diff options
| -rw-r--r-- | internal/federation/dereferencing/status_permitted.go | 235 |
1 files changed, 115 insertions, 120 deletions
diff --git a/internal/federation/dereferencing/status_permitted.go b/internal/federation/dereferencing/status_permitted.go index 97cd61e93..9bd74811e 100644 --- a/internal/federation/dereferencing/status_permitted.go +++ b/internal/federation/dereferencing/status_permitted.go @@ -49,70 +49,67 @@ func (d *Dereferencer) isPermittedStatus( existing *gtsmodel.Status, status *gtsmodel.Status, ) ( - bool, // is permitted? - error, + permitted bool, // is permitted? + err error, ) { - // our failure condition handling - // at the end of this function for - // the case of permission = false. - onFalse := func() (bool, error) { - if existing != nil { - log.Infof(ctx, "deleting unpermitted: %s", existing.URI) - - // Delete existing status from database as it's no longer permitted. - if err := d.state.DB.DeleteStatusByID(ctx, existing.ID); err != nil { - log.Errorf(ctx, "error deleting %s after permissivity fail: %v", existing.URI, err) - } - } - return false, nil - } - - if status.Account.IsSuspended() { - // The status author is suspended, - // this shouldn't have reached here - // but it's a fast check anyways. - log.Debugf(ctx, - "status author %s is suspended", - status.AccountURI, - ) - return onFalse() - } - - if inReplyTo := status.InReplyTo; inReplyTo != nil { - return d.isPermittedReply( - ctx, + switch { + case status.Account.IsSuspended(): + // we shouldn't reach this point, log to poke devs to investigate. + log.Warnf(ctx, "status author suspended: %s", status.AccountURI) + permitted = false + + case status.InReplyTo != nil: + // Status is a reply, check permissivity. + permitted, err = d.isPermittedReply(ctx, requestUser, status, - inReplyTo, - onFalse, ) - } else if boostOf := status.BoostOf; boostOf != nil { - return d.isPermittedBoost( - ctx, + if err != nil { + return false, gtserror.Newf("error checking reply permissivity: %w", err) + } + + case status.BoostOf != nil: + // Status is a boost, check permissivity. + permitted, err = d.isPermittedBoost(ctx, requestUser, status, - boostOf, - onFalse, ) + if err != nil { + return false, gtserror.Newf("error checking boost permissivity: %w", err) + } + + default: + // In all other cases + // permit this status. + permitted = true } - // Nothing else stopping this. - return true, nil + if !permitted && existing != nil { + log.Infof(ctx, "deleting unpermitted: %s", existing.URI) + + // Delete existing status from database as it's no longer permitted. + if err := d.state.DB.DeleteStatusByID(ctx, existing.ID); err != nil { + log.Errorf(ctx, "error deleting %s after permissivity fail: %v", existing.URI, err) + } + } + + return } func (d *Dereferencer) isPermittedReply( ctx context.Context, requestUser string, status *gtsmodel.Status, - inReplyTo *gtsmodel.Status, - onFalse func() (bool, error), ) (bool, error) { + // Extract reply from status. + inReplyTo := status.InReplyTo + if inReplyTo.BoostOfID != "" { // We do not permit replies to // boost wrapper statuses. (this // shouldn't be able to happen). log.Info(ctx, "rejecting reply to boost wrapper status") - return onFalse() + return false, nil } // Check visibility of local @@ -130,7 +127,7 @@ func (d *Dereferencer) isPermittedReply( // Our status is not visible to the // account trying to do the reply. if !visible { - return onFalse() + return false, nil } } @@ -147,7 +144,7 @@ func (d *Dereferencer) isPermittedReply( if replyable.Forbidden() { // Replier is not permitted // to do this interaction. - return onFalse() + return false, nil } if replyable.Permitted() && @@ -186,7 +183,7 @@ func (d *Dereferencer) isPermittedReply( return true, nil } - return onFalse() + return