takahe/users/views/activitypub.py

288 lines
9.1 KiB
Python
Raw Normal View History

2022-11-13 04:14:21 +00:00
import json
from django.conf import settings
from django.http import Http404, HttpResponse, HttpResponseBadRequest, JsonResponse
2022-11-13 04:14:21 +00:00
from django.utils.decorators import method_decorator
from django.views.decorators.cache import cache_control
2022-11-13 04:14:21 +00:00
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View
from activities.models import Post
2023-05-13 16:01:27 +00:00
from activities.services import TimelineService
from core import exceptions
2022-12-05 17:55:30 +00:00
from core.decorators import cache_page
2022-11-13 04:14:21 +00:00
from core.ld import canonicalise
from core.models import Config
2022-11-13 04:14:21 +00:00
from core.signatures import (
HttpSignature,
LDSignature,
VerificationError,
VerificationFormatError,
)
from core.views import StaticContentView
from takahe import __version__
from users.models import Identity, InboxMessage, SystemActor
2022-11-13 04:14:21 +00:00
from users.shortcuts import by_handle_or_404
class HttpResponseUnauthorized(HttpResponse):
status_code = 401
class HostMeta(View):
"""
Returns a canned host-meta response
"""
def get(self, request):
return HttpResponse(
"""<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
<Link rel="lrdd" template="https://%s/.well-known/webfinger?resource={uri}"/>
</XRD>"""
% request.headers["host"],
content_type="application/xrd+xml",
2022-11-13 04:14:21 +00:00
)
class NodeInfo(View):
"""
Returns the well-known nodeinfo response, pointing to the 2.0 one
"""
def get(self, request):
host = request.META.get("HOST", settings.MAIN_DOMAIN)
return JsonResponse(
{
"links": [
{
"rel": "http://nodeinfo.diaspora.software/ns/schema/2.0",
"href": f"https://{host}/nodeinfo/2.0/",
}
]
}
)
2022-12-05 17:55:30 +00:00
@method_decorator(cache_page(), name="dispatch")
class NodeInfo2(View):
"""
Returns the nodeinfo 2.0 response
"""
def get(self, request):
# Fetch some user stats
local_identities = Identity.objects.filter(local=True).count()
local_posts = Post.objects.filter(local=True).count()
return JsonResponse(
{
"version": "2.0",
"software": {"name": "takahe", "version": __version__},
"protocols": ["activitypub"],
"services": {"outbound": [], "inbound": []},
"usage": {
"users": {"total": local_identities},
"localPosts": local_posts,
},
"openRegistrations": Config.system.signup_allowed,
"metadata": {},
}
)
2022-12-05 17:55:30 +00:00
@method_decorator(cache_page(), name="dispatch")
2022-11-13 04:14:21 +00:00
class Webfinger(View):
"""
Services webfinger requests
"""
def get(self, request):
resource = request.GET.get("resource")
if not resource:
return HttpResponseBadRequest("No resource specified")
2022-11-13 04:14:21 +00:00
if not resource.startswith("acct:"):
return HttpResponseBadRequest("Not an account resource")
handle = resource[5:]
if handle.startswith("__system__@"):
# They are trying to webfinger the system actor
actor = SystemActor()
else:
actor = by_handle_or_404(request, handle)
return JsonResponse(actor.to_webfinger(), content_type="application/jrd+json")
2022-11-13 04:14:21 +00:00
@method_decorator(csrf_exempt, name="dispatch")
class Inbox(View):
"""
AP Inbox endpoint
"""
2022-12-10 20:24:49 +00:00
def post(self, request, handle=None):
2022-12-28 03:01:00 +00:00
# Reject bodies that are unfeasibly big
if len(request.body) > settings.JSONLD_MAX_SIZE:
return HttpResponseBadRequest("Payload size too large")
2022-11-13 04:14:21 +00:00
# Load the LD
document = canonicalise(json.loads(request.body), include_security=True)
