[feature] Distribute + ingest Accepts to followers (#3404)

This commit is contained in:
tobi 2024-10-08 10:51:13 +02:00 committed by GitHub
parent 99f535f99b
commit 1e421cb912
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 607 additions and 250 deletions

View file

@ -569,6 +569,7 @@ For example, the following json object `Reject`s the attempt of `@someone@somewh
```json ```json
{ {
"@context": "https://www.w3.org/ns/activitystreams",
"actor": "https://example.org/users/post_author", "actor": "https://example.org/users/post_author",
"to": "https://somewhere.else.example.org/users/someone", "to": "https://somewhere.else.example.org/users/someone",
"id": "https://example.org/users/post_author/activities/reject/01J0K2YXP9QCT5BE1JWQSAM3B6", "id": "https://example.org/users/post_author/activities/reject/01J0K2YXP9QCT5BE1JWQSAM3B6",
@ -591,7 +592,12 @@ For example, the following json object `Accept`s the attempt of `@someone@somewh
```json ```json
{ {
"@context": "https://www.w3.org/ns/activitystreams",
"actor": "https://example.org/users/post_author", "actor": "https://example.org/users/post_author",
"cc": [
"https://www.w3.org/ns/activitystreams#Public",
"https://example.org/users/post_author/followers"
],
"to": "https://somewhere.else.example.org/users/someone", "to": "https://somewhere.else.example.org/users/someone",
"id": "https://example.org/users/post_author/activities/reject/01J0K2YXP9QCT5BE1JWQSAM3B6", "id": "https://example.org/users/post_author/activities/reject/01J0K2YXP9QCT5BE1JWQSAM3B6",
"object": "https://somewhere.else.example.org/users/someone/statuses/01J17XY2VXGMNNPH1XR7BG2524", "object": "https://somewhere.else.example.org/users/someone/statuses/01J17XY2VXGMNNPH1XR7BG2524",
@ -601,6 +607,9 @@ For example, the following json object `Accept`s the attempt of `@someone@somewh
If this happens, `@someone@somewhere.else.example.org` (and their instance) should consider the interaction as having been approved / accepted. The instance can then feel free to distribute the interaction `Activity` to all of the recipients targed by `to`, `cc`, etc, with the additional property `approvedBy` ([see below](#approvedby)). If this happens, `@someone@somewhere.else.example.org` (and their instance) should consider the interaction as having been approved / accepted. The instance can then feel free to distribute the interaction `Activity` to all of the recipients targed by `to`, `cc`, etc, with the additional property `approvedBy` ([see below](#approvedby)).
!!! Note
In the above example, actor `https://example.org/users/post_author` addresses the `Accept` activity not just to the interacting actor `https://somewhere.else.example.org/users/someone`, but to their followers collection as well (and, implicitly, to the public). This allows followers of `https://example.org/users/post_author` on other servers to also mark the interaction as accepted, and to show the interaction alongside the interacted-with post.
### Validating presence in a Followers / Following collection ### Validating presence in a Followers / Following collection
If an `Actor` interacting with an `Object` (via `Like`, `inReplyTo`, or `Announce`) is permitted to do that interaction based on their presence in a `Followers` or `Following` collection in the `always` field of an interaction policy, then their server should *still* wait for an `Accept` to be received from the server of the target account, before distributing the interaction more widely with the `approvedBy` property set to the URI of the `Accept`. If an `Actor` interacting with an `Object` (via `Like`, `inReplyTo`, or `Announce`) is permitted to do that interaction based on their presence in a `Followers` or `Following` collection in the `always` field of an interaction policy, then their server should *still* wait for an `Accept` to be received from the server of the target account, before distributing the interaction more widely with the `approvedBy` property set to the URI of the `Accept`.

View file

@ -77,6 +77,10 @@
// See https://www.w3.org/TR/activitystreams-vocabulary/#microsyntaxes // See https://www.w3.org/TR/activitystreams-vocabulary/#microsyntaxes
// and https://www.w3.org/TR/activitystreams-vocabulary/#dfn-tag // and https://www.w3.org/TR/activitystreams-vocabulary/#dfn-tag
TagHashtag = "Hashtag" TagHashtag = "Hashtag"
// Not in the AS spec, just used internally to indicate
// that we don't *yet* know what type of Object something is.
ObjectUnknown = "Unknown"
) )
// isActivity returns whether AS type name is of an Activity (NOT IntransitiveActivity). // isActivity returns whether AS type name is of an Activity (NOT IntransitiveActivity).

View file

@ -527,8 +527,9 @@ func (d *Dereferencer) enrichStatus(
// serve statuses with the `approved_by` field, but we // serve statuses with the `approved_by` field, but we
// might have marked a status as pre-approved on our side // might have marked a status as pre-approved on our side
// based on the author's inclusion in a followers/following // based on the author's inclusion in a followers/following
// collection. By carrying over previously-set values we // collection, or by providing pre-approval URI on the bare
// can avoid marking such statuses as "pending" again. // status passed to RefreshStatus. By carrying over previously
// set values we can avoid marking such statuses as "pending".
// //
// If a remote has in the meantime retracted its approval, // If a remote has in the meantime retracted its approval,
// the next call to 'isPermittedStatus' will catch that. // the next call to 'isPermittedStatus' will catch that.

