bridgy-fed/atproto.py

"""ATProto protocol implementation.

https://atproto.com/
"""
import itertools
import logging
import os
import re

from arroba import did
from arroba.datastore_storage import AtpRemoteBlob, AtpRepo, DatastoreStorage
from arroba.repo import Repo, Write
import arroba.server
from arroba.storage import Action, CommitData
from arroba.util import at_uri, next_tid, parse_at_uri, service_jwt
import dag_json
from flask import abort, request
from google.cloud import dns
from google.cloud import ndb
from granary import as1, bluesky
from lexrpc import Client
import requests
from requests import RequestException
from oauth_dropins.webutil.appengine_config import ndb_client
from oauth_dropins.webutil.appengine_info import DEBUG
from oauth_dropins.webutil import util
from oauth_dropins.webutil.util import json_dumps, json_loads

import common
from common import (
    add,
    DOMAIN_BLOCKLIST,
    DOMAIN_RE,
    DOMAINS,
    error,
    USER_AGENT,
)
import flask_app
from models import Object, PROTOCOLS, Target, User
from protocol import Protocol

logger = logging.getLogger(__name__)

arroba.server.storage = DatastoreStorage(ndb_client=ndb_client)

appview = Client(f'https://{os.environ["APPVIEW_HOST"]}',
                 headers={'User-Agent': USER_AGENT})
LEXICONS = appview.defs

# https://atproto.com/guides/applications#record-types
COLLECTION_TO_TYPE = {
  'app.bsky.actor.profile': 'profile',
  'app.bsky.feed.like': 'like',
  'app.bsky.feed.post': 'post',
  'app.bsky.feed.repost': 'repost',
  'app.bsky.graph.follow': 'follow',
}

DNS_GCP_PROJECT = 'brid-gy'
DNS_ZONE = 'brid-gy'
DNS_TTL = 10800  # seconds
logger.info(f'Using GCP DNS project {DNS_GCP_PROJECT} zone {DNS_ZONE}')
dns_client = dns.Client(project=DNS_GCP_PROJECT)


def did_to_handle(did):
    """Resolves a DID to a handle _if_ we have the DID doc stored locally.

    Args:
      did (str)

    Returns:
      str: handle, or None
    """
    if did_obj := ATProto.load(did, did_doc=True):
        if aka := util.get_first(did_obj.raw, 'alsoKnownAs', ''):
            handle, _, _ = parse_at_uri(aka)
            if handle:
                return handle


class ATProto(User, Protocol):
    """AT Protocol class.

    Key id is DID, currently either did:plc or did:web.
    https://atproto.com/specs/did
    """
    ABBREV = 'bsky'
    PHRASE = 'Bluesky'
    LOGO_HTML = '<img src="/oauth_dropins_static/bluesky.svg">'
    # note that PDS hostname is atproto.brid.gy here, not bsky.brid.gy. Bluesky
    # team currently has our hostname as atproto.brid.gy in their federation
    # test. also note that PDS URL shouldn't include trailing slash.
    # https://atproto.com/specs/did#did-documents
    PDS_URL = f'https://atproto{common.SUPERDOMAIN}'
    CONTENT_TYPE = 'application/json'
    HAS_COPIES = True
    DEFAULT_ENABLED_PROTOCOLS = ()

    def _pre_put_hook(self):
        """Validate id, require did:plc or non-blocklisted did:web."""
        super()._pre_put_hook()
        id = self.key.id()
        assert id

        if id.startswith('did:plc:'):
            assert id.removeprefix('did:plc:')
        elif id.startswith('did:web:'):
            domain = id.removeprefix('did:web:')
            assert (re.match(common.DOMAIN_RE, domain)
                    and not Protocol.is_blocklisted(domain)), domain
        else:
            assert False, f'{id} is not valid did:plc or did:web'

    @ndb.ComputedProperty
    def handle(self):
        """Returns handle if the DID document includes one, otherwise None."""
        return did_to_handle(self.key.id())

    def web_url(self):
        return bluesky.Bluesky.user_url(self.handle_or_id())

    @classmethod
    def owns_id(cls, id):
        return (id.startswith('at://')
                or id.startswith('did:plc:')
                or id.startswith('did:web:')
                or id.startswith('https://bsky.app/'))

