feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2025-08-01 17:38:33 +00:00 · 2025-04-03 15:24:15 +00:00 · 2025-04-03 15:24:15 +00:00 · 77b0275572
commit 77b0275572
parent ba5b157f7e
22 changed files with 681 additions and 122 deletions
--- a/tests/integration/activitypub_client_test.go
+++ b/tests/integration/activitypub_client_test.go
@ -0,0 +1,54 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/url"
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/activitypub"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestActivityPubClientBodySize(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+		clientFactory, err := activitypub.GetClientFactory(db.DefaultContext)
+		require.NoError(t, err)
+
+		apClient, err := clientFactory.WithKeys(db.DefaultContext, user1, user1.APActorKeyID())
+		require.NoError(t, err)
+
+		url := u.JoinPath("/api/v1/nodeinfo").String()
+
+		// Request with normal MaxSize
+		t.Run("NormalMaxSize", func(t *testing.T) {
+			resp, err := apClient.GetBody(url)
+			require.NoError(t, err)
+			assert.Contains(t, string(resp), "forgejo")
+		})
+
+		// Set MaxSize to something very low to always fail
+		// Request with low MaxSize
+		t.Run("LowMaxSize", func(t *testing.T) {
+			defer test.MockVariableValue(&setting.Federation.MaxSize, 100)()
+
+			_, err = apClient.GetBody(url)
+			require.Error(t, err)
+			assert.ErrorContains(t, err, "Request returned")
+		})
+	})
+}
--- a/tests/integration/api_activitypub_person_test.go
+++ b/tests/integration/api_activitypub_person_test.go
@ -26,33 +26,47 @@ import (
 func TestActivityPubPerson(t *testing.T) {
 	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
-	defer tests.PrepareTestEnv(t)()
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		userID := 2
+		username := "user2"
+		userURL := fmt.Sprintf("%sapi/v1/activitypub/user-id/%d", u, userID)

-	userID := 2
-	username := "user2"
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/activitypub/user-id/%v", userID))
-	resp := MakeRequest(t, req, http.StatusOK)
-	assert.Contains(t, resp.Body.String(), "@context")
+		user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

-	var person ap.Person
-	err := person.UnmarshalJSON(resp.Body.Bytes())
-	require.NoError(t, err)
+		clientFactory, err := activitypub.GetClientFactory(db.DefaultContext)
+		require.NoError(t, err)

-	assert.Equal(t, ap.PersonType, person.Type)
-	assert.Equal(t, username, person.PreferredUsername.String())
-	keyID := person.GetID().String()
-	assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%v$", userID), keyID)
-	assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%v/outbox$", userID), person.Outbox.GetID().String())
-	assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%v/inbox$", userID), person.Inbox.GetID().String())
+		apClient, err := clientFactory.WithKeys(db.DefaultContext, user1, user1.APActorKeyID())
+		require.NoError(t, err)

-	pubKey := person.PublicKey
-	assert.NotNil(t, pubKey)
-	publicKeyID := keyID + "#main-key"
-	assert.Equal(t, pubKey.ID.String(), publicKeyID)
+		// Unsigned request
+		t.Run("UnsignedRequest", func(t *testing.T) {
+			req := NewRequest(t, "GET", userURL)
+			MakeRequest(t, req, http.StatusBadRequest)
+		})

-	pubKeyPem := pubKey.PublicKeyPem
-	assert.NotNil(t, pubKeyPem)
-	assert.Regexp(t, "^-----BEGIN PUBLIC KEY-----", pubKeyPem)
+		t.Run("SignedRequestValidation", func(t *testing.T) {
+			// Signed requset
+			resp, err := apClient.GetBody(userURL)
+			require.NoError(t, err)
+
+			var person ap.Person
+			err = person.UnmarshalJSON(resp)
+			require.NoError(t, err)
+
+			assert.Equal(t, ap.PersonType, person.Type)
+			assert.Equal(t, username, person.PreferredUsername.String())
+			assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d$", userID), person.GetID())
+			assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d/outbox$", userID), person.Outbox.GetID().String())
+			assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d/inbox$", userID), person.Inbox.GetID().String())
+
+			assert.NotNil(t, person.PublicKey)
+			assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d#main-key$", userID), person.PublicKey.ID)
+
+			assert.NotNil(t, person.PublicKey.PublicKeyPem)
+			assert.Regexp(t, "^-----BEGIN PUBLIC KEY-----", person.PublicKey.PublicKeyPem)
+		})
+	})
 }

 func TestActivityPubMissingPerson(t *testing.T) {
--- a/tests/integration/api_activitypub_repository_test.go
+++ b/tests/integration/api_activitypub_repository_test.go
@ -28,18 +28,28 @@ import (
 func TestActivityPubRepository(t *testing.T) {
 	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
-	defer tests.PrepareTestEnv(t)()

-	repositoryID := 2
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/activitypub/repository-id/%v", repositoryID))
-	resp := MakeRequest(t, req, http.StatusOK)
-	assert.Contains(t, resp.Body.String(), "@context")
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		repositoryID := 2