View file

@ -113,33 +113,17 @@ func (d *Dereferencer) isPermittedStatus(
func (d *Dereferencer) isPermittedReply( func (d *Dereferencer) isPermittedReply(
ctx context.Context, ctx context.Context,
requestUser string, requestUser string,
status *gtsmodel.Status, reply *gtsmodel.Status,
) (bool, error) { ) (bool, error) {
var ( var (
statusURI = status.URI // Definitely set. replyURI = reply.URI // Definitely set.
inReplyToURI = status.InReplyToURI // Definitely set. inReplyToURI = reply.InReplyToURI // Definitely set.
inReplyTo = status.InReplyTo // Might not yet be set. inReplyTo = reply.InReplyTo // Might not be set.
acceptIRI = reply.ApprovedByURI // Might not be set.
) )
// Check if status with this URI has previously been rejected. // Check if we have a stored interaction request for parent status.
req, err := d.state.DB.GetInteractionRequestByInteractionURI( parentReq, err := d.state.DB.GetInteractionRequestByInteractionURI(
gtscontext.SetBarebones(ctx),
statusURI,
)
if err != nil && !errors.Is(err, db.ErrNoEntries) {
err := gtserror.Newf("db error getting interaction request: %w", err)
return false, err
}
if req != nil && req.IsRejected() {
// This status has been
// rejected reviously, so
// it's not permitted now.
return false, nil
}
// Check if replied-to status has previously been rejected.
req, err = d.state.DB.GetInteractionRequestByInteractionURI(
gtscontext.SetBarebones(ctx), gtscontext.SetBarebones(ctx),
inReplyToURI, inReplyToURI,
) )
@ -148,71 +132,78 @@ func (d *Dereferencer) isPermittedReply(
return false, err return false, err
} }
if req != nil && req.IsRejected() { // Check if we have a stored interaction request for this reply.
// This status's parent was rejected, so thisReq, err := d.state.DB.GetInteractionRequestByInteractionURI(
// implicitly this reply should be rejected too. gtscontext.SetBarebones(ctx),
// replyURI,
// We know already that we haven't inserted )
// a rejected interaction request for this if err != nil && !errors.Is(err, db.ErrNoEntries) {
// status yet so do it before returning. err := gtserror.Newf("db error getting interaction request: %w", err)
id := id.NewULID() return false, err
}
// To ensure the Reject chain stays coherent, parentRejected := (parentReq != nil && parentReq.IsRejected())
// borrow fields from the up-thread rejection. thisRejected := (thisReq != nil && thisReq.IsRejected())
// This collapses the chain beyond the first
// rejected reply and allows us to avoid derefing
// further replies we already know we don't want.
statusID := req.StatusID
targetAccountID := req.TargetAccountID
// As nobody is actually Rejecting the reply if parentRejected {
// directly, but it's an implicit Reject coming // If this status's parent was rejected,
// from our internal logic, don't bother setting // implicitly this reply should be too;
// a URI (it's not a required field anyway). // there's nothing more to check here.
uri := "" return false, d.unpermittedByParent(
ctx,
rejection := &gtsmodel.InteractionRequest{ reply,
ID: id, thisReq,
StatusID: statusID, parentReq,
TargetAccountID: targetAccountID, )
InteractingAccountID: status.AccountID, }
InteractionURI: statusURI,
InteractionType: gtsmodel.InteractionReply,
URI: uri,
RejectedAt: time.Now(),
}
err := d.state.DB.PutInteractionRequest(ctx, rejection)
if err != nil && !errors.Is(err, db.ErrAlreadyExists) {
return false, gtserror.Newf("db error putting pre-rejected interaction request: %w", err)
}
// Parent wasn't rejected. Check if this
// reply itself was rejected previously.
//
// If it was, and it doesn't now claim to
// be approved, then we should just reject it
// again, as nothing's changed since last time.
if thisRejected && acceptIRI == "" {
// Nothing changed,
// still rejected.
return false, nil return false, nil
} }
// This reply wasn't rejected previously, or
// it was rejected previously and now claims
// to be approved. Continue permission checks.
if inReplyTo == nil { if inReplyTo == nil {
// We didn't have the replied-to status in // If we didn't have the replied-to status
// our database (yet) so we can't know if // in our database (yet), we can't check
// this reply is permitted or not. For now // right now if this reply is permitted.
// just return true; worst-case, the status //
// sticks around on the instance for a couple // For now, just return permitted if reply
// hours until we try to dereference it again // was not explicitly rejected before; worst-
// and realize it should be forbidden. // case, the reply stays on the instance for
return true, nil // a couple hours until we try to deref it
// again and realize it should be forbidden.
return !thisRejected, nil
} }
// We have the replied-to status; ensure it's fully populated.
if err := d.state.DB.PopulateStatus(ctx, inReplyTo); err != nil {
return false, gtserror.Newf("error populating status %s: %w", reply.ID, err)
}
// Make sure replied-to status is not
// a boost wrapper, and make sure it's
// actually visible to the requester.
if inReplyTo.BoostOfID != "" { if inReplyTo.BoostOfID != "" {
// We do not permit replies to // We do not permit replies
// boost wrapper statuses. (this // to boost wrapper statuses.
// shouldn't be able to happen).
log.Info(ctx, "rejecting reply to boost wrapper status") log.Info(ctx, "rejecting reply to boost wrapper status")
return false, nil return false, nil
} }
// Check visibility of local
// inReplyTo to replying account.
if inReplyTo.IsLocal() { if inReplyTo.IsLocal() {
visible, err := d.visFilter.StatusVisible(ctx, visible, err := d.visFilter.StatusVisible(ctx,
status.Account, reply.Account,
inReplyTo, inReplyTo,
) )
if err != nil { if err != nil {
@ -227,9 +218,26 @@ func (d *Dereferencer) isPermittedReply(
} }
} }
// Check interaction policy of inReplyTo. // If this reply claims to be approved,
// validate this by dereferencing the
// Accept and checking the return value.
// No further checks are required.
if acceptIRI != "" {
return d.isPermittedByAcceptIRI(
ctx,
requestUser,
reply,
inReplyTo,
thisReq,
acceptIRI,
)
}
// Status doesn't claim to be approved.
