From 9e26cd55038084638fdf71b75f526494777d2849 Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 1 Sep 2023 15:41:10 +0200 Subject: [PATCH] Add `authorized_fetch` server setting in addition to env var (#25798) --- app/controllers/application_controller.rb | 5 +---- app/helpers/authorized_fetch_helper.rb | 11 +++++++++++ app/javascript/styles/mastodon/accounts.scss | 2 ++ app/javascript/styles/mastodon/forms.scss | 1 + app/models/form/admin_settings.rb | 10 ++++++++++ app/services/concerns/payloadable.rb | 4 +++- app/views/admin/settings/discovery/show.html.haml | 5 +++++ config/i18n-tasks.yml | 2 +- config/initializers/simple_form.rb | 5 +++-- config/locales/en.yml | 5 +++++ config/locales/simple_form.en.yml | 1 + 11 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 app/helpers/authorized_fetch_helper.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 975315e24738a345364e097a193c9e8bda2cd03a..6ec93f824eb57024fd62fb81bfe6479d6c91a864 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -11,6 +11,7 @@ class ApplicationController < ActionController::Base include CacheConcern include DomainControlHelper include DatabaseHelper + include AuthorizedFetchHelper helper_method :current_account helper_method :current_session @@ -51,10 +52,6 @@ class ApplicationController < ActionController::Base private - def authorized_fetch_mode? - ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.limited_federation_mode - end - def public_fetch_mode? !authorized_fetch_mode? end diff --git a/app/helpers/authorized_fetch_helper.rb b/app/helpers/authorized_fetch_helper.rb new file mode 100644 index 0000000000000000000000000000000000000000..ce87526e6abb8ba2cb7084d1277fc92ce51e160a --- /dev/null +++ b/app/helpers/authorized_fetch_helper.rb @@ -0,0 +1,11 @@ +# frozen_string_literal: true + +module AuthorizedFetchHelper + def authorized_fetch_mode? + ENV.fetch('AUTHORIZED_FETCH') { Setting.authorized_fetch } == 'true' || Rails.configuration.x.limited_federation_mode + end + + def authorized_fetch_overridden? + ENV.key?('AUTHORIZED_FETCH') || Rails.configuration.x.limited_federation_mode + end +end diff --git a/app/javascript/styles/mastodon/accounts.scss b/app/javascript/styles/mastodon/accounts.scss index 2a5285ee027fc1eac96e8846a73e160edc9719dd..80d6c13cef72fbd3ff29184d5fdc4eb334c9ca35 100644 --- a/app/javascript/styles/mastodon/accounts.scss +++ b/app/javascript/styles/mastodon/accounts.scss @@ -188,6 +188,7 @@ } .information-badge, +.simple_form .overridden, .simple_form .recommended, .simple_form .not_recommended { display: inline-block; @@ -204,6 +205,7 @@ } .information-badge, +.simple_form .overridden, .simple_form .recommended, .simple_form .not_recommended { background-color: rgba($ui-secondary-color, 0.1); diff --git a/app/javascript/styles/mastodon/forms.scss b/app/javascript/styles/mastodon/forms.scss index a7079c1457cf7145f6c11065c2e0aebd5646b761..0f8eecee011f8ff5b4bc146c97e38efed22738dc 100644 --- a/app/javascript/styles/mastodon/forms.scss +++ b/app/javascript/styles/mastodon/forms.scss @@ -103,6 +103,7 @@ code { } } + .overridden, .recommended, .not_recommended { position: absolute; diff --git a/app/models/form/admin_settings.rb b/app/models/form/admin_settings.rb index a6be55fd7b2ba80363f1fcaa2865042a6b086335..7be026d85ff9cb61caebe15c5977448e9d1f08a8 100644 --- a/app/models/form/admin_settings.rb +++ b/app/models/form/admin_settings.rb @@ -3,6 +3,8 @@ class Form::AdminSettings include ActiveModel::Model + include AuthorizedFetchHelper + KEYS = %i( site_contact_username site_contact_email @@ -34,6 +36,7 @@ class Form::AdminSettings backups_retention_period status_page_url captcha_enabled + authorized_fetch ).freeze INTEGER_KEYS = %i( @@ -54,6 +57,7 @@ class Form::AdminSettings noindex require_invite_text captcha_enabled + authorized_fetch ).freeze UPLOAD_KEYS = %i( @@ -61,6 +65,10 @@ class Form::AdminSettings mascot ).freeze + OVERRIDEN_SETTINGS = { + authorized_fetch: :authorized_fetch_mode?, + }.freeze + attr_accessor(*KEYS) validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) } @@ -80,6 +88,8 @@ class Form::AdminSettings stored_value = if UPLOAD_KEYS.include?(key) SiteUpload.where(var: key).first_or_initialize(var: key) + elsif OVERRIDEN_SETTINGS.include?(key) + public_send(OVERRIDEN_SETTINGS[key]) else Setting.public_send(key) end diff --git a/app/services/concerns/payloadable.rb b/app/services/concerns/payloadable.rb index 1389a42ed652d2b6516da6e9e1433f8dcb2afd99..bd9d9d74b516acbc10e140f011a3aec9b9232dec 100644 --- a/app/services/concerns/payloadable.rb +++ b/app/services/concerns/payloadable.