GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity
Files
bc030da3208143afcb869ce4611cb39d8d465fa6
gnu-social/plugins/WebFinger/WebFingerPlugin.php

233 lines
9.7 KiB
PHP
Raw Normal View History

Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
<?php
/*
* GNU Social - a federating social network
* Copyright (C) 2013, Free Software Foundation, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* Implements WebFinger for GNU Social, as well as support for the
* '.well-known/host-meta' resource.
*
* Depends on: LRDD plugin
*
GNU social is with a minor s.
2013-10-15 00:20:36 +02:00
* @package GNUsocial
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
* @author Mikael Nordfeldth <mmn@hethane.se>
*/
if (!defined('GNUSOCIAL')) { exit(1); }
class WebFingerPlugin extends Plugin
{
Publish OAuth data in host-meta
2015-06-04 18:54:09 +02:00
const OAUTH_ACCESS_TOKEN_REL = 'http://apinamespace.org/oauth/access_token';
const OAUTH_REQUEST_TOKEN_REL = 'http://apinamespace.org/oauth/request_token';
const OAUTH_AUTHORIZE_REL = 'http://apinamespace.org/oauth/authorize';
Typing on WebFinger onRouterInitialized handler argument URLMapper $m
2016-08-27 15:00:29 +02:00
public function onRouterInitialized(URLMapper $m)
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
{
$m->connect('.well-known/host-meta', array('action' => 'hostmeta'));
$m->connect('.well-known/host-meta.:format',
array('action' => 'hostmeta',
'format' => '(xml|json)'));
// the resource GET parameter can be anywhere, so don't mention it here
$m->connect('.well-known/webfinger', array('action' => 'webfinger'));
$m->connect('.well-known/webfinger.:format',
array('action' => 'webfinger',
'format' => '(xml|json)'));
$m->connect('main/ownerxrd', array('action' => 'ownerxrd'));
return true;
}
public function onLoginAction($action, &$login)
{
switch ($action) {
case 'hostmeta':
case 'webfinger':
$login = true;
return false;
}
return true;
}
Event handler StartGetProfileAcctUri for WebFinger
2013-10-28 18:26:00 +01:00
public function onStartGetProfileAcctUri(Profile $profile, &$acct)
{
$wfr = new WebFingerResource_Profile($profile);
try {
$acct = $wfr->reconstructAcct();
} catch (Exception $e) {
return true;
}
return false;
}
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
public function onEndGetWebFingerResource($resource, WebFingerResource &$target=null, array $args=array())
{
$profile = null;
if (Discovery::isAcct($resource)) {
$parts = explode('@', substr(urldecode($resource), 5)); // 5 is strlen of 'acct:'
if (count($parts) == 2) {
list($nick, $domain) = $parts;
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
if ($domain !== common_config('site', 'server')) {
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
throw new Exception(_('Remote profiles not supported via WebFinger yet.'));
}
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
$nick = common_canonical_nickname($nick);
$user = User::getKV('nickname', $nick);
if (!($user instanceof User)) {
throw new NoSuchUserException(array('nickname'=>$nick));
}
$profile = $user->getProfile();
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
}
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
} elseif (!common_valid_http_url($resource)) {
// If it's not a URL, we can't do our http<->https legacy fix thingie anyway,
// so just try the User URI lookup!
Let the WebFingerPlugin lookup profile resources with index.php/ too
2016-02-21 18:48:48 +01:00
try {
$user = User::getByUri($resource);
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
$profile = $user->getProfile();
Let the WebFingerPlugin lookup profile resources with index.php/ too
2016-02-21 18:48:48 +01:00
} catch (NoResultException $e) {
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
// not a User, maybe a Notice? we'll try that further down...
}
} else {
// this means $resource is a common_valid_http_url (or https)
// First build up a set of alternative resource URLs that we can use.
$alt_urls = [$resource => true];
if (strtolower(parse_url($resource, PHP_URL_SCHEME)) === 'https'
&& common_config('fix', 'legacy_http')) {
$alt_urls[preg_replace('/^https:/i', 'http:', $resource, 1)] = true;
}
if (common_config('fix', 'fancyurls')) {
foreach (array_keys($alt_urls) as $url) {
try { // if it's a /index.php/ url
// common_fake_local_fancy_url can throw an exception
$alt_url = common_fake_local_fancy_url($url);
} catch (Exception $e) { // let's try to create a fake local /index.php/ url
// this too if it can't do anything about the URL
$alt_url = common_fake_local_nonfancy_url($url);
Make WebFinger fancyurlfix configurable
2016-02-21 20:05:32 +01:00
}
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
$alt_urls[$alt_url] = true;
Let the WebFingerPlugin lookup profile resources with index.php/ too
2016-02-21 18:48:48 +01:00
}
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
}
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
common_debug(__METHOD__.': Generated these alternative URLs for various federation fixes: '._ve(array_keys($alt_urls)));
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
try {
common_debug(__METHOD__.': Finding User URI for WebFinger lookup on resource=='._ve($resource));
$user = new User();
$user->whereAddIn('uri', array_keys($alt_urls), $user->columnType('uri'));
$user->limit(1);
if ($user->find(true)) {
$profile = $user->getProfile();
}
unset($user);
} catch (Exception $e) {
// Most likely a UserNoProfileException, if it ever happens
// and then we need to do some debugging and perhaps fixes.
