Fix public key retrieval for GoToSocial profiles (#2354)

Author: obenland

.github/changelog/2354-from-description

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Fix public key retrieval for GoToSocial profiles with path-based key URLs.

includes/collection/class-remote-actors.php

@@ -12,7 +12,6 @@
 use Activitypub\Sanitize;
 use Activitypub\Webfinger;
 
-use function Activitypub\get_remote_metadata_by_actor;
 use function Activitypub\is_actor;
 use function Activitypub\object_to_uri;
 
@@ -535,7 +534,14 @@ public static function normalize_identifier( $actor ) {
 	 * @return resource|\WP_Error The public key resource or WP_Error.
 	 */
 	public static function get_public_key( $key_id ) {
-		$actor = get_remote_metadata_by_actor( \strip_fragment_from_url( $key_id ) );
+		$actor = self::get_by_uri( \strip_fragment_from_url( $key_id ) );
+
+		if ( \is_wp_error( $actor ) ) {
+			$actor = Http::get_remote_object( $key_id );
+		} else {
+			$actor = \json_decode( $actor->post_content, true );
+		}
+
 		if ( \is_wp_error( $actor ) ) {
 			return new \WP_Error( 'activitypub_no_remote_profile_found', 'No Profile found or Profile not accessible', array( 'status' => 401 ) );
 		}

tests/phpunit/tests/includes/class-test-signature.php

@@ -88,7 +88,7 @@ public function test_valid_hs2019_signatures_for_ec_curves( $curve, $algo ) {
 
 		// Mock the remote key retrieval for this curve.
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $public_key ) {
 				return array(
 					'name'      => 'Test User',
@@ -103,7 +103,7 @@ function () use ( $public_key ) {
 		);
 
 		$this->assertTrue( Signature::verify_http_signature( $request ), "Valid hs2019 signature for curve {$curve} should verify" );
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -132,7 +132,7 @@ public function test_invalid_hs2019_signatures_for_ec_curves() {
 		);
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $public_key ) {
 				return array(
 					'name'      => 'Test User',
@@ -146,7 +146,7 @@ function () use ( $public_key ) {
 			}
 		);
 		$this->assertWPError( Signature::verify_http_signature( $request ), 'Invalid hs2019 signature for curve prime256v1 should fail' );
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -191,7 +191,7 @@ public function test_valid_hs2019_signatures_for_rsa_sizes( $bits, $algo ) {
 		);
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $public_key ) {
 				return array(
 					'name'      => 'Test User',
@@ -205,7 +205,7 @@ function () use ( $public_key ) {
 			}
 		);
 		$this->assertTrue( Signature::verify_http_signature( $request ), "Valid hs2019 signature for RSA {$bits} bits should verify" );
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -234,7 +234,7 @@ public function test_invalid_hs2019_signatures_for_rsa_sizes() {
 		);
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $public_key ) {
 				return array(
 					'name'      => 'Test User',
@@ -248,7 +248,7 @@ function () use ( $public_key ) {
 			}
 		);
 		$this->assertWPError( Signature::verify_http_signature( $request ), 'Invalid hs2019 signature for RSA 2048 bits should fail' );
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -276,7 +276,7 @@ public function test_unsupported_ec_curve_for_hs2019() {
 			),
 		);
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $public_key ) {
 				return array(
 					'name'      => 'Test User',
@@ -290,7 +290,7 @@ function () use ( $public_key ) {
 			}
 		);
 		$this->assertWPError( Signature::verify_http_signature( $request ), 'Unsupported EC curve secp256k1 should fail' );
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -303,7 +303,7 @@ public function test_verify_http_signature_with_digest() {
 		$keys = Actors::get_keypair( 1 );
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $keys ) {
 				return array(
 					'name'      => 'Admin',
@@ -359,7 +359,7 @@ function () use ( $keys ) {
 
 		$this->assertTrue( Signature::verify_http_signature( $request ) );
 
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -377,7 +377,7 @@ public function test_verify_http_signature_rfc9421() {
 		$keys = self::$test_keys['rsa']['4096'];
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $keys ) {
 				return array(
 					'name'      => 'Admin',
@@ -441,7 +441,7 @@ function () use ( $keys ) {
 		// The verification should succeed.
 		$this->assertTrue( Signature::verify_http_signature( $request ) );
 
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 		\delete_option( 'activitypub_rfc9421_signature' );
 	}
 
@@ -496,7 +496,7 @@ public function test_verify_http_signature_rfc9421_get_request() {
 		$keys = self::$test_keys['rsa']['2048'];
 
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $keys ) {
 				return array(
 					'name'      => 'Admin',
@@ -558,7 +558,7 @@ function () use ( $keys ) {
 		// The verification should succeed.
 		$this->assertTrue( Signature::verify_http_signature( $request ) );
 
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**
@@ -592,7 +592,7 @@ public function test_verify_http_signature_rfc9421_algorithms() {
 	 */
 	private function verify_rfc9421_signature_with_keys( $keys, $algorithm ) {
 		\add_filter(
-			'pre_get_remote_metadata_by_actor',
+			'activitypub_pre_http_get_remote_object',
 			function () use ( $keys ) {
 				return array(
 					'name'      => 'Admin',
@@ -665,7 +665,7 @@ function () use ( $keys ) {
 		// The verification should succeed.
 		$this->assertTrue( Signature::verify_http_signature( $request ) );
 
-		\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**

tests/phpunit/tests/includes/collection/class-test-remote-actors.php

@@ -674,7 +674,7 @@ public function test_key_format_handling() {
 -----END PUBLIC KEY-----
 ';
 
