Add `authorized_fetch` server setting in addition to env var (#25798)

shrike
Claire 2023-09-01 15:41:10 +02:00 committed by GitHub
parent 6c4c72497a
commit 9e26cd5503
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 43 additions and 8 deletions

View File

@ -11,6 +11,7 @@ class ApplicationController < ActionController::Base
include CacheConcern
include DomainControlHelper
include DatabaseHelper
include AuthorizedFetchHelper
helper_method :current_account
helper_method :current_session
@ -51,10 +52,6 @@ class ApplicationController < ActionController::Base
private
def authorized_fetch_mode?
ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.limited_federation_mode
end
def public_fetch_mode?
!authorized_fetch_mode?
end

View File

@ -0,0 +1,11 @@
# frozen_string_literal: true
module AuthorizedFetchHelper
def authorized_fetch_mode?
ENV.fetch('AUTHORIZED_FETCH') { Setting.authorized_fetch } == 'true' || Rails.configuration.x.limited_federation_mode
end
def authorized_fetch_overridden?
ENV.key?('AUTHORIZED_FETCH') || Rails.configuration.x.limited_federation_mode
end
end

View File

@ -188,6 +188,7 @@
}
.information-badge,
.simple_form .overridden,
.simple_form .recommended,
.simple_form .not_recommended {
display: inline-block;
@ -204,6 +205,7 @@
}
.information-badge,
.simple_form .overridden,
.simple_form .recommended,
.simple_form .not_recommended {
background-color: rgba($ui-secondary-color, 0.1);

View File

@ -103,6 +103,7 @@ code {
}
}
.overridden,
.recommended,
.not_recommended {
position: absolute;

View File

@ -3,6 +3,8 @@
class Form::AdminSettings
include ActiveModel::Model
include AuthorizedFetchHelper
KEYS = %i(
site_contact_username
site_contact_email
@ -34,6 +36,7 @@ class Form::AdminSettings
backups_retention_period
status_page_url
captcha_enabled
authorized_fetch
).freeze
INTEGER_KEYS = %i(
@ -54,6 +57,7 @@ class Form::AdminSettings
noindex
require_invite_text
captcha_enabled
authorized_fetch
).freeze
UPLOAD_KEYS = %i(
@ -61,6 +65,10 @@ class Form::AdminSettings
mascot
).freeze
OVERRIDEN_SETTINGS = {
authorized_fetch: :authorized_fetch_mode?,
}.freeze
attr_accessor(*KEYS)
validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) }
@ -80,6 +88,8 @@ class Form::AdminSettings
stored_value = if UPLOAD_KEYS.include?(key)
SiteUpload.where(var: key).first_or_initialize(var: key)
elsif OVERRIDEN_SETTINGS.include?(key)
public_send(OVERRIDEN_SETTINGS[key])
else
Setting.public_send(key)
end

View File

@ -1,6 +1,8 @@
# frozen_string_literal: true
module Payloadable
include AuthorizedFetchHelper
# @param [ActiveModelSerializers::Model] record
# @param [ActiveModelSerializers::Serializer] serializer
# @param [Hash] options
@ -23,6 +25,6 @@ module Payloadable
end
def signing_enabled?
ENV['AUTHORIZED_FETCH'] != 'true' && !Rails.configuration.x.limited_federation_mode
!authorized_fetch_mode?
end
end

View File

@ -39,6 +39,11 @@
.fields-group
= f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended
%h4= t('admin.settings.security.federation_authentication')
.fields-group
= f.input :authorized_fetch, as: :boolean, wrapper: :with_label, label: t('admin.settings.security.authorized_fetch'), warning_hint: authorized_fetch_overridden? ? t('admin.settings.security.authorized_fetch_overridden_hint') : nil, hint: t('admin.settings.security.authorized_fetch_hint'), disabled: authorized_fetch_overridden?, recommended: authorized_fetch_overridden? ? :overridden : nil
%h4= t('admin.settings.discovery.follow_recommendations')
.fields-group

View File

@ -50,7 +50,7 @@ ignore_unused:
- 'activerecord.errors.*'
- '{devise,pagination,doorkeeper}.*'
- '{date,datetime,time,number}.*'
- 'simple_form.{yes,no,recommended,not_recommended}'
- 'simple_form.{yes,no,recommended,not_recommended,overridden}'
- 'simple_form.{placeholders,hints,labels}.*'
- 'simple_form.{error_notification,required}.:'
- 'errors.messages.*'

View File

@ -97,6 +97,7 @@ SimpleForm.setup do |config|
end
end
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :error, wrap_with: { tag: :span, class: :error }
end
@ -111,8 +112,8 @@ SimpleForm.setup do |config|
config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b|
b.use :html5
b.use :label
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
b.use :hint, wrap_with: { tag: :span, class: :hint }
b.use :input, wrap_with: { tag: :div, class: :label_input }
b.use :error, wrap_with: { tag: :span, class: :error }
end

View File

@ -770,6 +770,11 @@ en:
approved: Approval required for sign up
none: Nobody can sign up
open: Anyone can sign up
security:
authorized_fetch: Require authentication from federated servers
authorized_fetch_hint: Requiring authentication from federated servers enables stricter enforcement of both user-level and server-level blocks. However, this comes at the cost of a performance penalty, reduces the reach of your replies, and may introduce compatibility issues with some federated services. In addition, this will not prevent dedicated actors from fetching your public posts and accounts.
authorized_fetch_overridden_hint: You are currently unable to change this setting because it is overridden by an environment variable.
federation_authentication: Federation authentication enforcement
title: Server settings
site_uploads:
delete: Delete uploaded file

View File

@ -317,6 +317,7 @@ en:
url: Endpoint URL
'no': 'No'
not_recommended: Not recommended
overridden: Overridden
recommended: Recommended
required:
mark: "*"