d8f4de450c
will verify unknown aliases against old ones if the new identifies as a previously recognized URI. Steps: 1. Check the newly received URI. Who does it say it is? 2. Compare these alleged identities to our local database. 3. If we found any locally stored identities, ask it about its aliases. 4. Do any of the aliases from our known identity match the recently introduced one? Currently we do _not_ update the ostatus_profile table with the new URI.
271 lines
11 KiB
PHP
271 lines
11 KiB
PHP
<?php
|
|
/*
|
|
* StatusNet - the distributed open-source microblogging tool
|
|
* Copyright (C) 2010, StatusNet, Inc.
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/**
|
|
* @package OStatusPlugin
|
|
* @author James Walker <james@status.net>
|
|
*/
|
|
|
|
if (!defined('GNUSOCIAL')) { exit(1); }
|
|
|
|
class SalmonAction extends Action
|
|
{
|
|
protected $needPost = true;
|
|
|
|
protected $oprofile = null; // Ostatus_profile of the actor
|
|
protected $actor = null; // Profile object of the actor
|
|
|
|
var $xml = null;
|
|
var $activity = null;
|
|
var $target = null;
|
|
|
|
protected function prepare(array $args=array())
|
|
{
|
|
StatusNet::setApi(true); // Send smaller error pages
|
|
|
|
parent::prepare($args);
|
|
|
|
if (!isset($_SERVER['CONTENT_TYPE']) || $_SERVER['CONTENT_TYPE'] != 'application/magic-envelope+xml') {
|
|
// TRANS: Client error. Do not translate "application/magic-envelope+xml".
|
|
$this->clientError(_m('Salmon requires "application/magic-envelope+xml".'));
|
|
}
|
|
|
|
try {
|
|
$envxml = file_get_contents('php://input');
|
|
$magic_env = new MagicEnvelope($envxml); // parse incoming XML as a MagicEnvelope
|
|
|
|
$entry = $magic_env->getPayload(); // Not cryptographically verified yet!
|
|
$this->activity = new Activity($entry->documentElement);
|
|
if (empty($this->activity->actor->id)) {
|
|
common_log(LOG_ERR, "broken actor: " . var_export($this->activity->actor->id, true));
|
|
common_log(LOG_ERR, "activity with no actor: " . var_export($this->activity, true));
|
|
// TRANS: Exception.
|
|
throw new Exception(_m('Received a salmon slap from unidentified actor.'));
|
|
}
|
|
$profile = $this->profileFromActor($this->activity->actor);
|
|
} catch (Exception $e) {
|
|
common_debug('Salmon envelope parsing failed with: '.$e->getMessage());
|
|
$this->clientError($e->getMessage());
|
|
}
|
|
|
|
// Cryptographic verification test
|
|
if (!$magic_env->verify($profile)) {
|
|
common_log(LOG_DEBUG, "Salmon signature verification failed.");
|
|
// TRANS: Client error.
|
|
$this->clientError(_m('Salmon signature verification failed.'));
|
|
}
|
|
|
|
$this->actor = $profile;
|
|
$this->oprofile = Ostatus_profile::fromProfile($profile);
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Check the posted activity type and break out to appropriate processing.
|
|
*/
|
|
|
|
protected function handle()
|
|
{
|
|
parent::handle();
|
|
|
|
common_log(LOG_DEBUG, "Got a " . $this->activity->verb);
|
|
try {
|
|
if (Event::handle('StartHandleSalmonTarget', array($this->activity, $this->target)) &&
|
|
Event::handle('StartHandleSalmon', array($this->activity))) {
|
|
switch ($this->activity->verb) {
|
|
case ActivityVerb::POST:
|
|
$this->handlePost();
|
|
break;
|
|
case ActivityVerb::SHARE:
|
|
$this->handleShare();
|
|
break;
|
|
case ActivityVerb::FOLLOW:
|
|
case ActivityVerb::FRIEND:
|
|
$this->handleFollow();
|
|
break;
|
|
case ActivityVerb::UNFOLLOW:
|
|
$this->handleUnfollow();
|
|
break;
|
|
case ActivityVerb::JOIN:
|
|
$this->handleJoin();
|
|
break;
|
|
case ActivityVerb::LEAVE:
|
|
$this->handleLeave();
|
|
break;
|
|
case ActivityVerb::TAG:
|
|
$this->handleTag();
|
|
break;
|
|
case ActivityVerb::UNTAG:
|
|
$this->handleUntag();
|
|
break;
|
|
case ActivityVerb::UPDATE_PROFILE:
|
|
$this->handleUpdateProfile();
|
|
break;
|
|
default:
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('Unrecognized activity type.'));
|
|
}
|
|
Event::handle('EndHandleSalmon', array($this->activity));
|
|
Event::handle('EndHandleSalmonTarget', array($this->activity, $this->target));
|
|
}
|
|
} catch (AlreadyFulfilledException $e) {
|
|
// The action's results are already fulfilled. Maybe it was a
|
|
// duplicate? Maybe someone's database is out of sync?
|
|
// Let's just accept it and move on.
