Add support for dereferencing objects through bearcaps (#14683)

lolsob-rspec
Eugen Rochko 2020-08-30 12:34:20 +02:00 committed by GitHub
parent d0fecf89d5
commit e8d1656bd6
4 changed files with 166 additions and 14 deletions

View File

@ -71,7 +71,15 @@ class ActivityPub::Activity
end end
def object_uri def object_uri
@object_uri ||= value_or_id(@object) @object_uri ||= begin
str = value_or_id(@object)
if str.start_with?('bear:')
Addressable::URI.parse(str).query_values['u']
else
str
end
end
end end
def unsupported_object_type? def unsupported_object_type?
@ -159,12 +167,10 @@ class ActivityPub::Activity
def dereference_object! def dereference_object!
return unless @object.is_a?(String) return unless @object.is_a?(String)
return if invalid_origin?(@object)
object = fetch_resource(@object, true, signed_fetch_account) dereferencer = ActivityPub::Dereferencer.new(@object, permitted_origin: @account.uri, signature_account: signed_fetch_account)
return unless object.present? && object.is_a?(Hash) && supported_context?(object)
@object = object @object = dereferencer.object unless dereferencer.object.nil?
end end
def signed_fetch_account def signed_fetch_account

View File

@ -15,7 +15,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
private private
def create_encrypted_message def create_encrypted_message
return reject_payload! if invalid_origin?(@object['id']) || @options[:delivered_to_account_id].blank? return reject_payload! if invalid_origin?(object_uri) || @options[:delivered_to_account_id].blank?
target_account = Account.find(@options[:delivered_to_account_id]) target_account = Account.find(@options[:delivered_to_account_id])
target_device = target_account.devices.find_by(device_id: @object.dig('to', 'deviceId')) target_device = target_account.devices.find_by(device_id: @object.dig('to', 'deviceId'))
@ -43,7 +43,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
end end
def create_status def create_status
return reject_payload! if unsupported_object_type? || invalid_origin?(@object['id']) || Tombstone.exists?(uri: @object['id']) || !related_to_local_activity? return reject_payload! if unsupported_object_type? || invalid_origin?(object_uri) || tombstone_exists? || !related_to_local_activity?
RedisLock.acquire(lock_options) do |lock| RedisLock.acquire(lock_options) do |lock|
if lock.acquired? if lock.acquired?
@ -90,7 +90,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
fetch_replies(@status) fetch_replies(@status)
check_for_spam check_for_spam
distribute(@status) distribute(@status)
forward_for_reply if @status.distributable? forward_for_reply
end end
def find_existing_status def find_existing_status
@ -102,8 +102,8 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
def process_status_params def process_status_params
@params = begin @params = begin
{ {
uri: @object['id'], uri: object_uri,
url: object_url || @object['id'], url: object_url || object_uri,
account: @account, account: @account,
text: text_from_content || '', text: text_from_content || '',
language: detected_language, language: detected_language,
@ -313,7 +313,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
RedisLock.acquire(poll_lock_options) do |lock| RedisLock.acquire(poll_lock_options) do |lock|
if lock.acquired? if lock.acquired?
already_voted = poll.votes.where(account: @account).exists? already_voted = poll.votes.where(account: @account).exists?
poll.votes.create!(account: @account, choice: poll.options.index(@object['name']), uri: @object['id']) poll.votes.create!(account: @account, choice: poll.options.index(@object['name']), uri: object_uri)
else else
raise Mastodon::RaceConditionError raise Mastodon::RaceConditionError
end end
@ -385,7 +385,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
end end
def text_from_content def text_from_content
return Formatter.instance.linkify([[text_from_name, text_from_summary.presence].compact.join("\n\n"), object_url || @object['id']].join(' ')) if converted_object_type? return Formatter.instance.linkify([[text_from_name, text_from_summary.presence].compact.join("\n\n"), object_url || object_uri].join(' ')) if converted_object_type?
if @object['content'].present? if @object['content'].present?
@object['content'] @object['content']
@ -484,12 +484,16 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
Account.local.where(username: local_usernames).exists? Account.local.where(username: local_usernames).exists?
end end
def tombstone_exists?
Tombstone.exists?(uri: object_uri)
end
def check_for_spam def check_for_spam
SpamCheck.perform(@status) SpamCheck.perform(@status)
end end
def forward_for_reply def forward_for_reply
return unless @json['signature'].present? && reply_to_local? return unless @status.distributable? && @json['signature'].present? && reply_to_local?
ActivityPub::RawDistributionWorker.perform_async(Oj.dump(@json), replied_to_status.account_id, [@account.preferred_inbox_url]) ActivityPub::RawDistributionWorker.perform_async(Oj.dump(@json), replied_to_status.account_id, [@account.preferred_inbox_url])
end end
@ -507,7 +511,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
end end
def lock_options def lock_options
{ redis: Redis.current, key: "create:#{@object['id']}" } { redis: Redis.current, key: "create:#{object_uri}" }
end end
def poll_lock_options def poll_lock_options

