use crate::fetcher::post_or_comment::PostOrComment;
-use activitypub_federation::{
- core::signatures::PublicKey,
- traits::{Actor, ApubObject},
- InstanceSettings,
- LocalInstance,
- UrlVerifier,
-};
-use anyhow::Context;
+use activitypub_federation::config::{Data, UrlVerifier};
use async_trait::async_trait;
+use lemmy_api_common::context::LemmyContext;
use lemmy_db_schema::{
- newtypes::DbUrl,
- source::{activity::Activity, instance::Instance, local_site::LocalSite},
- utils::DbPool,
+ source::{activity::ReceivedActivity, instance::Instance, local_site::LocalSite},
+ utils::{ActualDbPool, DbPool},
};
-use lemmy_utils::{error::LemmyError, location_info, settings::structs::Settings};
-use lemmy_websocket::LemmyContext;
+use lemmy_utils::error::{LemmyError, LemmyErrorType, LemmyResult};
+use moka::future::Cache;
use once_cell::sync::Lazy;
-use tokio::sync::OnceCell;
-use url::{ParseError, Url};
+use std::{sync::Arc, time::Duration};
+use url::Url;
pub mod activities;
pub(crate) mod activity_lists;
+pub mod api;
pub(crate) mod collections;
pub mod fetcher;
pub mod http;
pub mod objects;
pub mod protocol;
+pub const FEDERATION_HTTP_FETCH_LIMIT: u32 = 50;
+/// All incoming and outgoing federation actions read the blocklist/allowlist and slur filters
+/// multiple times. This causes a huge number of database reads if we hit the db directly. So we
+/// cache these values for a short time, which will already make a huge difference and ensures that
+/// changes take effect quickly.
+const BLOCKLIST_CACHE_DURATION: Duration = Duration::from_secs(60);
+
static CONTEXT: Lazy<Vec<serde_json::Value>> = Lazy::new(|| {
serde_json::from_str(include_str!("../assets/lemmy/context.json")).expect("parse context")
});
-// TODO: store this in context? but its only used in this crate, no need to expose it elsewhere
-// TODO this singleton needs to be redone to account for live data.
-async fn local_instance(context: &LemmyContext) -> &'static LocalInstance {
- static LOCAL_INSTANCE: OnceCell<LocalInstance> = OnceCell::const_new();
- LOCAL_INSTANCE
- .get_or_init(|| async {
- // Local site may be missing
- let local_site = &LocalSite::read(context.pool()).await;
- let worker_count = local_site
- .as_ref()
- .map(|l| l.federation_worker_count)
- .unwrap_or(64) as u64;
- let http_fetch_retry_limit = local_site
- .as_ref()
- .map(|l| l.federation_http_fetch_retry_limit)
- .unwrap_or(25);
- let federation_debug = local_site
- .as_ref()
- .map(|l| l.federation_debug)
- .unwrap_or(true);
-
- let settings = InstanceSettings::builder()
- .http_fetch_retry_limit(http_fetch_retry_limit)
- .worker_count(worker_count)
- .debug(federation_debug)
- .http_signature_compat(true)
- .url_verifier(Box::new(VerifyUrlData(context.clone())))
- .build()
- .expect("configure federation");
- LocalInstance::new(
- context.settings().hostname.to_owned(),
- context.client().clone(),
- settings,
- )
- })
- .await
-}
-
#[derive(Clone)]
-struct VerifyUrlData(LemmyContext);
+pub struct VerifyUrlData(pub ActualDbPool);
#[async_trait]
impl UrlVerifier for VerifyUrlData {
async fn verify(&self, url: &Url) -> Result<(), &'static str> {
- let local_site_data = fetch_local_site_data(self.0.pool())
+ let local_site_data = local_site_data_cached(&mut (&self.0).into())
.await
.expect("read local site data");
- check_apub_id_valid(url, &local_site_data, self.0.settings())
+ check_apub_id_valid(url, &local_site_data)?;
+ Ok(())
}
}
/// - the correct scheme (either http or https)
/// - URL being in the allowlist (if it is active)
/// - URL not being in the blocklist (if it is active)
-///
-/// `use_strict_allowlist` should be true only when parsing a remote community, or when parsing a
-/// post/comment in a local community.
