diff options
| author | Eugen Rochko <eugen@zeonfederated.com> | 2019-07-11 20:11:09 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-11 20:11:09 +0200 |
| commit | 5bf67ca91350e40e6f329271d3ca2bdcba87ab64 (patch) | |
| tree | e6a124c0c3913900a6d55c163b0ef308bfae64c7 /app/controllers/concerns | |
| parent | 4e1260feaa09bfa7305887e34cb129b37bee6c52 (diff) | |
Add ActivityPub secure mode (#11269)
* Add HTTP signature requirement for served ActivityPub resources * Change `SECURE_MODE` to `AUTHORIZED_FETCH` * Add 'Signature' to 'Vary' header and improve code style * Improve code style by adding `public_fetch_mode?` method
Diffstat (limited to 'app/controllers/concerns')
| -rw-r--r-- | app/controllers/concerns/account_controller_concern.rb | 2 | ||||
| -rw-r--r-- | app/controllers/concerns/signature_verification.rb | 19 |
2 files changed, 17 insertions, 4 deletions
diff --git a/app/controllers/concerns/account_controller_concern.rb b/app/controllers/concerns/account_controller_concern.rb index 287a930da..11eac0eb6 100644 --- a/app/controllers/concerns/account_controller_concern.rb +++ b/app/controllers/concerns/account_controller_concern.rb @@ -11,7 +11,7 @@ module AccountControllerConcern layout 'public' before_action :set_instance_presenter - before_action :set_link_headers + before_action :set_link_headers, if: -> { request.format.nil? || request.format == :html } end private diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb index 0ccdf5ec9..7b251cf80 100644 --- a/app/controllers/concerns/signature_verification.rb +++ b/app/controllers/concerns/signature_verification.rb @@ -7,12 +7,20 @@ module SignatureVerification include DomainControlHelper + def require_signature! + render plain: signature_verification_failure_reason, status: signature_verification_failure_code unless signed_request_account + end + def signed_request? request.headers['Signature'].present? end def signature_verification_failure_reason - return @signature_verification_failure_reason if defined?(@signature_verification_failure_reason) + @signature_verification_failure_reason + end + + def signature_verification_failure_code + @signature_verification_failure_code || 401 end def signed_request_account @@ -125,11 +133,16 @@ module SignatureVerification end def account_from_key_id(key_id) + domain = key_id.start_with?('acct:') ? key_id.split('@').last : key_id + + if domain_not_allowed?(domain) + @signature_verification_failure_code = 403 + return + end + if key_id.start_with?('acct:') stoplight_wrap_request { ResolveAccountService.new.call(key_id.gsub(/\Aacct:/, '')) } elsif !ActivityPub::TagManager.instance.local_uri?(key_id) - return if domain_not_allowed?(key_id) - account = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account) account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false) } account |