-pub mod activities;
-pub(crate) mod collections;
-mod context;
-pub mod fetcher;
-pub mod http;
-pub mod migrations;
-pub mod objects;
-
-#[macro_use]
-extern crate lazy_static;
-
use crate::fetcher::post_or_comment::PostOrComment;
-use anyhow::{anyhow, Context};
-use lemmy_api_common::blocking;
-use lemmy_apub_lib::{
- activity_queue::send_activity,
- traits::ActorType,
- webfinger::{webfinger_resolve_actor, WebfingerType},
+use activitypub_federation::{
+ core::signatures::PublicKey,
+ traits::{Actor, ApubObject},
+ InstanceSettingsBuilder,
+ LocalInstance,
};
-use lemmy_db_schema::{
- newtypes::{CommunityId, DbUrl},
- source::{activity::Activity, person::Person},
- DbPool,
+use anyhow::Context;
+use lemmy_api_common::utils::blocking;
+use lemmy_db_schema::{newtypes::DbUrl, source::activity::Activity, utils::DbPool};
+use lemmy_utils::{
+ error::LemmyError,
+ location_info,
+ settings::{structs::Settings, SETTINGS},
};
-use lemmy_db_views_actor::community_person_ban_view::CommunityPersonBanView;
-use lemmy_utils::{location_info, settings::structs::Settings, LemmyError};
use lemmy_websocket::LemmyContext;
-use log::info;
-use serde::Serialize;
-use std::net::IpAddr;
+use once_cell::sync::{Lazy, OnceCell};
use url::{ParseError, Url};
+pub mod activities;
+pub(crate) mod activity_lists;
+pub(crate) mod collections;
+pub mod fetcher;
+pub mod http;
+pub(crate) mod mentions;
+pub mod objects;
+pub mod protocol;
+
+static CONTEXT: Lazy<Vec<serde_json::Value>> = Lazy::new(|| {
+ serde_json::from_str(include_str!("../assets/lemmy/context.json")).expect("parse context")
+});
+
+// TODO: store this in context? but its only used in this crate, no need to expose it elsewhere
+fn local_instance(context: &LemmyContext) -> &'static LocalInstance {
+ static LOCAL_INSTANCE: OnceCell<LocalInstance> = OnceCell::new();
+ LOCAL_INSTANCE.get_or_init(|| {
+ let settings = InstanceSettingsBuilder::default()
+ .http_fetch_retry_limit(context.settings().federation.http_fetch_retry_limit)
+ .worker_count(context.settings().federation.worker_count)
+ .debug(context.settings().federation.debug)
+ // TODO No idea why, but you can't pass context.settings() to the verify_url_function closure
+ // without the value getting captured.
+ .verify_url_function(|url| check_apub_id_valid(url, &SETTINGS))
+ .build()
+ .expect("configure federation");
+ LocalInstance::new(
+ context.settings().hostname.to_owned(),
+ context.client().clone(),
+ settings,
+ )
+ })
+}
+
/// Checks if the ID is allowed for sending or receiving.
///
/// In particular, it checks for:
/// - URL being in the allowlist (if it is active)
/// - URL not being in the blocklist (if it is active)
///
-pub(crate) fn check_is_apub_id_valid(
- apub_id: &Url,
- use_strict_allowlist: bool,
- settings: &Settings,
-) -> Result<(), LemmyError> {
- let domain = apub_id.domain().context(location_info!())?.to_string();
- let local_instance = settings.get_hostname_without_port()?;
-
- if !settings.federation.enabled {
- return if domain == local_instance {
- Ok(())
- } else {
- Err(
- anyhow!(
- "Trying to connect with {}, but federation is disabled",
- domain
- )
- .into(),
- )
- };
+/// `use_strict_allowlist` should be true only when parsing a remote community, or when parsing a
+/// post/comment in a local community.
+#[tracing::instrument(skip(settings))]
+fn check_apub_id_valid(apub_id: &Url, settings: &Settings) -> Result<(), &'static str> {
+ let domain = apub_id.domain().expect("apud id has domain").to_string();
+ let local_instance = settings
+ .get_hostname_without_port()
+ .expect("local hostname is valid");
+ if domain == local_instance {
+ return Ok(());
}
- let host = apub_id.host_str().context(location_info!())?;
- let host_as_ip = host.parse::<IpAddr>();
- if host == "localhost" || host_as_ip.is_ok() {
- return Err(anyhow!("invalid hostname {}: {}", host, apub_id).into());
+ if !settings.federation.enabled {
+ return Err("Federation disabled");
}
if apub_id.scheme() != settings.get_protocol_string() {
- return Err(anyhow!("invalid apub id scheme {}: {}", apub_id.scheme(), apub_id).into());
+ return Err("Invalid protocol scheme");
}
- // TODO: might be good to put the part above in one method, and below in another
- // (which only gets called in apub::objects)
- // -> no that doesnt make sense, we still need the code below for blocklist and strict allowlist
if let Some(blocked) = settings.to_owned().federation.blocked_instances {
if blocked.contains(&domain) {
- return Err(anyhow!("{} is in federation blocklist", domain).into());
+ return Err("Domain is blocked");
+ }
+ }
+
+ if let Some(allowed) = settings.to_owned().federation.allowed_instances {
+ if !allowed.contains(&domain) {
+ return Err("Domain is not in allowlist");
}
}
+ Ok(())
+}
+
+#[tracing::instrument(skip(settings))]
+pub(crate) fn check_apub_id_valid_with_strictness(
+ apub_id: &Url,
+ is_strict: bool,
+ settings: &Settings,
+) -> Result<(), LemmyError> {
+ check_apub_id_valid(apub_id, settings).map_err(LemmyError::from_message)?;
+ let domain = apub_id.domain().expect("apud id has domain").to_string();
+ let local_instance = settings
+ .get_hostname_without_port()
+ .expect("local hostname is valid");
+ if domain == local_instance {
+ return Ok(());
+ }
+
if let Some(mut allowed) = settings.to_owned().federation.allowed_instances {
// Only check allowlist if this is a community, or strict allowlist is enabled.