# Find the Identity by the actor on the incoming item
# This ensures that the signature used for the headers matches the actor
# described in the payload.
identity = Identity.by_actor_uri(document["actor"], create=True, transient=True)
if (
document["type"] == "Delete"
and document["actor"] == document["object"]
2023-01-09 06:06:09 +00:00
and identity._state.adding
):
# We don't have an Identity record for the user. No-op
return HttpResponse(status=202)
2022-11-13 04:14:21 +00:00
if not identity.public_key:
# See if we can fetch it right now
identity.fetch_actor()
2022-11-13 04:14:21 +00:00
if not identity.public_key:
exceptions.capture_message(
f"Inbox error: cannot fetch actor {document['actor']}"
)
2022-11-13 04:14:21 +00:00
return HttpResponseBadRequest("Cannot retrieve actor")
2022-12-17 02:42:48 +00:00
# See if it's from a blocked user or domain
if identity.blocked or identity.domain.blocked:
2022-11-26 01:11:31 +00:00
# I love to lie! Throw it away!
exceptions.capture_message(
2022-12-17 02:42:48 +00:00
f"Inbox: Discarded message from {identity.actor_uri}"
2022-11-26 01:11:31 +00:00
)
return HttpResponse(status=202)
2022-11-13 04:14:21 +00:00
# If there's a "signature" payload, verify against that
if "signature" in document:
try:
LDSignature.verify_signature(document, identity.public_key)
except VerificationFormatError as e:
exceptions.capture_message(
f"Inbox error: Bad LD signature format: {e.args[0]}"
)
2022-11-13 04:14:21 +00:00
return HttpResponseBadRequest(e.args[0])
except VerificationError:
exceptions.capture_message("Inbox error: Bad LD signature")
2022-11-13 04:14:21 +00:00
return HttpResponseUnauthorized("Bad signature")
2022-12-17 02:42:48 +00:00
2022-11-13 04:14:21 +00:00
# Otherwise, verify against the header (assuming it's the same actor)
else:
try:
HttpSignature.verify_request(
request,
identity.public_key,
)
except VerificationFormatError as e:
exceptions.capture_message(
f"Inbox error: Bad HTTP signature format: {e.args[0]}"
)
2022-11-13 04:14:21 +00:00
return HttpResponseBadRequest(e.args[0])
except VerificationError:
exceptions.capture_message("Inbox error: Bad HTTP signature")
2022-11-13 04:14:21 +00:00
return HttpResponseUnauthorized("Bad signature")
2022-12-17 02:42:48 +00:00
# Don't allow injection of internal messages
if document["type"].startswith("__"):
return HttpResponseUnauthorized("Bad type")
2022-11-13 04:14:21 +00:00
# Hand off the item to be processed by the queue
InboxMessage.objects.create(message=document)
return HttpResponse(status=202)
class Outbox(View):
"""
The ActivityPub outbox for an identity
"""
def get(self, request, handle):
self.identity = by_handle_or_404(
self.request,
handle,
local=False,
fetch=True,
)
# If this not a local actor, 404
if not self.identity.local:
raise Http404("Not a local identity")
# Return an ordered collection with the most recent 10 public posts
posts = list(self.identity.posts.not_hidden().public()[:10])
return JsonResponse(
canonicalise(
{
"type": "OrderedCollection",
"totalItems": len(posts),
"orderedItems": [post.to_ap() for post in posts],
}
),
2023-05-13 16:01:27 +00:00
content_type="application/activity+json",
)
class FeaturedCollection(View):
"""
An ordered collection of all pinned posts of an identity
"""
def get(self, request, handle):
self.identity = by_handle_or_404(
request,
handle,
local=False,
fetch=True,
)
if not self.identity.local:
raise Http404("Not a local identity")
posts = list(TimelineService(self.identity).identity_pinned())
return JsonResponse(
canonicalise(
{
"type": "OrderedCollection",
"id": self.identity.actor_uri + "collections/featured/",
"totalItems": len(posts),
"orderedItems": [post.to_ap() for post in posts],
}
),
content_type="application/activity+json",
)
@method_decorator(cache_control(max_age=60 * 15), name="dispatch")
class EmptyOutbox(StaticContentView):
"""
A fixed-empty outbox for the system actor
"""
content_type: str = "application/activity+json"
def get_static_content(self) -> str | bytes:
return json.dumps(
canonicalise(
{
"type": "OrderedCollection",
"totalItems": 0,
"orderedItems": [],
}
)
)
@method_decorator(cache_control(max_age=60 * 15), name="dispatch")
class SystemActorView(StaticContentView):
"""
Special endpoint for the overall system actor
"""
content_type: str = "application/activity+json"
def get_static_content(self) -> str | bytes:
return json.dumps(
canonicalise(
SystemActor().to_ap(),
include_security=True,
)
)