2017-08-13 07:12:16 +00:00
|
|
|
"""Handles requests for ActivityPub endpoints: actors, inbox, etc.
|
|
|
|
|
"""
|
2020-10-29 22:39:44 +00:00
|
|
|
from base64 import b64encode
|
2018-10-19 13:50:00 +00:00
|
|
|
import datetime
|
2020-10-29 22:39:44 +00:00
|
|
|
from hashlib import sha256
|
2017-08-13 07:12:16 +00:00
|
|
|
import logging
|
2021-07-10 15:07:40 +00:00
|
|
|
import re
|
2017-08-13 07:12:16 +00:00
|
|
|
|
2021-07-10 15:07:40 +00:00
|
|
|
from flask import request
|
2019-12-26 06:20:57 +00:00
|
|
|
from google.cloud import ndb
|
2017-09-28 14:25:21 +00:00
|
|
|
from granary import as2, microformats2
|
2017-08-13 07:12:16 +00:00
|
|
|
import mf2util
|
2021-08-28 14:18:46 +00:00
|
|
|
from oauth_dropins.webutil import flask_util, util
|
2021-08-06 17:29:25 +00:00
|
|
|
from oauth_dropins.webutil.flask_util import error
|
2019-12-25 07:26:58 +00:00
|
|
|
from oauth_dropins.webutil.util import json_dumps, json_loads
|
2017-08-13 07:12:16 +00:00
|
|
|
|
2021-07-10 15:07:40 +00:00
|
|
|
from app import app, cache
|
2017-08-15 06:07:24 +00:00
|
|
|
import common
|
2021-08-06 17:29:25 +00:00
|
|
|
from common import redirect_unwrap, redirect_wrap
|
2019-09-19 14:56:51 +00:00
|
|
|
from models import Follower, MagicKey
|
2018-10-19 13:50:00 +00:00
|
|
|
from httpsig.requests_auth import HTTPSignatureAuth
|
2017-08-15 06:07:24 +00:00
|
|
|
|
2019-04-16 15:02:19 +00:00
|
|
|
CACHE_TIME = datetime.timedelta(seconds=15)
|
|
|
|
|
|
2017-10-17 05:21:13 +00:00
|
|
|
SUPPORTED_TYPES = (
|
2018-10-25 04:44:21 +00:00
|
|
|
'Accept',
|
2017-10-17 05:21:13 +00:00
|
|
|
'Announce',
|
|
|
|
|
'Article',
|
|
|
|
|
'Audio',
|
2018-10-15 15:09:36 +00:00
|
|
|
'Create',
|
2020-03-01 04:28:53 +00:00
|
|
|
'Delete',
|
2018-10-19 13:50:00 +00:00
|
|
|
'Follow',
|
2017-10-17 05:21:13 +00:00
|
|
|
'Image',
|
|
|
|
|
'Like',
|
|
|
|
|
'Note',
|
2019-08-01 14:32:45 +00:00
|
|
|
'Undo',
|
2017-10-17 05:21:13 +00:00
|
|
|
'Video',
|
|
|
|
|
)
|
2017-08-15 06:07:24 +00:00
|
|
|
|
2017-10-20 14:13:04 +00:00
|
|
|
|
2018-10-21 22:28:42 +00:00
|
|
|
def send(activity, inbox_url, user_domain):
|
|
|
|
|
"""Sends an ActivityPub request to an inbox.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
activity: dict, AS2 activity
|
|
|
|
|
inbox_url: string
|
|
|
|
|
user_domain: string, domain of the bridgy fed user sending the request
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
requests.Response
|
|
|
|
|
"""
|
2021-12-28 06:45:57 +00:00
|
|
|
logging.info('Sending AP request from {user_domain}: {json_dumps(activity, indent=2)}')
|
2018-10-21 22:28:42 +00:00
|
|
|
|
|
|
|
|
# prepare HTTP Signature (required by Mastodon)
|
2020-10-29 22:39:44 +00:00
|
|
|
# https://w3c.github.io/activitypub/#authorization
|
2018-10-21 22:28:42 +00:00
|
|
|
# https://tools.ietf.org/html/draft-cavage-http-signatures-07
|
|
|
|
|
# https://github.com/tootsuite/mastodon/issues/4906#issuecomment-328844846
|
|
|
|
|
acct = 'acct:%s@%s' % (user_domain, user_domain)
|
|
|
|
|
key = MagicKey.get_or_create(user_domain)
|
|
|
|
|
auth = HTTPSignatureAuth(secret=key.private_pem(), key_id=acct,
|
2020-10-29 22:39:44 +00:00
|
|
|
algorithm='rsa-sha256', sign_header='signature',
|
|
|
|
|
