```bash $ sofapub A minimally functional ActivityPub implementation
Usage: sofapub
Commands: setup server get post webfinger help Print this message or the help of the given subcommand(s)
Options: -h, --help Print help ```
I had the thought earlier this evening that it sure would be nice to have a tool that I could use to make properly signed requests to remote ActivityPub servers so that I could evaluate their responses and build interfaces to work effectively. This project stems from that thought. The initial working prototype was built this evening while I was sitting on the sofa.
I used certbot
to generate certificates for my test domain name (sofa.jdt.dev) manually. This is the command I used.
certbot certonly --manual -d sofa.jdt.dev --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096 --config-dir certbot/config --work-dir certbot/work --logs-dir certbot/logs
Change that for your own domain name, obviously. You'll need to be ready to update your DNS settings to add in a verification TXT record for LetsEncrypt.
You'll need to forward port 443/tcp
to port 8086
(the default I chose) on your server. You'll also need to configure your DNS appropriately to point your domain name at the external address you're forwarding from.
This is the setup command I used (adjust for your purposes). This will create the RSA certificates.
cargo run --bin sofapub setup \
--username justin \
--display-name "Justin Thomas" \
--summary "This is my test account" \
--domain sofa.jdt.dev \
--tls-private-key-path /opt/certbot/config/live/sofa.jdt.dev/privkey.pem \
--tls-certificate-path /opt/certbot/config/live/sofa.jdt.dev/fullchain.pem
The configuration is stored in $HOME/.sofapub
and a suitable directory structure will be created there to support the server's operations.
RUST_LOG=debug cargo run --bin sofapub server
will start the SofaPub server. You can also use cargo install --path .
to install the sofapub
executable to your local cargo/.bin
directory. That should be included in your PATH
already.
Messages sent to inbox
will be captured in the ~/.sofapub/data/inbox
folder with server-generated UUID filenames. Here is what a Follow request from my user at infosec.exchange looks like:
``` $ RUST_LOG=debug sofapub server
[2023-09-02T01:05:32Z DEBUG server] igniting Configuration
[2023-09-02T01:05:32Z INFO rocket::launch] 🔧 Configured for debug.
[2023-09-02T01:05:32Z INFO rocket::launch::] address: 0.0.0.0
[2023-09-02T01:05:32Z INFO rocket::launch::] port: 8086
[2023-09-02T01:05:32Z INFO rocket::launch::] workers: 16
[2023-09-02T01:05:32Z INFO rocket::launch::] max blocking threads: 512
[2023-09-02T01:05:32Z INFO rocket::launch::] ident: Rocket
[2023-09-02T01:05:32Z INFO rocket::launch::] IP header: X-Real-IP
[2023-09-02T01:05:32Z INFO rocket::launch::] limits: bytes = 8KiB, data-form = 2MiB, file = 1MiB, form = 32KiB, json = 1MiB, msgpack = 1MiB, string = 8KiB
[2023-09-02T01:05:32Z INFO rocket::launch::] temp dir: /var/folders/z6/y2vfsg3j739fbx4hwzfm7700000gn/T/
[2023-09-02T01:05:32Z INFO rocket::launch::] http/2: true
[2023-09-02T01:05:32Z INFO rocket::launch::] keep-alive: 5s
[2023-09-02T01:05:32Z INFO rocket::launch::] tls: enabled w/o mtls
[2023-09-02T01:05:32Z INFO rocket::launch::] shutdown: ctrlc = true, force = true, signals = [SIGTERM], grace = 2s, mercy = 3s
[2023-09-02T01:05:32Z INFO rocket::launch::] log level: normal
[2023-09-02T01:05:32Z INFO rocket::launch::] cli colors: true
[2023-09-02T01:05:32Z INFO rocket::launch] 📬 Routes:
[2023-09-02T01:05:32Z INFO rocket::launch::] (inboxpost) POST /inbox
[2023-09-02T01:05:32Z INFO rocket::launch::] (profile) GET /
$ ls -la ~/.sofapub/data/inbox/ total 24 drwxr-xr-x@ 6 justin staff 192 Sep 1 18:05 . drwxr-xr-x@ 7 justin staff 224 Sep 1 17:55 .. -rw-r--r--@ 1 justin staff 227 Sep 1 18:03 1b7a3159-dcac-49f8-b687-b1defa06ff79.json -rw-r--r--@ 1 justin staff 360 Sep 1 18:05 f7c0ca70-49a9-4901-8928-f7bae48b8d1b.json
$ cat ~/.sofapub/data/inbox/*.json | jq { "@context": "https://www.w3.org/ns/activitystreams", "actor": "https://infosec.exchange/users/jdt", "id": "https://infosec.exchange/a9941fe3-1051-490c-8cb8-8793a1a9bcf3", "object": "https://sofa.jdt.dev/users/justin", "type": "Follow" } { "@context": "https://www.w3.org/ns/activitystreams", "actor": "https://infosec.exchange/users/jdt", "id": "https://infosec.exchange/users/jdt#follows/2830232/undo", "object": { "actor": "https://infosec.exchange/users/jdt", "id": "https://infosec.exchange/a9941fe3-1051-490c-8cb8-8793a1a9bcf3", "object": "https://sofa.jdt.dev/users/justin", "type": "Follow" }, "type": "Undo" } ```
Technically, I issued the Follow earlier, and the messages in the log above are showing you the Undo. Nonetheless, you can see both messages are captured by SofaPub for your review.
