From cdd03aa64548810591e043fb59a287a1b36c92ba Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Thu, 5 Jan 2023 11:00:50 +0300 Subject: ActivityPub: signed GET requests, fix Signature verification --- src/main/java/com/juick/ActivityPubManager.java | 48 ++--- src/main/java/com/juick/SignatureManager.java | 200 --------------------- .../com/juick/config/ActivityPubClientConfig.java | 61 +++++++ .../config/ActivityPubClientErrorHandler.java | 1 - .../java/com/juick/config/ActivityPubConfig.java | 38 ---- src/main/java/com/juick/config/AppConfig.java | 5 +- src/main/java/com/juick/config/SecurityConfig.java | 17 +- .../java/com/juick/service/ActivityPubService.java | 158 +++++++++++++++- .../java/com/juick/service/SignatureService.java | 57 ++++++ .../java/com/juick/service/WebfingerService.java | 58 ++++++ .../security/BearerTokenAuthenticationFilter.java | 7 +- .../HTTPSignatureAuthenticationFilter.java | 43 +++-- .../juick/util/ActivityPubRequestInterceptor.java | 2 +- src/main/java/com/juick/www/api/Users.java | 7 +- .../java/com/juick/www/controllers/Compat.java | 16 +- .../pebble/extension/filters/TagsListFilter.java | 1 - 16 files changed, 407 insertions(+), 312 deletions(-) delete mode 100644 src/main/java/com/juick/SignatureManager.java create mode 100644 src/main/java/com/juick/config/ActivityPubClientConfig.java create mode 100644 src/main/java/com/juick/service/SignatureService.java create mode 100644 src/main/java/com/juick/service/WebfingerService.java (limited to 'src/main/java/com') diff --git a/src/main/java/com/juick/ActivityPubManager.java b/src/main/java/com/juick/ActivityPubManager.java index a487afb1..db8a1acb 100644 --- a/src/main/java/com/juick/ActivityPubManager.java +++ b/src/main/java/com/juick/ActivityPubManager.java @@ -19,12 +19,13 @@ package com.juick; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.databind.json.JsonMapper; import com.juick.model.Message; import com.juick.model.Reaction; import com.juick.model.User; +import com.juick.service.ActivityPubService; import com.juick.service.MessagesService; import com.juick.service.SocialService; +import com.juick.service.WebfingerService; import com.juick.service.activities.*; import com.juick.service.component.NotificationListener; import com.juick.service.component.PingEvent; @@ -45,6 +46,7 @@ import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.core.convert.ConversionService; +import org.springframework.http.MediaType; import org.springframework.web.util.UriComponents; import org.springframework.web.util.UriComponentsBuilder; @@ -62,7 +64,9 @@ import java.util.stream.Collectors; public class ActivityPubManager implements ActivityListener, NotificationListener { private static final Logger logger = LoggerFactory.getLogger("ActivityPub"); @Inject - private SignatureManager signatureManager; + private ActivityPubService activityPubService; + @Inject + private WebfingerService webfingerService; @Inject private SocialService socialService; @Inject @@ -84,12 +88,12 @@ public class ActivityPubManager implements ActivityListener, NotificationListene if (!followedUser.isAnonymous()) { // automatically accept follower requests Actor me = conversionService.convert(followedUser, Actor.class); - Actor follower = (Actor) signatureManager.getContext(URI.create(followEvent.getRequest().getActor())).get(); + Actor follower = (Actor) activityPubService.get(URI.create(followEvent.getRequest().getActor())).get(); Accept accept = new Accept(); accept.setActor(me.getId()); accept.setObject(followEvent.getRequest()); try { - signatureManager.post(me, follower, accept); + activityPubService.post(me, follower, accept); socialService.addFollower(followedUser, follower.getId()); logger.info("Follower added for {}", followedUser.getName()); } catch (IOException | NoSuchAlgorithmException e) { @@ -124,14 +128,14 @@ public class ActivityPubManager implements ActivityListener, NotificationListene Actor me = conversionService.convert(user, Actor.class); socialService.getFollowers(user).forEach(acct -> { try { - Actor follower = (Actor) signatureManager.getContext(URI.create(acct)).orElseThrow(); + Actor follower = (Actor) activityPubService.get(URI.create(acct)).orElseThrow(); Delete delete = new Delete(); delete.setId(note.getId()); delete.setActor(me.getId()); delete.setPublished(note.getPublished()); delete.setObject(note); logger.info("Deletion to follower {}", follower.getId()); - signatureManager.post(me, follower, delete); + activityPubService.post(me, follower, delete); } catch (IOException | NoSuchAlgorithmException e) { logger.warn("activitypub exception", e); } catch (NoSuchElementException ex) { @@ -196,12 +200,12 @@ public class ActivityPubManager implements ActivityListener, NotificationListene private void activityToFollowers(User user, Actor from, Activity activity) { socialService.getFollowers(user).forEach(acct -> { - var context = signatureManager.getContext(URI.create(acct)); + var context = activityPubService.get(URI.create(acct)); context.ifPresentOrElse((follower) -> { if (follower instanceof Actor) { var to = (Actor) follower; try { - signatureManager.post(from, to, activity); + activityPubService.post(from, to, activity); } catch (Exception e) { logger.warn("Delivery to {} failed: {}", to, e.getMessage()); } @@ -251,7 +255,7 @@ public class ActivityPubManager implements ActivityListener, NotificationListene subscribers.addAll(note.getCc()); subscribers.forEach(acct -> { if (!acct.equals(profileUriBuilder.followersUri(user))) { - var context = signatureManager.getContext(URI.create(acct)); + var context = activityPubService.get(URI.create(acct)); context.ifPresentOrElse((follower) -> { if (follower instanceof Actor) { var to = (Actor) follower; @@ -261,7 +265,7 @@ public class ActivityPubManager implements ActivityListener, NotificationListene create.setPublished(note.getPublished()); create.setObject(note); try { - signatureManager.post(me, to, create); + activityPubService.post(me, to, create); } catch (IOException | NoSuchAlgorithmException e) { logger.warn("Delivery to {} failed: {}", to, e.getMessage()); } @@ -308,10 +312,10 @@ public class ActivityPubManager implements ActivityListener, NotificationListene note.setTags(msg.getTags().stream().map(t -> new Hashtag(profileUriBuilder.tagUri(t), t.getName())) .collect(Collectors.toList())); if (msg.getReplyToUri() != null && msg.getReplyToUri().toASCIIString().length() > 0) { - Optional noteContext = signatureManager.getContext(msg.getReplyToUri()); + Optional noteContext = activityPubService.get(msg.getReplyToUri()); if (noteContext.isPresent()) { Note activity = (Note) noteContext.get(); - Optional personContext = signatureManager.getContext(URI.create(activity.getAttributedTo())); + Optional personContext = activityPubService.get(URI.create(activity.getAttributedTo())); if (personContext.isPresent()) { Actor person = (Actor) personContext.get(); note.getTags().add(new Mention(person.getUrl(), person.getPreferredUsername())); @@ -324,13 +328,17 @@ public class ActivityPubManager implements ActivityListener, NotificationListene } MessageUtils.getGlobalMentions(msg).forEach(m -> { // @user@server.tld -> user@server.tld - Optional personContext = signatureManager.discoverPerson(m.substring(1)); - if (personContext.isPresent()) { - Actor person = (Actor) personContext.get(); - note.getTags().add(new Mention(person.getUrl(), person.getPreferredUsername())); - List cc = new ArrayList<>(note.getCc()); - cc.add(person.getId()); - note.setCc(cc); + var personURI = webfingerService.discoverAccountURI(m.substring(1), + MediaType.valueOf(Context.ACTIVITY_MEDIA_TYPE)); + if (!personURI.toASCIIString().isEmpty()) { + var personContext = activityPubService.get(personURI); + if (personContext.isPresent()) { + Actor person = (Actor) personContext.get(); + note.getTags().add(new Mention(person.getUrl(), person.getPreferredUsername())); + List cc = new ArrayList<>(note.getCc()); + cc.add(person.getId()); + note.setCc(cc); + } } }); note.setSensitive(MessageUtils.isSensitive(msg)); @@ -371,7 +379,7 @@ public class ActivityPubManager implements ActivityListener, NotificationListene } public User actorToUser(URI uri) throws HttpBadRequestException, JsonProcessingException { - var context = signatureManager.getContext(uri); + var context = activityPubService.get(uri); if (context.isPresent() && context.get() instanceof Actor actor) { User user = new User(); user.setUri(URI.create(actor.getId())); diff --git a/src/main/java/com/juick/SignatureManager.java b/src/main/java/com/juick/SignatureManager.java deleted file mode 100644 index 792cc8cd..00000000 --- a/src/main/java/com/juick/SignatureManager.java +++ /dev/null @@ -1,200 +0,0 @@ -/* - * Copyright (C) 2008-2022, Juick - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -package com.juick; - -import com.fasterxml.jackson.databind.ObjectMapper; -import com.juick.model.AnonymousUser; -import com.juick.model.User; -import com.juick.service.UserService; -import com.juick.service.activities.DeleteUserEvent; -import com.juick.util.DateFormattersHolder; -import com.juick.www.api.activity.model.Context; -import com.juick.www.api.activity.model.objects.Actor; -import com.juick.www.api.webfinger.model.Account; -import com.juick.www.api.webfinger.model.Link; -import org.apache.commons.lang3.StringUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.cache.annotation.Cacheable; -import org.springframework.context.ApplicationEventPublisher; -import org.springframework.http.*; -import org.springframework.web.client.RestClientException; -import org.springframework.web.client.RestTemplate; -import org.springframework.web.util.UriComponentsBuilder; -import org.tomitribe.auth.signatures.Base64; -import org.tomitribe.auth.signatures.*; -import rocks.xmpp.addr.Jid; - -import javax.inject.Inject; -import java.io.IOException; -import java.net.URI; -import java.security.Key; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.SignatureException; -import java.time.Instant; -import java.util.*; - -import static com.juick.www.api.activity.model.Context.ACTIVITY_MEDIA_TYPE; - -public class SignatureManager { - private static final Logger logger = LoggerFactory.getLogger("ActivityPub"); - @Inject - private KeystoreManager keystoreManager; - @Inject - private ObjectMapper jsonMapper; - @Inject - private UserService userService; - @Inject - private RestTemplate apClient; - @Inject - private ApplicationEventPublisher applicationEventPublisher; - - public void post(Actor from, Actor to, Context data) throws IOException, NoSuchAlgorithmException { - UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(to.getInbox()); - URI inbox = uriComponentsBuilder.build().toUri(); - Instant now = Instant.now(); - String requestDate = DateFormattersHolder.getHttpDateFormatter().format(now); - String host = inbox.getPort() > 0 ? String.format("%s:%d", inbox.getHost(), inbox.getPort()) : inbox.getHost(); - var finalContext = Context.build(data); - var payload = jsonMapper.writeValueAsString(finalContext); - final byte[] digest = MessageDigest.getInstance("SHA-256").digest(payload.getBytes()); // (1) - final String digestHeader = "SHA-256=" + new String(Base64.encodeBase64(digest)); - String signatureString = addSignature(from, host, "POST", inbox.getPath(), requestDate, digestHeader); - - HttpHeaders