"type": "Delete",
"actor": "https://ds9.lemmy.ml/u/sisko",
"to": "https://enterprise.lemmy.ml/u/riker/inbox",
- "object": "https://enterprise.lemmy.ml/private_message/341"
+ "object": "https://ds9.lemmy.ml/private_message/341"
}
```
};
use activitystreams::{
activity::{ActorAndObjectRef, ActorAndObjectRefExt},
- base::{AsBase, Extends, ExtendsExt},
+ base::{AsBase, BaseExt, Extends, ExtendsExt},
+ error::DomainError,
object::{AsObject, ObjectExt},
};
use actix_web::HttpResponse;
return Err(NotFound.into());
}
+
+pub(crate) fn verify_activity_domains_valid<T, Kind>(
+ activity: &T,
+ actor_id: Url,
+ object_domain_must_match: bool,
+) -> Result<(), LemmyError>
+where
+ T: AsBase<Kind> + ActorAndObjectRef,
+{
+ let expected_domain = actor_id.domain().context(location_info!())?;
+
+ activity.id(expected_domain)?;
+
+ let object_id = match activity.object().to_owned().single_xsd_any_uri() {
+ // object is just an ID
+ Some(id) => id,
+ // object is something like an activity, a comment or a post
+ None => activity
+ .object()
+ .to_owned()
+ .one()
+ .context(location_info!())?
+ .id()
+ .context(location_info!())?
+ .to_owned(),
+ };
+
+ if object_domain_must_match && object_id.domain() != Some(expected_domain) {
+ return Err(DomainError.into());
+ }
+
+ Ok(())
+}
Ok(response)
}
-pub fn verify(request: &HttpRequest, actor: &dyn ActorType) -> Result<(), LemmyError> {
+pub fn verify_signature(request: &HttpRequest, actor: &dyn ActorType) -> Result<(), LemmyError> {
let public_key = actor.public_key().context(location_info!())?;
let verified = CONFIG2
.begin_verify(
) -> Result<SearchResponse, LemmyError> {
// Parse the shorthand query url
let query_url = if query.contains('@') {
- debug!("{}", query);
+ debug!("Search for {}", query);
let split = query.split('@').collect::<Vec<&str>>();
// User type will look like ['', username, instance]
use crate::{
+ activities::receive::verify_activity_domains_valid,
check_is_apub_id_valid,
- extensions::signatures::verify,
+ extensions::signatures::verify_signature,
fetcher::get_or_fetch_and_upsert_user,
insert_activity,
ActorType,
})
.await??;
- if !community.local {
- return Err(
- anyhow!(
- "Received activity is addressed to remote community {}",
- &community.actor_id
- )
- .into(),
- );
+ let to = activity
+ .to()
+ .context(location_info!())?
+ .to_owned()
+ .single_xsd_any_uri();
+ if Some(community.actor_id()?) != to {
+ return Err(anyhow!("Activity delivered to wrong community").into());
}
+
info!(
"Community {} received activity {:?}",
&community.name, &activity
let user = get_or_fetch_and_upsert_user(&user_uri, &context).await?;
- verify(&request, &user)?;
+ verify_signature(&request, &user)?;
let any_base = activity.clone().into_any_base()?;
let kind = activity.kind().context(location_info!())?;
context: &LemmyContext,
) -> Result<HttpResponse, LemmyError> {
let follow = Follow::from_any_base(activity)?.context(location_info!())?;
+ verify_activity_domains_valid(&follow, user.actor_id()?, false)?;
+
let community_follower_form = CommunityFollowerForm {
community_id: community.id,
user_id: user.id,
community: Community,
context: &LemmyContext,
) -> Result<HttpResponse, LemmyError> {
- let _undo = Undo::from_any_base(activity)?.context(location_info!())?;
+ let undo = Undo::from_any_base(activity)?.context(location_info!())?;
+ verify_activity_domains_valid(&undo, user.actor_id()?, true)?;
+
+ let object = undo.object().to_owned().one().context(location_info!())?;
+ let follow = Follow::from_any_base(object)?.context(location_info!())?;
+ verify_activity_domains_valid(&follow, user.actor_id()?, false)?;
let community_follower_form = CommunityFollowerForm {
community_id: community.id,
update::receive_update,
},
check_is_apub_id_valid,
- extensions::signatures::verify,
+ extensions::signatures::verify_signature,
fetcher::get_or_fetch_and_upsert_actor,
insert_activity,
};
check_is_apub_id_valid(&actor)?;
let actor = get_or_fetch_and_upsert_actor(&actor, &context).await?;
- verify(&request, actor.as_ref())?;
+ verify_signature(&request, actor.as_ref())?;
let any_base = activity.clone().into_any_base()?;
let kind = activity.kind().context(location_info!())?;
use crate::{
+ activities::receive::verify_activity_domains_valid,
check_is_apub_id_valid,
- extensions::signatures::verify,
+ extensions::signatures::verify_signature,
fetcher::{get_or_fetch_and_upsert_actor, get_or_fetch_and_upsert_community},
insert_activity,
+ ActorType,
FromApub,
};
use activitystreams::{
- activity::{Accept, ActorAndObject, Create, Delete, Undo, Update},
+ activity::{Accept, ActorAndObject, Create, Delete, Follow, Undo, Update},
base::AnyBase,
- error::DomainError,
object::Note,
prelude::*,
};
use actix_web::{web, HttpRequest, HttpResponse};
-use anyhow::Context;
+use anyhow::{anyhow, Context};
use lemmy_db::{
community::{CommunityFollower, CommunityFollowerForm},
private_message::{PrivateMessage, PrivateMessageForm},
) -> Result<HttpResponse, LemmyError> {
let activity = input.into_inner();
let username = path.into_inner();
+ let user = blocking(&context.pool(), move |conn| {
+ User_::read_from_name(&conn, &username)
+ })
+ .await??;
+
+ let to = activity
+ .to()
+ .context(location_info!())?
