From 08618c3c726067122d08b71f3229718c9e781757 Mon Sep 17 00:00:00 2001 From: Thomas Sileo Date: Thu, 18 Aug 2022 22:42:00 +0200 Subject: [PATCH] Tweak HTTP sig handling for blocked servers --- app/httpsig.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/app/httpsig.py b/app/httpsig.py index 645b0cc..049a0fd 100644 --- a/app/httpsig.py +++ b/app/httpsig.py @@ -143,9 +143,12 @@ async def _get_public_key(db_session: AsyncSession, key_id: str) -> Key: class HTTPSigInfo: has_valid_signature: bool signed_by_ap_actor_id: str | None = None + is_ap_actor_gone: bool = False is_unsupported_algorithm: bool = False is_expired: bool = False + is_from_blocked_server: bool = False + server: str | None = None @@ -169,6 +172,12 @@ async def httpsig_checker( ) server = urlparse(key_id).hostname + if server in BLOCKED_SERVERS: + return HTTPSigInfo( + has_valid_signature=False, + server=server, + is_from_blocked_server=True, + ) if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]: logger.info(f"Unsupported HTTP sig algorithm: {alg}") @@ -222,7 +231,7 @@ async def enforce_httpsig( httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker), ) -> HTTPSigInfo: """FastAPI Depends""" - if httpsig_info.server in BLOCKED_SERVERS: + if httpsig_info.is_from_blocked_server: logger.warning(f"{httpsig_info.server} is blocked") raise fastapi.HTTPException(status_code=403, detail="Blocked")