    @classmethod
    def owns_handle(cls, handle, allow_internal=False):
        # TODO: implement allow_internal
        if not did.HANDLE_RE.fullmatch(handle):
            return False

    @classmethod
    def handle_to_id(cls, handle):
        assert cls.owns_handle(handle) is not False

        # TODO: shortcut our own handles? eg snarfed.org.web.brid.gy

        user = ATProto.query(ATProto.handle == handle).get()
        if user:
            return user.key.id()

        return did.resolve_handle(handle, get_fn=util.requests_get)

    @staticmethod
    def profile_at_uri(id):
        assert id.startswith('did:')
        return f'at://{id}/app.bsky.actor.profile/self'

    def profile_id(self):
        return self.profile_at_uri(self.key.id())

    @classmethod
    def bridged_web_url_for(cls, user):
        """Returns a bridged user's profile URL on bsky.app.

        For example, returns ``https://bsky.app/profile/alice.com.web.brid.gy``
        for Web user ``alice.com``.

        Args:
          user (models.User)

        Returns:
          str, or None if there isn't a canonical URL
        """
        if not isinstance(user, ATProto):
            if did := user.get_copy(ATProto):
                return bluesky.Bluesky.user_url(did_to_handle(did) or did)

    @classmethod
    def target_for(cls, obj, shared=False):
        """Returns our PDS URL as the target for the given object.

        ATProto delivery is indirect. We write all records to the user's local
        repo that we host, then BGSes and other subscribers receive them via the
        subscribeRepos event streams. So, we use a single target, our base URL
        (eg ``https://atproto.brid.gy/``) as the PDS URL, for all activities.
        """
        if cls.owns_id(obj.key.id()) is not False:
            return cls.PDS_URL

    @classmethod
    def pds_for(cls, obj):
        """Returns the PDS URL for the given object, or None.

        Args:
          obj (Object)

        Returns:
          str:
        """
        id = obj.key.id()
        # logger.debug(f'Finding ATProto PDS for {id}')

        if id.startswith('did:'):
            if obj.raw:
                for service in obj.raw.get('service', []):
                    if service.get('id') in ('#atproto_pds', f'{id}#atproto_pds'):
                        return service.get('serviceEndpoint')

            logger.info(f"{id}'s DID doc has no ATProto PDS")
            return None

        if id.startswith('https://bsky.app/'):
            return cls.pds_for(Object(id=bluesky.web_url_to_at_uri(id)))

        if id.startswith('at://'):
            repo, collection, rkey = parse_at_uri(id)

            if not repo.startswith('did:'):
                # repo is a handle; resolve it
                repo_did = cls.handle_to_id(repo)
                if repo_did:
                    return cls.pds_for(Object(id=id.replace(
                        f'at://{repo}', f'at://{repo_did}')))
                else:
                    return None

            did_obj = ATProto.load(repo, did_doc=True)
            if did_obj:
                return cls.pds_for(did_obj)
            # TODO: what should we do if the DID doesn't exist? should we return
            # None here? or do we need this path to return BF's URL so that we
            # then create the DID for non-ATP users on demand?

        # don't use Object.as1 if bsky is set, since that conversion calls
        # pds_for, which would infinite loop
        if not obj.bsky and obj.as1:
            if owner := as1.get_owner(obj.as1):
                if user_key := Protocol.key_for(owner):
                    if user := user_key.get():
                        if owner_did := user.get_copy(ATProto):
                            return cls.pds_for(Object(id=f'at://{owner_did}'))

        return None

    def is_blocklisted(url, allow_internal=False):
        # don't block common.DOMAINS since we want ourselves, ie our own PDS, to
        # be a valid domain to send to
        return util.domain_or_parent_in(util.domain_from_link(url), DOMAIN_BLOCKLIST)

    @classmethod
    @ndb.transactional()
    def create_for(cls, user):
        """Creates an ATProto repo and profile for a non-ATProto user.

