indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Fix federated shared items authorization

merge-requests/30/head
Bob Mottram 2021-08-05 13:43:21 +01:00
parent 0f71fae658
commit 5f10fc9a61
3 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
daemon.py
View File

@ -10818,18 +10818,18 @@ class PubServer(BaseHTTPRequestHandler):
catalogAuthorized = authorized catalogAuthorized = authorized
if not catalogAuthorized: if not catalogAuthorized:
if self.server.debug: if self.server.debug:
print('Catalog access is not authorized. Checking' + print('Catalog access is not authorized. ' +
'Authorization header') 'Checking Authorization header')
# basic auth access to shared items catalog # Check the authorization token
if self.headers.get('Origin') and \ if self.headers.get('Origin') and \
self.headers.get('Authorization'): self.headers.get('Authorization'):
permittedDomains = \ permittedDomains = \
self.server.sharedItemsFederatedDomains self.server.sharedItemsFederatedDomains
sharedItemTokens = self.server.sharedItemFederationTokens sharedItemTokens = self.server.sharedItemFederationTokens
originDomain = self.headers.get('Origin')
if authorizeSharedItems(permittedDomains, if authorizeSharedItems(permittedDomains,
self.server.baseDir, self.server.baseDir,
originDomain, self.headers['Origin'],
callingDomain,
self.headers['Authorization'], self.headers['Authorization'],
self.server.debug, self.server.debug,
sharedItemTokens): sharedItemTokens):
@ -10838,10 +10838,6 @@ class PubServer(BaseHTTPRequestHandler):
print('Authorization token refused for ' + print('Authorization token refused for ' +
'shared items federation') 'shared items federation')
elif self.server.debug: elif self.server.debug:
if not self.headers.get('Origin'):
print('No Origin header is available for ' +
'shared items federation')
else:
print('No Authorization header is available for ' + print('No Authorization header is available for ' +
'shared items federation') 'shared items federation')
# show shared items catalog for federation # show shared items catalog for federation

12
shares.py
View File

@ -1178,6 +1178,7 @@ def createSharedItemFederationToken(baseDir: str,
def authorizeSharedItems(sharedItemsFederatedDomains: [], def authorizeSharedItems(sharedItemsFederatedDomains: [],
baseDir: str, baseDir: str,
originDomainFull: str, originDomainFull: str,
callingDomainFull: str,
authHeader: str, authHeader: str,
debug: bool, debug: bool,
tokensJson: {} = None) -> bool: tokensJson: {} = None) -> bool:
@ -1189,7 +1190,8 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
if originDomainFull not in sharedItemsFederatedDomains: if originDomainFull not in sharedItemsFederatedDomains:
if debug: if debug:
print(originDomainFull + print(originDomainFull +
' is not in the shared items federation list') ' is not in the shared items federation list ' +
str(sharedItemsFederatedDomains))
return False return False
if 'Basic ' in authHeader: if 'Basic ' in authHeader:
if debug: if debug:
@ -1216,16 +1218,16 @@ def authorizeSharedItems(sharedItemsFederatedDomains: [],
tokensJson = loadJson(tokensFilename, 1, 2) tokensJson = loadJson(tokensFilename, 1, 2)
if not tokensJson: if not tokensJson:
return False return False
if not tokensJson.get(originDomainFull): if not tokensJson.get(callingDomainFull):
if debug: if debug:
print('DEBUG: shared item federation token ' + print('DEBUG: shared item federation token ' +
'check failed for ' + originDomainFull) 'check failed for ' + callingDomainFull)
return False return False
if not constantTimeStringCheck(tokensJson[originDomainFull], if not constantTimeStringCheck(tokensJson[callingDomainFull],
providedToken): providedToken):
if debug: if debug:
print('DEBUG: shared item federation token ' + print('DEBUG: shared item federation token ' +
'mismatch for ' + originDomainFull) 'mismatch for ' + callingDomainFull)
return False return False
return True return True

17
tests.py
View File

@ -1660,6 +1660,21 @@ def testSharedItemsFederation():
print('Bob tokens') print('Bob tokens')
pprint(bobTokens) pprint(bobTokens)
print('\n\n*********************************************************')
print('Alice can read the federated shared items catalog of Bob')
headers = {
'Origin': aliceAddress,
'Authorization': bobTokens[bobAddress],
'host': bobAddress,
'Accept': 'application/json'
}
url = httpPrefix + '://' + bobAddress + '/catalog'
catalogJson = getJson(sessionAlice, url, headers, None, True)
assert catalogJson
pprint(catalogJson)
assert 'DFC:supplies' in catalogJson
assert len(catalogJson.get('DFC:supplies')) == 3
# stop the servers # stop the servers
thrAlice.kill() thrAlice.kill()
thrAlice.join() thrAlice.join()
@ -5099,9 +5114,11 @@ def _testAuthorizeSharedItems():
assert len(tokensJson['cat.domain']) >= 64 assert len(tokensJson['cat.domain']) >= 64
assert len(tokensJson['birb.domain']) == 0 assert len(tokensJson['birb.domain']) == 0
assert not authorizeSharedItems(sharedItemsFederatedDomains, None, assert not authorizeSharedItems(sharedItemsFederatedDomains, None,
'birb.domain',
'cat.domain', 'M' * 86, 'cat.domain', 'M' * 86,
False, tokensJson) False, tokensJson)
assert authorizeSharedItems(sharedItemsFederatedDomains, None, assert authorizeSharedItems(sharedItemsFederatedDomains, None,
'birb.domain',
'cat.domain', tokensJson['cat.domain'], 'cat.domain', tokensJson['cat.domain'],
False, tokensJson) False, tokensJson)
tokensJson = \ tokensJson = \