requestHeaders = new HttpHeaders(); - requestHeaders.add("Content-Type", Context.ACTIVITYSTREAMS_PROFILE_MEDIA_TYPE); - requestHeaders.add("Date", requestDate); - requestHeaders.add("Host", host); - requestHeaders.add("Digest", digestHeader); - requestHeaders.add("Signature", signatureString); - HttpEntity request = new HttpEntity<>(payload, requestHeaders); - logger.debug("Sending context to {}: {}", to.getId(), payload); - ResponseEntity response = apClient.postForEntity(inbox, request, Void.class); - logger.debug("Remote response: {}", response.getStatusCode()); - } - - public String addSignature(Actor from, String host, String method, String path, String dateString, - String digestHeader) throws IOException { - return addSignature(from, host, method, path, dateString, digestHeader, keystoreManager); - } - - public String addSignature(Actor from, String host, String method, String path, String dateString, - String digestHeader, KeystoreManager keystoreManager) throws IOException { - List requiredHeaders = StringUtils.isEmpty(digestHeader) - ? Arrays.asList("(request-target)", "host", "date") - : Arrays.asList("(request-target)", "host", "date", "digest"); - Signature templateSignature = new Signature(from.getPublicKey().getId(), "rsa-sha256", null, requiredHeaders); - Map headers = new HashMap<>(); - headers.put("host", host); - headers.put("date", dateString); - if (StringUtils.isNotEmpty(digestHeader)) { - headers.put("digest", digestHeader); - } - Signer signer = new Signer(keystoreManager.getPrivateKey(), templateSignature); - Signature signature = signer.sign(method, path, headers); - // remove "Signature: " from result - return signature.toString().substring(10); - } - - public User verifySignature(String method, String path, Map headers) { - String signatureString = headers.get("signature"); - Signature signature = Signature.fromString(signatureString); - var keyId = UriComponentsBuilder.fromUriString(signature.getKeyId()).fragment(null).build().toUri(); - var context = getContext(keyId); - if (context.isPresent() && context.get() instanceof Actor actor) { - Key key = KeystoreManager.publicKeyOf(actor); - if (key != null) { - Verifier verifier = new Verifier(key, signature); - try { - boolean result = verifier.verify(method, path, headers); - if (result) { - User user = new User(); - user.setUri(URI.create(actor.getId())); - if (key.equals(keystoreManager.getPublicKey())) { - return userService.getUserByName(actor.getName()); - } - if (actor.isSuspended()) { - logger.info("{} is suspended, deleting", actor.getId()); - applicationEventPublisher.publishEvent(new DeleteUserEvent(this, actor.getId())); - } - return user; - } else { - return AnonymousUser.INSTANCE; - } - } catch (NoSuchAlgorithmException | SignatureException | MissingRequiredHeaderException - | IOException e) { - logger.warn("Verification error for {}: {}", signature.getKeyId(), e.getMessage()); - } - } else { - logger.warn("Public key missing for {}", actor.getId()); - } - } else { - logger.warn("Public key error for {}", signature.getKeyId()); - } - return AnonymousUser.INSTANCE; - } - - @Cacheable("profiles") - public Optional getContext(URI contextUri) { - try { - HttpHeaders headers = new HttpHeaders(); - headers.setAccept(Collections.singletonList(MediaType.valueOf(ACTIVITY_MEDIA_TYPE))); - HttpEntity activityRequest = new HttpEntity<>(headers); - var response = apClient.exchange(contextUri, HttpMethod.GET, activityRequest, Context.class); - if (response.getStatusCode().is2xxSuccessful() && response.hasBody()) { - var context = response.getBody(); - if (context == null) { - logger.warn("Cannot identify {}", contextUri); - return Optional.empty(); - } - return Optional.of(context); - } - } catch (Exception e) { - logger.warn("{}", e.getMessage()); - } - return Optional.empty(); - } - - public Optional discoverPerson(String acct) { - Jid acctId = Jid.of(acct); - URI resourceUri = UriComponentsBuilder.fromPath("/.well-known/webfinger").host(acctId.getDomain()) - .scheme("https").queryParam("resource", "acct:" + acct).build().toUri(); - HttpHeaders headers = new HttpHeaders(); - headers.setAccept(Collections.singletonList(MediaType.valueOf("application/jrd+json"))); - HttpEntity webfingerRequest = new HttpEntity<>(headers); - try { - ResponseEntity response = apClient.exchange(resourceUri, HttpMethod.GET, webfingerRequest, - Account.class); - if (response.getStatusCode().is2xxSuccessful()) { - Account acctData = response.getBody(); - if (acctData != null) { - for (Link l : acctData.links()) { - if (l.rel().equals("self") && l.type().equals(ACTIVITY_MEDIA_TYPE)) { - return getContext(URI.create(l.href())); - } - } - } - } - } catch (RestClientException e) { - logger.warn("Cannot discover person {}: {}", acct, e.getMessage()); - return Optional.empty(); - } - return Optional.empty(); - } -} diff --git a/src/main/java/com/juick/config/ActivityPubClientConfig.java b/src/main/java/com/juick/config/ActivityPubClientConfig.java new file mode 100644 index 00000000..940071e7 --- /dev/null +++ b/src/main/java/com/juick/config/ActivityPubClientConfig.java @@ -0,0 +1,61 @@ +package com.juick.config; + +import java.nio.charset.StandardCharsets; + +import javax.inject.Inject; + +import org.apache.hc.client5.http.impl.classic.CloseableHttpClient; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.core.convert.ConversionService; +import org.springframework.http.client.ClientHttpRequestFactory; +import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; +import org.springframework.http.converter.StringHttpMessageConverter; +import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; +import