Handled disabling ActivityPub

ref https://linear.app/ghost/issue/PROD-2351

When ActivityPub is disabled we want to cease federating content, this 
is done by removng all webhooks for the ActivityPub integration.

We also request the disable site handler on ActivityPub, which currently
noops, but may eventually disable webfinger, actor lookups etc...

---------

Co-authored-by: Michael Barrett <[email protected]>

Author: allouis

ghost/core/core/server/services/activitypub/ActivityPubService.ts

@@ -81,13 +81,7 @@ export class ActivityPubService {
 
     async getWebhookSecret(): Promise<string | null> {
         try {
-            const ownerUser = await this.knex('users')
-                .select('users.*')
-                .join('roles_users', 'users.id', 'roles_users.user_id')
-                .join('roles', 'roles.id', 'roles_users.role_id')
-                .where('roles.name', 'Owner')
-                .first();
-            const token = await this.identityTokenService.getTokenForUser(ownerUser.email, 'Owner');
+            const token = await this.getOwnerUserToken();
 
             const res = await fetch(new URL('.ghost/activitypub/v1/site', this.siteUrl), {
                 headers: {
@@ -104,6 +98,34 @@ export class ActivityPubService {
         }
     }
 
+    async disable() {
+        await this.removeWebhooks();
+        await this.disableSite();
+    }
+
+    async enable() {
+        await this.initialiseWebhooks();
+    }
+
+    async removeWebhooks() {
+        const integration = await this.knex
+            .select('*')
+            .from('integrations')
+            .where('slug', '=', 'ghost-activitypub')
+            .andWhere('type', '=', 'internal')
+            .first();
+
+        if (!integration) {
+            this.logging.error('No ActivityPub integration found - cannot remove webhooks');
+            return;
+        }
+
+        await this.knex
+            .del()
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+    }
+
     async initialiseWebhooks() {
         const integration = await this.knex
             .select('*')
@@ -155,4 +177,30 @@ export class ActivityPubService {
             .insert(webhooksToInsert)
             .into('webhooks');
     }
+
+    async disableSite() {
+        try {
+            const token = await this.getOwnerUserToken();
+
+            await fetch(new URL('.ghost/activitypub/v1/site', this.siteUrl), {
+                method: 'DELETE',
+                headers: {
+                    Authorization: `Bearer ${token}`
+                }
+            });
+        } catch (err: unknown) {
+            this.logging.error(`Could not disable ActivityPub for site: ${this.siteUrl} due to: ${err}`);
+        }
+    }
+
+    private async getOwnerUserToken() {
+        const ownerUser = await this.knex('users')
+            .select('users.*')
+            .join('roles_users', 'users.id', 'roles_users.user_id')
+            .join('roles', 'roles.id', 'roles_users.role_id')
+            .where('roles.name', 'Owner')
+            .first();
+
+        return await this.identityTokenService.getTokenForUser(ownerUser.email, 'Owner');
+    }
 }

ghost/core/core/server/services/activitypub/ActivityPubServiceWrapper.js

@@ -32,22 +32,23 @@ module.exports = class ActivityPubServiceWrapper {
             IdentityTokenServiceWrapper.instance
         );
 
-        const initActivityPubService = async () => {
-            await ActivityPubServiceWrapper.instance.initialiseWebhooks();
-            ActivityPubServiceWrapper.initialised = true;
-        };
-
-        if (settingsCache.get('social_web_enabled')) {
-            await initActivityPubService();
-        } else {
-            const initActivityPubServiceLater = async () => {
-                if (settingsCache.get('social_web_enabled') && !ActivityPubServiceWrapper.initialised) {
-                    await initActivityPubService();
+        async function configureActivityPub() {
+            if (settingsCache.get('social_web_enabled')) {
+                if (!ActivityPubServiceWrapper.initialised) {
+                    await ActivityPubServiceWrapper.instance.enable();
+                    ActivityPubServiceWrapper.initialised = true;
                 }
-            };
-
-            events.on('settings.labs.edited', initActivityPubServiceLater);
-            events.on('settings.social_web.edited', initActivityPubServiceLater);
+            } else {
+                if (ActivityPubServiceWrapper.initialised) {
+                    await ActivityPubServiceWrapper.instance.disable();
+                    ActivityPubServiceWrapper.initialised = false;
+                }
+            }
         }
+
+        events.on('settings.labs.edited', configureActivityPub);
+        events.on('settings.social_web.edited', configureActivityPub);
+
+        configureActivityPub();
     }
 };

ghost/core/test/unit/server/services/activitypub/ActivityPubService.test.ts

@@ -307,4 +307,36 @@ describe('ActivityPubService', function () {
 
         await knexInstance.destroy();
     });
+
+    it('Can disable the site', async function () {
+        const knexInstance = await getKnexInstance();
+        await addOwnerUser(knexInstance);
+        await addActivityPubIntegration(knexInstance);
+
+        const siteUrl = new URL('http://fake-site-url');
+        const scope = nock(siteUrl)
+            .delete('/.ghost/activitypub/v1/site')
+            .matchHeader('authorization', 'Bearer token:[email protected]:Owner')
+            .reply(200);
+
+        const logging = console;
+        const identityTokenService = {
+            getTokenForUser(email: string, role: string) {
+                return `token:${email}:${role}`;
+            }
+        };
+
+        const service = new ActivityPubService(
+            knexInstance,
+            siteUrl,
+            logging,
+            identityTokenService as unknown as IdentityTokenService
+        );
+
+        await service.disableSite();
+
+        assert(scope.isDone(), 'Expected the ActivityPub site endpoint to be called');
+
+        await knexInstance.destroy();
+    });
 });