false, nil } // Status claims to be approved, check @@ -199,14 +196,12 @@ func (d *Dereferencer) isPermittedReply( status.URI, inReplyTo.AccountURI, ); err != nil { + // Error dereferencing means we couldn't // get the Accept right now or it wasn't // valid, so we shouldn't store this status. - // - // Do log the error though as it may be - // interesting for admins to see. - log.Info(ctx, "rejecting reply with undereferenceable ApprovedByURI: %v", err) - return onFalse() + log.Errorf(ctx, "undereferencable ApprovedByURI: %v", err) + return false, nil } // Status has been approved. @@ -218,15 +213,16 @@ func (d *Dereferencer) isPermittedBoost( ctx context.Context, requestUser string, status *gtsmodel.Status, - boostOf *gtsmodel.Status, - onFalse func() (bool, error), ) (bool, error) { + + // Extract boost from status. + boostOf := status.BoostOf if boostOf.BoostOfID != "" { + // We do not permit boosts of // boost wrapper statuses. (this // shouldn't be able to happen). - log.Info(ctx, "rejecting boost of boost wrapper status") - return onFalse() + return false, nil } // Check visibility of local @@ -244,7 +240,7 @@ func (d *Dereferencer) isPermittedBoost( // Our status is not visible to the // account trying to do the boost. if !visible { - return onFalse() + return false, nil } } @@ -261,7 +257,7 @@ func (d *Dereferencer) isPermittedBoost( if boostable.Forbidden() { // Booster is not permitted // to do this interaction. - return onFalse() + return false, nil } if boostable.Permitted() && @@ -300,7 +296,7 @@ func (d *Dereferencer) isPermittedBoost( return true, nil } - return onFalse() + return false, nil } // Boost claims to be approved, check @@ -313,14 +309,12 @@ func (d *Dereferencer) isPermittedBoost( status.URI, boostOf.AccountURI, ); err != nil { + // Error dereferencing means we couldn't // get the Accept right now or it wasn't // valid, so we shouldn't store this status. - // - // Do log the error though as it may be - // interesting for admins to see. - log.Info(ctx, "rejecting boost with undereferenceable ApprovedByURI: %v", err) - return onFalse() + log.Errorf(ctx, "undereferencable ApprovedByURI: %v", err) + return false, nil } // Status has been approved. @@ -339,8 +333,8 @@ func (d *Dereferencer) validateApprovedBy( ctx context.Context, requestUser string, approvedByURIStr string, // Eg., "https://example.org/users/someone/accepts/01J2736AWWJ3411CPR833F6D03" - expectedObject string, // Eg., "https://some.instance.example.org/users/someone_else/statuses/01J27414TWV9F7DC39FN8ABB5R" - expectedActor string, // Eg., "https://example.org/users/someone" + expectObjectURIStr string, // Eg., "https://some.instance.example.org/users/someone_else/statuses/01J27414TWV9F7DC39FN8ABB5R" + expectActorURIStr string, // Eg., "https://example.org/users/someone" ) error { approvedByURI, err := url.Parse(approvedByURIStr) if err != nil { @@ -354,14 +348,14 @@ func (d *Dereferencer) validateApprovedBy( return err } - transport, err := d.transportController.NewTransportForUsername(ctx, requestUser) + tsport, err := d.transportController.NewTransportForUsername(ctx, requestUser) if err != nil { err := gtserror.Newf("error creating transport: %w", err) return err } // Make the call to resolve into an Acceptable. - rsp, err := transport.Dereference(ctx, approvedByURI) + rsp, err := tsport.Dereference(ctx, approvedByURI) if err != nil { err := gtserror.Newf("error dereferencing %s: %w", approvedByURIStr, err) return err @@ -385,82 +379,83 @@ func (d *Dereferencer) validateApprovedBy( // have changed (i.e. we followed some redirects). rspURL := rsp.Request.URL rspURLStr := rspURL.String() - if rspURLStr != approvedByURIStr { - // Final URI was different from approvedByURIStr. - // - // Make sure it's at least on