Option to enforce json signature checks

daemon.py

@@ -4274,11 +4274,25 @@ class PubServer(BaseHTTPRequestHandler):
                             actorJson['summary'] = ''
                             actorChanged = True
 
-                    # change moderators list
+                    adminNickname = \
-                    if fields.get('moderators'):
+                        getConfigParam(baseDir, 'admin')
-                        adminNickname = \
+
-                            getConfigParam(baseDir, 'admin')
+                    if adminNickname:
-                        if adminNickname:
+                        # whether to require jsonld signatures
+                        # on all incoming posts
+                        if path.startswith('/users/' +
+                                           adminNickname + '/'):
+                            verifyAllSignatures = False
+                            if fields.get('verifyallsignatures'):
+                                if fields['verifyallsignatures'] == 'on':
+                                    verifyAllSignatures = True
+                            self.server.verifyAllSignatures = \
+                                verifyAllSignatures
+                            setConfigParam(baseDir, "verifyAllSignatures",
+                                           verifyAllSignatures)
+
+                        # change moderators list
+                        if fields.get('moderators'):
                             if path.startswith('/users/' +
                                                adminNickname + '/'):
                                 moderatorsFile = \
@@ -4334,11 +4348,8 @@ class PubServer(BaseHTTPRequestHandler):
                                                     'instance',
                                                     'moderator')
 
-                    # change site editors list
+                        # change site editors list
-                    if fields.get('editors'):
+                        if fields.get('editors'):
-                        adminNickname = \
-                            getConfigParam(baseDir, 'admin')
-                        if adminNickname:
                             if path.startswith('/users/' +
                                                adminNickname + '/'):
                                 editorsFile = \
@@ -13400,7 +13411,8 @@ def loadTokens(baseDir: str, tokensDict: {}, tokensLookup: {}) -> None:
         break
 
 
-def runDaemon(sendThreadsTimeoutMins: int,
+def runDaemon(verifyAllSignatures: bool,
+              sendThreadsTimeoutMins: int,
               dormantMonths: int,
               maxNewswirePosts: int,
               allowLocalNetworkAccess: bool,
@@ -13480,6 +13492,9 @@ def runDaemon(sendThreadsTimeoutMins: int,
     # maximum number of posts to appear in the newswire on the right column
     httpd.maxNewswirePosts = maxNewswirePosts
 
+    # whether to require that all incoming posts have valid jsonld signatures
+    httpd.verifyAllSignatures = verifyAllSignatures
+
     # This counter is used to update the list of blocked domains in memory.
     # It helps to avoid touching the disk and so improves flooding resistance
     httpd.blocklistUpdateCtr = 0
@@ -13749,7 +13764,8 @@ def runDaemon(sendThreadsTimeoutMins: int,
                               httpd.showPublishedDateOnly,
                               httpd.maxFollowers,
                               httpd.allowLocalNetworkAccess,
-                              httpd.peertubeInstances), daemon=True)
+                              httpd.peertubeInstances,
+                              verifyAllSignatures), daemon=True)
 
     print('Creating scheduled post thread')
     httpd.thrPostSchedule = \

epicyon.py

@@ -267,6 +267,12 @@ parser.add_argument("--allowLocalNetworkAccess",
                     help="Whether to allow access to local network " +
                     "addresses. This might be useful when deploying in " +
                     "a mesh network")
+parser.add_argument("--verifyAllSignatures",
+                    dest='verifyAllSignatures',
+                    type=str2bool, nargs='?',
+                    const=True, default=False,
+                    help="Whether to require that all incoming " +
+                    "posts have valid jsonld signatures")
 parser.add_argument("--noapproval", type=str2bool, nargs='?',
                     const=True, default=False,
                     help="Allow followers without approval")
@@ -2119,6 +2125,11 @@ allowLocalNetworkAccess = \
 if allowLocalNetworkAccess is not None:
     args.allowLocalNetworkAccess = bool(allowLocalNetworkAccess)
 
