[#1560] Restricted AP- & OStatus-related routes for non-federating instances.

2020-02-22 19:48:41 +03:00 · 2020-02-22 19:48:41 +03:00 · 0cf1d4fcd0
parent 1961a680ec
commit 0cf1d4fcd0
10 changed files with 166 additions and 158 deletions
--- a/lib/pleroma/plugs/static_fe_plug.ex
+++ b/lib/pleroma/plugs/static_fe_plug.ex
@ -21,6 +21,9 @@ defmodule Pleroma.Plugs.StaticFEPlug do
  defp enabled?, do: Pleroma.Config.get([:static_fe, :enabled], false)

  defp accepts_html?(conn) do
-    conn |> get_req_header("accept") |> List.first() |> String.contains?("text/html")
+    conn
+    |> get_req_header("accept")
+    |> List.first()
+    |> String.contains?("text/html")
  end
 end
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -30,7 +30,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    when action in [:activity, :object]
  )

-  plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
+  plug(Pleroma.Web.FederatingPlug)
  plug(:set_requester_reachable when action in [:inbox])
  plug(:relay_active? when action in [:relay])

--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
@ -16,6 +16,8 @@ defmodule Pleroma.Web.OStatus.OStatusController do
  alias Pleroma.Web.Metadata.PlayerView
  alias Pleroma.Web.Router

+  plug(Pleroma.Web.FederatingPlug)
+
  plug(
    RateLimiter,
    [name: :ap_routes, params: ["uuid"]] when action in [:object, :activity]
--- a/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
@ -16,6 +16,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do

  @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]

+  plug(Pleroma.Web.FederatingPlug)
+
  # Note: follower can submit the form (with password auth) not being signed in (having no token)
  plug(
    OAuthScopesPlug,
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -17,6 +17,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
  alias Pleroma.Web.CommonAPI
  alias Pleroma.Web.WebFinger

+  plug(Pleroma.Web.FederatingPlug when action == :remote_subscribe)
+
  plug(
    OAuthScopesPlug,
    %{scopes: ["follow", "write:follows"]}
--- a/test/web/activity_pub/publisher_test.exs
+++ b/test/web/activity_pub/publisher_test.exs
@ -23,6 +23,10 @@ defmodule Pleroma.Web.ActivityPub.PublisherTest do
    :ok
  end

+  clear_config_all([:instance, :federating]) do
+    Pleroma.Config.put([:instance, :federating], true)
+  end
+
  describe "gather_webfinger_links/1" do
    test "it returns links" do
      user = insert(:user)
--- a/test/web/feed/user_controller_test.exs
+++ b/test/web/feed/user_controller_test.exs
@ -8,66 +8,78 @@ defmodule Pleroma.Web.Feed.UserControllerTest do
  import Pleroma.Factory
  import SweetXml

+  alias Pleroma.Config
  alias Pleroma.Object
  alias Pleroma.User

-  clear_config([:feed])
-
-  test "gets a feed", %{conn: conn} do
-    Pleroma.Config.put(
-      [:feed, :post_title],
-      %{max_length: 10, omission: "..."}
-    )
-
-    activity = insert(:note_activity)
-
-    note =
-      insert(:note,
-        data: %{
-          "content" => "This is :moominmamma: note ",
-          "attachment" => [
-            %{
-              "url" => [%{"mediaType" => "image/png", "href" => "https://pleroma.gov/image.png"}]
-            }
-          ],
-          "inReplyTo" => activity.data["id"]
-        }
-      )
-
-    note_activity = insert(:note_activity, note: note)
-    user = User.get_cached_by_ap_id(note_activity.data["actor"])
-
-    note2 =
-      insert(:note,
-        user: user,
-        data: %{"content" => "42 This is :moominmamma: note ", "inReplyTo" => activity.data["id"]}
-      )
-
-    _note_activity2 = insert(:note_activity, note: note2)
-    object = Object.normalize(note_activity)
-
-    resp =
-      conn
-      |> put_req_header("content-type", "application/atom+xml")
-      |> get(user_feed_path(conn, :feed, user.nickname))
-      |> response(200)
-
-    activity_titles =
-      resp
-      |> SweetXml.parse()
-      |> SweetXml.xpath(~x"//entry/title/text()"l)
-
-    assert activity_titles == ['42 This...', 'This is...']
-    assert resp =~ object.data["content"]
+  clear_config_all([:instance, :federating]) do
+    Config.put([:instance, :federating], true)
  end