        Args:
          user (models.User)

        Raises:
          ValueError: if the user's handle is invalid, eg begins or ends with an
            underscore or dash
        """
        assert not isinstance(user, ATProto)

        if user.get_copy(ATProto):
            return

        # create new DID, repo
        # PDS URL shouldn't include trailing slash!
        # https://atproto.com/specs/did#did-documents
        pds_url = common.host_url().rstrip('/') if DEBUG else cls.PDS_URL
        handle = user.handle_as('atproto')
        logger.info(f'Creating new did:plc for {user.key} {handle} {pds_url}')
        did_plc = did.create_plc(handle, pds_url=pds_url, post_fn=util.requests_post)

        Object.get_or_create(did_plc.did, raw=did_plc.doc)
        # TODO: move this to ATProto.get_or_create?
        add(user.copies, Target(uri=did_plc.did, protocol='atproto'))

        # create _atproto DNS record for handle resolution
        # https://atproto.com/specs/handle#handle-resolution
        name = f'_atproto.{handle}.'
        val = f'"did={did_plc.did}"'
        logger.info(f'adding GCP DNS TXT record for {name} {val}')
        if DEBUG:
            logger.info('  skipped since DEBUG is true')
        else:
            zone = dns_client.zone(DNS_ZONE)
            r = zone.resource_record_set(name=name, record_type='TXT', ttl=DNS_TTL,
                                         rrdatas=[val])
            changes = zone.changes()
            changes.add_record_set(r)
            changes.create()
            logger.info('  done!')

        # fetch and store profile
        if not user.obj:
            user.obj = user.load(user.profile_id())

        initial_writes = None
        if user.obj and user.obj.as1:
            # create user profile
            profile = cls.convert(user.obj, fetch_blobs=True, from_user=user)
            profile.setdefault('labels', {'$type': 'com.atproto.label.defs#selfLabels'})
            profile['labels'].setdefault('values', []).append({
                'val' : f'bridged-from-bridgy-fed-{user.LABEL}',
            })

            profile_json = json_dumps(dag_json.encode(profile).decode(), indent=2)
            logger.info(f'Storing ATProto app.bsky.actor.profile self: {profile_json}')
            initial_writes = [Write(
                action=Action.CREATE, collection='app.bsky.actor.profile',
                rkey='self', record=profile)]
            uri = at_uri(did_plc.did, 'app.bsky.actor.profile', 'self')
            user.obj.add('copies', Target(uri=uri, protocol='atproto'))
            user.obj.put()

        repo = Repo.create(
            arroba.server.storage, did_plc.did, handle=handle,
            callback=lambda _: common.create_task(queue='atproto-commit'),
            initial_writes=initial_writes,
            signing_key=did_plc.signing_key,
            rotation_key=did_plc.rotation_key)

        user.put()

    @classmethod
    def send(to_cls, obj, url, from_user=None, orig_obj=None):
        """Creates a record if we own its repo.

        Creates the repo first if it doesn't exist.

        If the repo's DID doc doesn't say we're its PDS, does nothing and
        returns False.

        Doesn't deliver anywhere externally! BGS(es) will receive this record
        through ``subscribeRepos`` and then deliver it to AppView(s), which will
        notify recipients as necessary.
        """
        if util.domain_from_link(url) not in DOMAINS:
            logger.info(f'Target PDS {url} is not us')
            return False

        verb = obj.as1.get('verb')
        if verb in ('accept', 'undo'):
            logger.info(f'Skipping sending {verb}, not supported in ATProto')
            return False

        # determine "base" object, if any
        type = as1.object_type(obj.as1)
        base_obj = obj
        if type in ('post', 'update', 'delete'):
            obj_as1 = as1.get_object(obj.as1)
            type = as1.object_type(obj_as1)
            # TODO: should we not load for deletes?
            base_obj = PROTOCOLS[obj.source_protocol].load(obj_as1['id'])
            if not base_obj:
                base_obj = obj

        # convert to Bluesky record; short circuits on error
        try:
            record = to_cls.convert(base_obj, fetch_blobs=True, from_user=from_user)
        except ValueError as e:
            logger.info(f'Skipping due to {e}')
            return False

        # find user
        from_cls = PROTOCOLS[obj.source_protocol]
        from_key = from_cls.actor_key(obj)
        if not from_key:
            logger.info(f"Couldn't find {obj.source_protocol} user for {obj.key}")
            return False

        # load user
        user = from_cls.get_or_create(from_key.id(), propagate=True)
        did = user.get_copy(ATProto)
        assert did
        logger.info(f'{user.key} is {did}')
        did_doc = to_cls.load(did, did_doc=True)
        pds = to_cls.pds_for(did_doc)
        if not pds or util.domain_from_link(pds) not in DOMAINS:
            logger.warning(f'{from_key} {did} PDS {pds} is not us')
            return False