-		\add_filter( 'pre_get_remote_metadata_by_actor', array( $this, 'pre_get_remote_metadata_by_actor' ), 10, 2 );
+		\add_filter( 'activitypub_pre_http_get_remote_object', array( $this, 'pre_http_get_remote_object' ), 10, 2 );
 
 		// X.509 key should remain unchanged.
 		$result       = Remote_Actors::get_public_key( 'https://example.com/author/x509' );
@@ -702,7 +702,12 @@ public function test_key_format_handling() {
 		$result = Remote_Actors::get_public_key( 'https://example.com/author/invalid' );
 		$this->assertWPError( $result );
 
-		\remove_filter( 'pre_get_remote_metadata_by_actor', array( $this, 'pre_get_remote_metadata_by_actor' ) );
+		// Test GoToSocial-style /main-key path suffix is stripped correctly.
+		$result       = Remote_Actors::get_public_key( 'https://example.com/author/x509/main-key' );
+		$key_resource = \openssl_pkey_get_details( $result );
+		$this->assertSame( $this->x509_key, $key_resource['key'] );
+
+		\remove_filter( 'activitypub_pre_http_get_remote_object', array( $this, 'pre_http_get_remote_object' ) );
 	}
 
 	/**
@@ -876,7 +881,31 @@ function ( $preempt, $parsed_args, $url ) {
 	 * @return array|\WP_Error
 	 */
 	public function pre_get_remote_metadata_by_actor( $value, $url ) {
-		if ( 'https://example.com/author/x509' === $url ) {
+		if ( 'https://example.com/author/invalid' === $url ) {
+			return array(
+				'name'      => 'Test Actor',
+				'url'       => 'https://example.com/author/invalid',
+				'publicKey' => array(
+					'id'           => 'https://example.com/author#main-key',
+					'owner'        => 'https://example.com/author',
+					'publicKeyPem' => 'INVALID KEY DATA',
+				),
+			);
+		}
+
+		return new \WP_Error( 'invalid_url', $url );
+	}
+
+	/**
+	 * Pre http get remote object.
+	 *
+	 * @param mixed  $pre           The preempted value.
+	 * @param string $url_or_object The URL or object.
+	 * @return array|\WP_Error
+	 */
+	public function pre_http_get_remote_object( $pre, $url_or_object ) {
+
+		if ( 'https://example.com/author/x509' === $url_or_object ) {
 			return array(
 				'name'      => 'Test Actor',
 				'url'       => 'https://example.com/author/x509',
@@ -888,7 +917,7 @@ public function pre_get_remote_metadata_by_actor( $value, $url ) {
 			);
 		}
 
-		if ( 'https://example.com/author/pkcs1' === $url ) {
+		if ( 'https://example.com/author/pkcs1' === $url_or_object ) {
 			return array(
 				'name'      => 'Test Actor',
 				'url'       => 'https://example.com/author/pkcs1',
@@ -900,7 +929,7 @@ public function pre_get_remote_metadata_by_actor( $value, $url ) {
 			);
 		}
 
-		if ( 'https://example.com/author/ec' === $url ) {
+		if ( 'https://example.com/author/ec' === $url_or_object ) {
 			return array(
 				'name'      => 'Test Actor',
 				'url'       => 'https://example.com/author/ec',
@@ -912,7 +941,7 @@ public function pre_get_remote_metadata_by_actor( $value, $url ) {
 			);
 		}
 
-		if ( 'https://example.com/author/pkcs8' === $url ) {
+		if ( 'https://example.com/author/pkcs8' === $url_or_object ) {
 			return array(
 				'name'      => 'Test Actor',
 				'url'       => 'https://example.com/author/pkcs8',
@@ -924,18 +953,18 @@ public function pre_get_remote_metadata_by_actor( $value, $url ) {
 			);
 		}
 
-		if ( 'https://example.com/author/invalid' === $url ) {
+		if ( 'https://example.com/author/x509/main-key' === $url_or_object ) {
 			return array(
-				'name'      => 'Test Actor',
-				'url'       => 'https://example.com/author/invalid',
+				'id'        => 'https://example.com/author/x509',
+				'type'      => 'Person',
 				'publicKey' => array(
 					'id'           => 'https://example.com/author#main-key',
 					'owner'        => 'https://example.com/author',
-					'publicKeyPem' => 'INVALID KEY DATA',
+					'publicKeyPem' => $this->x509_key,
 				),
 			);
 		}
 
-		return new \WP_Error( 'invalid_url', $url );
+		return $pre;
 	}
 }

tests/phpunit/tests/includes/rest/class-test-actors-inbox-controller.php

@@ -260,8 +260,8 @@ public function test_announce_request() {
 	 * @covers ::create_item
 	 */
 	public function test_user_inbox_post_verification() {
-		add_filter(
-			'pre_get_remote_metadata_by_actor',
+		\add_filter(
+			'activitypub_pre_http_get_remote_object',
 			function ( $json, $actor ) {
 				$public_key = Actors::get_public_key( self::$user_id );
 
@@ -286,7 +286,7 @@ function ( $json, $actor ) {
 		// Test valid request.
 		$actor    = Actors::get_by_id( self::$user_id );
 		$object   = \Activitypub\Transformer\Post::transform( $post )->to_object();
-		$activity = new \Activitypub\Activity\Activity( 'Like' );
+		$activity = new \Activitypub\Activity\Activity();
 		$activity->from_array(
 			array(
 				'id'     => 'https://example.com/activity/1',
@@ -330,7 +330,7 @@ function ( $json, $actor ) {
 		$response = \rest_do_request( $request );
 		$this->assertEquals( 202, $response->get_status() );
 
-		remove_filter( 'pre_get_remote_metadata_by_actor', '__return_true' );
+		\remove_all_filters( 'activitypub_pre_http_get_remote_object' );
 	}
 
 	/**