org.springframework.web.client.RestTemplate; + +import com.fasterxml.jackson.databind.ObjectMapper; +import com.juick.model.User; +import com.juick.service.SignatureService; +import com.juick.util.ActivityPubRequestInterceptor; +import com.juick.www.api.activity.model.objects.Actor; + +@Configuration +public class ActivityPubClientConfig { + @Inject + CloseableHttpClient httpClient; + @Inject + ObjectMapper jsonMapper; + @Inject + private ActivityPubClientErrorHandler activityPubClientErrorHandler; + @Inject + private SignatureService signatureService; + @Inject + private ConversionService conversionService; + @Inject + private User serviceUser; + + @Bean + ClientHttpRequestFactory clientHttpRequestFactory() { + var clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(); + clientHttpRequestFactory.setHttpClient(httpClient); + return clientHttpRequestFactory; + } + + @Bean + MappingJackson2HttpMessageConverter mappingJacksonHttpMessageConverter() { + MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(); + converter.setObjectMapper(jsonMapper); + return converter; + } + + @Bean + RestTemplate restClient() { + RestTemplate restTemplate = new RestTemplate(clientHttpRequestFactory()); + restTemplate.getMessageConverters().add(0, mappingJacksonHttpMessageConverter()); + restTemplate.getMessageConverters().add(0, new StringHttpMessageConverter(StandardCharsets.UTF_8)); + restTemplate.setErrorHandler(activityPubClientErrorHandler); + restTemplate.getInterceptors().add(new ActivityPubRequestInterceptor()); + return restTemplate; + } +} diff --git a/src/main/java/com/juick/config/ActivityPubClientErrorHandler.java b/src/main/java/com/juick/config/ActivityPubClientErrorHandler.java index 243a4e32..b3aedf1f 100644 --- a/src/main/java/com/juick/config/ActivityPubClientErrorHandler.java +++ b/src/main/java/com/juick/config/ActivityPubClientErrorHandler.java @@ -18,7 +18,6 @@ package com.juick.config; import com.juick.service.activities.DeleteUserEvent; -import org.apache.commons.io.IOUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.ApplicationEventPublisher; diff --git a/src/main/java/com/juick/config/ActivityPubConfig.java b/src/main/java/com/juick/config/ActivityPubConfig.java index 9a626d12..b18dc71c 100644 --- a/src/main/java/com/juick/config/ActivityPubConfig.java +++ b/src/main/java/com/juick/config/ActivityPubConfig.java @@ -20,28 +20,17 @@ package com.juick.config; import com.fasterxml.jackson.databind.ObjectMapper; import com.juick.ActivityPubManager; import com.juick.KeystoreManager; -import com.juick.util.ActivityPubRequestInterceptor; import com.juick.www.WebApp; import com.juick.www.api.activity.converters.UserToActorConverter; import com.juick.www.api.activity.helpers.ProfileUriBuilder; -import org.apache.hc.client5.http.impl.classic.CloseableHttpClient; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.http.client.ClientHttpRequestFactory; -import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; -import org.springframework.http.converter.StringHttpMessageConverter; -import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; -import org.springframework.web.client.RestTemplate; import javax.inject.Inject; -import java.nio.charset.StandardCharsets; - @Configuration public class ActivityPubConfig { - @Inject - ActivityPubClientErrorHandler activityPubClientErrorHandler; @Inject ObjectMapper jsonMapper; @Inject @@ -51,38 +40,11 @@ public class ActivityPubConfig { @Value("${ap_base_uri:http://localhost:8080/}") private String baseUri; - @Bean - MappingJackson2HttpMessageConverter mappingJacksonHttpMessageConverter() { - MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(); - converter.setObjectMapper(jsonMapper); - return converter; - } - @Bean ActivityPubManager activityPubManager() { return new ActivityPubManager(); } - @Inject - CloseableHttpClient httpClient; - - @Bean - ClientHttpRequestFactory clientHttpRequestFactory() { - var clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(); - clientHttpRequestFactory.setHttpClient(httpClient); - return clientHttpRequestFactory; - } - - @Bean - RestTemplate apClient() { - RestTemplate restTemplate = new RestTemplate(clientHttpRequestFactory()); - restTemplate.getMessageConverters().add(0, mappingJacksonHttpMessageConverter()); - restTemplate.getMessageConverters().add(0, new StringHttpMessageConverter(StandardCharsets.UTF_8)); - restTemplate.setErrorHandler(activityPubClientErrorHandler); - restTemplate.getInterceptors().add(new ActivityPubRequestInterceptor()); - return restTemplate; - } - @Bean UserToActorConverter userToActorConverter() { return new UserToActorConverter(profileUriBuilder(), keystoreManager, webApp); diff --git a/src/main/java/com/juick/config/AppConfig.java b/src/main/java/com/juick/config/AppConfig.java index d54bc675..ff92de1f 100644 --- a/src/main/java/com/juick/config/AppConfig.java +++ b/src/main/java/com/juick/config/AppConfig.java @@ -20,6 +20,7 @@ package com.juick.config; import com.juick.