WIP: Federated following

custom/conf/app.example.ini

@@ -2253,6 +2253,23 @@ PATH =
 ;;
 ;; Enable/Disable user statistics for nodeinfo if federation is enabled
 ; SHARE_USER_STATISTICS = true
+;;
+;; Maximum federation request and response size (MB)
+; MAX_SIZE = 4
+;;
+;; WARNING: Changing the settings below can break federation.
+;;
+;; HTTP signature algorithms
+; ALGORITHMS = rsa-sha256, rsa-sha512, ed25519
+;;
+;; HTTP signature digest algorithm
+; DIGEST_ALGORITHM = SHA-256
+;;
+;; GET headers for federation requests
+; GET_HEADERS = (request-target), Date
+;;
+;; POST headers for federation requests
+; POST_HEADERS = (request-target), Date, Digest
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -1090,6 +1090,14 @@ Task queue configuration has been moved to `queue.task`. However, the below conf
 
 - `ENABLED`: **true**: Enable/Disable federation capabilities
 - `SHARE_USER_STATISTICS`: **true**: Enable/Disable user statistics for nodeinfo if federation is enabled
+- `MAX_SIZE`: **4**: Maximum federation request and response size (MB)
+
+ WARNING: Changing the settings below can break federation.
+
+- `ALGORITHMS`: **rsa-sha256, rsa-sha512, ed25519**: HTTP signature algorithms
+- `DIGEST_ALGORITHM`: **SHA-256**: HTTP signature digest algorithm
+- `GET_HEADERS`: **(request-target), Date**: GET headers for federation requests
+- `POST_HEADERS`: **(request-target), Date, Digest**: POST headers for federation requests
 
 ## Packages (`packages`)
 

go.mod

@@ -28,10 +28,12 @@ require (
 	github.com/ethantkoenig/rupture v1.0.1
 	github.com/felixge/fgprof v0.9.2
 	github.com/gliderlabs/ssh v0.3.4
+	github.com/go-ap/activitypub v0.0.0-20220615144428-48208c70483b
+	github.com/go-ap/jsonld v0.0.0-20220615144122-1d862b15410d
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-enry/go-enry/v2 v2.8.2
-	github.com/go-fed/httpsig v1.1.0
+	github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e
 	github.com/go-git/go-billy/v5 v5.3.1
 	github.com/go-git/go-git/v5 v5.4.3-0.20210630082519-b4368b2a2ca4
 	github.com/go-ldap/ldap/v3 v3.4.3
@@ -83,6 +85,7 @@ require (
 	github.com/tstranex/u2f v1.0.0
 	github.com/unrolled/render v1.4.1
 	github.com/urfave/cli v1.22.9
+	github.com/valyala/fastjson v1.6.3
 	github.com/xanzy/go-gitlab v0.64.0
 	github.com/yohcop/openid-go v1.0.0
 	github.com/yuin/goldmark v1.4.12
@@ -107,6 +110,7 @@ require (
 
 require (
 	cloud.google.com/go v0.99.0 // indirect
+	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20200411073322-f0bcc40f0bf2 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5 // indirect
@@ -160,6 +164,7 @@ require (
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fullstorydev/grpcurl v1.8.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/go-ap/errors v0.0.0-20220615144307-e8bc4a40ae9f // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect

