Merge remote-tracking branch 'pleroma/develop' into feature/addressable-lists

2019-05-16 17:54:24 +07:00 · 2019-05-16 17:54:24 +07:00 · fc7246d715
commit fc7246d715
parent a7a8f3bc2c a2771869a3
30 changed files with 260 additions and 447 deletions
--- a/lib/pleroma/config/deprecation_warnings.ex
+++ b/lib/pleroma/config/deprecation_warnings.ex
@ -5,15 +5,6 @@
 defmodule Pleroma.Config.DeprecationWarnings do
  require Logger

-  def check_frontend_config_mechanism do
-    if Pleroma.Config.get(:fe) do
-      Logger.warn("""
-      !!!DEPRECATION WARNING!!!
-      You are using the old configuration mechanism for the frontend. Please check config.md.
-      """)
-    end
-  end
-
  def check_hellthread_threshold do
    if Pleroma.Config.get([:mrf_hellthread, :threshold]) do
      Logger.warn("""
@ -24,7 +15,6 @@ defmodule Pleroma.Config.DeprecationWarnings do
  end

  def warn do
-    check_frontend_config_mechanism()
    check_hellthread_threshold()
  end
 end
--- a/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
+++ b/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
@ -0,0 +1,31 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug do
+  import Plug.Conn
+  alias Pleroma.Config
+  alias Pleroma.User
+
+  def init(options) do
+    options
+  end
+
+  def call(conn, _) do
+    public? = Config.get!([:instance, :public])
+
+    case {public?, conn} do
+      {true, _} ->
+        conn
+
+      {false, %{assigns: %{user: %User{}}}} ->
+        conn
+
+      {false, _} ->
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(403, Jason.encode!(%{error: "This resource requires authentication."}))
+        |> halt
+    end
+  end
+end
--- a/lib/pleroma/plugs/http_signature.ex
+++ b/lib/pleroma/plugs/http_signature.ex
@ -4,7 +4,6 @@

 defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
  alias Pleroma.Web.ActivityPub.Utils
-  alias Pleroma.Web.HTTPSignatures
  import Plug.Conn
  require Logger

--- a/lib/pleroma/signature.ex
+++ b/lib/pleroma/signature.ex
@ -0,0 +1,41 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Signature do
+  @behaviour HTTPSignatures.Adapter
+
+  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.ActivityPub
+  alias Pleroma.Web.ActivityPub.Utils
+  alias Pleroma.Web.Salmon
+  alias Pleroma.Web.WebFinger
+
+  def fetch_public_key(conn) do
+    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
+         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
+      {:ok, public_key}
+    else
+      e ->
+        {:error, e}
+    end
+  end
+
+  def refetch_public_key(conn) do
+    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
+         {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
+         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
+      {:ok, public_key}
+    else
+      e ->
+        {:error, e}
+    end
+  end
+
+  def sign(%User{} = user, headers) do
+    with {:ok, %{info: %{keys: keys}}} <- WebFinger.ensure_keys_present(user),
+         {:ok, private_key, _} <- Salmon.keys_from_pem(keys) do
+      HTTPSignatures.sign(private_key, user.ap_id <> "#main-key", headers)
+    end
+  end
+end
--- a/lib/pleroma/web/activity_pub/publisher.ex
+++ b/lib/pleroma/web/activity_pub/publisher.ex
@ -54,7 +54,7 @@ defmodule Pleroma.Web.ActivityPub.Publisher do
      |> Timex.format!("{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT")

    signature =
-      Pleroma.Web.HTTPSignatures.sign(actor, %{
+      Pleroma.Signature.sign(actor, %{
        host: host,
        "content-length": byte_size(json),
        digest: digest,
--- a/lib/pleroma/web/activity_pub/visibility.ex
+++ b/lib/pleroma/web/activity_pub/visibility.ex
@ -58,4 +58,28 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
        visible_for_user?(tail, user)
    end
  end
+
+  def get_visibility(object) do
+    public = "https://www.w3.org/ns/activitystreams#Public"
+    to = object.data["to"] || []
+    cc = object.data["cc"] || []
+
+    cond do
+      public in to ->
+        "public"
+
+      public in cc ->
+        "unlisted"
+
+      # this should use the sql for the object's activity
+      Enum.any?(to, &String.contains?(&1, "/followers")) ->
+        "private"
+
+      length(cc) > 0 ->
+        "private"
+
+      true ->
+        "direct"
+    end
+  end
 end
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@ -116,36 +116,39 @@ defmodule Pleroma.Web.CommonAPI do
    end
  end

