From f118374f05916d9bbf246c3a70005582b99dedea Mon Sep 17 00:00:00 2001 From: rimu <3310831+rimu@users.noreply.github.com> Date: Fri, 3 Nov 2023 20:32:12 +1300 Subject: [PATCH] instance allow list --- CONTRIBUTING.md | 2 +- app/activitypub/util.py | 21 ++++++++-- app/models.py | 6 +++ env.sample | 10 +++++ .../6a9bec0c492e_allowed_instances.py | 39 +++++++++++++++++++ 5 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 env.sample create mode 100644 migrations/versions/6a9bec0c492e_allowed_instances.py diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index bc31532c..42742132 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -5,7 +5,7 @@ When it matures enough, PyFedi will aim to work in a way consistent with the [Co Please discuss your ideas in an issue at https://codeberg.org/rimu/pyfedi/issues before starting any large pieces of work to ensure alignment with the roadmap, architecture and processes. -The general style and philosphy behind the way things have been constructed is well described by +The general style and philosophy behind the way things have been constructed is well described by [The Grug Brained Developer](https://grugbrain.dev/). If that page resonates with you then you'll probably enjoy your time here! The codebase needs to be simple enough that new developers of all skill levels can easily understand what's going on and onboard quickly without a lot of upfront diff --git a/app/activitypub/util.py b/app/activitypub/util.py index 76af6e8a..2a855e7b 100644 --- a/app/activitypub/util.py +++ b/app/activitypub/util.py @@ -5,7 +5,7 @@ from typing import Union, Tuple from flask import current_app from sqlalchemy import text from app import db, cache -from app.models import User, Post, Community, BannedInstances, File, PostReply +from app.models import User, Post, Community, BannedInstances, File, PostReply, AllowedInstances import time import base64 import requests @@ -14,7 +14,7 @@ from cryptography.hazmat.primitives.asymmetric import padding from app.constants import * from urllib.parse import urlparse -from app.utils import get_request, allowlist_html, html_to_markdown +from app.utils import get_request, allowlist_html, html_to_markdown, get_setting def public_key(): @@ -184,6 +184,15 @@ def instance_blocked(host: str) -> bool: return instance is not None +@cache.memoize(150) +def instance_allowed(host: str) -> bool: + host = host.lower() + if 'https://' in host or 'http://' in host: + host = urlparse(host).hostname + instance = AllowedInstances.query.filter_by(domain=host.strip()).first() + return instance is not None + + def find_actor_or_create(actor: str) -> Union[User, Community, None]: user = None # actor parameter must be formatted as https://server/u/actor or https://server/c/actor @@ -197,8 +206,12 @@ def find_actor_or_create(actor: str) -> Union[User, Community, None]: return None elif actor.startswith('https://'): server, address = extract_domain_and_actor(actor) - if instance_blocked(server): - return None + if get_setting('use_allowlist', False): + if not instance_allowed(server): + return None + else: + if instance_blocked(server): + return None user = User.query.filter_by( ap_profile_id=actor).first() # finds users formatted like https://kbin.social/u/tables if user.banned: diff --git a/app/models.py b/app/models.py index a04401ff..d336ea22 100644 --- a/app/models.py +++ b/app/models.py @@ -451,6 +451,12 @@ class BannedInstances(db.Model): created_at = db.Column(db.DateTime, default=datetime.utcnow) +class AllowedInstances(db.Model): + id = db.Column(db.Integer, primary_key=True) + domain = db.Column(db.String(256), index=True) + created_at = db.Column(db.DateTime, default=datetime.utcnow) + + class Instance(db.Model): id = db.Column(db.Integer, primary_key=True) domain = db.Column(db.String(256), index=True) diff --git a/env.sample b/env.sample new file mode 100644 index 00000000..86606b96 --- /dev/null +++ b/env.sample @@ -0,0 +1,10 @@ +SECRET_KEY= +SERVER_NAME='127.0.0.1:5000' +DATABASE_URL=postgresql+psycopg2://pyfedi:pyfedi@127.0.0.1/pyfedi +MAIL_SERVER='' +RECAPTCHA3_PUBLIC_KEY='' +RECAPTCHA3_PRIVATE_KEY='' +MODE='development' +FULL_AP_CONTEXT=True +CACHE_TYPE='FileSystemCache' +CACHE_DIR='/dev/shm/pyfedi' diff --git a/migrations/versions/6a9bec0c492e_allowed_instances.py b/migrations/versions/6a9bec0c492e_allowed_instances.py new file mode 100644 index 00000000..2b0846c3 --- /dev/null +++ b/migrations/versions/6a9bec0c492e_allowed_instances.py @@ -0,0 +1,39 @@ +"""allowed instances + +Revision ID: 6a9bec0c492e +Revises: c88bbba381b5 +Create Date: 2023-11-03 20:23:43.536572 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '6a9bec0c492e' +down_revision = 'c88bbba381b5' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('allowed_instances', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('domain', sa.String(length=256), nullable=True), + sa.Column('created_at', sa.DateTime(), nullable=True), + sa.PrimaryKeyConstraint('id') + ) + with op.batch_alter_table('allowed_instances', schema=None) as batch_op: + batch_op.create_index(batch_op.f('ix_allowed_instances_domain'), ['domain'], unique=False) + + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + with op.batch_alter_table('allowed_instances', schema=None) as batch_op: + batch_op.drop_index(batch_op.f('ix_allowed_instances_domain')) + + op.drop_table('allowed_instances') + # ### end Alembic commands ###