headers=('Date', 'Digest', 'Host'))
|
2018-10-21 22:28:42 +00:00
|
|
|
|
|
|
|
|
# deliver to inbox
|
2020-10-31 22:24:56 +00:00
|
|
|
body = json_dumps(activity).encode()
|
2018-10-21 22:28:42 +00:00
|
|
|
headers = {
|
|
|
|
|
'Content-Type': common.CONTENT_TYPE_AS2,
|
|
|
|
|
# required for HTTP Signature
|
|
|
|
|
# https://tools.ietf.org/html/draft-cavage-http-signatures-07#section-2.1.3
|
|
|
|
|
'Date': datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT'),
|
2020-10-29 22:39:44 +00:00
|
|
|
# required by Mastodon
|
|
|
|
|
# https://github.com/tootsuite/mastodon/pull/14556#issuecomment-674077648
|
2020-10-31 22:24:56 +00:00
|
|
|
'Digest': 'SHA-256=' + b64encode(sha256(body).digest()).decode(),
|
2020-10-29 22:39:44 +00:00
|
|
|
'Host': util.domain_from_link(inbox_url),
|
2018-10-21 22:28:42 +00:00
|
|
|
}
|
2020-10-31 22:24:56 +00:00
|
|
|
return common.requests_post(inbox_url, data=body, auth=auth,
|
|
|
|
|
headers=headers)
|
2018-10-21 22:28:42 +00:00
|
|
|
|
|
|
|
|
|
2021-07-12 21:19:56 +00:00
|
|
|
@app.get(f'/<regex("{common.DOMAIN_RE}"):domain>')
|
2021-08-28 14:18:46 +00:00
|
|
|
@flask_util.cached(cache, CACHE_TIME)
|
2021-07-10 15:07:40 +00:00
|
|
|
def actor(domain):
|
2017-08-13 07:12:16 +00:00
|
|
|
"""Serves /[DOMAIN], fetches its mf2, converts to AS Actor, and serves it."""
|
2021-07-10 15:07:40 +00:00
|
|
|
tld = domain.split('.')[-1]
|
|
|
|
|
if tld in common.TLD_BLOCKLIST:
|
2021-08-06 17:29:25 +00:00
|
|
|
error('', status=404)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
2021-12-28 06:45:57 +00:00
|
|
|
mf2 = util.fetch_mf2(f'http://{domain}/', gateway=True, headers=common.HEADERS)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
hcard = mf2util.representative_hcard(mf2, mf2['url'])
|
2021-12-28 06:45:57 +00:00
|
|
|
logging.info(f'Representative h-card: {json_dumps(hcard, indent=2)}')
|
2021-07-10 15:07:40 +00:00
|
|
|
if not hcard:
|
2021-12-28 06:45:57 +00:00
|
|
|
error(f"Couldn't find a representative h-card (http://microformats.org/wiki/representative-hcard-parsing) on {mf2['url']}")
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
key = MagicKey.get_or_create(domain)
|
|
|
|
|
obj = common.postprocess_as2(
|
|
|
|
|
as2.from_as1(microformats2.json_to_object(hcard)), key=key)
|
|
|
|
|
obj.update({
|
2021-10-23 04:17:45 +00:00
|
|
|
'preferredUsername': domain,
|
2021-07-10 15:07:40 +00:00
|
|
|
'inbox': f'{request.host_url}{domain}/inbox',
|
|
|
|
|
'outbox': f'{request.host_url}{domain}/outbox',
|
|
|
|
|
'following': f'{request.host_url}{domain}/following',
|
|
|
|
|
'followers': f'{request.host_url}{domain}/followers',
|
|
|
|
|
})
|
2021-12-28 06:45:57 +00:00
|
|
|
logging.info(f'Returning: {json_dumps(obj, indent=2)}')
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
return (obj, {
|
|
|
|
|
'Content-Type': common.CONTENT_TYPE_AS2,
|
|
|
|
|
'Access-Control-Allow-Origin': '*',
|
|
|
|
|
})
|
|
|
|
|
|
2017-08-13 07:12:16 +00:00
|
|
|
|
2021-07-12 21:19:56 +00:00
|
|
|
@app.post(f'/<regex("{common.DOMAIN_RE}"):domain>/inbox')
|
2021-07-10 15:07:40 +00:00
|
|
|
def inbox(domain):
|
2017-08-13 21:49:35 +00:00
|
|
|
"""Accepts POSTs to /[DOMAIN]/inbox and converts to outbound webmentions."""