-  test "returns 404 for a missing feed", %{conn: conn} do
-    conn =
-      conn
-      |> put_req_header("content-type", "application/atom+xml")
-      |> get(user_feed_path(conn, :feed, "nonexisting"))
+  describe "feed" do
+    clear_config([:feed])

-    assert response(conn, 404)
+    test "gets a feed", %{conn: conn} do
+      Config.put(
+        [:feed, :post_title],
+        %{max_length: 10, omission: "..."}
+      )
+
+      activity = insert(:note_activity)
+
+      note =
+        insert(:note,
+          data: %{
+            "content" => "This is :moominmamma: note ",
+            "attachment" => [
+              %{
+                "url" => [
+                  %{"mediaType" => "image/png", "href" => "https://pleroma.gov/image.png"}
+                ]
+              }
+            ],
+            "inReplyTo" => activity.data["id"]
+          }
+        )
+
+      note_activity = insert(:note_activity, note: note)
+      user = User.get_cached_by_ap_id(note_activity.data["actor"])
+
+      note2 =
+        insert(:note,
+          user: user,
+          data: %{
+            "content" => "42 This is :moominmamma: note ",
+            "inReplyTo" => activity.data["id"]
+          }
+        )
+
+      _note_activity2 = insert(:note_activity, note: note2)
+      object = Object.normalize(note_activity)
+
+      resp =
+        conn
+        |> put_req_header("content-type", "application/atom+xml")
+        |> get(user_feed_path(conn, :feed, user.nickname))
+        |> response(200)
+
+      activity_titles =
+        resp
+        |> SweetXml.parse()
+        |> SweetXml.xpath(~x"//entry/title/text()"l)
+
+      assert activity_titles == ['42 This...', 'This is...']
+      assert resp =~ object.data["content"]
+    end
+
+    test "returns 404 for a missing feed", %{conn: conn} do
+      conn =
+        conn
+        |> put_req_header("content-type", "application/atom+xml")
+        |> get(user_feed_path(conn, :feed, "nonexisting"))
+
+      assert response(conn, 404)
+    end
  end

  describe "feed_redirect" do
@ -248,4 +260,29 @@ defmodule Pleroma.Web.Feed.UserControllerTest do
      assert response == %{"error" => "Not found"}
    end
  end
+
+  describe "feed_redirect (depending on federation enabled state)" do
+    setup %{conn: conn} do
+      user = insert(:user)
+      conn = put_req_header(conn, "accept", "application/json")
+
+      %{conn: conn, user: user}
+    end
+
+    clear_config([:instance, :federating])
+
+    test "renders if instance is federating", %{conn: conn, user: user} do
+      Config.put([:instance, :federating], true)
+
+      conn = get(conn, "/users/#{user.nickname}")
+      assert json_response(conn, 200)
+    end
+
+    test "renders 404 if instance is NOT federating", %{conn: conn, user: user} do
+      Config.put([:instance, :federating], false)
+
+      conn = get(conn, "/users/#{user.nickname}")
+      assert json_response(conn, 404)
+    end
+  end
 end
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
@ -1,56 +1,42 @@
 defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
  use Pleroma.Web.ConnCase
+
  alias Pleroma.Activity
+  alias Pleroma.Config
  alias Pleroma.Web.ActivityPub.Transmogrifier
  alias Pleroma.Web.CommonAPI

  import Pleroma.Factory

  clear_config_all([:static_fe, :enabled]) do
-    Pleroma.Config.put([:static_fe, :enabled], true)
+    Config.put([:static_fe, :enabled], true)
  end

-  describe "user profile page" do
-    test "just the profile as HTML", %{conn: conn} do
-      user = insert(:user)
+  setup %{conn: conn} do
+    conn = put_req_header(conn, "accept", "text/html")
+    user = insert(:user)

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/users/#{user.nickname}")
+    %{conn: conn, user: user}
+  end
+
+  describe "user profile html" do
+    test "just the profile as HTML", %{conn: conn, user: user} do
+      conn = get(conn, "/users/#{user.nickname}")

      assert html_response(conn, 200) =~ user.nickname
    end

-    test "renders json unless there's an html accept header", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> put_req_header("accept", "application/json")
-        |> get("/users/#{user.nickname}")
-
-      assert json_response(conn, 200)
-    end
-
    test "404 when user not found", %{conn: conn} do
-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/users/limpopo")
+      conn = get(conn, "/users/limpopo")

      assert html_response(conn, 404) =~ "not found"
    end

-    test "profile does not include private messages", %{conn: conn} do
-      user = insert(:user)
+    test "profile does not include private messages", %{conn: conn, user: user} do
      CommonAPI.post(user, %{"status" => "public"})
      CommonAPI.post(user, %{"status" => "private", "visibility" => "private"})

