Merge branch 'master' into feature-activitypub

integrations/webfinger_test.go

@@ -0,0 +1,68 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWebfinger(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	setting.Federation.Enabled = true
+	defer func() {
+		setting.Federation.Enabled = false
+	}()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
+
+	appURL, _ := url.Parse(setting.AppURL)
+
+	type webfingerLink struct {
+		Rel        string                 `json:"rel,omitempty"`
+		Type       string                 `json:"type,omitempty"`
+		Href       string                 `json:"href,omitempty"`
+		Titles     map[string]string      `json:"titles,omitempty"`
+		Properties map[string]interface{} `json:"properties,omitempty"`
+	}
+
+	type webfingerJRD struct {
+		Subject    string                 `json:"subject,omitempty"`
+		Aliases    []string               `json:"aliases,omitempty"`
+		Properties map[string]interface{} `json:"properties,omitempty"`
+		Links      []*webfingerLink       `json:"links,omitempty"`
+	}
+
+	session := loginUser(t, "user1")
+
+	req := NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, appURL.Host))
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var jrd webfingerJRD
+	DecodeJSON(t, resp, &jrd)
+	assert.Equal(t, "acct:user2@"+appURL.Host, jrd.Subject)
+	assert.ElementsMatch(t, []string{user.HTMLURL()}, jrd.Aliases)
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", user.LowerName, "unknown.host"))
+	MakeRequest(t, req, http.StatusBadRequest)
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", "user31", appURL.Host))
+	MakeRequest(t, req, http.StatusNotFound)
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=acct:%s@%s", "user31", appURL.Host))
+	session.MakeRequest(t, req, http.StatusOK)
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=mailto:%s", user.Email))
+	MakeRequest(t, req, http.StatusNotFound)
+}

routers/web/web.go

@@ -282,6 +282,13 @@ func RegisterRoutes(m *web.Route) {
 		}
 	}
 
+	federationEnabled := func(ctx *context.Context) {
+		if !setting.Federation.Enabled {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	}
+
 	// FIXME: not all routes need go through same middleware.
 	// Especially some AJAX requests, we can reduce middleware number to improve performance.
 	// Routers.
@@ -289,10 +296,10 @@ func RegisterRoutes(m *web.Route) {
 	m.Get("/", Home)
 	m.Group("/.well-known", func() {
 		m.Get("/openid-configuration", auth.OIDCWellKnown)
-		if setting.Federation.Enabled {
+		m.Group("", func() {
 			m.Get("/nodeinfo", NodeInfoLinks)
 			m.Get("/webfinger", WebfingerQuery)
-		}
+		}, federationEnabled)
 		m.Get("/change-password", func(w http.ResponseWriter, req *http.Request) {
 			http.Redirect(w, req, "/user/settings/account", http.StatusTemporaryRedirect)
 		})

routers/web/webfinger.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"regexp"
 	"strings"
 
 	user_model "code.gitea.io/gitea/models/user"
@@ -17,8 +16,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 )
 
-var webfingerRessourcePattern = regexp.MustCompile(`(?i)\A([a-z^:]+):(.*)\z`)
-
 // https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-webfinger-14#section-4.4
 
 type webfingerJRD struct {
@@ -39,26 +36,20 @@ type webfingerLink struct {
 // WebfingerQuery returns informations about a resource
 // https://datatracker.ietf.org/doc/html/rfc7565
 func WebfingerQuery(ctx *context.Context) {
-	resource := ctx.FormTrim("resource")
-
-	scheme := "acct"
-	uri := resource
-
-	match := webfingerRessourcePattern.FindStringSubmatch(resource)
-	if match != nil {
-		scheme = match[1]
-		uri = match[2]
-	}
-
 	appURL, _ := url.Parse(setting.AppURL)
 
-	var u *user_model.User
+	resource, err := url.Parse(ctx.FormTrim("resource"))
-	var err error
+	if err != nil {
+		ctx.Error(http.StatusBadRequest)
+		return
+	}
 
-	switch scheme {
+	var u *user_model.User
+
+	switch resource.Scheme {
 	case "acct":
 		// allow only the current host
-		parts := strings.SplitN(uri, "@", 2)
+		parts := strings.SplitN(resource.Opaque, "@", 2)
 		if len(parts) != 2 {
 			ctx.Error(http.StatusBadRequest)
 			return
@@ -70,7 +61,10 @@ func WebfingerQuery(ctx *context.Context) {
 
 		u, err = user_model.GetUserByNameCtx(ctx, parts[0])
 	case "mailto":
-		u, err = user_model.GetUserByEmailContext(ctx, uri)
+		u, err = user_model.GetUserByEmailContext(ctx, resource.Opaque)
+		if u != nil && u.KeepEmailPrivate {
+			err = user_model.ErrUserNotExist{}
+		}
 	default:
 		ctx.Error(http.StatusBadRequest)
 		return
@@ -79,7 +73,7 @@ func WebfingerQuery(ctx *context.Context) {
 		if user_model.IsErrUserNotExist(err) {
 			ctx.Error(http.StatusNotFound)
 		} else {
-			log.Error("Error getting user: %v", err)
+			log.Error("Error getting user: %s Error: %v", resource.Opaque, err)
 			ctx.Error(http.StatusInternalServerError)
 		}
 		return
@@ -92,7 +86,6 @@ func WebfingerQuery(ctx *context.Context) {
 
 	aliases := []string{
 		u.HTMLURL(),
-		appURL.String() + "api/v1/activitypub/user/" + strings.ToLower(u.Name),
 	}
 	if !u.KeepEmailPrivate {
 		aliases = append(aliases, fmt.Sprintf("mailto:%s", u.Email))
@@ -108,15 +101,6 @@ func WebfingerQuery(ctx *context.Context) {
 			Rel:  "http://webfinger.net/rel/avatar",
 			Href: u.AvatarLink(),
 		},
-		{
-			Rel:  "self",
-			Type: "application/activity+json",
-			Href: appURL.String() + "api/v1/activitypub/user/" + strings.ToLower(u.Name),
-		},
-		{
-			Rel:  "http://ostatus.org/schema/1.0/subscribe",
-			Href: appURL.String() + "api/v1/authorize_interaction?uri={uri}",
-		},
 	}
 
 	ctx.JSON(http.StatusOK, &webfingerJRD{