merge-requests/30/head
Bob Mottram 2024-01-31 23:52:04 +00:00
parent 0e35d6a74c
commit 3a33110166
1 changed files with 278 additions and 39 deletions

317
daemon.py

@ -698,33 +698,46 @@ class PubServer(BaseHTTPRequestHandler):
return None return None
def _secure_mode(self, curr_session, proxy_type: str, def _secure_mode(self, curr_session, proxy_type: str,
force: bool) -> bool: force: bool, secure_mode: bool,
debug: bool, headers: {},
federation_list: [],
onion_domain: str,
i2p_domain: str,
session_onion, session_i2p,
base_dir: str,
person_cache: {},
project_version: str,
http_prefix: str,
domain: str,
domain_full: str,
signing_priv_key_pem: str,
path: str) -> bool:
"""http authentication of GET requests for json """http authentication of GET requests for json
aka authorized fetch aka authorized fetch
""" """
if not self.server.secure_mode and not force: if not secure_mode and not force:
return True return True
key_id = signed_get_key_id(self.headers, self.server.debug) key_id = signed_get_key_id(headers, debug)
if not key_id: if not key_id:
if self.server.debug: if debug:
print('AUTH: secure mode, ' + print('AUTH: secure mode, ' +
'failed to obtain key_id from signature') 'failed to obtain key_id from signature')
return False return False
# is the key_id (actor) valid? # is the key_id (actor) valid?
if not url_permitted(key_id, self.server.federation_list): if not url_permitted(key_id, federation_list):
if self.server.debug: if debug:
print('AUTH: Secure mode GET request not permitted: ' + key_id) print('AUTH: Secure mode GET request not permitted: ' + key_id)
return False return False
if self.server.onion_domain: if onion_domain:
if '.onion/' in key_id: if '.onion/' in key_id:
curr_session = self.server.session_onion curr_session = session_onion
proxy_type = 'tor' proxy_type = 'tor'
if self.server.i2p_domain: if i2p_domain:
if '.i2p/' in key_id: if '.i2p/' in key_id:
curr_session = self.server.session_i2p curr_session = session_i2p
proxy_type = 'i2p' proxy_type = 'i2p'
curr_session = \ curr_session = \
@ -735,37 +748,37 @@ class PubServer(BaseHTTPRequestHandler):
# obtain the public key. key_id is the actor # obtain the public key. key_id is the actor
pub_key = \ pub_key = \
get_person_pub_key(self.server.base_dir, get_person_pub_key(base_dir,
curr_session, key_id, curr_session, key_id,
self.server.person_cache, self.server.debug, person_cache, debug,
self.server.project_version, project_version,
self.server.http_prefix, http_prefix,
self.server.domain, domain,
self.server.onion_domain, onion_domain,
self.server.i2p_domain, i2p_domain,
self.server.signing_priv_key_pem) signing_priv_key_pem)
if not pub_key: if not pub_key:
if self.server.debug: if debug:
print('AUTH: secure mode failed to ' + print('AUTH: secure mode failed to ' +
'obtain public key for ' + key_id) 'obtain public key for ' + key_id)
return False return False
# was an error http code returned? # was an error http code returned?
if isinstance(pub_key, dict): if isinstance(pub_key, dict):
if self.server.debug: if debug:
print('AUTH: failed to ' + print('AUTH: failed to ' +
'obtain public key for ' + key_id + 'obtain public key for ' + key_id +
' ' + str(pub_key)) ' ' + str(pub_key))
return False return False
# verify the GET request without any digest # verify the GET request without any digest
if verify_post_headers(self.server.http_prefix, if verify_post_headers(http_prefix,
self.server.domain_full, domain_full,
pub_key, self.headers, pub_key, headers,
self.path, True, None, '', self.server.debug): path, True, None, '', debug):
return True return True
if self.server.debug: if debug:
print('AUTH: secure mode authorization failed for ' + key_id) print('AUTH: secure mode authorization failed for ' + key_id)
return False return False
@ -12447,7 +12460,23 @@ class PubServer(BaseHTTPRequestHandler):
'_GET', '_show_replies_to_post', '_GET', '_show_replies_to_post',
debug) debug)
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
msg_str = json.dumps(replies_json, ensure_ascii=False) msg_str = json.dumps(replies_json, ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
referer_domain, referer_domain,
@ -12566,7 +12595,23 @@ class PubServer(BaseHTTPRequestHandler):
'_GET', '_show_replies_to_post', '_GET', '_show_replies_to_post',
debug) debug)
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
msg_str = json.dumps(replies_json, ensure_ascii=False) msg_str = json.dumps(replies_json, ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
referer_domain, referer_domain,
@ -12693,7 +12738,23 @@ class PubServer(BaseHTTPRequestHandler):
fitness_performance(getreq_start_time, self.server.fitness, fitness_performance(getreq_start_time, self.server.fitness,
'_GET', '_show_roles', debug) '_GET', '_show_roles', debug)
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
roles_list = get_actor_roles_list(actor_json) roles_list = get_actor_roles_list(actor_json)
msg_str = json.dumps(roles_list, ensure_ascii=False) msg_str = json.dumps(roles_list, ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
@ -12833,8 +12894,26 @@ class PubServer(BaseHTTPRequestHandler):
'_GET', '_show_skills', '_GET', '_show_skills',
self.server.debug) self.server.debug)
else: else:
signing_priv_key_pem = \
self.server.signing_priv_key_pem
if self._secure_mode(curr_session, if self._secure_mode(curr_session,
proxy_type, False): proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
signing_priv_key_pem,
self.path):
actor_skills_list = \ actor_skills_list = \
get_occupation_skills(actor_json) get_occupation_skills(actor_json)
skills = \ skills = \
@ -13281,7 +13360,23 @@ class PubServer(BaseHTTPRequestHandler):
'_GET', '_show_post_from_file', '_GET', '_show_post_from_file',
debug) debug)
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
if not include_create_wrapper and \ if not include_create_wrapper and \
post_json_object['type'] == 'Create' and \ post_json_object['type'] == 'Create' and \
has_object_dict(post_json_object): has_object_dict(post_json_object):
@ -15254,7 +15349,23 @@ class PubServer(BaseHTTPRequestHandler):
'_GET', '_show_outbox_timeline', '_GET', '_show_outbox_timeline',
debug) debug)
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
onion_domain = self.server.onion_domain onion_domain = self.server.onion_domain
i2p_domain = self.server.i2p_domain i2p_domain = self.server.i2p_domain
msg_str = json.dumps(outbox_feed, msg_str = json.dumps(outbox_feed,
@ -15575,7 +15686,23 @@ class PubServer(BaseHTTPRequestHandler):
self.server.getreq_busy = False self.server.getreq_busy = False
return True return True
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
onion_domain = self.server.onion_domain onion_domain = self.server.onion_domain
i2p_domain = self.server.i2p_domain i2p_domain = self.server.i2p_domain
msg_str = json.dumps(shares, msg_str = json.dumps(shares,
@ -15733,7 +15860,23 @@ class PubServer(BaseHTTPRequestHandler):
debug) debug)
return True return True
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
if '/users/' in path: if '/users/' in path:
nickname = path.split('/users/')[1] nickname = path.split('/users/')[1]
if '/' in nickname: if '/' in nickname:
@ -15890,7 +16033,23 @@ class PubServer(BaseHTTPRequestHandler):
debug) debug)
return True return True
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
msg_str = json.dumps(following, msg_str = json.dumps(following,
ensure_ascii=False) ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
@ -16045,7 +16204,23 @@ class PubServer(BaseHTTPRequestHandler):
debug) debug)
return True return True
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
msg_str = json.dumps(following, msg_str = json.dumps(following,
ensure_ascii=False) ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
@ -16202,7 +16377,23 @@ class PubServer(BaseHTTPRequestHandler):
debug) debug)
return True return True
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
if '/users/' in path: if '/users/' in path:
nickname = path.split('/users/')[1] nickname = path.split('/users/')[1]
if '/' in nickname: if '/' in nickname:
@ -16397,7 +16588,23 @@ class PubServer(BaseHTTPRequestHandler):
if self.server.debug: if self.server.debug:
print('DEBUG: html actor sent') print('DEBUG: html actor sent')
else: else:
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
accept_str = self.headers['Accept'] accept_str = self.headers['Accept']
msg_str = json.dumps(actor_json, ensure_ascii=False) msg_str = json.dumps(actor_json, ensure_ascii=False)
msg_str = convert_domains(calling_domain, msg_str = convert_domains(calling_domain,
@ -17646,7 +17853,23 @@ class PubServer(BaseHTTPRequestHandler):
print('DEBUG: followers synchronization request ' + print('DEBUG: followers synchronization request ' +
self.path + ' ' + calling_domain) self.path + ' ' + calling_domain)
# check authorized fetch # check authorized fetch
if self._secure_mode(curr_session, proxy_type, False): if self._secure_mode(curr_session, proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
nickname = get_nickname_from_actor(self.path) nickname = get_nickname_from_actor(self.path)
sync_cache = self.server.followers_sync_cache sync_cache = self.server.followers_sync_cache
sync_json, _ = \ sync_json, _ = \
@ -21554,7 +21777,23 @@ class PubServer(BaseHTTPRequestHandler):
return return
if not self._secure_mode(curr_session, if not self._secure_mode(curr_session,
proxy_type, False): proxy_type, False,
self.server.secure_mode,
self.server.debug,
self.server.headers,
self.server.federation_list,
self.server.onion_domain,
self.server.i2p_domain,
self.server.session_onion,
self.server.session_i2p,
self.server.base_dir,
self.server.person_cache,
self.server.project_version,
self.server.http_prefix,
self.server.domain,
self.server.domain_full,
self.server.signing_priv_key_pem,
self.path):
if self.server.debug: if self.server.debug:
print('WARN: Unauthorized GET') print('WARN: Unauthorized GET')
self._404() self._404()
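Review bot: All fourteen updated `_secure_mode` calls, starting with the one in the hunk at -12447, pass `self.server.headers` for the new `headers` parameter, whereas the removed code read the request's own `self.headers` in both `signed_get_key_id` and `verify_post_headers`. Nothing visible in this diff defines a `headers` attribute on the server object, so the authorized-fetch check would presumably either raise AttributeError or, if such an attribute exists, verify the HTTP signature against headers that do not belong to the current request. The argument should stay `self.headers,` at every call site. With sixteen positional arguments repeated per call, passing them by keyword (for example `headers=self.headers, path=self.path`) would make a mix-up like this visible in review. The `headers: {}`, `federation_list: []` and `person_cache: {}` annotations in the new signature are literal instances rather than types and would read better as `dict` and `list`.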