let strict_allowlist = settings.to_owned().federation.strict_allowlist;
- if use_strict_allowlist || strict_allowlist {
+ if is_strict || strict_allowlist {
// need to allow this explicitly because apub receive might contain objects from our local
// instance.
allowed.push(local_instance);
if !allowed.contains(&domain) {
- return Err(anyhow!("{} not in federation allowlist", domain).into());
+ return Err(LemmyError::from_message(
+ "Federation forbidden by strict allowlist",
+ ));
}
}
}
-
Ok(())
}
-#[async_trait::async_trait(?Send)]
-pub trait CommunityType {
- fn followers_url(&self) -> Url;
- async fn get_follower_inboxes(
- &self,
- pool: &DbPool,
- settings: &Settings,
- ) -> Result<Vec<Url>, LemmyError>;
-}
-
pub enum EndpointType {
Community,
Person,
Ok(Url::parse(&format!("{}/inbox", actor_id))?.into())
}
+pub fn generate_site_inbox_url(actor_id: &DbUrl) -> Result<DbUrl, ParseError> {
+ let mut actor_id: Url = actor_id.clone().into();
+ actor_id.set_path("site_inbox");
+ Ok(actor_id.into())
+}
+
pub fn generate_shared_inbox_url(actor_id: &DbUrl) -> Result<DbUrl, LemmyError> {
let actor_id: Url = actor_id.clone().into();
let url = format!(
Ok(Url::parse(&format!("{}/moderators", community_id))?.into())
}
-/// Takes in a shortname of the type dessalines@xyz.tld or dessalines (assumed to be local), and outputs the actor id.
-/// Used in the API for communities and users.
-pub async fn get_actor_id_from_name(
- webfinger_type: WebfingerType,
- short_name: &str,
- context: &LemmyContext,
-) -> Result<DbUrl, LemmyError> {
- let split = short_name.split('@').collect::<Vec<&str>>();
-
- let name = split[0];
-
- // If there's no @, its local
- if split.len() == 1 {
- let domain = context.settings().get_protocol_and_hostname();
- let endpoint_type = match webfinger_type {
- WebfingerType::Person => EndpointType::Person,
- WebfingerType::Group => EndpointType::Community,
- };
- Ok(generate_local_apub_endpoint(endpoint_type, name, &domain)?)
- } else {
- let protocol = context.settings().get_protocol_string();
- Ok(
- webfinger_resolve_actor(name, split[1], webfinger_type, context.client(), protocol)
- .await?
- .into(),
- )
- }
-}
-
/// Store a sent or received activity in the database, for logging purposes. These records are not
/// persistent.
-async fn insert_activity<T>(
+#[tracing::instrument(skip(pool))]
+async fn insert_activity(
ap_id: &Url,
- activity: T,
+ activity: serde_json::Value,
local: bool,
sensitive: bool,
pool: &DbPool,
-) -> Result<(), LemmyError>
-where
- T: Serialize + std::fmt::Debug + Send + 'static,
-{
+) -> Result<bool, LemmyError> {
let ap_id = ap_id.to_owned().into();
- blocking(pool, move |conn| {
- Activity::insert(conn, ap_id, &activity, local, sensitive)
- })
- .await??;
- Ok(())
+ Ok(
+ blocking(pool, move |conn| {
+ Activity::insert(conn, ap_id, activity, local, sensitive)
+ })
+ .await??,
+ )
}
-async fn check_community_or_site_ban(
- person: &Person,
- community_id: CommunityId,
- pool: &DbPool,
-) -> Result<(), LemmyError> {
- if person.banned {
- return Err(anyhow!("Person is banned from site").into());
- }
- let person_id = person.id;
- let is_banned =
- move |conn: &'_ _| CommunityPersonBanView::get(conn, person_id, community_id).is_ok();
- if blocking(pool, is_banned).await? {
- return Err(anyhow!("Person is banned from community").into());
- }
+/// Common methods provided by ActivityPub actors (community and person). Not all methods are
+/// implemented by all actors.
+pub trait ActorType: Actor + ApubObject {
+ fn actor_id(&self) -> Url;
- Ok(())
-}
+ fn private_key(&self) -> Option<String>;
-pub(crate) async fn send_lemmy_activity<T: Serialize>(
- context: &LemmyContext,
- activity: &T,
- activity_id: &Url,
- actor: &dyn ActorType,
- inboxes: Vec<Url>,
- sensitive: bool,
-) -> Result<(), LemmyError> {
- if !context.settings().federation.enabled || inboxes.is_empty() {
- return Ok(());
+ fn get_public_key(&self) -> PublicKey {
+ PublicKey::new_main_key(self.actor_id(), self.public_key().to_string())
}
-
- info!("Sending activity {}", activity_id.to_string());
-
- // Don't send anything to ourselves
- // TODO: this should be a debug assert
- let hostname = context.settings().get_hostname_without_port()?;
- let inboxes: Vec<&Url> = inboxes
- .iter()
- .filter(|i| i.domain().expect("valid inbox url") != hostname)
- .collect();
-
- let serialised_activity = serde_json::to_string(&activity)?;
-
- insert_activity(
- activity_id,
- serialised_activity.clone(),
- true,
- sensitive,
- context.pool(),
- )
- .await?;
-
- send_activity(
- serialised_activity,
- actor,
- inboxes,
- context.client(),
- context.activity_queue(),
- )
- .await
}