Improve AP actor checks

2018-09-19 15:47:55 +02:00 · 2018-09-19 15:47:55 +02:00 · 12ba460e9e
parent e587e0ecee
commit 12ba460e9e
5 changed files with 30 additions and 21 deletions
--- a/server/lib/activitypub/cache-file.ts
+++ b/server/lib/activitypub/cache-file.ts
@ -31,6 +31,10 @@ function createCacheFile (cacheFileObject: CacheFileObject, video: VideoModel, b
 }
 function updateCacheFile (cacheFileObject: CacheFileObject, redundancyModel: VideoRedundancyModel, byActor: { id?: number }) {
  if (redundancyModel.actorId !== byActor.id) {
    throw new Error('Cannot update redundancy ' + redundancyModel.url + ' of another actor.')
  }
  const attributes = cacheFileActivityObjectToDBAttributes(cacheFileObject, redundancyModel.VideoFile.Video, byActor)
  redundancyModel.set('expires', attributes.expiresOn)
--- a/server/lib/activitypub/process/process-delete.ts
+++ b/server/lib/activitypub/process/process-delete.ts
@ -94,6 +94,10 @@ function processDeleteVideoComment (byActor: ActorModel, videoComment: VideoComm
  logger.debug('Removing remote video comment "%s".', videoComment.url)
  return sequelizeTypescript.transaction(async t => {
    if (videoComment.Account.id !== byActor.Account.id) {
      throw new Error('Account ' + byActor.url + ' does not own video comment ' + videoComment.url)
    }
    await videoComment.destroy({ transaction: t })
    if (videoComment.Video.isOwned()) {
--- a/server/lib/activitypub/process/process-reject.ts
+++ b/server/lib/activitypub/process/process-reject.ts
@ -17,11 +17,11 @@ export {
 // ---------------------------------------------------------------------------
-async function processReject (actor: ActorModel, targetActor: ActorModel) {
+async function processReject (follower: ActorModel, targetActor: ActorModel) {
  return sequelizeTypescript.transaction(async t => {
-    const actorFollow = await ActorFollowModel.loadByActorAndTarget(actor.id, targetActor.id, t)
+    const actorFollow = await ActorFollowModel.loadByActorAndTarget(follower.id, targetActor.id, t)
-    if (!actorFollow) throw new Error(`'Unknown actor follow ${actor.id} -> ${targetActor.id}.`)
+    if (!actorFollow) throw new Error(`'Unknown actor follow ${follower.id} -> ${targetActor.id}.`)
    await actorFollow.destroy({ transaction: t })
--- a/server/lib/activitypub/process/process-undo.ts
+++ b/server/lib/activitypub/process/process-undo.ts
@ -1,10 +1,8 @@
 import { ActivityAnnounce, ActivityFollow, ActivityLike, ActivityUndo, CacheFileObject } from '../../../../shared/models/activitypub'
 import { DislikeObject } from '../../../../shared/models/activitypub/objects'
 import { getActorUrl } from '../../../helpers/activitypub'
 import { retryTransactionWrapper } from '../../../helpers/database-utils'
 import { logger } from '../../../helpers/logger'
 import { sequelizeTypescript } from '../../../initializers'
 import { AccountModel } from '../../../models/account/account'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
 import { ActorModel } from '../../../models/activitypub/actor'
 import { ActorFollowModel } from '../../../models/activitypub/actor-follow'
@ -16,15 +14,13 @@ import { VideoRedundancyModel } from '../../../models/redundancy/video-redundanc
 async function processUndoActivity (activity: ActivityUndo, byActor: ActorModel) {
  const activityToUndo = activity.object
  const actorUrl = getActorUrl(activity.actor)
  if (activityToUndo.type === 'Like') {
-    return retryTransactionWrapper(processUndoLike, actorUrl, activity)
+    return retryTransactionWrapper(processUndoLike, byActor, activity)
  }
  if (activityToUndo.type === 'Create') {
    if (activityToUndo.object.type === 'Dislike') {
-      return retryTransactionWrapper(processUndoDislike, actorUrl, activity)
+      return retryTransactionWrapper(processUndoDislike, byActor, activity)