-  def get_visibility(%{"visibility" => visibility})
+  def get_visibility(%{"visibility" => visibility}, in_reply_to)
      when visibility in ~w{public unlisted private direct},
-      do: visibility
+      do: {visibility, get_replied_to_visibility(in_reply_to)}

-  def get_visibility(%{"visibility" => "list:" <> list_id}) do
-    {:list, String.to_integer(list_id)}
+  def get_visibility(%{"visibility" => "list:" <> list_id}, in_reply_to) do
+    visibility = {:list, String.to_integer(list_id)}
+    {visibility, get_replied_to_visibility(in_reply_to)}
  end

-  def get_visibility(%{"in_reply_to_status_id" => status_id}) when not is_nil(status_id) do
-    case get_replied_to_activity(status_id) do
-      nil ->
-        "public"
+  def get_visibility(_, in_reply_to) when not is_nil(in_reply_to) do
+    visibility = get_replied_to_visibility(in_reply_to)
+    {visibility, visibility}
+  end

-      in_reply_to ->
-        # XXX: these heuristics should be moved out of MastodonAPI.
-        with %Object{} = object <- Object.normalize(in_reply_to) do
-          Pleroma.Web.MastodonAPI.StatusView.get_visibility(object)
-        end
+  def get_visibility(_, in_reply_to), do: {"public", get_replied_to_visibility(in_reply_to)}
+
+  def get_replied_to_visibility(nil), do: nil
+
+  def get_replied_to_visibility(activity) do
+    with %Object{} = object <- Object.normalize(activity) do
+      Pleroma.Web.ActivityPub.Visibility.get_visibility(object)
    end
  end

-  def get_visibility(_), do: "public"
-
  def post(user, %{"status" => status} = data) do
-    visibility = get_visibility(data)
    limit = Pleroma.Config.get([:instance, :limit])

    with status <- String.trim(status),
         attachments <- attachments_from_ids(data),
         in_reply_to <- get_replied_to_activity(data["in_reply_to_status_id"]),
+         {visibility, in_reply_to_visibility} <- get_visibility(data, in_reply_to),
+         {_, false} <-
+           {:private_to_public, in_reply_to_visibility == "direct" && visibility != "direct"},
         {content_html, mentions, tags} <-
           make_content_html(
             status,
@ -187,6 +190,8 @@ defmodule Pleroma.Web.CommonAPI do
        },
        Pleroma.Web.ControllerHelper.truthy_param?(data["preview"]) || false
      )
+    else
+      e -> {:error, e}
    end
  end

--- a/lib/pleroma/web/federator/publisher.ex
+++ b/lib/pleroma/web/federator/publisher.ex
@ -31,7 +31,7 @@ defmodule Pleroma.Web.Federator.Publisher do
  """
  @spec enqueue_one(module(), Map.t()) :: :ok
  def enqueue_one(module, %{} = params),
-    do: PleromaJobQueue.enqueue(:federation_outgoing, __MODULE__, [:publish_one, module, params])
+    do: PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish_one, module, params])

