mirror
/
social
kopia lustrzana https://github.com/nextcloud/social
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Merge pull request #102 from nextcloud-gmbh/check-origin 

check origin on external request
pull/99/head
Maxence Lange 2018-12-03 09:35:22 -01:00 zatwierdzone przez GitHub
rodzic d08ec50d28 0d03ef5ced
commit d16b1770fe
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 4AEE18F83AFDEB23
10 zmienionych plików z 195 dodań i 91 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

23
lib/Controller/ActivityPubController.php
Wyświetl plik

@ -167,14 +167,15 @@ class ActivityPubController extends Controller {
public function sharedInbox(): Response {
try {
$this->activityService->checkRequest($this->request);
$body = file_get_contents('php://input');
$this->miscService->log('Shared Inbox: ' . $body);
$this->miscService->log('Shared Inbox: ' . $body, 0);
$activity = $this->importService->import($body);
$origin = $this->activityService->checkRequest($this->request);
$activity = $this->importService->importFromJson($body);
$activity->setOrigin($origin);
try {
$this->importService->parse($activity);
$this->importService->parseIncomingRequest($activity);
} catch (UnknownItemException $e) {
}
@ -204,18 +205,18 @@ class ActivityPubController extends Controller {
public function inbox(string $username): Response {
try {
$this->activityService->checkRequest($this->request);
$body = file_get_contents('php://input');
$this->miscService->log('Inbox: ' . $body, 0);
$origin = $this->activityService->checkRequest($this->request);
// TODO - check the recipient <-> username
// $actor = $this->actorService->getActor($username);
$this->miscService->log('Inbox: ' . $body);
$activity = $this->importService->import($body);
$activity = $this->importService->importFromJson($body);
$activity->setOrigin($origin);
try {
$this->importService->parse($activity);
$this->importService->parseIncomingRequest($activity);
} catch (UnknownItemException $e) {
}

8
lib/Exceptions/ActivityPubFormatException.php 100644
Wyświetl plik

@ -0,0 +1,8 @@
<?php
namespace OCA\Social\Exceptions;
class ActivityPubFormatException extends \Exception {
}

8
lib/Exceptions/InvalidOriginException.php 100644
Wyświetl plik

@ -0,0 +1,8 @@
<?php
namespace OCA\Social\Exceptions;
class InvalidOriginException extends \Exception {
}

88
lib/Model/ActivityPub/ACore.php
Wyświetl plik

@ -34,6 +34,7 @@ use daita\MySmallPhpTools\Traits\TArrayTools;
use daita\MySmallPhpTools\Traits\TPathTools;
use JsonSerializable;
use OCA\Social\Exceptions\ActivityCantBeVerifiedException;
use OCA\Social\Exceptions\InvalidOriginException;
use OCA\Social\Exceptions\UrlCloudException;
use OCA\Social\Model\InstancePath;
use OCA\Social\Service\ActivityPub\ICoreService;
@ -131,6 +132,9 @@ abstract class ACore implements JsonSerializable {
/** @var bool */
private $local = false;
/** @var string */
private $origin = '';
/**
* Core constructor.
@ -209,29 +213,6 @@ abstract class ACore implements JsonSerializable {
}
/**
* @param string $url
*
* @throws ActivityCantBeVerifiedException
*/
public function verify(string $url) {
$url1 = parse_url($this->getId());
$url2 = parse_url($url);
if ($this->get('host', $url1, '1') !== $this->get('host', $url2, '2')) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
if ($this->get('scheme', $url1, '1') !== $this->get('scheme', $url2, '2')) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
if ($this->getInt('port', $url1, 1) !== $this->getInt('port', $url2, 1)) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
}
/**
* @return string
*/
@ -512,6 +493,67 @@ abstract class ACore implements JsonSerializable {
}
/**
* @return string
*/
public function getOrigin(): string {
return $this->origin;
}
/**
* @param string $origin
*
* @return ACore
*/
public function setOrigin(string $origin): ACore {
$this->origin = $origin;
return $this;
}
/**
* @param $id
*
* @throws InvalidOriginException
*/
public function checkOrigin($id) {
$host = parse_url($id, PHP_URL_HOST);
if ($this->getRoot()
->getOrigin() === $host) {
return;
}
throw new InvalidOriginException();
}
/**
* @deprecated
*
* @param string $url
*
* @throws ActivityCantBeVerifiedException
*/
public function verify(string $url) {
// TODO - Compare this with checkOrigin()
$url1 = parse_url($this->getId());
$url2 = parse_url($url);
if ($this->get('host', $url1, '1') !== $this->get('host', $url2, '2')) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
if ($this->get('scheme', $url1, '1') !== $this->get('scheme', $url2, '2')) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
if ($this->getInt('port', $url1, 1) !== $this->getInt('port', $url2, 1)) {
throw new ActivityCantBeVerifiedException('activity cannot be verified');
}
}
/**
* @param string $published
*

