diff --git a/docs/admin/domain_blocks.md b/docs/admin/domain_blocks.md index f89c84a10..98d532481 100644 --- a/docs/admin/domain_blocks.md +++ b/docs/admin/domain_blocks.md @@ -41,9 +41,9 @@ With this in mind, you should only ever treat domain blocking as *one layer* of Unfortunately, the Fediverse has its share of trolls, many of whom see domain blocking as an adversary to be defeated. To achieve this, they often target instances which use domain blocks to protect users. -As such, there are bots on the Fediverse which scrape instance domain blocks and announce any discovered blocks to the followers of the bot, opening the admin of the blocking instance up to harassment. These bots use the `api/v1/instance/peers?filter=suspended` endpoint of GoToSocial instances to gather domain block information. +As such, there are bots on the Fediverse which scrape instance domain blocks and announce any discovered blocks to the followers of the bot, opening the admin of the blocking instance up to harassment. These bots use the `api/v1/instance/peers?filter=suspended`, `api/v1/instance/peers?filter=blocked`, and/or `api/v1/instance/domain_blocks` endpoints of GoToSocial instances to gather domain block information. -By default, GoToSocial does not expose this endpoint publicly, so your instance will be safe from such scraping. However, if you set `instance-expose-suspended` to `true` in your config.yaml file, you may find that this endpoint gets scraped occasionally, and you may see your blocks being announced by troll bots. +By default, GoToSocial does not expose these endpoints publicly, so your instance will be safe from such scraping. However, if you set `instance-expose-blocklist` to `true` in your config.yaml file, you may find that these endpoints gets scraped occasionally, and you may see your blocks being announced by troll bots. ## What are the side effects of creating a domain block diff --git a/docs/api/swagger.yaml b/docs/api/swagger.yaml index 0eca007ea..97741b24e 100644 --- a/docs/api/swagger.yaml +++ b/docs/api/swagger.yaml @@ -1101,7 +1101,7 @@ definitions: properties: comment: description: |- - If the domain is blocked, what's the publicly-stated reason for the block. + If the domain is blocked or allowed, what's the publicly-stated reason (if any). Alternative to `public_comment` to be used when serializing/deserializing via /api/v1/instance. example: they smell type: string @@ -1113,11 +1113,17 @@ definitions: x-go-name: Domain public_comment: description: |- - If the domain is blocked, what's the publicly-stated reason for the block. + If the domain is blocked or allowed, what's the publicly-stated reason (if any). Alternative to `comment` to be used when serializing/deserializing NOT via /api/v1/instance. example: they smell type: string x-go-name: PublicComment + severity: + description: |- + Severity of this entry. + Only ever set for domain blocks, and if set, always="suspend". + type: string + x-go-name: Severity silenced_at: description: Time at which this domain was silenced. Key will not be present on open domains. example: "2021-07-30T09:20:25+00:00" @@ -1135,7 +1141,7 @@ definitions: properties: comment: description: |- - If the domain is blocked, what's the publicly-stated reason for the block. + If the domain is blocked or allowed, what's the publicly-stated reason (if any). Alternative to `public_comment` to be used when serializing/deserializing via /api/v1/instance. example: they smell type: string @@ -1179,11 +1185,17 @@ definitions: x-go-name: PrivateComment public_comment: description: |- - If the domain is blocked, what's the publicly-stated reason for the block. + If the domain is blocked or allowed, what's the publicly-stated reason (if any). Alternative to `comment` to be used when serializing/deserializing NOT via /api/v1/instance. example: they smell type: string x-go-name: PublicComment + severity: + description: |- + Severity of this entry. + Only ever set for domain blocks, and if set, always="suspend". + type: string + x-go-name: Severity silenced_at: description: Time at which this domain was silenced. Key will not be present on open domains. example: "2021-07-30T09:20:25+00:00" @@ -8928,37 +8940,105 @@ paths: summary: Update your instance information and/or upload a new avatar/header for the instance. tags: - instance + /api/v1/instance/domain_allows: + get: + description: OAuth token may need to be provided depending on setting `instance-expose-allowlist`. + operationId: instanceDomainAllowsGet + produces: + - application/json + responses: + "200": + description: List of explicitly allowed domains. + schema: + items: + $ref: '#/definitions/domain' + type: array + "400": + description: bad request + "401": + description: unauthorized + "403": + description: forbidden + "404": + description: not found + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: [] + summary: List explicitly allowed domains. + tags: + - instance + /api/v1/instance/domain_blocks: + get: + description: OAuth token may need to be provided depending on setting `instance-expose-blocklist`. + operationId: instanceDomainBlocksGet + produces: + - application/json + responses: + "200": + description: List of blocked domains. + schema: + items: + $ref: '#/definitions/domain' + type: array + "400": + description: bad request + "401": + description: unauthorized + "403": + description: forbidden + "404": + description: not found + "406": + description: not acceptable + "500": + description: internal server error + security: + - OAuth2 Bearer: [] + summary: List blocked domains. + tags: + - instance /api/v1/instance/peers: get: operationId: instancePeersGet parameters: - - default: open + - default: flat description: |- Comma-separated list of filters to apply to results. Recognized filters are: - - `open` -- include peers that are not suspended or silenced - - `suspended` -- include peers that have been suspended. + - `open` -- include known domains that are not in the domain blocklist + - `allowed` -- include domains that are in the domain allowlist + - `blocked` -- include domains that are in the domain blocklist + - `suspended` -- DEPRECATED! Use `blocked` instead. Same as `blocked`: include domains that are in the domain blocklist; - If filter is `open`, only instances that haven't been suspended or silenced will be returned. + If filter is `open`, only domains that aren't in the blocklist will be shown. - If filter is `suspended`, only suspended instances will be shown. + If filter is `blocked`, only domains that *are* in the blocklist will be shown. - If filter is `open,suspended`, then all known instances will be returned. + If filter is `allowed`, only domains that are in the allowlist will be shown. + + If filter is `open,blocked`, then blocked domains and known domains not on the blocklist will be shown. + + If filter is `open,allowed`, then allowed domains and known domains not on the blocklist will be shown. If filter is an empty string or not set, then `open` will be assumed as the default. in: query name: filter type: string + - default: false + description: If true, a "flat" array of strings will be returned corresponding to just domain names. + in: query + name: flat + type: boolean produces: - application/json responses: "200": description: |- - If no filter parameter is provided, or filter is empty, then a legacy, Mastodon-API compatible response will be returned. This will consist of just a 'flat' array of strings like `["example.com", "example.org"]`, which corresponds to domains this instance peers with. - - If a filter parameter is provided, then an array of objects with at least a `domain` key set on each object will be returned. - + If no filter parameter is provided, or filter is empty, then a legacy, Mastodon-API compatible response will be returned. This will consist of just a 'flat' array of strings like `["example.com", "example.org"]`, which corresponds to setting a filter of `open` and flat=true. + If a filter parameter is provided and flat is not true, then an array of objects with at least a `domain` key set on each object will be returned. Domains that are silenced or suspended will also have a key `suspended_at` or `silenced_at` that contains an iso8601 date string. If one of these keys is not present on the domain object, it is open. Suspended instances may in some cases be obfuscated, which means they will have some letters replaced by `*` to make it more difficult for bad actors to target instances with harassment. - Whether a flat response or a more detailed response is returned, domains will be sorted alphabetically by hostname. schema: items: @@ -8978,6 +9058,7 @@ paths: description: internal server error security: - OAuth2 Bearer: [] + summary: List peer domains. tags: - instance /api/v1/instance/rules: diff --git a/docs/configuration/instance.md b/docs/configuration/instance.md index 2a945eed2..1b8282a27 100644 --- a/docs/configuration/instance.md +++ b/docs/configuration/instance.md @@ -76,29 +76,61 @@ instance-federation-mode: "blocklist" # Default: false instance-federation-spam-filter: false -# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open in order -# to see a list of instances that this instance 'peers' with. Even if set to 'false', then authenticated -# users (members of the instance) will still be able to query the endpoint. +# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open +# in order to see a list of domains that this instance 'peers' with. +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# # Options: [true, false] # Default: false instance-expose-peers: false -# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=suspended in order -# to see a list of instances that this instance blocks/suspends. Even if set to 'false', then authenticated -# users (members of the instance) will still be able to query the endpoint. +# Bool. Allow unauthenticated users to make queries to the following instance API +# endpoints in order to see a list of domains that this instance explicitly blocks, +# including the public reason for each block: # -# WARNING: Setting this variable to 'true' may result in your instance being scraped by blocklist scrapers. +# - /api/v1/instance/peers?filter=blocklist +# - /api/v1/instance/peers?filter=suspended (deprecated) +# - /api/v1/instance/domain_blocks +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# +# WARNING: Setting to 'true' may result in your instance being targeted by blocklist scrapers. # See: https://docs.gotosocial.org/en/latest/admin/domain_blocks/#block-announce-bots # # Options: [true, false] # Default: false -instance-expose-suspended: false +instance-expose-blocklist: false -# Bool. Allow unauthenticated users to view /about/suspended, -# showing the HTML rendered list of instances that this instance blocks/suspends. +# Bool. Allow unauthenticated users to view /about/domain_blocks, +# which shows an HTML-rendered list of domains that this instance blocks, +# including the public reason for each block. # Options: [true, false] # Default: false -instance-expose-suspended-web: false +instance-expose-blocklist-web: false + +# Bool. Allow unauthenticated users to make queries to the following instance API +# endpoints in order to see a list of domains that this instance explicitly allows +# including the public reason for each allow: +# +# - /api/v1/instance/peers?filter=allowlist +# - /api/v1/instance/domain_allows +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# +# Options: [true, false] +# Default: false +instance-expose-allowlist: false + +# Bool. Allow unauthenticated users to view /about/domain_allows, +# which shows an HTML-rendered list of domains that this instance allows, +# including the public reason for each allow. +# Options: [true, false] +# Default: false +instance-expose-blocklist-web: false # Bool. Allow unauthenticated users to make queries to /api/v1/timelines/public in order # to see a list of public posts on this server. Even if set to 'false', then authenticated diff --git a/example/config.yaml b/example/config.yaml index b8a6599a4..2026f1a15 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -362,29 +362,61 @@ instance-federation-mode: "blocklist" # Default: false instance-federation-spam-filter: false -# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open in order -# to see a list of instances that this instance 'peers' with. Even if set to 'false', then authenticated -# users (members of the instance) will still be able to query the endpoint. +# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open +# in order to see a list of domains that this instance 'peers' with. +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# # Options: [true, false] # Default: false instance-expose-peers: false -# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=suspended in order -# to see a list of instances that this instance blocks/suspends. Even if set to 'false', then authenticated -# users (members of the instance) will still be able to query the endpoint. +# Bool. Allow unauthenticated users to make queries to the following instance API +# endpoints in order to see a list of domains that this instance explicitly blocks, +# including the public reason for each block: # -# WARNING: Setting this variable to 'true' may result in your instance being scraped by blocklist scrapers. +# - /api/v1/instance/peers?filter=blocklist +# - /api/v1/instance/peers?filter=suspended (deprecated) +# - /api/v1/instance/domain_blocks +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# +# WARNING: Setting to 'true' may result in your instance being targeted by blocklist scrapers. # See: https://docs.gotosocial.org/en/latest/admin/domain_blocks/#block-announce-bots # # Options: [true, false] # Default: false -instance-expose-suspended: false +instance-expose-blocklist: false -# Bool. Allow unauthenticated users to view /about/suspended, -# showing the HTML rendered list of instances that this instance blocks/suspends. +# Bool. Allow unauthenticated users to view /about/domain_blocks, +# which shows an HTML-rendered list of domains that this instance blocks, +# including the public reason for each block. # Options: [true, false] # Default: false -instance-expose-suspended-web: false +instance-expose-blocklist-web: false + +# Bool. Allow unauthenticated users to make queries to the following instance API +# endpoints in order to see a list of domains that this instance explicitly allows +# including the public reason for each allow: +# +# - /api/v1/instance/peers?filter=allowlist +# - /api/v1/instance/domain_allows +# +# Even if set to 'false', then authenticated users (members of the instance) +# will still be able to query these endpoints using an OAuth token. +# +# Options: [true, false] +# Default: false +instance-expose-allowlist: false + +# Bool. Allow unauthenticated users to view /about/domain_allows, +# which shows an HTML-rendered list of domains that this instance allows, +# including the public reason for each allow. +# Options: [true, false] +# Default: false +instance-expose-blocklist-web: false # Bool. Allow unauthenticated users to make queries to /api/v1/timelines/public in order # to see a list of public posts on this server. Even if set to 'false', then authenticated diff --git a/internal/api/client/instance/domainperms.go