-	var repository forgefed_modules.Repository
-	err := repository.UnmarshalJSON(resp.Body.Bytes())
-	require.NoError(t, err)
+		apServerActor := user.NewAPServerActor()

-	assert.Regexp(t, fmt.Sprintf("activitypub/repository-id/%v$", repositoryID), repository.GetID().String())
+		cf, err := activitypub.GetClientFactory(db.DefaultContext)
+		require.NoError(t, err)
+
+		c, err := cf.WithKeys(db.DefaultContext, apServerActor, apServerActor.APActorKeyID())
+		require.NoError(t, err)
+
+		resp, err := c.GetBody(fmt.Sprintf("%sapi/v1/activitypub/repository-id/%d", u, repositoryID))
+		require.NoError(t, err)
+		assert.Contains(t, string(resp), "@context")
+
+		var repository forgefed_modules.Repository
+		err = repository.UnmarshalJSON(resp)
+		require.NoError(t, err)
+
+		assert.Regexp(t, fmt.Sprintf("activitypub/repository-id/%d$", repositoryID), repository.GetID().String())
+	})
 }

 func TestActivityPubMissingRepository(t *testing.T) {
@ -48,7 +58,7 @@ func TestActivityPubMissingRepository(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

 	repositoryID := 9999999
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/activitypub/repository-id/%v", repositoryID))
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/activitypub/repository-id/%d", repositoryID))
 	resp := MakeRequest(t, req, http.StatusNotFound)
 	assert.Contains(t, resp.Body.String(), "repository does not exist")
 }
@ -62,14 +72,16 @@ func TestActivityPubRepositoryInboxValid(t *testing.T) {
 	defer federatedSrv.Close()

 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-		actionsUser := user.NewActionsUser()
+		apServerActor := user.NewAPServerActor()
 		repositoryID := 2
 		timeNow := time.Now().UTC()

 		cf, err := activitypub.GetClientFactory(db.DefaultContext)
 		require.NoError(t, err)
-		c, err := cf.WithKeys(db.DefaultContext, actionsUser, "not used")
+
+		c, err := cf.WithKeys(db.DefaultContext, apServerActor, apServerActor.APActorKeyID())
 		require.NoError(t, err)
+
 		repoInboxURL := u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d/inbox", repositoryID)).String()

 		activity1 := []byte(fmt.Sprintf(
@ -139,14 +151,16 @@ func TestActivityPubRepositoryInboxInvalid(t *testing.T) {
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-		actionsUser := user.NewActionsUser()
+		apServerActor := user.NewAPServerActor()
 		repositoryID := 2
+
 		cf, err := activitypub.GetClientFactory(db.DefaultContext)
 		require.NoError(t, err)
-		c, err := cf.WithKeys(db.DefaultContext, actionsUser, "not used")
+
+		c, err := cf.WithKeys(db.DefaultContext, apServerActor, apServerActor.APActorKeyID())
 		require.NoError(t, err)