|
2021-07-10 15:07:40 +00:00
|
|
|
body = request.get_data(as_text=True)
|
|
|
|
|
logging.info(f'Got: {body}')
|
|
|
|
|
|
|
|
|
|
# parse and validate AS2 activity
|
|
|
|
|
try:
|
|
|
|
|
activity = request.json
|
|
|
|
|
assert activity
|
|
|
|
|
except (TypeError, ValueError, AssertionError):
|
2021-08-06 17:29:25 +00:00
|
|
|
error("Couldn't parse body as JSON", exc_info=True)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
obj = activity.get('object') or {}
|
|
|
|
|
if isinstance(obj, str):
|
|
|
|
|
obj = {'id': obj}
|
|
|
|
|
|
|
|
|
|
type = activity.get('type')
|
|
|
|
|
if type == 'Accept': # eg in response to a Follow
|
2021-12-30 03:34:46 +00:00
|
|
|
return '' # noop
|
2021-07-10 15:07:40 +00:00
|
|
|
if type == 'Create':
|
|
|
|
|
type = obj.get('type')
|
|
|
|
|
elif type not in SUPPORTED_TYPES:
|
2021-08-06 17:29:25 +00:00
|
|
|
error('Sorry, %s activities are not supported yet.' % type,
|
2021-07-10 15:07:40 +00:00
|
|
|
status=501)
|
|
|
|
|
|
|
|
|
|
# TODO: verify signature if there is one
|
|
|
|
|
|
|
|
|
|
if type == 'Undo' and obj.get('type') == 'Follow':
|
|
|
|
|
# skip actor fetch below; we don't need it to undo a follow
|
|
|
|
|
undo_follow(redirect_unwrap(activity))
|
|
|
|
|
return ''
|
|
|
|
|
elif type == 'Delete':
|
|
|
|
|
id = obj.get('id')