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/users/#{user.nickname}")
+      conn = get(conn, "/users/#{user.nickname}")

      html = html_response(conn, 200)

@ -58,14 +44,10 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
      refute html =~ ">private<"
    end

-    test "pagination", %{conn: conn} do
-      user = insert(:user)
+    test "pagination", %{conn: conn, user: user} do
      Enum.map(1..30, fn i -> CommonAPI.post(user, %{"status" => "test#{i}"}) end)

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/users/#{user.nickname}")
+      conn = get(conn, "/users/#{user.nickname}")

      html = html_response(conn, 200)

@ -75,15 +57,11 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
      refute html =~ ">test1<"
    end

-    test "pagination, page 2", %{conn: conn} do
-      user = insert(:user)
+    test "pagination, page 2", %{conn: conn, user: user} do
      activities = Enum.map(1..30, fn i -> CommonAPI.post(user, %{"status" => "test#{i}"}) end)
      {:ok, a11} = Enum.at(activities, 11)

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/users/#{user.nickname}?max_id=#{a11.id}")
+      conn = get(conn, "/users/#{user.nickname}?max_id=#{a11.id}")

      html = html_response(conn, 200)

@ -94,15 +72,11 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
    end
  end

-  describe "notice rendering" do
-    test "single notice page", %{conn: conn} do
-      user = insert(:user)
+  describe "notice html" do
+    test "single notice page", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{"status" => "testing a thing!"})

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/notice/#{activity.id}")
+      conn = get(conn, "/notice/#{activity.id}")

      html = html_response(conn, 200)
      assert html =~ "<header>"
@ -110,8 +84,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
      assert html =~ "testing a thing!"
    end

-    test "shows the whole thread", %{conn: conn} do
-      user = insert(:user)
+    test "shows the whole thread", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})

      CommonAPI.post(user, %{
@ -119,70 +92,47 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
        "in_reply_to_status_id" => activity.id
      })

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/notice/#{activity.id}")
+      conn = get(conn, "/notice/#{activity.id}")

      html = html_response(conn, 200)
      assert html =~ "the final frontier"
      assert html =~ "voyages"
    end

-    test "redirect by AP object ID", %{conn: conn} do
-      user = insert(:user)
-
+    test "redirect by AP object ID", %{conn: conn, user: user} do
      {:ok, %Activity{data: %{"object" => object_url}}} =
        CommonAPI.post(user, %{"status" => "beam me up"})

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get(URI.parse(object_url).path)
+      conn = get(conn, URI.parse(object_url).path)

      assert html_response(conn, 302) =~ "redirected"
    end

-    test "redirect by activity ID", %{conn: conn} do
-      user = insert(:user)
-
+    test "redirect by activity ID", %{conn: conn, user: user} do
      {:ok, %Activity{data: %{"id" => id}}} =
        CommonAPI.post(user, %{"status" => "I'm a doctor, not a devops!"})

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get(URI.parse(id).path)
+      conn = get(conn, URI.parse(id).path)

      assert html_response(conn, 302) =~ "redirected"
    end

    test "404 when notice not found", %{conn: conn} do
-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/notice/88c9c317")
+      conn = get(conn, "/notice/88c9c317")

      assert html_response(conn, 404) =~ "not found"
    end

-    test "404 for private status", %{conn: conn} do
-      user = insert(:user)
-
+    test "404 for private status", %{conn: conn, user: user} do
      {:ok, activity} =
        CommonAPI.post(user, %{"status" => "don't show me!", "visibility" => "private"})

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/notice/#{activity.id}")
+      conn = get(conn, "/notice/#{activity.id}")

      assert html_response(conn, 404) =~ "not found"
    end

-    test "302 for remote cached status", %{conn: conn} do
-      user = insert(:user)
-
+    test "302 for remote cached status", %{conn: conn, user: user} do
      message = %{
        "@context" => "https://www.w3.org/ns/activitystreams",
        "to" => user.follower_address,
@ -199,10 +149,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do

      assert {:ok, activity} = Transmogrifier.handle_incoming(message)

-      conn =
-        conn
-        |> put_req_header("accept", "text/html")
-        |> get("/notice/#{activity.id}")
+      conn = get(conn, "/notice/#{activity.id}")

      assert html_response(conn, 302) =~ "redirected"
    end
--- a/test/web/twitter_api/remote_follow_controller_test.exs
+++ b/test/web/twitter_api/remote_follow_controller_test.exs
@ -5,8 +5,10 @@
 defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
  use Pleroma.Web.ConnCase

