416 lines
9.0 KiB
Go
416 lines
9.0 KiB
Go
package webfinger
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ed25519"
|
|
"embed"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"html"
|
|
"html/template"
|
|
"io"
|
|
"io/fs"
|
|
"log"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
"go.sour.is/ev"
|
|
"go.sour.is/ev/internal/lg"
|
|
"go.sour.is/ev/pkg/es/event"
|
|
"go.sour.is/ev/pkg/set"
|
|
)
|
|
|
|
var (
|
|
//go:embed ui/*/*
|
|
files embed.FS
|
|
templates map[string]*template.Template
|
|
)
|
|
|
|
type service struct {
|
|
es *ev.EventStore
|
|
self set.Set[string]
|
|
cache func(string) bool
|
|
}
|
|
|
|
type Option interface {
|
|
ApplyWebfinger(s *service)
|
|
}
|
|
|
|
type WithHostnames []string
|
|
|
|
func (o WithHostnames) ApplyWebfinger(s *service) {
|
|
s.self = set.New(o...)
|
|
}
|
|
|
|
type WithCache func(string) bool
|
|
|
|
func (o WithCache) ApplyWebfinger(s *service) {
|
|
s.cache = o
|
|
}
|
|
|
|
func New(ctx context.Context, es *ev.EventStore, opts ...Option) (*service, error) {
|
|
ctx, span := lg.Span(ctx)
|
|
defer span.End()
|
|
|
|
if err := event.Register(
|
|
ctx,
|
|
&SubjectSet{},
|
|
&SubjectDeleted{},
|
|
&LinkSet{},
|
|
&LinkDeleted{},
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
svc := &service{es: es}
|
|
|
|
for _, o := range opts {
|
|
o.ApplyWebfinger(svc)
|
|
}
|
|
|
|
return svc, nil
|
|
}
|
|
|
|
func (s *service) RegisterHTTP(mux *http.ServeMux) {
|
|
a, _ := fs.Sub(files, "ui/assets")
|
|
assets := http.StripPrefix("/webfinger/assets/", http.FileServer(http.FS(a)))
|
|
|
|
mux.Handle("/webfinger", s.ui())
|
|
mux.Handle("/webfinger/assets/", assets)
|
|
}
|
|
func (s *service) RegisterWellKnown(mux *http.ServeMux) {
|
|
mux.Handle("/webfinger", lg.Htrace(s, "webfinger"))
|
|
}
|
|
func (s *service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
ctx, span := lg.Span(ctx)
|
|
defer span.End()
|
|
|
|
if r.URL.Path != "/webfinger" {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
fmt.Fprint(w, http.StatusText(http.StatusNotFound))
|
|
return
|
|
}
|
|
|
|
switch r.Method {
|
|
case http.MethodPut, http.MethodDelete:
|
|
if r.ContentLength > 4096 {
|
|
w.WriteHeader(http.StatusRequestEntityTooLarge)
|
|
fmt.Fprint(w, http.StatusText(http.StatusRequestEntityTooLarge))
|
|
span.AddEvent("request too large")
|
|
|
|
return
|
|
}
|
|
body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
fmt.Fprint(w, http.StatusText(http.StatusInternalServerError))
|
|
span.RecordError(err)
|
|
|
|
return
|
|
}
|
|
r.Body.Close()
|
|
|
|
type claims struct {
|
|
PubKey string `json:"pub"`
|
|
*JRD
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
token, err := jwt.ParseWithClaims(
|
|
string(body),
|
|
&claims{},
|
|
func(tok *jwt.Token) (any, error) {
|
|
c, ok := tok.Claims.(*claims)
|
|
if !ok {
|
|
return nil, fmt.Errorf("wrong type of claim")
|
|
}
|
|
|
|
if c.JRD == nil {
|
|
c.JRD = &JRD{}
|
|
}
|
|
|
|
c.JRD.Subject = c.RegisteredClaims.Subject
|
|
|
|
c.SetProperty(NSpubkey, &c.PubKey)
|
|
|
|
pub, err := dec(c.PubKey)
|
|
return ed25519.PublicKey(pub), err
|
|
},
|
|
jwt.WithValidMethods([]string{"EdDSA"}),
|
|
jwt.WithJSONNumber(),
|
|
)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity), ": ", err.Error())
|
|
span.RecordError(err)
|
|
|
|
return
|
|
}
|
|
|
|
c, ok := token.Claims.(*claims)
|
|
if !ok {
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity))
|
|
span.AddEvent("not a claim")
|
|
|
|
return
|
|
}
|
|
|
|
