Option to enforce json signature checks

main
Bob Mottram 2021-01-05 10:29:37 +00:00
parent b8a698d887
commit 2c2476f3c0
20 changed files with 96 additions and 32 deletions

View File

@ -4274,11 +4274,25 @@ class PubServer(BaseHTTPRequestHandler):
actorJson['summary'] = ''
actorChanged = True
# change moderators list
if fields.get('moderators'):
adminNickname = \
getConfigParam(baseDir, 'admin')
if adminNickname:
adminNickname = \
getConfigParam(baseDir, 'admin')
if adminNickname:
# whether to require jsonld signatures
# on all incoming posts
if path.startswith('/users/' +
adminNickname + '/'):
verifyAllSignatures = False
if fields.get('verifyallsignatures'):
if fields['verifyallsignatures'] == 'on':
verifyAllSignatures = True
self.server.verifyAllSignatures = \
verifyAllSignatures
setConfigParam(baseDir, "verifyAllSignatures",
verifyAllSignatures)
# change moderators list
if fields.get('moderators'):
if path.startswith('/users/' +
adminNickname + '/'):
moderatorsFile = \
@ -4334,11 +4348,8 @@ class PubServer(BaseHTTPRequestHandler):
'instance',
'moderator')
# change site editors list
if fields.get('editors'):
adminNickname = \
getConfigParam(baseDir, 'admin')
if adminNickname:
# change site editors list
if fields.get('editors'):
if path.startswith('/users/' +
adminNickname + '/'):
editorsFile = \
@ -13400,7 +13411,8 @@ def loadTokens(baseDir: str, tokensDict: {}, tokensLookup: {}) -> None:
break
def runDaemon(sendThreadsTimeoutMins: int,
def runDaemon(verifyAllSignatures: bool,
sendThreadsTimeoutMins: int,
dormantMonths: int,
maxNewswirePosts: int,
allowLocalNetworkAccess: bool,
@ -13480,6 +13492,9 @@ def runDaemon(sendThreadsTimeoutMins: int,
# maximum number of posts to appear in the newswire on the right column
httpd.maxNewswirePosts = maxNewswirePosts
# whether to require that all incoming posts have valid jsonld signatures
httpd.verifyAllSignatures = verifyAllSignatures
# This counter is used to update the list of blocked domains in memory.
# It helps to avoid touching the disk and so improves flooding resistance
httpd.blocklistUpdateCtr = 0
@ -13749,7 +13764,8 @@ def runDaemon(sendThreadsTimeoutMins: int,
httpd.showPublishedDateOnly,
httpd.maxFollowers,
httpd.allowLocalNetworkAccess,
httpd.peertubeInstances), daemon=True)
httpd.peertubeInstances,
verifyAllSignatures), daemon=True)
print('Creating scheduled post thread')
httpd.thrPostSchedule = \

View File

@ -267,6 +267,12 @@ parser.add_argument("--allowLocalNetworkAccess",
help="Whether to allow access to local network " +
"addresses. This might be useful when deploying in " +
"a mesh network")
parser.add_argument("--verifyAllSignatures",
dest='verifyAllSignatures',
type=str2bool, nargs='?',
const=True, default=False,
help="Whether to require that all incoming " +
"posts have valid jsonld signatures")
parser.add_argument("--noapproval", type=str2bool, nargs='?',
const=True, default=False,
help="Allow followers without approval")
@ -2119,6 +2125,11 @@ allowLocalNetworkAccess = \
if allowLocalNetworkAccess is not None:
args.allowLocalNetworkAccess = bool(allowLocalNetworkAccess)
verifyAllSignatures = \
getConfigParam(baseDir, 'verifyAllSignatures')
if verifyAllSignatures is not None:
args.verifyAllSignatures = bool(verifyAllSignatures)
YTDomain = getConfigParam(baseDir, 'youtubedomain')
if YTDomain:
if '://' in YTDomain:
@ -2132,7 +2143,8 @@ if setTheme(baseDir, themeName, domain, args.allowLocalNetworkAccess):
print('Theme set to ' + themeName)
if __name__ == "__main__":
runDaemon(args.sendThreadsTimeoutMins,
runDaemon(args.verifyAllSignatures,
args.sendThreadsTimeoutMins,
args.dormantMonths,
args.maxNewswirePosts,
args.allowLocalNetworkAccess,