+  alias Pleroma.Config
  alias Pleroma.User
  alias Pleroma.Web.CommonAPI
+
  import ExUnit.CaptureLog
  import Pleroma.Factory

@ -15,6 +17,10 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
    :ok
  end

+  clear_config_all([:instance, :federating]) do
+    Config.put([:instance, :federating], true)
+  end
+
  clear_config([:instance])
  clear_config([:frontend_configurations, :pleroma_fe])
  clear_config([:user, :deny_follow_blocked])
--- a/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@ -6,6 +6,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
  use Pleroma.Web.ConnCase
  use Oban.Testing, repo: Pleroma.Repo

+  alias Pleroma.Config
  alias Pleroma.Tests.ObanHelpers
  alias Pleroma.User

@ -178,7 +179,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do

  describe "GET /api/statusnet/config" do
    test "it returns config in xml format", %{conn: conn} do
-      instance = Pleroma.Config.get(:instance)
+      instance = Config.get(:instance)

      response =
        conn
@ -195,12 +196,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    end

    test "it returns config in json format", %{conn: conn} do
-      instance = Pleroma.Config.get(:instance)
-      Pleroma.Config.put([:instance, :managed_config], true)
-      Pleroma.Config.put([:instance, :registrations_open], false)
-      Pleroma.Config.put([:instance, :invites_enabled], true)
-      Pleroma.Config.put([:instance, :public], false)
-      Pleroma.Config.put([:frontend_configurations, :pleroma_fe], %{theme: "asuka-hospital"})
+      instance = Config.get(:instance)
+      Config.put([:instance, :managed_config], true)
+      Config.put([:instance, :registrations_open], false)
+      Config.put([:instance, :invites_enabled], true)
+      Config.put([:instance, :public], false)
+      Config.put([:frontend_configurations, :pleroma_fe], %{theme: "asuka-hospital"})

      response =
        conn
@ -234,7 +235,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    end

    test "returns the state of safe_dm_mentions flag", %{conn: conn} do
-      Pleroma.Config.put([:instance, :safe_dm_mentions], true)
+      Config.put([:instance, :safe_dm_mentions], true)

      response =
        conn
@ -243,7 +244,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do

      assert response["site"]["safeDMMentionsEnabled"] == "1"

-      Pleroma.Config.put([:instance, :safe_dm_mentions], false)
+      Config.put([:instance, :safe_dm_mentions], false)

      response =
        conn
@ -254,8 +255,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    end

    test "it returns the managed config", %{conn: conn} do
-      Pleroma.Config.put([:instance, :managed_config], false)
-      Pleroma.Config.put([:frontend_configurations, :pleroma_fe], %{theme: "asuka-hospital"})
+      Config.put([:instance, :managed_config], false)
+      Config.put([:frontend_configurations, :pleroma_fe], %{theme: "asuka-hospital"})

      response =
        conn
@ -264,7 +265,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do

      refute response["site"]["pleromafe"]

-      Pleroma.Config.put([:instance, :managed_config], true)
+      Config.put([:instance, :managed_config], true)

      response =
        conn
@ -287,7 +288,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
        }
      ]

-      Pleroma.Config.put(:frontend_configurations, config)
+      Config.put(:frontend_configurations, config)

      response =
        conn
@ -320,7 +321,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    clear_config([:instance, :healthcheck])

    test "returns 503 when healthcheck disabled", %{conn: conn} do
-      Pleroma.Config.put([:instance, :healthcheck], false)
+      Config.put([:instance, :healthcheck], false)

      response =
        conn
@ -331,7 +332,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    end

    test "returns 200 when healthcheck enabled and all ok", %{conn: conn} do
-      Pleroma.Config.put([:instance, :healthcheck], true)
+      Config.put([:instance, :healthcheck], true)

      with_mock Pleroma.Healthcheck,
        system_info: fn -> %Pleroma.Healthcheck{healthy: true} end do
@ -351,7 +352,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
    end

    test "returns 503 when healthcheck enabled and health is false", %{conn: conn} do
-      Pleroma.Config.put([:instance, :healthcheck], true)
+      Config.put([:instance, :healthcheck], true)

      with_mock Pleroma.Healthcheck,
        system_info: fn -> %Pleroma.Healthcheck{healthy: false} end do
@ -426,6 +427,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
  end

  describe "POST /main/ostatus - remote_subscribe/2" do
+    clear_config([:instance, :federating]) do
+      Config.put([:instance, :federating], true)
+    end
+
    test "renders subscribe form", %{conn: conn} do
      user = insert(:user)