package registry import ( "bytes" "context" "crypto" "crypto/rand" "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/gob" "encoding/json" "encoding/pem" "fmt" "io" "net/http" "net/url" "strings" "sync" "time" "git.capotej.com/capotej/communique/config" "git.capotej.com/capotej/communique/models" "git.capotej.com/capotej/communique/tools" "git.capotej.com/capotej/communique/urls" "git.capotej.com/capotej/communique/views" "github.com/go-fed/activity/streams" "github.com/go-fed/activity/streams/vocab" "github.com/go-fed/httpsig" "go.uber.org/zap" ) type Handler struct { handlerCfg config.Handler } // TODO rename to controller and controller.go type Registry struct { cfg config.Config persister *models.Persister handlerMap map[string]Handler log *zap.SugaredLogger signer httpsig.Signer mu sync.Mutex } func NewRegistry(cfg config.Config, persister *models.Persister, log *zap.SugaredLogger) (*Registry, error) { reg := Registry{cfg: cfg, persister: persister, log: log} reg.handlerMap = make(map[string]Handler) for _, v := range cfg.Handlers { reg.handlerMap[v.Name] = Handler{handlerCfg: v} err := generateKeypairIfNeeded(v, persister) if err != nil { return nil, err } } return ®, nil } func generateKeypairIfNeeded(v config.Handler, p *models.Persister) error { kp, err := models.CreateKeypair(v) if err != nil { return err } err = p.Store(kp) if err != nil { return err } return nil } func (r *Registry) Actor(name string) (map[string]interface{}, error) { handler := r.findByName(name) if handler == nil { return nil, nil } aso := models.NewKeypair(handler.handlerCfg) result, err := r.persister.Find(aso) if err != nil { return nil, err } buf := bytes.NewBuffer(result) dec := gob.NewDecoder(buf) var keypair models.Keypair err = dec.Decode(&keypair) if err != nil { return nil, err } privKey := &keypair.PrivateKey pemdata := pem.EncodeToMemory( &pem.Block{ Type: "PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&privKey.PublicKey), }, ) return views.RenderActor(handler.handlerCfg.Name, r.cfg.Domain, string(pemdata)) } func (r *Registry) OutboxCollection(name string) (map[string]interface{}, error) { handler := r.findByName(name) if handler == nil { return nil, nil } aso := models.NewOutboxItem(handler.handlerCfg) page, err := r.persister.Collect(aso) if err != nil { return nil, err } var outboxItems []models.OutboxItem for _, v := range page { //TODO pagination buf := bytes.NewBuffer(v) dec := gob.NewDecoder(buf) var outboxItem models.OutboxItem err = dec.Decode(&outboxItem) if err != nil { return nil, err } outboxItems = append(outboxItems, outboxItem) } return views.RenderOutboxCollection(handler.handlerCfg.Name, r.cfg.Domain, outboxItems) } func (r *Registry) Following(name string) (map[string]interface{}, error) { handler := r.findByName(name) if handler == nil { return nil, nil } profile, err := urls.UrlProfile(name, r.cfg.Domain) if err != nil { return nil, err } following, err := urls.UrlFollowing(name, r.cfg.Domain) if err != nil { return nil, err } result := make(map[string]interface{}) result["@context"] = "https://www.w3.org/ns/activitystreams" result["attributedTo"] = profile.String() result["id"] = following.String() result["totalItems"] = 0 result["orderedItems"] = []bool{} result["type"] = "OrderedCollection" return result, nil } func (r *Registry) Followers(name string) (map[string]interface{}, error) { handler := r.findByName(name) if handler == nil { return nil, nil } profile, err := urls.UrlProfile(name, r.cfg.Domain) if err != nil { return nil, err } followers, err := urls.UrlFollowers(name, r.cfg.Domain) if err != nil { return nil, err } result := make(map[string]interface{}) result["@context"] = "https://www.w3.org/ns/activitystreams" result["attributedTo"] = profile.String() result["id"] = followers.String() result["totalItems"] = 0 result["orderedItems"] = []bool{} result["type"] = "OrderedCollection" return result, nil } func (r *Registry) Inbox(name string, req *http.Request, payload []byte) error { handler := r.findByName(name) if handler == nil { return nil } domainUrl, err := url.Parse(r.cfg.Domain) if err != nil { return err } logger := r.log.With("type", "inbox") if req.Host != domainUrl.Host { logger.Warnf("%s != %s, configured domain should match incoming Host: header otherwise things may not work right. You'll need to enable 'ProxyPreserveHost' (for apache2) or proxy_set_header Host $host; (for nginx)", req.Host, r.cfg.Domain) } ctx := context.Background() person, verifyError := tools.VerifyRequest(ctx, req, r.log) if verifyError != nil { return verifyError } var followData map[string]interface{} err = json.Unmarshal(payload, &followData) if err != nil { return err } actorUrl, err := urls.UrlProfile(handler.handlerCfg.Name, r.cfg.Domain) if err != nil { return err } resolver, err := streams.NewJSONResolver(func(c context.Context, follow vocab.ActivityStreamsFollow) error { // Follow idProp := person.GetJSONLDId() idPropUrl := idProp.Get() inboxProp := person.GetActivityStreamsInbox() url := inboxProp.GetIRI() logger.With("actor", idPropUrl).With("inbox", url).Debugf("follow") actorKeyUrl, err := urls.UrlProfileKey(handler.handlerCfg.Name, r.cfg.Domain) if err != nil { return err } r.deliverAcceptToInbox(url, actorUrl, actorKeyUrl, follow, handler.handlerCfg) // subscribeActorToHandler() return nil }, func(c context.Context, note vocab.ActivityStreamsUndo) error { // Unfollow idProp := person.GetJSONLDId() idPropUrl := idProp.Get() inboxProp := person.GetActivityStreamsInbox() url := inboxProp.GetIRI() logger.With("actor", idPropUrl).With("inbox", url).Debugf("undo") return nil }) err = resolver.Resolve(ctx, followData) return err } func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, follow vocab.ActivityStreamsFollow, handler config.Handler) error { accept := streams.NewActivityStreamsAccept() actorProp := streams.NewActivityStreamsActorProperty() actorProp.AppendIRI(actorUrl) accept.SetActivityStreamsActor(actorProp) objProp := streams.NewActivityStreamsObjectProperty() objProp.AppendActivityStreamsFollow(follow) accept.SetActivityStreamsObject(objProp) payload, err := streams.Serialize(accept) if err != nil { return err } jsonData, err := json.Marshal(payload) aso := models.NewKeypair(handler) result, err := r.persister.Find(aso) if err != nil { return err } buf := bytes.NewBuffer(result) dec := gob.NewDecoder(buf) var keypair models.Keypair err = dec.Decode(&keypair) if err != nil { return err } privKey := &keypair.PrivateKey request, err := http.NewRequest("POST", url.String(), bytes.NewBuffer(jsonData)) date := time.Now().UTC().Format(http.TimeFormat) request.Header.Set("Date", date) request.Header.Set("Content-Type", "application/activity+json") request.Header.Set("Host", url.Host) h := sha256.New() h.Write(jsonData) digestHeader := base64.StdEncoding.Strict().EncodeToString(h.Sum(nil)) request.Header.Add("Digest", "SHA-256="+digestHeader) request.Header.Add("Content-Type", "application/activity+json") signedString := fmt.Sprintf("(request-target): post %s\ndate: %s\ndigest: %s\nhost: %s", url.Path, date, digestHeader, url.Host) r.log.With( "type", "delivery", ).With( "payload", payload, ).With( "signature string", signedString, ).With( "host", request.Header.Get("host"), ).Debugf("signing request") digestBytes := sha256.Sum256([]byte(signedString)) fmt.Println() fmt.Println() fmt.Println("'" + signedString + "'") fmt.Println() fmt.Println() r.mu.Lock() signature, err := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, digestBytes[:]) if err != nil { return err } // verify our own signature to ensure sanity err = rsa.VerifyPKCS1v15(&privKey.PublicKey, crypto.SHA256, digestBytes[:], signature) if err != nil { return err } else { r.log.With("type", "delivery").Debugf("verified own signature") } r.mu.Unlock() b64sig := base64.StdEncoding.Strict().EncodeToString(signature) var header = `keyId="` + actorKeyUrl.String() + `",algorithm="hs2019",headers="(request-target) date digest host",signature="` + b64sig + `"` request.Header.Add("Signature", header) //http sig signing code - broken? // r.mu.Lock() // prefs := []httpsig.Algorithm{} // digestAlgorithm := httpsig.DigestSha256 // // The "Date" and "Digest" headers must already be set on r, as well as r.URL. // headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"} // signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100) // if err != nil { // return err // } // // To sign the digest, we need to give the signer a copy of the body... // // ...but it is optional, no digest will be signed if given "nil" // // body := nil // // If r were a http.ResponseWriter, call SignResponse instead. // err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData) // r.mu.Unlock() // // HACK // oldSig := request.Header.Get("signature") // request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256")) r.log.With( "type", "delivery", ).With( "inbox", url.String(), ).With( "digest", request.Header.Get("digest"), ).With( "signature", request.Header.Get("signature"), ).With( "actor", actorUrl.String(), ).Debug("sending signed accept request") client := &http.Client{} response, err := client.Do(request) if err != nil { return fmt.Errorf("could not send accept request: %w", err) } responseBody, err := io.ReadAll(response.Body) defer response.Body.Close() r.log.With("type", "delivery").With("response", responseBody).With("status", response.Status).Debugf("received") return err } func (r *Registry) ActivityOrNote(activityOrNote, name, id string) (map[string]interface{}, error) { handler := r.findByName(name) if handler == nil { return nil, nil } lookup := models.NewOutboxItem(handler.handlerCfg) lookup.Id = []byte(id) result, err := r.persister.Find(lookup) if err != nil { return nil, err } if result == nil { return nil, nil } buf := bytes.NewBuffer(result) dec := gob.NewDecoder(buf) var outboxItem models.OutboxItem err = dec.Decode(&outboxItem) if err != nil { return nil, err } if activityOrNote == "activity" { return views.RenderActivity(handler.handlerCfg.Name, r.cfg.Domain, outboxItem) } return views.RenderNote(handler.handlerCfg.Name, r.cfg.Domain, outboxItem) } // This has to handle various lookup formats: // ?resource=acct:actor@domain // ?resource=actor@domain // ?resource=actor // ?resource=acct:actor func (r *Registry) Webfinger(fqn string) (*views.WebfingerResource, error) { // Strip away acct: prefix, if found fqn = strings.TrimPrefix(fqn, "acct:") // Strip away @domain suffix, if found domainUrl, err := url.Parse(r.cfg.Domain) if err != nil { return nil, err } hostname := "@" + domainUrl.Hostname() fqn = strings.TrimSuffix(fqn, hostname) // We should just have $actor left handler := r.findByName(fqn) if handler == nil { return nil, nil } return views.RenderWebfinger(handler.handlerCfg.Name, r.cfg.Domain, hostname) } func (r *Registry) findByName(name string) *Handler { handler, ok := r.handlerMap[name] if !ok { return nil } return &handler }