*; import com.juick.model.User; import com.juick.service.HelpService; +import com.juick.service.SignatureService; import com.juick.service.StorageService; import com.juick.service.FileSystemStorageService; import com.juick.service.UserService; @@ -158,8 +159,8 @@ public class AppConfig { } @Bean - SignatureManager signatureManager() { - return new SignatureManager(); + SignatureService signatureManager() { + return new SignatureService(keystoreManager()); } @Bean diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index d60abe00..d3f89eef 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -18,7 +18,7 @@ package com.juick.config; import com.juick.KeystoreManager; -import com.juick.SignatureManager; +import com.juick.service.ActivityPubService; import com.juick.service.UserService; import com.juick.service.security.BearerTokenAuthenticationFilter; import com.juick.service.security.HTTPSignatureAuthenticationFilter; @@ -30,8 +30,6 @@ import com.nimbusds.jose.jwk.RSAKey; import com.nimbusds.jose.jwk.source.ImmutableJWKSet; import com.nimbusds.jose.jwk.source.JWKSource; import com.nimbusds.jose.proc.SecurityContext; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @@ -53,7 +51,6 @@ import org.springframework.security.oauth2.server.authorization.config.annotatio import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.web.AuthenticationEntryPoint; -import org.springframework.security.web.RedirectStrategy; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.*; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; @@ -65,7 +62,6 @@ import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import javax.inject.Inject; -import java.io.IOException; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.util.Arrays; @@ -107,7 +103,7 @@ public class SecurityConfig { } @Inject - private SignatureManager signatureManager; + private ActivityPubService activityPubService; @Bean HashParamAuthenticationFilter apiAuthenticationFilter() { @@ -195,11 +191,11 @@ public class SecurityConfig { } @Bean - @Order(2) + @Order(Ordered.HIGHEST_PRECEDENCE + 1) SecurityFilterChain apiChain(HttpSecurity http) throws Exception { - http.securityMatcher("/api/**") + http.securityMatcher("/api/**", "/u/**", "/n/**") .addFilterBefore(apiAuthenticationFilter(), BasicAuthenticationFilter.class) - .addFilterBefore(new HTTPSignatureAuthenticationFilter(signatureManager, userService), + .addFilterBefore(new HTTPSignatureAuthenticationFilter(activityPubService, userService), BasicAuthenticationFilter.class) .authorizeHttpRequests(requests -> requests .requestMatchers(HttpMethod.OPTIONS).permitAll() @@ -210,7 +206,7 @@ public class SecurityConfig { "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/_applelogin", "/api/signup", - "/api/inbox", "/api/events", "/api/u/", + "/api/inbox", "/api/events", "/u/**", "/n/**", "/api/info/**", "/api/v1/apps", "/api/v1/instance", "/api/nodeinfo/2.0", "/oauth/**") .permitAll() @@ -251,6 +247,7 @@ public class SecurityConfig { return handler; } @Bean + @Order(Ordered.HIGHEST_PRECEDENCE + 2) SecurityFilterChain wwwChain(HttpSecurity http) throws Exception { http.addFilterBefore(wwwAuthenticationFilter(), BasicAuthenticationFilter.class) .authorizeHttpRequests(authorize -> authorize diff --git a/src/main/java/com/juick/service/ActivityPubService.java b/src/main/java/com/juick/service/ActivityPubService.java index c45b0c13..f161be7b 100644 --- a/src/main/java/com/juick/service/ActivityPubService.java +++ b/src/main/java/com/juick/service/ActivityPubService.java @@ -18,24 +18,71 @@ package com.juick.service; import com.juick.model.User; +import com.juick.service.activities.DeleteUserEvent; +import com.juick.util.DateFormattersHolder; +import com.juick.www.api.activity.model.Context; +import com.juick.www.api.activity.model.objects.Actor; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.juick.KeystoreManager; import com.juick.model.AnonymousUser; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; +import org.springframework.cache.annotation.Cacheable; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.core.convert.ConversionService; import org.springframework.dao.DuplicateKeyException; +import org.springframework.http.*; import org.springframework.stereotype.Repository; import org.springframework.transaction.annotation.Transactional; +import org.springframework.web.client.RestTemplate; import org.springframework.web.util.UriComponents; import org.springframework.web.util.UriComponentsBuilder; +import org.tomitribe.auth.signatures.MissingRequiredHeaderException; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; import javax.annotation.Nonnull; import javax.inject.Inject; + +import java.io.IOException; +import java.net.URI; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.SignatureException; +import java.time.Instant; +import java.util.Collections; import java.util.List; +import java.util.Map; +import java.util.Optional; @Repository public class ActivityPubService extends BaseJdbcService implements SocialService { + + private static final Logger logger = LoggerFactory.getLogger("ActivityPub"); + @Value("${ap_base_uri:http://localhost:8080/}") private String baseUri; @Inject private UserService userService; + @Inject + private RestTemplate restClient; + @Inject + private ObjectMapper jsonMapper; + @Inject + private SignatureService signatureService; + @Inject + private ApplicationEventPublisher applicationEventPublisher; + @Inject + private KeystoreManager keystoreManager; + @Inject + private User serviceUser; + @Inject + private ConversionService conversionService; @Transactional(readOnly = true) @Override @@ -53,7 +100,8 @@ public class ActivityPubService extends BaseJdbcService implements SocialService @Transactional(readOnly = true) @Override public @Nonnull List getFollowers(User user) { - return getJdbcTemplate().queryForList("SELECT acct FROM followers WHERE user_id=?", String.class, user.getUid()); + return getJdbcTemplate().queryForList("SELECT acct FROM followers WHERE user_id=?", String.class, + user.getUid()); } @Transactional @@ -78,4 +126,112 @@ public class ActivityPubService extends BaseJdbcService implements SocialService public void removeAccount(String acct) { getJdbcTemplate().update("DELETE FROM followers WHERE