commit: 086ba59d0346be870dc7df2660fbb55666bf0af7
parent f271ea6e432d685c113582e5944d79e12c153016
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sat, 16 Dec 2023 18:56:46 +0100

HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions

Diffstat:

Achangelog.d/auth-fetch-exception.add2++
Mconfig/description.exs6++++++
Mdocs/configuration/cheatsheet.md1+
Mlib/pleroma/web/plugs/http_signature_plug.ex20+++++++++++++++-----
Mtest/pleroma/web/plugs/http_signature_plug_test.exs19+++++++++++++++++++
5 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/changelog.d/auth-fetch-exception.add b/changelog.d/auth-fetch-exception.add
@@ -0,0 +1 @@
+HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions configuration
+\ No newline at end of file
diff --git a/config/description.exs b/config/description.exs
@@ -1772,6 +1772,12 @@ config :pleroma, :config_description, [
 description: "Require HTTP signatures for AP fetches"
 },
 %{
+ key: :authorized_fetch_mode_exceptions,
+ type: {:list, :string},
+ description:
+ "List of IPs (CIDR format accepted) to exempt from HTTP Signatures requirement (for example to allow debugging, you shouldn't otherwise need this)"
+ },
+ %{
 key: :note_replies_output_limit,
 type: :integer,
 description:
diff --git a/docs/configuration/cheatsheet.md b/docs/configuration/cheatsheet.md
@@ -279,6 +279,7 @@ Notes:
 * `deny_follow_blocked`: Whether to disallow following an account that has blocked the user in question
 * `sign_object_fetches`: Sign object fetches with HTTP signatures
 * `authorized_fetch_mode`: Require HTTP signatures for AP fetches
+* `authorized_fetch_mode_exceptions`: List of IPs (CIDR format accepted) to exempt from HTTP Signatures requirement (for example to allow debugging, you shouldn't otherwise need this)
 ## Pleroma.User
diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
+ alias Pleroma.Helpers.InetHelper
+
 import Plug.Conn
 import Phoenix.Controller, only: [get_format: 1, text: 2]
 require Logger
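Review bot: The new `description` string for `:authorized_fetch_mode_exceptions` in config/description.exs does not say which address the CIDR list is matched against, which is exactly what an operator needs in order to set it safely; the plug in this commit compares the entries with `conn.remote_ip`, so behind a reverse proxy the list has to describe the client address that is restored from the proxy, not the proxy's own address. I would append to the description, and to the matching cheatsheet line in this commit, a sentence along the lines of: `Matched against the connection's remote IP; behind a reverse proxy make sure the real client address is restored before this check, otherwise a range covering the proxy exempts every request.` The config element is complete within the hunk.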
@@ -89,12 +91,20 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
 defp maybe_require_signature(%{assigns: %{valid_signature: true}} = conn), do: conn
- defp maybe_require_signature(conn) do
+ defp maybe_require_signature(%{remote_ip: remote_ip} = conn) do
 if Pleroma.Config.get([:activitypub, :authorized_fetch_mode], false) do
- conn
- |> put_status(:unauthorized)
- |> text("Request not signed")
- |> halt()
+ exceptions =
+ Pleroma.Config.get([:activitypub, :authorized_fetch_mode_exceptions], [])
+ |> Enum.map(&InetHelper.parse_cidr/1)
+
+ if Enum.any?(exceptions, fn x -> InetCidr.contains?(x, remote_ip) end) do
+ conn
+ else
+ conn
+ |> put_status(:unauthorized)
+ |> text("Request not signed")
+ |> halt()
+ end
 else
 conn
 end
diff --git a/test/pleroma/web/plugs/http_signature_plug_test.exs b/test/pleroma/web/plugs/http_signature_plug_test.exs
@@ -81,5 +81,24 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 assert conn.state == :sent
 assert conn.resp_body == "Request not signed"
 end
+
+ test "exempts specific IPs from `authorized_fetch_mode_exceptions`", %{conn: conn} do
+ clear_config([:activitypub, :authorized_fetch_mode_exceptions], ["192.168.0.0/24"])
+
+ with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+ conn =
+ conn
+ |> Map.put(:remote_ip, {192, 168, 0, 1})
+ |> put_req_header(
+ "signature",
+ "keyId=\"http://mastodon.example.org/users/admin#main-key"
+ )
+ |> HTTPSignaturePlug.call(%{})
+
+ assert conn.remote_ip == {192, 168, 0, 1}
+ assert conn.halted == false
+ assert called(HTTPSignatures.validate_conn(:_))
+ end
+ end
 end
 end
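Review bot: The new `maybe_require_signature(%{remote_ip: remote_ip} = conn)` clause trusts `conn.remote_ip` as the client address, but that field is only the peer that opened the connection; behind a reverse proxy it is the proxy unless an earlier plug has already rewritten it from forwarded headers (not visible in this hunk), and a CIDR that happens to cover the proxy would then exempt every unsigned fetch and silently switch `authorized_fetch_mode` off. A why-comment above the `exceptions =` binding would make that ordering dependency explicit: `# remote_ip must already be the real client address (proxy handling runs earlier in the pipeline); a range covering the proxy would exempt everything`. Separately, `Enum.map(&InetHelper.parse_cidr/1)` runs over the raw config list on every unsigned request with no handling of a malformed entry, so if `parse_cidr/1` raises on bad input — I cannot tell from here — one typo in the list turns the intended 401 into a crash for all such requests; validating entries when the setting is written, or skipping bad ones with a logged warning, would be safer. Since `Logger` is already required in this module, a debug-level log line in the exempt branch (`conn` returned unchanged) would also make any use of the exception visible to operators. The defp's own closing `end` is not clearly visible in the collapsed hunk.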
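Review bot: The new test only covers the exempted address; nothing pins that an address outside `192.168.0.0/24` is still rejected by the modified clause, which is the regression that matters if the CIDR match is ever inverted or widened. A companion test with `remote_ip` set to `{192, 168, 1, 1}` (a constructed value outside the range) should assert `conn.halted`, `conn.status == 401` and `conn.resp_body == "Request not signed"`, mirroring the assertions of the preceding test; a further case with an IPv6 `remote_ip` against this IPv4 CIDR would pin how `InetCidr.contains?/2` behaves across address families. The `assert conn.remote_ip == {192, 168, 0, 1}` line only restates the value the test itself put in and can be dropped. The test block is complete within the hunk.
```elixir
    test "still rejects IPs outside `authorized_fetch_mode_exceptions`", %{conn: conn} do
      clear_config([:activitypub, :authorized_fetch_mode_exceptions], ["192.168.0.0/24"])

      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
        conn =
          conn
          |> Map.put(:remote_ip, {192, 168, 1, 1})
          |> put_req_header(
            "signature",
            "keyId=\"http://mastodon.example.org/users/admin#main-key"
          )
          |> HTTPSignaturePlug.call(%{})

        assert conn.halted
        assert conn.status == 401
        assert conn.resp_body == "Request not signed"
        assert called(HTTPSignatures.validate_conn(:_))
      end
    end
```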