kopia lustrzana https://github.com/snarfed/bridgy-fed
authorization: block external requests to cloud task handlers
...by checking for a GAE Cloud Tasks header: https://cloud.google.com/tasks/docs/creating-appengine-handlers#reading_task_request_headers
pull/687/head
rodzic
db3a5e7fd6
commit
325ba64c66
|
@ -10,6 +10,7 @@ from google.cloud import ndb
|
|||
from google.cloud.ndb import OR
|
||||
from granary import as1
|
||||
from oauth_dropins.webutil.appengine_config import ndb_client
|
||||
from oauth_dropins.webutil.flask_util import cloud_tasks_only
|
||||
import werkzeug.exceptions
|
||||
|
||||
import common
|
||||
|
@ -1131,6 +1132,7 @@ class Protocol:
|
|||
|
||||
|
||||
@app.post('/queue/receive')
|
||||
@cloud_tasks_only
|
||||
def receive_task():
|
||||
"""Task handler for a newly received :class:`models.Object`.
|
||||
|
||||
|
|
|
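Review bot: The `receive_task` docstring should state that the handler is now gated by `@cloud_tasks_only` and what that gate depends on. A header check like this is only trustworthy when requests arrive through App Engine's front end, which strips the `X-AppEngine-*` task headers from external traffic; behind any other ingress a client could supply the header itself. I would add a docstring line such as `Only accepts requests that carry the App Engine Cloud Tasks queue header; relies on App Engine stripping that header from external requests.` Only this one route is decorated in the visible hunks, so any other `/queue/*` handlers would need the same decorator. The body of `receive_task` continues outside the hunk.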
@ -8,7 +8,7 @@ from arroba.tests.testutil import dns_answer
|
|||
from flask import g
|
||||
from google.cloud import ndb
|
||||
from granary import as2
|
||||
from oauth_dropins.webutil.flask_util import NoContent
|
||||
from oauth_dropins.webutil.flask_util import CLOUD_TASKS_QUEUE_HEADER, NoContent
|
||||
from oauth_dropins.webutil.testutil import requests_response
|
||||
import requests
|
||||
|
||||
|
@ -1395,7 +1395,8 @@ class ProtocolReceiveTest(TestCase):
|
|||
obj = self.store_object(id='fake:post', our_as1=note,
|
||||
source_protocol='fake')
|
||||
|
||||
self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()})
|
||||
self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()},
|
||||
headers={CLOUD_TASKS_QUEUE_HEADER: ''})
|
||||
obj = Object.get_by_id('fake:post#bridgy-fed-create')
|
||||
self.assertEqual('ignored', obj.status)
|
||||
|
||||
|
@ -1412,7 +1413,7 @@ class ProtocolReceiveTest(TestCase):
|
|||
self.client.post('/queue/receive', data={
|
||||
'obj': obj.key.urlsafe(),
|
||||
'authed_as': 'fake:eve',
|
||||
})
|
||||
}, headers={CLOUD_TASKS_QUEUE_HEADER: ''})
|
||||
|
||||
self.assertIn(
|
||||
"WARNING:protocol:actor fake:other isn't authed user fake:eve",
|
||||
|
|
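Review bot: There is no negative test here: both updated calls add `headers={CLOUD_TASKS_QUEUE_HEADER: ''}`, so nothing asserts that a POST to `/queue/receive` without the header is rejected, which is the behaviour this commit exists to enforce. I would add a case that posts `data={'obj': obj.key.urlsafe()}` with no headers and asserts the rejection status that `cloud_tasks_only` returns, plus that `Object.get_by_id('fake:post#bridgy-fed-create')` is still `None`. The empty header value also suggests the check is presence-only (inferred, since the decorator is not on this page), which deserves a short comment in the test so `''` is not later read as a meaningful queue name. Both test methods start and end outside the hunks.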