Merge branch 'local-signing' into 'master'

Make sure AP post requests are signed by a local user when forwarding. See merge request jaywink/federation!172
2023-02-06 14:13:11 +00:00 · 2023-02-06 14:13:11 +00:00 · 0051cee3eb
commit 0051cee3eb
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -55,6 +55,8 @@

 * Signatures are not verified and the corresponding payload is dropped if no public key is found.

+* Sign forwarded AP replies and shares with the target content author's private key. 
+
 ### Internal changes

 * Dropped python 3.6 support.
--- a/federation/outbound.py
+++ b/federation/outbound.py
@ -132,7 +132,10 @@ def handle_send(
                     ]
    :arg parent_user: (Optional) User object of the parent object, if there is one. This must be given for the
                      Diaspora protocol if a parent object exists, so that a proper ``parent_author_signature`` can
-                      be generated. If given, the payload will be sent as this user.
+                      be generated. If given, the payload will be sent as this user. For Activitypub, the
+                      parent_user's private key will be used to generate the http signature if the author_user
+                      is not a local user.
+
    :arg payload_logger: (Optional) Function to log the payloads with.
    """
    payloads = []
@ -221,8 +224,10 @@ def handle_send(
                    }
                )
                continue
+            # The parent_user MUST be local
+            local_user = author_user if author_user.rsa_private_key else parent_user
            payloads.append({
-                "auth": get_http_authentication(author_user.rsa_private_key, f"{author_user.id}#main-key"),
+                "auth": get_http_authentication(local_user.rsa_private_key, f"{local_user.id}#main-key"),
                "headers": {
                    "Content-Type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
                },
--- a/federation/utils/django.py
+++ b/federation/utils/django.py
@ -23,7 +23,7 @@ def get_configuration():
    }
    try:
        configuration.update(settings.FEDERATION)
-    except ImproperlyConfigured:
+    except (ModuleNotFoundError, ImproperlyConfigured):
        # Django is not properly configured, return defaults
        return configuration
    if not all([