Add authorized_fetch server setting in addition to env var (#25798)

This commit is contained in:
Claire 2023-09-01 15:41:10 +02:00 committed by GitHub
parent 6c4c72497a
commit 9e26cd5503
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 43 additions and 8 deletions

View File

@ -11,6 +11,7 @@ class ApplicationController < ActionController::Base
include CacheConcern include CacheConcern
include DomainControlHelper include DomainControlHelper
include DatabaseHelper include DatabaseHelper
include AuthorizedFetchHelper
helper_method :current_account helper_method :current_account
helper_method :current_session helper_method :current_session
@ -51,10 +52,6 @@ class ApplicationController < ActionController::Base
private private
def authorized_fetch_mode?
ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.limited_federation_mode
end
def public_fetch_mode? def public_fetch_mode?
!authorized_fetch_mode? !authorized_fetch_mode?
end end

View File

@ -0,0 +1,11 @@
# frozen_string_literal: true
module AuthorizedFetchHelper
def authorized_fetch_mode?
ENV.fetch('AUTHORIZED_FETCH') { Setting.authorized_fetch } == 'true' || Rails.configuration.x.limited_federation_mode
end
def authorized_fetch_overridden?
ENV.key?('AUTHORIZED_FETCH') || Rails.configuration.x.limited_federation_mode
end
end

View File

@ -188,6 +188,7 @@
} }
.information-badge, .information-badge,
.simple_form .overridden,
.simple_form .recommended, .simple_form .recommended,
.simple_form .not_recommended { .simple_form .not_recommended {
display: inline-block; display: inline-block;
@ -204,6 +205,7 @@
} }
.information-badge, .information-badge,
.simple_form .overridden,
.simple_form .recommended, .simple_form .recommended,
.simple_form .not_recommended { .simple_form .not_recommended {
background-color: rgba($ui-secondary-color, 0.1); background-color: rgba($ui-secondary-color, 0.1);

View File

@ -103,6 +103,7 @@ code {
} }
} }
.overridden,
.recommended, .recommended,
.not_recommended { .not_recommended {
position: absolute; position: absolute;

View File

@ -3,6 +3,8 @@
class Form::AdminSettings class Form::AdminSettings
include ActiveModel::Model include ActiveModel::Model
include AuthorizedFetchHelper
KEYS = %i( KEYS = %i(
site_contact_username site_contact_username
site_contact_email site_contact_email
@ -34,6 +36,7 @@ class Form::AdminSettings
backups_retention_period backups_retention_period
status_page_url status_page_url
captcha_enabled captcha_enabled
authorized_fetch
).freeze ).freeze
INTEGER_KEYS = %i( INTEGER_KEYS = %i(
@ -54,6 +57,7 @@ class Form::AdminSettings
noindex noindex
require_invite_text require_invite_text
captcha_enabled captcha_enabled
authorized_fetch
).freeze ).freeze
UPLOAD_KEYS = %i( UPLOAD_KEYS = %i(
@ -61,6 +65,10 @@ class Form::AdminSettings
mascot mascot
).freeze ).freeze
OVERRIDEN_SETTINGS = {
authorized_fetch: :authorized_fetch_mode?,
}.freeze
attr_accessor(*KEYS) attr_accessor(*KEYS)
validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) } validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) }
@ -80,6 +88,8 @@ class Form::AdminSettings
stored_value = if UPLOAD_KEYS.include?(key) stored_value = if UPLOAD_KEYS.include?(key)
SiteUpload.where(var: key).first_or_initialize(var: key) SiteUpload.where(var: key).first_or_initialize(var: key)
elsif OVERRIDEN_SETTINGS.include?(key)
public_send(OVERRIDEN_SETTINGS[key])
else else
Setting.public_send(key) Setting.public_send(key)
end end

View File

@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
module Payloadable module Payloadable
include AuthorizedFetchHelper
# @param [ActiveModelSerializers::Model] record # @param [ActiveModelSerializers::Model] record
# @param [ActiveModelSerializers::Serializer] serializer # @param [ActiveModelSerializers::Serializer] serializer
# @param [Hash] options # @param [Hash] options
@ -23,6 +25,6 @@ module Payloadable
end end
def signing_enabled? def signing_enabled?
ENV['AUTHORIZED_FETCH'] != 'true' && !Rails.configuration.x.limited_federation_mode !authorized_fetch_mode?
end end
end end

View File

@ -39,6 +39,11 @@
.fields-group .fields-group
= f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended = f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended
%h4= t('admin.settings.security.federation_authentication')
.fields-group
= f.input :authorized_fetch, as: :boolean, wrapper: :with_label, label: t('admin.settings.security.authorized_fetch'), warning_hint: authorized_fetch_overridden? ? t('admin.settings.security.authorized_fetch_overridden_hint') : nil, hint: t('admin.settings.security.authorized_fetch_hint'), disabled: authorized_fetch_overridden?, recommended: authorized_fetch_overridden? ? :overridden : nil
%h4= t('admin.settings.discovery.follow_recommendations') %h4= t('admin.settings.discovery.follow_recommendations')
.fields-group .fields-group

View File

@ -50,7 +50,7 @@ ignore_unused:
- 'activerecord.errors.*' - 'activerecord.errors.*'
- '{devise,pagination,doorkeeper}.*' - '{devise,pagination,doorkeeper}.*'
- '{date,datetime,time,number}.*' - '{date,datetime,time,number}.*'
- 'simple_form.{yes,no,recommended,not_recommended}' - 'simple_form.{yes,no,recommended,not_recommended,overridden}'
- 'simple_form.{placeholders,hints,labels}.*' - 'simple_form.{placeholders,hints,labels}.*'
- 'simple_form.{error_notification,required}.:' - 'simple_form.{error_notification,required}.:'
- 'errors.messages.*' - 'errors.messages.*'

View File

@ -97,7 +97,8 @@ SimpleForm.setup do |config|
end end
end end
b.use :hint, wrap_with: { tag: :span, class: :hint } b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :error, wrap_with: { tag: :span, class: :error } b.use :error, wrap_with: { tag: :span, class: :error }
end end
@ -111,8 +112,8 @@ SimpleForm.setup do |config|
config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b| config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b|
b.use :html5 b.use :html5
b.use :label b.use :label
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] } b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :input, wrap_with: { tag: :div, class: :label_input } b.use :input, wrap_with: { tag: :div, class: :label_input }
b.use :error, wrap_with: { tag: :span, class: :error } b.use :error, wrap_with: { tag: :span, class: :error }
end end

View File

@ -770,6 +770,11 @@ en:
approved: Approval required for sign up approved: Approval required for sign up
none: Nobody can sign up none: Nobody can sign up
open: Anyone can sign up open: Anyone can sign up
security:
authorized_fetch: Require authentication from federated servers
authorized_fetch_hint: Requiring authentication from federated servers enables stricter enforcement of both user-level and server-level blocks. However, this comes at the cost of a performance penalty, reduces the reach of your replies, and may introduce compatibility issues with some federated services. In addition, this will not prevent dedicated actors from fetching your public posts and accounts.
authorized_fetch_overridden_hint: You are currently unable to change this setting because it is overridden by an environment variable.
federation_authentication: Federation authentication enforcement
title: Server settings title: Server settings
site_uploads: site_uploads:
delete: Delete uploaded file delete: Delete uploaded file

View File

@ -317,6 +317,7 @@ en:
url: Endpoint URL url: Endpoint URL
'no': 'No' 'no': 'No'
not_recommended: Not recommended not_recommended: Not recommended
overridden: Overridden
recommended: Recommended recommended: Recommended
required: required:
mark: "*" mark: "*"