+ .to_owned()
+ .single_xsd_any_uri();
+ if Some(user.actor_id()?) != to {
+ return Err(anyhow!("Activity delivered to wrong user").into());
+ }
let actor_uri = activity
.actor()?
.context(location_info!())?;
debug!(
"User {} inbox received activity {:?} from {}",
- username,
+ user.name,
&activity.id_unchecked(),
&actor_uri
);
check_is_apub_id_valid(actor_uri)?;
let actor = get_or_fetch_and_upsert_actor(actor_uri, &context).await?;
- verify(&request, actor.as_ref())?;
+ verify_signature(&request, actor.as_ref())?;
let any_base = activity.clone().into_any_base()?;
let kind = activity.kind().context(location_info!())?;
let res = match kind {
- ValidTypes::Accept => receive_accept(any_base, username, &context).await,
- ValidTypes::Create => receive_create_private_message(any_base, &context).await,
- ValidTypes::Update => receive_update_private_message(any_base, &context).await,
- ValidTypes::Delete => receive_delete_private_message(any_base, &context).await,
- ValidTypes::Undo => receive_undo_delete_private_message(any_base, &context).await,
+ ValidTypes::Accept => receive_accept(&context, any_base, actor.as_ref(), user).await,
+ ValidTypes::Create => receive_create_private_message(&context, any_base, actor.as_ref()).await,
+ ValidTypes::Update => receive_update_private_message(&context, any_base, actor.as_ref()).await,
+ ValidTypes::Delete => receive_delete_private_message(&context, any_base, actor.as_ref()).await,
+ ValidTypes::Undo => {
+ receive_undo_delete_private_message(&context, any_base, actor.as_ref()).await
+ }
};
insert_activity(actor.user_id(), activity.clone(), false, context.pool()).await?;
/// Handle accepted follows.
async fn receive_accept(
- activity: AnyBase,
- username: String,
context: &LemmyContext,
+ activity: AnyBase,
+ actor: &dyn ActorType,
+ user: User_,
) -> Result<HttpResponse, LemmyError> {
let accept = Accept::from_any_base(activity)?.context(location_info!())?;
+ verify_activity_domains_valid(&accept, actor.actor_id()?, false)?;
+
+ // TODO: we should check that we actually sent this activity, because the remote instance
+ // could just put a fake Follow
+ let object = accept.object().to_owned().one().context(location_info!())?;
+ let follow = Follow::from_any_base(object)?.context(location_info!())?;
+ verify_activity_domains_valid(&follow, user.actor_id()?, false)?;
+
let community_uri = accept
.actor()?
.to_owned()
let community = get_or_fetch_and_upsert_community(&community_uri, context).await?;
- let user = blocking(&context.pool(), move |conn| {
- User_::read_from_name(conn, &username)
- })
- .await??;
-
// Now you need to add this to the community follower
let community_follower_form = CommunityFollowerForm {
community_id: community.id,
})
.await?;
- // TODO: make sure that we actually requested a follow
Ok(HttpResponse::Ok().finish())
}
async fn receive_create_private_message(
- activity: AnyBase,
context: &LemmyContext,
+ activity: AnyBase,
+ actor: &dyn ActorType,
) -> Result<HttpResponse, LemmyError> {
let create = Create::from_any_base(activity)?.context(location_info!())?;
+ verify_activity_domains_valid(&create, actor.actor_id()?, true)?;
+
let note = Note::from_any_base(
create
.object()
)?
.context(location_info!())?;
- let actor = create
- .actor()?
- .to_owned()
- .single_xsd_any_uri()
- .context(location_info!())?;
- let domain = Some(
- create
- .id(actor.domain().context(location_info!())?)?
