wahhh getting there

2025-11-26 01:23:32 -06:00 · 2021-05-06 14:01:43 +02:00 · 2021-05-06 14:01:43 +02:00 · d4c919d273
commit d4c919d273
parent 41e6e8ed10
12 changed files with 214 additions and 151 deletions
--- a/internal/federation/federatingprotocol.go
+++ b/internal/federation/federatingprotocol.go
@ -137,7 +137,9 @@ func (f *federator) AuthenticatePostInbox(ctx context.Context, w http.ResponseWr
 		requestingAccount = a
 	}

-	return nil, true, nil
+	contextWithRequestingAccount := context.WithValue(ctx, util.APRequestingAccount, requestingAccount)
+
+	return contextWithRequestingAccount, true, nil
 }

 // Blocked should determine whether to permit a set of actors given by
--- a/internal/federation/federator.go
+++ b/internal/federation/federator.go
@ -23,6 +23,7 @@ import (
 	"net/url"

 	"github.com/go-fed/activity/pub"
+	"github.com/go-fed/activity/streams/vocab"
 	"github.com/sirupsen/logrus"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
@ -32,9 +33,17 @@ import (

 // Federator wraps various interfaces and functions to manage activitypub federation from gotosocial
 type Federator interface {
+	// FederatingActor returns the underlying pub.FederatingActor, which can be used to send activities, and serve actors at inboxes/outboxes.
 	FederatingActor() pub.FederatingActor
-	TransportController() transport.Controller
+	// AuthenticateFederatedRequest can be used to check the authenticity of incoming http-signed requests for federating resources.
+	// The given username will be used to create a transport for making outgoing requests. See the implementation for more detailed comments.
 	AuthenticateFederatedRequest(username string, r *http.Request) (*url.URL, error)
+	// DereferenceRemoteAccount can be used to get the ActivityStreamsPerson representation of a remote account, based on the account ID (which is a URI).
+	// The given username will be used to create a transport for making outgoing requests. See the implementation for more detailed comments.
+	DereferenceRemoteAccount(username string, remoteAccountID *url.URL) (vocab.ActivityStreamsPerson, error)
+	// GetTransportForUser returns a new transport initialized with the key credentials belonging to the given username.
+	// This can be used for making signed http requests.
+	GetTransportForUser(username string) (pub.Transport, error)
 	pub.CommonBehavior
 	pub.FederatingProtocol
 }
@ -69,7 +78,3 @@ func NewFederator(db db.DB, transportController transport.Controller, config *co
 func (f *federator) FederatingActor() pub.FederatingActor {
 	return f.actor
 }
-
-func (f *federator) TransportController() transport.Controller {
-	return f.transportController
-}
--- a/internal/federation/federator_test.go
+++ b/internal/federation/federator_test.go
@ -97,7 +97,7 @@ func (suite *ProtocolTestSuite) TestPostInboxRequestBodyHook() {
 	request.Header.Set("Signature", activity.SignatureHeader)

 	// trigger the function being tested, and return the new context it creates
-	newContext, err := federator.FederatingProtocol().PostInboxRequestBodyHook(ctx, request, activity.Activity)
+	newContext, err := federator.PostInboxRequestBodyHook(ctx, request, activity.Activity)
 	assert.NoError(suite.T(), err)
 	assert.NotNil(suite.T(), newContext)

@ -173,7 +173,7 @@ func (suite *ProtocolTestSuite) TestAuthenticatePostInbox() {
 	recorder := httptest.NewRecorder()

 	// trigger the function being tested, and return the new context it creates
-	newContext, authed, err := federator.FederatingProtocol().AuthenticatePostInbox(ctxWithActivity, recorder, request)
+	newContext, authed, err := federator.AuthenticatePostInbox(ctxWithActivity, recorder, request)
 	assert.NoError(suite.T(), err)
 	assert.True(suite.T(), authed)

--- a/internal/federation/util.go
+++ b/internal/federation/util.go
@ -93,13 +93,13 @@ func getPublicKeyFromResponse(c context.Context, b []byte, keyID *url.URL) (voca
 	return pkpFound, nil
 }

-// AuthenticateFederatedRequest authenticates any kind of federated request from a remote server. This includes things like
-// GET requests for dereferencing users or statuses etc and POST requests for delivering new Activities.
-//
-// Error means the request did not pass authentication. No error means it's authentic.
+// AuthenticateFederatedRequest authenticates any kind of incoming federated request from a remote server. This includes things like
+// GET requests for dereferencing our users or statuses etc, and POST requests for delivering new Activities. The function returns
+// the URL of the owner of the public key used in the http signature.
 //
 // Authenticate in this case is defined as just making sure that the http request is actually signed by whoever claims
-// to have signed it, by fetching the public key from the signature and checking it against the remote public key.
+// to have signed it, by fetching the public key from the signature and checking it against the remote public key. This function
+// *does not* check whether the request is authorized, only whether it's authentic.
 //
 // The provided username will be used to generate a transport for making remote requests/derefencing the public key ID of the request signature.
 // Ideally you should pass in the username of the user *being requested*, so that the remote server can decide how to handle the request based on who's making it.
@ -108,8 +108,8 @@ func getPublicKeyFromResponse(c context.Context, b []byte, keyID *url.URL) (voca
 //
 // Note that it is also valid to pass in an empty string here, in which case the keys of the instance account will be used.
 //
-// Note that this function *does not* dereference the remote account that the signature key is associated with, but it will
-// return the owner of the public key, so that other functions can dereference it with that, as required.
+// Also note that this function *does not* dereference the remote account that the signature key is associated with.
+// Other functions should use the returned URL to dereference the remote account, if required.
 func (f *federator) AuthenticateFederatedRequest(username string, r *http.Request) (*url.URL, error) {
 	verifier, err := httpsig.NewVerifier(r)
 	if err != nil {
@ -225,9 +225,56 @@ func (f *federator) GetTransportForUser(username string) (pub.Transport, error)
 		return nil, fmt.Errorf("error getting account %s from db: %s", username, err)
 	}

-	transport, err := f.TransportController().NewTransport(ourAccount.PublicKeyURI, ourAccount.PrivateKey)
+	transport, err := f.transportController.NewTransport(ourAccount.PublicKeyURI, ourAccount.PrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("error creating transport for user %s: %s", username, err)
 	}
 	return transport, nil
 }
+
+const (
+	activityStreamsContext = "https://www.w3.org/ns/activitystreams"
+	w3idContext            = "https://w3id.org/security/v1"
+	tootContext            = "http://joinmastodon.org/ns#"
+	schemaContext          = "http://schema.org#"
+)
+
+// ActivityStreamsContext returns the url representation of https://www.w3.org/ns/activitystreams
+func ActivityStreamsContext() *url.URL {
+	u, err := url.Parse(activityStreamsContext)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+// W3IDContext returns the url representation of https://w3id.org/security/v1
+func W3IDContext() *url.URL {
+	u, err := url.Parse(w3idContext)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+// TootContext returns the url representation of http://joinmastodon.org/ns#
+func TootContext() *url.URL {
+	u, err := url.Parse(tootContext)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+// SchemaContext returns the url representation of http://schema.org#
+func SchemaContext() *url.URL {
+	u, err := url.Parse(schemaContext)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+func StandardContexts() vocab.ActivityStreamsContextProperty {
+	return nil
+}