        # load repo
        repo = arroba.server.storage.load_repo(did)
        assert repo
        repo.callback = lambda _: common.create_task(queue='atproto-commit')

        if verb == 'flag':
            return to_cls.create_report(record, user)

        # write commit
        type = record['$type']
        lex_type = LEXICONS[type]['type']
        assert lex_type == 'record', f"Can't store {type} object of type {lex_type}"

        ndb.transactional()
        def write():
            match verb:
                case 'update':
                    action = Action.UPDATE
                case 'delete':
                    action = Action.DELETE
                case _:
                    action = Action.CREATE
                    rkey = next_tid()

            if verb in ('update', 'delete'):
                # load existing record, check that it's the same one
                copy = base_obj.get_copy(to_cls)
                assert copy
                copy_did, coll, rkey = parse_at_uri(copy)
                assert copy_did == did, (copy_did, did)
                assert coll == type, (coll, type)

            logger.info(f'Storing ATProto {action} {type} {rkey}: {dag_json.encode(record).decode()}')
            repo.apply_writes([Write(action=action, collection=type, rkey=rkey,
                                     record=record)])

            at_uri = f'at://{did}/{type}/{rkey}'
            base_obj.add('copies', Target(uri=at_uri, protocol=to_cls.LABEL))
            base_obj.put()

        write()
        return True

    @classmethod
    def load(cls, id, did_doc=False, **kwargs):
        """Thin wrapper that converts DIDs and bsky.app URLs to at:// URIs.

        Args:
          did_doc (bool): if True, loads and returns a DID document object
            instead of an ``app.bsky.actor.profile/self``.
        """
        if id.startswith('did:') and not did_doc:
            id = cls.profile_at_uri(id)

        elif id.startswith('https://bsky.app/'):
            try:
                id = bluesky.web_url_to_at_uri(id)
            except ValueError as e:
                logger.warning(f"Couldn't convert {id} to at:// URI: {e}")
                return None

        return super().load(id, **kwargs)

    @classmethod
    def fetch(cls, obj, **kwargs):
        """Tries to fetch a ATProto object.

        Args:
          obj (models.Object): with the id to fetch. Fills data into the ``as2``
            property.
          kwargs: ignored

        Returns:
          bool: True if the object was fetched and populated successfully,
          False otherwise
        """
        id = obj.key.id()
        if not cls.owns_id(id):
            logger.info(f"ATProto can't fetch {id}")
            return False

        assert not id.startswith('https://bsky.app/')  # handled in load

        # did:plc, did:web
        if id.startswith('did:'):
            try:
                obj.raw = did.resolve(id, get_fn=util.requests_get)
                return True
            except (ValueError, requests.RequestException) as e:
                util.interpret_http_exception(e)
                return False

        # at:// URI. if it has a handle, resolve and replace with DID.
        # examples:
        # at://did:plc:s2koow7r6t7tozgd4slc3dsg/app.bsky.feed.post/3jqcpv7bv2c2q
        # https://bsky.social/xrpc/com.atproto.repo.getRecord?repo=did:plc:s2koow7r6t7tozgd4slc3dsg&collection=app.bsky.feed.post&rkey=3jqcpv7bv2c2q
        repo, collection, rkey = parse_at_uri(id)
        if not repo.startswith('did:'):
            handle = repo
            repo = cls.handle_to_id(repo)
            if not repo:
                return False
            assert repo.startswith('did:')
            obj.key = ndb.Key(Object, id.replace(f'at://{handle}', f'at://{repo}'))

        try:
            appview.address = f'https://{os.environ["APPVIEW_HOST"]}'
            ret = appview.com.atproto.repo.getRecord(
                repo=repo, collection=collection, rkey=rkey)
        except RequestException as e:
            util.interpret_http_exception(e)
            return False

        # TODO: verify sig?
        obj.bsky = {
            **ret['value'],
            'cid': ret.get('cid'),
        }
        return True

    @classmethod
    def convert(cls, obj, fetch_blobs=False, from_user=None):
        """Converts a :class:`models.Object` to ``app.bsky.*`` lexicon JSON.