+verifyAllSignatures = \
+    getConfigParam(baseDir, 'verifyAllSignatures')
+if verifyAllSignatures is not None:
+    args.verifyAllSignatures = bool(verifyAllSignatures)
+
 YTDomain = getConfigParam(baseDir, 'youtubedomain')
 if YTDomain:
     if '://' in YTDomain:
@@ -2132,7 +2143,8 @@ if setTheme(baseDir, themeName, domain, args.allowLocalNetworkAccess):
     print('Theme set to ' + themeName)
 
 if __name__ == "__main__":
-    runDaemon(args.sendThreadsTimeoutMins,
+    runDaemon(args.verifyAllSignatures,
+              args.sendThreadsTimeoutMins,
               args.dormantMonths,
               args.maxNewswirePosts,
               args.allowLocalNetworkAccess,

inbox.py

@@ -2447,7 +2447,8 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
                   YTReplacementDomain: str,
                   showPublishedDateOnly: bool,
                   maxFollowers: int, allowLocalNetworkAccess: bool,
-                  peertubeInstances: []) -> None:
+                  peertubeInstances: [],
+                  verifyAllSignatures: bool) -> None:
     """Processes received items and moves them to the appropriate
     directories
     """
@@ -2716,6 +2717,16 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
                 if jwebsig.get('type') and jwebsig.get('signatureValue'):
                     if jwebsig['type'] == 'RsaSignature2017':
                         checkJsonSignature = True
+
+        if verifyAllSignatures and \
+           not checkJsonSignature:
+            print('inbox post does not have a jsonld signature ' + keyId)
+            if os.path.isfile(queueFilename):
+                os.remove(queueFilename)
+            if len(queue) > 0:
+                queue.pop(0)
+            continue
+
         if checkJsonSignature:
             # use the original json message received, not one which may have
             # been modified along the way

tests.py

@@ -323,8 +323,10 @@ def createServerAlice(path: str, domain: str, port: int,
     dormantMonths = 3
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
+    verifyAllSignatures = True
     print('Server running: Alice')
-    runDaemon(sendThreadsTimeoutMins,
+    runDaemon(verifyAllSignatures,
+              sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
               2048, False, True, False, False, True, maxFollowers,
@@ -420,8 +422,10 @@ def createServerBob(path: str, domain: str, port: int,
     dormantMonths = 3
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
+    verifyAllSignatures = True
     print('Server running: Bob')
-    runDaemon(sendThreadsTimeoutMins,
+    runDaemon(verifyAllSignatures,
+              sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
               2048, False, True, False, False, True, maxFollowers,
@@ -467,8 +471,10 @@ def createServerEve(path: str, domain: str, port: int, federationList: [],
     dormantMonths = 3
     sendThreadsTimeoutMins = 30
     maxFollowers = 10
+    verifyAllSignatures = True
     print('Server running: Eve')
-    runDaemon(sendThreadsTimeoutMins,
+    runDaemon(verifyAllSignatures,
+              sendThreadsTimeoutMins,
               dormantMonths, maxNewswirePosts,
               allowLocalNetworkAccess,
               2048, False, True, False, False, True, maxFollowers,

translations/ar.json

@@ -350,5 +350,6 @@
     "Show Accounts": "إظهار الحسابات",
     "Peertube Instances": "مثيلات Peertube",
     "Show video previews for the following Peertube sites.": "إظهار معاينات الفيديو لمواقع Peertube التالية.",
-    "Follows you": "يتبعك"
+    "Follows you": "يتبعك",
+    "Verify all signatures": "تحقق من جميع التوقيعات"
 }

translations/ca.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Mostra comptes",
     "Peertube Instances": "Instàncies de Peertube",
     "Show video previews for the following Peertube sites.": "Mostra les previsualitzacions de vídeo dels següents llocs de Peertube.",
-    "Follows you": "Et segueix"
+    "Follows you": "Et segueix",
+    "Verify all signatures": "Verifiqueu totes les signatures"
 }

translations/cy.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Dangos Cyfrifon",
     "Peertube Instances": "Camau Peertube",
     "Show video previews for the following Peertube sites.": "Dangos rhagolygon fideo ar gyfer y safleoedd Peertube canlynol.",
-    "Follows you": "Yn eich dilyn chi"
+    "Follows you": "Yn eich dilyn chi",
+    "Verify all signatures": "Gwirio pob llofnod"
 }

translations/de.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Konten anzeigen",
     "Peertube Instances": "Peertube-Instanzen",
     "Show video previews for the following Peertube sites.": "Zeigen Sie eine Videovorschau für die folgenden Peertube-Websites an.",
-    "Follows you": "Folgt dir"
+    "Follows you": "Folgt dir",
+    "Verify all signatures": "Überprüfen Sie alle Signaturen"
 }

translations/en.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Show Accounts",
     "Peertube Instances": "Peertube Instances",
     "Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.",
-    "Follows you": "Follows you"
+    "Follows you": "Follows you",
+    "Verify all signatures": "Verify all signatures"
 }

