indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Occasionally rotate the federated shared items token for the instance

merge-requests/30/head
Bob Mottram 2021-08-07 11:29:40 +01:00
parent cf9bb7a381
commit 28bac56561
3 changed files with 83 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
daemon.py
View File

@ -15498,7 +15498,7 @@ def runDaemon(maxLikeCount: int,
generateSharedItemFederationTokens(httpd.sharedItemsFederatedDomains, generateSharedItemFederationTokens(httpd.sharedItemsFederatedDomains,
baseDir) baseDir)
httpd.sharedItemFederationTokens = \ httpd.sharedItemFederationTokens = \
createSharedItemFederationToken(baseDir, httpd.domainFull, createSharedItemFederationToken(baseDir, httpd.domainFull, False,
httpd.sharedItemFederationTokens) httpd.sharedItemFederationTokens)
# load peertube instances from file into a list # load peertube instances from file into a list

82
shares.py
View File

@ -12,6 +12,7 @@ import re
import secrets import secrets
import time import time
import datetime import datetime
from random import randint
from pprint import pprint from pprint import pprint
from session import getJson from session import getJson
from webfinger import webfingerHandle from webfinger import webfingerHandle
@ -1161,6 +1162,7 @@ def mergeSharedItemTokens(baseDir: str, domainFull: str,
def createSharedItemFederationToken(baseDir: str, def createSharedItemFederationToken(baseDir: str,
tokenDomainFull: str, tokenDomainFull: str,
force: bool,
tokensJson: {} = None) -> {}: tokensJson: {} = None) -> {}:
"""Updates an individual token for shared item federation """Updates an individual token for shared item federation
""" """
@ -1173,7 +1175,7 @@ def createSharedItemFederationToken(baseDir: str,
tokensJson = loadJson(tokensFilename, 1, 2) tokensJson = loadJson(tokensFilename, 1, 2)
if tokensJson is None: if tokensJson is None:
tokensJson = {} tokensJson = {}
if not tokensJson.get(tokenDomainFull): if force or not tokensJson.get(tokenDomainFull):
tokensJson[tokenDomainFull] = secrets.token_urlsafe(64) tokensJson[tokenDomainFull] = secrets.token_urlsafe(64)
if baseDir: if baseDir:
saveJson(tokensJson, tokensFilename) saveJson(tokensJson, tokensFilename)
@ -1310,6 +1312,76 @@ def runFederatedSharesWatchdog(projectVersion: str, httpd) -> None:
print('Restarting federated shares daemon...') print('Restarting federated shares daemon...')
def _generateNextSharesTokenUpdate(baseDir: str,
minDays: int, maxDays: int) -> None:
"""Creates a file containing the next date when the shared items token
for this instance will be updated
"""
tokenUpdateFilename = baseDir + '/accounts/.tokenUpdate'
nextUpdateSec = None
if os.path.isfile(tokenUpdateFilename):
with open(tokenUpdateFilename, 'r') as fp:
nextUpdateStr = fp.read()
if nextUpdateStr:
if nextUpdateStr.isdigit():
nextUpdateSec = int(nextUpdateStr)
currTime = int(time.time())
updated = False
if nextUpdateSec:
if currTime > nextUpdateSec:
nextUpdateDays = randint(minDays, maxDays)
nextUpdateInterval = int(60 * 60 * 24 * nextUpdateDays)
nextUpdateSec += nextUpdateInterval
updated = True
else:
nextUpdateDays = randint(minDays, maxDays)
nextUpdateInterval = int(60 * 60 * 24 * nextUpdateDays)
nextUpdateSec = currTime + nextUpdateInterval
updated = True
if updated:
with open(tokenUpdateFilename, 'w+') as fp:
fp.write(str(nextUpdateSec))
def _regenerateSharesToken(baseDir: str, domainFull: str,
minDays: int, maxDays: int, httpd) -> None:
"""Occasionally the shared items token for your instance is updated.
Scenario:
- You share items with $FriendlyInstance
- Some time later under new management
$FriendlyInstance becomes $HostileInstance
- You block $HostileInstance and remove them from your
federated shares domains list
- $HostileInstance still knows your shared items token,
and can still have access to your shared items if it presents a
spoofed Origin header together with the token
By rotating the token occasionally $HostileInstance will eventually
lose access to your federated shares. If other instances within your
federated shares list of domains continue to follow and communicate
then they will receive the new token automatically
"""
tokenUpdateFilename = baseDir + '/accounts/.tokenUpdate'
if not os.path.isfile(tokenUpdateFilename):
return
nextUpdateSec = None
with open(tokenUpdateFilename, 'r') as fp:
nextUpdateStr = fp.read()
if nextUpdateStr:
if nextUpdateStr.isdigit():
nextUpdateSec = int(nextUpdateStr)
if not nextUpdateSec:
return
currTime = int(time.time())
if currTime <= nextUpdateSec:
return
createSharedItemFederationToken(baseDir, domainFull, True, None)
_generateNextSharesTokenUpdate(baseDir, minDays, maxDays)
# update the tokens used within the daemon
httpd.sharedItemFederationTokens = \
generateSharedItemFederationTokens(httpd.sharedItemsFederatedDomains,
baseDir)
def runFederatedSharesDaemon(baseDir: str, httpd, httpPrefix: str, def runFederatedSharesDaemon(baseDir: str, httpd, httpPrefix: str,
domainFull: str, proxyType: str, debug: bool, domainFull: str, proxyType: str, debug: bool,
systemLanguage: str) -> None: systemLanguage: str) -> None:
@ -1318,6 +1390,10 @@ def runFederatedSharesDaemon(baseDir: str, httpd, httpPrefix: str,
secondsPerHour = 60 * 60 secondsPerHour = 60 * 60
fileCheckIntervalSec = 120 fileCheckIntervalSec = 120
time.sleep(60) time.sleep(60)
# the token for this instance will be changed every 7-14 days
minDays = 7
maxDays = 14
_generateNextSharesTokenUpdate(baseDir, minDays, maxDays)
while True: while True:
sharedItemsFederatedDomainsStr = \ sharedItemsFederatedDomainsStr = \
getConfigParam(baseDir, 'sharedItemsFederatedDomains') getConfigParam(baseDir, 'sharedItemsFederatedDomains')
@ -1325,6 +1401,10 @@ def runFederatedSharesDaemon(baseDir: str, httpd, httpPrefix: str,
time.sleep(fileCheckIntervalSec) time.sleep(fileCheckIntervalSec)
continue continue
# occasionally change the federated shared items token
# for this instance
_regenerateSharesToken(baseDir, domainFull, minDays, maxDays, httpd)
# get a list of the domains within the shared items federation # get a list of the domains within the shared items federation
sharedItemsFederatedDomains = [] sharedItemsFederatedDomains = []
sharedItemsFederatedDomainsList = \ sharedItemsFederatedDomainsList = \

2
tests.py
View File

@ -5110,7 +5110,7 @@ def _testAuthorizeSharedItems():
tokensJson = \ tokensJson = \
generateSharedItemFederationTokens(sharedItemsFederatedDomains, None) generateSharedItemFederationTokens(sharedItemsFederatedDomains, None)
tokensJson = \ tokensJson = \
createSharedItemFederationToken(None, 'cat.domain', tokensJson) createSharedItemFederationToken(None, 'cat.domain', False, tokensJson)
assert tokensJson assert tokensJson
assert not tokensJson.get('dog.domain') assert not tokensJson.get('dog.domain')
assert tokensJson.get('cat.domain') assert tokensJson.get('cat.domain')