From 2c2476f3c088aa244f45dd49a09c47108e453ac9 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 5 Jan 2021 10:29:37 +0000 Subject: [PATCH] Option to enforce json signature checks --- daemon.py | 40 ++++++++++++++++++++++++++++------------ epicyon.py | 14 +++++++++++++- inbox.py | 13 ++++++++++++- tests.py | 12 +++++++++--- translations/ar.json | 3 ++- translations/ca.json | 3 ++- translations/cy.json | 3 ++- translations/de.json | 3 ++- translations/en.json | 3 ++- translations/es.json | 3 ++- translations/fr.json | 3 ++- translations/ga.json | 3 ++- translations/hi.json | 3 ++- translations/it.json | 3 ++- translations/ja.json | 3 ++- translations/oc.json | 3 ++- translations/pt.json | 3 ++- translations/ru.json | 3 ++- translations/zh.json | 3 ++- webapp_profile.py | 4 ++++ 20 files changed, 96 insertions(+), 32 deletions(-) diff --git a/daemon.py b/daemon.py index 4c93a9ac4..4eb105fbd 100644 --- a/daemon.py +++ b/daemon.py @@ -4274,11 +4274,25 @@ class PubServer(BaseHTTPRequestHandler): actorJson['summary'] = '' actorChanged = True - # change moderators list - if fields.get('moderators'): - adminNickname = \ - getConfigParam(baseDir, 'admin') - if adminNickname: + adminNickname = \ + getConfigParam(baseDir, 'admin') + + if adminNickname: + # whether to require jsonld signatures + # on all incoming posts + if path.startswith('/users/' + + adminNickname + '/'): + verifyAllSignatures = False + if fields.get('verifyallsignatures'): + if fields['verifyallsignatures'] == 'on': + verifyAllSignatures = True + self.server.verifyAllSignatures = \ + verifyAllSignatures + setConfigParam(baseDir, "verifyAllSignatures", + verifyAllSignatures) + + # change moderators list + if fields.get('moderators'): if path.startswith('/users/' + adminNickname + '/'): moderatorsFile = \ 
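Review bot: The value saved here only updates `self.server.verifyAllSignatures` and the config file, but the inbox queue thread started in runDaemon (the hunk at line 13749 of this file) receives `verifyAllSignatures` as a plain argument to runInboxQueue, so toggling the checkbox in the admin profile does not change what the running queue enforces until the daemon is restarted. Either let runInboxQueue read the live server attribute on each iteration, or state the limitation at the assignment: `# NOTE: the inbox queue thread holds its own copy; a restart is needed for this to take effect`. The two nested ifs can be a single line, `verifyAllSignatures = fields.get('verifyallsignatures') == 'on'`. The enclosing request handler begins before this hunk, so whether the authenticated nickname is checked against the `/users/<admin>/` path prefix used here is not visible; that earlier check is what makes this an admin-only setting.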
@@ -4334,11 +4348,8 @@ class PubServer(BaseHTTPRequestHandler): 'instance', 'moderator') - # change site editors list - if fields.get('editors'): - adminNickname = \ - getConfigParam(baseDir, 'admin') - if adminNickname: + # change site editors list + if fields.get('editors'): if path.startswith('/users/' + adminNickname + '/'): editorsFile = \ @@ -13400,7 +13411,8 @@ def loadTokens(baseDir: str, tokensDict: {}, tokensLookup: {}) -> None: break -def runDaemon(sendThreadsTimeoutMins: int, +def runDaemon(verifyAllSignatures: bool, + sendThreadsTimeoutMins: int, dormantMonths: int, maxNewswirePosts: int, allowLocalNetworkAccess: bool, @@ -13480,6 +13492,9 @@ def runDaemon(sendThreadsTimeoutMins: int, # maximum number of posts to appear in the newswire on the right column httpd.maxNewswirePosts = maxNewswirePosts + # whether to require that all incoming posts have valid jsonld signatures + httpd.verifyAllSignatures = verifyAllSignatures + # This counter is used to update the list of blocked domains in memory. # It helps to avoid touching the disk and so improves flooding resistance httpd.blocklistUpdateCtr = 0 @@ -13749,7 +13764,8 @@ def runDaemon(sendThreadsTimeoutMins: int, httpd.showPublishedDateOnly, httpd.maxFollowers, httpd.allowLocalNetworkAccess, - httpd.peertubeInstances), daemon=True) + httpd.peertubeInstances, + verifyAllSignatures), daemon=True) print('Creating scheduled post thread') httpd.thrPostSchedule = \ diff --git a/epicyon.py b/epicyon.py index ec0d9c843..da5d1cda5 100644 --- a/epicyon.py +++ b/epicyon.py 
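Review bot: `verifyAllSignatures` is inserted as the first positional parameter of runDaemon, ahead of a long run of positional bools and ints, so a caller not updated with this commit would have every argument shifted by one, and for most of the bool/int pairs that would not raise. The callers visible in this diff (epicyon.py and the three test servers) are updated; appending the parameter at the end of the list, or making it keyword-only, would make any remaining mismatch fail loudly. The new parameter also deserves a line in runDaemon's docstring, e.g. `verifyAllSignatures: drop inbox posts that lack a valid jsonld signature`. runDaemon's body runs well past this hunk.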
@@ -267,6 +267,12 @@ parser.add_argument("--allowLocalNetworkAccess", help="Whether to allow access to local network " + "addresses. This might be useful when deploying in " + "a mesh network") +parser.add_argument("--verifyAllSignatures", + dest='verifyAllSignatures', + type=str2bool, nargs='?', + const=True, default=False, + help="Whether to require that all incoming " + + "posts have valid jsonld signatures") parser.add_argument("--noapproval", type=str2bool, nargs='?', const=True, default=False, help="Allow followers without approval") @@ -2119,6 +2125,11 @@ allowLocalNetworkAccess = \ if allowLocalNetworkAccess is not None: args.allowLocalNetworkAccess = bool(allowLocalNetworkAccess) +verifyAllSignatures = \ + getConfigParam(baseDir, 'verifyAllSignatures') +if verifyAllSignatures is not None: + args.verifyAllSignatures = bool(verifyAllSignatures) + YTDomain = getConfigParam(baseDir, 'youtubedomain') if YTDomain: if '://' in YTDomain: @@ -2132,7 +2143,8 @@ if setTheme(baseDir, themeName, domain, args.allowLocalNetworkAccess): print('Theme set to ' + themeName) if __name__ == "__main__": - runDaemon(args.sendThreadsTimeoutMins, + runDaemon(args.verifyAllSignatures, + args.sendThreadsTimeoutMins, args.dormantMonths, args.maxNewswirePosts, args.allowLocalNetworkAccess, diff --git a/inbox.py b/inbox.py index 08fefc91c..23d43231a 100644 --- a/inbox.py +++ b/inbox.py @@ -2447,7 +2447,8 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int, YTReplacementDomain: str, showPublishedDateOnly: bool, maxFollowers: int, allowLocalNetworkAccess: bool, - peertubeInstances: []) -> None: + peertubeInstances: [], + verifyAllSignatures: bool) -> None: """Processes received items and moves them to the appropriate directories """ 
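Review bot: When the `verifyAllSignatures` key exists in config it unconditionally overwrites `args.verifyAllSignatures`, so `--verifyAllSignatures` on the command line is silently ignored once the admin has saved the profile form, which writes the key (as False when the checkbox is unticked). This mirrors how allowLocalNetworkAccess is handled just above and may be intended, but for a security setting the precedence should be stated: `# the stored config value takes precedence over the command line flag`. Whether getConfigParam returns a bool or a string is not visible here; if it can return the string 'False', `bool(verifyAllSignatures)` would be True.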
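Review bot: runInboxQueue gains a `verifyAllSignatures: bool` parameter but its docstring, which starts in this hunk, is unchanged, so the parameter's effect (posts without a jsonld signature are dropped instead of processed) is only discoverable by reading the body far below. A line such as `verifyAllSignatures: if True, drop incoming posts that carry no RsaSignature2017 jsonld signature` in the docstring would cover it. The function body is outside this hunk.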
@@ -2716,6 +2717,16 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int, if jwebsig.get('type') and jwebsig.get('signatureValue'): if jwebsig['type'] == 'RsaSignature2017': checkJsonSignature = True + + if verifyAllSignatures and \ + not checkJsonSignature: + print('inbox post does not have a jsonld signature ' + keyId) + if os.path.isfile(queueFilename): + os.remove(queueFilename) + if len(queue) > 0: + queue.pop(0) + continue + if checkJsonSignature: # use the original json message received, not one which may have # been modified along the way diff --git a/tests.py b/tests.py index cd957bf83..d29671e2a 100644 --- a/tests.py +++ b/tests.py @@ -323,8 +323,10 @@ def createServerAlice(path: str, domain: str, port: int, dormantMonths = 3 sendThreadsTimeoutMins = 30 maxFollowers = 10 + verifyAllSignatures = True print('Server running: Alice') - runDaemon(sendThreadsTimeoutMins, + runDaemon(verifyAllSignatures, + sendThreadsTimeoutMins, dormantMonths, maxNewswirePosts, allowLocalNetworkAccess, 2048, False, True, False, False, True, maxFollowers, @@ -420,8 +422,10 @@ def createServerBob(path: str, domain: str, port: int, dormantMonths = 3 sendThreadsTimeoutMins = 30 maxFollowers = 10 + verifyAllSignatures = True print('Server running: Bob') - runDaemon(sendThreadsTimeoutMins, + runDaemon(verifyAllSignatures, + sendThreadsTimeoutMins, dormantMonths, maxNewswirePosts, allowLocalNetworkAccess, 2048, False, True, False, False, True, maxFollowers, @@ -467,8 +471,10 @@ def createServerEve(path: str, domain: str, port: int, federationList: [], dormantMonths = 3 sendThreadsTimeoutMins = 30 maxFollowers = 10 + verifyAllSignatures = True print('Server running: Eve') - runDaemon(sendThreadsTimeoutMins, + runDaemon(verifyAllSignatures, + sendThreadsTimeoutMins, dormantMonths, maxNewswirePosts, allowLocalNetworkAccess, 2048, False, True, False, False, True, maxFollowers, diff --git a/translations/ar.json b/translations/ar.json index 7cda02d25..658be63fe 100644 
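Review bot: The message printed when a post is dropped says it has no jsonld signature, but `checkJsonSignature` is only set True for `RsaSignature2017`, so a post carrying a signature of any other type is dropped with the same message; `print('inbox post has no RsaSignature2017 jsonld signature, dropping ' + keyId)` would describe what was actually rejected. The drop sequence (remove the queue file, pop the queue, continue) is a three-line block that presumably already appears elsewhere in runInboxQueue for other rejections; if so, a small helper would keep the variants in step. runInboxQueue starts and ends outside this hunk.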
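Review bot: All three test servers set `verifyAllSignatures = True`, so the suite appears to exercise only strict mode; the default configuration (False, per the argparse default in epicyon.py) no longer has a running-server test here, and nothing visible asserts that an unsigned post between instances is actually dropped. The same applies to the createServerBob and createServerEve hunks. A comment at the assignment, `# strict mode: inbox posts without a jsonld signature are dropped`, would make the intent of the setup explicit.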
--- a/translations/ar.json +++ b/translations/ar.json @@ -350,5 +350,6 @@ "Show Accounts": "إظهار الحسابات", "Peertube Instances": "مثيلات Peertube", "Show video previews for the following Peertube sites.": "إظهار معاينات الفيديو لمواقع Peertube التالية.", - "Follows you": "يتبعك" + "Follows you": "يتبعك", + "Verify all signatures": "تحقق من جميع التوقيعات" } diff --git a/translations/ca.json b/translations/ca.json index d17bbc050..06ea47e6d 100644 --- a/translations/ca.json +++ b/translations/ca.json @@ -350,5 +350,6 @@ "Show Accounts": "Mostra comptes", "Peertube Instances": "Instàncies de Peertube", "Show video previews for the following Peertube sites.": "Mostra les previsualitzacions de vídeo dels següents llocs de Peertube.", - "Follows you": "Et segueix" + "Follows you": "Et segueix", + "Verify all signatures": "Verifiqueu totes les signatures" } diff --git a/translations/cy.json b/translations/cy.json index 8db9b525b..a610b167a 100644 --- a/translations/cy.json +++ b/translations/cy.json @@ -350,5 +350,6 @@ "Show Accounts": "Dangos Cyfrifon", "Peertube Instances": "Camau Peertube", "Show video previews for the following Peertube sites.": "Dangos rhagolygon fideo ar gyfer y safleoedd Peertube canlynol.", - "Follows you": "Yn eich dilyn chi" + "Follows you": "Yn eich dilyn chi", + "Verify all signatures": "Gwirio pob llofnod" } diff --git a/translations/de.json b/translations/de.json index a82a4aaa7..cdf9aaefa 100644 --- a/translations/de.json +++ b/translations/de.json @@ -350,5 +350,6 @@ "Show Accounts": "Konten anzeigen", "Peertube Instances": "Peertube-Instanzen", "Show video previews for the following Peertube sites.": "Zeigen Sie eine Videovorschau für die folgenden Peertube-Websites an.", - "Follows you": "Folgt dir" + "Follows you": "Folgt dir", + "Verify all signatures": "Überprüfen Sie alle Signaturen" } diff --git a/translations/en.json b/translations/en.json index 9e93dcb82..40537ba17 100644 --- a/translations/en.json +++ b/translations/en.json 
@@ -350,5 +350,6 @@ "Show Accounts": "Show Accounts", "Peertube Instances": "Peertube Instances", "Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.", - "Follows you": "Follows you" + "Follows you": "Follows you", + "Verify all signatures": "Verify all signatures" } diff --git a/translations/es.json b/translations/es.json index edc36088f..f63b2d4ea 100644 --- a/translations/es.json +++ b/translations/es.json @@ -350,5 +350,6 @@ "Show Accounts": "Mostrar cuentas", "Peertube Instances": "Instancias de Peertube", "Show video previews for the following Peertube sites.": "Muestre vistas previas de video para los siguientes sitios de Peertube.", - "Follows you": "Te sigue" + "Follows you": "Te sigue", + "Verify all signatures": "Verificar todas las firmas" } diff --git a/translations/fr.json b/translations/fr.json index 838d18388..1ae6dc989 100644 --- a/translations/fr.json +++ b/translations/fr.json @@ -350,5 +350,6 @@ "Show Accounts": "Afficher les comptes", "Peertube Instances": "Instances Peertube", "Show video previews for the following Peertube sites.": "Afficher des aperçus vidéo pour les sites Peertube suivants.", - "Follows you": "Vous suit" + "Follows you": "Vous suit", + "Verify all signatures": "Vérifier toutes les signatures" } diff --git a/translations/ga.json b/translations/ga.json index 396d3ae8d..ef2f77fef 100644 --- a/translations/ga.json +++ b/translations/ga.json @@ -350,5 +350,6 @@ "Show Accounts": "Taispeáin Cuntais", "Peertube Instances": "Imeachtaí Peertube", "Show video previews for the following Peertube sites.": "Taispeáin réamhamharcanna físe do na suíomhanna Peertube seo a leanas.", - "Follows you": "Leanann tú" + "Follows you": "Leanann tú", + "Verify all signatures": "Fíoraigh gach síniú" } diff --git a/translations/hi.json b/translations/hi.json index 05878a580..232cb54c2 100644 --- a/translations/hi.json +++ b/translations/hi.json 
@@ -350,5 +350,6 @@ "Show Accounts": "खाते दिखाएं", "Peertube Instances": "Peertube उदाहरण", "Show video previews for the following Peertube sites.": "निम्नलिखित Peertube साइटों के लिए वीडियो पूर्वावलोकन दिखाएं।", - "Follows you": "आपका पीछा करता है" + "Follows you": "आपका पीछा करता है", + "Verify all signatures": "सभी हस्ताक्षर सत्यापित करें" } diff --git a/translations/it.json b/translations/it.json index 72d777ee1..1ad7efef6 100644 --- a/translations/it.json +++ b/translations/it.json @@ -350,5 +350,6 @@ "Show Accounts": "Mostra account", "Peertube Instances": "Istanze di Peertube", "Show video previews for the following Peertube sites.": "Mostra le anteprime dei video per i seguenti siti Peertube.", - "Follows you": "Ti segue" + "Follows you": "Ti segue", + "Verify all signatures": "Verifica tutte le firme" } diff --git a/translations/ja.json b/translations/ja.json index 6287b1ab7..7606a7aff 100644 --- a/translations/ja.json +++ b/translations/ja.json @@ -350,5 +350,6 @@ "Show Accounts": "アカウントを表示する", "Peertube Instances": "Peertubeインスタンス", "Show video previews for the following Peertube sites.": "次のPeertubeサイトのビデオプレビューを表示します。", - "Follows you": "あなたについていきます" + "Follows you": "あなたについていきます", + "Verify all signatures": "すべての署名を確認する" } diff --git a/translations/oc.json b/translations/oc.json index eb198fb68..07b9569c6 100644 --- a/translations/oc.json +++ b/translations/oc.json @@ -346,5 +346,6 @@ "Show Accounts": "Show Accounts", "Peertube Instances": "Peertube Instances", "Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.", - "Follows you": "Follows you" + "Follows you": "Follows you", + "Verify all signatures": "Verify all signatures" } diff --git a/translations/pt.json b/translations/pt.json index dfa17dc02..183b73d09 100644 --- a/translations/pt.json +++ b/translations/pt.json 
@@ -350,5 +350,6 @@ "Show Accounts": "Mostrar contas", "Peertube Instances": "Instâncias Peertube", "Show video previews for the following Peertube sites.": "Mostrar visualizações de vídeo para os seguintes sites Peertube.", - "Follows you": "Segue você" + "Follows you": "Segue você", + "Verify all signatures": "Verifique todas as assinaturas" } diff --git a/translations/ru.json b/translations/ru.json index 855c07f52..147a699a8 100644 --- a/translations/ru.json +++ b/translations/ru.json @@ -350,5 +350,6 @@ "Show Accounts": "Показать счета", "Peertube Instances": "Экземпляры Peertube", "Show video previews for the following Peertube sites.": "Показать превью видео для следующих сайтов Peertube.", - "Follows you": "Следует за вами" + "Follows you": "Следует за вами", + "Verify all signatures": "Проверить все подписи" } diff --git a/translations/zh.json b/translations/zh.json index a2be25403..23a46718d 100644 --- a/translations/zh.json +++ b/translations/zh.json @@ -350,5 +350,6 @@ "Show Accounts": "显示帐户", "Peertube Instances": "Peertube实例", "Show video previews for the following Peertube sites.": "显示以下Peertube网站的视频预览。", - "Follows you": "跟着你" + "Follows you": "跟着你", + "Verify all signatures": "验证所有签名" } diff --git a/webapp_profile.py b/webapp_profile.py index 65d29a592..a2b3e3deb 100644 --- a/webapp_profile.py +++ b/webapp_profile.py @@ -1106,6 +1106,10 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str, instanceStr += \ ' ' + instanceStr += \ + ' ' + \ + translate['Verify all signatures'] + '
\n' instanceStr += '' moderators = ''
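Review bot: The checkbox markup in this hunk is not legible in the extracted diff, so it is not visible whether the input is rendered pre-checked when the setting is currently enabled. That matters because the daemon.py handler in this commit writes `verifyAllSignatures = False` whenever the admin submits the profile form without the field, so an always-unchecked box would silently disable enforcement on the next unrelated profile save. The field name must also match the `verifyallsignatures` key read in daemon.py. htmlEditProfile starts before this hunk.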