feat: cli taks to cloak actors too

upub/cli/src/cloak.rs

@@ -1,11 +1,12 @@
 use futures::TryStreamExt;
-use sea_orm::{ActiveModelTrait, ActiveValue::{Set, Unchanged}, ColumnTrait, EntityTrait, IntoActiveModel, QueryFilter, QuerySelect, SelectColumns, TransactionTrait};
+use sea_orm::{ActiveModelTrait, ActiveValue::{Set, Unchanged}, ColumnTrait, Condition, EntityTrait, IntoActiveModel, QueryFilter, QuerySelect, SelectColumns, TransactionTrait};
 use upub::traits::{fetch::RequestError, Cloaker};
 
-pub async fn cloak(ctx: upub::Context, post_contents: bool) -> Result<(), RequestError> {
+pub async fn cloak(ctx: upub::Context, post_contents: bool, actors: bool) -> Result<(), RequestError> {
+	let local_base = format!("{}%", ctx.base()));
 	{
 		let mut stream = upub::model::attachment::Entity::find()
-			.filter(upub::model::attachment::Column::Url.not_like(format!("{}%", ctx.base())))
+			.filter(upub::model::attachment::Column::Url.not_like(&local_base)
 			.stream(ctx.db())
 			.await?;
 
@@ -42,5 +43,41 @@ pub async fn cloak(ctx: upub::Context, post_contents: bool) -> Result<(), Reques
 		}
 	}
 
+	if actors {
+		let mut stream = upub::model::actor::Entity::find()
+			.filter(
+				Condition::any()
+					.add(upub::model::actor::Column::Image.not_like(&local_base))
+					.add(upub::model::actor::Column::Icon.not_like(&local_base))
+			)
+			.select_only()
+			.select_column(upub::model::actor::Column::Internal)
+			.select_column(upub::model::actor::Column::Image)
+			.select_column(upub::model::actor::Column::Icon)
+			.into_tuple::<(i64, Option<String>, Option<String>)>()
+			.stream(ctx.db())
+			.await?;
+
+		while let Some((internal, image, icon)) = stream.try_next().await? {
+			if image.is_none() && icon.is_none() { continue }
+			let image = if let Some(img) = image && !img.starts_with(ctx.base()) {
+				Set(ctx.cloaked(&img))
+			} else {
+				NotSet
+			};
+			let icon = if let Some(icn) = icon && !icn.starts_with(ctx.base()) {
+				Set(ctx.cloaked(&icn))
+			} else {
+				NotSet
+			};
+			let model = upub::model::actor::ActiveModel {
+				internal: Unchanged(internal),
+				image, icon,
+				..Default::default()
+			};
+			model.update(ctx.db()).await?;
+		}
+	}
+
 	Ok(())
 }

upub/cli/src/lib.rs

@@ -119,6 +119,10 @@ pub enum CliCommand {
 		/// also replace urls inside post contents
 		#[arg(long, default_value_t = false)]
 		post_contents: bool,
+
+		/// also cloak actor images
+		#[arg(long, default_value_t = false)]
+		actors: bool,
 	},
 }
 
@@ -141,7 +145,7 @@ pub async fn run(ctx: upub::Context, command: CliCommand) -> Result<(), Box<dyn
 			Ok(nuke(ctx, for_real, delete_objects).await?),
 		CliCommand::Thread { } =>
 			Ok(thread(ctx).await?),
-		CliCommand::Cloak { post_contents } =>
-			Ok(cloak(ctx, post_contents).await?),
+		CliCommand::Cloak { post_contents, actors } =>
+			Ok(cloak(ctx, post_contents, actors).await?),
 	}
 }

upub/core/src/traits/fetch.rs

@@ -2,11 +2,11 @@ use std::collections::BTreeMap;
 
 use apb::{Activity, Actor, ActorMut, Base, Collection, Object};
 use reqwest::{header::{ACCEPT, CONTENT_TYPE, USER_AGENT}, Method, Response};
-use sea_orm::{ConnectionTrait, DbErr, EntityTrait, IntoActiveModel, NotSet};
+use sea_orm::{ConnectionTrait, DbErr, EntityTrait, IntoActiveModel, NotSet, ActiveValue::{Set, NotSet, Unchanged}};
 
 use crate::traits::normalize::AP;
 
-use super::{Addresser, Normalizer};
+use super::{Addresser, Cloaker, Normalizer};
 use httpsign::HttpSignature;
 
 #[derive(Debug, Clone)]
@@ -305,7 +305,20 @@ impl Fetcher for crate::Context {
 			}
 		}
 
-		let user_model = AP::actor_q(&document, None)?;
+		let mut user_model = AP::actor_q(&document, None)?;
+
+		// cloak remote images
+		if let Set(Some(ref image)) = user_model.image {
+			if !image.starts_with(self.base()) {
+				user_model.image = Set(Some(self.cloaked(image)));
+			}
+		}
+
+		if let Set(Some(ref icon)) = user_model.icon {
+			if !icon.starts_with(self.base()) {
+				user_model.icon = Set(Some(self.cloaked(icon)));
+			}
+		}
 
 		// TODO this may fail: while fetching, remote server may fetch our service actor.
 		//      if it does so with http signature, we will fetch that actor in background

upub/core/src/traits/process.rs

@@ -1,6 +1,6 @@
 use apb::{target::Addressed, Activity, Base, Object};
 use sea_orm::{sea_query::Expr, ActiveModelTrait, ActiveValue::{NotSet, Set}, ColumnTrait, Condition, DatabaseTransaction, EntityTrait, QueryFilter, QuerySelect, SelectColumns};
-use crate::{ext::{AnyQuery, LoggableError}, model, traits::{fetch::Pull, Addresser, Fetcher, Normalizer}};
+use crate::{ext::{AnyQuery, LoggableError}, model, traits::{fetch::Pull, Addresser, Cloaker, Fetcher, Normalizer}};
 
 #[derive(Debug, thiserror::Error)]
 pub enum ProcessorError {
@@ -368,6 +368,17 @@ pub async fn update(ctx: &crate::Context, activity: impl apb::Activity, tx: &Dat
 				.await?
 				.ok_or(ProcessorError::Incomplete)?;
 			let mut actor_model = crate::AP::actor_q(object_node.as_actor()?, Some(internal_uid))?;
+			if let Set(Some(ref image)) = actor_model.image {
+				if !image.starts_with(ctx.base()) {
+					actor_model.image = Set(Some(ctx.cloaked(image)));
+				}
+			}
+
+			if let Set(Some(ref icon)) = actor_model.icon {
+				if !icon.starts_with(ctx.base()) {
+					actor_model.icon = Set(Some(ctx.cloaked(icon)));
+				}
+			}
 			actor_model.updated = Set(chrono::Utc::now());
 			actor_model.update(tx).await?;
 		},
@@ -376,6 +387,9 @@ pub async fn update(ctx: &crate::Context, activity: impl apb::Activity, tx: &Dat
 				.await?
 				.ok_or(ProcessorError::Incomplete)?;
 			let mut object_model = crate::AP::object_q(&object_node, Some(internal_oid))?;
+			if let Set(Some(ref content)) = object_model.content {
+				object_model.content = Set(Some(ctx.sanitize(content)));
+			}
 			object_model.context = NotSet; // TODO dont overwrite context when updating!!
 			object_model.updated = Set(chrono::Utc::now());
 			object_model.update(tx).await?;