- .context(location_info!())?
- .to_owned(),
- );
- let private_message = PrivateMessageForm::from_apub(¬e, context, domain).await?;
+ let private_message =
+ PrivateMessageForm::from_apub(¬e, context, Some(actor.actor_id()?)).await?;
let inserted_private_message = blocking(&context.pool(), move |conn| {
PrivateMessage::create(conn, &private_message)
}
async fn receive_update_private_message(
- activity: AnyBase,
context: &LemmyContext,
+ activity: AnyBase,
+ actor: &dyn ActorType,
) -> Result<HttpResponse, LemmyError> {
let update = Update::from_any_base(activity)?.context(location_info!())?;
- let note = Note::from_any_base(
- update
- .object()
- .as_one()
- .context(location_info!())?
- .to_owned(),
- )?
- .context(location_info!())?;
+ verify_activity_domains_valid(&update, actor.actor_id()?, true)?;
- let actor = update
- .actor()?
- .to_owned()
- .single_xsd_any_uri()
- .context(location_info!())?;
- let domain = Some(
- update
- .id(actor.domain().context(location_info!())?)?
- .context(location_info!())?
- .to_owned(),
- );
- let private_message_form = PrivateMessageForm::from_apub(¬e, context, domain).await?;
+ let object = update
+ .object()
+ .as_one()
+ .context(location_info!())?
+ .to_owned();
+ let note = Note::from_any_base(object)?.context(location_info!())?;
+
+ let private_message_form =
+ PrivateMessageForm::from_apub(¬e, context, Some(actor.actor_id()?)).await?;
let private_message_ap_id = private_message_form
.ap_id
}
async fn receive_delete_private_message(
- activity: AnyBase,
context: &LemmyContext,
+ activity: AnyBase,
+ actor: &dyn ActorType,
) -> Result<HttpResponse, LemmyError> {
let delete = Delete::from_any_base(activity)?.context(location_info!())?;
+ verify_activity_domains_valid(&delete, actor.actor_id()?, true)?;
+
let private_message_id = delete
.object()
.to_owned()
.single_xsd_any_uri()
.context(location_info!())?;
- let actor = delete
- .actor()?
- .to_owned()
- .single_xsd_any_uri()
- .context(location_info!())?;
- let delete_id = delete
- .id(actor.domain().context(location_info!())?)?
- .map(|i| i.domain())
- .flatten();
- if private_message_id.domain() != delete_id {
- return Err(DomainError.into());
- }
let private_message = blocking(context.pool(), move |conn| {
PrivateMessage::read_from_apub_id(conn, private_message_id.as_str())
})
}
async fn receive_undo_delete_private_message(
- activity: AnyBase,
context: &LemmyContext,
+ activity: AnyBase,
+ actor: &dyn ActorType,
) -> Result<HttpResponse, LemmyError> {
let undo = Undo::from_any_base(activity)?.context(location_info!())?;
- let delete = Delete::from_any_base(undo.object().as_one().context(location_info!())?.to_owned())?
- .context(location_info!())?;
+ verify_activity_domains_valid(&undo, actor.actor_id()?, true)?;
+ let object = undo.object().to_owned().one().context(location_info!())?;
+ let delete = Delete::from_any_base(object)?.context(location_info!())?;
+ verify_activity_domains_valid(&delete, actor.actor_id()?, true)?;
+
let private_message_id = delete
.object()
.to_owned()
.single_xsd_any_uri()
.context(location_info!())?;
- let actor = undo
- .actor()?
- .to_owned()
- .single_xsd_any_uri()
- .context(location_info!())?;
- let undo_id = undo
- .id(actor.domain().context(location_info!())?)?
- .map(|i| i.domain())
- .flatten();
- if private_message_id.domain() != undo_id {
- return Err(DomainError.into());
- }
-
let private_message = blocking(context.pool(), move |conn| {
PrivateMessage::read_from_apub_id(conn, private_message_id.as_str())
})
.await??;
let res = PrivateMessageResponse { message };
-
let recipient_id = res.message.recipient_id;
-
context.chat_server().do_send(SendUserRoomMessage {
op: UserOperation::EditPrivateMessage,
response: res,
use activitystreams::{
activity::Follow,
actor::{ApActor, Group, Person},
- base::{AnyBase, AsBase},
- markers::Base,
+ base::AnyBase,
object::{Page, Tombstone},
- prelude::*,
};
use activitystreams_ext::{Ext1, Ext2};
use anyhow::{anyhow, Context};
async fn send_undo_remove(&self, mod_: &User_, context: &LemmyContext) -> Result<(), LemmyError>;
}
-pub(in crate) fn check_actor_domain<T, Kind>(
- apub: &T,
- expected_domain: Option<Url>,
-) -> Result<String, LemmyError>
-where
- T: Base + AsBase<Kind>,
-{
- let actor_id = if let Some(url) = expected_domain {
- let domain = url.domain().context(location_info!())?;
- apub.id(domain)?.context(location_info!())?