3
lib/Model/ActivityPub/Activity/Tombstone.php → lib/Model/ActivityPub/Tombstone.php
Wyświetl plik

@ -28,11 +28,10 @@ declare(strict_types=1);
*/
namespace OCA\Social\Model\ActivityPub\Activity;
namespace OCA\Social\Model\ActivityPub;
use JsonSerializable;
use OCA\Social\Model\ActivityPub\ACore;
/**

8
lib/Service/ActivityPub/DeleteService.php
Wyświetl plik

@ -33,6 +33,7 @@ namespace OCA\Social\Service\ActivityPub;
use Exception;
use OCA\Social\Db\NotesRequest;
use OCA\Social\Exceptions\InvalidOriginException;
use OCA\Social\Exceptions\InvalidResourceException;
use OCA\Social\Exceptions\UnknownItemException;
use OCA\Social\Model\ActivityPub\ACore;
@ -80,9 +81,14 @@ class DeleteService implements ICoreService {
* @param ACore $delete
*
* @throws UnknownItemException
* @throws InvalidOriginException
*/
public function parse(ACore $delete) {
if (!$delete->isRoot()) {
throw new UnknownItemException();
}
if ($delete->gotObject()) {
$id = $delete->getObject()
->getId();
@ -90,6 +96,8 @@ class DeleteService implements ICoreService {
$id = $delete->getObjectId();
}
$delete->checkOrigin($id);
/** @var Delete $delete */
try {
$item = $this->activityService->getItem($id);

13
lib/Service/ActivityPub/FollowService.php
Wyświetl plik

@ -235,9 +235,11 @@ class FollowService implements ICoreService {
* @throws Exception
*/
public function parse(ACore $follow) {
/** @var Follow $follow */
if ($follow->isRoot()) {
$follow->verify($follow->getActorId());
$follow->checkOrigin($follow->getActorId());
try {
$this->followsRequest->getByPersons($follow->getActorId(), $follow->getObjectId());
} catch (FollowDoesNotExistException $e) {
@ -248,24 +250,25 @@ class FollowService implements ICoreService {
$this->confirmFollowRequest($follow);
}
}
} else {
$parent = $follow->getParent();
if ($parent->isRoot() === false) {
if (!$parent->isRoot()) {
return;
}
if ($parent->getType() === Undo::TYPE) {
$parent->verify($follow->getActorId());
$parent->checkOrigin($follow->getActorId());
$this->followsRequest->deleteByPersons($follow);
}
if ($parent->getType() === Reject::TYPE) {
$parent->verify($follow->getObjectId());
$parent->checkOrigin($follow->getObjectId());
$this->followsRequest->deleteByPersons($follow);
}
if ($parent->getType() === Accept::TYPE) {
$parent->verify($follow->getObjectId());
$parent->checkOrigin($follow->getObjectId());
$this->followsRequest->accepted($follow);
}

8
lib/Service/ActivityPub/NoteService.php
Wyświetl plik

@ -35,6 +35,7 @@ use OC\User\NoUserException;
use OCA\Social\Db\NotesRequest;
use OCA\Social\Exceptions\ActivityCantBeVerifiedException;
use OCA\Social\Exceptions\ActorDoesNotExistException;
use OCA\Social\Exceptions\InvalidOriginException;
use OCA\Social\Exceptions\NoteNotFoundException;
use OCA\Social\Exceptions\RequestException;
use OCA\Social\Exceptions\SocialAppConfigException;
@ -259,21 +260,22 @@ class NoteService implements ICoreService {
*
* @param ACore $note
*
* @throws ActivityCantBeVerifiedException
* @throws InvalidOriginException
*/
public function parse(ACore $note) {
/** @var Note $note */
if ($note->isRoot()) {
return;
}
$parent = $note->getParent();
if ($parent->isRoot() === false) {
if (!$parent->isRoot()) {
return;
}
if ($parent->getType() === Create::TYPE) {
$parent->verify(($note->getAttributedTo()));
$parent->checkOrigin($note->getAttributedTo());
try {
$this->notesRequest->getNoteById($note->getId());
} catch (NoteNotFoundException $e) {

