import * as Bull from 'bull'; import * as httpSignature from 'http-signature'; import perform from '../../remote/activitypub/perform'; import Logger from '../../services/logger'; import { registerOrFetchInstanceDoc } from '../../services/register-or-fetch-instance-doc'; import { Instances } from '../../models'; import { instanceChart } from '../../services/chart'; import { fetchMeta } from '../../misc/fetch-meta'; import { toPuny, extractDbHost } from '../../misc/convert-host'; import { getApId } from '../../remote/activitypub/type'; import { fetchNodeinfo } from '../../services/fetch-nodeinfo'; import { InboxJobData } from '..'; import DbResolver from '../../remote/activitypub/db-resolver'; import { resolvePerson } from '../../remote/activitypub/models/person'; import { LdSignature } from '../../remote/activitypub/misc/ld-signature'; const logger = new Logger('inbox'); // ユーザーのinboxにアクティビティが届いた時の処理 export default async (job: Bull.Job): Promise => { const signature = job.data.signature; // HTTP-signature const activity = job.data.activity; //#region Log const info = Object.assign({}, activity); delete info['@context']; logger.debug(JSON.stringify(info, null, 2)); //#endregion const host = toPuny(new URL(signature.keyId).hostname); // ブロックしてたら中断 const meta = await fetchMeta(); if (meta.blockedHosts.includes(host)) { return `Blocked request: ${host}`; } const keyIdLower = signature.keyId.toLowerCase(); if (keyIdLower.startsWith('acct:')) { return `Old keyId is no longer supported. ${keyIdLower}`; } const dbResolver = new DbResolver(); // HTTP-Signature keyIdを元にDBから取得 let authUser = await dbResolver.getAuthUserFromKeyId(signature.keyId); // keyIdでわからなければ、activity.actorを元にDBから取得 || activity.actorを元にリモートから取得 if (authUser == null) { authUser = await dbResolver.getAuthUserFromApId(getApId(activity.actor)); } // それでもわからなければ終了 if (authUser == null) { return `skip: failed to resolve user`; } // HTTP-Signatureの検証 if (!httpSignature.verifySignature(signature, authUser.key.keyPem)) { return 'signature verification failed'; } // signatureのsignerは、activity.actorと一致する必要がある if (authUser.user.uri !== activity.actor) { // 一致しなくても、でもLD-Signatureがありそうならそっちも見る if (activity.signature) { if (activity.signature.type !== 'RsaSignature2017') { return `skip: unsupported LD-signature type ${activity.signature.type}`; } // activity.signature.creator: https://example.oom/users/user#main-key // みたいになっててUserを引っ張れば公開キーも入ることを期待する if (activity.signature.creator) { const candicate = activity.signature.creator.replace(/#.*/, ''); await resolvePerson(candicate).catch(() => null); } // keyIdからLD-Signatureのユーザーを取得 authUser = await dbResolver.getAuthUserFromKeyId(activity.signature.creator); if (authUser == null) { return `skip: LD-Signatureのユーザーが取得できませんでした`; } // LD-Signature検証 const ldSignature = new LdSignature(); const verified = await ldSignature.verifyRsaSignature2017(activity, authUser.key.keyPem).catch(() => false); if (!verified) { return `skip: LD-Signatureの検証に失敗しました`; } // もう一度actorチェック if (authUser.user.uri !== activity.actor) { return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`; } } else { return 'signature verification failed'; } } // activity.idがあればホストが署名者のホストであることを確認する if (typeof activity.id === 'string') { const signerHost = extractDbHost(authUser.user.uri!); const activityIdHost = extractDbHost(activity.id); if (signerHost !== activityIdHost) { return `skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`; } } // Update stats registerOrFetchInstanceDoc(authUser.user.host).then(i => { Instances.update(i.id, { latestRequestReceivedAt: new Date(), lastCommunicatedAt: new Date(), isNotResponding: false }); fetchNodeinfo(i); instanceChart.requestReceived(i.host); }); // アクティビティを処理 await perform(authUser.user, activity); return `ok`; };