        Args:
          obj (models.Object)
          fetch_blobs (bool): whether to fetch images and other blobs, store
            them in :class:`arroba.datastore_storage.AtpRemoteBlob`\s if they
            don't already exist, and fill them into the returned object.
          from_user (models.User): user (actor) this activity/object is from

        Returns:
          dict: JSON object
        """
        from_proto = PROTOCOLS.get(obj.source_protocol)
        # TODO: uncomment
        # if from_proto and not from_user.is_enabled(cls):
        #     error(f'{cls.LABEL} <=> {from_proto.LABEL} not enabled')

        if obj.bsky:
            return obj.bsky

        if not obj.as1:
            return {}

        blobs = {}  # maps str URL to dict blob object
        if fetch_blobs:
            for o in obj.as1, as1.get_object(obj.as1):
                for url in util.get_urls(o, 'image'):
                    if url not in blobs:
                        blob = AtpRemoteBlob.get_or_create(
                            url=url, get_fn=util.requests_get)
                        blobs[url] = blob.as_object()

        ret = bluesky.from_as1(cls.translate_ids(obj.as1), blobs=blobs)
            # TODO: uncomment this and pass through client eventually? would be
            # nice to start reusing granary's resolving handles and CIDs, but we
            # do much of that ourselves here in BF beforehand, so granary ends
            # up duplicating those network requests
            # client=appview)

        # fill in CIDs from Objects
        def populate_cid(strong_ref):
            if uri := strong_ref.get('uri'):
                # TODO: fail if this load fails? since we don't populate CID
                if ref_obj := ATProto.load(uri):
                    if not ref_obj.bsky.get('cid'):
                        ref_obj = ATProto.load(uri, remote=True)
                    strong_ref.update({
                        'cid': ref_obj.bsky.get('cid'),
                        'uri': ref_obj.key.id(),
                    })

        match ret.get('$type'):
            case ('app.bsky.feed.like'
                  | 'app.bsky.feed.repost'
                  | 'com.atproto.moderation.createReport#input'):
                populate_cid(ret['subject'])
            case 'app.bsky.feed.post' if ret.get('reply'):
                populate_cid(ret['reply']['root'])
                populate_cid(ret['reply']['parent'])

        return ret


    @classmethod
    def create_report(cls, input, from_user):
        """Sends a ``createReport`` for a ``flag`` activity.

        Args:
          input (dict): ``createReport`` input
          from_user (models.User): user (actor) this flag is from

        Returns:
          bool: True if the report was sent successfully, False if the flag's
            actor is not bridged into ATProto
        """
        assert input['$type'] == 'com.atproto.moderation.createReport#input'

        repo_did = from_user.get_copy(ATProto)
        if not repo_did:
            return False
        repo = arroba.server.storage.load_repo(repo_did)
        mod_host = os.environ['MOD_SERVICE_HOST']
        token = service_jwt(host=mod_host,
                            aud=os.environ['MOD_SERVICE_DID'],
                            repo_did=repo_did,
                            privkey=repo.signing_key)

        client = Client(f'https://{mod_host}', truncate=True,
                        headers={'User-Agent': USER_AGENT})
        output = client.com.atproto.moderation.createReport(input)
        logger.info(f'Created report on {mod_host}: {json_dumps(output)}')
        return True

# URL route is registered in hub.py
def poll_notifications():
    """Fetches and enqueueus new activities from the AppView for our users.

    Uses the ``listNotifications`` endpoint, which is intended for end users. 🤷

    https://github.com/bluesky-social/atproto/discussions/1538

    TODO: unify with poll_posts
    """
    repos = {r.key.id(): r for r in AtpRepo.query()}
    logger.info(f'Got {len(repos)} repos')
    if not repos:
        return 'Nothing to do ¯\_(ツ)_/¯', 204

    users = itertools.chain(*(cls.query(cls.copies.uri.IN(list(repos)))
                              for cls in set(PROTOCOLS.values())
                              if cls and cls != ATProto))

