Remove bto & bcc before serving ActivityStream object

2018-06-08 23:45:25 +02:00 · 2018-06-08 23:45:25 +02:00 · 2764b67c7e
--- a/pub/handlers.go
+++ b/pub/handlers.go
@ -5,6 +5,7 @@ import (
 	"crypto"
 	"encoding/json"
 	"fmt"
+	"github.com/go-fed/activity/vocab"
 	"github.com/go-fed/httpsig"
 	"net/http"
 	"net/url"
@ -109,6 +110,9 @@ func serveActivityPubObject(c context.Context, a Application, clock Clock, w htt
 	if err != nil {
 		return
 	}
+	if obj, ok := pObj.(vocab.ObjectType); ok {
+		clearSensitiveFields(obj)
+	}
 	var m map[string]interface{}
 	m, err = pObj.Serialize()
 	if err != nil {
--- a/pub/handlers_test.go
+++ b/pub/handlers_test.go
@ -140,6 +140,43 @@ func TestServeActivityPubObject(t *testing.T) {
 			expectedCode:  http.StatusForbidden,
 			expectHandled: true,
 		},
+		{
+			name: "remove bto & bcc",
+			app: &MockApplication{
+				t: t,
+				get: func(c context.Context, id *url.URL, rw RWType) (PubObject, error) {
+					if rw != Read {
+						t.Fatalf("expected RWType of %d, got %d", Read, rw)
+					} else if s := id.String(); s != noteURIString {
+						t.Fatalf("expected %s, got %s", noteURIString, s)
+					}
+					testNote = &vocab.Note{}
+					testNote.SetId(noteIRI)
+					testNote.AppendNameString(noteName)
+					testNote.AppendContentString("This is a simple note")
+					testNote.AppendBtoIRI(samIRI)
+					testNote.AppendBccIRI(sallyIRI)
+					return testNote, nil
+				},
+				owns: func(c context.Context, id *url.URL) bool {
+					if s := id.String(); s != noteURIString {
+						t.Fatalf("expected %s, got %s", noteURIString, s)
+					}
+					return true
+				},
+			},
+			clock:        &MockClock{now},
+			input:        ActivityPubRequest(httptest.NewRequest("GET", noteURIString, nil)),
+			expectedCode: http.StatusOK,
+			expectedObjFn: func() vocab.Serializer {
+				testNote = &vocab.Note{}
+				testNote.SetId(noteIRI)
+				testNote.AppendNameString(noteName)
+				testNote.AppendContentString("This is a simple note")
+				return testNote
+			},
+			expectHandled: true,
+		},
 	}
 	for _, test := range tests {
 		t.Logf("Running table test case %q", test.name)
@ -515,6 +552,43 @@ func TestServeActivityPubObjectWithVerificationMethod(t *testing.T) {
 			expectedCode:  http.StatusBadRequest,
 			expectHandled: true,
 		},
+		{
+			name: "remove bto & bcc",
+			app: &MockApplication{
+				t: t,
+				get: func(c context.Context, id *url.URL, rw RWType) (PubObject, error) {
+					if rw != Read {
+						t.Fatalf("expected RWType of %d, got %d", Read, rw)
+					} else if s := id.String(); s != noteURIString {
+						t.Fatalf("expected %s, got %s", noteURIString, s)
+					}
+					testNote = &vocab.Note{}
+					testNote.SetId(noteIRI)
+					testNote.AppendNameString(noteName)
+					testNote.AppendContentString("This is a simple note")
+					testNote.AppendBtoIRI(samIRI)
+					testNote.AppendBccIRI(sallyIRI)
+					return testNote, nil
+				},
+				owns: func(c context.Context, id *url.URL) bool {
+					if s := id.String(); s != noteURIString {
+						t.Fatalf("expected %s, got %s", noteURIString, s)
+					}
+					return true
+				},
+			},
+			clock:        &MockClock{now},
+			input:        ActivityPubRequest(httptest.NewRequest("GET", noteURIString, nil)),
+			expectedCode: http.StatusOK,
+			expectedObjFn: func() vocab.Serializer {
+				testNote = &vocab.Note{}
+				testNote.SetId(noteIRI)
+				testNote.AppendNameString(noteName)
+				testNote.AppendContentString("This is a simple note")
+				return testNote
+			},
+			expectHandled: true,
+		},
 	}
 	for _, test := range tests {
 		t.Logf("Running table test case %q", test.name)
--- a/pub/internal.go
+++ b/pub/internal.go
@ -2103,6 +2103,27 @@ func getIRISetFromOrderedItems(c vocab.OrderedCollectionType) (map[string]bool,
 	return r, nil
 }

+func clearSensitiveFields(obj vocab.ObjectType) {
+	for i := 0; i < obj.BtoLen(); i++ {
+		if obj.IsBtoObject(0) {
+			obj.RemoveBtoObject(0)
+		} else if obj.IsBtoLink(0) {
+			obj.RemoveBtoLink(0)
+		} else if obj.IsBtoIRI(0) {
+			obj.RemoveBtoIRI(0)
+		}
+	}
+	for i := 0; i < obj.BccLen(); i++ {
+		if obj.IsBccObject(0) {
+			obj.RemoveBccObject(0)
+		} else if obj.IsBccLink(0) {
+			obj.RemoveBccLink(0)
+		} else if obj.IsBccIRI(0) {
+			obj.RemoveBccIRI(0)
+		}
+	}
+}
+
 // TODO: Move this to vocab package.
 var activityTypes = []string{"Accept", "Add", "Announce", "Arrive", "Block", "Create", "Delete", "Dislike", "Flag", "Follow", "Ignore", "Invite", "Join", "Leave", "Like", "Listen", "Move", "Offer", "Question", "Reject", "Read", "Remove", "TentativeReject", "TentativeAccept", "Travel", "Undo", "Update", "View"}