View File

@ -2447,7 +2447,8 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
YTReplacementDomain: str,
showPublishedDateOnly: bool,
maxFollowers: int, allowLocalNetworkAccess: bool,
peertubeInstances: []) -> None:
peertubeInstances: [],
verifyAllSignatures: bool) -> None:
"""Processes received items and moves them to the appropriate
directories
"""
@ -2716,6 +2717,16 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
if jwebsig.get('type') and jwebsig.get('signatureValue'):
if jwebsig['type'] == 'RsaSignature2017':
checkJsonSignature = True
if verifyAllSignatures and \
not checkJsonSignature:
print('inbox post does not have a jsonld signature ' + keyId)
if os.path.isfile(queueFilename):
os.remove(queueFilename)
if len(queue) > 0:
queue.pop(0)
continue
if checkJsonSignature:
# use the original json message received, not one which may have
# been modified along the way

View File

@ -323,8 +323,10 @@ def createServerAlice(path: str, domain: str, port: int,
dormantMonths = 3
sendThreadsTimeoutMins = 30
maxFollowers = 10
verifyAllSignatures = True
print('Server running: Alice')
runDaemon(sendThreadsTimeoutMins,
runDaemon(verifyAllSignatures,
sendThreadsTimeoutMins,
dormantMonths, maxNewswirePosts,
allowLocalNetworkAccess,
2048, False, True, False, False, True, maxFollowers,
@ -420,8 +422,10 @@ def createServerBob(path: str, domain: str, port: int,
dormantMonths = 3
sendThreadsTimeoutMins = 30
maxFollowers = 10
verifyAllSignatures = True
print('Server running: Bob')
runDaemon(sendThreadsTimeoutMins,
runDaemon(verifyAllSignatures,
sendThreadsTimeoutMins,
dormantMonths, maxNewswirePosts,
allowLocalNetworkAccess,
2048, False, True, False, False, True, maxFollowers,
@ -467,8 +471,10 @@ def createServerEve(path: str, domain: str, port: int, federationList: [],
dormantMonths = 3
sendThreadsTimeoutMins = 30
maxFollowers = 10
verifyAllSignatures = True
print('Server running: Eve')
runDaemon(sendThreadsTimeoutMins,
runDaemon(verifyAllSignatures,
sendThreadsTimeoutMins,
dormantMonths, maxNewswirePosts,
allowLocalNetworkAccess,
2048, False, True, False, False, True, maxFollowers,