-		repoInboxURL := u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%v/inbox", repositoryID)).String()
+		repoInboxURL := u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d/inbox", repositoryID)).String()
 		activity := []byte(`{"type":"Wrong"}`)
 		resp, err := c.Post(activity, repoInboxURL)
 		require.NoError(t, err)
--- a/tests/integration/api_federation_httpsig_test.go
+++ b/tests/integration/api_federation_httpsig_test.go
@ -0,0 +1,82 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/forgefed"
+	"forgejo.org/models/unittest"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/activitypub"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFederationHttpSigValidation(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		userID := 2
+		userURL := fmt.Sprintf("%sapi/v1/activitypub/user-id/%d", u, userID)
+
+		user1 := unittest.AssertExistsAndLoadBean(t, &user.User{ID: 1})
+
+		clientFactory, err := activitypub.GetClientFactory(db.DefaultContext)
+		require.NoError(t, err)
+
+		apClient, err := clientFactory.WithKeys(db.DefaultContext, user1, user1.APActorKeyID())
+		require.NoError(t, err)
+
+		// Unsigned request
+		t.Run("UnsignedRequest", func(t *testing.T) {
+			req := NewRequest(t, "GET", userURL)
+			MakeRequest(t, req, http.StatusBadRequest)
+		})
+
+		// Signed request
+		t.Run("SignedRequest", func(t *testing.T) {
+			resp, err := apClient.Get(userURL)
+			require.NoError(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+		})
+
+		// HACK HACK HACK: the host part of the URL gets set to which IP forgejo is
+		// listening on, NOT localhost, which is the Domain given to forgejo which
+		// is then used for eg. the keyID all requests
+		applicationKeyID := fmt.Sprintf("%sapi/v1/activitypub/actor#main-key", setting.AppURL)
+		actorKeyID := fmt.Sprintf("%sapi/v1/activitypub/user-id/1#main-key", setting.AppURL)
+
+		// Check for cached public keys
+		t.Run("ValidateCaches", func(t *testing.T) {
+			host, err := forgefed.FindFederationHostByKeyID(db.DefaultContext, applicationKeyID)
+			require.NoError(t, err)
+			assert.NotNil(t, host)
+			assert.True(t, host.PublicKey.Valid)
+
+			user, err := user.GetFederatedUserByKeyID(db.DefaultContext, actorKeyID)
+			require.NoError(t, err)
+			assert.NotNil(t, user)
+			assert.True(t, user.PublicKey.Valid)
+		})
+
+		// Disable signature validation
+		defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
+
+		// Unsigned request
+		t.Run("SignatureValidationDisabled", func(t *testing.T) {
+			req := NewRequest(t, "GET", userURL)
+			MakeRequest(t, req, http.StatusOK)
+		})
+	})
+}
--- a/tests/integration/user_federationhost_xorm_test.go
+++ b/tests/integration/user_federationhost_xorm_test.go
@ -0,0 +1,109 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"database/sql"
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/forgefed"
+	"forgejo.org/models/user"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestStoreFederationHost(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	t.Run("ExplicitNull", func(t *testing.T) {
+		federationHost := forgefed.FederationHost{
+			HostFqdn: "ExplicitNull",
+			// Explicit null on KeyID and PublicKey
+			KeyID:     sql.NullString{Valid: false},
+			PublicKey: sql.Null[sql.RawBytes]{Valid: false},
+		}
+
+		_, err := db.GetEngine(db.DefaultContext).Insert(&federationHost)
+		require.NoError(t, err)
+
+		dbFederationHost := new(forgefed.FederationHost)
+		has, err := db.GetEngine(db.DefaultContext).Where("host_fqdn=?", "ExplicitNull").Get(dbFederationHost)
+		require.NoError(t, err)
+		assert.True(t, has)
+
+		assert.False(t, dbFederationHost.KeyID.Valid)
+		assert.False(t, dbFederationHost.PublicKey.Valid)
+	})
+
+	t.Run("NotNull", func(t *testing.T) {
+		federationHost := forgefed.FederationHost{
+			HostFqdn:  "ImplicitNull",
+			KeyID:     sql.NullString{Valid: true, String: "meow"},
+			PublicKey: sql.Null[sql.RawBytes]{Valid: true, V: sql.RawBytes{0x23, 0x42}},
+		}
+
+		_, err := db.GetEngine(db.DefaultContext).Insert(&federationHost)
+		require.NoError(t, err)
+
+		dbFederationHost := new(forgefed.FederationHost)
+		has, err := db.GetEngine(db.DefaultContext).Where("host_fqdn=?", "ImplicitNull").Get(dbFederationHost)
+		require.NoError(t, err)
+		assert.True(t, has)
+
+		assert.True(t, dbFederationHost.KeyID.Valid)
+		assert.Equal(t, "meow", dbFederationHost.KeyID.String)
+
+		assert.True(t, dbFederationHost.PublicKey.Valid)
+		assert.Equal(t, sql.RawBytes{0x23, 0x42}, dbFederationHost.PublicKey.V)
+	})
+}
+
+func TestStoreFederatedUser(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	t.Run("ExplicitNull", func(t *testing.T) {
+		federatedUser := user.FederatedUser{
+			UserID:           0,
+			ExternalID:       "ExplicitNull",
+			FederationHostID: 0,
+			KeyID:            sql.NullString{Valid: false},
+			PublicKey:        sql.Null[sql.RawBytes]{Valid: false},
+		}
+
+		_, err := db.GetEngine(db.DefaultContext).Insert(&federatedUser)
+		require.NoError(t, err)
+
+		dbFederatedUser := new(user.FederatedUser)
+		has, err := db.GetEngine(db.DefaultContext).Where("user_id=?", 0).Get(dbFederatedUser)
+		require.NoError(t, err)
+		assert.True(t, has)
+
+		assert.False(t, dbFederatedUser.KeyID.Valid)
+		assert.False(t, dbFederatedUser.PublicKey.Valid)
+	})
+
+	t.Run("NotNull", func(t *testing.T) {
+		federatedUser := user.FederatedUser{
+			UserID:           1,
+			ExternalID:       "ImplicitNull",
+			FederationHostID: 1,
+			KeyID:            sql.NullString{Valid: true, String: "woem"},
+			PublicKey:        sql.Null[sql.RawBytes]{Valid: true, V: sql.RawBytes{0x42, 0x23}},
+		}
+
+		_, err := db.GetEngine(db.DefaultContext).Insert(&federatedUser)
+		require.NoError(t, err)
+
+		dbFederatedUser := new(user.FederatedUser)
+		has, err := db.GetEngine(db.DefaultContext).Where("user_id=?", 1).Get(dbFederatedUser)
+		require.NoError(t, err)
+		assert.True(t, has)
+
+		assert.True(t, dbFederatedUser.KeyID.Valid)
+		assert.Equal(t, "woem", dbFederatedUser.KeyID.String)
+		assert.True(t, dbFederatedUser.PublicKey.Valid)
+		assert.Equal(t, sql.RawBytes{0x42, 0x23}, dbFederatedUser.PublicKey.V)
+	})
+}