diff --git a/.config/docker_example.yml b/.config/docker_example.yml index bd0ad2872..d347882d1 100644 --- a/.config/docker_example.yml +++ b/.config/docker_example.yml @@ -164,12 +164,12 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 16 -# inboxJobConcurrency: 4 +# deliverJobConcurrency: 128 +# inboxJobConcurrency: 16 # Job rate limiter # deliverJobPerSec: 128 -# inboxJobPerSec: 64 +# inboxJobPerSec: 32 # Job attempts # deliverJobMaxAttempts: 12 diff --git a/.config/example.yml b/.config/example.yml index 0d525f61c..b11cbd137 100644 --- a/.config/example.yml +++ b/.config/example.yml @@ -230,15 +230,15 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -#deliverJobConcurrency: 16 -#inboxJobConcurrency: 4 +#deliverJobConcurrency: 128 +#inboxJobConcurrency: 16 #relationshipJobConcurrency: 16 # What's relationshipJob?: # Follow, unfollow, block and unblock(ings) while following-imports, etc. or account migrations. # Job rate limiter -#deliverJobPerSec: 1024 -#inboxJobPerSec: 64 +#deliverJobPerSec: 128 +#inboxJobPerSec: 32 #relationshipJobPerSec: 64 # Job attempts diff --git a/.devcontainer/devcontainer.yml b/.devcontainer/devcontainer.yml index d74d741e0..beefcfd0a 100644 --- a/.devcontainer/devcontainer.yml +++ b/.devcontainer/devcontainer.yml @@ -157,12 +157,12 @@ id: 'aidx' #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 16 -# inboxJobConcurrency: 4 +# deliverJobConcurrency: 128 +# inboxJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 1024 -# inboxJobPerSec: 64 +# deliverJobPerSec: 128 +# inboxJobPerSec: 32 # Job attempts # deliverJobMaxAttempts: 12 diff --git a/CHANGELOG.md b/CHANGELOG.md index b020c214b..f429033aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,14 +8,6 @@ - Feat: 通報を受けた際、または解決した際に、予め登録した宛先に通知を飛ばせるように(mail or webhook) #13705 - Feat: ユーザーのアイコン/バナーの変更可否をロールで設定可能に - 変更不可となっていても、設定済みのものを解除してデフォルト画像に戻すことは出来ます -- Feat: 連合に使うHTTP SignaturesがEd25519鍵に対応するように #13464 - - Ed25519署名に対応するサーバーが増えると、deliverで要求されるサーバーリソースが削減されます - - ジョブキューのconfig設定のデフォルト値を変更しました。 - default.ymlでジョブキューの並列度を設定している場合は、従前よりもconcurrencyの値をより下げるとパフォーマンスが改善する可能性があります。 - * deliverJobConcurrency: 16 (←128) - * deliverJobPerSec: 1024 (←128) - * inboxJobConcurrency: 4 (←16) - * inboxJobPerSec: 64 (←32) - Fix: 配信停止したインスタンス一覧が見れなくなる問題を修正 - Fix: Dockerコンテナの立ち上げ時に`pnpm`のインストールで固まることがある問題 - Fix: デフォルトテーマに無効なテーマコードを入力するとUIが使用できなくなる問題を修正 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a56345e6..afc21ea59 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -197,7 +197,7 @@ TODO ## Environment Variable - `MISSKEY_CONFIG_YML`: Specify the file path of config.yml instead of default.yml (e.g. `2nd.yml`). -- `MISSKEY_USE_HTTP`: If it's set true, federation requests (like nodeinfo and webfinger) will be http instead of https, useful for testing federation between servers in localhost. NEVER USE IN PRODUCTION. (was `MISSKEY_WEBFINGER_USE_HTTP`) +- `MISSKEY_WEBFINGER_USE_HTTP`: If it's set true, WebFinger requests will be http instead of https, useful for testing federation between servers in localhost. NEVER USE IN PRODUCTION. ## Continuous integration Misskey uses GitHub Actions for executing automated tests. diff --git a/chart/files/default.yml b/chart/files/default.yml index 4017588fa..f98b8ebfe 100644 --- a/chart/files/default.yml +++ b/chart/files/default.yml @@ -178,12 +178,12 @@ id: "aidx" #clusterLimit: 1 # Job concurrency per worker -# deliverJobConcurrency: 16 -# inboxJobConcurrency: 4 +# deliverJobConcurrency: 128 +# inboxJobConcurrency: 16 # Job rate limiter -# deliverJobPerSec: 1024 -# inboxJobPerSec: 64 +# deliverJobPerSec: 128 +# inboxJobPerSec: 32 # Job attempts # deliverJobMaxAttempts: 12 diff --git a/packages/backend/migration/1708980134301-APMultipleKeys.js b/packages/backend/migration/1708980134301-APMultipleKeys.js deleted file mode 100644 index ca55526c6..000000000 --- a/packages/backend/migration/1708980134301-APMultipleKeys.js +++ /dev/null @@ -1,39 +0,0 @@ -/* - * SPDX-FileCopyrightText: syuilo and misskey-project - * SPDX-License-Identifier: AGPL-3.0-only - */ - -export class APMultipleKeys1708980134301 { - name = 'APMultipleKeys1708980134301' - - async up(queryRunner) { - await queryRunner.query(`DROP INDEX "public"."IDX_171e64971c780ebd23fae140bb"`); - await queryRunner.query(`ALTER TABLE "user_keypair" ADD "ed25519PublicKey" character varying(128)`); - await queryRunner.query(`ALTER TABLE "user_keypair" ADD "ed25519PrivateKey" character varying(128)`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "FK_10c146e4b39b443ede016f6736d"`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_10c146e4b39b443ede016f6736d"`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_0db6a5fdb992323449edc8ee421" PRIMARY KEY ("userId", "keyId")`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_0db6a5fdb992323449edc8ee421"`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_171e64971c780ebd23fae140bba" PRIMARY KEY ("keyId")`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "UQ_10c146e4b39b443ede016f6736d" UNIQUE ("userId")`); - await queryRunner.query(`CREATE INDEX "IDX_10c146e4b39b443ede016f6736" ON "user_publickey" ("userId") `); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "FK_10c146e4b39b443ede016f6736d" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE NO ACTION`); - } - - async down(queryRunner) { - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "FK_10c146e4b39b443ede016f6736d"`); - await queryRunner.query(`DROP INDEX "public"."IDX_10c146e4b39b443ede016f6736"`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "UQ_10c146e4b39b443ede016f6736d"`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_171e64971c780ebd23fae140bba"`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_0db6a5fdb992323449edc8ee421" PRIMARY KEY ("userId", "keyId")`); - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "PK_0db6a5fdb992323449edc8ee421"`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "PK_10c146e4b39b443ede016f6736d" PRIMARY KEY ("userId")`); - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "FK_10c146e4b39b443ede016f6736d" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE NO ACTION`); - await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" DROP DEFAULT`); - await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" TYPE "public"."user_profile_followersVisibility_enum_old" USING "followersVisibility"::"text"::"public"."user_profile_followersVisibility_enum_old"`); - await queryRunner.query(`ALTER TABLE "user_profile" ALTER COLUMN "followersVisibility" SET DEFAULT 'public'`); - await queryRunner.query(`ALTER TABLE "user_keypair" DROP COLUMN "ed25519PrivateKey"`); - await queryRunner.query(`ALTER TABLE "user_keypair" DROP COLUMN "ed25519PublicKey"`); - await queryRunner.query(`CREATE UNIQUE INDEX "IDX_171e64971c780ebd23fae140bb" ON "user_publickey" ("keyId") `); - } -} diff --git a/packages/backend/migration/1709242519122-HttpSignImplLv.js b/packages/backend/migration/1709242519122-HttpSignImplLv.js deleted file mode 100644 index 7748bae00..000000000 --- a/packages/backend/migration/1709242519122-HttpSignImplLv.js +++ /dev/null @@ -1,16 +0,0 @@ -/* - * SPDX-FileCopyrightText: syuilo and misskey-project - * SPDX-License-Identifier: AGPL-3.0-only - */ - -export class HttpSignImplLv1709242519122 { - name = 'HttpSignImplLv1709242519122' - - async up(queryRunner) { - await queryRunner.query(`ALTER TABLE "instance" ADD "httpMessageSignaturesImplementationLevel" character varying(16) NOT NULL DEFAULT '00'`); - } - - async down(queryRunner) { - await queryRunner.query(`ALTER TABLE "instance" DROP COLUMN "httpMessageSignaturesImplementationLevel"`); - } -} diff --git a/packages/backend/migration/1709269211718-APMultipleKeysFix1.js b/packages/backend/migration/1709269211718-APMultipleKeysFix1.js deleted file mode 100644 index d2011802f..000000000 --- a/packages/backend/migration/1709269211718-APMultipleKeysFix1.js +++ /dev/null @@ -1,16 +0,0 @@ -/* - * SPDX-FileCopyrightText: syuilo and misskey-project - * SPDX-License-Identifier: AGPL-3.0-only - */ - -export class APMultipleKeys1709269211718 { - name = 'APMultipleKeys1709269211718' - - async up(queryRunner) { - await queryRunner.query(`ALTER TABLE "user_publickey" DROP CONSTRAINT "UQ_10c146e4b39b443ede016f6736d"`); - } - - async down(queryRunner) { - await queryRunner.query(`ALTER TABLE "user_publickey" ADD CONSTRAINT "UQ_10c146e4b39b443ede016f6736d" UNIQUE ("userId")`); - } -} diff --git a/packages/backend/package.json b/packages/backend/package.json index 893171ebd..22fdc5cf1 100644 --- a/packages/backend/package.json +++ b/packages/backend/package.json @@ -79,13 +79,13 @@ "@fastify/multipart": "8.3.0", "@fastify/static": "7.0.4", "@fastify/view": "9.1.0", - "@misskey-dev/node-http-message-signatures": "0.0.10", "@misskey-dev/sharp-read-bmp": "1.2.0", "@misskey-dev/summaly": "5.1.0", "@napi-rs/canvas": "^0.1.53", "@nestjs/common": "10.3.10", "@nestjs/core": "10.3.10", "@nestjs/testing": "10.3.10", + "@peertube/http-signature": "1.7.0", "@sentry/node": "8.13.0", "@sentry/profiling-node": "8.13.0", "@simplewebauthn/server": "10.0.0", diff --git a/packages/backend/src/@types/http-signature.d.ts b/packages/backend/src/@types/http-signature.d.ts new file mode 100644 index 000000000..75b62e55f --- /dev/null +++ b/packages/backend/src/@types/http-signature.d.ts @@ -0,0 +1,82 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +declare module '@peertube/http-signature' { + import type { IncomingMessage, ClientRequest } from 'node:http'; + + interface ISignature { + keyId: string; + algorithm: string; + headers: string[]; + signature: string; + } + + interface IOptions { + headers?: string[]; + algorithm?: string; + strict?: boolean; + authorizationHeaderName?: string; + } + + interface IParseRequestOptions extends IOptions { + clockSkew?: number; + } + + interface IParsedSignature { + scheme: string; + params: ISignature; + signingString: string; + algorithm: string; + keyId: string; + } + + type RequestSignerConstructorOptions = + IRequestSignerConstructorOptionsFromProperties | + IRequestSignerConstructorOptionsFromFunction; + + interface IRequestSignerConstructorOptionsFromProperties { + keyId: string; + key: string | Buffer; + algorithm?: string; + } + + interface IRequestSignerConstructorOptionsFromFunction { + sign?: (data: string, cb: (err: any, sig: ISignature) => void) => void; + } + + class RequestSigner { + constructor(options: RequestSignerConstructorOptions); + + public writeHeader(header: string, value: string): string; + + public writeDateHeader(): string; + + public writeTarget(method: string, path: string): void; + + public sign(cb: (err: any, authz: string) => void): void; + } + + interface ISignRequestOptions extends IOptions { + keyId: string; + key: string; + httpVersion?: string; + } + + export function parse(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature; + export function parseRequest(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature; + + export function sign(request: ClientRequest, options: ISignRequestOptions): boolean; + export function signRequest(request: ClientRequest, options: ISignRequestOptions): boolean; + export function createSigner(): RequestSigner; + export function isSigner(obj: any): obj is RequestSigner; + + export function sshKeyToPEM(key: string): string; + export function sshKeyFingerprint(key: string): string; + export function pemToRsaSSHKey(pem: string, comment: string): string; + + export function verify(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean; + export function verifySignature(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean; + export function verifyHMAC(parsedSignature: IParsedSignature, secret: string): boolean; +} diff --git a/packages/backend/src/const.ts b/packages/backend/src/const.ts index c132cc7e7..4dc689238 100644 --- a/packages/backend/src/const.ts +++ b/packages/backend/src/const.ts @@ -9,11 +9,6 @@ export const MAX_NOTE_TEXT_LENGTH = 3000; export const USER_ONLINE_THRESHOLD = 1000 * 60 * 10; // 10min export const USER_ACTIVE_THRESHOLD = 1000 * 60 * 60 * 24 * 3; // 3days -export const REMOTE_USER_CACHE_TTL = 1000 * 60 * 60 * 3; // 3hours -export const REMOTE_USER_MOVE_COOLDOWN = 1000 * 60 * 60 * 24 * 14; // 14days - -export const REMOTE_SERVER_CACHE_TTL = 1000 * 60 * 60 * 3; // 3hours - //#region hard limits // If you change DB_* values, you must also change the DB schema. diff --git a/packages/backend/src/core/AccountUpdateService.ts b/packages/backend/src/core/AccountUpdateService.ts index ca0864f67..69a57b485 100644 --- a/packages/backend/src/core/AccountUpdateService.ts +++ b/packages/backend/src/core/AccountUpdateService.ts @@ -3,8 +3,7 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Inject, Injectable, OnModuleInit } from '@nestjs/common'; -import { ModuleRef } from '@nestjs/core'; +import { Inject, Injectable } from '@nestjs/common'; import { DI } from '@/di-symbols.js'; import type { UsersRepository } from '@/models/_.js'; import type { MiUser } from '@/models/User.js'; @@ -13,44 +12,30 @@ import { RelayService } from '@/core/RelayService.js'; import { ApDeliverManagerService } from '@/core/activitypub/ApDeliverManagerService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; -import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; @Injectable() -export class AccountUpdateService implements OnModuleInit { - private apDeliverManagerService: ApDeliverManagerService; +export class AccountUpdateService { constructor( - private moduleRef: ModuleRef, - @Inject(DI.usersRepository) private usersRepository: UsersRepository, private userEntityService: UserEntityService, private apRendererService: ApRendererService, + private apDeliverManagerService: ApDeliverManagerService, private relayService: RelayService, ) { } - async onModuleInit() { - this.apDeliverManagerService = this.moduleRef.get(ApDeliverManagerService.name); - } - @bindThis - /** - * Deliver account update to followers - * @param userId user id - * @param deliverKey optional. Private key to sign the deliver. - */ - public async publishToFollowers(userId: MiUser['id'], deliverKey?: PrivateKeyWithPem) { + public async publishToFollowers(userId: MiUser['id']) { const user = await this.usersRepository.findOneBy({ id: userId }); if (user == null) throw new Error('user not found'); // フォロワーがリモートユーザーかつ投稿者がローカルユーザーならUpdateを配信 if (this.userEntityService.isLocalUser(user)) { const content = this.apRendererService.addContext(this.apRendererService.renderUpdate(await this.apRendererService.renderPerson(user), user)); - await Promise.allSettled([ - this.apDeliverManagerService.deliverToFollowers(user, content, deliverKey), - this.relayService.deliverToRelays(user, content, deliverKey), - ]); + this.apDeliverManagerService.deliverToFollowers(user, content); + this.relayService.deliverToRelays(user, content); } } } diff --git a/packages/backend/src/core/CreateSystemUserService.ts b/packages/backend/src/core/CreateSystemUserService.ts index 60ddc9cde..6c5b0f6a3 100644 --- a/packages/backend/src/core/CreateSystemUserService.ts +++ b/packages/backend/src/core/CreateSystemUserService.ts @@ -7,7 +7,7 @@ import { randomUUID } from 'node:crypto'; import { Inject, Injectable } from '@nestjs/common'; import bcrypt from 'bcryptjs'; import { IsNull, DataSource } from 'typeorm'; -import { genRSAAndEd25519KeyPair } from '@/misc/gen-key-pair.js'; +import { genRsaKeyPair } from '@/misc/gen-key-pair.js'; import { MiUser } from '@/models/User.js'; import { MiUserProfile } from '@/models/UserProfile.js'; import { IdService } from '@/core/IdService.js'; @@ -38,7 +38,7 @@ export class CreateSystemUserService { // Generate secret const secret = generateNativeUserToken(); - const keyPair = await genRSAAndEd25519KeyPair(); + const keyPair = await genRsaKeyPair(); let account!: MiUser; @@ -64,8 +64,9 @@ export class CreateSystemUserService { }).then(x => transactionalEntityManager.findOneByOrFail(MiUser, x.identifiers[0])); await transactionalEntityManager.insert(MiUserKeypair, { + publicKey: keyPair.publicKey, + privateKey: keyPair.privateKey, userId: account.id, - ...keyPair, }); await transactionalEntityManager.insert(MiUserProfile, { diff --git a/packages/backend/src/core/FetchInstanceMetadataService.ts b/packages/backend/src/core/FetchInstanceMetadataService.ts index dc53c8711..aa16468ec 100644 --- a/packages/backend/src/core/FetchInstanceMetadataService.ts +++ b/packages/backend/src/core/FetchInstanceMetadataService.ts @@ -15,7 +15,6 @@ import { LoggerService } from '@/core/LoggerService.js'; import { HttpRequestService } from '@/core/HttpRequestService.js'; import { bindThis } from '@/decorators.js'; import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; -import { REMOTE_SERVER_CACHE_TTL } from '@/const.js'; import type { DOMWindow } from 'jsdom'; type NodeInfo = { @@ -25,7 +24,6 @@ type NodeInfo = { version?: unknown; }; metadata?: { - httpMessageSignaturesImplementationLevel?: unknown, name?: unknown; nodeName?: unknown; nodeDescription?: unknown; @@ -41,7 +39,6 @@ type NodeInfo = { @Injectable() export class FetchInstanceMetadataService { private logger: Logger; - private httpColon = 'https://'; constructor( private httpRequestService: HttpRequestService, @@ -51,7 +48,6 @@ export class FetchInstanceMetadataService { private redisClient: Redis.Redis, ) { this.logger = this.loggerService.getLogger('metadata', 'cyan'); - this.httpColon = process.env.MISSKEY_USE_HTTP?.toLowerCase() === 'true' ? 'http://' : 'https://'; } @bindThis @@ -63,7 +59,7 @@ export class FetchInstanceMetadataService { return await this.redisClient.set( `fetchInstanceMetadata:mutex:v2:${host}`, '1', 'EX', 30, // 30秒したら自動でロック解除 https://github.com/misskey-dev/misskey/issues/13506#issuecomment-1975375395 - 'GET', // 古い値を返す(なかったらnull) + 'GET' // 古い値を返す(なかったらnull) ); } @@ -77,24 +73,23 @@ export class FetchInstanceMetadataService { public async fetchInstanceMetadata(instance: MiInstance, force = false): Promise { const host = instance.host; - if (!force) { - // キャッシュ有効チェックはロック取得前に行う - const _instance = await this.federatedInstanceService.fetch(host); - const now = Date.now(); - if (_instance && _instance.infoUpdatedAt != null && (now - _instance.infoUpdatedAt.getTime() < REMOTE_SERVER_CACHE_TTL)) { - this.logger.debug(`Skip because updated recently ${_instance.infoUpdatedAt.toJSON()}`); - return; - } - - // finallyでunlockされてしまうのでtry内でロックチェックをしない - // (returnであってもfinallyは実行される) - if (await this.tryLock(host) === '1') { - // 1が返ってきていたら他にロックされているという意味なので、何もしない - return; - } + // finallyでunlockされてしまうのでtry内でロックチェックをしない + // (returnであってもfinallyは実行される) + if (!force && await this.tryLock(host) === '1') { + // 1が返ってきていたらロックされているという意味なので、何もしない + return; } try { + if (!force) { + const _instance = await this.federatedInstanceService.fetch(host); + const now = Date.now(); + if (_instance && _instance.infoUpdatedAt && (now - _instance.infoUpdatedAt.getTime() < 1000 * 60 * 60 * 24)) { + // unlock at the finally caluse + return; + } + } + this.logger.info(`Fetching metadata of ${instance.host} ...`); const [info, dom, manifest] = await Promise.all([ @@ -123,14 +118,6 @@ export class FetchInstanceMetadataService { updates.openRegistrations = info.openRegistrations; updates.maintainerName = info.metadata ? info.metadata.maintainer ? (info.metadata.maintainer.name ?? null) : null : null; updates.maintainerEmail = info.metadata ? info.metadata.maintainer ? (info.metadata.maintainer.email ?? null) : null : null; - if (info.metadata && info.metadata.httpMessageSignaturesImplementationLevel && ( - info.metadata.httpMessageSignaturesImplementationLevel === '01' || - info.metadata.httpMessageSignaturesImplementationLevel === '11' - )) { - updates.httpMessageSignaturesImplementationLevel = info.metadata.httpMessageSignaturesImplementationLevel; - } else { - updates.httpMessageSignaturesImplementationLevel = '00'; - } } if (name) updates.name = name; @@ -142,12 +129,6 @@ export class FetchInstanceMetadataService { await this.federatedInstanceService.update(instance.id, updates); this.logger.succ(`Successfuly updated metadata of ${instance.host}`); - this.logger.debug('Updated metadata:', { - info: !!info, - dom: !!dom, - manifest: !!manifest, - updates, - }); } catch (e) { this.logger.error(`Failed to update metadata of ${instance.host}: ${e}`); } finally { @@ -160,7 +141,7 @@ export class FetchInstanceMetadataService { this.logger.info(`Fetching nodeinfo of ${instance.host} ...`); try { - const wellknown = await this.httpRequestService.getJson(this.httpColon + instance.host + '/.well-known/nodeinfo') + const wellknown = await this.httpRequestService.getJson('https://' + instance.host + '/.well-known/nodeinfo') .catch(err => { if (err.statusCode === 404) { throw new Error('No nodeinfo provided'); @@ -203,7 +184,7 @@ export class FetchInstanceMetadataService { private async fetchDom(instance: MiInstance): Promise { this.logger.info(`Fetching HTML of ${instance.host} ...`); - const url = this.httpColon + instance.host; + const url = 'https://' + instance.host; const html = await this.httpRequestService.getHtml(url); @@ -215,7 +196,7 @@ export class FetchInstanceMetadataService { @bindThis private async fetchManifest(instance: MiInstance): Promise | null> { - const url = this.httpColon + instance.host; + const url = 'https://' + instance.host; const manifestUrl = url + '/manifest.json'; @@ -226,7 +207,7 @@ export class FetchInstanceMetadataService { @bindThis private async fetchFaviconUrl(instance: MiInstance, doc: DOMWindow['document'] | null): Promise { - const url = this.httpColon + instance.host; + const url = 'https://' + instance.host; if (doc) { // https://github.com/misskey-dev/misskey/pull/8220#issuecomment-1025104043 @@ -253,12 +234,12 @@ export class FetchInstanceMetadataService { @bindThis private async fetchIconUrl(instance: MiInstance, doc: DOMWindow['document'] | null, manifest: Record | null): Promise { if (manifest && manifest.icons && manifest.icons.length > 0 && manifest.icons[0].src) { - const url = this.httpColon + instance.host; + const url = 'https://' + instance.host; return (new URL(manifest.icons[0].src, url)).href; } if (doc) { - const url = this.httpColon + instance.host; + const url = 'https://' + instance.host; // https://github.com/misskey-dev/misskey/pull/8220#issuecomment-1025104043 const links = Array.from(doc.getElementsByTagName('link')).reverse(); diff --git a/packages/backend/src/core/GlobalEventService.ts b/packages/backend/src/core/GlobalEventService.ts index 312bcfb3b..87aa70713 100644 --- a/packages/backend/src/core/GlobalEventService.ts +++ b/packages/backend/src/core/GlobalEventService.ts @@ -249,7 +249,6 @@ export interface InternalEventTypes { unmute: { muterId: MiUser['id']; muteeId: MiUser['id']; }; userListMemberAdded: { userListId: MiUserList['id']; memberId: MiUser['id']; }; userListMemberRemoved: { userListId: MiUserList['id']; memberId: MiUser['id']; }; - userKeypairUpdated: { userId: MiUser['id']; }; } type EventTypesToEventPayload = EventUnionFromDictionary>>; diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts index 4249c158d..7f3cac7c5 100644 --- a/packages/backend/src/core/HttpRequestService.ts +++ b/packages/backend/src/core/HttpRequestService.ts @@ -70,7 +70,7 @@ export class HttpRequestService { localAddress: config.outgoingAddress, }); - const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 16); + const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 128); this.httpAgent = config.proxy ? new HttpProxyAgent({ diff --git a/packages/backend/src/core/QueueService.ts b/packages/backend/src/core/QueueService.ts index dd3f2182b..80827a500 100644 --- a/packages/backend/src/core/QueueService.ts +++ b/packages/backend/src/core/QueueService.ts @@ -13,6 +13,7 @@ import type { Config } from '@/config.js'; import { DI } from '@/di-symbols.js'; import { bindThis } from '@/decorators.js'; import type { Antenna } from '@/server/api/endpoints/i/import-antennas.js'; +import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js'; import type { DbJobData, DeliverJobData, @@ -32,7 +33,7 @@ import type { UserWebhookDeliverQueue, SystemWebhookDeliverQueue, } from './QueueModule.js'; -import { genRFC3230DigestHeader, type PrivateKeyWithPem, type ParsedSignature } from '@misskey-dev/node-http-message-signatures'; +import type httpSignature from '@peertube/http-signature'; import type * as Bull from 'bullmq'; @Injectable() @@ -89,21 +90,21 @@ export class QueueService { } @bindThis - public async deliver(user: ThinUser, content: IActivity | null, to: string | null, isSharedInbox: boolean, privateKey?: PrivateKeyWithPem) { + public deliver(user: ThinUser, content: IActivity | null, to: string | null, isSharedInbox: boolean) { if (content == null) return null; if (to == null) return null; const contentBody = JSON.stringify(content); + const digest = ApRequestCreator.createDigest(contentBody); const data: DeliverJobData = { user: { id: user.id, }, content: contentBody, - digest: await genRFC3230DigestHeader(contentBody, 'SHA-256'), + digest, to, isSharedInbox, - privateKey: privateKey && { keyId: privateKey.keyId, privateKeyPem: privateKey.privateKeyPem }, }; return this.deliverQueue.add(to, data, { @@ -121,13 +122,13 @@ export class QueueService { * @param user `{ id: string; }` この関数ではThinUserに変換しないので前もって変換してください * @param content IActivity | null * @param inboxes `Map` / key: to (inbox url), value: isSharedInbox (whether it is sharedInbox) - * @param forceMainKey boolean | undefined, force to use main (rsa) key * @returns void */ @bindThis - public async deliverMany(user: ThinUser, content: IActivity | null, inboxes: Map, privateKey?: PrivateKeyWithPem) { + public async deliverMany(user: ThinUser, content: IActivity | null, inboxes: Map) { if (content == null) return null; const contentBody = JSON.stringify(content); + const digest = ApRequestCreator.createDigest(contentBody); const opts = { attempts: this.config.deliverJobMaxAttempts ?? 12, @@ -143,9 +144,9 @@ export class QueueService { data: { user, content: contentBody, + digest, to: d[0], isSharedInbox: d[1], - privateKey: privateKey && { keyId: privateKey.keyId, privateKeyPem: privateKey.privateKeyPem }, } as DeliverJobData, opts, }))); @@ -154,7 +155,7 @@ export class QueueService { } @bindThis - public inbox(activity: IActivity, signature: ParsedSignature | null) { + public inbox(activity: IActivity, signature: httpSignature.IParsedSignature) { const data = { activity: activity, signature, diff --git a/packages/backend/src/core/RelayService.ts b/packages/backend/src/core/RelayService.ts index ad01f9890..8dd3d64f5 100644 --- a/packages/backend/src/core/RelayService.ts +++ b/packages/backend/src/core/RelayService.ts @@ -16,8 +16,6 @@ import { ApRendererService } from '@/core/activitypub/ApRendererService.js'; import { DI } from '@/di-symbols.js'; import { deepClone } from '@/misc/clone.js'; import { bindThis } from '@/decorators.js'; -import { UserKeypairService } from './UserKeypairService.js'; -import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; const ACTOR_USERNAME = 'relay.actor' as const; @@ -36,7 +34,6 @@ export class RelayService { private queueService: QueueService, private createSystemUserService: CreateSystemUserService, private apRendererService: ApRendererService, - private userKeypairService: UserKeypairService, ) { this.relaysCache = new MemorySingleCache(1000 * 60 * 10); } @@ -114,7 +111,7 @@ export class RelayService { } @bindThis - public async deliverToRelays(user: { id: MiUser['id']; host: null; }, activity: any, privateKey?: PrivateKeyWithPem): Promise { + public async deliverToRelays(user: { id: MiUser['id']; host: null; }, activity: any): Promise { if (activity == null) return; const relays = await this.relaysCache.fetch(() => this.relaysRepository.findBy({ @@ -124,9 +121,11 @@ export class RelayService { const copy = deepClone(activity); if (!copy.to) copy.to = ['https://www.w3.org/ns/activitystreams#Public']; - privateKey = privateKey ?? await this.userKeypairService.getLocalUserPrivateKeyPem(user.id); - const signed = await this.apRendererService.attachLdSignature(copy, privateKey); - this.queueService.deliverMany(user, signed, new Map(relays.map(({ inbox }) => [inbox, false])), privateKey); + const signed = await this.apRendererService.attachLdSignature(copy, user); + + for (const relay of relays) { + this.queueService.deliver(user, signed, relay.inbox, false); + } } } diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts index 54c617006..5522ecd6c 100644 --- a/packages/backend/src/core/SignupService.ts +++ b/packages/backend/src/core/SignupService.ts @@ -3,6 +3,7 @@ * SPDX-License-Identifier: AGPL-3.0-only */ +import { generateKeyPair } from 'node:crypto'; import { Inject, Injectable } from '@nestjs/common'; import bcrypt from 'bcryptjs'; import { DataSource, IsNull } from 'typeorm'; @@ -20,7 +21,6 @@ import { bindThis } from '@/decorators.js'; import UsersChart from '@/core/chart/charts/users.js'; import { UtilityService } from '@/core/UtilityService.js'; import { MetaService } from '@/core/MetaService.js'; -import { genRSAAndEd25519KeyPair } from '@/misc/gen-key-pair.js'; @Injectable() export class SignupService { @@ -93,7 +93,22 @@ export class SignupService { } } - const keyPair = await genRSAAndEd25519KeyPair(); + const keyPair = await new Promise((res, rej) => + generateKeyPair('rsa', { + modulusLength: 2048, + publicKeyEncoding: { + type: 'spki', + format: 