Add Keybase integration (#10297)

* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting

app/lib/proof_provider/keybase.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase
+  BASE_URL = 'https://keybase.io'
+
+  class Error < StandardError; end
+
+  class ExpectedProofLiveError < Error; end
+
+  class UnexpectedResponseError < Error; end
+
+  def initialize(proof = nil)
+    @proof = proof
+  end
+
+  def serializer_class
+    ProofProvider::Keybase::Serializer
+  end
+
+  def worker_class
+    ProofProvider::Keybase::Worker
+  end
+
+  def validate!
+    unless @proof.token&.size == 66
+      @proof.errors.add(:base, I18n.t('identity_proofs.errors.keybase.invalid_token'))
+      return
+    end
+
+    return if @proof.provider_username.blank?
+
+    if verifier.valid?
+      @proof.verified = true
+      @proof.live     = false
+    else
+      @proof.errors.add(:base, I18n.t('identity_proofs.errors.keybase.verification_failed', kb_username: @proof.provider_username))
+    end
+  end
+
+  def refresh!
+    worker_class.new.perform(@proof)
+  rescue ProofProvider::Keybase::Error
+    nil
+  end
+
+  def on_success_path(user_agent = nil)
+    verifier.on_success_path(user_agent)
+  end
+
+  def badge
+    @badge ||= ProofProvider::Keybase::Badge.new(@proof.account.username, @proof.provider_username, @proof.token)
+  end
+
+  private
+
+  def verifier
+    @verifier ||= ProofProvider::Keybase::Verifier.new(@proof.account.username, @proof.provider_username, @proof.token)
+  end
+end

app/lib/proof_provider/keybase/badge.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase::Badge
+  include RoutingHelper
+
+  def initialize(local_username, provider_username, token)
+    @local_username    = local_username
+    @provider_username = provider_username
+    @token             = token
+  end
+
+  def proof_url
+    "#{ProofProvider::Keybase::BASE_URL}/#{@provider_username}/sigchain\##{@token}"
+  end
+
+  def profile_url
+    "#{ProofProvider::Keybase::BASE_URL}/#{@provider_username}"
+  end
+
+  def icon_url
+    "#{ProofProvider::Keybase::BASE_URL}/#{@provider_username}/proof_badge/#{@token}?username=#{@local_username}&domain=#{domain}"
+  end
+
+  def avatar_url
+    Rails.cache.fetch("proof_providers/keybase/#{@provider_username}/avatar_url", expires_in: 5.minutes) { remote_avatar_url } || default_avatar_url
+  end
+
+  private
+
+  def remote_avatar_url
+    request = Request.new(:get, "#{ProofProvider::Keybase::BASE_URL}/_/api/1.0/user/pic_url.json", params: { username: @provider_username })
+
+    request.perform do |res|
+      json = Oj.load(res.body_with_limit, mode: :strict)
+      json['pic_url'] if json.is_a?(Hash)
+    end
+  rescue Oj::ParseError, HTTP::Error, OpenSSL::SSL::SSLError
+    nil
+  end
+
+  def default_avatar_url
+    asset_pack_path('media/images/proof_providers/keybase.png')
+  end
+
+  def domain
+    Rails.configuration.x.local_domain
+  end
+end

app/lib/proof_provider/keybase/config_serializer.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase::ConfigSerializer < ActiveModel::Serializer
+  include RoutingHelper
+
+  attributes :version, :domain, :display_name, :username,
+             :brand_color, :logo, :description, :prefill_url,
+             :profile_url, :check_url, :check_path, :avatar_path,
+             :contact
+
+  def version
+    1
+  end
+
+  def domain
+    Rails.configuration.x.local_domain
+  end
+
+  def display_name
+    Setting.site_title
+  end
+
+  def logo
+    { svg_black: full_asset_url(asset_pack_path('media/images/logo_transparent_black.svg')), svg_full: full_asset_url(asset_pack_path('media/images/logo.svg')) }
+  end
+
+  def brand_color
+    '#282c37'
+  end
+
+  def description
+    Setting.site_short_description.presence || Setting.site_description.presence || I18n.t('about.about_mastodon_html')
+  end
+
+  def username
+    { min: 1, max: 30, re: Account::USERNAME_RE.inspect }
+  end
+
+  def prefill_url
+    params = {
+      provider: 'keybase',
+      token: '%{sig_hash}',
+      provider_username: '%{kb_username}',
+      username: '%{username}',
+      user_agent: '%{kb_ua}',
+    }
+
+    CGI.unescape(new_settings_identity_proof_url(params))
+  end
+
+  def profile_url
+    CGI.unescape(short_account_url('%{username}')) # rubocop:disable Style/FormatStringToken
+  end
+
+  def check_url
+    CGI.unescape(api_proofs_url(username: '%{username}', provider: 'keybase'))
+  end
+
+  def check_path
+    ['signatures']
+  end
+
+  def avatar_path
+    ['avatar']
+  end
+
+  def contact
+    [Setting.site_contact_email.presence].compact
+  end
+end