  @spec perform(atom(), module(), any()) :: {:ok, any()} | {:error, any()}
  def perform(:publish_one, module, params) do
--- a/lib/pleroma/web/http_signatures/http_signatures.ex
+++ b/lib/pleroma/web/http_signatures/http_signatures.ex
@ -1,91 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# https://tools.ietf.org/html/draft-cavage-http-signatures-08
-defmodule Pleroma.Web.HTTPSignatures do
-  alias Pleroma.User
-  alias Pleroma.Web.ActivityPub.ActivityPub
-  alias Pleroma.Web.ActivityPub.Utils
-
-  require Logger
-
-  def split_signature(sig) do
-    default = %{"headers" => "date"}
-
-    sig =
-      sig
-      |> String.trim()
-      |> String.split(",")
-      |> Enum.reduce(default, fn part, acc ->
-        [key | rest] = String.split(part, "=")
-        value = Enum.join(rest, "=")
-        Map.put(acc, key, String.trim(value, "\""))
-      end)
-
-    Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))
-  end
-
-  def validate(headers, signature, public_key) do
-    sigstring = build_signing_string(headers, signature["headers"])
-    Logger.debug("Signature: #{signature["signature"]}")
-    Logger.debug("Sigstring: #{sigstring}")
-    {:ok, sig} = Base.decode64(signature["signature"])
-    :public_key.verify(sigstring, :sha256, sig, public_key)
-  end
-
-  def validate_conn(conn) do
-    # TODO: How to get the right key and see if it is actually valid for that request.
-    # For now, fetch the key for the actor.
-    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
-         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
-      if validate_conn(conn, public_key) do
-        true
-      else
-        Logger.debug("Could not validate, re-fetching user and trying one more time")
-        # Fetch user anew and try one more time
-        with actor_id <- Utils.get_ap_id(conn.params["actor"]),
-             {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
-             {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
-          validate_conn(conn, public_key)
-        end
-      end
-    else
-      _e ->
-        Logger.debug("Could not public key!")
-        false
-    end
-  end
-
-  def validate_conn(conn, public_key) do
-    headers = Enum.into(conn.req_headers, %{})
-    signature = split_signature(headers["signature"])
-    validate(headers, signature, public_key)
-  end
-
-  def build_signing_string(headers, used_headers) do
-    used_headers
-    |> Enum.map(fn header -> "#{header}: #{headers[header]}" end)
-    |> Enum.join("\n")
-  end
-
-  def sign(user, headers) do
-    with {:ok, %{info: %{keys: keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),
-         {:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do
-      sigstring = build_signing_string(headers, Map.keys(headers))
-
-      signature =
-        :public_key.sign(sigstring, :sha256, private_key)
-        |> Base.encode64()
-
-      [
-        keyId: user.ap_id <> "#main-key",
-        algorithm: "rsa-sha256",
-        headers: Map.keys(headers) |> Enum.join(" "),
-        signature: signature
-      ]
-      |> Enum.map(fn {k, v} -> "#{k}=\"#{v}\"" end)
-      |> Enum.join(",")
-    end
-  end
-end
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@ -16,6 +16,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
  alias Pleroma.Web.MastodonAPI.StatusView
  alias Pleroma.Web.MediaProxy

+  import Pleroma.Web.ActivityPub.Visibility, only: [get_visibility: 1]
+
  # TODO: Add cached version.
  defp get_replied_to_activities(activities) do
    activities
@ -340,30 +342,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
    end
  end

-  def get_visibility(object) do
-    public = "https://www.w3.org/ns/activitystreams#Public"
-    to = object.data["to"] || []
-    cc = object.data["cc"] || []
-
-    cond do
-      public in to ->
-        "public"
-
-      public in cc ->
-        "unlisted"
-
-      # this should use the sql for the object's activity
-      Enum.any?(to, &String.contains?(&1, "/followers")) ->
-        "private"
-
-      length(cc) > 0 ->
-        "private"
-
-      true ->
-        "direct"
-    end
-  end
-
  def render_content(%{data: %{"type" => "Video"}} = object) do
    with name when not is_nil(name) and name != "" <- object.data["name"] do
      "<p><a href=\"#{object.data["id"]}\">#{name}</a></p>#{object.data["content"]}"
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -84,11 +84,13 @@ defmodule Pleroma.Web.Router do
    plug(Pleroma.Plugs.EnsureUserKeyPlug)
  end