translations/es.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Mostrar cuentas",
     "Peertube Instances": "Instancias de Peertube",
     "Show video previews for the following Peertube sites.": "Muestre vistas previas de video para los siguientes sitios de Peertube.",
-    "Follows you": "Te sigue"
+    "Follows you": "Te sigue",
+    "Verify all signatures": "Verificar todas las firmas"
 }

translations/fr.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Afficher les comptes",
     "Peertube Instances": "Instances Peertube",
     "Show video previews for the following Peertube sites.": "Afficher des aperçus vidéo pour les sites Peertube suivants.",
-    "Follows you": "Vous suit"
+    "Follows you": "Vous suit",
+    "Verify all signatures": "Vérifier toutes les signatures"
 }

translations/ga.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Taispeáin Cuntais",
     "Peertube Instances": "Imeachtaí Peertube",
     "Show video previews for the following Peertube sites.": "Taispeáin réamhamharcanna físe do na suíomhanna Peertube seo a leanas.",
-    "Follows you": "Leanann tú"
+    "Follows you": "Leanann tú",
+    "Verify all signatures": "Fíoraigh gach síniú"
 }

translations/hi.json

@@ -350,5 +350,6 @@
     "Show Accounts": "खाते दिखाएं",
     "Peertube Instances": "Peertube उदाहरण",
     "Show video previews for the following Peertube sites.": "निम्नलिखित Peertube साइटों के लिए वीडियो पूर्वावलोकन दिखाएं।",
-    "Follows you": "आपका पीछा करता है"
+    "Follows you": "आपका पीछा करता है",
+    "Verify all signatures": "सभी हस्ताक्षर सत्यापित करें"
 }

translations/it.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Mostra account",
     "Peertube Instances": "Istanze di Peertube",
     "Show video previews for the following Peertube sites.": "Mostra le anteprime dei video per i seguenti siti Peertube.",
-    "Follows you": "Ti segue"
+    "Follows you": "Ti segue",
+    "Verify all signatures": "Verifica tutte le firme"
 }

translations/ja.json

@@ -350,5 +350,6 @@
     "Show Accounts": "アカウントを表示する",
     "Peertube Instances": "Peertubeインスタンス",
     "Show video previews for the following Peertube sites.": "次のPeertubeサイトのビデオプレビューを表示します。",
-    "Follows you": "あなたについていきます"
+    "Follows you": "あなたについていきます",
+    "Verify all signatures": "すべての署名を確認する"
 }

translations/oc.json

@@ -346,5 +346,6 @@
     "Show Accounts": "Show Accounts",
     "Peertube Instances": "Peertube Instances",
     "Show video previews for the following Peertube sites.": "Show video previews for the following Peertube sites.",
-    "Follows you": "Follows you"
+    "Follows you": "Follows you",
+    "Verify all signatures": "Verify all signatures"
 }

translations/pt.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Mostrar contas",
     "Peertube Instances": "Instâncias Peertube",
     "Show video previews for the following Peertube sites.": "Mostrar visualizações de vídeo para os seguintes sites Peertube.",
-    "Follows you": "Segue você"
+    "Follows you": "Segue você",
+    "Verify all signatures": "Verifique todas as assinaturas"
 }

translations/ru.json

@@ -350,5 +350,6 @@
     "Show Accounts": "Показать счета",
     "Peertube Instances": "Экземпляры Peertube",
     "Show video previews for the following Peertube sites.": "Показать превью видео для следующих сайтов Peertube.",
-    "Follows you": "Следует за вами"
+    "Follows you": "Следует за вами",
+    "Verify all signatures": "Проверить все подписи"
 }

translations/zh.json

@@ -350,5 +350,6 @@
     "Show Accounts": "显示帐户",
     "Peertube Instances": "Peertube实例",
     "Show video previews for the following Peertube sites.": "显示以下Peertube网站的视频预览。",
-    "Follows you": "跟着你"
+    "Follows you": "跟着你",
+    "Verify all signatures": "验证所有签名"
 }

webapp_profile.py

@@ -1106,6 +1106,10 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str,
             instanceStr += \
                 '  <input type="file" id="instanceLogo" name="instanceLogo"'
             instanceStr += '      accept="' + imageFormats + '">'
+            instanceStr += \
+                '      <input type="checkbox" class="profilecheckbox" ' + \
+                'name="verifyallsignatures"> ' + \
+                translate['Verify all signatures'] + '<br>\n'
             instanceStr += '</div>'
 
             moderators = ''