HTTP signatures respect allowlist federation
This commit is contained in:
parent
f12d3cce39
commit
d2b0d86471
2 changed files with 57 additions and 3 deletions
|
@ -108,15 +108,28 @@ defp blocked_instances do
|
||||||
Config.get([:mrf_simple, :reject], [])
|
Config.get([:mrf_simple, :reject], [])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp allowed_instances do
|
||||||
|
Config.get([:mrf_simple, :accept])
|
||||||
|
end
|
||||||
|
|
||||||
def should_federate?(url) do
|
def should_federate?(url) do
|
||||||
%{host: host} = URI.parse(url)
|
%{host: host} = URI.parse(url)
|
||||||
|
|
||||||
quarantined_instances =
|
with allowed <- allowed_instances(),
|
||||||
blocked_instances()
|
false <- Enum.empty?(allowed) do
|
||||||
|
allowed
|
||||||
|> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples()
|
|> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples()
|
||||||
|> Pleroma.Web.ActivityPub.MRF.subdomains_regex()
|
|> Pleroma.Web.ActivityPub.MRF.subdomains_regex()
|
||||||
|
|> Pleroma.Web.ActivityPub.MRF.subdomain_match?(host)
|
||||||
|
else
|
||||||
|
_ ->
|
||||||
|
quarantined_instances =
|
||||||
|
blocked_instances()
|
||||||
|
|> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples()
|
||||||
|
|> Pleroma.Web.ActivityPub.MRF.subdomains_regex()
|
||||||
|
|
||||||
!Pleroma.Web.ActivityPub.MRF.subdomain_match?(quarantined_instances, host)
|
not Pleroma.Web.ActivityPub.MRF.subdomain_match?(quarantined_instances, host)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
@spec recipients(User.t(), Activity.t()) :: list(User.t()) | []
|
@spec recipients(User.t(), Activity.t()) :: list(User.t()) | []
|
||||||
|
|
|
@ -69,6 +69,47 @@ test "it considers a mapped identity to be invalid when the associated instance
|
||||||
assert %{valid_signature: false} == conn.assigns
|
assert %{valid_signature: false} == conn.assigns
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "allowlist federation: it considers a mapped identity to be valid when the associated instance is allowed" do
|
||||||
|
clear_config([:activitypub, :authorized_fetch_mode], true)
|
||||||
|
|
||||||
|
clear_config([:mrf_simple, :accept], [
|
||||||
|
{"mastodon.example.org", "anime is allowed"}
|
||||||
|
])
|
||||||
|
|
||||||
|
on_exit(fn ->
|
||||||
|
Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
|
||||||
|
Pleroma.Config.put([:mrf_simple, :accept], [])
|
||||||
|
end)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn(:post, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
|
||||||
|
|> set_signature("http://mastodon.example.org/users/admin")
|
||||||
|
|> MappedSignatureToIdentityPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns[:valid_signature]
|
||||||
|
refute is_nil(conn.assigns.user)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "allowlist federation: it considers a mapped identity to be invalid when the associated instance is not allowed" do
|
||||||
|
clear_config([:activitypub, :authorized_fetch_mode], true)
|
||||||
|
|
||||||
|
clear_config([:mrf_simple, :accept], [
|
||||||
|
{"misskey.example.org", "anime is allowed"}
|
||||||
|
])
|
||||||
|
|
||||||
|
on_exit(fn ->
|
||||||
|
Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
|
||||||
|
Pleroma.Config.put([:mrf_simple, :accept], [])
|
||||||
|
end)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn(:post, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
|
||||||
|
|> set_signature("http://mastodon.example.org/users/admin")
|
||||||
|
|> MappedSignatureToIdentityPlug.call(%{})
|
||||||
|
|
||||||
|
assert %{valid_signature: false} == conn.assigns
|
||||||
|
end
|
||||||
|
|
||||||
@tag skip: "known breakage; the testsuite presently depends on it"
|
@tag skip: "known breakage; the testsuite presently depends on it"
|
||||||
test "it considers a mapped identity to be invalid when the identity cannot be found" do
|
test "it considers a mapped identity to be invalid when the identity cannot be found" do
|
||||||
conn =
|
conn =
|
||||||
|
|
Loading…
Reference in a new issue