nrd.li/akkoma
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

HTTP signatures respect allowlist federation

Browse source
This commit is contained in:
Atsuko Karagi 2023-04-04 17:41:13 +02:00 committed by FloatingGhost
parent f12d3cce39
commit d2b0d86471
2 changed files with 57 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
lib/pleroma/web/activity_pub/publisher.ex
View file

@ -108,15 +108,28 @@ defp blocked_instances do
Config.get([:mrf_simple, :reject], []) Config.get([:mrf_simple, :reject], [])
end end
defp allowed_instances do
Config.get([:mrf_simple, :accept])
end
def should_federate?(url) do def should_federate?(url) do
%{host: host} = URI.parse(url) %{host: host} = URI.parse(url)
quarantined_instances = with allowed <- allowed_instances(),
blocked_instances() false <- Enum.empty?(allowed) do
allowed
|> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples() |> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples()
|> Pleroma.Web.ActivityPub.MRF.subdomains_regex() |> Pleroma.Web.ActivityPub.MRF.subdomains_regex()
|> Pleroma.Web.ActivityPub.MRF.subdomain_match?(host)
else
_ ->
quarantined_instances =
blocked_instances()
|> Pleroma.Web.ActivityPub.MRF.instance_list_from_tuples()
|> Pleroma.Web.ActivityPub.MRF.subdomains_regex()
!Pleroma.Web.ActivityPub.MRF.subdomain_match?(quarantined_instances, host) not Pleroma.Web.ActivityPub.MRF.subdomain_match?(quarantined_instances, host)
end
end end
@spec recipients(User.t(), Activity.t()) :: list(User.t()) | [] @spec recipients(User.t(), Activity.t()) :: list(User.t()) | []

41
test/pleroma/web/plugs/mapped_signature_to_identity_plug_test.exs
View file

@ -69,6 +69,47 @@ test "it considers a mapped identity to be invalid when the associated instance
assert %{valid_signature: false} == conn.assigns assert %{valid_signature: false} == conn.assigns
end end
test "allowlist federation: it considers a mapped identity to be valid when the associated instance is allowed" do
clear_config([:activitypub, :authorized_fetch_mode], true)
clear_config([:mrf_simple, :accept], [
{"mastodon.example.org", "anime is allowed"}
])
on_exit(fn ->
Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
Pleroma.Config.put([:mrf_simple, :accept], [])
end)
conn =
build_conn(:post, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
|> set_signature("http://mastodon.example.org/users/admin")
|> MappedSignatureToIdentityPlug.call(%{})
assert conn.assigns[:valid_signature]
refute is_nil(conn.assigns.user)
end
test "allowlist federation: it considers a mapped identity to be invalid when the associated instance is not allowed" do
clear_config([:activitypub, :authorized_fetch_mode], true)
clear_config([:mrf_simple, :accept], [
{"misskey.example.org", "anime is allowed"}
])
on_exit(fn ->
Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
Pleroma.Config.put([:mrf_simple, :accept], [])
end)
conn =
build_conn(:post, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
|> set_signature("http://mastodon.example.org/users/admin")
|> MappedSignatureToIdentityPlug.call(%{})
assert %{valid_signature: false} == conn.assigns
end
@tag skip: "known breakage; the testsuite presently depends on it" @tag skip: "known breakage; the testsuite presently depends on it"
test "it considers a mapped identity to be invalid when the identity cannot be found" do test "it considers a mapped identity to be invalid when the identity cannot be found" do
conn = conn =