the same host as - // what we expected (ie., we weren't redirected - // across domains), and make sure it's the same - // as the ID of the Accept we were returned. - if rspURL.Host != approvedByURI.Host { - err := gtserror.Newf( - "final dereference host %s did not match approvedByURI host %s", - rspURL.Host, approvedByURI.Host, - ) - return err - } + switch { + case rspURLStr == approvedByURIStr: - if acceptURIStr != rspURLStr { - err := gtserror.Newf( - "final dereference uri %s did not match returned Accept ID/URI %s", - rspURLStr, acceptURIStr, - ) - return err - } + // i.e. from here, rspURLStr != approvedByURIStr. + // + // Make sure it's at least on the same host as + // what we expected (ie., we weren't redirected + // across domains), and make sure it's the same + // as the ID of the Accept we were returned. + case rspURL.Host != approvedByURI.Host: + return gtserror.Newf( + "final dereference host %s did not match approvedByURI host %s", + rspURL.Host, approvedByURI.Host, + ) + case acceptURIStr != rspURLStr: + return gtserror.Newf( + "final dereference uri %s did not match returned Accept ID/URI %s", + rspURLStr, acceptURIStr, + ) } - // Ensure the Accept URI has the same host - // as the Accept Actor, so we know we're - // not dealing with someone on a different - // domain just pretending to be the Actor. + // Extract the actor IRI and string from Accept. actorIRIs := ap.GetActorIRIs(acceptable) - if len(actorIRIs) != 1 { - err := gtserror.New("resolved Accept actor(s) length was not 1") + actorIRI, actorIRIStr := extractIRI(actorIRIs) + switch { + case actorIRIStr == "": + err := gtserror.New("missing Accept actor IRI") return gtserror.SetMalformed(err) - } - - actorIRI := actorIRIs[0] - actorStr := actorIRI.String() - if actorIRI.Host != acceptURI.Host { - err := gtserror.Newf( + // Ensure the Accept Actor is who we expect + // it to be, and not someone else trying to + // do an Accept for an interaction with a + // statusable they don't own. + case actorIRI.Host != acceptURI.Host: + return gtserror.Newf( "Accept Actor %s was not the same host as Accept %s", - actorStr, acceptURIStr, + actorIRIStr, acceptURIStr, ) - return err - } // Ensure the Accept Actor is who we expect // it to be, and not someone else trying to // do an Accept for an interaction with a // statusable they don't own. - if actorStr != expectedActor { - err := gtserror.Newf( + case actorIRIStr != expectActorURIStr: + return gtserror.Newf( "Accept Actor %s was not the same as expected actor %s", - actorStr, expectedActor, + actorIRIStr, expectActorURIStr, ) - return err } + // Extract the object IRI string from Accept. + objectIRIs := ap.GetObjectIRIs(acceptable) + _, objectIRIStr := extractIRI(objectIRIs) + switch { + case objectIRIStr == "": + err := gtserror.New("missing Accept object IRI") + return gtserror.SetMalformed(err) + // Ensure the Accept Object is what we expect // it to be, ie., it's Accepting the interaction // we need it to Accept, and not something else. - objectIRIs := ap.GetObjectIRIs(acceptable) - if len(objectIRIs) != 1 { - err := gtserror.New("resolved Accept object(s) length was not 1") - return err - } - - objectIRI := objectIRIs[0] - objectStr := objectIRI.String() - - if objectStr != expectedObject { - err := gtserror.Newf( + case objectIRIStr != expectObjectURIStr: + return gtserror.Newf( "resolved Accept Object uri %s was not the same as expected object %s", - objectStr, expectedObject, + objectIRIStr, expectObjectURIStr, ) - return err } return nil } + +// extractIRI is shorthand to extract the first IRI +// url.URL{} object and serialized form from slice. +func extractIRI(iris []*url.URL) (*url.URL, string) { + if len(iris) == 0 { + return nil, "" + } + u := iris[0] + return u, u.String() +} |