|
|
|
|
|
|
|
|
|
|
# !!! temporarily disabled actually deleting Followers below because
|
|
|
|
|
# mastodon.social sends Deletes for every Bridgy Fed account, all at
|
|
|
|
|
# basically the same time, and we have many Follower objects, so we
|
|
|
|
|
# have to do this table scan for each one, so the requests take a
|
|
|
|
|
# long time and end up spawning extra App Engine instances that we
|
|
|
|
|
# get billed for. and the Delete requests are almost never for
|
|
|
|
|
# followers we have. TODO: revisit this and do it right.
|
|
|
|
|
|
|
|
|
|
# if isinstance(id, str):
|
|
|
|
|
# # assume this is an actor
|
|
|
|
|
# # https://github.com/snarfed/bridgy-fed/issues/63
|
|
|
|
|
# for key in Follower.query().iter(keys_only=True):
|
|
|
|
|
# if key.id().split(' ')[-1] == id:
|
|
|
|
|
# key.delete()
|
|
|
|
|
return ''
|
|
|
|
|
|
|
|
|
|
# fetch actor if necessary so we have name, profile photo, etc
|
|
|
|
|
for elem in obj, activity:
|
|
|
|
|
actor = elem.get('actor')
|
|
|
|
|
if actor and isinstance(actor, str):
|
|
|
|
|
elem['actor'] = common.get_as2(actor).json()
|
|
|
|
|
|
|
|
|
|
activity_unwrapped = redirect_unwrap(activity)
|
|
|
|
|
if type == 'Follow':
|
|
|
|
|
return accept_follow(activity, activity_unwrapped)
|
|
|
|
|
|
|
|
|
|
# send webmentions to each target
|
|
|
|
|
as1 = as2.to_as1(activity)
|
|
|
|
|
common.send_webmentions(as1, proxy=True, protocol='activitypub',
|
|
|
|
|
source_as2=json_dumps(activity_unwrapped))
|
|
|
|
|
|
|
|
|
|
return ''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def accept_follow(follow, follow_unwrapped):
|
|
|
|
|
"""Replies to an AP Follow request with an Accept request.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
follow: dict, AP Follow activity
|
|
|
|
|
follow_unwrapped: dict, same, except with redirect URLs unwrapped
|
|
|
|
|
"""
|
|
|
|
|
logging.info('Replying to Follow with Accept')
|
|
|
|
|
|
|
|
|
|
followee = follow.get('object')
|
|
|
|
|
followee_unwrapped = follow_unwrapped.get('object')
|
|
|
|
|
follower = follow.get('actor')
|
|
|
|
|
if not followee or not followee_unwrapped or not follower:
|
2021-08-06 17:29:25 +00:00
|
|
|
error('Follow activity requires object and actor. Got: %s' % follow)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
inbox = follower.get('inbox')
|
|
|
|
|
follower_id = follower.get('id')
|
|
|
|
|
if not inbox or not follower_id:
|
2021-08-06 17:29:25 +00:00
|
|
|
error('Follow actor requires id and inbox. Got: %s', follower)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
# store Follower
|
|
|
|
|
user_domain = util.domain_from_link(followee_unwrapped)
|
|
|
|
|
Follower.get_or_create(user_domain, follower_id, last_follow=json_dumps(follow))
|
|
|
|
|
|
|
|
|
|
# send AP Accept
|
|
|
|
|
accept = {
|
|
|
|
|
'@context': 'https://www.w3.org/ns/activitystreams',
|
|
|
|
|
'id': util.tag_uri(request.host, 'accept/%s/%s' % (
|
|
|
|
|
(user_domain, follow.get('id')))),
|
|
|
|
|
'type': 'Accept',
|
|
|
|
|
'actor': followee,
|
|
|
|
|
'object': {
|
|
|
|
|
'type': 'Follow',
|
|
|
|
|
'actor': follower_id,
|
|
|
|
|
'object': followee,
|
2018-10-19 13:50:00 +00:00
|
|
|
}
|
2021-07-10 15:07:40 +00:00
|
|
|
}
|
|
|
|
|
resp = send(accept, inbox, user_domain)
|
|
|
|
|
|
|
|
|
|
# send webmention
|
|
|
|
|
common.send_webmentions(as2.to_as1(follow), proxy=True, protocol='activitypub',
|
|
|
|
|
source_as2=json_dumps(follow_unwrapped))
|
|
|
|
|
|
|
|
|
|
return resp.text, resp.status_code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ndb.transactional()
|
|
|
|
|
def undo_follow(undo_unwrapped):
|
|
|
|
|
"""Replies to an AP Follow request with an Accept request.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
undo_unwrapped: dict, AP Undo activity with redirect URLs unwrapped
|
|
|
|
|
"""
|
|
|
|
|
logging.info('Undoing Follow')
|
|
|
|
|
|
|
|
|
|
follow = undo_unwrapped.get('object', {})
|
|
|
|
|
follower = follow.get('actor')
|
|
|
|
|
followee = follow.get('object')
|
|
|
|
|
if not follower or not followee:
|
2021-08-06 17:29:25 +00:00
|
|
|
error('Undo of Follow requires object with actor and object. Got: %s' % follow)
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
# deactivate Follower
|
|
|
|
|
user_domain = util.domain_from_link(followee)
|
|
|
|
|
follower_obj = Follower.get_by_id(Follower._id(user_domain, follower))
|
|
|
|
|
if follower_obj:
|
2021-12-28 06:45:57 +00:00
|
|
|
logging.info(f'Marking {follower_obj.key} as inactive')
|
2021-07-10 15:07:40 +00:00
|
|
|
follower_obj.status = 'inactive'
|
|
|
|
|
follower_obj.put()
|
|
|
|
|
else:
|
2021-12-28 06:45:57 +00:00
|
|
|
logging.warning(f'No Follower found for {user_domain} {follower}')
|
2021-07-10 15:07:40 +00:00
|
|
|
|
|
|
|
|
# TODO send webmention with 410 of u-follow
|