go.sum

@@ -69,6 +69,8 @@ contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EU
 contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE=
 contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20200411073322-f0bcc40f0bf2 h1:2OrsyJYZp7J6nyAsKi2q1SELYRaIc0aQmcQ/EQqPfk8=
+git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20200411073322-f0bcc40f0bf2/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs=
 gitea.com/go-chi/binding v0.0.0-20220309004920-114340dabecb h1:Yy0Bxzc8R2wxiwXoG/rECGplJUSpXqCsog9PuJFgiHs=
 gitea.com/go-chi/binding v0.0.0-20220309004920-114340dabecb/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc=
 gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e/go.mod h1:k2V/gPDEtXGjjMGuBJiapffAXTv76H4snSmlJRLUhH0=
@@ -460,6 +462,12 @@ github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/glycerine/go-unsnap-stream v0.0.0-20181221182339-f9677308dec2/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE=
 github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24=
+github.com/go-ap/activitypub v0.0.0-20220615144428-48208c70483b h1:+RjYfEfoZdM3wHFs752dlOpGaoRhwRRyQxjajg08LcQ=
+github.com/go-ap/activitypub v0.0.0-20220615144428-48208c70483b/go.mod h1:DE3vvc6Didgfd3k7M1Mos6qMDFNmMrxJmYVMHG9h9Io=
+github.com/go-ap/errors v0.0.0-20220615144307-e8bc4a40ae9f h1:kJhGo4NApJP0Lt9lkJnfmuTnRWVFbCynY0kiTxpPUR4=
+github.com/go-ap/errors v0.0.0-20220615144307-e8bc4a40ae9f/go.mod h1:KHkKFKZvc05lr79+RGoq/zG8YjWi3+FK60Bxd+mpCew=
+github.com/go-ap/jsonld v0.0.0-20220615144122-1d862b15410d h1:Z/oRXMlZHjvjIqDma1FrIGL3iE5YL7MUI0bwYEZ6qbA=
+github.com/go-ap/jsonld v0.0.0-20220615144122-1d862b15410d/go.mod h1:jyveZeGw5LaADntW+UEsMjl3IlIwk+DxlYNsbofQkGA=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-chi/chi/v5 v5.0.1/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
@@ -472,8 +480,8 @@ github.com/go-enry/go-enry/v2 v2.8.2 h1:uiGmC+3K8sVd/6DOe2AOJEOihJdqda83nPyJNtMR
 github.com/go-enry/go-enry/v2 v2.8.2/go.mod h1:GVzIiAytiS5uT/QiuakK7TF1u4xDab87Y8V5EJRpsIQ=
 github.com/go-enry/go-oniguruma v1.2.1 h1:k8aAMuJfMrqm/56SG2lV9Cfti6tC4x8673aHCcBk+eo=
 github.com/go-enry/go-oniguruma v1.2.1/go.mod h1:bWDhYP+S6xZQgiRL7wlTScFYBe023B6ilRZbCAD5Hf4=
-github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
-github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
+github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e h1:oRq/fiirun5HqlEWMLIcDmLpIELlG4iGbd0s8iqgPi8=
+github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
 github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
 github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
 github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
@@ -1507,6 +1515,8 @@ github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw=
 github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fastjson v1.6.3 h1:tAKFnnwmeMGPbwJ7IwxcTPCNr3uIzoIj3/Fh90ra4xc=
+github.com/valyala/fastjson v1.6.3/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/weppos/publicsuffix-go v0.13.1-0.20210123135404-5fd73613514e/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=

integrations/api_activitypub_person_test.go

@@ -0,0 +1,103 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/activitypub"
+	"code.gitea.io/gitea/modules/setting"
+
+	ap "github.com/go-ap/activitypub"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActivityPubPerson(t *testing.T) {
+	onGiteaRun(t, func(*testing.T, *url.URL) {
+		setting.Federation.Enabled = true
+		defer func() {
+			setting.Federation.Enabled = false
+		}()
+
+		username := "user2"
+		req := NewRequestf(t, "GET", fmt.Sprintf("/api/v1/activitypub/user/%s", username))
+		resp := MakeRequest(t, req, http.StatusOK)
+		body := resp.Body.Bytes()
+		assert.Contains(t, string(body), "@context")
+
+		var person ap.Person
+		err := person.UnmarshalJSON(body)
+		assert.NoError(t, err)
+
+		assert.Equal(t, ap.PersonType, person.Type)
+		assert.Equal(t, username, person.PreferredUsername.String())
+		keyID := person.GetID().String()
+		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s$", username), keyID)
+		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s/outbox$", username), person.Outbox.GetID().String())
+		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s/inbox$", username), person.Inbox.GetID().String())
+
+		pubKey := person.PublicKey
+		assert.NotNil(t, pubKey)
+		publicKeyID := keyID + "#main-key"
+		assert.Equal(t, pubKey.ID.String(), publicKeyID)
+
+		pubKeyPem := pubKey.PublicKeyPem
+		assert.NotNil(t, pubKeyPem)
+		assert.Regexp(t, "^-----BEGIN PUBLIC KEY-----", pubKeyPem)
+	})
+}
+
+func TestActivityPubMissingPerson(t *testing.T) {
+	onGiteaRun(t, func(*testing.T, *url.URL) {
+		setting.Federation.Enabled = true
+		defer func() {
+			setting.Federation.Enabled = false
+		}()
+
+		req := NewRequestf(t, "GET", "/api/v1/activitypub/user/nonexistentuser")
+		resp := MakeRequest(t, req, http.StatusNotFound)
+		assert.Contains(t, resp.Body.String(), "user redirect does not exist")
+	})
+}
+
+func TestActivityPubPersonInbox(t *testing.T) {
+	srv := httptest.NewServer(c)
+	defer srv.Close()
+
+	onGiteaRun(t, func(*testing.T, *url.URL) {
+		appURL := setting.AppURL
+		setting.Federation.Enabled = true
+		setting.AppURL = srv.URL
+		defer func() {
+			setting.Federation.Enabled = false
+			setting.Database.LogSQL = false
+			setting.AppURL = appURL
+		}()
+		username1 := "user1"
+		ctx := context.Background()
+		user1, err := user_model.GetUserByName(ctx, username1)
+		assert.NoError(t, err)
+		user1url := fmt.Sprintf("%s/api/v1/activitypub/user/%s#main-key", srv.URL, username1)
+		c, err := activitypub.NewClient(user1, user1url)
+		assert.NoError(t, err)
+		username2 := "user2"
+		user2inboxurl := fmt.Sprintf("%s/api/v1/activitypub/user/%s/inbox", srv.URL, username2)
+
+		// Signed request succeeds
+		resp, err := c.Post([]byte{}, user2inboxurl)
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+
+		// Unsigned request fails
+		req := NewRequest(t, "POST", user2inboxurl)
+		MakeRequest(t, req, http.StatusInternalServerError)
+	})
+}

