apinbox.php 6.1 KB

  1. <?php
  2. // This file is part of GNU social - https://www.gnu.org/software/social
  3. //
  4. // GNU social is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU Affero General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // GNU social is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU Affero General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU Affero General Public License
  15. // along with GNU social. If not, see <http://www.gnu.org/licenses/>.
  16. /**
  17. * ActivityPub implementation for GNU social
  18. *
  19. * @package GNUsocial
  20. * @author Diogo Cordeiro <diogo@fc.up.pt>
  21. * @copyright 2018-2019 Free Software Foundation, Inc http://www.fsf.org
  22. * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  23. * @link http://www.gnu.org/software/social/
  24. */
  // Direct-access guard: GNUSOCIAL is not defined anywhere in this file, so it has
  // to come from whatever includes it. Loaded on its own, the script stops here.
  if (!defined('GNUSOCIAL')) {
      die();
  }
  26. /**
  27. * Inbox Request Handler
  28. *
  29. * @category Plugin
  30. * @package GNUsocial
  31. * @author Diogo Cordeiro <diogo@fc.up.pt>
  32. * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  33. */
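  class apInboxAction extends ManagedAction
  {
      // Flags read by the parent action (their semantics live in ManagedAction, not shown here).
      // With $needLogin off, the HTTP Signature check in handle() is the only sender
      // authentication visible in this class.
      protected $needLogin = false;
      protected $canPost = true;

      /**
       * Handle the Inbox request
       *
       * Flow: accept POST only, read and decode the JSON body, resolve the profile named
       * in its "actor" field, verify the HTTP Signature with that actor's public key
       * (retrying once after refreshing the remote profile, in case the key was rotated),
       * and only then hand the activity to Activitypub_inbox_handler.
       *
       * Every ActivityPubReturn::error() call is followed by an explicit return so the
       * method fails closed: a rejected request can never fall through to the signature
       * check or the inbox handler, whether or not error() terminates the request itself
       * (its implementation is not visible here).
       *
       * NOTE(review): the raw request body and every request header are written to the
       * debug log. Both are sender-controlled, so the log should be treated as untrusted
       * content wherever it is viewed or shipped.
       *
       * @return void
       * @throws ServerException
       * @author Diogo Cordeiro <diogo@fc.up.pt>
       */
      protected function handle()
      {
          // The signed request target is rebuilt from the local route rather than taken
          // from the incoming request line.
          $id = $this->trimmed('id');
          $path = !empty($id) ? common_local_url('apInbox', ['id' => $id]) : common_local_url('apInbox');
          $path = parse_url($path, PHP_URL_PATH);

          if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
              ActivityPubReturn::error('Only POST requests allowed.');
              return;
          }

          common_debug('ActivityPub Inbox: Received a POST request.');

          // Read the body once: the exact bytes that are decoded below are the bytes
          // handed to the signature verification.
          $body = file_get_contents('php://input');
          common_debug('ActivityPub Inbox: Request contents: ' . $body);
          $data = json_decode($body, true);

          // json_decode() yields null on malformed JSON and a scalar for a bare JSON value.
          // NOTE(review): "actor" is passed on as received; if it can arrive as an object
          // or array instead of a URL string, confirm get_profile_from_url() rejects it.
          if (!is_array($data) || !isset($data['actor'])) {
              ActivityPubReturn::error('Actor not found in the request.');
              return;
          }

          try {
              $actor = Activitypub_explorer::get_profile_from_url($data['actor']);
          } catch (HTTP_Request2_Exception $e) {
              ActivityPubReturn::error('Failed to retrieve remote actor information.');
              return;
          } catch (NoProfileException $e) {
              // Assert: This won't happen.
              common_log(LOG_ERR, 'PLEASE REPORT THIS: ActivityPub Inbox Handler failed with NoProfileException while retrieving remote actor information: ' . $e->getMessage());
              ActivityPubReturn::error('An unknown error has occurred. This was logged, please alert the sysadmin.');
              return;
          } catch (ServerException $e) {
              ActivityPubReturn::error('Could not store this remote actor.');
              return;
          } catch (Exception $e) {
              ActivityPubReturn::error('Invalid actor.');
              return;
          }

          try {
              $aprofile = Activitypub_profile::from_profile($actor);
          } catch (Exception $e) {
              // Assert: This won't happen.
              common_log(LOG_ERR, 'PLEASE REPORT THIS: ActivityPub Inbox Handler failed while retrieving AProfile from Profile: ' . $e->getMessage());
              ActivityPubReturn::error('An unknown error has occurred. This was logged, please alert the sysadmin.');
              return;
          }

          // The verification key is the one belonging to the actor named in the body.
          $actor_public_key = (new Activitypub_rsa())->ensure_public_key($actor);

          common_debug('ActivityPub Inbox: HTTP Signature: Validation will now start!');

          $headers = getallheaders();
          common_debug('ActivityPub Inbox: Request Headers: ' . print_r($headers, true));

          // NOTE(review): this lookup is case-sensitive while HTTP header names are not;
          // confirm the casing getallheaders() returns under the deployed SAPI.
          if (!isset($headers['Signature'])) {
              common_debug('ActivityPub Inbox: HTTP Signature: Missing Signature header.');
              ActivityPubReturn::error('Missing Signature header.', 400);
              return;
          }

          // Extract the signature properties
          $signatureData = HTTPSignature::parseSignatureHeader($headers['Signature']);
          common_debug('ActivityPub Inbox: HTTP Signature Data: ' . print_r($signatureData, true));

          if (isset($signatureData['error'])) {
              // json_encode()'s second parameter is a flag bitmask, not json_decode()'s
              // "assoc" switch. The previous `true` was coerced to 1, which is
              // JSON_HEX_TAG, so naming the flag keeps the output byte-identical.
              $details = json_encode($signatureData, JSON_HEX_TAG);
              common_debug('ActivityPub Inbox: HTTP Signature: ' . $details);
              ActivityPubReturn::error($details, 400);
              return;
          }

          list($verified, /*$headers*/) = HTTPSignature::verify($actor_public_key, $signatureData, $headers, $path, $body);

          // If the signature fails verification the first time, update profile as it might have changed public key
          if ($verified !== 1) {
              try {
                  $res = Activitypub_explorer::get_remote_user_activity($aprofile->getUri());
              } catch (Exception $e) {
                  ActivityPubReturn::error('Invalid remote actor.');
                  return;
              }

              try {
                  $actor = Activitypub_profile::update_profile($aprofile, $res);
              } catch (Exception $e) {
                  ActivityPubReturn::error('Failed to updated remote actor information.');
                  return;
              }

              $actor_public_key = (new Activitypub_rsa())->ensure_public_key($actor);
              list($verified, /*$headers*/) = HTTPSignature::verify($actor_public_key, $signatureData, $headers, $path, $body);
          }

          // If it still failed despite profile update
          if ($verified !== 1) {
              common_debug('ActivityPub Inbox: HTTP Signature: Invalid signature.');
              ActivityPubReturn::error('Invalid signature.');
              return;
          }

          // The signature verified against the key resolved from the activity's own
          // "actor", which is what ties the signer to the activity. No explicit comparison
          // of the signature's key identifier with that actor happens in this method.
          // NOTE(review): confirm HTTPSignature::verify() requires a Digest header in the
          // signed header list and checks it against $body; that is not visible here.
          common_debug('ActivityPub Inbox: HTTP Signature: Authorized request. Will now start the inbox handler.');

          try {
              new Activitypub_inbox_handler($data, $actor);
              ActivityPubReturn::answer();
          } catch (Exception $e) {
              // NOTE(review): the exception message is returned verbatim to the remote
              // server; confirm handler exceptions never carry internal detail.
              ActivityPubReturn::error($e->getMessage());
          }
      }
  }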