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true module Payloadable + include AuthorizedFetchHelper + # @param [ActiveModelSerializers::Model] record # @param [ActiveModelSerializers::Serializer] serializer # @param [Hash] options @@ -23,6 +25,6 @@ module Payloadable end def signing_enabled? - ENV['AUTHORIZED_FETCH'] != 'true' && !Rails.configuration.x.limited_federation_mode + !authorized_fetch_mode? end end diff --git a/app/views/admin/settings/discovery/show.html.haml b/app/views/admin/settings/discovery/show.html.haml index c48e0fdc62bb88894443eab28de1b67f0e4911fb..62011d5c567110dab3092456ac345e39b343bcfa 100644 --- a/app/views/admin/settings/discovery/show.html.haml +++ b/app/views/admin/settings/discovery/show.html.haml @@ -39,6 +39,11 @@ .fields-group = f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended + %h4= t('admin.settings.security.federation_authentication') + + .fields-group + = f.input :authorized_fetch, as: :boolean, wrapper: :with_label, label: t('admin.settings.security.authorized_fetch'), warning_hint: authorized_fetch_overridden? ? t('admin.settings.security.authorized_fetch_overridden_hint') : nil, hint: t('admin.settings.security.authorized_fetch_hint'), disabled: authorized_fetch_overridden?, recommended: authorized_fetch_overridden? ? :overridden : nil + %h4= t('admin.settings.discovery.follow_recommendations') .fields-group diff --git a/config/i18n-tasks.yml b/config/i18n-tasks.yml index d0677b80fb41e0c288ecd8c2752da42119ba5e64..2d4487ce56ce05916ea7ce32273f1aee11abe18c 100644 --- a/config/i18n-tasks.yml +++ b/config/i18n-tasks.yml @@ -50,7 +50,7 @@ ignore_unused: - 'activerecord.errors.*' - '{devise,pagination,doorkeeper}.*' - '{date,datetime,time,number}.*' - - 'simple_form.{yes,no,recommended,not_recommended}' + - 'simple_form.{yes,no,recommended,not_recommended,overridden}' - 'simple_form.{placeholders,hints,labels}.*' - 'simple_form.{error_notification,required}.:' - 'errors.messages.*' diff --git a/config/initializers/simple_form.rb b/config/initializers/simple_form.rb index 9d90cc6ca8740e233836d3164c5ea82d1115b68e..a7a2d251e52e9797b7fe82b8e448132f24ddd60e 100644 --- a/config/initializers/simple_form.rb +++ b/config/initializers/simple_form.rb @@ -97,7 +97,8 @@ SimpleForm.setup do |config| end end - b.use :hint, wrap_with: { tag: :span, class: :hint } + b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] } + b.use :hint, wrap_with: { tag: :span, class: :hint } b.use :error, wrap_with: { tag: :span, class: :error } end @@ -111,8 +112,8 @@ SimpleForm.setup do |config| config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b| b.use :html5 b.use :label - b.use :hint, wrap_with: { tag: :span, class: :hint } b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] } + b.use :hint, wrap_with: { tag: :span, class: :hint } b.use :input, wrap_with: { tag: :div, class: :label_input } b.use :error, wrap_with: { tag: :span, class: :error } end diff --git a/config/locales/en.yml b/config/locales/en.yml index 8bdfd1ec9138a463293d4377563a15971cc762cc..693155d6efcc2eed0d830c1b9493b1184e0126c5 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -770,6 +770,11 @@ en: approved: Approval required for sign up none: Nobody can sign up open: Anyone can sign up + security: + authorized_fetch: Require authentication from federated servers + authorized_fetch_hint: Requiring authentication from federated servers enables stricter enforcement of both user-level and server-level blocks. However, this comes at the cost of a performance penalty, reduces the reach of your replies, and may introduce compatibility issues with some federated services. In addition, this will not prevent dedicated actors from fetching your public posts and accounts. + authorized_fetch_overridden_hint: You are currently unable to change this setting because it is overridden by an environment variable. + federation_authentication: Federation authentication enforcement title: Server settings site_uploads: delete: Delete uploaded file diff --git a/config/locales/simple_form.en.yml b/config/locales/simple_form.en.yml index efda7b778b84de5b5a262013e79b89d494c60df9..b1297606bc8c45de13327c775c4c2a23fef0a8a1 100644 --- a/config/locales/simple_form.en.yml +++ b/config/locales/simple_form.en.yml @@ -317,6 +317,7 @@ en: url: Endpoint URL 'no': 'No' not_recommended: Not recommended + overridden: Overridden recommended: Recommended required: mark: "*"