integrations/webfinger_test.go

@@ -52,7 +52,7 @@ func TestWebfinger(t *testing.T) {
 	var jrd webfingerJRD
 	DecodeJSON(t, resp, &jrd)
 	assert.Equal(t, "acct:user2@"+appURL.Host, jrd.Subject)
-	assert.ElementsMatch(t, []string{user.HTMLURL()}, jrd.Aliases)
+	assert.ElementsMatch(t, []string{user.HTMLURL(), appURL.String() + "api/v1/activitypub/user/" + url.PathEscape(user.Name)}, jrd.Aliases)
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, "unknown.host"))
 	MakeRequest(t, req, http.StatusBadRequest)

models/auth/source.go

@@ -22,14 +22,15 @@ type Type int
 
 // Note: new type must append to the end of list to maintain compatibility.
 const (
-	NoType Type = iota
-	Plain       // 1
-	LDAP        // 2
-	SMTP        // 3
-	PAM         // 4
-	DLDAP       // 5
-	OAuth2      // 6
-	SSPI        // 7
+	NoType    Type = iota
+	Plain          // 1
+	LDAP           // 2
+	SMTP           // 3
+	PAM            // 4
+	DLDAP          // 5
+	OAuth2         // 6
+	SSPI           // 7
+	Federated      // 8
 )
 
 // String returns the string name of the LoginType
@@ -178,6 +179,11 @@ func (source *Source) IsSSPI() bool {
 	return source.Type == SSPI
 }
 
+// IsFederated returns true of this source is of the Federated type.
+func (source *Source) IsFederated() bool {
+	return source.Type == Federated
+}
+
 // HasTLS returns true of this source supports TLS.
 func (source *Source) HasTLS() bool {
 	hasTLSer, ok := source.Cfg.(HasTLSer)

models/db/name.go

@@ -17,7 +17,7 @@ var (
 	ErrNameEmpty = errors.New("Name is empty")
 
 	// AlphaDashDotPattern characters prohibited in a user name (anything except A-Za-z0-9_.-)
-	AlphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
+	AlphaDashDotPattern = regexp.MustCompile(`[^\w-\.@]`)
 )
 
 // ErrNameReserved represents a "reserved name" error.

models/forgefed/repository.go

@@ -0,0 +1,71 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package forgefed
+
+import (
+	ap "github.com/go-ap/activitypub"
+	"github.com/valyala/fastjson"
+)
+
+const (
+	RepositoryType ap.ActivityVocabularyType = "Repository"
+)
+
+type Repository struct {
+	ap.Actor
+	// Team Collection of actors who have management/push access to the repository
+	Team ap.Item `jsonld:"team,omitempty"`
+	// Forks OrderedCollection of repositories that are forks of this repository
+	Forks ap.Item `jsonld:"forks,omitempty"`
+}
+
+// GetItemByType instantiates a new Repository object if the type matches
+// otherwise it defaults to existing activitypub package typer function.
+func GetItemByType(typ ap.ActivityVocabularyType) (ap.Item, error) {
+	if typ == RepositoryType {
+		return RepositoryNew(""), nil
+	}
+	return ap.GetItemByType(typ)
+}
+
+// RepositoryNew initializes a Repository type actor
+func RepositoryNew(id ap.ID) *Repository {
+	a := ap.ActorNew(id, RepositoryType)
+	o := Repository{Actor: *a}
+	o.Type = RepositoryType
+	return &o
+}
+
+func (r Repository) MarshalJSON() ([]byte, error) {
+	b, err := r.Actor.MarshalJSON()
+	if len(b) == 0 || err != nil {
+		return make([]byte, 0), err
+	}
+
+	b = b[:len(b)-1]
+	if r.Team != nil {
+		ap.WriteItemJSONProp(&b, "team", r.Team)
+	}
+	if r.Forks != nil {
+		ap.WriteItemJSONProp(&b, "forks", r.Forks)
+	}
+	ap.Write(&b, '}')
+	return b, nil
+}
+
+func (r *Repository) UnmarshalJSON(data []byte) error {
+	p := fastjson.Parser{}
+	val, err := p.ParseBytes(data)
+	if err != nil {
+		return err
+	}
+
+	r.Team = ap.JSONGetItem(val, "team")
+	r.Forks = ap.JSONGetItem(val, "forks")
+
+	return ap.OnActor(&r.Actor, func(a *ap.Actor) error {
+		return ap.LoadActor(val, a)
+	})
+}