app/lib/proof_provider/keybase/serializer.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase::Serializer < ActiveModel::Serializer
+  include RoutingHelper
+
+  attribute :avatar
+
+  has_many :identity_proofs, key: :signatures
+
+  def avatar
+    full_asset_url(object.avatar_original_url)
+  end
+
+  class AccountIdentityProofSerializer < ActiveModel::Serializer
+    attributes :sig_hash, :kb_username
+
+    def sig_hash
+      object.token
+    end
+
+    def kb_username
+      object.provider_username
+    end
+  end
+end

app/lib/proof_provider/keybase/verifier.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase::Verifier
+  def initialize(local_username, provider_username, token)
+    @local_username    = local_username
+    @provider_username = provider_username
+    @token             = token
+  end
+
+  def valid?
+    request = Request.new(:get, "#{ProofProvider::Keybase::BASE_URL}/_/api/1.0/sig/proof_valid.json", params: query_params)
+
+    request.perform do |res|
+      json = Oj.load(res.body_with_limit, mode: :strict)
+
+      if json.is_a?(Hash)
+        json.fetch('proof_valid', false)
+      else
+        false
+      end
+    end
+  rescue Oj::ParseError, HTTP::Error, OpenSSL::SSL::SSLError
+    false
+  end
+
+  def on_success_path(user_agent = nil)
+    url = Addressable::URI.parse("#{ProofProvider::Keybase::BASE_URL}/_/proof_creation_success")
+    url.query_values = query_params.merge(kb_ua: user_agent || 'unknown')
+    url.to_s
+  end
+
+  def status
+    request = Request.new(:get, "#{ProofProvider::Keybase::BASE_URL}/_/api/1.0/sig/proof_live.json", params: query_params)
+
+    request.perform do |res|
+      raise ProofProvider::Keybase::UnexpectedResponseError unless res.code == 200
+
+      json = Oj.load(res.body_with_limit, mode: :strict)
+
+      raise ProofProvider::Keybase::UnexpectedResponseError unless json.is_a?(Hash) && json.key?('proof_valid') && json.key?('proof_live')
+
+      json
+    end
+  rescue Oj::ParseError, HTTP::Error, OpenSSL::SSL::SSLError
+    raise ProofProvider::Keybase::UnexpectedResponseError
+  end
+
+  private
+
+  def query_params
+    {
+      domain: domain,
+      kb_username: @provider_username,
+      username: @local_username,
+      sig_hash: @token,
+    }
+  end
+
+  def domain
+    Rails.configuration.x.local_domain
+  end
+end

app/lib/proof_provider/keybase/worker.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class ProofProvider::Keybase::Worker
+  include Sidekiq::Worker
+
+  sidekiq_options queue: 'pull', retry: 20, unique: :until_executed
+
+  sidekiq_retry_in do |count, exception|
+    # Retry aggressively when the proof is valid but not live in Keybase.
+    # This is likely because Keybase just hasn't noticed the proof being
+    # served from here yet.
+
+    if exception.class == ProofProvider::Keybase::ExpectedProofLiveError
+      case count
+      when 0..2 then 0.seconds
+      when 2..6 then 1.second
+      end
+    end
+  end
+
+  def perform(proof_id)
+    proof    = proof_id.is_a?(AccountIdentityProof) ? proof_id : AccountIdentityProof.find(proof_id)
+    verifier = ProofProvider::Keybase::Verifier.new(proof.account.username, proof.provider_username, proof.token)
+    status   = verifier.status
+
+    # If Keybase thinks the proof is valid, and it exists here in Mastodon,
+    # then it should be live. Keybase just has to notice that it's here
+    # and then update its state. That might take a couple seconds.
+    raise ProofProvider::Keybase::ExpectedProofLiveError if status['proof_valid'] && !status['proof_live']
+
+    proof.update!(verified: status['proof_valid'], live: status['proof_live'])
+  end
+end