'pem', + }, + privateKeyEncoding: { + type: 'pkcs8', + format: 'pem', + cipher: undefined, + passphrase: undefined, + }, + }, (err, publicKey, privateKey) => + err ? rej(err) : res([publicKey, privateKey]), + )); let account!: MiUser; @@ -116,8 +131,9 @@ export class SignupService { })); await transactionalEntityManager.save(new MiUserKeypair({ + publicKey: keyPair[0], + privateKey: keyPair[1], userId: account.id, - ...keyPair, })); await transactionalEntityManager.save(new MiUserProfile({ diff --git a/packages/backend/src/core/UserKeypairService.ts b/packages/backend/src/core/UserKeypairService.ts index aa90f1e20..51ac99179 100644 --- a/packages/backend/src/core/UserKeypairService.ts +++ b/packages/backend/src/core/UserKeypairService.ts @@ -5,184 +5,41 @@ import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; import * as Redis from 'ioredis'; -import { genEd25519KeyPair, importPrivateKey, PrivateKey, PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; import type { MiUser } from '@/models/User.js'; import type { UserKeypairsRepository } from '@/models/_.js'; -import { RedisKVCache, MemoryKVCache } from '@/misc/cache.js'; +import { RedisKVCache } from '@/misc/cache.js'; import type { MiUserKeypair } from '@/models/UserKeypair.js'; import { DI } from '@/di-symbols.js'; import { bindThis } from '@/decorators.js'; -import { GlobalEventService, GlobalEvents } from '@/core/GlobalEventService.js'; -import { UserEntityService } from '@/core/entities/UserEntityService.js'; -import type { webcrypto } from 'node:crypto'; @Injectable() export class UserKeypairService implements OnApplicationShutdown { - private keypairEntityCache: RedisKVCache; - private privateKeyObjectCache: MemoryKVCache; + private cache: RedisKVCache; constructor( @Inject(DI.redis) private redisClient: Redis.Redis, - @Inject(DI.redisForSub) - private redisForSub: Redis.Redis, + @Inject(DI.userKeypairsRepository) private userKeypairsRepository: UserKeypairsRepository, - - private globalEventService: GlobalEventService, - private userEntityService: UserEntityService, ) { - this.keypairEntityCache = new RedisKVCache(this.redisClient, 'userKeypair', { + this.cache = new RedisKVCache(this.redisClient, 'userKeypair', { lifetime: 1000 * 60 * 60 * 24, // 24h memoryCacheLifetime: Infinity, fetcher: (key) => this.userKeypairsRepository.findOneByOrFail({ userId: key }), toRedisConverter: (value) => JSON.stringify(value), fromRedisConverter: (value) => JSON.parse(value), }); - this.privateKeyObjectCache = new MemoryKVCache(1000 * 60 * 60 * 1); - - this.redisForSub.on('message', this.onMessage); } @bindThis public async getUserKeypair(userId: MiUser['id']): Promise { - return await this.keypairEntityCache.fetch(userId); + return await this.cache.fetch(userId); } - /** - * Get private key [Only PrivateKeyWithPem for queue data etc.] - * @param userIdOrHint user id or MiUserKeypair - * @param preferType - * If ed25519-like(`ed25519`, `01`, `11`) is specified, ed25519 keypair will be returned if exists. - * Otherwise, main keypair will be returned. - * @returns - */ - @bindThis - public async getLocalUserPrivateKeyPem( - userIdOrHint: MiUser['id'] | MiUserKeypair, - preferType?: string, - ): Promise { - const keypair = typeof userIdOrHint === 'string' ? await this.getUserKeypair(userIdOrHint) : userIdOrHint; - if ( - preferType && ['01', '11', 'ed25519'].includes(preferType.toLowerCase()) && - keypair.ed25519PublicKey != null && keypair.ed25519PrivateKey != null - ) { - return { - keyId: `${this.userEntityService.genLocalUserUri(keypair.userId)}#ed25519-key`, - privateKeyPem: keypair.ed25519PrivateKey, - }; - } - return { - keyId: `${this.userEntityService.genLocalUserUri(keypair.userId)}#main-key`, - privateKeyPem: keypair.privateKey, - }; - } - - /** - * Get private key [Only PrivateKey for ap request] - * Using cache due to performance reasons of `crypto.subtle.importKey` - * @param userIdOrHint user id, MiUserKeypair, or PrivateKeyWithPem - * @param preferType - * If ed25519-like(`ed25519`, `01`, `11`) is specified, ed25519 keypair will be returned if exists. - * Otherwise, main keypair will be returned. (ignored if userIdOrHint is PrivateKeyWithPem) - * @returns - */ - @bindThis - public async getLocalUserPrivateKey( - userIdOrHint: MiUser['id'] | MiUserKeypair | PrivateKeyWithPem, - preferType?: string, - ): Promise { - if (typeof userIdOrHint === 'object' && 'privateKeyPem' in userIdOrHint) { - // userIdOrHint is PrivateKeyWithPem - return { - keyId: userIdOrHint.keyId, - privateKey: await this.privateKeyObjectCache.fetch(userIdOrHint.keyId, async () => { - return await importPrivateKey(userIdOrHint.privateKeyPem); - }), - }; - } - - const userId = typeof userIdOrHint === 'string' ? userIdOrHint : userIdOrHint.userId; - const getKeypair = () => typeof userIdOrHint === 'string' ? this.getUserKeypair(userId) : userIdOrHint; - - if (preferType && ['01', '11', 'ed25519'].includes(preferType.toLowerCase())) { - const keyId = `${this.userEntityService.genLocalUserUri(userId)}#ed25519-key`; - const fetched = await this.privateKeyObjectCache.fetchMaybe(keyId, async () => { - const keypair = await getKeypair(); - if (keypair.ed25519PublicKey != null && keypair.ed25519PrivateKey != null) { - return await importPrivateKey(keypair.ed25519PrivateKey); - } - return; - }); - if (fetched) { - return { - keyId, - privateKey: fetched, - }; - } - } - - const keyId = `${this.userEntityService.genLocalUserUri(userId)}#main-key`; - return { - keyId, - privateKey: await this.privateKeyObjectCache.fetch(keyId, async () => { - const keypair = await getKeypair(); - return await importPrivateKey(keypair.privateKey); - }), - }; - } - - @bindThis - public async refresh(userId: MiUser['id']): Promise { - return await this.keypairEntityCache.refresh(userId); - } - - /** - * If DB has ed25519 keypair, refresh cache and return it. - * If not, create, save and return ed25519 keypair. - * @param userId user id - * @returns MiUserKeypair if keypair is created, void if keypair is already exists - */ - @bindThis - public async refreshAndPrepareEd25519KeyPair(userId: MiUser['id']): Promise { - await this.refresh(userId); - const keypair = await this.keypairEntityCache.fetch(userId); - if (keypair.ed25519PublicKey != null) { - return; - } - - const ed25519 = await genEd25519KeyPair(); - await this.userKeypairsRepository.update({ userId }, { - ed25519PublicKey: ed25519.publicKey, - ed25519PrivateKey: ed25519.privateKey, - }); - this.globalEventService.publishInternalEvent('userKeypairUpdated', { userId }); - const result = { - ...keypair, - ed25519PublicKey: ed25519.publicKey, - ed25519PrivateKey: ed25519.privateKey, - }; - this.keypairEntityCache.set(userId, result); - return result; - } - - @bindThis - private async onMessage(_: string, data: string): Promise { - const obj = JSON.parse(data); - - if (obj.channel === 'internal') { - const { type, body } = obj.message as GlobalEvents['internal']['payload']; - switch (type) { - case 'userKeypairUpdated': { - this.refresh(body.userId); - break; - } - } - } - } @bindThis public dispose(): void { - this.keypairEntityCache.dispose(); + this.cache.dispose(); } @bindThis diff --git a/packages/backend/src/core/UserSuspendService.ts b/packages/backend/src/core/UserSuspendService.ts index fc5a68c72..d594a223f 100644 --- a/packages/backend/src/core/UserSuspendService.ts +++ b/packages/backend/src/core/UserSuspendService.ts @@ -3,23 +3,27 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Injectable } from '@nestjs/common'; +import { Inject, Injectable } from '@nestjs/common'; +import { Not, IsNull } from 'typeorm'; +import type { FollowingsRepository } from '@/models/_.js'; import type { MiUser } from '@/models/User.js'; +import { QueueService } from '@/core/QueueService.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; +import { DI } from '@/di-symbols.js'; import { ApRendererService } from '@/core/activitypub/ApRendererService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; -import { UserKeypairService } from './UserKeypairService.js'; -import { ApDeliverManagerService } from './activitypub/ApDeliverManagerService.js'; @Injectable() export class UserSuspendService { constructor( + @Inject(DI.followingsRepository) + private followingsRepository: FollowingsRepository, + private userEntityService: UserEntityService, + private queueService: QueueService, private globalEventService: GlobalEventService, private apRendererService: ApRendererService, - private userKeypairService: UserKeypairService, - private apDeliverManagerService: ApDeliverManagerService, ) { } @@ -28,12 +32,28 @@ export class UserSuspendService { this.globalEventService.publishInternalEvent('userChangeSuspendedState', { id: user.id, isSuspended: true }); if (this.userEntityService.isLocalUser(user)) { + // 知り得る全SharedInboxにDelete配信 const content = this.apRendererService.addContext(this.apRendererService.renderDelete(this.userEntityService.genLocalUserUri(user.id), user)); - const manager = this.apDeliverManagerService.createDeliverManager(user, content); - manager.addAllKnowingSharedInboxRecipe(); - // process deliver時にはキーペアが消去されているはずなので、ここで挿入する - const privateKey = await this.userKeypairService.getLocalUserPrivateKeyPem(user.id, 'main'); - manager.execute({ privateKey }); + + const queue: string[] = []; + + const followings = await this.followingsRepository.find({ + where: [ + { followerSharedInbox: Not(IsNull()) }, + { followeeSharedInbox: Not(IsNull()) }, + ], + select: ['followerSharedInbox', 'followeeSharedInbox'], + }); + + const inboxes = followings.map(x => x.followerSharedInbox ?? x.followeeSharedInbox); + + for (const inbox of inboxes) { + if (inbox != null && !queue.includes(inbox)) queue.push(inbox); + } + + for (const inbox of queue) { + this.queueService.deliver(user, content, inbox, true); + } } } @@ -42,12 +62,28 @@ export class UserSuspendService { this.globalEventService.publishInternalEvent('userChangeSuspendedState', { id: user.id, isSuspended: false }); if (this.userEntityService.isLocalUser(user)) { + // 知り得る全SharedInboxにUndo Delete配信 const content = this.apRendererService.addContext(this.apRendererService.renderUndo(this.apRendererService.renderDelete(this.userEntityService.genLocalUserUri(user.id), user), user)); - const manager = this.apDeliverManagerService.createDeliverManager(user, content); - manager.addAllKnowingSharedInboxRecipe(); - // process deliver時にはキーペアが消去されているはずなので、ここで挿入する - const privateKey = await this.userKeypairService.getLocalUserPrivateKeyPem(user.id, 'main'); - manager.execute({ privateKey }); + + const queue: string[] = []; + + const followings = await this.followingsRepository.find({ + where: [ + { followerSharedInbox: Not(IsNull()) }, + { followeeSharedInbox: Not(IsNull()) }, + ], + select: ['followerSharedInbox', 'followeeSharedInbox'], + }); + + const inboxes = followings.map(x => x.followerSharedInbox ?? x.followeeSharedInbox); + + for (const inbox of inboxes) { + if (inbox != null && !queue.includes(inbox)) queue.push(inbox); + } + + for (const inbox of queue) { + this.queueService.deliver(user as any, content, inbox, true); + } } } } diff --git a/packages/backend/src/core/WebfingerService.ts b/packages/backend/src/core/WebfingerService.ts index aa1144778..374536a74 100644 --- a/packages/backend/src/core/WebfingerService.ts +++ b/packages/backend/src/core/WebfingerService.ts @@ -46,7 +46,7 @@ export class WebfingerService { const m = query.match(mRegex); if (m) { const hostname = m[2]; - const useHttp = process.env.MISSKEY_USE_HTTP && process.env.MISSKEY_USE_HTTP.toLowerCase() === 'true'; + const useHttp = process.env.MISSKEY_WEBFINGER_USE_HTTP && process.env.MISSKEY_WEBFINGER_USE_HTTP.toLowerCase() === 'true'; return `http${useHttp ? '' : 's'}://${hostname}/.well-known/webfinger?${urlQuery({ resource: `acct:${query}` })}`; } diff --git a/packages/backend/src/core/activitypub/ApDbResolverService.ts b/packages/backend/src/core/activitypub/ApDbResolverService.ts index 973394683..f6b70ead4 100644 --- a/packages/backend/src/core/activitypub/ApDbResolverService.ts +++ b/packages/backend/src/core/activitypub/ApDbResolverService.ts @@ -5,7 +5,7 @@ import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; import { DI } from '@/di-symbols.js'; -import type { MiUser, NotesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; +import type { NotesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; import type { Config } from '@/config.js'; import { MemoryKVCache } from '@/misc/cache.js'; import type { MiUserPublickey } from '@/models/UserPublickey.js'; @@ -13,12 +13,9 @@ import { CacheService } from '@/core/CacheService.js'; import type { MiNote } from '@/models/Note.js'; import { bindThis } from '@/decorators.js'; import { MiLocalUser, MiRemoteUser } from '@/models/User.js'; -import Logger from '@/logger.js'; import { getApId } from './type.js'; import { ApPersonService } from './models/ApPersonService.js'; -import { ApLoggerService } from './ApLoggerService.js'; import type { IObject } from './type.js'; -import { UtilityService } from '../UtilityService.js'; export type UriParseResult = { /** wether the URI was generated by us */ @@ -38,8 +35,8 @@ export type UriParseResult = { @Injectable() export class ApDbResolverService implements OnApplicationShutdown { - private publicKeyByUserIdCache: MemoryKVCache; - private logger: Logger; + private publicKeyCache: MemoryKVCache; + private publicKeyByUserIdCache: MemoryKVCache; constructor( @Inject(DI.config) @@ -56,17 +53,9 @@ export class ApDbResolverService implements OnApplicationShutdown { private cacheService: CacheService, private apPersonService: ApPersonService, - private apLoggerService: ApLoggerService, - private utilityService: UtilityService, ) { - this.publicKeyByUserIdCache = new MemoryKVCache(Infinity); - this.logger = this.apLoggerService.logger.createSubLogger('db-resolver'); - } - - private punyHost(url: string): string { - const urlObj = new URL(url); - const host = `${this.utilityService.toPuny(urlObj.hostname)}${urlObj.port.length > 0 ? ':' + urlObj.port : ''}`; - return host; + this.publicKeyCache = new MemoryKVCache(Infinity); + this.publicKeyByUserIdCache = new MemoryKVCache(Infinity); } @bindThis @@ -127,141 +116,62 @@ export class ApDbResolverService implements OnApplicationShutdown { } } + /** + * AP KeyId => Misskey User and Key + */ @bindThis - private async refreshAndFindKey(userId: MiUser['id'], keyId: string): Promise { - this.refreshCacheByUserId(userId); - const keys = await this.getPublicKeyByUserId(userId); - if (keys == null || !Array.isArray(keys) || keys.length === 0) { - this.logger.warn(`No key found (refreshAndFindKey) userId=${userId} keyId=${keyId} keys=${JSON.stringify(keys)}`); - return null; - } - const exactKey = keys.find(x => x.keyId === keyId); - if (exactKey) return exactKey; - this.logger.warn(`No exact key found (refreshAndFindKey) userId=${userId} keyId=${keyId} keys=${JSON.stringify(keys)}`); - return null; + public async getAuthUserFromKeyId(keyId: string): Promise<{ + user: MiRemoteUser; + key: MiUserPublickey; + } | null> { + const key = await this.publicKeyCache.fetch(keyId, async () => { + const key = await this.userPublickeysRepository.findOneBy({ + keyId, + }); + + if (key == null) return null; + + return key; + }, key => key != null); + + if (key == null) return null; + + const user = await this.cacheService.findUserById(key.userId).catch(() => null) as MiRemoteUser | null; + if (user == null) return null; + if (user.isDeleted) return null; + + return { + user, + key, + }; } /** * AP Actor id => Misskey User and Key - * @param uri AP Actor id - * @param keyId Key id to find. If not specified, main key will be selected. - * @returns - * 1. `null` if the user and key host do not match - * 2. `{ user: null, key: null }` if the user is not found - * 3. `{ user: MiRemoteUser, key: null }` if key is not found - * 4. `{ user: MiRemoteUser, key: MiUserPublickey }` if both are found */ @bindThis - public async getAuthUserFromApId(uri: string, keyId?: string): Promise<{ + public async getAuthUserFromApId(uri: string): Promise<{ user: MiRemoteUser; key: MiUserPublickey | null; - } | { - user: null; - key: null; - } | - null> { - if (keyId) { - if (this.punyHost(uri) !