    } else if (activityToUndo.object.type === 'CacheFile') {
      return retryTransactionWrapper(processUndoCacheFile, byActor, activity)
    }
@ -51,48 +47,46 @@ export {
 // ---------------------------------------------------------------------------
-async function processUndoLike (actorUrl: string, activity: ActivityUndo) {
+async function processUndoLike (byActor: ActorModel, activity: ActivityUndo) {
  const likeActivity = activity.object as ActivityLike
  const { video } = await getOrCreateVideoAndAccountAndChannel({ videoObject: likeActivity.object })
  return sequelizeTypescript.transaction(async t => {
-    const byAccount = await AccountModel.loadByUrl(actorUrl, t)
+    if (!byActor.Account) throw new Error('Unknown account ' + byActor.url)
    if (!byAccount) throw new Error('Unknown account ' + actorUrl)
-    const rate = await AccountVideoRateModel.load(byAccount.id, video.id, t)
+    const rate = await AccountVideoRateModel.load(byActor.Account.id, video.id, t)
-    if (!rate) throw new Error(`Unknown rate by account ${byAccount.id} for video ${video.id}.`)
+    if (!rate) throw new Error(`Unknown rate by account ${byActor.Account.id} for video ${video.id}.`)
    await rate.destroy({ transaction: t })
    await video.decrement('likes', { transaction: t })
    if (video.isOwned()) {
      // Don't resend the activity to the sender
-      const exceptions = [ byAccount.Actor ]
+      const exceptions = [ byActor ]
      await forwardVideoRelatedActivity(activity, t, exceptions, video)
    }
  })
 }
-async function processUndoDislike (actorUrl: string, activity: ActivityUndo) {
+async function processUndoDislike (byActor: ActorModel, activity: ActivityUndo) {
  const dislike = activity.object.object as DislikeObject
  const { video } = await getOrCreateVideoAndAccountAndChannel({ videoObject: dislike.object })
  return sequelizeTypescript.transaction(async t => {
-    const byAccount = await AccountModel.loadByUrl(actorUrl, t)
+    if (!byActor.Account) throw new Error('Unknown account ' + byActor.url)
    if (!byAccount) throw new Error('Unknown account ' + actorUrl)
-    const rate = await AccountVideoRateModel.load(byAccount.id, video.id, t)
+    const rate = await AccountVideoRateModel.load(byActor.Account.id, video.id, t)
-    if (!rate) throw new Error(`Unknown rate by account ${byAccount.id} for video ${video.id}.`)
+    if (!rate) throw new Error(`Unknown rate by account ${byActor.Account.id} for video ${video.id}.`)
    await rate.destroy({ transaction: t })
    await video.decrement('dislikes', { transaction: t })
    if (video.isOwned()) {
      // Don't resend the activity to the sender
-      const exceptions = [ byAccount.Actor ]
+      const exceptions = [ byActor ]
      await forwardVideoRelatedActivity(activity, t, exceptions, video)
    }
@ -108,6 +102,8 @@ async function processUndoCacheFile (byActor: ActorModel, activity: ActivityUndo
    const cacheFile = await VideoRedundancyModel.loadByUrl(cacheFileObject.id)
    if (!cacheFile) throw new Error('Unknown video cache ' + cacheFile.url)
    if (cacheFile.actorId !== byActor.id) throw new Error('Cannot delete redundancy ' + cacheFile.url + ' of another actor.')
    await cacheFile.destroy()
    if (video.isOwned()) {
--- a/server/lib/activitypub/process/process.ts
+++ b/server/lib/activitypub/process/process.ts
@ -29,6 +29,11 @@ async function processActivities (activities: Activity[], signatureActor?: Actor
  const actorsCache: { [ url: string ]: ActorModel } = {}
  for (const activity of activities) {
    if (!signatureActor && [ 'Create', 'Announce', 'Like' ].indexOf(activity.type) === -1) {
      logger.error('Cannot process activity %s (type: %s) without the actor signature.', activity.id, activity.type)
      continue
    }
    const actorUrl = getActorUrl(activity.actor)
    // When we fetch remote data, we don't have signature