// Check interaction policy of inReplyTo
// to see if it doesn't require approval.
replyable, err := d.intFilter.StatusReplyable(ctx, replyable, err := d.intFilter.StatusReplyable(ctx,
status.Account, reply.Account,
inReplyTo, inReplyTo,
) )
if err != nil { if err != nil {
@ -238,93 +246,250 @@ func (d *Dereferencer) isPermittedReply(
} }
if replyable.Forbidden() { if replyable.Forbidden() {
// Reply is not permitted. // Reply is not permitted according to policy.
// //
// Insert a pre-rejected interaction request // Either insert a pre-rejected interaction
// into the db and return. This ensures that // req into the db, or update the existing
// replies to this now-rejected status aren't // one, and return. This ensures that replies
// inadvertently permitted. // to this rejected reply also aren't permitted.
id := id.NewULID() return false, d.rejectedByPolicy(
rejection := &gtsmodel.InteractionRequest{ ctx,
ID: id, reply,
StatusID: inReplyTo.ID, inReplyTo,
TargetAccountID: inReplyTo.AccountID, thisReq,
InteractingAccountID: status.AccountID, )
InteractionURI: statusURI,
InteractionType: gtsmodel.InteractionReply,
URI: uris.GenerateURIForReject(inReplyTo.Account.Username, id),
RejectedAt: time.Now(),
}
err := d.state.DB.PutInteractionRequest(ctx, rejection)
if err != nil && !errors.Is(err, db.ErrAlreadyExists) {
return false, gtserror.Newf("db error putting pre-rejected interaction request: %w", err)
}
return false, nil
} }
if replyable.Permitted() && // Reply is permitted according to the interaction
!replyable.MatchedOnCollection() { // policy set on the replied-to status (if any).
// Replier is permitted to do this
// interaction, and didn't match on if !replyable.MatchedOnCollection() {
// a collection so we don't need to // If we didn't match on a collection,
// do further checking. // then we don't require an acceptIRI,
// and we don't need to send an Accept;
// just permit the reply full stop.
return true, nil return true, nil
} }
// Replier is permitted to do this // Reply is permitted, but match was made based
// interaction pending approval, or // on inclusion in a followers/following collection.
// permitted but matched on a collection.
// //
// Check if we can dereference // If the status is ours, mark it as PreApproved
// an Accept that grants approval. // so the processor knows to create and send out
// an Accept for it immediately.
if status.ApprovedByURI == "" { if inReplyTo.IsLocal() {
// Status doesn't claim to be approved. reply.PendingApproval = util.Ptr(true)
// reply.PreApproved = true
// For replies to local statuses that's return true, nil
// fine, we can put it in the DB pending
// approval, and continue processing it.
//
// If permission was granted based on a match
// with a followers or following collection,
// we can mark it as PreApproved so the processor
// sends an accept out for it immediately.
//
// For replies to remote statuses, though
// we should be polite and just drop it.
if inReplyTo.IsLocal() {
status.PendingApproval = util.Ptr(true)
status.PreApproved = replyable.MatchedOnCollection()
return true, nil
}
return false, nil
} }
// Status claims to be approved, check // For replies to remote statuses, which matched
// this by dereferencing the Accept and // on a followers/following collection, but did not
// inspecting the return value. // include an acceptIRI, we should just drop it.
if err := d.validateApprovedBy( // It's possible we'll get an Accept for it later
// and we can check everything again.
return false, nil
}
// unpermittedByParent marks the given reply as rejected
// based on the fact that its parent was rejected.
//
// This will create a rejected interaction request for
// the status in the db, if one didn't exist already,
// or update an existing interaction request instead.
func (d *Dereferencer) unpermittedByParent(
ctx context.Context,
reply *gtsmodel.Status,
thisReq *gtsmodel.InteractionRequest,
parentReq *gtsmodel.InteractionRequest,
) error {
if thisReq != nil && thisReq.IsRejected() {
// This interaction request is
// already marked as rejected,
// there's nothing more to do.
return nil
}
if thisReq != nil {
// Before we return, ensure interaction
// request is marked as rejected.
thisReq.RejectedAt = time.Now()
thisReq.AcceptedAt = time.Time{}
err := d.state.DB.UpdateInteractionRequest(
ctx,
thisReq,
"rejected_at",
"accepted_at",
)
if err != nil {
return gtserror.Newf("db error updating interaction request: %w", err)
}
return nil
}
// We haven't stored a rejected interaction
// request for this status yet, do it now.
rejectID := id.NewULID()
// To ensure the Reject chain stays coherent,
// borrow fields from the up-thread rejection.
// This collapses the chain beyond the first
// rejected reply and allows us to avoid derefing
// further replies we already know we don't want.
inReplyToID := parentReq.StatusID
targetAccountID := parentReq.TargetAccountID
// As nobody is actually Rejecting the reply
// directly, but it's an implicit Reject coming
// from our internal logic, don't bother setting
// a URI (it's not a required field anyway).
uri := ""
rejection := &gtsmodel.InteractionRequest{
ID: rejectID,
StatusID: inReplyToID,
TargetAccountID: targetAccountID,
InteractingAccountID: reply.AccountID,
InteractionURI: reply.URI,
InteractionType: gtsmodel.InteractionReply,
URI: uri,
RejectedAt: time.Now(),
}
err := d.state.DB.PutInteractionRequest(ctx, rejection)
if err != nil && !errors.Is(err, db.ErrAlreadyExists) {
return gtserror.Newf("db error putting pre-rejected interaction request: %w", err)
}
return nil
}
// isPermittedByAcceptIRI checks whether the given acceptIRI
// permits the given reply to the given inReplyTo status.
// If yes, then thisReq will be updated to reflect the
// acceptance, if it's not nil.
func (d *Dereferencer) isPermittedByAcceptIRI(
ctx context.Context,
requestUser string,
reply *gtsmodel.Status,
inReplyTo *gtsmodel.Status,
thisReq *gtsmodel.InteractionRequest,
acceptIRI string,
) (bool, error) {
permitted, err := d.isValidAccept(
ctx, ctx,
requestUser, requestUser,
status.ApprovedByURI, acceptIRI,