common_log(LOG_ERR, get_class($e).': '._ve($e->getMessage()));
throw $e;
}
Give Webfinger response to group queries
2016-06-25 20:13:19 +02:00
try {
common_debug(__METHOD__.': Finding User_group URI for WebFinger lookup on resource=='._ve($resource));
$group = new User_group();
$group->whereAddIn('uri', array_keys($alt_urls), $group->columnType('uri'));
$group->limit(1);
if ($group->find(true)) {
$profile = $group->getProfile();
}
unset($group);
} catch (Exception $e) {
common_log(LOG_ERR, get_class($e).': '._ve($e->getMessage()));
throw $e;
}
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
// User URI did not match, so let's try our alt_urls as Profile URL values
if (!$profile instanceof Profile) {
common_debug(__METHOD__.': Finding Profile URLs for WebFinger lookup on resource=='._ve($resource));
// if our rewrite hack didn't work, try to get something by profile URL
$profile = new Profile();
$profile->whereAddIn('profileurl', array_keys($alt_urls), $profile->columnType('profileurl'));
$profile->limit(1);
if (!$profile->find(true) || !$profile->isLocal()) {
// * Either we didn't find the profile, then we want to make
// the $profile variable null for clarity.
// * Or we did find it but for a possibly malicious remote
// user who might've set their profile URL to a Notice URL
// which would've caused a sort of DoS unless we continue
// our search here by discarding the remote profile.
$profile = null;
}
}
Make WebFinger fancyurlfix configurable
2016-02-21 20:05:32 +01:00
}
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
if ($profile instanceof Profile) {
fix/legacy_http for WebFinger + some minor fixes Now won't match possibly maliciously named remote profile URLs (where the profile URL could be a notice URL for example, which would mean the response would be incorrect) When looking up remote entities, we should _only_ use the stored URI, but that's for the future to do...
2016-03-30 01:32:11 +02:00
common_debug(__METHOD__.': Found Profile with ID=='._ve($profile->getID()).' for resource=='._ve($resource));
WebFingerResource introduced, instead of strict Profile object This is the beginning of getting notice URI info via WebFinger *XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt in WebFinger plugin for new events.
2013-10-20 15:32:56 +02:00
$target = new WebFingerResource_Profile($profile);
return false; // We got our target, stop handler execution
}
$notice = Notice::getKV('uri', $resource);
if ($notice instanceof Notice) {
$target = new WebFingerResource_Notice($notice);
return false;
}
return true;
}
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
public function onStartHostMetaLinks(array &$links)
{
foreach (Discovery::supportedMimeTypes() as $type) {
$links[] = new XML_XRD_Element_Link(Discovery::LRDD_REL,
common_local_url('webfinger') . '?resource={uri}',
$type,
true); // isTemplate
}
Publish OAuth data in host-meta
2015-06-04 18:54:09 +02:00
// OAuth connections
$links[] = new XML_XRD_Element_link(self::OAUTH_ACCESS_TOKEN_REL, common_local_url('ApiOAuthAccessToken'));
$links[] = new XML_XRD_Element_link(self::OAUTH_REQUEST_TOKEN_REL, common_local_url('ApiOAuthRequestToken'));
$links[] = new XML_XRD_Element_link(self::OAUTH_AUTHORIZE_REL, common_local_url('ApiOAuthAuthorize'));
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
}
/**
* Add a link header for LRDD Discovery
*/
public function onStartShowHTML($action)
{
if ($action instanceof ShowstreamAction) {
Make the Link header give URI for WebFinger lookup
2016-02-17 22:36:33 +01:00
$resource = $action->getTarget()->getUri();
$url = common_local_url('webfinger') . '?resource='.urlencode($resource);
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
foreach (array(Discovery::JRD_MIMETYPE, Discovery::XRD_MIMETYPE) as $type) {
Add all link headers, not just the last one Given the way Link headers work, it does not make any sense to just replace all other ones. Especially when we ourselves are adding in a loop.
2015-10-25 18:42:37 +00:00
header('Link: <'.$url.'>; rel="'. Discovery::LRDD_REL.'"; type="'.$type.'"', false);
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
}
}
}
Plugins didn't match lib/plugin.php onPluginVersion function definition I ran: for i in `grep -R onPluginVersion...version plugins/|cut -d: -f1`; do sed -i '{ s/\(onPluginVersion(\)\(\&\$versions\)/\1array \2/ }' $i; done
2015-06-06 22:04:01 +02:00
public function onPluginVersion(array &$versions)
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
{
$versions[] = array('name' => 'WebFinger',
Using GNUSOCIAL_VERSION instead of STATUSNET_VERSION
2013-11-01 13:51:41 +01:00
'version' => GNUSOCIAL_VERSION,
Implemented WebFinger and replaced our XRD with PEAR XML_XRD New plugins: * LRDD LRDD implements client-side RFC6415 and RFC7033 resource descriptor discovery procedures. I.e. LRDD, host-meta and WebFinger stuff. OStatus and OpenID now depend on the LRDD plugin (XML_XRD). * WebFinger This plugin implements the server-side of RFC6415 and RFC7033. Note: WebFinger technically doesn't handle XRD, but we serve both that and JRD (JSON Resource Descriptor), depending on Accept header and one ugly hack to check for old StatusNet installations. WebFinger depends on LRDD. We might make this even prettier by using Net_WebFinger, but it is not currently RFC7033 compliant (no /.well-known/webfinger resource GETs). Disabling the WebFinger plugin would effectively render your site non- federated (which might be desired on a private site). Disabling the LRDD plugin would make your site unable to do modern web URI lookups (making life just a little bit harder).
2013-09-30 17:13:03 +02:00
'author' => 'Mikael Nordfeldth',
'homepage' => 'http://www.gnu.org/software/social/',
// TRANS: Plugin description.
'rawdescription' => _m('Adds WebFinger lookup to GNU Social'));
return true;
}
}
Copy Permalink