-#[tracing::instrument(skip(settings, local_site_data))]
-fn check_apub_id_valid(
- apub_id: &Url,
- local_site_data: &LocalSiteData,
- settings: &Settings,
-) -> Result<(), &'static str> {
+#[tracing::instrument(skip(local_site_data))]
+fn check_apub_id_valid(apub_id: &Url, local_site_data: &LocalSiteData) -> Result<(), &'static str> {
let domain = apub_id.domain().expect("apud id has domain").to_string();
- let local_instance = settings
- .get_hostname_without_port()
- .expect("local hostname is valid");
- if domain == local_instance {
- return Ok(());
- }
if !local_site_data
.local_site
return Err("Federation disabled");
}
- if apub_id.scheme() != settings.get_protocol_string() {
- return Err("Invalid protocol scheme");
- }
-
- if let Some(blocked) = local_site_data.blocked_instances.as_ref() {
- if blocked.contains(&domain) {
- return Err("Domain is blocked");
- }
+ if local_site_data
+ .blocked_instances
+ .iter()
+ .any(|i| domain.eq(&i.domain))
+ {
+ return Err("Domain is blocked");
}
- if let Some(allowed) = local_site_data.allowed_instances.as_ref() {
- if !allowed.contains(&domain) {
- return Err("Domain is not in allowlist");
- }
+ // Only check this if there are instances in the allowlist
+ if !local_site_data.allowed_instances.is_empty()
+ && !local_site_data
+ .allowed_instances
+ .iter()
+ .any(|i| domain.eq(&i.domain))
+ {
+ return Err("Domain is not in allowlist");
}
Ok(())
#[derive(Clone)]
pub(crate) struct LocalSiteData {
local_site: Option<LocalSite>,
- allowed_instances: Option<Vec<String>>,
- blocked_instances: Option<Vec<String>>,
-}
-
-pub(crate) async fn fetch_local_site_data(
- pool: &DbPool,
-) -> Result<LocalSiteData, diesel::result::Error> {
- // LocalSite may be missing
- let local_site = LocalSite::read(pool).await.ok();
- let allowed = Instance::allowlist(pool).await?;
- let blocked = Instance::blocklist(pool).await?;
-
- // These can return empty vectors, so convert them to options
- let allowed_instances = (!allowed.is_empty()).then_some(allowed);
- let blocked_instances = (!blocked.is_empty()).then_some(blocked);
-
- Ok(LocalSiteData {
- local_site,
- allowed_instances,
- blocked_instances,
- })
-}
-
-#[tracing::instrument(skip(settings, local_site_data))]
-pub(crate) fn check_apub_id_valid_with_strictness(
+ allowed_instances: Vec<Instance>,
+ blocked_instances: Vec<Instance>,
+}
+
+pub(crate) async fn local_site_data_cached(
+ pool: &mut DbPool<'_>,
+) -> LemmyResult<Arc<LocalSiteData>> {
+ static CACHE: Lazy<Cache<(), Arc<LocalSiteData>>> = Lazy::new(|| {
+ Cache::builder()
+ .max_capacity(1)
+ .time_to_live(BLOCKLIST_CACHE_DURATION)
+ .build()
+ });
+ Ok(
+ CACHE
+ .try_get_with((), async {
+ let (local_site, allowed_instances, blocked_instances) =
+ lemmy_db_schema::try_join_with_pool!(pool => (
+ // LocalSite may be missing
+ |pool| async {
+ Ok(LocalSite::read(pool).await.ok())
+ },
+ Instance::allowlist,
+ Instance::blocklist
+ ))?;
+
+ Ok::<_, diesel::result::Error>(Arc::new(LocalSiteData {
+ local_site,
+ allowed_instances,
+ blocked_instances,
+ }))
+ })
+ .await?,
+ )
+}
+
+pub(crate) async fn check_apub_id_valid_with_strictness(
apub_id: &Url,
is_strict: bool,
- local_site_data: &LocalSiteData,
- settings: &Settings,
+ context: &LemmyContext,
) -> Result<(), LemmyError> {
- check_apub_id_valid(apub_id, local_site_data, settings).map_err(LemmyError::from_message)?;
let domain = apub_id.domain().expect("apud id has domain").to_string();
- let local_instance = settings
+ let local_instance = context
+ .settings()
.get_hostname_without_port()
.expect("local hostname is valid");
if domain == local_instance {
return Ok(());
}
- if let Some(allowed) = local_site_data.allowed_instances.as_ref() {
- // Only check allowlist if this is a community, or strict allowlist is enabled.
- let strict_allowlist = local_site_data
- .local_site
- .as_ref()
- .map(|l| l.federation_strict_allowlist)
- .unwrap_or(true);
- if is_strict || strict_allowlist {
- // need to allow this explicitly because apub receive might contain objects from our local
- // instance.
- let mut allowed_and_local = allowed.to_owned();
- allowed_and_local.push(local_instance);
-
- if !allowed_and_local.contains(&domain) {
- return Err(LemmyError::from_message(
- "Federation forbidden by strict allowlist",
- ));
- }
+ let local_site_data = local_site_data_cached(&mut context.pool()).await?;
+ check_apub_id_valid(apub_id, &local_site_data).map_err(|err| match err {
+ "Federation disabled" => LemmyErrorType::FederationDisabled,
+ "Domain is blocked" => LemmyErrorType::DomainBlocked,
+ "Domain is not in allowlist" => LemmyErrorType::DomainNotInAllowList,
+ _ => panic!("Could not handle apub error!"),
+ })?;
+
+ // Only check allowlist if this is a community, and there are instances in the allowlist
+ if is_strict && !local_site_data.allowed_instances.is_empty() {
+ // need to allow this explicitly because apub receive might contain objects from our local
+ // instance.