== this.punyHost(keyId)) { - /** - * keyIdはURL形式かつkeyIdのホストはuriのホストと一致するはず - * (ApPersonService.validateActorに由来) - * - * ただ、Mastodonはリプライ関連で他人のトゥートをHTTP Signature署名して送ってくることがある - * そのような署名は有効性に疑問があるので無視することにする - * ここではuriとkeyIdのホストが一致しない場合は無視する - * ハッシュをなくしたkeyIdとuriの同一性を比べてみてもいいが、`uri#*-key`というkeyIdを設定するのが - * 決まりごとというわけでもないため幅を持たせることにする - * - * - * The keyId should be in URL format and its host should match the host of the uri - * (derived from ApPersonService.validateActor) - * - * However, Mastodon sometimes sends toots from other users with HTTP Signature signing for reply-related purposes - * Such signatures are of questionable validity, so we choose to ignore them - * Here, we ignore cases where the hosts of uri and keyId do not match - * We could also compare the equality of keyId without the hash and uri, but since setting a keyId like `uri#*-key` - * is not a strict rule, we decide to allow for some flexibility - */ - this.logger.warn(`actor uri and keyId are not matched uri=${uri} keyId=${keyId}`); - return null; - } - } + } | null> { + const user = await this.apPersonService.resolvePerson(uri) as MiRemoteUser; + if (user.isDeleted) return null; - const user = await this.apPersonService.resolvePerson(uri, undefined, true) as MiRemoteUser; - if (user.isDeleted) return { user: null, key: null }; - - const keys = await this.getPublicKeyByUserId(user.id); - - if (keys == null || !Array.isArray(keys) || keys.length === 0) { - this.logger.warn(`No key found uri=${uri} userId=${user.id} keys=${JSON.stringify(keys)}`); - return { user, key: null }; - } - - if (!keyId) { - // Choose the main-like - const mainKey = keys.find(x => { - try { - const url = new URL(x.keyId); - const path = url.pathname.split('/').pop()?.toLowerCase(); - if (url.hash) { - if (url.hash.toLowerCase().includes('main')) { - return true; - } - } else if (path?.includes('main') || path === 'publickey') { - return true; - } - } catch { /* noop */ } - - return false; - }); - return { user, key: mainKey ?? keys[0] }; - } - - const exactKey = keys.find(x => x.keyId === keyId); - if (exactKey) return { user, key: exactKey }; - - /** - * keyIdで見つからない場合、まずはキャッシュを更新して再取得 - * If not found with keyId, update cache and reacquire - */ - const cacheRaw = this.publicKeyByUserIdCache.cache.get(user.id); - if (cacheRaw && cacheRaw.date > Date.now() - 1000 * 60 * 12) { - const exactKey = await this.refreshAndFindKey(user.id, keyId); - if (exactKey) return { user, key: exactKey }; - } - - /** - * lastFetchedAtでの更新制限を弱めて再取得 - * Reacquisition with weakened update limit at lastFetchedAt - */ - if (user.lastFetchedAt == null || user.lastFetchedAt < new Date(Date.now() - 1000 * 60 * 12)) { - this.logger.info(`Fetching user to find public key uri=${uri} userId=${user.id} keyId=${keyId}`); - const renewed = await this.apPersonService.fetchPersonWithRenewal(uri, 0); - if (renewed == null || renewed.isDeleted) return null; - - return { user, key: await this.refreshAndFindKey(user.id, keyId) }; - } - - this.logger.warn(`No key found uri=${uri} userId=${user.id} keyId=${keyId}`); - return { user, key: null }; - } - - @bindThis - public async getPublicKeyByUserId(userId: MiUser['id']): Promise { - return await this.publicKeyByUserIdCache.fetch( - userId, - () => this.userPublickeysRepository.find({ where: { userId } }), + const key = await this.publicKeyByUserIdCache.fetch( + user.id, + () => this.userPublickeysRepository.findOneBy({ userId: user.id }), v => v != null, ); - } - @bindThis - public refreshCacheByUserId(userId: MiUser['id']): void { - this.publicKeyByUserIdCache.delete(userId); + return { + user, + key, + }; } @bindThis public dispose(): void { + this.publicKeyCache.dispose(); this.publicKeyByUserIdCache.dispose(); } diff --git a/packages/backend/src/core/activitypub/ApDeliverManagerService.ts b/packages/backend/src/core/activitypub/ApDeliverManagerService.ts index db3302e6f..5d07cd8e8 100644 --- a/packages/backend/src/core/activitypub/ApDeliverManagerService.ts +++ b/packages/backend/src/core/activitypub/ApDeliverManagerService.ts @@ -9,14 +9,10 @@ import { DI } from '@/di-symbols.js'; import type { FollowingsRepository } from '@/models/_.js'; import type { MiLocalUser, MiRemoteUser, MiUser } from '@/models/User.js'; import { QueueService } from '@/core/QueueService.js'; +import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { bindThis } from '@/decorators.js'; import type { IActivity } from '@/core/activitypub/type.js'; import { ThinUser } from '@/queue/types.js'; -import { AccountUpdateService } from '@/core/AccountUpdateService.js'; -import type Logger from '@/logger.js'; -import { UserKeypairService } from '../UserKeypairService.js'; -import { ApLoggerService } from './ApLoggerService.js'; -import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; interface IRecipe { type: string; @@ -31,19 +27,12 @@ interface IDirectRecipe extends IRecipe { to: MiRemoteUser; } -interface IAllKnowingSharedInboxRecipe extends IRecipe { - type: 'AllKnowingSharedInbox'; -} - const isFollowers = (recipe: IRecipe): recipe is IFollowersRecipe => recipe.type === 'Followers'; const isDirect = (recipe: IRecipe): recipe is IDirectRecipe => recipe.type === 'Direct'; -const isAllKnowingSharedInbox = (recipe: IRecipe): recipe is IAllKnowingSharedInboxRecipe => - recipe.type === 'AllKnowingSharedInbox'; - class DeliverManager { private actor: ThinUser; private activity: IActivity | null; @@ -51,18 +40,16 @@ class DeliverManager { /** * Constructor - * @param userKeypairService + * @param userEntityService * @param followingsRepository * @param queueService * @param actor Actor * @param activity Activity to deliver */ constructor( - private userKeypairService: UserKeypairService, + private userEntityService: UserEntityService, private followingsRepository: FollowingsRepository, private queueService: QueueService, - private accountUpdateService: AccountUpdateService, - private logger: Logger, actor: { id: MiUser['id']; host: null; }, activity: IActivity | null, @@ -104,18 +91,6 @@ class DeliverManager { this.addRecipe(recipe); } - /** - * Add recipe for all-knowing shared inbox deliver - */ - @bindThis - public addAllKnowingSharedInboxRecipe(): void { - const deliver: IAllKnowingSharedInboxRecipe = { - type: 'AllKnowingSharedInbox', - }; - - this.addRecipe(deliver); - } - /** * Add recipe * @param recipe Recipe @@ -129,44 +104,11 @@ class DeliverManager { * Execute delivers */ @bindThis - public async execute(opts?: { privateKey?: PrivateKeyWithPem }): Promise { - //#region MIGRATION - if (!opts?.privateKey) { - /** - * ed25519の署名がなければ追加する - */ - const created = await this.userKeypairService.refreshAndPrepareEd25519KeyPair(this.actor.id); - if (created) { - // createdが存在するということは新規作成されたということなので、フォロワーに配信する - this.logger.info(`ed25519 key pair created for user ${this.actor.id} and publishing to followers`); - // リモートに配信 - const keyPair = await this.userKeypairService.getLocalUserPrivateKeyPem(created, 'main'); - await this.accountUpdateService.publishToFollowers(this.actor.id, keyPair); - } - } - //#endregion - - //#region collect inboxes by recipes + public async execute(): Promise { // The value flags whether it is shared or not. // key: inbox URL, value: whether it is sharedInbox const inboxes = new Map(); - if (this.recipes.some(r => isAllKnowingSharedInbox(r))) { - // all-knowing shared inbox - const followings = await this.followingsRepository.find({ - where: [ - { followerSharedInbox: Not(IsNull()) }, - { followeeSharedInbox: Not(IsNull()) }, - ], - select: ['followerSharedInbox', 'followeeSharedInbox'], - }); - - for (const following of followings) { - if (following.followeeSharedInbox) inboxes.set(following.followeeSharedInbox, true); - if (following.followerSharedInbox) inboxes.set(following.followerSharedInbox, true); - } - } - // build inbox list // Process follower recipes first to avoid duplication when processing direct recipes later. if (this.recipes.some(r => isFollowers(r))) { @@ -200,49 +142,39 @@ class DeliverManager { inboxes.set(recipe.to.inbox, false); } - //#endregion // deliver - await this.queueService.deliverMany(this.actor, this.activity, inboxes, opts?.privateKey); - this.logger.info(`Deliver queues dispatched: inboxes=${inboxes.size} actorId=${this.actor.id} activityId=${this.activity?.id}`); + await this.queueService.deliverMany(this.actor, this.activity, inboxes); } } @Injectable() export class ApDeliverManagerService { - private logger: Logger; - constructor( @Inject(DI.followingsRepository) private followingsRepository: FollowingsRepository, - private userKeypairService: UserKeypairService, + private userEntityService: UserEntityService, private queueService: QueueService, - private accountUpdateService: AccountUpdateService, - private apLoggerService: ApLoggerService, ) { - this.logger = this.apLoggerService.logger.createSubLogger('deliver-manager'); } /** * Deliver activity to followers * @param actor * @param activity Activity - * @param forceMainKey Force to use main (rsa) key */ @bindThis - public async deliverToFollowers(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity, privateKey?: PrivateKeyWithPem): Promise { + public async deliverToFollowers(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity): Promise { const manager = new DeliverManager( - this.userKeypairService, + this.userEntityService, this.followingsRepository, this.queueService, - this.accountUpdateService, - this.logger, actor, activity, ); manager.addFollowersRecipe(); - await manager.execute({ privateKey }); + await manager.execute(); } /** @@ -254,11 +186,9 @@ export class ApDeliverManagerService { @bindThis public async deliverToUser(actor: { id: MiLocalUser['id']; host: null; }, activity: IActivity, to: MiRemoteUser): Promise { const manager = new DeliverManager( - this.userKeypairService, + this.userEntityService, this.followingsRepository, this.queueService, - this.accountUpdateService, - this.logger, actor, activity, ); @@ -269,11 +199,10 @@ export class ApDeliverManagerService { @bindThis public createDeliverManager(actor: { id: MiUser['id']; host: null; }, activity: IActivity | null): DeliverManager { return new DeliverManager( - this.userKeypairService, + this.userEntityService, this.followingsRepository, this.queueService, - this.accountUpdateService, - this.logger, + actor, activity, ); diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts index 1bef9fe07..e2164fec1 100644 --- a/packages/backend/src/core/activitypub/ApInboxService.ts +++ b/packages/backend/src/core/activitypub/ApInboxService.ts @@ -114,8 +114,15 @@ export class ApInboxService { result = await this.performOneActivity(actor, activity); } - // ついでにリモートユーザーの情報が古かったら更新しておく? - // → No, この関数が呼び出される前に署名検証で更新されているはず + // ついでにリモートユーザーの情報が古かったら更新しておく + if (actor.uri) { + if (actor.lastFetchedAt == null || Date.now() - actor.lastFetchedAt.getTime() > 1000 * 60 * 60 * 24) { + setImmediate(() => { + this.apPersonService.updatePerson(actor.uri); + }); + } + } + return result; } @bindThis diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts index 5d7419f93..98e944f34 100644 --- a/packages/backend/src/core/activitypub/ApRendererService.ts +++ b/packages/backend/src/core/activitypub/ApRendererService.ts @@ -22,6 +22,7 @@ import { UserKeypairService } from '@/core/UserKeypairService.js'; import { MfmService } from '@/core/MfmService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.js'; +import type { MiUserKeypair } from '@/models/UserKeypair.js'; import type { UsersRepository, UserProfilesRepository, NotesRepository, DriveFilesRepository, PollsRepository } from '@/models/_.js'; import { bindThis } from '@/decorators.js'; import { CustomEmojiService } from '@/core/CustomEmojiService.js'; @@ -30,7 +31,6 @@ import { JsonLdService } from './JsonLdService.js'; import { ApMfmService } from './ApMfmService.js'; import { CONTEXT } from './misc/contexts.js'; import type { IAccept, IActivity, IAdd, IAnnounce, IApDocument, IApEmoji, IApHashtag, IApImage, IApMention, IBlock, ICreate, IDelete, IFlag, IFollow, IKey, ILike, IMove, IObject, IPost, IQuestion, IReject, IRemove, ITombstone, IUndo, IUpdate } from './type.js'; -import type { PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; @Injectable() export class ApRendererService { @@ -251,15 +251,15 @@ export class ApRendererService { } @bindThis - public renderKey(user: MiLocalUser, publicKey: string, postfix?: string): IKey { + public renderKey(user: MiLocalUser, key: MiUserKeypair, postfix?: string): IKey { return { - id: `${this.userEntityService.genLocalUserUri(user.id)}${postfix ?? '/publickey'}`, + id: `${this.config.url}/users/${user.id}${postfix ?? '/publickey'}`, type: 'Key', owner: this.userEntityService.genLocalUserUri(user.id), - publicKeyPem: createPublicKey(publicKey).export({ + publicKeyPem: createPublicKey(key.publicKey).export({ type: 'spki', format: 'pem', - }) as string, + }), }; } @@ -499,10 +499,7 @@ export class ApRendererService { tag, manuallyApprovesFollowers: user.isLocked, discoverable: user.isExplorable, - publicKey: this.renderKey(user, keypair.publicKey, '#main-key'), - additionalPublicKeys: [ - ...