2023-01-09 13:09:58 -07:00
|
|
|
package webfinger
|
2023-01-11 19:42:06 -07:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/ed25519"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"net/http"
|
2023-01-15 17:00:25 -07:00
|
|
|
"net/url"
|
2023-01-11 19:42:06 -07:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
|
|
|
"github.com/sour-is/ev"
|
|
|
|
|
"github.com/sour-is/ev/internal/lg"
|
|
|
|
|
"github.com/sour-is/ev/pkg/es/event"
|
2023-01-15 17:00:25 -07:00
|
|
|
"github.com/sour-is/ev/pkg/set"
|
2023-01-11 19:42:06 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type service struct {
|
2023-01-25 10:35:09 -07:00
|
|
|
es *ev.EventStore
|
|
|
|
|
self set.Set[string]
|
|
|
|
|
cache func(string) bool
|
2023-01-11 19:42:06 -07:00
|
|
|
}
|
|
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
type Option interface {
|
|
|
|
|
ApplyWebfinger(s *service)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type WithHostnames []string
|
|
|
|
|
|
|
|
|
|
func (o WithHostnames) ApplyWebfinger(s *service) {
|
|
|
|
|
s.self = set.New(o...)
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-25 10:35:09 -07:00
|
|
|
type WithCache func(string) bool
|
|
|
|
|
|
|
|
|
|
func (o WithCache) ApplyWebfinger(s *service) {
|
|
|
|
|
s.cache = o
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
func New(ctx context.Context, es *ev.EventStore, opts ...Option) (*service, error) {
|
2023-01-11 19:42:06 -07:00
|
|
|
ctx, span := lg.Span(ctx)
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
|
|
|
if err := event.Register(
|
|
|
|
|
ctx,
|
|
|
|
|
&SubjectSet{},
|
|
|
|
|
&SubjectDeleted{},
|
|
|
|
|
&LinkSet{},
|
|
|
|
|
&LinkDeleted{},
|
|
|
|
|
); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
svc := &service{es: es}
|
|
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
for _, o := range opts {
|
|
|
|
|
o.ApplyWebfinger(svc)
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-11 19:42:06 -07:00
|
|
|
return svc, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *service) RegisterHTTP(mux *http.ServeMux) {}
|
|
|
|
|
func (s *service) RegisterWellKnown(mux *http.ServeMux) {
|
|
|
|
|
mux.Handle("/webfinger", lg.Htrace(s, "webfinger"))
|
|
|
|
|
}
|
|
|
|
|
func (s *service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
ctx := r.Context()
|
|
|
|
|
ctx, span := lg.Span(ctx)
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
|
|
|
if r.URL.Path != "/webfinger" {
|
|
|
|
|
w.WriteHeader(http.StatusNotFound)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusNotFound))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch r.Method {
|
|
|
|
|
case http.MethodPut, http.MethodDelete:
|
|
|
|
|
if r.ContentLength > 4096 {
|
|
|
|
|
w.WriteHeader(http.StatusRequestEntityTooLarge)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusRequestEntityTooLarge))
|
|
|
|
|
span.AddEvent("request too large")
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
|
|
|
|
|
if err != nil {
|
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusInternalServerError))
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
r.Body.Close()
|
|
|
|
|
|
|
|
|
|
type claims struct {
|
2023-01-25 10:35:09 -07:00
|
|
|
PubKey string `json:"pub"`
|
2023-01-11 19:42:06 -07:00
|
|
|
*JRD
|
2023-01-25 10:35:09 -07:00
|
|
|
jwt.RegisteredClaims
|
2023-01-11 19:42:06 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := jwt.ParseWithClaims(
|
|
|
|
|
string(body),
|
|
|
|
|
&claims{},
|
|
|
|
|
func(tok *jwt.Token) (any, error) {
|
|
|
|
|
c, ok := tok.Claims.(*claims)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("wrong type of claim")
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-25 10:35:09 -07:00
|
|
|
c.JRD.Subject = c.RegisteredClaims.Subject
|
2023-01-11 19:42:06 -07:00
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
c.SetProperty(NSpubkey, &c.PubKey)
|
|
|
|
|
|
2023-01-11 19:42:06 -07:00
|
|
|
pub, err := dec(c.PubKey)
|
|
|
|
|
return ed25519.PublicKey(pub), err
|
|
|
|
|
},
|
|
|
|
|
jwt.WithValidMethods([]string{"EdDSA"}),
|
|
|
|
|
jwt.WithJSONNumber(),
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity), ": ", err.Error())
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c, ok := token.Claims.(*claims)
|
|
|
|
|
if !ok {
|
|
|
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity))
|
|
|
|
|
span.AddEvent("not a claim")
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-25 10:35:09 -07:00
|
|
|
if c.ID != "" && s.cache != nil {
|
|
|
|
|
if ok := s.cache(c.ID); ok {
|
|
|
|
|
w.WriteHeader(http.StatusAlreadyReported)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusAlreadyReported))
|
|
|
|
|
span.AddEvent("already seen ID")
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
a, err := ev.Upsert(ctx, s.es, StreamID(c.JRD.Subject), func(ctx context.Context, a *JRD) error {
|
2023-01-15 17:00:25 -07:00
|
|
|
var auth *JRD
|
|
|
|
|
|
|
|
|
|
// does the target have a pubkey for self auth?
|
|
|
|
|
if _, ok := a.Properties[NSpubkey]; ok {
|
|
|
|
|
auth = a
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check current version for auth.
|
|
|
|
|
if authID, ok := a.Properties[NSauth]; ok && authID != nil && auth == nil {
|
|
|
|
|
auth = &JRD{}
|
|
|
|
|
auth.SetStreamID(StreamID(*authID))
|
|
|
|
|
err := s.es.Load(ctx, auth)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if a.Version() == 0 || a.IsDeleted() {
|
|
|
|
|
// else does the new object claim auth from another object?
