From 325ba64c667e6b505a76a627016a52d6f9cc5b65 Mon Sep 17 00:00:00 2001
From: Ryan Barrett
Date: Mon, 16 Oct 2023 13:04:34 -0700
Subject: [PATCH] authorization: block external requests to cloud task handlers
...by checking for a GAE Cloud Tasks header: https://cloud.google.com/tasks/docs/creating-appengine-handlers#reading_task_request_headers
---
 protocol.py | 2 ++
 tests/test_protocol.py | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/protocol.py b/protocol.py
index 5fc524b..31eda1a 100644
--- a/protocol.py
+++ b/protocol.py
@@ -10,6 +10,7 @@ from google.cloud import ndb
 from google.cloud.ndb import OR
 from granary import as1
 from oauth_dropins.webutil.appengine_config import ndb_client
+from oauth_dropins.webutil.flask_util import cloud_tasks_only
 import werkzeug.exceptions
 import common
@@ -1131,6 +1132,7 @@ class Protocol:
 @app.post('/queue/receive')
+@cloud_tasks_only
 def receive_task():
     """Task handler for a newly received :class:`models.Object`.
diff --git a/tests/test_protocol.py b/tests/test_protocol.py
index 825e902..4a2f582 100644
--- a/tests/test_protocol.py
+++ b/tests/test_protocol.py
@@ -8,7 +8,7 @@ from arroba.tests.testutil import dns_answer
 from flask import g
 from google.cloud import ndb
 from granary import as2
-from oauth_dropins.webutil.flask_util import NoContent
+from oauth_dropins.webutil.flask_util import CLOUD_TASKS_QUEUE_HEADER, NoContent
 from oauth_dropins.webutil.testutil import requests_response
 import requests
@@ -1395,7 +1395,8 @@ class ProtocolReceiveTest(TestCase):
         obj = self.store_object(id='fake:post', our_as1=note, source_protocol='fake')
-        self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()})
+        self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()},
+                         headers={CLOUD_TASKS_QUEUE_HEADER: ''})
         obj = Object.get_by_id('fake:post#bridgy-fed-create')
         self.assertEqual('ignored', obj.status)
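Review bot: In the `@@ -1131` hunk of protocol.py, `@cloud_tasks_only` sits between `@app.post('/queue/receive')` and `def receive_task()`, so the route registers the wrapped function and the header check runs before the handler body, which is the right order; what is missing is any mention of the new precondition in the handler's docstring. A line such as `Only accepts requests from Cloud Tasks; other callers are rejected by cloud_tasks_only.` after the summary sentence would tell a reader why an external POST to this URL is refused. The check's strength depends on the platform stripping the App Engine task headers from requests that did not come from Cloud Tasks, which the linked documentation describes for App Engine; if this handler is ever served from another runtime that assumption should be revisited, and it is worth stating in the same docstring. The body of receive_task continues outside the hunk, and if the project has other `/queue/...` task handlers outside this diff they presumably need the same decorator.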
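Review bot: The `@@ -1395` hunk of tests/test_protocol.py (and the `@@ -1412` hunk that follows it) only adds `CLOUD_TASKS_QUEUE_HEADER` to the existing positive-path posts; nothing in the diff asserts that a POST to `/queue/receive` without the header is rejected, so a regression that drops or misorders the decorator would go unnoticed. A small negative test that posts the same `data` without `headers=`, asserts the error status that `cloud_tasks_only` returns for non-task requests, and checks that no `fake:post#bridgy-fed-create` Object was created would pin the new behaviour. The header is sent with an empty value, so the decorator presumably tests for presence rather than content; that deserves a one-line comment at the first use, e.g. `# cloud_tasks_only checks that the header is present, not its value`. Both test methods begin outside their hunks.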
@@ -1412,7 +1413,7 @@ class ProtocolReceiveTest(TestCase):
         self.client.post('/queue/receive', data={
             'obj': obj.key.urlsafe(),
             'authed_as': 'fake:eve',
-        })
+        }, headers={CLOUD_TASKS_QUEUE_HEADER: ''})
         self.assertIn(
             "WARNING:protocol:actor fake:other isn't authed user fake:eve",