|
|
common_log(LOG_INFO, 'Salmon slap carried an event which had already been fulfilled.');
|
|
}
|
|
}
|
|
|
|
function handlePost()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand posts.'));
|
|
}
|
|
|
|
function handleFollow()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand follows.'));
|
|
}
|
|
|
|
function handleUnfollow()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand unfollows.'));
|
|
}
|
|
|
|
function handleShare()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand share events.'));
|
|
}
|
|
|
|
function handleJoin()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand joins.'));
|
|
}
|
|
|
|
function handleLeave()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand leave events.'));
|
|
}
|
|
|
|
function handleTag()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand list events.'));
|
|
}
|
|
|
|
function handleUntag()
|
|
{
|
|
// TRANS: Client exception.
|
|
throw new ClientException(_m('This target does not understand unlist events.'));
|
|
}
|
|
|
|
/**
|
|
* Remote user sent us an update to their profile.
|
|
* If we already know them, accept the updates.
|
|
*/
|
|
function handleUpdateProfile()
|
|
{
|
|
$oprofile = Ostatus_profile::getActorProfile($this->activity);
|
|
if ($oprofile instanceof Ostatus_profile) {
|
|
common_log(LOG_INFO, "Got a profile-update ping from $oprofile->uri");
|
|
$oprofile->updateFromActivityObject($this->activity->actor);
|
|
} else {
|
|
common_log(LOG_INFO, "Ignoring profile-update ping from unknown " . $this->activity->actor->id);
|
|
}
|
|
}
|
|
|
|
function profileFromActor(ActivityObject $actor)
|
|
{
|
|
try {
|
|
$profile = Profile::fromUri($actor->id);
|
|
} catch (UnknownUriException $e) {
|
|
// Apparently we didn't find the Profile object based on our URI,
|
|
// so OStatus doesn't have it with this URI in ostatus_profile.
|
|
// Try to look it up again, remote side may have changed from http to https
|
|
// or maybe publish an acct: URI now instead of an http: URL.
|
|
//
|
|
// Steps:
|
|
// 1. Check the newly received URI. Who does it say it is?
|
|
// 2. Compare these alleged identities to our local database.
|
|
// 3. If we found any locally stored identities, ask it about its aliases.
|
|
// 4. Do any of the aliases from our known identity match the recently introduced one?
|
|
//
|
|
// Example: We have stored http://example.com/user/1 but this URI says https://example.com/user/1
|
|
common_debug('No local Profile object found for a magicsigned activity author URI: '.$e->object_uri);
|
|
$disco = new Discovery();
|
|
$xrd = $disco->lookup($e->object_uri);
|
|
// Step 1: We got a bunch of discovery data for https://example.com/user/1 which includes
|
|
// aliases https://example.com/user and hopefully our original http://example.com/user/1 too
|
|
$all_ids = array_merge(array($xrd->subject), $xrd->aliases);
|
|
|
|
if (!in_array($e->object_uri, $all_ids)) {
|
|
common_debug('The activity author URI we got was not listed itself when doing discovery on it.');
|
|
throw $e;
|
|
}
|
|
|
|
// Go through each reported alias from lookup to see if we know this already
|
|
foreach ($all_ids as $aliased_uri) {
|
|
$oprofile = Ostatus_profile::getKV('uri', $aliased_uri);
|
|
if (!$oprofile instanceof Ostatus_profile) {
|
|
continue; // unknown locally, check the next alias
|
|
}
|
|
// Step 2: We found the alleged http://example.com/user/1 URI in our local database,
|
|
// but this can't be trusted yet because anyone can publish any alias.
|
|
common_debug('Found a local Ostatus_profile for "'.$e->object_uri.'" with this URI: '.$aliased_uri);
|
|
|
|
// We found an existing OStatus profile, but is it really the same? Do a callback to the URI's origin
|
|
// Step 3: lookup our previously known http://example.com/user/1 webfinger etc.
|
|
$xrd = $disco->lookup($oprofile->getUri()); // getUri returns ->uri, which we filtered on earlier
|
|
$doublecheck_aliases = array_merge(array($xrd->subject), $xrd->aliases);
|
|
common_debug('Trying to match known "'.$aliased_uri.'" against its returned aliases: '.implode(' ', $doublecheck_aliases));
|
|
// if we find our original URI here, it is a legitimate alias
|
|
// Step 4: Is the newly introduced https://example.com/user/1 URI in the list of aliases
|
|
// presented by http://example.com/user/1 (i.e. do they both say they are the same identity?)
|
|
if (in_array($e->object_uri, $doublecheck_aliases)) {
|
|
common_debug('These identities both say they are each other: "'.$aliased_uri.'" and "'.$e->object_uri);
|
|
$profile = $oprofile->localProfile();
|
|
break; // don't iterate through aliases anymore
|
|
}
|
|
}
|
|
// We might end up here after $all_ids is iterated through without a $profile value,
|
|
// so after this catch we'll have to make sure we don't return a non-Profile value.
|
|
}
|
|
if (!$profile instanceof Profile) {
|
|
common_debug("We do not have a local profile to connect to this activity's author. Let's create one.");
|
|
// ensureActivityObjectProfile throws exception on failure
|
|
$oprofile = Ostatus_profile::createActivityObjectProfile($actor);
|
|
$profile = $oprofile->localProfile();
|
|
}
|
|
assert($profile instanceof Profile);
|
|
return $profile;
|
|
}
|
|
|
|
function saveNotice()
|
|
{
|
|
$oprofile = $this->ensureProfile();
|
|
return $oprofile->processPost($this->activity, 'salmon');
|
|
}
|
|
}
|