View File

@ -350,5 +350,6 @@
"Show Accounts": "إظهار الحسابات",
"Peertube Instances": "مثيلات Peertube",
"Show video previews for the following Peertube sites.": "إظهار معاينات الفيديو لمواقع Peertube التالية.",
"Follows you": "يتبعك"
"Follows you": "يتبعك",
"Verify all signatures": "تحقق من جميع التوقيعات"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Mostra comptes",
"Peertube Instances": "Instàncies de Peertube",
"Show video previews for the following Peertube sites.": "Mostra les previsualitzacions de vídeo dels següents llocs de Peertube.",
"Follows you": "Et segueix"
"Follows you": "Et segueix",
"Verify all signatures": "Verifiqueu totes les signatures"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Dangos Cyfrifon",
"Peertube Instances": "Camau Peertube",
"Show video previews for the following Peertube sites.": "Dangos rhagolygon fideo ar gyfer y safleoedd Peertube canlynol.",
"Follows you": "Yn eich dilyn chi"
"Follows you": "Yn eich dilyn chi",
"Verify all signatures": "Gwirio pob llofnod"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Konten anzeigen",
"Peertube Instances": "Peertube-Instanzen",
"Show video previews for the following Peertube sites.": "Zeigen Sie eine Videovorschau für die folgenden Peertube-Websites an.",
"Follows you": "Folgt dir"
"Follows you": "Folgt dir",
"Verify all signatures": "Überprüfen Sie alle Signaturen"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Show Accounts",
"Peertube Instances": "Peertube Instances",
"Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.",
"Follows you": "Follows you"
"Follows you": "Follows you",
"Verify all signatures": "Verify all signatures"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Mostrar cuentas",
"Peertube Instances": "Instancias de Peertube",
"Show video previews for the following Peertube sites.": "Muestre vistas previas de video para los siguientes sitios de Peertube.",
"Follows you": "Te sigue"
"Follows you": "Te sigue",
"Verify all signatures": "Verificar todas las firmas"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Afficher les comptes",
"Peertube Instances": "Instances Peertube",
"Show video previews for the following Peertube sites.": "Afficher des aperçus vidéo pour les sites Peertube suivants.",
"Follows you": "Vous suit"
"Follows you": "Vous suit",
"Verify all signatures": "Vérifier toutes les signatures"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Taispeáin Cuntais",
"Peertube Instances": "Imeachtaí Peertube",
"Show video previews for the following Peertube sites.": "Taispeáin réamhamharcanna físe do na suíomhanna Peertube seo a leanas.",
"Follows you": "Leanann tú"
"Follows you": "Leanann tú",
"Verify all signatures": "Fíoraigh gach síniú"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "खाते दिखाएं",
"Peertube Instances": "Peertube उदाहरण",
"Show video previews for the following Peertube sites.": "निम्नलिखित Peertube साइटों के लिए वीडियो पूर्वावलोकन दिखाएं।",
"Follows you": "आपका पीछा करता है"
"Follows you": "आपका पीछा करता है",
"Verify all signatures": "सभी हस्ताक्षर सत्यापित करें"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Mostra account",
"Peertube Instances": "Istanze di Peertube",
"Show video previews for the following Peertube sites.": "Mostra le anteprime dei video per i seguenti siti Peertube.",
"Follows you": "Ti segue"
"Follows you": "Ti segue",
"Verify all signatures": "Verifica tutte le firme"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "アカウントを表示する",
"Peertube Instances": "Peertubeインスタンス",
"Show video previews for the following Peertube sites.": "次のPeertubeサイトのビデオプレビューを表示します。",
"Follows you": "あなたについていきます"
"Follows you": "あなたについていきます",
"Verify all signatures": "すべての署名を確認する"
}

View File

@ -346,5 +346,6 @@
"Show Accounts": "Show Accounts",
"Peertube Instances": "Peertube Instances",
"Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.",
"Follows you": "Follows you"
"Follows you": "Follows you",
"Verify all signatures": "Verify all signatures"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Mostrar contas",
"Peertube Instances": "Instâncias Peertube",
"Show video previews for the following Peertube sites.": "Mostrar visualizações de vídeo para os seguintes sites Peertube.",
"Follows you": "Segue você"
"Follows you": "Segue você",
"Verify all signatures": "Verifique todas as assinaturas"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "Показать счета",
"Peertube Instances": "Экземпляры Peertube",
"Show video previews for the following Peertube sites.": "Показать превью видео для следующих сайтов Peertube.",
"Follows you": "Следует за вами"
"Follows you": "Следует за вами",
"Verify all signatures": "Проверить все подписи"
}

View File

@ -350,5 +350,6 @@
"Show Accounts": "显示帐户",
"Peertube Instances": "Peertube实例",
"Show video previews for the following Peertube sites.": "显示以下Peertube网站的视频预览。",
"Follows you": "跟着你"
"Follows you": "跟着你",
"Verify all signatures": "验证所有签名"
}

View File

@ -1106,6 +1106,10 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str,
instanceStr += \
' <input type="file" id="instanceLogo" name="instanceLogo"'
instanceStr += ' accept="' + imageFormats + '">'
instanceStr += \
' <input type="checkbox" class="profilecheckbox" ' + \
'name="verifyallsignatures"> ' + \
translate['Verify all signatures'] + '<br>\n'
instanceStr += '</div>'
moderators = ''