statusURI, reply.URI,
inReplyTo.AccountURI, inReplyTo.AccountURI,
); err != nil { )
if err != nil {
// Error dereferencing means we couldn't // Error dereferencing means we couldn't
// get the Accept right now or it wasn't // get the Accept right now or it wasn't
// valid, so we shouldn't store this status. // valid, so we shouldn't store this status.
log.Errorf(ctx, "undereferencable ApprovedByURI: %v", err) err := gtserror.Newf("undereferencable ApprovedByURI: %w", err)
return false, err
}
if !permitted {
// It's a no from
// us, squirt.
return false, nil return false, nil
} }
// Status has been approved. // Reply is permitted by this Accept.
status.PendingApproval = util.Ptr(false) // If it was previously rejected or
// pending approval, clear that now.
reply.PendingApproval = util.Ptr(false)
if thisReq != nil {
thisReq.URI = acceptIRI
thisReq.AcceptedAt = time.Now()
thisReq.RejectedAt = time.Time{}
err := d.state.DB.UpdateInteractionRequest(
ctx,
thisReq,
"uri",
"accepted_at",
"rejected_at",
)
if err != nil {
return false, gtserror.Newf("db error updating interaction request: %w", err)
}
}
// All good!
return true, nil return true, nil
} }
func (d *Dereferencer) rejectedByPolicy(
ctx context.Context,
reply *gtsmodel.Status,
inReplyTo *gtsmodel.Status,
thisReq *gtsmodel.InteractionRequest,
) error {
var (
rejectID string
rejectURI string
)
if thisReq != nil {
// Reuse existing ID.
rejectID = thisReq.ID
} else {
// Generate new ID.
rejectID = id.NewULID()
}
if inReplyTo.IsLocal() {
// If this a reply to one of our statuses
// we should generate a URI for the Reject,
// else just use an implicit (empty) URI.
rejectURI = uris.GenerateURIForReject(
inReplyTo.Account.Username,
rejectID,
)
}
if thisReq != nil {
// Before we return, ensure interaction
// request is marked as rejected.
thisReq.RejectedAt = time.Now()
thisReq.AcceptedAt = time.Time{}
thisReq.URI = rejectURI
err := d.state.DB.UpdateInteractionRequest(
ctx,
thisReq,
"rejected_at",
"accepted_at",
"uri",
)
if err != nil {
return gtserror.Newf("db error updating interaction request: %w", err)
}
return nil
}
// We haven't stored a rejected interaction
// request for this status yet, do it now.
rejection := &gtsmodel.InteractionRequest{
ID: rejectID,
StatusID: inReplyTo.ID,
TargetAccountID: inReplyTo.AccountID,
InteractingAccountID: reply.AccountID,
InteractionURI: reply.URI,
InteractionType: gtsmodel.InteractionReply,
URI: rejectURI,
RejectedAt: time.Now(),
}
err := d.state.DB.PutInteractionRequest(ctx, rejection)
if err != nil && !errors.Is(err, db.ErrAlreadyExists) {
return gtserror.Newf("db error putting pre-rejected interaction request: %w", err)
}
return nil
}
func (d *Dereferencer) isPermittedBoost( func (d *Dereferencer) isPermittedBoost(
ctx context.Context, ctx context.Context,
requestUser string, requestUser string,
@ -418,18 +583,22 @@ func (d *Dereferencer) isPermittedBoost(
// Boost claims to be approved, check // Boost claims to be approved, check
// this by dereferencing the Accept and // this by dereferencing the Accept and
// inspecting the return value. // inspecting the return value.
if err := d.validateApprovedBy( permitted, err := d.isValidAccept(
ctx, ctx,
requestUser, requestUser,
status.ApprovedByURI, status.ApprovedByURI,
status.URI, status.URI,
boostOf.AccountURI, boostOf.AccountURI,
); err != nil { )
if err != nil {
// Error dereferencing means we couldn't // Error dereferencing means we couldn't
// get the Accept right now or it wasn't // get the Accept right now or it wasn't
// valid, so we shouldn't store this status. // valid, so we shouldn't store this status.
log.Errorf(ctx, "undereferencable ApprovedByURI: %v", err) err := gtserror.Newf("undereferencable ApprovedByURI: %w", err)
return false, err
}
if !permitted {
return false, nil return false, nil
} }
@ -438,43 +607,59 @@ func (d *Dereferencer) isPermittedBoost(
return true, nil return true, nil
} }
// validateApprovedBy dereferences the activitystreams Accept at // isValidAccept dereferences the activitystreams Accept at the
// the specified IRI, and checks the Accept for validity against // specified IRI, and checks the Accept for validity against the
// the provided expectedObject and expectedActor. // provided expectedObject and expectedActor.
// //
// Will return either nil if everything looked OK, or an error if // Will return either (true, nil) if everything looked OK, an error
// something went wrong during deref, or if the dereffed Accept // if something went wrong internally during deref, or (false, nil)
// did not meet expectations. // if the dereferenced Accept did not meet expectations.
func (d *Dereferencer) validateApprovedBy( func (d *Dereferencer) isValidAccept(
ctx context.Context, ctx context.Context,
requestUser string, requestUser string,
approvedByURIStr string, // Eg., "https://example.org/users/someone/accepts/01J2736AWWJ3411CPR833F6D03" acceptIRIStr string, // Eg., "https://example.org/users/someone/accepts/01J2736AWWJ3411CPR833F6D03"
expectObjectURIStr string, // Eg., "https://some.instance.example.org/users/someone_else/statuses/01J27414TWV9F7DC39FN8ABB5R" expectObjectURIStr string, // Eg., "https://some.instance.example.org/users/someone_else/statuses/01J27414TWV9F7DC39FN8ABB5R"
expectActorURIStr string, // Eg., "https://example.org/users/someone" expectActorURIStr string, // Eg., "https://example.org/users/someone"
) error { ) (bool, error) {
approvedByURI, err := url.Parse(approvedByURIStr) l := log.
WithContext(ctx).
WithField("acceptIRI", acceptIRIStr)
acceptIRI, err := url.Parse(acceptIRIStr)
if err != nil { if err != nil {
err := gtserror.Newf("error parsing approvedByURI: %w", err) // Real returnable error.
return err err := gtserror.Newf("error parsing acceptIRI: %w", err)
return false, err
} }
// Don't make calls to the remote if it's blocked. // Don't make calls to the Accept IRI
if blocked, err := d.state.DB.IsDomainBlocked(ctx, approvedByURI.Host); blocked || err != nil { // if it's blocked, just return false.
err := gtserror.Newf("domain %s is blocked", approvedByURI.Host) blocked, err := d.state.DB.IsDomainBlocked(ctx, acceptIRI.Host)