(keypair.ed25519PublicKey ? [this.renderKey(user, keypair.ed25519PublicKey, '#ed25519-key')] : []), - ], + publicKey: this.renderKey(user, keypair, '#main-key'), isCat: user.isCat, attachment: attachment.length ? attachment : undefined, }; @@ -625,10 +622,12 @@ export class ApRendererService { } @bindThis - public async attachLdSignature(activity: any, key: PrivateKeyWithPem): Promise { + public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise { + const keypair = await this.userKeypairService.getUserKeypair(user.id); + const jsonLd = this.jsonLdService.use(); jsonLd.debug = false; - activity = await jsonLd.signRsaSignature2017(activity, key.privateKeyPem, key.keyId); + activity = await jsonLd.signRsaSignature2017(activity, keypair.privateKey, `${this.config.url}/users/${user.id}#main-key`); return activity; } diff --git a/packages/backend/src/core/activitypub/ApRequestService.ts b/packages/backend/src/core/activitypub/ApRequestService.ts index 0cae91316..93ac8ce9a 100644 --- a/packages/backend/src/core/activitypub/ApRequestService.ts +++ b/packages/backend/src/core/activitypub/ApRequestService.ts @@ -3,9 +3,9 @@ * SPDX-License-Identifier: AGPL-3.0-only */ +import * as crypto from 'node:crypto'; import { URL } from 'node:url'; import { Inject, Injectable } from '@nestjs/common'; -import { genRFC3230DigestHeader, signAsDraftToRequest } from '@misskey-dev/node-http-message-signatures'; import { DI } from '@/di-symbols.js'; import type { Config } from '@/config.js'; import type { MiUser } from '@/models/User.js'; @@ -15,61 +15,122 @@ import { LoggerService } from '@/core/LoggerService.js'; import { bindThis } from '@/decorators.js'; import type Logger from '@/logger.js'; import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js'; -import type { PrivateKeyWithPem, PrivateKey } from '@misskey-dev/node-http-message-signatures'; -export async function createSignedPost(args: { level: string; key: PrivateKey; url: string; body: string; digest?: string, additionalHeaders: Record }) { - const u = new URL(args.url); - const request = { - url: u.href, - method: 'POST', - headers: { - 'Date': new Date().toUTCString(), - 'Host': u.host, - 'Content-Type': 'application/activity+json', - ...args.additionalHeaders, - } as Record, - }; +type Request = { + url: string; + method: string; + headers: Record; +}; - // TODO: httpMessageSignaturesImplementationLevelによって新規格で通信をするようにする - const digestHeader = args.digest ?? await genRFC3230DigestHeader(args.body, 'SHA-256'); - request.headers['Digest'] = digestHeader; +type Signed = { + request: Request; + signingString: string; + signature: string; + signatureHeader: string; +}; - const result = await signAsDraftToRequest( - request, - args.key, - ['(request-target)', 'date', 'host', 'digest'], - ); +type PrivateKey = { + privateKeyPem: string; + keyId: string; +}; - return { - request, - ...result, - }; -} +export class ApRequestCreator { + static createSignedPost(args: { key: PrivateKey, url: string, body: string, digest?: string, additionalHeaders: Record }): Signed { + const u = new URL(args.url); + const digestHeader = args.digest ?? this.createDigest(args.body); -export async function createSignedGet(args: { level: string; key: PrivateKey; url: string; additionalHeaders: Record }) { - const u = new URL(args.url); - const request = { - url: u.href, - method: 'GET', - headers: { - 'Accept': 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"', - 'Date': new Date().toUTCString(), - 'Host': new URL(args.url).host, - ...args.additionalHeaders, - } as Record, - }; + const request: Request = { + url: u.href, + method: 'POST', + headers: this.#objectAssignWithLcKey({ + 'Date': new Date().toUTCString(), + 'Host': u.host, + 'Content-Type': 'application/activity+json', + 'Digest': digestHeader, + }, args.additionalHeaders), + }; - // TODO: httpMessageSignaturesImplementationLevelによって新規格で通信をするようにする - const result = await signAsDraftToRequest( - request, - args.key, - ['(request-target)', 'date', 'host', 'accept'], - ); + const result = this.#signToRequest(request, args.key, ['(request-target)', 'date', 'host', 'digest']); - return { - request, - ...result, - }; + return { + request, + signingString: result.signingString, + signature: result.signature, + signatureHeader: result.signatureHeader, + }; + } + + static createDigest(body: string) { + return `SHA-256=${crypto.createHash('sha256').update(body).digest('base64')}`; + } + + static createSignedGet(args: { key: PrivateKey, url: string, additionalHeaders: Record }): Signed { + const u = new URL(args.url); + + const request: Request = { + url: u.href, + method: 'GET', + headers: this.#objectAssignWithLcKey({ + 'Accept': 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"', + 'Date': new Date().toUTCString(), + 'Host': new URL(args.url).host, + }, args.additionalHeaders), + }; + + const result = this.#signToRequest(request, args.key, ['(request-target)', 'date', 'host', 'accept']); + + return { + request, + signingString: result.signingString, + signature: result.signature, + signatureHeader: result.signatureHeader, + }; + } + + static #signToRequest(request: Request, key: PrivateKey, includeHeaders: string[]): Signed { + const signingString = this.#genSigningString(request, includeHeaders); + const signature = crypto.sign('sha256', Buffer.from(signingString), key.privateKeyPem).toString('base64'); + const signatureHeader = `keyId="${key.keyId}",algorithm="rsa-sha256",headers="${includeHeaders.join(' ')}",signature="${signature}"`; + + request.headers = this.#objectAssignWithLcKey(request.headers, { + Signature: signatureHeader, + }); + // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! + delete request.headers['host']; + + return { + request, + signingString, + signature, + signatureHeader, + }; + } + + static #genSigningString(request: Request, includeHeaders: string[]): string { + request.headers = this.#lcObjectKey(request.headers); + + const results: string[] = []; + + for (const key of includeHeaders.map(x => x.toLowerCase())) { + if (key === '(request-target)') { + results.push(`(request-target): ${request.method.toLowerCase()} ${new URL(request.url).pathname}`); + } else { + results.push(`${key}: ${request.headers[key]}`); + } + } + + return results.join('\n'); + } + + static #lcObjectKey(src: Record): Record { + const dst: Record = {}; + for (const key of Object.keys(src).filter(x => x !== '__proto__' && typeof src[x] === 'string')) dst[key.toLowerCase()] = src[key]; + return dst; + } + + static #objectAssignWithLcKey(a: Record, b: Record): Record { + return Object.assign(this.#lcObjectKey(a), this.#lcObjectKey(b)); + } } @Injectable() @@ -89,28 +150,21 @@ export class ApRequestService { } @bindThis - public async signedPost(user: { id: MiUser['id'] }, url: string, object: unknown, level: string, digest?: string, key?: PrivateKeyWithPem): Promise { + public async signedPost(user: { id: MiUser['id'] }, url: string, object: unknown, digest?: string): Promise { const body = typeof object === 'string' ? object : JSON.stringify(object); - const keyFetched = await this.userKeypairService.getLocalUserPrivateKey(key ?? user.id, level); - const req = await createSignedPost({ - level, - key: keyFetched, + + const keypair = await this.userKeypairService.getUserKeypair(user.id); + + const req = ApRequestCreator.createSignedPost({ + key: { + privateKeyPem: keypair.privateKey, + keyId: `${this.config.url}/users/${user.id}#main-key`, + }, url, body, - additionalHeaders: { - 'User-Agent': this.config.userAgent, - }, digest, - }); - - // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! - delete req.request.headers['Host']; - - this.logger.debug('create signed post', { - version: 'draft', - level, - url, - keyId: keyFetched.keyId, + additionalHeaders: { + }, }); await this.httpRequestService.send(url, { @@ -126,27 +180,19 @@ export class ApRequestService { * @param url URL to fetch */ @bindThis - public async signedGet(url: string, user: { id: MiUser['id'] }, level: string): Promise { - const key = await this.userKeypairService.getLocalUserPrivateKey(user.id, level); - const req = await createSignedGet({ - level, - key, + public async signedGet(url: string, user: { id: MiUser['id'] }): Promise { + const keypair = await this.userKeypairService.getUserKeypair(user.id); + + const req = ApRequestCreator.createSignedGet({ + key: { + privateKeyPem: keypair.privateKey, + keyId: `${this.config.url}/users/${user.id}#main-key`, + }, url, additionalHeaders: { - 'User-Agent': this.config.userAgent, }, }); - // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects! - delete req.request.headers['Host']; - - this.logger.debug('create signed get', { - version: 'draft', - level, - url, - keyId: key.keyId, - }); - const res = await this.httpRequestService.send(url, { method: req.request.method, headers: req.request.headers, diff --git a/packages/backend/src/core/activitypub/ApResolverService.ts b/packages/backend/src/core/activitypub/ApResolverService.ts index 727ff6f95..bb3c40f09 100644 --- a/packages/backend/src/core/activitypub/ApResolverService.ts +++ b/packages/backend/src/core/activitypub/ApResolverService.ts @@ -16,7 +16,6 @@ import { UtilityService } from '@/core/UtilityService.js'; import { bindThis } from '@/decorators.js'; import { LoggerService } from '@/core/LoggerService.js'; import type Logger from '@/logger.js'; -import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import { isCollectionOrOrderedCollection } from './type.js'; import { ApDbResolverService } from './ApDbResolverService.js'; import { ApRendererService } from './ApRendererService.js'; @@ -42,7 +41,6 @@ export class Resolver { private httpRequestService: HttpRequestService, private apRendererService: ApRendererService, private apDbResolverService: ApDbResolverService, - private federatedInstanceService: FederatedInstanceService, private loggerService: LoggerService, private recursionLimit = 100, ) { @@ -105,10 +103,8 @@ export class Resolver { this.user = await this.instanceActorService.getInstanceActor(); } - const server = await this.federatedInstanceService.fetch(host); - const object = (this.user - ? await this.apRequestService.signedGet(value, this.user, server.httpMessageSignaturesImplementationLevel) as IObject + ? await this.apRequestService.signedGet(value, this.user) as IObject : await this.httpRequestService.getActivityJson(value)) as IObject; if ( @@ -204,7 +200,6 @@ export class ApResolverService { private httpRequestService: HttpRequestService, private apRendererService: ApRendererService, private apDbResolverService: ApDbResolverService, - private federatedInstanceService: FederatedInstanceService, private loggerService: LoggerService, ) { } @@ -225,7 +220,6 @@ export class ApResolverService { this.httpRequestService, this.apRendererService, this.apDbResolverService, - this.federatedInstanceService, this.loggerService, ); } diff --git a/packages/backend/src/core/activitypub/misc/contexts.ts b/packages/backend/src/core/activitypub/misc/contexts.ts index fc4e3e3be..feb8c42c5 100644 --- a/packages/backend/src/core/activitypub/misc/contexts.ts +++ b/packages/backend/src/core/activitypub/misc/contexts.ts @@ -134,7 +134,6 @@ const security_v1 = { 'privateKey': { '@id': 'sec:privateKey', '@type': '@id' }, 'privateKeyPem': 'sec:privateKeyPem', 'publicKey': { '@id': 'sec:publicKey', '@type': '@id' }, - 'additionalPublicKeys': { '@id': 'sec:publicKey', '@type': '@id' }, 'publicKeyBase58': 'sec:publicKeyBase58', 'publicKeyPem': 'sec:publicKeyPem', 'publicKeyWif': 'sec:publicKeyWif', diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts index c41fc713d..457205e02 100644 --- a/packages/backend/src/core/activitypub/models/ApPersonService.ts +++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts @@ -3,10 +3,9 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { verify } from 'crypto'; import { Inject, Injectable } from '@nestjs/common'; import promiseLimit from 'promise-limit'; -import { DataSource, In, Not } from 'typeorm'; +import { DataSource } from 'typeorm'; import { ModuleRef } from '@nestjs/core'; import { DI } from '@/di-symbols.js'; import type { FollowingsRepository, InstancesRepository, UserProfilesRepository, UserPublickeysRepository, UsersRepository } from '@/models/_.js'; @@ -40,7 +39,6 @@ import { MetaService } from '@/core/MetaService.js'; import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.js'; import type { AccountMoveService } from '@/core/AccountMoveService.js'; import { checkHttps } from '@/misc/check-https.js'; -import { REMOTE_USER_CACHE_TTL, REMOTE_USER_MOVE_COOLDOWN } from '@/const.js'; import { getApId, getApType, getOneApHrefNullable, isActor, isCollection, isCollectionOrOrderedCollection, isPropertyValue } from '../type.js'; import { extractApHashtags } from './tag.js'; import type { OnModuleInit } from '@nestjs/common'; @@ -50,7 +48,7 @@ import type { ApResolverService, Resolver } from '../ApResolverService.js'; import type { ApLoggerService } from '../ApLoggerService.js'; // eslint-disable-next-line @typescript-eslint/consistent-type-imports import type { ApImageService } from './ApImageService.js'; -import type { IActor, IKey, IObject } from '../type.js'; +import type { IActor, IObject } from '../type.js'; const nameLength = 128; const summaryLength = 2048; @@ -187,38 +185,13 @@ export class ApPersonService implements OnModuleInit { } if (x.publicKey) { - const publicKeys = Array.isArray(x.publicKey) ? x.publicKey : [x.publicKey]; - - for (const publicKey of publicKeys) { - if (typeof publicKey.id !== 'string') { - throw new Error('invalid Actor: publicKey.id is not a string'); - } - - const publicKeyIdHost = this.punyHost(publicKey.id); - if (publicKeyIdHost !== expectHost) { - throw new Error('invalid Actor: publicKey.id has different host'); - } - } - } - - if (x.additionalPublicKeys) { - if (!x.publicKey) { - throw new Error('invalid Actor: additionalPublicKeys is set but publicKey is not'); + if (typeof x.publicKey.id !== 'string') { + throw new Error('invalid Actor: publicKey.id is not a string'); } - if (!Array.isArray(x.additionalPublicKeys)) { - throw new Error('invalid Actor: additionalPublicKeys is not an array'); - } - - for (const key of x.additionalPublicKeys) { - if (typeof key.id !== 'string') { - throw new Error('invalid Actor: additionalPublicKeys.id is not a string'); - } - - const keyIdHost = this.punyHost(key.id); - if (keyIdHost !== expectHost) { - throw new Error('invalid Actor: additionalPublicKeys.id has different host'); - } + const publicKeyIdHost = this.punyHost(x.publicKey.id); + if (publicKeyIdHost !== expectHost) { + throw new Error('invalid Actor: publicKey.id has different host'); } } @@ -255,33 +228,6 @@ export class ApPersonService implements OnModuleInit { return null; } - /** - * uriからUser(Person)をフェッチします。 - * - * Misskeyに対象のPersonが登録されていればそれを返し、登録がなければnullを返します。 - * また、TTLが0でない場合、TTLを過ぎていた場合はupdatePersonを実行します。 - */ - @bindThis - async fetchPersonWithRenewal(uri: string, TTL = REMOTE_USER_CACHE_TTL): Promise { - const exist = await this.fetchPerson(uri); - if (exist == null) return null; - - if (this.userEntityService.isRemoteUser(exist)) { - if (TTL === 0 || exist.lastFetchedAt == null || Date.now() - exist.lastFetchedAt.getTime() > TTL) { - this.logger.debug('fetchPersonWithRenewal: renew', { uri, TTL, lastFetchedAt: exist.lastFetchedAt }); - try { - await this.updatePerson(exist.uri); - return await this.fetchPerson(uri); - } catch (err) { - this.logger.error('error occurred while renewing user', { err }); - } - } - this.logger.debug('fetchPersonWithRenewal: use cache', { uri, TTL, lastFetchedAt: exist.lastFetchedAt }); - } - - return exist; - } - private async resolveAvatarAndBanner(user: MiRemoteUser, icon: any, image: any): Promise>> { if (user == null) throw new Error('failed to create user: user is null'); @@ -417,15 +363,11 @@ export class ApPersonService implements OnModuleInit { })); if (person.publicKey) { - const publicKeys = new Map(); - (person.additionalPublicKeys ?? []).forEach(key => publicKeys.set(key.id, key)); - (Array.isArray(person.publicKey) ? person.publicKey : [person.publicKey]).forEach(key => publicKeys.set(key.id, key)); - - await transactionalEntityManager.save(Array.from(publicKeys.values(), key => new MiUserPublickey({ - keyId: key.id, - userId: user!.id, - keyPem: key.publicKeyPem, - }))); + await transactionalEntityManager.save(new MiUserPublickey({ + userId: user.id, + keyId: person.publicKey.id, + keyPem: person.publicKey.publicKeyPem, + })); } }); } catch (e) { @@ -571,29 +513,11 @@ export class ApPersonService implements OnModuleInit { // Update user await this.usersRepository.update(exist.id, updates); - try { - // Deleteアクティビティ受信時にもここが走ってsaveがuserforeign key制約エラーを吐くことがある - // とりあえずtry-catchで囲っておく - const publicKeys = new Map(); - if (person.publicKey) { - (person.additionalPublicKeys ?? []).forEach(key => publicKeys.set(key.id, key)); - (Array.isArray(person.publicKey) ? person.publicKey : [person.publicKey]).forEach(key => publicKeys.set(key.id, key)); - - await this.userPublickeysRepository.save(Array.from(publicKeys.values(), key => ({ - keyId: key.id, - userId: exist.id, - keyPem: key.publicKeyPem, - }))); - } - - this.userPublickeysRepository.delete({ - keyId: Not(In(Array.from(publicKeys.keys()))), - userId: exist.id, - }).catch(err => { - this.logger.error('something happened while deleting remote user public keys:', { userId: exist.id, err }); + if (person.publicKey) { + await this.userPublickeysRepository.update({ userId: exist.id }, { + keyId: person.publicKey.id, + keyPem: person.publicKey.publicKeyPem, }); - } catch (err) { - this.logger.error('something happened while updating remote user public keys:', { userId: exist.id, err }); } let _description: string | null = null; @@ -635,7 +559,7 @@ export class ApPersonService implements OnModuleInit { exist.movedAt == null || // 以前のmovingから14日以上経過した場合のみ移行処理を許可 // (Mastodonのクールダウン期間は30日だが若干緩めに設定しておく) - exist.movedAt.getTime() + REMOTE_USER_MOVE_COOLDOWN < updated.movedAt.getTime() + exist.movedAt.getTime() + 1000 * 60 * 60 * 24 * 14 < updated.movedAt.getTime() )) { this.logger.info(`Start to process Move of @${updated.username}@${updated.host} (${uri})`); return this.processRemoteMove(updated, movePreventUris) @@ -658,9 +582,9 @@ export class ApPersonService implements OnModuleInit { * リモートサーバーからフェッチしてMisskeyに登録しそれを返します。 */ @bindThis - public async resolvePerson(uri: string, resolver?: Resolver, withRenewal = false): Promise { + public async resolvePerson(uri: string, resolver?: Resolver): Promise { //#region このサーバーに既に登録されていたらそれを返す - const exist = withRenewal ? await this.fetchPersonWithRenewal(uri) : await this.fetchPerson(uri); + const exist = await this.fetchPerson(uri); if (exist) return exist; //#endregion diff --git a/packages/backend/src/core/activitypub/type.ts b/packages/backend/src/core/activitypub/type.ts index 1d5597166..5b6c6c8ca 100644 --- a/packages/backend/src/core/activitypub/type.ts +++ b/packages/backend/src/core/activitypub/type.ts @@ -55,7 +55,7 @@ export function getOneApId(value: ApObject): string { export function getApId(value: string | IObject): string { if (typeof value === 'string') return value; if (typeof value.id === 'string') return value.id; - throw new Error('cannot determine id'); + throw new Error('cannot detemine id'); } /** @@ -169,8 +169,10 @@ export interface IActor extends IObject { discoverable?: boolean; inbox: string; sharedInbox?: string; // 後方互換性のため - publicKey?: IKey | IKey[]; - additionalPublicKeys?: IKey[]; + publicKey?: { + id: string; + publicKeyPem: string; + }; followers?: string | ICollection | IOrderedCollection; following?: string | ICollection | IOrderedCollection; featured?: string | IOrderedCollection; @@ -234,9 +236,8 @@ export const isEmoji = (object: IObject): object is IApEmoji => export interface IKey extends IObject { type: 'Key'; - id: string; owner: string; - publicKeyPem: string; + publicKeyPem: string | Buffer; } export interface IApDocument extends IObject { diff --git a/packages/backend/src/core/entities/InstanceEntityService.ts b/packages/backend/src/core/entities/InstanceEntityService.ts index fd0f55c6a..9117b1391 100644 --- a/packages/backend/src/core/entities/InstanceEntityService.ts +++ b/packages/backend/src/core/entities/InstanceEntityService.ts @@ -56,7 +56,6 @@ export class InstanceEntityService { infoUpdatedAt: instance.infoUpdatedAt ? instance.infoUpdatedAt.toISOString() : null, latestRequestReceivedAt: instance.latestRequestReceivedAt ? instance.latestRequestReceivedAt.toISOString() : null, moderationNote: iAmModerator ? instance.moderationNote : null, - httpMessageSignaturesImplementationLevel: instance.httpMessageSignaturesImplementationLevel, }; } diff --git a/packages/backend/src/misc/cache.ts b/packages/backend/src/misc/cache.ts index f498c110b..bba64a06e 100644 --- a/packages/backend/src/misc/cache.ts +++ b/packages/backend/src/misc/cache.ts @@ -195,9 +195,6 @@ export class MemoryKVCache { private lifetime: number; private gcIntervalHandle: NodeJS.Timeout; - /** - * @param lifetime キャッシュの生存期間 (ms) - */ constructor(lifetime: MemoryKVCache['lifetime']) { this.cache = new Map(); this.lifetime = lifetime; diff --git a/packages/backend/src/misc/gen-key-pair.ts b/packages/backend/src/misc/gen-key-pair.ts index 0b033ec33..02a303dc0 100644 --- a/packages/backend/src/misc/gen-key-pair.ts +++ b/packages/backend/src/misc/gen-key-pair.ts @@ -3,14 +3,39 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { genEd25519KeyPair, genRsaKeyPair } from '@misskey-dev/node-http-message-signatures'; +import * as crypto from 'node:crypto'; +import * as util from 'node:util'; -export async function genRSAAndEd25519KeyPair(rsaModulusLength = 4096) { - const [rsa, ed25519] = await Promise.all([genRsaKeyPair(rsaModulusLength), genEd25519KeyPair()]); - return { - publicKey: rsa.publicKey, - privateKey: rsa.privateKey, - ed25519PublicKey: ed25519.publicKey, - ed25519PrivateKey: ed25519.privateKey, - }; +const generateKeyPair = util.promisify(crypto.generateKeyPair); + +export async function genRsaKeyPair(modulusLength = 2048) { + return await generateKeyPair('rsa', { + modulusLength, + publicKeyEncoding: { + type: 'spki', + format: 'pem', + }, + privateKeyEncoding: { + type: 'pkcs8', + format: 'pem', + cipher: undefined, + passphrase: undefined, + }, + }); +} + +export async function genEcKeyPair(namedCurve: 'prime256v1' | 'secp384r1' | 'secp521r1' | 'curve25519' = 'prime256v1') { + return await generateKeyPair('ec', { + namedCurve, + publicKeyEncoding: { + type: 'spki', + format: 'pem', + }, + privateKeyEncoding: { + type: 'pkcs8', + format: 'pem', + cipher: undefined, + passphrase: undefined, + }, + }); } diff --git a/packages/backend/src/models/Instance.ts b/packages/backend/src/models/Instance.ts index f2f2831cf..17cd5c666 100644 --- a/packages/backend/src/models/Instance.ts +++ b/packages/backend/src/models/Instance.ts @@ -158,9 +158,4 @@ export class MiInstance { length: 16384, default: '', }) public moderationNote: string; - - @Column('varchar', { - length: 16, default: '00', nullable: false, - }) - public httpMessageSignaturesImplementationLevel: string; } diff --git a/packages/backend/src/models/UserKeypair.ts b/packages/backend/src/models/UserKeypair.ts index afa74ef11..f5252d126 100644 --- a/packages/backend/src/models/UserKeypair.ts +++ b/packages/backend/src/models/UserKeypair.ts @@ -3,7 +3,7 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { PrimaryColumn, Entity, JoinColumn, Column, ManyToOne } from 'typeorm'; +import { PrimaryColumn, Entity, JoinColumn, Column, OneToOne } from 'typeorm'; import { id } from './util/id.js'; import { MiUser } from './User.js'; @@ -12,42 +12,22 @@ export class MiUserKeypair { @PrimaryColumn(id()) public userId: MiUser['id']; - @ManyToOne(type => MiUser, { + @OneToOne(type => MiUser, { onDelete: 'CASCADE', }) @JoinColumn() public user: MiUser | null; - /** - * RSA public key - */ @Column('varchar', { length: 4096, }) public publicKey: string; - /** - * RSA private key - */ @Column('varchar', { length: 4096, }) public privateKey: string; - @Column('varchar', { - length: 128, - nullable: true, - default: null, - }) - public ed25519PublicKey: string | null; - - @Column('varchar', { - length: 128, - nullable: true, - default: null, - }) - public ed25519PrivateKey: string | null; - constructor(data: Partial) { if (data == null) return; diff --git a/packages/backend/src/models/UserPublickey.ts b/packages/backend/src/models/UserPublickey.ts index 0ecff2bcb..6bcd78530 100644 --- a/packages/backend/src/models/UserPublickey.ts +++ b/packages/backend/src/models/UserPublickey.ts @@ -9,13 +9,7 @@ import { MiUser } from './User.js'; @Entity('user_publickey') export class MiUserPublickey { - @PrimaryColumn('varchar', { - length: 256, - }) - public keyId: string; - - @Index() - @Column(id()) + @PrimaryColumn(id()) public userId: MiUser['id']; @OneToOne(type => MiUser, { @@ -24,6 +18,12 @@ export class MiUserPublickey { @JoinColumn() public user: MiUser | null; + @Index({ unique: true }) + @Column('varchar', { + length: 256, + }) + public keyId: string; + @Column('varchar', { length: 4096, }) diff --git a/packages/backend/src/models/json-schema/federation-instance.ts b/packages/backend/src/models/json-schema/federation-instance.ts index c02e7f557..ed40d405c 100644 --- a/packages/backend/src/models/json-schema/federation-instance.ts +++ b/packages/backend/src/models/json-schema/federation-instance.ts @@ -116,9 +116,5 @@ export const packedFederationInstanceSchema = { type: 'string', optional: true, nullable: true, }, - httpMessageSignaturesImplementationLevel: { - type: 'string', - optional: false, nullable: false, - }, }, } as const; diff --git a/packages/backend/src/queue/QueueProcessorService.ts b/packages/backend/src/queue/QueueProcessorService.ts index 169b22c3f..7bd74f321 100644 --- a/packages/backend/src/queue/QueueProcessorService.ts +++ b/packages/backend/src/queue/QueueProcessorService.ts @@ -250,9 +250,9 @@ export class QueueProcessorService implements OnApplicationShutdown { }, { ...baseQueueOptions(this.config, QUEUE.DELIVER), autorun: false, - concurrency: this.config.deliverJobConcurrency ?? 16, + concurrency: this.config.deliverJobConcurrency ?? 128, limiter: { - max: this.config.deliverJobPerSec ?? 1024, + max: this.config.deliverJobPerSec ?? 128, duration: 1000, }, settings: { @@ -290,9 +290,9 @@ export class QueueProcessorService implements OnApplicationShutdown { }, { ...baseQueueOptions(this.config, QUEUE.INBOX), autorun: false, - concurrency: this.config.inboxJobConcurrency ?? 4, + concurrency: this.config.inboxJobConcurrency ?? 16, limiter: { - max: this.config.inboxJobPerSec ?? 64, + max: this.config.inboxJobPerSec ?? 32, duration: 1000, }, settings: { diff --git a/packages/backend/src/queue/processors/DeliverProcessorService.ts b/packages/backend/src/queue/processors/DeliverProcessorService.ts index 3bd9187e8..d66594586 100644 --- a/packages/backend/src/queue/processors/DeliverProcessorService.ts +++ b/packages/backend/src/queue/processors/DeliverProcessorService.ts @@ -73,33 +73,25 @@ export class DeliverProcessorService { } try { - const _server = await this.federatedInstanceService.fetch(host); - await this.fetchInstanceMetadataService.fetchInstanceMetadata(_server).then(() => {}); - const server = await this.federatedInstanceService.fetch(host); - - await this.apRequestService.signedPost( - job.data.user, - job.data.to, - job.data.content, - server.httpMessageSignaturesImplementationLevel, - job.data.digest, - job.data.privateKey, - ); + await this.apRequestService.signedPost(job.data.user, job.data.to, job.data.content, job.data.digest); // Update stats - if (server.isNotResponding) { - this.federatedInstanceService.update(server.id, { - isNotResponding: false, - notRespondingSince: null, - }); - } + this.federatedInstanceService.fetch(host).then(i => { + if (i.isNotResponding) { + this.federatedInstanceService.update(i.id, { + isNotResponding: false, + notRespondingSince: null, + }); + } - this.apRequestChart.deliverSucc(); - this.federationChart.deliverd(server.host, true); + this.fetchInstanceMetadataService.fetchInstanceMetadata(i); + this.apRequestChart.deliverSucc(); + this.federationChart.deliverd(i.host, true); - if (meta.enableChartsForFederatedInstances) { - this.instanceChart.requestSent(server.host, true); - } + if (meta.enableChartsForFederatedInstances) { + this.instanceChart.requestSent(i.host, true); + } + }); return 'Success'; } catch (res) { diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts index 935c623df..fa7009f8f 100644 --- a/packages/backend/src/queue/processors/InboxProcessorService.ts +++ b/packages/backend/src/queue/processors/InboxProcessorService.ts @@ -5,8 +5,8 @@ import { URL } from 'node:url'; import { Injectable } from '@nestjs/common'; +import httpSignature from '@peertube/http-signature'; import * as Bull from 'bullmq'; -import { verifyDraftSignature } from '@misskey-dev/node-http-message-signatures'; import type Logger from '@/logger.js'; import { MetaService } from '@/core/MetaService.js'; import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; @@ -20,7 +20,6 @@ import type { MiRemoteUser } from '@/models/User.js'; import type { MiUserPublickey } from '@/models/UserPublickey.js'; import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js'; import { StatusError } from '@/misc/status-error.js'; -import * as Acct from '@/misc/acct.js'; import { UtilityService } from '@/core/UtilityService.js'; import { ApPersonService } from '@/core/activitypub/models/ApPersonService.js'; import { JsonLdService } from '@/core/activitypub/JsonLdService.js'; @@ -53,15 +52,8 @@ export class InboxProcessorService { @bindThis public async process(job: Bull.Job): Promise { - const signature = job.data.signature ? - 'version' in job.data.signature ? job.data.signature.value : job.data.signature - : null; - if (Array.isArray(signature)) { - // RFC 9401はsignatureが配列になるが、とりあえずエラーにする - throw new Error('signature is array'); - } + const signature = job.data.signature; // HTTP-signature let activity = job.data.activity; - let actorUri = getApId(activity.actor); //#region Log const info = Object.assign({}, activity); @@ -69,7 +61,7 @@ export class InboxProcessorService { this.logger.debug(JSON.stringify(info, null, 2)); //#endregion - const host = this.utilityService.toPuny(new URL(actorUri).hostname); + const host = this.utilityService.toPuny(new URL(signature.keyId).hostname); // ブロックしてたら中断 const meta = await this.metaService.fetch(); @@ -77,76 +69,69 @@ export class InboxProcessorService { return `Blocked request: ${host}`; } - // HTTP-Signature keyIdを元にDBから取得 - let authUser: Awaited> = null; - let httpSignatureIsValid = null as boolean | null; + const keyIdLower = signature.keyId.toLowerCase(); + if (keyIdLower.startsWith('acct:')) { + return `Old keyId is no longer supported. ${keyIdLower}`; + } - try { - authUser = await this.apDbResolverService.getAuthUserFromApId(actorUri, signature?.keyId); - } catch (err) { - // 対象が4xxならスキップ - if (err instanceof StatusError) { - if (!err.isRetryable) { - throw new Bull.UnrecoverableError(`skip: Ignored deleted actors on both ends ${activity.actor} - ${err.statusCode}`); + // HTTP-Signature keyIdを元にDBから取得 + let authUser: { + user: MiRemoteUser; + key: MiUserPublickey | null; + } | null = await this.apDbResolverService.getAuthUserFromKeyId(signature.keyId); + + // keyIdでわからなければ、activity.actorを元にDBから取得 || activity.actorを元にリモートから取得 + if (authUser == null) { + try { + authUser = await this.apDbResolverService.getAuthUserFromApId(getApId(activity.actor)); + } catch (err) { + // 対象が4xxならスキップ + if (err instanceof StatusError) { + if (!err.isRetryable) { + throw new Bull.UnrecoverableError(`skip: Ignored deleted actors on both ends ${activity.actor} - ${err.statusCode}`); + } + throw new Error(`Error in actor ${activity.actor} - ${err.statusCode}`); } - throw new Error(`Error in actor ${activity.actor} - ${err.statusCode}`); } } - // authUser.userがnullならスキップ - if (authUser != null && authUser.user == null) { + // それでもわからなければ終了 + if (authUser == null) { throw new Bull.UnrecoverableError('skip: failed to resolve user'); } - if (signature != null && authUser != null) { - if (signature.keyId.toLowerCase().startsWith('acct:')) { - this.logger.warn(`Old keyId is no longer supported. lowerKeyId=${signature.keyId.toLowerCase()}`); - } else if (authUser.key != null) { - // keyがなかったらLD Signatureで検証するべき - // HTTP-Signatureの検証 - const errorLogger = (ms: any) => this.logger.error(ms); - httpSignatureIsValid = await verifyDraftSignature(signature, authUser.key.keyPem, errorLogger); - this.logger.debug('Inbox message validation: ', { - userId: authUser.user.id, - userAcct: Acct.toString(authUser.user), - parsedKeyId: signature.keyId, - foundKeyId: authUser.key.keyId, - httpSignatureValid: httpSignatureIsValid, - }); - } + // publicKey がなくても終了 + if (authUser.key == null) { + throw new Bull.UnrecoverableError('skip: failed to resolve user publicKey'); } - if ( - authUser == null || - httpSignatureIsValid !== true || - authUser.user.uri !== actorUri // 一応チェック - ) { + // HTTP-Signatureの検証 + const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem); + + // また、signatureのsignerは、activity.actorと一致する必要がある + if (!httpSignatureValidated || authUser.user.uri !== activity.actor) { // 一致しなくても、でもLD-Signatureがありそうならそっちも見る const ldSignature = activity.signature; - - if (ldSignature && ldSignature.creator) { + if (ldSignature) { if (ldSignature.type !== 'RsaSignature2017') { throw new Bull.UnrecoverableError(`skip: unsupported LD-signature type ${ldSignature.type}`); } - if (ldSignature.creator.toLowerCase().startsWith('acct:')) { - throw new Bull.UnrecoverableError(`old key not supported ${ldSignature.creator}`); + // ldSignature.creator: https://example.oom/users/user#main-key + // みたいになっててUserを引っ張れば公開キーも入ることを期待する + if (ldSignature.creator) { + const candicate = ldSignature.creator.replace(/#.*/, ''); + await this.apPersonService.resolvePerson(candicate).catch(() => null); } - authUser = await this.apDbResolverService.getAuthUserFromApId(actorUri, ldSignature.creator); - + // keyIdからLD-Signatureのユーザーを取得 + authUser = await this.apDbResolverService.getAuthUserFromKeyId(ldSignature.creator); if (authUser == null) { - throw new Bull.UnrecoverableError(`skip: LD-Signatureのactorとcreatorが一致しませんでした uri=${actorUri} creator=${ldSignature.creator}`); - } - if (authUser.user == null) { - throw new Bull.UnrecoverableError(`skip: LD-Signatureのユーザーが取得できませんでした uri=${actorUri} creator=${ldSignature.creator}`); - } - // 一応actorチェック - if (authUser.user.uri !== actorUri) { - throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${actorUri})`); + throw new Bull.UnrecoverableError('skip: LD-Signatureのユーザーが取得できませんでした'); } + if (authUser.key == null) { - throw new Bull.UnrecoverableError(`skip: LD-SignatureのユーザーはpublicKeyを持っていませんでした uri=${actorUri} creator=${ldSignature.creator}`); + throw new Bull.UnrecoverableError('skip: LD-SignatureのユーザーはpublicKeyを持っていませんでした'); } const jsonLd = this.jsonLdService.use(); @@ -157,27 +142,13 @@ export class InboxProcessorService { throw new Bull.UnrecoverableError('skip: LD-Signatureの検証に失敗しました'); } - // ブロックしてたら中断 - const ldHost = this.utilityService.extractDbHost(authUser.user.uri); - if (this.utilityService.isBlockedHost(meta.blockedHosts, ldHost)) { - throw new Bull.UnrecoverableError(`Blocked request: ${ldHost}`); - } - // アクティビティを正規化 - // GHSA-2vxv-pv3m-3wvj delete activity.signature; try { activity = await jsonLd.compact(activity) as IActivity; } catch (e) { throw new Bull.UnrecoverableError(`skip: failed to compact activity: ${e}`); } - - // actorが正規化前後で一致しているか確認 - actorUri = getApId(activity.actor); - if (authUser.user.uri !== actorUri) { - throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity(after normalization).actor(${actorUri})`); - } - // TODO: 元のアクティビティと非互換な形に正規化される場合は転送をスキップする // https://github.com/mastodon/mastodon/blob/664b0ca/app/services/activitypub/process_collection_service.rb#L24-L29 activity.signature = ldSignature; @@ -187,8 +158,19 @@ export class InboxProcessorService { delete compactedInfo['@context']; this.logger.debug(`compacted: ${JSON.stringify(compactedInfo, null, 2)}`); //#endregion + + // もう一度actorチェック + if (authUser.user.uri !== activity.actor) { + throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`); + } + + // ブロックしてたら中断 + const ldHost = this.utilityService.extractDbHost(authUser.user.uri); + if (this.utilityService.isBlockedHost(meta.blockedHosts, ldHost)) { + throw new Bull.UnrecoverableError(`Blocked request: ${ldHost}`); + } } else { - throw new Bull.UnrecoverableError(`skip: http-signature verification failed and no LD-Signature. http_signature_keyId=${signature?.keyId}`); + throw new Bull.UnrecoverableError(`skip: http-signature verification failed and no LD-Signature. keyId=${signature.keyId}`); } } diff --git a/packages/backend/src/queue/types.ts b/packages/backend/src/queue/types.ts index f2466f2e3..a4077a054 100644 --- a/packages/backend/src/queue/types.ts +++ b/packages/backend/src/queue/types.ts @@ -9,24 +9,7 @@ import type { MiNote } from '@/models/Note.js'; import type { MiUser } from '@/models/User.js'; import type { MiWebhook } from '@/models/Webhook.js'; import type { IActivity } from '@/core/activitypub/type.js'; -import type { ParsedSignature, PrivateKeyWithPem } from '@misskey-dev/node-http-message-signatures'; - -/** - * @peertube/http-signature 時代の古いデータにも対応しておく - * TODO: 2026年ぐらいには消す - */ -export interface OldParsedSignature { - scheme: 'Signature'; - params: { - keyId: string; - algorithm: string; - headers: string[]; - signature: string; - }; - signingString: string; - algorithm: string; - keyId: string; -} +import type httpSignature from '@peertube/http-signature'; export type DeliverJobData = { /** Actor */ @@ -39,13 +22,11 @@ export type DeliverJobData = { to: string; /** whether it is sharedInbox */ isSharedInbox: boolean; - /** force to use main (rsa) key */ - privateKey?: PrivateKeyWithPem; }; export type InboxJobData = { activity: IActivity; - signature: ParsedSignature | OldParsedSignature | null; + signature: httpSignature.IParsedSignature; }; export type RelationshipJobData = { diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts index 753eaad04..3255d6462 100644 --- a/packages/backend/src/server/ActivityPubServerService.ts +++ b/packages/backend/src/server/ActivityPubServerService.ts @@ -3,10 +3,11 @@ * SPDX-License-Identifier: AGPL-3.0-only */ +import * as crypto from 'node:crypto'; import { IncomingMessage } from 'node:http'; import { Inject, Injectable } from '@nestjs/common'; import fastifyAccepts from '@fastify/accepts'; -import { verifyDigestHeader, parseRequestSignature } from '@misskey-dev/node-http-message-signatures'; +import httpSignature from '@peertube/http-signature'; import { Brackets, In, IsNull, LessThan, Not } from 'typeorm'; import accepts from 'accepts'; import vary from 'vary'; @@ -30,17 +31,12 @@ import { IActivity } from '@/core/activitypub/type.js'; import { isQuote, isRenote } from '@/misc/is-renote.js'; import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions, FastifyBodyParser } from 'fastify'; import type { FindOptionsWhere } from 'typeorm'; -import { LoggerService } from '@/core/LoggerService.js'; -import Logger from '@/logger.js'; const ACTIVITY_JSON = 'application/activity+json; charset=utf-8'; const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8'; @Injectable() export class ActivityPubServerService { - private logger: Logger; - private inboxLogger: Logger; - constructor( @Inject(DI.config) private config: Config, @@ -75,11 +71,8 @@ export class ActivityPubServerService { private queueService: QueueService, private userKeypairService: UserKeypairService, private queryService: QueryService, - private loggerService: LoggerService, ) { //this.createServer = this.createServer.bind(this); - this.logger = this.loggerService.getLogger('server-ap', 'gray'); - this.inboxLogger = this.logger.createSubLogger('inbox', 'gray'); } @bindThis @@ -107,44 +100,70 @@ export class ActivityPubServerService { } @bindThis - private async inbox(request: FastifyRequest, reply: FastifyReply) { - if (request.body == null) { - this.inboxLogger.warn('request body is empty'); - reply.code(400); - return; - } + private inbox(request: FastifyRequest, reply: FastifyReply) { + let signature; - let signature: ReturnType; - - const verifyDigest = await verifyDigestHeader(request.raw, request.rawBody || '', true); - if (verifyDigest !== true) { - this.inboxLogger.warn('digest verification failed'); + try { + signature = httpSignature.parseRequest(request.raw, { 'headers': [] }); + } catch (e) { reply.code(401); return; } - try { - signature = parseRequestSignature(request.raw, { - requiredInputs: { - draft: ['(request-target)', 'digest', 'host', 'date'], - }, - }); - } catch (err) { - this.inboxLogger.warn('signature header parsing failed', { err }); + if (signature.params.headers.indexOf('host') === -1 + || request.headers.host !== this.config.host) { + // Host not specified or not match. + reply.code(401); + return; + } - if (typeof request.body === 'object' && 'signature' in request.body) { - // LD SignatureがあればOK - this.queueService.inbox(request.body as IActivity, null); - reply.code(202); + if (signature.params.headers.indexOf('digest') === -1) { + // Digest not found. + reply.code(401); + } else { + const digest = request.headers.digest; + + if (typeof digest !== 'string') { + // Huh? + reply.code(401); return; } - this.inboxLogger.warn('signature header parsing failed and LD signature not found'); - reply.code(401); - return; + const re = /^([a-zA-Z0-9\-]+)=(.+)$/; + const match = digest.match(re); + + if (match == null) { + // Invalid digest + reply.code(401); + return; + } + + const algo = match[1].toUpperCase(); + const digestValue = match[2]; + + if (algo !== 'SHA-256') { + // Unsupported digest algorithm + reply.code(401); + return; + } + + if (request.rawBody == null) { + // Bad request + reply.code(400); + return; + } + + const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64'); + + if (hash !== digestValue) { + // Invalid digest + reply.code(401); + return; + } } this.queueService.inbox(request.body as IActivity, signature); + reply.code(202); } @@ -621,7 +640,7 @@ export class ActivityPubServerService { if (this.userEntityService.isLocalUser(user)) { reply.header('Cache-Control', 'public, max-age=180'); this.setResponseType(request, reply); - return (this.apRendererService.addContext(this.apRendererService.renderKey(user, keypair.publicKey))); + return (this.apRendererService.addContext(this.apRendererService.renderKey(user, keypair))); } else { reply.code(400); return; diff --git a/packages/backend/src/server/NodeinfoServerService.ts b/packages/backend/src/server/NodeinfoServerService.ts index c0f808476..cc18997fd 100644 --- a/packages/backend/src/server/NodeinfoServerService.ts +++ b/packages/backend/src/server/NodeinfoServerService.ts @@ -94,13 +94,6 @@ export class NodeinfoServerService { localComments: 0, }, metadata: { - /** - * '00': Draft, RSA only - * '01': Draft, Ed25519 suported - * '11': RFC 9421, Ed25519 supported - */ - httpMessageSignaturesImplementationLevel: '01', - nodeName: meta.name, nodeDescription: meta.description, nodeAdmins: [{ diff --git a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts index bfe230da8..305ae1af1 100644 --- a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts +++ b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts @@ -56,8 +56,7 @@ export default class extends Endpoint { // eslint- const res = [] as [string, number][]; for (const job of jobs) { - const signature = job.data.signature ? 'version' in job.data.signature ? job.data.signature.value : job.data.signature : null; - const host = signature ? Array.isArray(signature) ? 