-  pipeline :oauth_read_or_unauthenticated do
+  pipeline :oauth_read_or_public do
    plug(Pleroma.Plugs.OAuthScopesPlug, %{
      scopes: ["read"],
      fallback: :proceed_unauthenticated
    })
+
+    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
  end

  pipeline :oauth_read do
@ -404,7 +406,7 @@ defmodule Pleroma.Web.Router do
    get("/accounts/search", MastodonAPIController, :account_search)

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)

      get("/timelines/public", MastodonAPIController, :public_timeline)
      get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
@ -425,7 +427,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
    get("/search", MastodonAPIController, :search2)
  end

@ -455,7 +457,7 @@ defmodule Pleroma.Web.Router do
    )

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)

      get("/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
      get("/qvitter/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
@ -473,7 +475,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api", Pleroma.Web do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])

    get("/statuses/public_timeline", TwitterAPI.Controller, :public_timeline)

@ -487,7 +489,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api", Pleroma.Web, as: :twitter_api_search do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
    get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
  end

@ -671,7 +673,7 @@ defmodule Pleroma.Web.Router do
    delete("/auth/sign_out", MastodonAPIController, :logout)

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)
      get("/web/*path", MastodonAPIController, :index)
    end
  end
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -173,8 +173,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do

  def config(conn, _params) do
    instance = Pleroma.Config.get(:instance)
-    instance_fe = Pleroma.Config.get(:fe)
-    instance_chat = Pleroma.Config.get(:chat)

    case get_format(conn) do
      "xml" ->
@ -219,31 +217,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
            if(Pleroma.Config.get([:instance, :safe_dm_mentions]), do: "1", else: "0")
        }

-        pleroma_fe =
-          if instance_fe do
-            %{
-              theme: Keyword.get(instance_fe, :theme),
-              background: Keyword.get(instance_fe, :background),
-              logo: Keyword.get(instance_fe, :logo),
-              logoMask: Keyword.get(instance_fe, :logo_mask),
-              logoMargin: Keyword.get(instance_fe, :logo_margin),
-              redirectRootNoLogin: Keyword.get(instance_fe, :redirect_root_no_login),
-              redirectRootLogin: Keyword.get(instance_fe, :redirect_root_login),
-              chatDisabled: !Keyword.get(instance_chat, :enabled),
-              showInstanceSpecificPanel: Keyword.get(instance_fe, :show_instance_panel),
-              scopeOptionsEnabled: Keyword.get(instance_fe, :scope_options_enabled),
-              formattingOptionsEnabled: Keyword.get(instance_fe, :formatting_options_enabled),
-              collapseMessageWithSubject:
-                Keyword.get(instance_fe, :collapse_message_with_subject),
-              hidePostStats: Keyword.get(instance_fe, :hide_post_stats),
-              hideUserStats: Keyword.get(instance_fe, :hide_user_stats),
-              scopeCopy: Keyword.get(instance_fe, :scope_copy),
-              subjectLineBehavior: Keyword.get(instance_fe, :subject_line_behavior),
-              alwaysShowSubjectInput: Keyword.get(instance_fe, :always_show_subject_input)
-            }
-          else
-            Pleroma.Config.get([:frontend_configurations, :pleroma_fe])
-          end
+        pleroma_fe = Pleroma.Config.get([:frontend_configurations, :pleroma_fe])

        managed_config = Keyword.get(instance, :managed_config)

--- a/lib/pleroma/web/twitter_api/views/activity_view.ex
+++ b/lib/pleroma/web/twitter_api/views/activity_view.ex
@ -310,7 +310,7 @@ defmodule Pleroma.Web.TwitterAPI.ActivityView do
      "tags" => tags,
      "activity_type" => "post",
      "possibly_sensitive" => possibly_sensitive,
-      "visibility" => StatusView.get_visibility(object),
+      "visibility" => Pleroma.Web.ActivityPub.Visibility.get_visibility(object),
      "summary" => summary,
      "summary_html" => summary |> Formatter.emojify(object.data["emoji"]),
      "card" => card,