Assuming you have SofaPub up and running and you can query your user from another instance successfully, you should be able to use the included tools to interrogate and interact with ActivityPub instances in interesting ways. Here is one example where I use sofapub_get
to request profile data from a server that requires request signing for all operations (firefish.social).
First I use the included webfinger
tool to retrieve the WebFinger record for my user at Firefish.
$ sofapub webfinger @jdt@firefish.social | jq
{
"subject": "acct:jdt@firefish.social",
"links": [
{
"rel": "self",
"type": "application/activity+json",
"href": "https://firefish.social/users/9j54zro9qetnjhza"
},
{
"rel": "http://webfinger.net/rel/profile-page",
"type": "text/html",
"href": "https://firefish.social/@jdt"
},
{
"rel": "http://ostatus.org/schema/1.0/subscribe",
"template": "https://firefish.social/authorize-follow?acct={uri}"
}
]
}
Next I use the self
href
value with a type of application/activity+json
to try to retrieve the record with curl
. This would work on most Mastodon systems (which do not require request signing by default).
$ curl -H "Accept: application/activity+json" https://firefish.social/users/9j54zro9qetnjhza
Unauthorized
Bummer. No worries, though. Here I process the request through sofapub get
which uses my private RSA key in my configuration to sign the request. My sofapub server
is running, to allow the target server to retrieve my public key to verify the signature.
$ sofapub get https://firefish.social/users/9j54zro9qetnjhza | jq
{
"@context": [
"https://www.w3.org/ns/activitystreams",
"https://w3id.org/security/v1",
{
"manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
"movedToUri": "as:movedTo",
"sensitive": "as:sensitive",
"Hashtag": "as:Hashtag",
"quoteUri": "fedibird:quoteUri",
"quoteUrl": "as:quoteUrl",
"toot": "http://joinmastodon.org/ns#",
"Emoji": "toot:Emoji",
"featured": "toot:featured",
"discoverable": "toot:discoverable",
"schema": "http://schema.org#",
"PropertyValue": "schema:PropertyValue",
"value": "schema:value",
"misskey": "https://misskey-hub.net/ns#",
"_misskey_content": "misskey:_misskey_content",
"_misskey_quote": "misskey:_misskey_quote",
"_misskey_reaction": "misskey:_misskey_reaction",
"_misskey_votes": "misskey:_misskey_votes",
"_misskey_talk": "misskey:_misskey_talk",
"isCat": "misskey:isCat",
"fedibird": "http://fedibird.com/ns#",
"vcard": "http://www.w3.org/2006/vcard/ns#"
}
],
"type": "Person",
"id": "https://firefish.social/users/9j54zro9qetnjhza",
"inbox": "https://firefish.social/users/9j54zro9qetnjhza/inbox",
"outbox": "https://firefish.social/users/9j54zro9qetnjhza/outbox",
"followers": "https://firefish.social/users/9j54zro9qetnjhza/followers",
"following": "https://firefish.social/users/9j54zro9qetnjhza/following",
"featured": "https://firefish.social/users/9j54zro9qetnjhza/collections/featured",
"sharedInbox": "https://firefish.social/inbox",
"endpoints": {
"sharedInbox": "https://firefish.social/inbox"
},
"url": "https://firefish.social/@jdt",
"preferredUsername": "jdt",
"name": null,
"summary": null,
"icon": null,
"image": null,
"tag": [],
"manuallyApprovesFollowers": false,
"discoverable": true,
"publicKey": {
"id": "https://firefish.social/users/9j54zro9qetnjhza#main-key",
"type": "Key",
"owner": "https://firefish.social/users/9j54zro9qetnjhza",
"publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyzcWqxqXMH+tsPhIIZhU\nc9kHQHN+quayOAw+FtdX7bNmo+fY2Bndy5wRHymdcF/fFIXxCfeN6aO0FqBsPCrt\nO7XBsRkHi4LPSaZN730q+Q/FZmf6SVy943WWf8LgXOkt2VjJRO52w0seGrPR1/Dd\nB/6rFTDOVWUUyASL8+E1X2yQJ/veHRFrwpLPwYnfjJypCzhd2z3++y1PzjeHwygE\nHJx7EIcmFsiw7F+xDkEY4RWA/vV7bTajsij1P+DRkJJN+eNoK8y58Oxx2hf20tko\nf4cFnuawyLCRquixNlTHNqHxXR87nLEMP4rZrjuOjf5aIG7kxbyBnNuPtZ8ASrb/\nyprlsWkhkOY22K+XwvTWGDyo8Fduxh5ntWUB97fV1gDzD2NoN2bhXA4giUGCbo5V\nTj2Sbgsvk/DrF21whQjCJvVCThZwKfX7hZaaTWljNE1UEOTyS16WM+1i/ZWlOE5V\nQ7IbgImC+0rsbE9XeQaBJK5OhrOgO1nUeQkR4DwSaSORWuLf5xewJ6ZYxT474M+l\nytmrvCJFLUriDqFk8zjr6gon7fLt2yKagLaEU5DXduJQRMkpJ4hajpuZE2YNQwGj\n+ZNtpc6+OYfSbyxo2D/+HfVf1emQ1tSKo/w0chLzbokpIEFuR/4pmg1Etr5XG3XY\nP2nwPARDmUE/dzJ9Avq8Qy8CAwEAAQ==\n-----END PUBLIC KEY-----\n"
},
"isCat": false
}