return err if err != nil {
// Real returnable error.
err := gtserror.Newf("error checking domain block: %w", err)
return false, err
}
if blocked {
l.Info("Accept host is blocked")
return false, nil
} }
tsport, err := d.transportController.NewTransportForUsername(ctx, requestUser) tsport, err := d.transportController.NewTransportForUsername(ctx, requestUser)
if err != nil { if err != nil {
// Real returnable error.
err := gtserror.Newf("error creating transport: %w", err) err := gtserror.Newf("error creating transport: %w", err)
return err return false, err
} }
// Make the call to resolve into an Acceptable. // Make the call to resolve into an Acceptable.
rsp, err := tsport.Dereference(ctx, approvedByURI) // Log any error encountered here but don't
// return it as it's not *our* error.
rsp, err := tsport.Dereference(ctx, acceptIRI)
if err != nil { if err != nil {
err := gtserror.Newf("error dereferencing %s: %w", approvedByURIStr, err) l.Errorf("error dereferencing Accept: %v", err)
return err return false, nil
} }
acceptable, err := ap.ResolveAcceptable(ctx, rsp.Body) acceptable, err := ap.ResolveAcceptable(ctx, rsp.Body)
@ -483,66 +668,71 @@ func (d *Dereferencer) validateApprovedBy(
_ = rsp.Body.Close() _ = rsp.Body.Close()
if err != nil { if err != nil {
err := gtserror.Newf("error resolving Accept %s: %w", approvedByURIStr, err) l.Errorf("error resolving to Accept: %v", err)
return err return false, err
} }
// Extract the URI/ID of the Accept. // Extract the URI/ID of the Accept.
acceptURI := ap.GetJSONLDId(acceptable) acceptID := ap.GetJSONLDId(acceptable)
acceptURIStr := acceptURI.String() acceptIDStr := acceptID.String()
// Check whether input URI and final returned URI // Check whether input URI and final returned URI
// have changed (i.e. we followed some redirects). // have changed (i.e. we followed some redirects).
rspURL := rsp.Request.URL rspURL := rsp.Request.URL
rspURLStr := rspURL.String() rspURLStr := rspURL.String()
switch { if rspURLStr != acceptIRIStr {
case rspURLStr == approvedByURIStr: // If rspURLStr != acceptIRIStr, make sure final
// response URL is at least on the same host as
// what we expected (ie., we weren't redirected
// across domains), and make sure it's the same
// as the ID of the Accept we were returned.
switch {
case rspURL.Host != acceptIRI.Host:
l.Errorf(
"final deref host %s did not match acceptIRI host",
rspURL.Host,
)
return false, nil
// i.e. from here, rspURLStr != approvedByURIStr. case acceptIDStr != rspURLStr:
// l.Errorf(
// Make sure it's at least on the same host as "final deref uri %s did not match returned Accept ID %s",
// what we expected (ie., we weren't redirected rspURLStr, acceptIDStr,
// across domains), and make sure it's the same )
// as the ID of the Accept we were returned. return false, nil
case rspURL.Host != approvedByURI.Host: }
return gtserror.Newf(
"final dereference host %s did not match approvedByURI host %s",
rspURL.Host, approvedByURI.Host,
)
case acceptURIStr != rspURLStr:
return gtserror.Newf(
"final dereference uri %s did not match returned Accept ID/URI %s",
rspURLStr, acceptURIStr,
)
} }
// Response is superficially OK,
// check in more detail now.
// Extract the actor IRI and string from Accept. // Extract the actor IRI and string from Accept.
actorIRIs := ap.GetActorIRIs(acceptable) actorIRIs := ap.GetActorIRIs(acceptable)
actorIRI, actorIRIStr := extractIRI(actorIRIs) actorIRI, actorIRIStr := extractIRI(actorIRIs)
switch { switch {
case actorIRIStr == "": case actorIRIStr == "":
err := gtserror.New("missing Accept actor IRI") l.Error("Accept missing actor IRI")
return gtserror.SetMalformed(err) return false, nil
// Ensure the Accept Actor is who we expect // Ensure the Accept Actor is on
// it to be, and not someone else trying to // the instance hosting the Accept.
// do an Accept for an interaction with a case actorIRI.Host != acceptID.Host:
// statusable they don't own. l.Errorf(
case actorIRI.Host != acceptURI.Host: "actor %s not on the same host as Accept",
return gtserror.Newf( actorIRIStr,
"Accept Actor %s was not the same host as Accept %s",
actorIRIStr, acceptURIStr,
) )
return false, nil
// Ensure the Accept Actor is who we expect // Ensure the Accept Actor is who we expect
// it to be, and not someone else trying to // it to be, and not someone else trying to
// do an Accept for an interaction with a // do an Accept for an interaction with a
// statusable they don't own. // statusable they don't own.
case actorIRIStr != expectActorURIStr: case actorIRIStr != expectActorURIStr:
return gtserror.Newf( l.Errorf(
"Accept Actor %s was not the same as expected actor %s", "actor %s was not the same as expected actor %s",
actorIRIStr, expectActorURIStr, actorIRIStr, expectActorURIStr,
) )
return false, nil
} }
// Extract the object IRI string from Accept. // Extract the object IRI string from Accept.
@ -550,20 +740,22 @@ func (d *Dereferencer) validateApprovedBy(
_, objectIRIStr := extractIRI(objectIRIs) _, objectIRIStr := extractIRI(objectIRIs)
switch { switch {
case objectIRIStr == "": case objectIRIStr == "":
err := gtserror.New("missing Accept object IRI") l.Error("missing Accept object IRI")
return gtserror.SetMalformed(err) return false, nil
// Ensure the Accept Object is what we expect // Ensure the Accept Object is what we expect
// it to be, ie., it's Accepting the interaction // it to be, ie., it's Accepting the interaction
// we need it to Accept, and not something else. // we need it to Accept, and not something else.
case objectIRIStr != expectObjectURIStr: case objectIRIStr != expectObjectURIStr:
return gtserror.Newf( l.Errorf(
"resolved Accept Object uri %s was not the same as expected object %s", "resolved Accept object IRI %s was not the same as expected object %s",
objectIRIStr, expectObjectURIStr, objectIRIStr, expectObjectURIStr,
) )
return false, nil
} }
return nil // Everything looks OK.
return true, nil
} }
// extractIRI is shorthand to extract the first IRI // extractIRI is shorthand to extract the first IRI