if c.ID != "" && s.cache != nil {
|
|
if ok := s.cache(c.ID); ok {
|
|
w.WriteHeader(http.StatusAlreadyReported)
|
|
fmt.Fprint(w, http.StatusText(http.StatusAlreadyReported))
|
|
span.AddEvent("already seen ID")
|
|
|
|
return
|
|
}
|
|
}
|
|
|
|
json.NewEncoder(os.Stdout).Encode(c.JRD)
|
|
|
|
for i := range c.JRD.Links {
|
|
c.JRD.Links[i].Index = uint64(i)
|
|
}
|
|
|
|
a, err := ev.Upsert(ctx, s.es, StreamID(c.JRD.Subject), func(ctx context.Context, a *JRD) error {
|
|
var auth *JRD
|
|
|
|
for i := range a.Links {
|
|
a.Links[i].Index = uint64(i)
|
|
}
|
|
|
|
// does the target have a pubkey for self auth?
|
|
if _, ok := a.Properties[NSpubkey]; ok {
|
|
auth = a
|
|
}
|
|
|
|
// Check current version for auth.
|
|
if authID, ok := a.Properties[NSauth]; ok && authID != nil && auth == nil {
|
|
auth = &JRD{}
|
|
auth.SetStreamID(StreamID(*authID))
|
|
err := s.es.Load(ctx, auth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if a.Version() == 0 || a.IsDeleted() {
|
|
// else does the new object claim auth from another object?
|
|
if authID, ok := c.Properties[NSauth]; ok && authID != nil && auth == nil {
|
|
auth = &JRD{}
|
|
auth.SetStreamID(StreamID(*authID))
|
|
err := s.es.Load(ctx, auth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// fall back to use auth from submitted claims
|
|
if auth == nil {
|
|
auth = c.JRD
|
|
}
|
|
}
|
|
|
|
if auth == nil {
|
|
return fmt.Errorf("auth not found")
|
|
}
|
|
|
|
err = a.OnAuth(c.JRD, auth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if r.Method == http.MethodDelete {
|
|
return a.OnDelete(c.JRD)
|
|
}
|
|
return a.OnClaims(c.JRD)
|
|
})
|
|
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
fmt.Fprint(w, http.StatusText(http.StatusUnprocessableEntity), ": ", err.Error())
|
|
span.RecordError(err)
|
|
|
|
return
|
|
}
|
|
|
|
if version := a.Version(); r.Method == http.MethodDelete && version > 0 {
|
|
err = s.es.Truncate(ctx, a.StreamID(), int64(version))
|
|
span.RecordError(err)
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/jrd+json")
|
|
if r.Method == http.MethodDelete {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
} else {
|
|
w.WriteHeader(http.StatusCreated)
|
|
}
|
|
j := json.NewEncoder(w)
|
|
j.SetIndent("", " ")
|
|
err = j.Encode(a)
|
|
span.RecordError(err)
|
|
|
|
case http.MethodGet:
|
|
resource := r.URL.Query().Get("resource")
|
|
rels := r.URL.Query()["rel"]
|
|
|
|
if resource == "" {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if u := Parse(resource); u != nil && !s.self.Has(u.URL.Host) {
|
|
redirect := &url.URL{}
|
|
redirect.Scheme = "https"
|
|
redirect.Host = u.URL.Host
|
|
redirect.RawQuery = r.URL.RawQuery
|
|
redirect.Path = "/.well-known/webfinger"
|
|
|
|
w.Header().Set("location", redirect.String())
|
|
w.WriteHeader(http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
a := &JRD{}
|
|
a.SetStreamID(StreamID(resource))
|
|
err := s.es.Load(ctx, a)
|
|
if err != nil {
|
|
span.RecordError(err)
|
|
|
|
if errors.Is(err, ev.ErrNotFound) {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
fmt.Fprint(w, http.StatusText(http.StatusNotFound))
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
fmt.Fprint(w, http.StatusText(http.StatusInternalServerError))
|
|
return
|
|
}
|
|
|
|
if a.IsDeleted() {
|
|
w.WriteHeader(http.StatusGone)
|
|
fmt.Fprint(w, http.StatusText(http.StatusGone))
|
|
span.AddEvent("is deleted")
|
|
|
|
return
|
|
}
|
|
|
|
if len(rels) > 0 {
|
|
a.Links = a.GetLinksByRel(rels...)