acct=?", acct); } + + @Cacheable("profiles") + public Optional get(URI contextUri) { + Instant now = Instant.now(); + String requestDate = DateFormattersHolder.getHttpDateFormatter().format(now); + String host = contextUri.getPort() > 0 ? String.format("%s:%d", contextUri.getHost(), contextUri.getPort()) + : contextUri.getHost(); + var from = conversionService.convert(serviceUser, Actor.class); + try { + String signatureString = signatureService.addSignature(from, host, "get", contextUri.getPath(), requestDate, + ""); + HttpHeaders requestHeaders = new HttpHeaders(); + requestHeaders.add("Date", requestDate); + requestHeaders.add("Host", host); + requestHeaders.add("Signature", signatureString); + requestHeaders.setAccept(Collections.singletonList(MediaType.valueOf(Context.ACTIVITY_MEDIA_TYPE))); + HttpEntity activityRequest = new HttpEntity<>(requestHeaders); + var response = restClient.exchange(contextUri, HttpMethod.GET, activityRequest, Context.class); + if (response.getStatusCode().is2xxSuccessful()) { + var context = response.getBody(); + if (context == null) { + logger.warn("Cannot identify {}", contextUri); + return Optional.empty(); + } + return Optional.of(context); + } + } catch (IOException e) { + logger.warn("HTTP Signature exception: {}", e.getMessage()); + } + return Optional.empty(); + } + + public HttpStatusCode post(Actor from, Actor to, Context data) throws IOException, NoSuchAlgorithmException { + UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(to.getInbox()); + URI inbox = uriComponentsBuilder.build().toUri(); + Instant now = Instant.now(); + String requestDate = DateFormattersHolder.getHttpDateFormatter().format(now); + String host = inbox.getPort() > 0 ? String.format("%s:%d", inbox.getHost(), inbox.getPort()) : inbox.getHost(); + var finalContext = Context.build(data); + var payload = jsonMapper.writeValueAsString(finalContext); + final byte[] digest = MessageDigest.getInstance("SHA-256").digest(payload.getBytes()); // (1) + final String digestHeader = "SHA-256=" + new String(Base64.encodeBase64(digest)); + String signatureString = signatureService.addSignature(from, host, "post", inbox.getPath(), requestDate, + digestHeader); + + HttpHeaders requestHeaders = new HttpHeaders(); + requestHeaders.add("Content-Type", Context.ACTIVITYSTREAMS_PROFILE_MEDIA_TYPE); + requestHeaders.add("Date", requestDate); + requestHeaders.add("Host", host); + requestHeaders.add("Digest", digestHeader); + requestHeaders.add("Signature", signatureString); + HttpEntity request = new HttpEntity<>(payload, requestHeaders); + logger.debug("Sending context to {}: {}", to.getId(), payload); + ResponseEntity response = restClient.postForEntity(inbox, request, String.class); + logger.debug("Remote response: {} {}", response.getStatusCode(), response.getBody()); + return response.getStatusCode(); + } + + public User verifyActor(String method, String path, Map headers) { + String signatureString = headers.get("signature"); + if (StringUtils.isNotEmpty(signatureString)) { + try { + Signature signature = Signature.fromString(signatureString); + var keyId = UriComponentsBuilder.fromUriString(signature.getKeyId()).fragment(null).build().toUri(); + var user = getUserByAccountUri(keyId.toASCIIString()); + Key key = null; + Actor actor = null; + if (!user.isAnonymous()) { + // local user + key = keystoreManager.getPublicKey(); + } else { + var context = get(keyId); + if (context.isPresent()) { + actor = (Actor) context.get(); + key = KeystoreManager.publicKeyOf(actor); + } + } + if (key != null) { + Verifier verifier = new Verifier(key, signature); + try { + boolean result = verifier.verify(method.toLowerCase(), path, headers); + if (result) { + if (!user.isAnonymous()) { + return user; + } else { + if (actor != null) { + User person = new User(); + person.setUri(URI.create(actor.getId())); + if (actor.isSuspended()) { + logger.info("{} is suspended, deleting", actor.getId()); + applicationEventPublisher + .publishEvent(new DeleteUserEvent(this, actor.getId())); + } + return person; + } + } + } + } catch (NoSuchAlgorithmException | SignatureException | MissingRequiredHeaderException + | IOException e) { + logger.warn("Verification error for {}: {}", signature.getKeyId(), e.getMessage()); + } + } + } catch (Exception ex) { + + } + } + return AnonymousUser.INSTANCE; + } } diff --git a/src/main/java/com/juick/service/SignatureService.java b/src/main/java/com/juick/service/SignatureService.java new file mode 100644 index 00000000..12d9d67b --- /dev/null +++ b/src/main/java/com/juick/service/SignatureService.java @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2008-2022, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package com.juick.service; + +import com.juick.KeystoreManager; +import com.juick.www.api.activity.model.objects.Actor; +import org.apache.commons.lang3.StringUtils; +import org.tomitribe.auth.signatures.*; +import java.io.IOException; +import java.util.