View file

@ -24,6 +24,7 @@
"github.com/superseriousbusiness/activity/streams/vocab" "github.com/superseriousbusiness/activity/streams/vocab"
"github.com/superseriousbusiness/gotosocial/internal/ap" "github.com/superseriousbusiness/gotosocial/internal/ap"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@ -68,6 +69,20 @@ func (f *federatingDB) Accept(ctx context.Context, accept vocab.ActivityStreamsA
return gtserror.NewErrorBadRequest(errors.New(text), text) return gtserror.NewErrorBadRequest(errors.New(text), text)
} }
// Ensure requester is the same as the
// Actor of the Accept; you can't Accept
// something on someone else's behalf.
actorURI, err := ap.ExtractActorURI(accept)
if err != nil {
const text = "Accept had empty or invalid actor property"
return gtserror.NewErrorBadRequest(errors.New(text), text)
}
if requestingAcct.URI != actorURI.String() {
const text = "Accept actor and requesting account were not the same"
return gtserror.NewErrorBadRequest(errors.New(text), text)
}
// Iterate all provided objects in the activity, // Iterate all provided objects in the activity,
// handling the ones we know how to handle. // handling the ones we know how to handle.
for _, object := range ap.ExtractObjects(accept) { for _, object := range ap.ExtractObjects(accept) {
@ -108,18 +123,6 @@ func (f *federatingDB) Accept(ctx context.Context, accept vocab.ActivityStreamsA
return err return err
} }
// ACCEPT STATUS (reply/boost)
case uris.IsStatusesPath(objIRI):
if err := f.acceptStatusIRI(
ctx,
activityID.String(),
objIRI.String(),
receivingAcct,
requestingAcct,
); err != nil {
return err
}
// ACCEPT LIKE // ACCEPT LIKE
case uris.IsLikePath(objIRI): case uris.IsLikePath(objIRI):
if err := f.acceptLikeIRI( if err := f.acceptLikeIRI(
@ -132,9 +135,20 @@ func (f *federatingDB) Accept(ctx context.Context, accept vocab.ActivityStreamsA
return err return err
} }
// UNHANDLED // ACCEPT OTHER (reply? boost?)
//
// Don't check on IsStatusesPath
// as this may be a remote status.
default: default:
log.Debugf(ctx, "unhandled iri type: %s", objIRI) if err := f.acceptOtherIRI(
ctx,
activityID,
objIRI,
receivingAcct,
requestingAcct,
); err != nil {
return err
}
} }
} }
} }
@ -276,39 +290,91 @@ func (f *federatingDB) acceptFollowIRI(
return nil return nil
} }
func (f *federatingDB) acceptStatusIRI( func (f *federatingDB) acceptOtherIRI(
ctx context.Context, ctx context.Context,
activityID string, activityID *url.URL,
objectIRI string, objectIRI *url.URL,
receivingAcct *gtsmodel.Account, receivingAcct *gtsmodel.Account,
requestingAcct *gtsmodel.Account, requestingAcct *gtsmodel.Account,
) error { ) error {
// Lock on this potential status // See if we can get a status from the db.
// URI as we may be updating it. status, err := f.state.DB.GetStatusByURI(ctx, objectIRI.String())
unlock := f.state.FedLocks.Lock(objectIRI)
defer unlock()
// Get the status from the db.
status, err := f.state.DB.GetStatusByURI(ctx, objectIRI)
if err != nil && !errors.Is(err, db.ErrNoEntries) { if err != nil && !errors.Is(err, db.ErrNoEntries) {
err := gtserror.Newf("db error getting status: %w", err) err := gtserror.Newf("db error getting status: %w", err)
return gtserror.NewErrorInternalError(err) return gtserror.NewErrorInternalError(err)
} }
if status == nil { if status != nil {
// We didn't have a status with // We had a status stored with this
// this URI, so nothing to do. // objectIRI, proceed to accept it.
// Just return. return f.acceptStoredStatus(
ctx,
activityID,
status,
receivingAcct,
requestingAcct,
)
}
if objectIRI.Host == config.GetHost() ||
objectIRI.Host == config.GetAccountDomain() {
// Claims to be Accepting something of ours,
// but we don't have a status stored for this
// URI, so most likely it's been deleted in
// the meantime, just bail.
return nil return nil
} }
if !status.IsLocal() { // This must be an Accept of a remote Activity
// We don't process Accepts of statuses // or Object. Ensure relevance of this message
// that weren't created on our instance. // by checking that receiver follows requester.
// Just return. following, err := f.state.DB.IsFollowing(
ctx,
receivingAcct.ID,
requestingAcct.ID,
)
if err != nil {
err := gtserror.Newf("db error checking following: %w", err)
return gtserror.NewErrorInternalError(err)
}
if !following {
// If we don't follow this person, and
// they're not Accepting something we know
// about, then we don't give a good goddamn.
return nil return nil
} }
// This may be a reply, or it may be a boost,
// we can't know yet without dereferencing it,
// but let the processor worry about that.
apObjectType := ap.ObjectUnknown
// Pass to the processor and let them handle side effects.
f.state.Workers.Federator.Queue.Push(&messages.FromFediAPI{
APObjectType: apObjectType,
APActivityType: ap.ActivityAccept,
APIRI: activityID,
APObject: objectIRI,
Receiving: receivingAcct,
Requesting: requestingAcct,
})
return nil
}
func (f *federatingDB) acceptStoredStatus(
ctx context.Context,
activityID *url.URL,
status *gtsmodel.Status,
receivingAcct *gtsmodel.Account,
requestingAcct *gtsmodel.Account,
) error {
// Lock on this status URI
// as we may be updating it.
unlock := f.state.FedLocks.Lock(status.URI)
defer unlock()
pendingApproval := util.PtrOrValue(status.PendingApproval, false) pendingApproval := util.PtrOrValue(status.PendingApproval, false)
if !pendingApproval { if !pendingApproval {
// Status doesn't need approval or it's // Status doesn't need approval or it's
@ -317,14 +383,6 @@ func (f *federatingDB) acceptStatusIRI(
return nil return nil
} }
// Make sure the creator of the original status
// is the same as the inbox processing the Accept;
// this also ensures the status is local.
if status.AccountID != receivingAcct.ID {
const text = "status author account and inbox account were not the same"
return gtserror.NewErrorUnprocessableEntity(errors.New(text), text)
}
// Make sure the target of the interaction (reply/boost) // Make sure the target of the interaction (reply/boost)
// is the same as the account doing the Accept. // is the same as the account doing the Accept.
if status.BoostOfAccountID != requestingAcct.ID && if status.BoostOfAccountID != requestingAcct.ID &&
@ -335,7 +393,7 @@ func (f *federatingDB) acceptStatusIRI(
// Mark the status as approved by this Accept URI. // Mark the status as approved by this Accept URI.
status.PendingApproval = util.Ptr(false) status.PendingApproval = util.Ptr(false)
status.ApprovedByURI = activityID status.ApprovedByURI = activityID.String()
if err := f.state.DB.UpdateStatus( if err := f.state.DB.UpdateStatus(
ctx, ctx,
status, status,

