request(:get, 'https://example.com/foo').to_return(body: Oj.dump(object), headers: { 'Content-Type' => 'application/activity+json' })
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a URI' do
|
||||||
|
let(:uri) { 'https://example.com/foo' }
|
||||||
|
|
||||||
|
it 'returns object' do
|
||||||
|
expect(subject.with_indifferent_access).to eq object.with_indifferent_access
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with signature account' do
|
||||||
|
let(:signature_account) { Fabricate(:account) }
|
||||||
|
|
||||||
|
it 'makes signed request' do
|
||||||
|
subject
|
||||||
|
expect(a_request(:get, 'https://example.com/foo').with { |req| req.headers['Signature'].present? }).to have_been_made
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with different origin' do
|
||||||
|
let(:uri) { 'https://other-example.com/foo' }
|
||||||
|
|
||||||
|
it 'does not make request' do
|
||||||
|
subject
|
||||||
|
expect(a_request(:get, 'https://other-example.com/foo')).to_not have_been_made
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with a bearcap' do
|
||||||
|
let(:uri) { 'bear:?t=hoge&u=https://example.com/foo' }
|
||||||
|
|
||||||
|
it 'makes request with Authorization header' do
|
||||||
|
subject
|
||||||
|
expect(a_request(:get, 'https://example.com/foo').with(headers: { 'Authorization' => 'Bearer hoge' })).to have_been_made
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns object' do
|
||||||
|
expect(subject.with_indifferent_access).to eq object.with_indifferent_access
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with signature account' do
|
||||||
|
let(:signature_account) { Fabricate(:account) }
|
||||||
|
|
||||||
|
it 'makes signed request' do
|
||||||
|
subject
|
||||||
|
expect(a_request(:get, 'https://example.com/foo').with { |req| req.headers['Signature'].present? && req.headers['Authorization'] == 'Bearer hoge' }).to have_been_made
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with different origin' do
|
||||||
|
let(:uri) { 'bear:?t=hoge&u=https://other-example.com/foo' }
|
||||||
|
|
||||||
|
it 'does not make request' do
|
||||||
|
subject
|
||||||
|
expect(a_request(:get, 'https://other-example.com/foo')).to_not have_been_made
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user