+ let mut allowed_and_local = local_site_data
+ .allowed_instances
+ .iter()
+ .map(|i| i.domain.clone())
+ .collect::<Vec<String>>();
+ let local_instance = context
+ .settings()
+ .get_hostname_without_port()
+ .expect("local hostname is valid");
+ allowed_and_local.push(local_instance);
+
+ let domain = apub_id.domain().expect("apud id has domain").to_string();
+ if !allowed_and_local.contains(&domain) {
+ return Err(LemmyErrorType::FederationDisabledByStrictAllowList)?;
}
}
Ok(())
}
-pub enum EndpointType {
- Community,
- Person,
- Post,
- Comment,
- PrivateMessage,
-}
-
-/// Generates an apub endpoint for a given domain, IE xyz.tld
-pub fn generate_local_apub_endpoint(
- endpoint_type: EndpointType,
- name: &str,
- domain: &str,
-) -> Result<DbUrl, ParseError> {
- let point = match endpoint_type {
- EndpointType::Community => "c",
- EndpointType::Person => "u",
- EndpointType::Post => "post",
- EndpointType::Comment => "comment",
- EndpointType::PrivateMessage => "private_message",
- };
-
- Ok(Url::parse(&format!("{}/{}/{}", domain, point, name))?.into())
-}
-
-pub fn generate_followers_url(actor_id: &DbUrl) -> Result<DbUrl, ParseError> {
- Ok(Url::parse(&format!("{}/followers", actor_id))?.into())
-}
-
-pub fn generate_inbox_url(actor_id: &DbUrl) -> Result<DbUrl, ParseError> {
- Ok(Url::parse(&format!("{}/inbox", actor_id))?.into())
-}
-
-pub fn generate_site_inbox_url(actor_id: &DbUrl) -> Result<DbUrl, ParseError> {
- let mut actor_id: Url = actor_id.clone().into();
- actor_id.set_path("site_inbox");
- Ok(actor_id.into())
-}
-
-pub fn generate_shared_inbox_url(actor_id: &DbUrl) -> Result<DbUrl, LemmyError> {
- let actor_id: Url = actor_id.clone().into();
- let url = format!(
- "{}://{}{}/inbox",
- &actor_id.scheme(),
- &actor_id.host_str().context(location_info!())?,
- if let Some(port) = actor_id.port() {
- format!(":{}", port)
- } else {
- "".to_string()
- },
- );
- Ok(Url::parse(&url)?.into())
-}
-
-pub fn generate_outbox_url(actor_id: &DbUrl) -> Result<DbUrl, ParseError> {
- Ok(Url::parse(&format!("{}/outbox", actor_id))?.into())
-}
-
-fn generate_moderators_url(community_id: &DbUrl) -> Result<DbUrl, LemmyError> {
- Ok(Url::parse(&format!("{}/moderators", community_id))?.into())
-}
-
-/// Store a sent or received activity in the database, for logging purposes. These records are not
-/// persistent.
-#[tracing::instrument(skip(pool))]
-async fn insert_activity(
+/// Store received activities in the database.
+///
+/// This ensures that the same activity doesnt get received and processed more than once, which
+/// would be a waste of resources.
+#[tracing::instrument(skip(data))]
+async fn insert_received_activity(
ap_id: &Url,
- activity: serde_json::Value,
- local: bool,
- sensitive: bool,
- pool: &DbPool,
-) -> Result<bool, LemmyError> {
- let ap_id = ap_id.to_owned().into();
- Ok(Activity::insert(pool, ap_id, activity, local, Some(sensitive)).await?)
+ data: &Data<LemmyContext>,
+) -> Result<(), LemmyError> {
+ ReceivedActivity::create(&mut data.pool(), &ap_id.clone().into()).await?;
+ Ok(())
}
-/// Common methods provided by ActivityPub actors (community and person). Not all methods are
-/// implemented by all actors.
-pub trait ActorType: Actor + ApubObject {
- fn actor_id(&self) -> Url;
-
- fn private_key(&self) -> Option<String>;
+#[async_trait::async_trait]
+pub trait SendActivity: Sync {
+ type Response: Sync + Send + Clone;
- fn get_public_key(&self) -> PublicKey {
- PublicKey::new_main_key(self.actor_id(), self.public_key().to_string())
+ async fn send_activity(
+ _request: &Self,
+ _response: &Self::Response,
+ _context: &Data<LemmyContext>,
+ ) -> Result<(), LemmyError> {
+ Ok(())
}
}
projects / lemmy.git / blobdiff