View file

@ -69,25 +69,29 @@ type InteractionRequest struct {
Like *StatusFave `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionLike. Like *StatusFave `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionLike.
Reply *Status `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionReply. Reply *Status `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionReply.
Announce *Status `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionAnnounce. Announce *Status `bun:"-"` // Not stored in DB. Only set if InteractionType = InteractionAnnounce.
URI string `bun:",nullzero,unique"` // ActivityPub URI of the Accept (if accepted) or Reject (if rejected). Null/empty if currently neither accepted not rejected.
AcceptedAt time.Time `bun:"type:timestamptz,nullzero"` // If interaction request was accepted, time at which this occurred. AcceptedAt time.Time `bun:"type:timestamptz,nullzero"` // If interaction request was accepted, time at which this occurred.
RejectedAt time.Time `bun:"type:timestamptz,nullzero"` // If interaction request was rejected, time at which this occurred. RejectedAt time.Time `bun:"type:timestamptz,nullzero"` // If interaction request was rejected, time at which this occurred.
// ActivityPub URI of the Accept (if accepted) or Reject (if rejected).
// Field may be empty if currently neither accepted not rejected, or if
// acceptance/rejection was implicit (ie., not resulting from an Activity).
URI string `bun:",nullzero,unique"`
} }
// IsHandled returns true if interaction // IsHandled returns true if interaction
// request has been neither accepted or rejected. // request has been neither accepted or rejected.
func (ir *InteractionRequest) IsPending() bool { func (ir *InteractionRequest) IsPending() bool {
return ir.URI == "" && ir.AcceptedAt.IsZero() && ir.RejectedAt.IsZero() return !ir.IsAccepted() && !ir.IsRejected()
} }
// IsAccepted returns true if this // IsAccepted returns true if this
// interaction request has been accepted. // interaction request has been accepted.
func (ir *InteractionRequest) IsAccepted() bool { func (ir *InteractionRequest) IsAccepted() bool {
return ir.URI != "" && !ir.AcceptedAt.IsZero() return !ir.AcceptedAt.IsZero()
} }
// IsRejected returns true if this // IsRejected returns true if this
// interaction request has been rejected. // interaction request has been rejected.
func (ir *InteractionRequest) IsRejected() bool { func (ir *InteractionRequest) IsRejected() bool {
return ir.URI != "" && !ir.RejectedAt.IsZero() return !ir.RejectedAt.IsZero()
} }