|
|
|
|
|
if authID, ok := c.Properties[NSauth]; ok && authID != nil && auth == nil {
|
|
|
|
|
auth = &JRD{}
|
|
|
|
|
auth.SetStreamID(StreamID(*authID))
|
|
|
|
|
err := s.es.Load(ctx, auth)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// fall back to use auth from submitted claims
|
|
|
|
|
if auth == nil {
|
|
|
|
|
auth = c.JRD
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if auth == nil {
|
|
|
|
|
return fmt.Errorf("auth not found")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = a.OnAuth(c.JRD, auth)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-11 21:25:20 -07:00
|
|
|
if r.Method == http.MethodDelete {
|
2023-01-15 17:00:25 -07:00
|
|
|
return a.OnDelete(c.JRD)
|
2023-01-11 21:25:20 -07:00
|
|
|
}
|
2023-01-15 17:00:25 -07:00
|
|
|
return a.OnClaims(c.JRD)
|
2023-01-11 19:42:06 -07:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity), ": ", err.Error())
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
if version := a.Version(); r.Method == http.MethodDelete && version > 0 {
|
|
|
|
|
err = s.es.Truncate(ctx, a.StreamID(), int64(version))
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
}
|
2023-01-11 19:42:06 -07:00
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
w.Header().Set("Content-Type", "application/jrd+json")
|
|
|
|
|
if r.Method == http.MethodDelete {
|
|
|
|
|
w.WriteHeader(http.StatusNoContent)
|
|
|
|
|
} else {
|
|
|
|
|
w.WriteHeader(http.StatusCreated)
|
|
|
|
|
}
|
2023-01-11 19:42:06 -07:00
|
|
|
j := json.NewEncoder(w)
|
|
|
|
|
j.SetIndent("", " ")
|
|
|
|
|
err = j.Encode(a)
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
case http.MethodGet:
|
|
|
|
|
resource := r.URL.Query().Get("resource")
|
2023-01-15 17:00:25 -07:00
|
|
|
rels := r.URL.Query()["rel"]
|
|
|
|
|
|
2023-01-25 10:35:09 -07:00
|
|
|
if resource == "" {
|
|
|
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
host, _ := splitHostPort(r.Host)
|
|
|
|
|
|
|
|
|
|
if u := Parse(resource); u != nil && !s.self.Has(host) {
|
2023-01-15 17:00:25 -07:00
|
|
|
redirect := &url.URL{}
|
2023-01-25 10:35:09 -07:00
|
|
|
redirect.Scheme = u.URL.Scheme
|
2023-01-15 17:00:25 -07:00
|
|
|
redirect.Host = u.URL.Host
|
|
|
|
|
redirect.RawQuery = r.URL.RawQuery
|
|
|
|
|
redirect.Path = "/.well-known/webfinger"
|
|
|
|
|
w.Header().Set("location", redirect.String())
|
|
|
|
|
w.WriteHeader(http.StatusSeeOther)
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-01-11 19:42:06 -07:00
|
|
|
|
|
|
|
|
a := &JRD{}
|
|
|
|
|
a.SetStreamID(StreamID(resource))
|
|
|
|
|
err := s.es.Load(ctx, a)
|
|
|
|
|
if err != nil {
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
if errors.Is(err, ev.ErrNotFound) {
|
|
|
|
|
w.WriteHeader(http.StatusNotFound)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusNotFound))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusInternalServerError))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if a.IsDeleted() {
|
|
|
|
|
w.WriteHeader(http.StatusGone)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusGone))
|
|
|
|
|
span.AddEvent("is deleted")
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-15 17:00:25 -07:00
|
|
|
if len(rels) > 0 {
|
|
|
|
|
a.Links = a.GetLinksByRel(rels...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if a.Properties != nil {
|
|
|
|
|
if redirect, ok := a.Properties[NSredirect]; ok && redirect != nil {
|
|
|
|
|
w.Header().Set("location", *redirect)
|
|
|
|
|
w.WriteHeader(http.StatusSeeOther)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-11 19:42:06 -07:00
|
|
|
w.Header().Set("Content-Type", "application/jrd+json")
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
|
|
|
|
|
j := json.NewEncoder(w)
|
|
|
|
|
j.SetIndent("", " ")
|
|
|
|
|
err = j.Encode(a)
|
|
|
|
|
span.RecordError(err)
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
w.Header().Set("Allow", "GET, PUT, DELETE, OPTIONS")
|
|
|
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
|
|
|
fmt.Fprint(w, http.StatusText(http.StatusMethodNotAllowed))
|
|
|
|
|
span.AddEvent("method not allow: " + r.Method)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func dec(s string) ([]byte, error) {
|
|
|
|
|
s = strings.TrimSpace(s)
|
|
|
|
|
return base64.RawURLEncoding.DecodeString(s)
|
|
|
|
|
}
|
2023-01-25 10:35:09 -07:00
|
|
|
func splitHostPort(hostPort string) (host, port string) {
|
|
|
|
|
host = hostPort
|
|
|
|
|
|
|
|
|
|
colon := strings.LastIndexByte(host, ':')
|
|
|
|
|
if colon != -1 && validOptionalPort(host[colon:]) {
|
|
|
|
|
host, port = host[:colon], host[colon+1:]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
|
|
|
|
|
host = host[1 : len(host)-1]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
func validOptionalPort(port string) bool {
|
|
|
|
|
if port == "" {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if port[0] != ':' {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
for _, b := range port[1:] {
|
|
|
|
|
if b < '0' || b > '9' {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return true
|
|
|
|
|
}
|