38
lib/Service/ActivityService.php
Wyświetl plik

@ -40,6 +40,7 @@ use OCA\Social\Db\FollowsRequest;
use OCA\Social\Db\NotesRequest;
use OCA\Social\Exceptions\ActorDoesNotExistException;
use OCA\Social\Exceptions\EmptyQueueException;
use OCA\Social\Exceptions\InvalidOriginException;
use OCA\Social\Exceptions\InvalidResourceException;
use OCA\Social\Exceptions\NoHighPriorityRequestException;
use OCA\Social\Exceptions\QueueStatusException;
@ -52,8 +53,8 @@ use OCA\Social\Exceptions\UrlCloudException;
use OCA\Social\Model\ActivityPub\ACore;
use OCA\Social\Model\ActivityPub\Activity\Create;
use OCA\Social\Model\ActivityPub\Activity\Delete;
use OCA\Social\Model\ActivityPub\Activity\Tombstone;
use OCA\Social\Model\ActivityPub\Person;
use OCA\Social\Model\ActivityPub\Tombstone;
use OCA\Social\Model\InstancePath;
use OCA\Social\Model\RequestQueue;
use OCA\Social\Service\ActivityPub\PersonService;
@ -410,6 +411,7 @@ class ActivityService {
/**
* @param IRequest $request
*
* @return string
* @throws InvalidResourceException
* @throws MalformedArrayException
* @throws RequestException
@ -417,8 +419,16 @@ class ActivityService {
* @throws SocialAppConfigException
* @throws UrlCloudException
* @throws SignatureIsGoneException
* @throws InvalidOriginException
*/
public function checkRequest(IRequest $request) {
public function checkRequest(IRequest $request): string {
// TODO : check host is our current host.
// $host = $request->getHeader('host');
// if ($host === '') {
// throw new SignatureException('host is not set');
// }
$dTime = new DateTime($request->getHeader('date'));
$dTime->format(self::DATE_FORMAT);
@ -427,11 +437,12 @@ class ActivityService {
}
try {
$this->checkSignature($request);
$origin = $this->checkSignature($request);
} catch (Request410Exception $e) {
throw new SignatureIsGoneException();
}
return $origin;
}
@ -465,6 +476,7 @@ class ActivityService {
/**
* @param IRequest $request
*
* @return
* @throws InvalidResourceException
* @throws MalformedArrayException
* @throws Request410Exception
@ -472,6 +484,7 @@ class ActivityService {
* @throws SignatureException
* @throws SocialAppConfigException
* @throws UrlCloudException
* @throws InvalidOriginException
*/
private function checkSignature(IRequest $request) {
$signatureHeader = $request->getHeader('Signature');
@ -480,6 +493,8 @@ class ActivityService {
$this->mustContains(['keyId', 'headers', 'signature'], $sign);
$keyId = $sign['keyId'];
$origin = $this->getKeyOrigin($keyId);
$headers = $sign['headers'];
$signed = base64_decode($sign['signature']);
$estimated = $this->generateEstimatedSignature($headers, $request);
@ -490,6 +505,23 @@ class ActivityService {
throw new SignatureException('signature cannot be checked');
}
return $origin;
}
/**
* @param $id
*
* @return string
* @throws InvalidOriginException
*/
private function getKeyOrigin($id) {
$host = parse_url($id, PHP_URL_HOST);
if (is_string($host) && ($host !== '')) {
return $host;
}
throw new InvalidOriginException();
}