View file

@ -20,6 +20,7 @@
import ( import (
"context" "context"
"errors" "errors"
"net/url"
"time" "time"
"codeberg.org/gruf/go-kv" "codeberg.org/gruf/go-kv"
@ -144,6 +145,10 @@ func (p *Processor) ProcessFromFediAPI(ctx context.Context, fMsg *messages.FromF
// ACCEPT (pending) ANNOUNCE // ACCEPT (pending) ANNOUNCE
case ap.ActivityAnnounce: case ap.ActivityAnnounce:
return p.fediAPI.AcceptAnnounce(ctx, fMsg) return p.fediAPI.AcceptAnnounce(ctx, fMsg)
// ACCEPT (remote) REPLY or ANNOUNCE
case ap.ObjectUnknown:
return p.fediAPI.AcceptRemoteStatus(ctx, fMsg)
} }
// REJECT SOMETHING // REJECT SOMETHING
@ -823,6 +828,60 @@ func (p *fediAPI) AcceptReply(ctx context.Context, fMsg *messages.FromFediAPI) e
return nil return nil
} }
func (p *fediAPI) AcceptRemoteStatus(ctx context.Context, fMsg *messages.FromFediAPI) error {
// See if we can accept a remote
// status we don't have stored yet.
objectIRI, ok := fMsg.APObject.(*url.URL)
if !ok {
return gtserror.Newf("%T not parseable as *url.URL", fMsg.APObject)
}
acceptIRI := fMsg.APIRI
if acceptIRI == nil {
return gtserror.New("acceptIRI was nil")
}
// Assume we're accepting a status; create a
// barebones status for dereferencing purposes.
bareStatus := &gtsmodel.Status{
URI: objectIRI.String(),
ApprovedByURI: acceptIRI.String(),
}
// Call RefreshStatus() to process the provided
// barebones status and insert it into the database,
// if indeed it's actually a status URI we can fetch.
//
// This will also check whether the given AcceptIRI
// actually grants permission for this status.
status, _, err := p.federate.RefreshStatus(ctx,
fMsg.Receiving.Username,
bareStatus,
nil, nil,
)
if err != nil {
return gtserror.Newf("error processing accepted status %s: %w", bareStatus.URI, err)
}
// No error means it was indeed a remote status, and the
// given acceptIRI permitted it. Timeline and notify it.
if err := p.surface.timelineAndNotifyStatus(ctx, status); err != nil {
log.Errorf(ctx, "error timelining and notifying status: %v", err)
}
// Interaction counts changed on the interacted status;
// uncache the prepared version from all timelines.
if status.InReplyToID != "" {
p.surface.invalidateStatusFromTimelines(ctx, status.InReplyToID)
}
if status.BoostOfID != "" {
p.surface.invalidateStatusFromTimelines(ctx, status.BoostOfID)
}
return nil
}
func (p *fediAPI) AcceptAnnounce(ctx context.Context, fMsg *messages.FromFediAPI) error { func (p *fediAPI) AcceptAnnounce(ctx context.Context, fMsg *messages.FromFediAPI) error {
boost, ok := fMsg.GTSModel.(*gtsmodel.Status) boost, ok := fMsg.GTSModel.(*gtsmodel.Status)
if !ok { if !ok {

View file

@ -1988,6 +1988,16 @@ func (c *Converter) InteractionReqToASAccept(
return nil, gtserror.Newf("invalid interacting account uri: %w", err) return nil, gtserror.Newf("invalid interacting account uri: %w", err)
} }
publicIRI, err := url.Parse(pub.PublicActivityPubIRI)
if err != nil {
return nil, gtserror.Newf("invalid public uri: %w", err)
}
followersIRI, err := url.Parse(req.TargetAccount.FollowersURI)
if err != nil {
return nil, gtserror.Newf("invalid followers uri: %w", err)
}
// Set id to the URI of // Set id to the URI of
// interaction request. // interaction request.
ap.SetJSONLDId(accept, acceptID) ap.SetJSONLDId(accept, acceptID)
@ -2003,6 +2013,9 @@ func (c *Converter) InteractionReqToASAccept(
// of interaction URI. // of interaction URI.
ap.AppendTo(accept, toIRI) ap.AppendTo(accept, toIRI)
// Cc to the actor's followers, and to Public.
ap.AppendCc(accept, publicIRI, followersIRI)
return accept, nil return accept, nil
} }
@ -2034,6 +2047,16 @@ func (c *Converter) InteractionReqToASReject(
return nil, gtserror.Newf("invalid interacting account uri: %w", err) return nil, gtserror.Newf("invalid interacting account uri: %w", err)
} }
publicIRI, err := url.Parse(pub.PublicActivityPubIRI)
if err != nil {
return nil, gtserror.Newf("invalid public uri: %w", err)
}
followersIRI, err := url.Parse(req.TargetAccount.FollowersURI)
if err != nil {
return nil, gtserror.Newf("invalid followers uri: %w", err)
}
// Set id to the URI of // Set id to the URI of
// interaction request. // interaction request.
ap.SetJSONLDId(reject, rejectID) ap.SetJSONLDId(reject, rejectID)
@ -2049,5 +2072,8 @@ func (c *Converter) InteractionReqToASReject(
// of interaction URI. // of interaction URI.
ap.AppendTo(reject, toIRI) ap.AppendTo(reject, toIRI)
// Cc to the actor's followers, and to Public.
ap.AppendCc(reject, publicIRI, followersIRI)
return reject, nil return reject, nil
} }

View file

@ -1181,6 +1181,10 @@ func (suite *InternalToASTestSuite) TestInteractionReqToASAccept() {
suite.Equal(`{ suite.Equal(`{
"@context": "https://www.w3.org/ns/activitystreams", "@context": "https://www.w3.org/ns/activitystreams",
"actor": "http://localhost:8080/users/the_mighty_zork", "actor": "http://localhost:8080/users/the_mighty_zork",
"cc": [
"https://www.w3.org/ns/activitystreams#Public",
"http://localhost:8080/users/the_mighty_zork/followers"
],
"id": "http://localhost:8080/users/the_mighty_zork/accepts/01J1AKMZ8JE5NW0ZSFTRC1JJNE", "id": "http://localhost:8080/users/the_mighty_zork/accepts/01J1AKMZ8JE5NW0ZSFTRC1JJNE",
"object": "https://fossbros-anonymous.io/users/foss_satan/statuses/01J1AKRRHQ6MDDQHV0TP716T2K", "object": "https://fossbros-anonymous.io/users/foss_satan/statuses/01J1AKRRHQ6MDDQHV0TP716T2K",
"to": "http://fossbros-anonymous.io/users/foss_satan", "to": "http://fossbros-anonymous.io/users/foss_satan",