Diffstat (limited to 'internal/api')
| -rw-r--r-- | internal/api/client/instance/domainperms.go | 172 | ||||
| -rw-r--r-- | internal/api/client/instance/instance.go | 7 | ||||
| -rw-r--r-- | internal/api/client/instance/instancepeersget.go | 110 | ||||
| -rw-r--r-- | internal/api/client/instance/instancepeersget_test.go | 81 | ||||
| -rw-r--r-- | internal/api/model/domain.go | 7 |
5 files changed, 336 insertions, 41 deletions
diff --git a/internal/api/client/instance/domainperms.go b/internal/api/client/instance/domainperms.go
new file mode 100644
index 000000000..6503388a5
--- /dev/null
+++ b/internal/api/client/instance/domainperms.go
@@ -0,0 +1,172 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package instance
+
+import (
+ "errors"
+ "net/http"
+
+ apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
+ "code.superseriousbusiness.org/gotosocial/internal/config"
+ "code.superseriousbusiness.org/gotosocial/internal/gtserror"
+ "github.com/gin-gonic/gin"
+)
+
+// InstanceDomainBlocksGETHandler swagger:operation GET /api/v1/instance/domain_blocks instanceDomainBlocksGet
+//
+// List blocked domains.
+//
+// OAuth token may need to be provided depending on setting `instance-expose-blocklist`.
+//
+// ---
+// tags:
+// - instance
+//
+// produces:
+// - application/json
+//
+// security:
+// - OAuth2 Bearer: []
+//
+// responses:
+// '200':
+// description: List of blocked domains.
+// schema:
+// type: array
+// items:
+// "$ref": "#/definitions/domain"
+// '400':
+// description: bad request
+// '401':
+// description: unauthorized
+// '403':
+// description: forbidden
+// '404':
+// description: not found
+// '406':
+// description: not acceptable
+// '500':
+// description: internal server error
+func (m *Module) InstanceDomainBlocksGETHandler(c *gin.Context) {
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+ apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+ return
+ }
+
+ if (authed.Account == nil || authed.User == nil) && !config.GetInstanceExposeBlocklist() {
+ const errText = "domain blocks endpoint requires an authenticated account/user"
+ errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ data, errWithCode := m.processor.InstancePeersGet(
+ c.Request.Context(),
+ true, // Include blocked.
+ false, // Don't include allowed.
+ false, // Don't include open.
+ false, // Don't flatten.
+ true, // Include severity.
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ apiutil.JSON(c, http.StatusOK, data)
+}
+
+// InstanceDomainAllowsGETHandler swagger:operation GET /api/v1/instance/domain_allows instanceDomainAllowsGet
+//
+// List explicitly allowed domains.
+//
+// OAuth token may need to be provided depending on setting `instance-expose-allowlist`.
+//
+// ---
+// tags:
+// - instance
+//
+// produces:
+// - application/json
+//
+// security:
+// - OAuth2 Bearer: []
+//
+// responses:
+// '200':
+// description: List of explicitly allowed domains.
+// schema:
+// type: array
+// items:
+// "$ref": "#/definitions/domain"
+// '400':
+// description: bad request
+// '401':
+// description: unauthorized
+// '403':
+// description: forbidden
+// '404':
+// description: not found
+// '406':
+// description: not acceptable
+// '500':
+// description: internal server error
+func (m *Module) InstanceDomainAllowsGETHandler(c *gin.Context) {
+ authed, errWithCode := apiutil.TokenAuth(c,
+ false, false, false, false,
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+ apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+ return
+ }
+
+ if (authed.Account == nil || authed.User == nil) && !config.GetInstanceExposeAllowlist() {
+ const errText = "domain allows endpoint requires an authenticated account/user"
+ errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText)
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ data, errWithCode := m.processor.InstancePeersGet(
+ c.Request.Context(),
+ false, // Don't include blocked.
+ true, // Include allowed.
+ false, // Don't include open.
+ false, // Don't flatten.
+ false, // Don't include severity.
+ )
+ if errWithCode != nil {
+ apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+ return
+ }
+
+ apiutil.JSON(c, http.StatusOK, data)
+}
diff --git a/internal/api/client/instance/instance.go b/internal/api/client/instance/instance.go
index cd6c438c8..0e06941cc 100644
--- a/internal/api/client/instance/instance.go
+++ b/internal/api/client/instance/instance.go
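Review bot: In both new handlers the exposure gate and the data selection are tied together only by argument position: `GetInstanceExposeBlocklist()` guards a call passing `true, false, false, false, true`, and `GetInstanceExposeAllowlist()` guards one passing `false, true, false, false, false`. Five adjacent booleans compile in any order, so a transposed argument would serve one list under the other list's setting without any error. The two bodies differ only in the gate, the error text and those flags, so a single private helper that receives the gate and the selection together (or an options struct on `InstancePeersGet`) would keep them in step. No test for either endpoint appears in the `internal/api` part of this diff; a pair asserting the 401 for an unauthenticated request with the matching setting disabled would pin the gate.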
@@ -29,7 +29,10 @@ const ( InstanceInformationPathV2 = "/v2/instance" InstancePeersPath = InstanceInformationPathV1 + "/peers" InstanceRulesPath = InstanceInformationPathV1 + "/rules" + InstanceBlocklistPath = InstanceInformationPathV1 + "/domain_blocks" + InstanceAllowlistPath = InstanceInformationPathV1 + "/domain_allows" PeersFilterKey = "filter" // PeersFilterKey is used to provide filters to /api/v1/instance/peers + PeersFlatKey = "flat" // PeersFlatKey is used to set "flat=true" in /api/v1/instance/peers ) type Module struct { @@ -45,9 +48,9 @@ func New(processor *processing.Processor) *Module { func (m *Module) Route(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { attachHandler(http.MethodGet, InstanceInformationPathV1, m.InstanceInformationGETHandlerV1) attachHandler(http.MethodGet, InstanceInformationPathV2, m.InstanceInformationGETHandlerV2) - attachHandler(http.MethodPatch, InstanceInformationPathV1, m.InstanceUpdatePATCHHandler) attachHandler(http.MethodGet, InstancePeersPath, m.InstancePeersGETHandler) - attachHandler(http.MethodGet, InstanceRulesPath, m.InstanceRulesGETHandler) + attachHandler(http.MethodGet, InstanceBlocklistPath, m.InstanceDomainBlocksGETHandler) + attachHandler(http.MethodGet, InstanceAllowlistPath, m.InstanceDomainAllowsGETHandler) } diff --git a/internal/api/client/instance/instancepeersget.go b/internal/api/client/instance/instancepeersget.go index 7afeb7104..d9f7610b7 100644 --- a/internal/api/client/instance/instancepeersget.go +++ b/internal/api/client/instance/instancepeersget.go @@ -18,8 +18,10 @@ package instance import ( + "errors" "fmt" "net/http" + "strconv" "strings" apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util" @@ -31,6 +33,8 @@ import ( // InstancePeersGETHandler swagger:operation GET /api/v1/instance/peers instancePeersGet // +// List peer domains. +// // --- // tags: // - instance 
@@ -44,19 +48,32 @@ import ( // type: string // description: |- // Comma-separated list of filters to apply to results. Recognized filters are: -// - `open` -- include peers that are not suspended or silenced -// - `suspended` -- include peers that have been suspended. +// - `open` -- include known domains that are not in the domain blocklist +// - `allowed` -- include domains that are in the domain allowlist +// - `blocked` -- include domains that are in the domain blocklist +// - `suspended` -- DEPRECATED! Use `blocked` instead. Same as `blocked`: include domains that are in the domain blocklist; +// +// If filter is `open`, only domains that aren't in the blocklist will be shown. // -// If filter is `open`, only instances that haven't been suspended or silenced will be returned. +// If filter is `blocked`, only domains that *are* in the blocklist will be shown. // -// If filter is `suspended`, only suspended instances will be shown. +// If filter is `allowed`, only domains that are in the allowlist will be shown. // -// If filter is `open,suspended`, then all known instances will be returned. +// If filter is `open,blocked`, then blocked domains and known domains not on the blocklist will be shown. +// +// If filter is `open,allowed`, then allowed domains and known domains not on the blocklist will be shown. // // If filter is an empty string or not set, then `open` will be assumed as the default. // in: query // required: false -// default: "open" +// default: flat +// - +// name: flat +// type: boolean +// description: If true, a "flat" array of strings will be returned corresponding to just domain names. +// in: query +// required: false +// default: false // // security: // - OAuth2 Bearer: [] 
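Review bot: The swagger default of the `filter` parameter changes from `"open"` to `flat` in this hunk, but `flat` is not a filter value: the description just above still says `open` is assumed, and the handler's switch answers any unrecognised filter with a 400. It looks as if the new parameter's name landed on the wrong line, so `// default: "open"` should stay on `filter`. The new `flat` entry's `default: false` is also only accurate when a filter is supplied, because the handler sets `flatten = true` when `filter` is empty; one sentence in its description saying so would save client authors a surprise.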
@@ -67,12 +84,10 @@ import ( // If no filter parameter is provided, or filter is empty, then a legacy, // Mastodon-API compatible response will be returned. This will consist of // just a 'flat' array of strings like `["example.com", "example.org"]`, -// which corresponds to domains this instance peers with. -// -// -// If a filter parameter is provided, then an array of objects with at least -// a `domain` key set on each object will be returned. +// which corresponds to setting a filter of `open` and flat=true. // +// If a filter parameter is provided and flat is not true, then an array +// of objects with at least a `domain` key set on each object will be returned. // // Domains that are silenced or suspended will also have a key // `suspended_at` or `silenced_at` that contains an iso8601 date string. @@ -81,7 +96,6 @@ import ( // will have some letters replaced by `*` to make it more difficult for // bad actors to target instances with harassment. // -// // Whether a flat response or a more detailed response is returned, domains // will be sorted alphabetically by hostname. // schema: 
@@ -116,45 +130,85 @@ func (m *Module) InstancePeersGETHandler(c *gin.Context) { return } - var includeSuspended bool - var includeOpen bool - var flat bool + var ( + includeBlocked bool + includeAllowed bool + includeOpen bool + flatten bool + ) + if filterParam := c.Query(PeersFilterKey); filterParam != "" { filters := strings.Split(filterParam, ",") for _, f := range filters { trimmed := strings.TrimSpace(f) switch { - case strings.EqualFold(trimmed, "suspended"): - includeSuspended = true + case strings.EqualFold(trimmed, "blocked") || strings.EqualFold(trimmed, "suspended"): + includeBlocked = true + case strings.EqualFold(trimmed, "allowed"): + includeAllowed = true case strings.EqualFold(trimmed, "open"): includeOpen = true default: - err := fmt.Errorf("filter %s not recognized; accepted values are 'open', 'suspended'", trimmed) + err := fmt.Errorf("filter %s not recognized; accepted values are 'open', 'blocked', 'allowed', and 'suspended' (deprecated)", trimmed) apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } } } else { - // default is to only include open domains, and present + // Default is to only include open domains, and present // them in a 'flat' manner (just an array of strings), - // to maintain compatibility with mastodon API + // to maintain compatibility with the Mastodon API. 
includeOpen = true - flat = true + flatten = true } - if includeOpen && !config.GetInstanceExposePeers() && isUnauthenticated { - err := fmt.Errorf("peers open query requires an authenticated account/user") - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if includeBlocked && isUnauthenticated && !config.GetInstanceExposeBlocklist() { + const errText = "peers blocked query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - if includeSuspended && !config.GetInstanceExposeSuspended() && isUnauthenticated { - err := fmt.Errorf("peers suspended query requires an authenticated account/user") - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if includeAllowed && isUnauthenticated && !config.GetInstanceExposeAllowlist() { + const errText = "peers allowed query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - data, errWithCode := m.processor.InstancePeersGet(c.Request.Context(), includeSuspended, includeOpen, flat) + if includeOpen && isUnauthenticated && !config.GetInstanceExposePeers() { + const errText = "peers open query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if includeBlocked && includeAllowed { + const errText = "cannot include blocked + allowed filters at the same time" + errWithCode := gtserror.NewErrorBadRequest(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if flatStr := c.Query(PeersFlatKey); flatStr != "" { + var err error + flatten, err = 
strconv.ParseBool(flatStr) + if err != nil { + err := fmt.Errorf("error parsing 'flat' key as boolean: %w", err) + errWithCode := gtserror.NewErrorBadRequest(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + } + + data, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + includeBlocked, + includeAllowed, + includeOpen, + flatten, + false, // Don't include severity. + ) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return diff --git a/internal/api/client/instance/instancepeersget_test.go b/internal/api/client/instance/instancepeersget_test.go index a18e30875..3c7f1f665 100644 --- a/internal/api/client/instance/instancepeersget_test.go +++ b/internal/api/client/instance/instancepeersget_test.go @@ -136,13 +136,14 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspended() { { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedUnauthorized() { - config.SetInstanceExposeSuspended(false) + config.SetInstanceExposeBlocklist(false) recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) 
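Review bot: The `InstancePeersGet` call at the end of this hunk passes `false, // Don't include severity.`, yet the expectations updated in the same commit (`TestInstancePeersGetOnlySuspended`, `TestInstancePeersGetOnlySuspendedAuthorized`, `TestInstancePeersGetAll`, `TestInstancePeersGetAllWithObfuscated`) now require `"severity": "suspend"` in what are presumably `/peers` responses from this handler. The processor is not visible here, so either the last argument does not do what the comment says or one side is stale; worth confirming and correcting the comment or the argument, since the field decides how much of each block entry an unauthenticated caller sees. Separately, the inner `err := fmt.Errorf(...)` in the `flat` branch shadows the `err` declared two lines earlier; reusing it with `err = fmt.Errorf(...)` reads more clearly. The function starts before and continues after this hunk.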
@@ -159,11 +160,11 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedUnautho b, err := io.ReadAll(result.Body) suite.NoError(err) - suite.Equal(`{"error":"Unauthorized: peers suspended query requires an authenticated account/user"}`, string(b)) + suite.Equal(`{"error":"Unauthorized: peers blocked query requires an authenticated account/user"}`, string(b)) } func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedAuthorized() { - config.SetInstanceExposeSuspended(false) + config.SetInstanceExposeBlocklist(false) recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) @@ -186,7 +187,8 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedAuthori { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } 
@@ -219,11 +221,33 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAll() { { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } +func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllowed() { + recorder := httptest.NewRecorder() + baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) + requestURI := fmt.Sprintf("%s/%s?filter=allowed", baseURI, instance.InstancePeersPath) + ctx := suite.newContext(recorder, http.MethodGet, requestURI, nil, "", false) + + suite.instanceModule.InstancePeersGETHandler(ctx) + + suite.Equal(http.StatusOK, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + b, err := io.ReadAll(result.Body) + suite.NoError(err) + dst := new(bytes.Buffer) + err = json.Indent(dst, b, "", " ") + suite.NoError(err) + suite.Equal(`[]`, dst.String()) +} + func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscated() { err := suite.db.Put(context.Background(), >smodel.DomainBlock{ ID: "01G633XTNK51GBADQZFZQDP6WR", 
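Review bot: `TestInstancePeersGetAllowed` asserts only the empty-allowlist result (`[]`), so the new branches in the handler are not pinned by the tests added in this diff: the 401 for an unauthenticated `filter=allowed` request when the allowlist is not exposed, the 400 for `filter=blocked,allowed`, and the 400 for an unparsable `flat` value. The first of these is the one that protects data and deserves a case mirroring `TestInstancePeersGetOnlySuspendedUnauthorized` with the allowlist exposure setting disabled. A populated allowlist fixture would also show what an allowed entry serialises to, for instance that `severity` is omitted as the model comment promises.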
@@ -263,16 +287,55 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscated() { "domain": "o*g.*u**.t**.*or*t.*r**ev**", "suspended_at": "2021-06-09T10:34:55.000Z", - "comment": "just absolutely the worst, wowza" + "comment": "just absolutely the worst, wowza", + "severity": "suspend" }, { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } +func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscatedFlat() { + err := suite.db.Put(context.Background(), >smodel.DomainBlock{ + ID: "01G633XTNK51GBADQZFZQDP6WR", + CreatedAt: testrig.TimeMustParse("2021-06-09T12:34:55+02:00"), + UpdatedAt: testrig.TimeMustParse("2021-06-09T12:34:55+02:00"), + Domain: "omg.just.the.worst.org.ever", + CreatedByAccountID: "01F8MH17FWEB39HZJ76B6VXSKF", + PublicComment: "just absolutely the worst, wowza", + Obfuscate: util.Ptr(true), + }) + suite.NoError(err) + + recorder := httptest.NewRecorder() + baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) + requestURI := fmt.Sprintf("%s/%s?filter=suspended,open&flat=true", baseURI, instance.InstancePeersPath) + ctx := suite.newContext(recorder, http.MethodGet, requestURI, nil, "", false) + + suite.instanceModule.InstancePeersGETHandler(ctx) + + suite.Equal(http.StatusOK, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + b, err := io.ReadAll(result.Body) + suite.NoError(err) + dst := new(bytes.Buffer) + err = json.Indent(dst, b, "", " ") + suite.NoError(err) + suite.Equal(`[ + "example.org", + "fossbros-anonymous.io", + "o*g.*u**.t**.*or*t.*r**ev**", + "replyguys.com" +]`, dst.String()) +} + func (suite *InstancePeersGetTestSuite) TestInstancePeersGetFunkyParams() { recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) 
@@ -289,7 +352,7 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetFunkyParams() { b, err := io.ReadAll(result.Body) suite.NoError(err) - suite.Equal(`{"error":"Bad Request: filter aaaaaaaaaaaaaaaaa not recognized; accepted values are 'open', 'suspended'"}`, string(b)) + suite.Equal(`{"error":"Bad Request: filter aaaaaaaaaaaaaaaaa not recognized; accepted values are 'open', 'blocked', 'allowed', and 'suspended' (deprecated)"}`, string(b)) } func TestInstancePeersGetTestSuite(t *testing.T) { diff --git a/internal/api/model/domain.go b/internal/api/model/domain.go index 8d94321d0..b793d77b0 100644 --- a/internal/api/model/domain.go +++ b/internal/api/model/domain.go @@ -32,14 +32,17 @@ type Domain struct { // Time at which this domain was silenced. Key will not be present on open domains. // example: 2021-07-30T09:20:25+00:00 SilencedAt string `json:"silenced_at,omitempty"` - // If the domain is blocked, what's the publicly-stated reason for the block. + // If the domain is blocked or allowed, what's the publicly-stated reason (if any). // Alternative to `public_comment` to be used when serializing/deserializing via /api/v1/instance. // example: they smell Comment *string `form:"comment" json:"comment,omitempty"` - // If the domain is blocked, what's the publicly-stated reason for the block. + // If the domain is blocked or allowed, what's the publicly-stated reason (if any). // Alternative to `comment` to be used when serializing/deserializing NOT via /api/v1/instance. // example: they smell PublicComment *string `form:"public_comment" json:"public_comment,omitempty"` + // Severity of this entry. + // Only ever set for domain blocks, and if set, always="suspend". + Severity string `form:"severity" json:"severity,omitempty"` } // DomainPermission represents a permission applied to one domain (explicit block/allow). |