|
|
}
|
|
|
|
if a.Properties != nil {
|
|
if redirect, ok := a.Properties[NSredirect]; ok && redirect != nil {
|
|
w.Header().Set("location", *redirect)
|
|
w.WriteHeader(http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/jrd+json")
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
j := json.NewEncoder(w)
|
|
j.SetIndent("", " ")
|
|
err = j.Encode(a)
|
|
span.RecordError(err)
|
|
|
|
default:
|
|
w.Header().Set("Allow", "GET, PUT, DELETE, OPTIONS")
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
fmt.Fprint(w, http.StatusText(http.StatusMethodNotAllowed))
|
|
span.AddEvent("method not allow: " + r.Method)
|
|
}
|
|
}
|
|
func (s *service) ui() http.HandlerFunc {
|
|
loadTemplates()
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
args := struct {
|
|
Req *http.Request
|
|
Status int
|
|
Body []byte
|
|
JRD *JRD
|
|
Err error
|
|
}{Status: http.StatusOK}
|
|
|
|
if r.URL.Query().Has("resource") {
|
|
args.Req, args.Err = http.NewRequestWithContext(r.Context(), http.MethodGet, r.URL.String(), nil)
|
|
if args.Err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
wr := httptest.NewRecorder()
|
|
s.ServeHTTP(wr, args.Req)
|
|
|
|
args.Status = wr.Code
|
|
|
|
switch wr.Code {
|
|
case http.StatusSeeOther:
|
|
res, err := http.DefaultClient.Get(wr.Header().Get("location"))
|
|
args.Err = err
|
|
if err == nil {
|
|
args.Status = res.StatusCode
|
|
args.Body, args.Err = io.ReadAll(res.Body)
|
|
}
|
|
case http.StatusOK:
|
|
args.Body, args.Err = io.ReadAll(wr.Body)
|
|
if args.Err == nil {
|
|
args.JRD, args.Err = ParseJRD(args.Body)
|
|
}
|
|
}
|
|
if args.Err == nil && args.Body != nil {
|
|
args.JRD, args.Err = ParseJRD(args.Body)
|
|
}
|
|
}
|
|
|
|
t := templates["home.go.tpl"]
|
|
err := t.Execute(w, args)
|
|
if err != nil {
|
|
log.Println(err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func dec(s string) ([]byte, error) {
|
|
s = strings.TrimSpace(s)
|
|
return base64.RawURLEncoding.DecodeString(s)
|
|
}
|
|
|
|
var funcMap = map[string]any{
|
|
"propName": func(in string) string { return in[strings.LastIndex(in, "/")+1:] },
|
|
"escape": html.EscapeString,
|
|
}
|
|
|
|
func loadTemplates() error {
|
|
if templates != nil {
|
|
return nil
|
|
}
|
|
templates = make(map[string]*template.Template)
|
|
tmplFiles, err := fs.ReadDir(files, "ui/pages")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, tmpl := range tmplFiles {
|
|
if tmpl.IsDir() {
|
|
continue
|
|
}
|
|
pt := template.New(tmpl.Name())
|
|
pt.Funcs(funcMap)
|
|
pt, err = pt.ParseFS(files, "ui/pages/"+tmpl.Name(), "ui/layouts/*.go.tpl")
|
|
if err != nil {
|
|
log.Println(err)
|
|
|
|
return err
|
|
}
|
|
templates[tmpl.Name()] = pt
|
|
}
|
|
return nil
|
|
}
|