- } else {
- let actor_id = apub.id_unchecked().context(location_info!())?;
- check_is_apub_id_valid(&actor_id)?;
- actor_id
- };
- Ok(actor_id.to_string())
-}
-
#[async_trait::async_trait(?Send)]
pub trait ApubLikeableType {
async fn send_like(&self, creator: &User_, context: &LemmyContext) -> Result<(), LemmyError>;
use crate::{
- check_actor_domain,
fetcher::{
get_or_fetch_and_insert_comment,
get_or_fetch_and_insert_post,
get_or_fetch_and_upsert_user,
},
- objects::create_tombstone,
+ objects::{check_object_domain, create_tombstone},
FromApub,
ToApub,
};
published: note.published().map(|u| u.to_owned().naive_local()),
updated: note.updated().map(|u| u.to_owned().naive_local()),
deleted: None,
- ap_id: Some(check_actor_domain(note, expected_domain)?),
+ ap_id: Some(check_object_domain(note, expected_domain)?),
local: false,
})
}
use crate::{
- check_actor_domain,
extensions::group_extensions::GroupExtension,
fetcher::get_or_fetch_and_upsert_user,
- objects::create_tombstone,
+ objects::{check_object_domain, create_tombstone},
ActorType,
FromApub,
GroupExt,
updated: group.inner.updated().map(|u| u.to_owned().naive_local()),
deleted: None,
nsfw: group.ext_one.sensitive,
- actor_id: Some(check_actor_domain(group, expected_domain)?),
+ actor_id: Some(check_object_domain(group, expected_domain)?),
local: false,
private_key: None,
public_key: Some(group.ext_two.to_owned().public_key.public_key_pem),
+use crate::check_is_apub_id_valid;
use activitystreams::{
- base::BaseExt,
+ base::{AsBase, BaseExt},
+ markers::Base,
object::{Tombstone, TombstoneExt},
};
-use anyhow::anyhow;
+use anyhow::{anyhow, Context};
use chrono::NaiveDateTime;
-use lemmy_utils::{utils::convert_datetime, LemmyError};
+use lemmy_utils::{location_info, utils::convert_datetime, LemmyError};
+use url::Url;
pub mod comment;
pub mod community;
Err(anyhow!("Cant convert object to tombstone if it wasnt deleted").into())
}
}
+
+pub(in crate::objects) fn check_object_domain<T, Kind>(
+ apub: &T,
+ expected_domain: Option<Url>,
+) -> Result<String, LemmyError>
+where
+ T: Base + AsBase<Kind>,
+{
+ let actor_id = if let Some(url) = expected_domain {
+ check_is_apub_id_valid(&url)?;
+ let domain = url.domain().context(location_info!())?;
+ apub.id(domain)?.context(location_info!())?
+ } else {
+ let actor_id = apub.id_unchecked().context(location_info!())?;
+ check_is_apub_id_valid(&actor_id)?;
+ actor_id
+ };
+ Ok(actor_id.to_string())
+}
use crate::{
- check_actor_domain,
extensions::page_extension::PageExtension,
fetcher::{get_or_fetch_and_upsert_community, get_or_fetch_and_upsert_user},
- objects::create_tombstone,
+ objects::{check_object_domain, create_tombstone},
FromApub,
PageExt,
ToApub,
embed_description: iframely_description,
embed_html: iframely_html,
thumbnail_url: pictrs_thumbnail,
- ap_id: Some(check_actor_domain(page, expected_domain)?),
+ ap_id: Some(check_object_domain(page, expected_domain)?),
local: false,
})
}
use crate::{
- check_actor_domain,
check_is_apub_id_valid,
fetcher::get_or_fetch_and_upsert_user,
- objects::create_tombstone,
+ objects::{check_object_domain, create_tombstone},
FromApub,
ToApub,
};
updated: note.updated().map(|u| u.to_owned().naive_local()),
deleted: None,
read: None,
- ap_id: Some(check_actor_domain(note, expected_domain)?),
+ ap_id: Some(check_object_domain(note, expected_domain)?),
local: false,
})
}
-use crate::{check_actor_domain, ActorType, FromApub, PersonExt, ToApub};
+use crate::{objects::check_object_domain, ActorType, FromApub, PersonExt, ToApub};
use activitystreams::{
actor::{ApActor, Endpoints, Person},
object::{Image, Tombstone},
show_avatars: false,
send_notifications_to_email: false,
matrix_user_id: None,
- actor_id: Some(check_actor_domain(person, expected_domain)?),
+ actor_id: Some(check_object_domain(person, expected_domain)?),
bio: Some(bio),
local: false,
private_key: None,
projects / lemmy.git / commitdiff