authorization: block external requests to cloud task handlers
...by checking for a GAE Cloud Tasks header: https://cloud.google.com/tasks/docs/creating-appengine-handlers#reading_task_request_headers
pull/687/head
rodzic
db3a5e7fd6
commit
325ba64c66
|
@ -10,6 +10,7 @@ from google.cloud import ndb
|
||||||
from google.cloud.ndb import OR
|
from google.cloud.ndb import OR
|
||||||
from granary import as1
|
from granary import as1
|
||||||
from oauth_dropins.webutil.appengine_config import ndb_client
|
from oauth_dropins.webutil.appengine_config import ndb_client
|
||||||
|
from oauth_dropins.webutil.flask_util import cloud_tasks_only
|
||||||
import werkzeug.exceptions
|
import werkzeug.exceptions
|
||||||
|
|
||||||
import common
|
import common
|
||||||
|
@ -1131,6 +1132,7 @@ class Protocol:
|
||||||
|
|
||||||
|
|
||||||
@app.post('/queue/receive')
|
@app.post('/queue/receive')
|
||||||
|
@cloud_tasks_only
|
||||||
def receive_task():
|
def receive_task():
|
||||||
"""Task handler for a newly received :class:`models.Object`.
|
"""Task handler for a newly received :class:`models.Object`.
|
||||||
|
|
||||||
|
|
|
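Review bot: The new `@cloud_tasks_only` guard on `receive_task` is only as strong as the platform's header stripping, and nothing at the decoration site says so; a reader later running this handler outside App Engine (local dev server, a different host) would have no hint that the header check is then trivially satisfiable by any client. I would add a comment above the decorator: `# Rejects requests lacking the Cloud Tasks queue header. Safe only because App Engine strips X-AppEngine-* headers from external requests; offers no protection off-GAE.` The ordering `@app.post` then `@cloud_tasks_only` is right, since the guarded function is what gets registered. If other `/queue/...` handlers exist in this module they are not visible in this hunk, so I cannot confirm they received the same guard; the body of `receive_task` continues outside the hunk.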
@ -8,7 +8,7 @@ from arroba.tests.testutil import dns_answer
|
||||||
from flask import g
|
from flask import g
|
||||||
from google.cloud import ndb
|
from google.cloud import ndb
|
||||||
from granary import as2
|
from granary import as2
|
||||||
from oauth_dropins.webutil.flask_util import NoContent
|
from oauth_dropins.webutil.flask_util import CLOUD_TASKS_QUEUE_HEADER, NoContent
|
||||||
from oauth_dropins.webutil.testutil import requests_response
|
from oauth_dropins.webutil.testutil import requests_response
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
|
@ -1395,7 +1395,8 @@ class ProtocolReceiveTest(TestCase):
|
||||||
obj = self.store_object(id='fake:post', our_as1=note,
|
obj = self.store_object(id='fake:post', our_as1=note,
|
||||||
source_protocol='fake')
|
source_protocol='fake')
|
||||||
|
|
||||||
self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()})
|
self.client.post('/queue/receive', data={'obj': obj.key.urlsafe()},
|
||||||
|
headers={CLOUD_TASKS_QUEUE_HEADER: ''})
|
||||||
obj = Object.get_by_id('fake:post#bridgy-fed-create')
|
obj = Object.get_by_id('fake:post#bridgy-fed-create')
|
||||||
self.assertEqual('ignored', obj.status)
|
self.assertEqual('ignored', obj.status)
|
||||||
|
|
||||||
|
@ -1412,7 +1413,7 @@ class ProtocolReceiveTest(TestCase):
|
||||||
self.client.post('/queue/receive', data={
|
self.client.post('/queue/receive', data={
|
||||||
'obj': obj.key.urlsafe(),
|
'obj': obj.key.urlsafe(),
|
||||||
'authed_as': 'fake:eve',
|
'authed_as': 'fake:eve',
|
||||||
})
|
}, headers={CLOUD_TASKS_QUEUE_HEADER: ''})
|
||||||
|
|
||||||
self.assertIn(
|
self.assertIn(
|
||||||
"WARNING:protocol:actor fake:other isn't authed user fake:eve",
|
"WARNING:protocol:actor fake:other isn't authed user fake:eve",
|
||||||
|
|
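Review bot: Both updated tests (the hunks at `-1395` and `-1412`) exercise only the allowed path — they add `headers={CLOUD_TASKS_QUEUE_HEADER: ''}` so the existing assertions keep passing — but no test asserts the commit's actual claim, that a request without the header is blocked. I would add a case that POSTs to `/queue/receive` with the same form data and no header and asserts the rejection status `cloud_tasks_only` produces (its status code is not visible on this page), plus that no `Object` was created. The tests also establish that an empty header value is accepted, which suggests the decorator checks presence rather than content; a one-line comment next to the first `headers=` line, `# presence of the queue header is what the guard checks, not its value`, would make that intent explicit. Both enclosing test methods begin outside the hunks.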