Merge branch 'auth-fetch-exception' into 'develop'

HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions See merge request pleroma/pleroma!4007
2024-05-28 04:42:35 +00:00 · 2024-05-28 04:42:35 +00:00 · 25903a4996
parent 8ff0c32903 73d58c22d4
commit 25903a4996
7 changed files with 55 additions and 17 deletions
--- a/changelog.d/auth-fetch-exception.add
+++ b/changelog.d/auth-fetch-exception.add
@ -0,0 +1 @@
+HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions configuration
--- a/config/description.exs
+++ b/config/description.exs
@ -1816,6 +1816,12 @@
        type: :boolean,
        description: "Require HTTP signatures for AP fetches"
      },
+      %{
+        key: :authorized_fetch_mode_exceptions,
+        type: {:list, :string},
+        description:
+          "List of IPs (CIDR format accepted) to exempt from HTTP Signatures requirement (for example to allow debugging, you shouldn't otherwise need this)"
+      },
      %{
        key: :note_replies_output_limit,
        type: :integer,
--- a/docs/configuration/cheatsheet.md
+++ b/docs/configuration/cheatsheet.md
@ -284,6 +284,7 @@ Notes:
 * `deny_follow_blocked`: Whether to disallow following an account that has blocked the user in question
 * `sign_object_fetches`: Sign object fetches with HTTP signatures
 * `authorized_fetch_mode`: Require HTTP signatures for AP fetches
+* `authorized_fetch_mode_exceptions`: List of IPs (CIDR format accepted) to exempt from HTTP Signatures requirement (for example to allow debugging, you shouldn't otherwise need this)

 ## Pleroma.User

--- a/lib/pleroma/helpers/inet_helper.ex
+++ b/lib/pleroma/helpers/inet_helper.ex
@ -16,4 +16,15 @@ def parse_address(ip) when is_binary(ip) do
  def parse_address(ip) do
    :inet.parse_address(ip)
  end
+
+  def parse_cidr(proxy) when is_binary(proxy) do
+    proxy =
+      cond do
+        "/" in String.codepoints(proxy) -> proxy
+        InetCidr.v4?(InetCidr.parse_address!(proxy)) -> proxy <> "/32"
+        InetCidr.v6?(InetCidr.parse_address!(proxy)) -> proxy <> "/128"
+      end
+
+    InetCidr.parse_cidr!(proxy, true)
+  end
 end
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@ -3,6 +3,8 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
+  alias Pleroma.Helpers.InetHelper
+
  import Plug.Conn
  import Phoenix.Controller, only: [get_format: 1, text: 2]
  require Logger
@ -89,12 +91,20 @@ defp has_signature_header?(conn) do

  defp maybe_require_signature(%{assigns: %{valid_signature: true}} = conn), do: conn

-  defp maybe_require_signature(conn) do
+  defp maybe_require_signature(%{remote_ip: remote_ip} = conn) do
    if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do
+      exceptions =
+        Pleroma.Config.get([:activitypub, :authorized_fetch_mode_exceptions], [])
+        |> Enum.map(&InetHelper.parse_cidr/1)
+
+      if Enum.any?(exceptions, fn x -> InetCidr.contains?(x, remote_ip) end) do
+        conn
+      else
        conn
        |> put_status(:unauthorized)
        |> text("Request not signed")
        |> halt()
+      end
    else
      conn
    end
--- a/lib/pleroma/web/plugs/remote_ip.ex
+++ b/lib/pleroma/web/plugs/remote_ip.ex
@ -8,6 +8,7 @@ defmodule Pleroma.Web.Plugs.RemoteIp do
  """

  alias Pleroma.Config
+  alias Pleroma.Helpers.InetHelper
  import Plug.Conn

  @behaviour Plug
@ -30,19 +31,8 @@ defp remote_ip_opts do
    proxies =
      Config.get([__MODULE__, :proxies], [])
      |> Enum.concat(reserved)
-      |> Enum.map(&maybe_add_cidr/1)
+      |> Enum.map(&InetHelper.parse_cidr/1)

    {headers, proxies}
  end
-
-  defp maybe_add_cidr(proxy) when is_binary(proxy) do
-    proxy =
-      cond do
-        "/" in String.codepoints(proxy) -> proxy
-        InetCidr.v4?(InetCidr.parse_address!(proxy)) -> proxy <> "/32"
-        InetCidr.v6?(InetCidr.parse_address!(proxy)) -> proxy <> "/128"
-      end
-
-    InetCidr.parse_cidr!(proxy, true)
-  end
 end
--- a/test/pleroma/web/plugs/http_signature_plug_test.exs
+++ b/test/pleroma/web/plugs/http_signature_plug_test.exs
@ -81,5 +81,24 @@ test "halts the connection when `signature` header is not present", %{conn: conn
      assert conn.state == :sent
      assert conn.resp_body == "Request not signed"
    end
+
+    test "exempts specific IPs from `authorized_fetch_mode_exceptions`", %{conn: conn} do
+      clear_config([:activitypub, :authorized_fetch_mode_exceptions], ["192.168.0.0/24"])
+
+      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+        conn =
+          conn
+          |> Map.put(:remote_ip, {192, 168, 0, 1})
+          |> put_req_header(
+            "signature",
+            "keyId=\"http://mastodon.example.org/users/admin#main-key"
+          )
+          |> HTTPSignaturePlug.call(%{})
+
+        assert conn.remote_ip == {192, 168, 0, 1}
+        assert conn.halted == false
+        assert called(HTTPSignatures.validate_conn(:_))
+      end
+    end
  end
 end
				`@ -0,0 +1 @@`
				`HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions configuration`