View File

@ -0,0 +1,69 @@
# frozen_string_literal: true
class ActivityPub::Dereferencer
include JsonLdHelper
def initialize(uri, permitted_origin: nil, signature_account: nil)
@uri = uri
@permitted_origin = permitted_origin
@signature_account = signature_account
end
def object
@object ||= fetch_object!
end
private
def bear_cap?
@uri.start_with?('bear:')
end
def fetch_object!
if bear_cap?
fetch_with_token!
else
fetch_with_signature!
end
end
def fetch_with_token!
perform_request(bear_cap['u'], headers: { 'Authorization' => "Bearer #{bear_cap['t']}" })
end
def fetch_with_signature!
perform_request(@uri)
end
def bear_cap
@bear_cap ||= Addressable::URI.parse(@uri).query_values
end
def perform_request(uri, headers: nil)
return if invalid_origin?(uri)
req = Request.new(:get, uri)
req.add_headers('Accept' => 'application/activity+json, application/ld+json')
req.add_headers(headers) if headers
req.on_behalf_of(@signature_account) if @signature_account
req.perform do |res|
if res.code == 200
json = body_to_json(res.body_with_limit)
json if json.present? && json['id'] == uri
else
raise Mastodon::UnexpectedResponseError, res unless response_successful?(res) || response_error_unsalvageable?(res)
end
end
end
def invalid_origin?(uri)
return true if unsupported_uri_scheme?(uri)
needle = Addressable::URI.parse(uri).host
haystack = Addressable::URI.parse(@permitted_origin).host
!haystack.casecmp(needle).zero?
end
end

View File

@ -0,0 +1,73 @@
require 'rails_helper'
RSpec.describe ActivityPub::Dereferencer do
describe '#object' do
let(:object) { { '@context': 'https://www.w3.org/ns/activitystreams', id: 'https://example.com/foo', type: 'Note', content: 'Hoge' } }
let(:permitted_origin) { 'https://example.com' }
let(:signature_account) { nil }
let(:uri) { nil }
subject { described_class.new(uri, permitted_origin: permitted_origin, signature_account: signature_account).object }
before do
stub_request(:get, 'https://example.com/foo').to_return(body: Oj.dump(object), headers: { 'Content-Type' => 'application/activity+json' })
end
context 'with a URI' do
let(:uri) { 'https://example.com/foo' }
it 'returns object' do
expect(subject.with_indifferent_access).to eq object.with_indifferent_access
end
context 'with signature account' do
let(:signature_account) { Fabricate(:account) }
it 'makes signed request' do
subject
expect(a_request(:get, 'https://example.com/foo').with { |req| req.headers['Signature'].present? }).to have_been_made
end
end
context 'with different origin' do
let(:uri) { 'https://other-example.com/foo' }
it 'does not make request' do
subject
expect(a_request(:get, 'https://other-example.com/foo')).to_not have_been_made
end
end
end
context 'with a bearcap' do
let(:uri) { 'bear:?t=hoge&u=https://example.com/foo' }
it 'makes request with Authorization header' do
subject
expect(a_request(:get, 'https://example.com/foo').with(headers: { 'Authorization' => 'Bearer hoge' })).to have_been_made
end
it 'returns object' do
expect(subject.with_indifferent_access).to eq object.with_indifferent_access
end
context 'with signature account' do
let(:signature_account) { Fabricate(:account) }
it 'makes signed request' do
subject
expect(a_request(:get, 'https://example.com/foo').with { |req| req.headers['Signature'].present? && req.headers['Authorization'] == 'Bearer hoge' }).to have_been_made
end
end
context 'with different origin' do
let(:uri) { 'bear:?t=hoge&u=https://other-example.com/foo' }
it 'does not make request' do
subject
expect(a_request(:get, 'https://other-example.com/foo')).to_not have_been_made
end
end
end
end
end