'TODO' : new URL(signature.keyId).host : new URL(job.data.activity.actor).host; + const host = new URL(job.data.signature.keyId).host; if (res.find(x => x[0] === host)) { res.find(x => x[0] === host)![1]++; } else { diff --git a/packages/backend/test/e2e/timelines.ts b/packages/backend/test/e2e/timelines.ts index fce1eacf0..540b866b2 100644 --- a/packages/backend/test/e2e/timelines.ts +++ b/packages/backend/test/e2e/timelines.ts @@ -378,7 +378,7 @@ describe('Timelines', () => { assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true); assert.strictEqual(res.body.some(note => note.id === carolNote1.id), false); assert.strictEqual(res.body.some(note => note.id === carolNote2.id), false); - }); + }, 1000 * 10); test.concurrent('フォローしているユーザーのチャンネル投稿が含まれない', async () => { const [alice, bob] = await Promise.all([signup(), signup()]); @@ -672,7 +672,7 @@ describe('Timelines', () => { assert.strictEqual(res.body.some(note => note.id === bobNote1.id), false); assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true); - }); + }, 1000 * 10); }); describe('Social TL', () => { @@ -812,7 +812,7 @@ describe('Timelines', () => { assert.strictEqual(res.body.some(note => note.id === bobNote1.id), false); assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true); - }); + }, 1000 * 10); }); describe('User List TL', () => { @@ -1025,7 +1025,7 @@ describe('Timelines', () => { assert.strictEqual(res.body.some(note => note.id === bobNote1.id), false); assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true); - }); + }, 1000 * 10); test.concurrent('リスインしているユーザーの自身宛ての visibility: specified なノートが含まれる', async () => { const [alice, bob] = await Promise.all([signup(), signup()]); @@ -1184,7 +1184,7 @@ describe('Timelines', () => { assert.strictEqual(res.body.some(note => note.id === bobNote1.id), false); assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true); - }); + }, 1000 * 10); test.concurrent('[withChannelNotes: true] チャンネル投稿が含まれる', async () => { const [alice, bob] = await Promise.all([signup(), signup()]); diff --git a/packages/backend/test/misc/mock-resolver.ts b/packages/backend/test/misc/mock-resolver.ts index 485506ee6..3c7e79670 100644 --- a/packages/backend/test/misc/mock-resolver.ts +++ b/packages/backend/test/misc/mock-resolver.ts @@ -14,7 +14,6 @@ import type { InstanceActorService } from '@/core/InstanceActorService.js'; import type { LoggerService } from '@/core/LoggerService.js'; import type { MetaService } from '@/core/MetaService.js'; import type { UtilityService } from '@/core/UtilityService.js'; -import type { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import { bindThis } from '@/decorators.js'; import type { FollowRequestsRepository, @@ -48,7 +47,6 @@ export class MockResolver extends Resolver { {} as HttpRequestService, {} as ApRendererService, {} as ApDbResolverService, - {} as FederatedInstanceService, loggerService, ); } diff --git a/packages/backend/test/unit/FetchInstanceMetadataService.ts b/packages/backend/test/unit/FetchInstanceMetadataService.ts index 2e66b81fc..bf8f3ab0e 100644 --- a/packages/backend/test/unit/FetchInstanceMetadataService.ts +++ b/packages/backend/test/unit/FetchInstanceMetadataService.ts @@ -75,61 +75,62 @@ describe('FetchInstanceMetadataService', () => { test('Lock and update', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); + federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => { return now - 10 * 1000 * 60 * 60 * 24; } } } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); - expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1); expect(tryLockSpy).toHaveBeenCalledTimes(1); expect(unlockSpy).toHaveBeenCalledTimes(1); + expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1); expect(httpRequestService.getJson).toHaveBeenCalled(); }); - test('Don\'t lock and update if recently updated', async () => { + test('Lock and don\'t update', async () => { redisClient.set = mockRedis(); - federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: new Date() } as any); + const now = Date.now(); + federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now } } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); + expect(tryLockSpy).toHaveBeenCalledTimes(1); + expect(unlockSpy).toHaveBeenCalledTimes(1); expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1); - expect(tryLockSpy).toHaveBeenCalledTimes(0); - expect(unlockSpy).toHaveBeenCalledTimes(0); expect(httpRequestService.getJson).toHaveBeenCalledTimes(0); }); test('Do nothing when lock not acquired', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); + federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); await fetchInstanceMetadataService.tryLock('example.com'); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any); - expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1); expect(tryLockSpy).toHaveBeenCalledTimes(1); expect(unlockSpy).toHaveBeenCalledTimes(0); + expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(0); expect(httpRequestService.getJson).toHaveBeenCalledTimes(0); }); - test('Do when forced', async () => { + test('Do when lock not acquired but forced', async () => { redisClient.set = mockRedis(); const now = Date.now(); - federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: new Date(now - 10 * 1000 * 60 * 60 * 24) } as any); + federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any); httpRequestService.getJson.mockImplementation(() => { throw Error(); }); await fetchInstanceMetadataService.tryLock('example.com'); const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock'); const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock'); await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any, true); - expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(0); expect(tryLockSpy).toHaveBeenCalledTimes(0); expect(unlockSpy).toHaveBeenCalledTimes(1); + expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(0); expect(httpRequestService.getJson).toHaveBeenCalled(); }); }); diff --git a/packages/backend/test/unit/ap-request.ts b/packages/backend/test/unit/ap-request.ts index 50894c8b8..d3d39240d 100644 --- a/packages/backend/test/unit/ap-request.ts +++ b/packages/backend/test/unit/ap-request.ts @@ -4,8 +4,10 @@ */ import * as assert from 'assert'; -import { verifyDraftSignature, parseRequestSignature, genEd25519KeyPair, genRsaKeyPair, importPrivateKey } from '@misskey-dev/node-http-message-signatures'; -import { createSignedGet, createSignedPost } from '@/core/activitypub/ApRequestService.js'; +import httpSignature from '@peertube/http-signature'; + +import { genRsaKeyPair } from '@/misc/gen-key-pair.js'; +import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js'; export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => { return { @@ -22,68 +24,38 @@ export const buildParsedSignature = (signingString: string, signature: string, a }; }; -async function getKeyPair(level: string) { - if (level === '00') { - return await genRsaKeyPair(); - } else if (level === '01') { - return await genEd25519KeyPair(); - } - throw new Error('Invalid level'); -} +describe('ap-request', () => { + test('createSignedPost with verify', async () => { + const keypair = await genRsaKeyPair(); + const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; + const url = 'https://example.com/inbox'; + const activity = { a: 1 }; + const body = JSON.stringify(activity); + const headers = { + 'User-Agent': 'UA', + }; -describe('ap-request post', () => { - const url = 'https://example.com/inbox'; - const activity = { a: 1 }; - const body = JSON.stringify(activity); - const headers = { - 'User-Agent': 'UA', - }; + const req = ApRequestCreator.createSignedPost({ key, url, body, additionalHeaders: headers }); - describe.each(['00', '01'])('createSignedPost with verify', (level) => { - test('pem', async () => { - const keypair = await getKeyPair(level); - const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; + const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256'); - const req = await createSignedPost({ level, key, url, body, additionalHeaders: headers }); + const result = httpSignature.verifySignature(parsed, keypair.publicKey); + assert.deepStrictEqual(result, true); + }); - const parsed = parseRequestSignature(req.request); - expect(parsed.version).toBe('draft'); - expect(Array.isArray(parsed.value)).toBe(false); - const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); - assert.deepStrictEqual(verify, true); - }); - test('imported', async () => { - const keypair = await getKeyPair(level); - const key = { keyId: 'x', 'privateKey': await importPrivateKey(keypair.privateKey) }; + test('createSignedGet with verify', async () => { + const keypair = await genRsaKeyPair(); + const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; + const url = 'https://example.com/outbox'; + const headers = { + 'User-Agent': 'UA', + }; - const req = await createSignedPost({ level, key, url, body, additionalHeaders: headers }); + const req = ApRequestCreator.createSignedGet({ key, url, additionalHeaders: headers }); - const parsed = parseRequestSignature(req.request); - expect(parsed.version).toBe('draft'); - expect(Array.isArray(parsed.value)).toBe(false); - const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); - assert.deepStrictEqual(verify, true); - }); - }); -}); - -describe('ap-request get', () => { - describe.each(['00', '01'])('createSignedGet with verify', (level) => { - test('pass', async () => { - const keypair = await getKeyPair(level); - const key = { keyId: 'x', 'privateKeyPem': keypair.privateKey }; - const url = 'https://example.com/outbox'; - const headers = { - 'User-Agent': 'UA', - }; - - const req = await createSignedGet({ level, key, url, additionalHeaders: headers }); - - const parsed = parseRequestSignature(req.request); - expect(parsed.version).toBe('draft'); - expect(Array.isArray(parsed.value)).toBe(false); - const verify = await verifyDraftSignature(parsed.value as any, keypair.publicKey); - assert.deepStrictEqual(verify, true); - }); + const parsed = buildParsedSignature(req.signingString, req.signature, 'rsa-sha256'); + + const result = httpSignature.verifySignature(parsed, keypair.publicKey); + assert.deepStrictEqual(result, true); }); }); diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts index 2a7e5a323..d3c857219 100644 --- a/packages/misskey-js/src/autogen/types.ts +++ b/packages/misskey-js/src/autogen/types.ts @@ -4608,7 +4608,6 @@ export type components = { /** Format: date-time */ latestRequestReceivedAt: string | null; moderationNote?: string | null; - httpMessageSignaturesImplementationLevel: string; }; GalleryPost: { /** diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2d426c2fa..7d3fec859 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -125,9 +125,6 @@ importers: '@fastify/view': specifier: 9.1.0 version: 9.1.0 - '@misskey-dev/node-http-message-signatures': - specifier: 0.0.10 - version: 0.0.10 '@misskey-dev/sharp-read-bmp': specifier: 1.2.0 version: 1.2.0 @@ -146,6 +143,9 @@ importers: '@nestjs/testing': specifier: 10.3.10 version: 10.3.10(@nestjs/common@10.3.10(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.3.10(@nestjs/common@10.3.10(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.3.10)(encoding@0.1.13)(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.3.10(@nestjs/common@10.3.10(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.3.10)) + '@peertube/http-signature': + specifier: 1.7.0 + version: 1.7.0 '@sentry/node': specifier: 8.13.0 version: 8.13.0 @@ -3228,11 +3228,6 @@ packages: '@kurkle/color@0.3.2': resolution: {integrity: sha512-fuscdXJ9G1qb7W8VdHi+IwRqij3lBkosAm4ydQtEmbY58OzHXqQhvlxqEkoz0yssNVn38bcpRWgA9PP+OGoisw==} - '@lapo/asn1js@2.0.4': - resolution: {integrity: sha512-KJD3wQAZxozcraJdWp3utDU6DEZgAVBGp9INCdptUpZaXCEYkpwNb7h7wyYh5y6DxtpvIud8k0suhWJ/z2rKvw==} - engines: {node: '>=12.20.0'} - hasBin: true - '@levischuck/tiny-cbor@0.2.2': resolution: {integrity: sha512-f5CnPw997Y2GQ8FAvtuVVC19FX8mwNNC+1XJcIi16n/LTJifKO6QBgGLgN3YEmqtGMk17SKSuoWES3imJVxAVw==} @@ -3286,10 +3281,6 @@ packages: eslint-plugin-import: '>= 2' globals: '>= 15' - '@misskey-dev/node-http-message-signatures@0.0.10': - resolution: {integrity: sha512-HiAuc//tOU077KFUJhHYLAPWku9enTpOFIqQiK6l2i2mIizRvv7HhV7Y+yuav5quDOAz+WZGK/i5C9OR5fkKIg==} - engines: {node: '>=18.4.0'} - '@misskey-dev/sharp-read-bmp@1.2.0': resolution: {integrity: sha512-er4pRakXzHYfEgOFAFfQagqDouG+wLm+kwNq1I30oSdIHDa0wM3KjFpfIGQ25Fks4GcmOl1s7Zh6xoQu5dNjTw==} @@ -3680,6 +3671,10 @@ packages: '@peculiar/asn1-x509@2.3.8': resolution: {integrity: sha512-voKxGfDU1c6r9mKiN5ZUsZWh3Dy1BABvTM3cimf0tztNwyMJPhiXY94eRTgsMQe6ViLfT6EoXxkWVzcm3mFAFw==} + '@peertube/http-signature@1.7.0': + resolution: {integrity: sha512-aGQIwo6/sWtyyqhVK4e1MtxYz4N1X8CNt6SOtCc+Wnczs5S5ONaLHDDR8LYaGn0MgOwvGgXyuZ5sJIfd7iyoUw==} + engines: {node: '>=0.10'} + '@pkgjs/parseargs@0.11.0': resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} engines: {node: '>=14'} @@ -10529,9 +10524,6 @@ packages: resolution: {integrity: sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==} engines: {iojs: '>=1.0.0', node: '>=0.10.0'} - rfc4648@1.5.3: - resolution: {integrity: sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==} - rfdc@1.3.0: resolution: {integrity: sha512-V2hovdzFbOi77/WajaSMXk2OLm+xNIeQdMMuB7icj7bk6zi2F8GGAxigcnDFpJHbNyNcgyJDiP+8nOrY5cZGrA==} @@ -11083,10 +11075,6 @@ packages: resolution: {integrity: sha512-pQ+V+nYQdC5H3Q7qBZAz/MO6lwGhoC2gOAjuouGf/VO0m7vQRh8QNMl2Uf6SwAtzZ9bOw3UIeBukEGNJl5dtXQ==} engines: {node: '>=14.16'} - structured-headers@1.0.1: - resolution: {integrity: sha512-QYBxdBtA4Tl5rFPuqmbmdrS9kbtren74RTJTcs0VSQNVV5iRhJD4QlYTLD0+81SBwUQctjEQzjTRI3WG4DzICA==} - engines: {node: '>= 14', npm: '>=6'} - stylehacks@6.1.1: resolution: {integrity: sha512-gSTTEQ670cJNoaeIp9KX6lZmm8LJ3jPB5yJmX8Zq/wQxOsAFXV3qjWzHas3YYk1qesuVIyYWWUpZ0vSE/dTSGg==} engines: {node: ^14 || ^16 || >=18.0} @@ -14654,8 +14642,6 @@ snapshots: '@kurkle/color@0.3.2': {} - '@lapo/asn1js@2.0.4': {} - '@levischuck/tiny-cbor@0.2.2': {} '@lukeed/csprng@1.0.1': {} @@ -14736,12 +14722,6 @@ snapshots: eslint-plugin-import: 2.29.1(@typescript-eslint/parser@7.15.0(eslint@9.6.0)(typescript@5.5.3))(eslint@9.6.0) globals: 15.7.0 - '@misskey-dev/node-http-message-signatures@0.0.10': - dependencies: - '@lapo/asn1js': 2.0.4 - rfc4648: 1.5.3 - structured-headers: 1.0.1 - '@misskey-dev/sharp-read-bmp@1.2.0': dependencies: decode-bmp: 0.2.1 @@ -15202,6 +15182,12 @@ snapshots: pvtsutils: 1.3.5 tslib: 2.6.2 + '@peertube/http-signature@1.7.0': + dependencies: + assert-plus: 1.0.0 + jsprim: 1.4.2 + sshpk: 1.17.0 + '@pkgjs/parseargs@0.11.0': optional: true @@ -23893,8 +23879,6 @@ snapshots: reusify@1.0.4: {} - rfc4648@1.5.3: {} - rfdc@1.3.0: {} rimraf@2.6.3: @@ -24490,8 +24474,6 @@ snapshots: '@tokenizer/token': 0.3.0 peek-readable: 5.0.0 - structured-headers@1.0.1: {} - stylehacks@6.1.1(postcss@8.4.38): dependencies: browserslist: 4.23.0