    # this client needs to be request-local because we set its service token
    # below per user that we're polling
    client = Client(f'https://{os.environ["APPVIEW_HOST"]}',
                    headers={'User-Agent': USER_AGENT})

    for user in users:
        if not user.is_enabled(ATProto):
            logger.info(f'Skipping {user.key.id()}')
            continue

        logger.debug(f'Fetching notifs for {user.key.id()}')

        did = user.get_copy(ATProto)
        repo = repos[did]
        client.session['accessJwt'] = service_jwt(os.environ['APPVIEW_HOST'],
                                                  repo_did=did,
                                                  privkey=repo.signing_key)

        resp = client.app.bsky.notification.listNotifications(
            # higher limit for protocol bot users to try to make sure we don't
            # miss any follows
            limit=100 if Protocol.for_bridgy_subdomain(user.handle) else 10)
        latest_indexed_at = user.atproto_notifs_indexed_at

        for notif in resp['notifications']:
            if (user.atproto_notifs_indexed_at
                    and notif['indexedAt'] <= user.atproto_notifs_indexed_at):
                continue

            if not latest_indexed_at or notif['indexedAt'] > latest_indexed_at:
                latest_indexed_at = notif['indexedAt']

            # TODO: verify sig. skipping this for now because we're getting
            # these from the AppView, which is trusted, specifically we expect
            # the BGS and/or the AppView already checked sigs.
            actor_did = notif['author']['did']
            obj = Object.get_or_create(id=notif['uri'], bsky=notif['record'],
                                       source_protocol=ATProto.ABBREV,
                                       actor=actor_did)
            if obj.status in ('complete', 'ignored'):
                continue

            logger.debug(f'Got new {notif["reason"]} from {notif["author"]["handle"]} {notif["uri"]} {notif["cid"]} : {json_dumps(notif, indent=2)}')

            if not obj.status:
                obj.status = 'new'
            obj.add('notify', user.key)
            obj.put()

            common.create_task(queue='receive', obj=obj.key.urlsafe(),
                               authed_as=actor_did)

        # store indexed_at
        @ndb.transactional()
        def store_indexed_at():
            u = user.key.get()
            u.atproto_notifs_indexed_at = latest_indexed_at
            u.put()
        store_indexed_at()

    return 'OK'


# URL route is registered in hub.py
def poll_posts():
    """Fetches and enqueueus bridged Bluesky users' new posts from the AppView.

    Uses the ``getAuthorFeed`` endpoint, which is intended for clients. 🤷

    TODO: unify with poll_notifications
    """
    # this client needs to be request-local because we set its service token
    # below per user that we're polling
    client = Client(f'https://{os.environ["APPVIEW_HOST"]}',
                    headers={'User-Agent': USER_AGENT})

    for user in ATProto.query(ATProto.enabled_protocols != None):
        if user.status == 'opt-out':
            continue

        did = user.key.id()
        logger.debug(f'Fetching posts for {did} {user.handle}')

        resp = appview.app.bsky.feed.getAuthorFeed(
            actor=did, filter='posts_with_replies', limit=10)
        latest_indexed_at = user.atproto_feed_indexed_at

        for item in resp['feed']:
            # TODO: handle reposts once we have a URI for them
            # https://github.com/bluesky-social/atproto/issues/1811
            if item.get('reason'):
                continue

            post = item['post']

            # TODO: use item['reason']['indexedAt'] instead for reposts once
            # we're handling them
            if (user.atproto_feed_indexed_at
                    and post['indexedAt'] <= user.atproto_feed_indexed_at):
                continue

            if not latest_indexed_at or post['indexedAt'] > latest_indexed_at:
                latest_indexed_at = post['indexedAt']

            # TODO: verify sig. skipping this for now because we're getting
            # these from the AppView, which is trusted, specifically we expect
            # the BGS and/or the AppView already checked sigs.
            assert did == post['author']['did']
            obj = Object.get_or_create(id=post['uri'], bsky=post['record'],
                                       source_protocol=ATProto.ABBREV, actor=did)
            if obj.status in ('complete', 'ignored'):
                continue

            logger.debug(f'Got new post: {post["uri"]} : {json_dumps(item, indent=2)}')
            if not obj.status:
                obj.status = 'new'
            obj.add('feed', user.key)
            obj.put()

            common.create_task(queue='receive', obj=obj.key.urlsafe(), authed_as=did)

        # store indexed_at
        @ndb.transactional()
        def store_indexed_at():
            u = user.key.get()
            u.atproto_feed_indexed_at = latest_indexed_at
            u.put()
        store_indexed_at()

    return 'OK'