Tweak HTTP sig handling for blocked servers

Thomas Sileo 2022-08-18 22:42:00 +02:00
parent 1e8a4f933e
commit 08618c3c72


@ -143,9 +143,12 @@ async def _get_public_key(db_session: AsyncSession, key_id: str) -> Key:
class HTTPSigInfo: class HTTPSigInfo:
has_valid_signature: bool has_valid_signature: bool
signed_by_ap_actor_id: str | None = None signed_by_ap_actor_id: str | None = None
is_ap_actor_gone: bool = False is_ap_actor_gone: bool = False
is_unsupported_algorithm: bool = False is_unsupported_algorithm: bool = False
is_expired: bool = False is_expired: bool = False
is_from_blocked_server: bool = False
server: str | None = None server: str | None = None
@ -169,6 +172,12 @@ async def httpsig_checker(
) )
server = urlparse(key_id).hostname server = urlparse(key_id).hostname
if server in BLOCKED_SERVERS:
return HTTPSigInfo(
has_valid_signature=False,
server=server,
is_from_blocked_server=True,
)
if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]: if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]:
logger.info(f"Unsupported HTTP sig algorithm: {alg}") logger.info(f"Unsupported HTTP sig algorithm: {alg}")
@ -222,7 +231,7 @@ async def enforce_httpsig(
httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker), httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker),
) -> HTTPSigInfo: ) -> HTTPSigInfo:
"""FastAPI Depends""" """FastAPI Depends"""
if httpsig_info.server in BLOCKED_SERVERS: if httpsig_info.is_from_blocked_server:
logger.warning(f"{httpsig_info.server} is blocked") logger.warning(f"{httpsig_info.server} is blocked")
raise fastapi.HTTPException(status_code=403, detail="Blocked") raise fastapi.HTTPException(status_code=403, detail="Blocked")
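Review bot: The new early return in `httpsig_checker` tests `server in BLOCKED_SERVERS` as an exact match on the host parsed from the still-unverified `keyId`, so a subdomain of a blocked domain would not match. The same holds for a blocklist entry stored with upper-case letters, since `urlparse(...).hostname` lowercases its result. The definition of `BLOCKED_SERVERS` is outside this diff, so confirm its entries are normalised; if blocking is meant to cover subdomains, the test could be `if server and any(server == b or server.endswith("." + b) for b in BLOCKED_SERVERS):`. Either way the intent deserves a comment above the check, for example `# Exact host match on the claimed keyId host, checked before any key fetch or signature verification`. Because `enforce_httpsig` now relies only on `is_from_blocked_server`, any route that depends on `httpsig_checker` directly has to test that flag itself; both function bodies continue outside the visible hunks, so this could not be checked here.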