*; + +public class SignatureService { + + private KeystoreManager keystoreManager; + + public SignatureService(KeystoreManager keystoreManager) { + this.keystoreManager = keystoreManager; + } + + public String addSignature(Actor from, String host, String method, String path, String dateString, + String digestHeader) throws IOException { + return addSignature(from, host, method, path, dateString, digestHeader, keystoreManager); + } + + public String addSignature(Actor from, String host, String method, String path, String dateString, + String digestHeader, KeystoreManager keystoreManager) throws IOException { + List requiredHeaders = StringUtils.isEmpty(digestHeader) + ? Arrays.asList("(request-target)", "host", "date") + : Arrays.asList("(request-target)", "host", "date", "digest"); + Signature templateSignature = new Signature(from.getPublicKey().getId(), "rsa-sha256", null, requiredHeaders); + Map headers = new HashMap<>(); + headers.put("host", host); + headers.put("date", dateString); + if (StringUtils.isNotEmpty(digestHeader)) { + headers.put("digest", digestHeader); + } + Signer signer = new Signer(keystoreManager.getPrivateKey(), templateSignature); + Signature signature = signer.sign(method.toLowerCase(), path, headers); + // remove "Signature: " from result + return signature.toString().substring(10); + } +} diff --git a/src/main/java/com/juick/service/WebfingerService.java b/src/main/java/com/juick/service/WebfingerService.java new file mode 100644 index 00000000..dc978763 --- /dev/null +++ b/src/main/java/com/juick/service/WebfingerService.java @@ -0,0 +1,58 @@ +package com.juick.service; + +import java.net.URI; +import java.util.Collections; + +import javax.inject.Inject; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.http.HttpEntity; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; +import org.springframework.http.MediaType; +import org.springframework.http.ResponseEntity; +import org.springframework.stereotype.Component; +import org.springframework.web.client.RestClientException; +import org.springframework.web.client.RestTemplate; +import org.springframework.web.util.UriComponentsBuilder; + +import com.juick.www.api.webfinger.model.Account; +import com.juick.www.api.webfinger.model.Link; + +import rocks.xmpp.addr.Jid; + +@Component +public class WebfingerService { + private static final Logger logger = LoggerFactory.getLogger("ActivityPub"); + + private final RestTemplate restClient; + @Inject + public WebfingerService(final RestTemplate restClient) { + this.restClient = restClient; + } + public URI discoverAccountURI(String acct, MediaType linkType) { + Jid acctId = Jid.of(acct); + URI resourceUri = UriComponentsBuilder.fromPath("/.well-known/webfinger").host(acctId.getDomain()) + .scheme("https").queryParam("resource", "acct:" + acct).build().toUri(); + HttpHeaders headers = new HttpHeaders(); + headers.setAccept(Collections.singletonList(MediaType.valueOf("application/jrd+json"))); + HttpEntity webfingerRequest = new HttpEntity<>(headers); + try { + ResponseEntity response = restClient.exchange(resourceUri, HttpMethod.GET, webfingerRequest, + Account.class); + if (response.getStatusCode().is2xxSuccessful()) { + var account = response.getBody(); + for (Link l : account.links()) { + if (l.rel().equals("self") && l.type().equals(linkType.toString())) { + return URI.create(l.href()); + } + } + } + } catch (RestClientException e) { + logger.warn("Cannot discover person {}: {}", acct, e.getMessage()); + } + return URI.create(StringUtils.EMPTY); + } +} diff --git a/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java index 2e96a594..f4e73b12 100644 --- a/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java +++ b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java @@ -19,7 +19,6 @@ package com.juick.service.security; import com.juick.service.UserService; import com.juick.service.security.entities.JuickUser; -import io.jsonwebtoken.Claims; import io.jsonwebtoken.JwtParser; import io.jsonwebtoken.Jwts; import jakarta.servlet.FilterChain; @@ -52,9 +51,9 @@ public class BearerTokenAuthenticationFilter extends BaseAuthenticationFilter { } @Override - protected void doFilterInternal(@Nonnull HttpServletRequest request, - @Nonnull HttpServletResponse response, - @Nonnull FilterChain filterChain) throws ServletException, IOException { + protected void doFilterInternal(HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) throws ServletException, IOException { if (authenticationIsRequired()) { var headers = Collections.list(request.getHeaderNames()) .stream() diff --git a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java index 5f6a730e..a851ef36 100644 --- a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java +++ b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java @@ -17,8 +17,8 @@ package com.juick.service.security; -import com.juick.SignatureManager; import com.juick.model.User; +import com.juick.service.ActivityPubService; import com.juick.service.UserService; import com.juick.service.security.entities.JuickUser; import jakarta.servlet.FilterChain; @@ -31,7 +31,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; -import javax.annotation.Nonnull; import java.io.IOException; import java.util.Collections; import java.util.Map; @@ -39,39 +38,37 @@ import java.util.stream.Collectors; public class HTTPSignatureAuthenticationFilter extends BaseAuthenticationFilter { - private final SignatureManager signatureManager; + private final ActivityPubService signatureManager; private final UserService userService; public HTTPSignatureAuthenticationFilter( - final SignatureManager signatureManager, + final ActivityPubService activityPubService, final UserService userService) { - this.signatureManager = signatureManager; + this.signatureManager = activityPubService; this.userService = userService; } @Override - protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, - @Nonnull FilterChain filterChain) throws IOException, ServletException { + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, + FilterChain filterChain) throws IOException, ServletException { if (authenticationIsRequired()) { Map headers = Collections.list(request.getHeaderNames()) .stream() .collect(Collectors.toMap(String::toLowerCase, request::getHeader)); - if (StringUtils.isNotEmpty(headers.get("signature"))) { - User user = signatureManager.verifySignature(request.getMethod(), request.getRequestURI(), headers); - String userUri = user.getUri().toString(); - if (!user.isAnonymous() || userUri.length() > 0) { - if (userUri.length() == 0) { - User userWithPassword = userService.getUserByName(user.getName()); - userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid())); - Authentication authentication = new UsernamePasswordAuthenticationToken( - new JuickUser(user), userWithPassword.getCredentials(), JuickUser.USER_AUTHORITY); - SecurityContextHolder.getContext().setAuthentication(authentication); - } else { - // anonymous must have with uri - Authentication authentication = new AnonymousAuthenticationToken(userUri, - new JuickUser(user), JuickUser.ANONYMOUS_AUTHORITY); - SecurityContextHolder.getContext().setAuthentication(authentication); - } + var user = signatureManager.verifyActor(request.getMethod(), request.getRequestURI(), headers); + String userUri = user.getUri().toString(); + if (!user.isAnonymous() || userUri.length() > 0) { + if (userUri.length() == 0) { + User userWithPassword = userService.getUserByName(user.getName()); + userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid())); + Authentication authentication = new UsernamePasswordAuthenticationToken( + new JuickUser(user), userWithPassword.getCredentials(), JuickUser.USER_AUTHORITY); + SecurityContextHolder.getContext().setAuthentication(authentication); + } else { + // anonymous must have with uri + Authentication authentication = new AnonymousAuthenticationToken(userUri, + new JuickUser(user), JuickUser.ANONYMOUS_AUTHORITY); + SecurityContextHolder.getContext().setAuthentication(authentication); } } } diff --git a/src/main/java/com/juick/util/ActivityPubRequestInterceptor.java b/src/main/java/com/juick/util/ActivityPubRequestInterceptor.java index 1876cc90..138a3d09 100644 --- a/src/main/java/com/juick/util/ActivityPubRequestInterceptor.java +++ b/src/main/java/com/juick/util/ActivityPubRequestInterceptor.java @@ -30,7 +30,7 @@ public class ActivityPubRequestInterceptor implements ClientHttpRequestIntercept @Override public @NonNull ClientHttpResponse intercept(HttpRequest request, @NonNull byte[] body, - ClientHttpRequestExecution execution) throws IOException { + ClientHttpRequestExecution execution) throws IOException { request.getHeaders().set(HttpHeaders.USER_AGENT, "Juick/2.x"); return execution.execute(request, body); } diff --git a/src/main/java/com/juick/www/api/Users.java b/src/main/java/com/juick/www/api/Users.java index f7c24d8d..124632d0 100644 --- a/src/main/java/com/juick/www/api/Users.java +++ b/src/main/java/com/juick/www/api/Users.java @@ -72,11 +72,6 @@ public class Users { @Inject private ApplicationEventPublisher applicationEventPublisher; - @RequestMapping(value = "/api/auth", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE) - public String getAuthToken(@ModelAttribute User visitor) { - return userService.getHashByUID(visitor.getUid()); - } - @RequestMapping(value = "/api/users", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE) public List doGetUsers( @ModelAttribute User visitor, @@ -105,7 +100,7 @@ public class Users { SecureUser me = new SecureUser(); me.setUid(visitor.getUid()); me.setName(visitor.getName()); - me.setAuthHash(getAuthToken(visitor)); + me.setAuthHash(userService.getHashByUID(visitor.getUid())); List unread = messagesService.getUnread(visitor); me.setUnread(unread); me.setUnreadCount(unread.size()); diff --git a/src/main/java/com/juick/www/controllers/Compat.java b/src/main/java/com/juick/www/controllers/Compat.java index 936a8e5c..300a0855 100644 --- a/src/main/java/com/juick/www/controllers/Compat.java +++ b/src/main/java/com/juick/www/controllers/Compat.java @@ -17,8 +17,11 @@ package com.juick.www.controllers; -import com.juick.SignatureManager; +import com.juick.service.ActivityPubService; +import com.juick.service.WebfingerService; import com.juick.util.HttpNotFoundException; +import com.juick.www.api.activity.model.Context; +import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestParam; @@ -30,7 +33,9 @@ import javax.inject.Inject; @Controller public class Compat { @Inject - private SignatureManager signatureManager; + private WebfingerService webfingerService; + @Inject + private ActivityPubService activityPubService; @GetMapping("/share") public RedirectView share(@RequestParam String text, RedirectAttributes attributes) { attributes.addAttribute("body", text); @@ -38,9 +43,10 @@ public class Compat { } @GetMapping("/mention") public RedirectView mention(@RequestParam String username) { - var profile = signatureManager.discoverPerson(username); - if (profile.isPresent()) { - return new RedirectView(profile.get().getUrl()); + var uri = webfingerService.discoverAccountURI(username, MediaType.valueOf(Context.ACTIVITY_MEDIA_TYPE)); + if (!uri.toASCIIString().isEmpty()) { + var context = activityPubService.get(uri).orElseThrow(HttpNotFoundException::new); + return new RedirectView(context.getUrl()); } throw new HttpNotFoundException(); } diff --git a/src/main/java/com/mitchellbosecke/pebble/extension/filters/TagsListFilter.java b/src/main/java/com/mitchellbosecke/pebble/extension/filters/TagsListFilter.java index 14faaa5d..bf4b72fd 100644 --- a/src/main/java/com/mitchellbosecke/pebble/extension/filters/TagsListFilter.java +++ b/src/main/java/com/mitchellbosecke/pebble/extension/filters/TagsListFilter.java @@ -25,7 +25,6 @@ import io.pebbletemplates.pebble.template.PebbleTemplate; import java.util.Collection; import java.util.List; import java.util.Map; -import java.util.stream.Collectors; /** * Created by vitalyster on 23.05.2017. -- cgit v1.2.3