89
lib/Service/ImportService.php
Wyświetl plik

@ -33,6 +33,8 @@ namespace OCA\Social\Service;
use daita\MySmallPhpTools\Traits\TArrayTools;
use Exception;
use OCA\Social\Exceptions\ActivityPubFormatException;
use OCA\Social\Exceptions\InvalidResourceException;
use OCA\Social\Exceptions\SocialAppConfigException;
use OCA\Social\Exceptions\UnknownItemException;
use OCA\Social\Exceptions\UrlCloudException;
@ -41,7 +43,7 @@ use OCA\Social\Model\ActivityPub\Activity\Accept;
use OCA\Social\Model\ActivityPub\Activity\Create;
use OCA\Social\Model\ActivityPub\Activity\Delete;
use OCA\Social\Model\ActivityPub\Activity\Reject;
use OCA\Social\Model\ActivityPub\Activity\Tombstone;
use OCA\Social\Model\ActivityPub\Tombstone;
use OCA\Social\Model\ActivityPub\Document;
use OCA\Social\Model\ActivityPub\Follow;
use OCA\Social\Model\ActivityPub\Image;
@ -108,10 +110,14 @@ class ImportService {
* @throws UnknownItemException
* @throws UrlCloudException
* @throws SocialAppConfigException
* @throws ActivityPubFormatException
*/
public function import(string $json) {
public function importFromJson(string $json) {
$data = json_decode($json, true);
$activity = $this->createItem($data, null);
if (!is_array($data)) {
throw new ActivityPubFormatException();
}
$activity = $this->importFromData($data, null);
return $activity;
}
@ -126,9 +132,14 @@ class ImportService {
* @throws UrlCloudException
* @throws SocialAppConfigException
*/
private function createItem(array $data, $root = null): ACore {
private function importFromData(array $data, $root = null): ACore {
// TODO - missing : Person (why not ?), OrderCollection (not yet), Document (should ?)
switch ($this->get('type', $data, '')) {
case Accept::TYPE:
$item = new Accept($root);
break;
switch ($this->get('type', $data)) {
case Create::TYPE:
$item = new Create($root);
break;
@ -137,34 +148,30 @@ class ImportService {
$item = new Delete($root);
break;
case Tombstone::TYPE:
$item = new Tombstone($root);
break;
case Note::TYPE:
$item = new Note($root);
case Follow::TYPE:
$item = new Follow($root);
break;
case Image::TYPE:
$item = new Image($root);
break;
case Follow::TYPE:
$item = new Follow($root);
break;
case Undo::TYPE:
$item = new Undo($root);
break;
case Accept::TYPE:
$item = new Accept($root);
case Note::TYPE:
$item = new Note($root);
break;
case Reject::TYPE:
$item = new Reject($root);
break;
case Tombstone::TYPE:
$item = new Tombstone($root);
break;
case Undo::TYPE:
$item = new Undo($root);
break;
default:
throw new UnknownItemException();
}
@ -174,14 +181,16 @@ class ImportService {
$item->setSource(json_encode($data, JSON_UNESCAPED_SLASHES));
try {
$object = $this->createItem($this->getArray('object', $data, []), $item);
$object = $this->importFromData($this->getArray('object', $data, []), $item);
$object->setParent($item);
$item->setObject($object);
} catch (UnknownItemException $e) {
}
try {
/** @var Document $icon */
$icon = $this->createItem($this->getArray('icon', $data, []), $item);
$icon = $this->importFromData($this->getArray('icon', $data, []), $item);
$icon->setParent($item);
$item->setIcon($icon);
} catch (UnknownItemException $e) {
}
@ -195,44 +204,25 @@ class ImportService {
*
* @throws UnknownItemException
*/
public function parse(Acore $activity) {
public function parseIncomingRequest(ACore $activity) {
if ($activity->gotObject()) {
try {
$this->parse($activity->getObject());
$this->parseIncomingRequest($activity->getObject());
} catch (UnknownItemException $e) {
}
}
switch ($activity->getType()) {
// case 'Activity':
// $service = $this;
// break;
case Delete::TYPE:
$service = $this->deleteService;
break;
// case Undo::TYPE:
// $service = $this->undoService;
// break;
//
// case Accept::TYPE:
// $service = $this->acceptService;
// break;
//
// case Reject::TYPE:
// $service = $this->rejectService;
// break;
case Follow::TYPE:
$service = $this->followService;
break;
// case Image::TYPE:
// $service = $this->imageService;
// break;
case Note::TYPE:
$service = $this->noteService;
break;
@ -251,5 +241,16 @@ class ImportService {
}
/**
* @param ACore $activity
*
* @param string $id
*
* @throws InvalidResourceException
*/
public function verifyOrigin(ACore $activity, string $id) {
throw new InvalidResourceException();
}
}