b/internal/api/client/instance/domainperms.go new file mode 100644 index 000000000..6503388a5 --- /dev/null +++ b/internal/api/client/instance/domainperms.go @@ -0,0 +1,172 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package instance + +import ( + "errors" + "net/http" + + apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util" + "code.superseriousbusiness.org/gotosocial/internal/config" + "code.superseriousbusiness.org/gotosocial/internal/gtserror" + "github.com/gin-gonic/gin" +) + +// InstanceDomainBlocksGETHandler swagger:operation GET /api/v1/instance/domain_blocks instanceDomainBlocksGet +// +// List blocked domains. +// +// OAuth token may need to be provided depending on setting `instance-expose-blocklist`. +// +// --- +// tags: +// - instance +// +// produces: +// - application/json +// +// security: +// - OAuth2 Bearer: [] +// +// responses: +// '200': +// description: List of blocked domains. +// schema: +// type: array +// items: +// "$ref": "#/definitions/domain" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '403': +// description: forbidden +// '404': +// description: not found +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) InstanceDomainBlocksGETHandler(c *gin.Context) { + authed, errWithCode := apiutil.TokenAuth(c, + false, false, false, false, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + if (authed.Account == nil || authed.User == nil) && !config.GetInstanceExposeBlocklist() { + const errText = "domain blocks endpoint requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + data, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + true, // Include blocked. + false, // Don't include allowed. + false, // Don't include open. + false, // Don't flatten. + true, // Include severity. + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + apiutil.JSON(c, http.StatusOK, data) +} + +// InstanceDomainAllowsGETHandler swagger:operation GET /api/v1/instance/domain_allows instanceDomainAllowsGet +// +// List explicitly allowed domains. +// +// OAuth token may need to be provided depending on setting `instance-expose-allowlist`. +// +// --- +// tags: +// - instance +// +// produces: +// - application/json +// +// security: +// - OAuth2 Bearer: [] +// +// responses: +// '200': +// description: List of explicitly allowed domains. +// schema: +// type: array +// items: +// "$ref": "#/definitions/domain" +// '400': +// description: bad request +// '401': +// description: unauthorized +// '403': +// description: forbidden +// '404': +// description: not found +// '406': +// description: not acceptable +// '500': +// description: internal server error +func (m *Module) InstanceDomainAllowsGETHandler(c *gin.Context) { + authed, errWithCode := apiutil.TokenAuth(c, + false, false, false, false, + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + if (authed.Account == nil || authed.User == nil) && !config.GetInstanceExposeAllowlist() { + const errText = "domain allows endpoint requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + data, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + false, // Don't include blocked. + true, // Include allowed. + false, // Don't include open. + false, // Don't flatten. + false, // Don't include severity. + ) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + apiutil.JSON(c, http.StatusOK, data) +} diff --git a/internal/api/client/instance/instance.go b/internal/api/client/instance/instance.go index cd6c438c8..0e06941cc 100644 --- a/internal/api/client/instance/instance.go +++ b/internal/api/client/instance/instance.go @@ -29,7 +29,10 @@ const ( InstanceInformationPathV2 = "/v2/instance" InstancePeersPath = InstanceInformationPathV1 + "/peers" InstanceRulesPath = InstanceInformationPathV1 + "/rules" + InstanceBlocklistPath = InstanceInformationPathV1 + "/domain_blocks" + InstanceAllowlistPath = InstanceInformationPathV1 + "/domain_allows" PeersFilterKey = "filter" // PeersFilterKey is used to provide filters to /api/v1/instance/peers + PeersFlatKey = "flat" // PeersFlatKey is used to set "flat=true" in /api/v1/instance/peers ) type Module struct { @@ -45,9 +48,9 @@ func New(processor *processing.Processor) *Module { func (m *Module) Route(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { attachHandler(http.MethodGet, InstanceInformationPathV1, m.InstanceInformationGETHandlerV1) attachHandler(http.MethodGet, InstanceInformationPathV2, m.InstanceInformationGETHandlerV2) - attachHandler(http.MethodPatch, InstanceInformationPathV1, m.InstanceUpdatePATCHHandler) attachHandler(http.MethodGet, InstancePeersPath, m.InstancePeersGETHandler) - attachHandler(http.MethodGet, InstanceRulesPath, m.InstanceRulesGETHandler) + attachHandler(http.MethodGet, InstanceBlocklistPath, m.InstanceDomainBlocksGETHandler) + attachHandler(http.MethodGet, InstanceAllowlistPath, m.InstanceDomainAllowsGETHandler) } diff --git a/internal/api/client/instance/instancepeersget.go b/internal/api/client/instance/instancepeersget.go index 7afeb7104..d9f7610b7 100644 --- a/internal/api/client/instance/instancepeersget.go +++ b/internal/api/client/instance/instancepeersget.go @@ -18,8 +18,10 @@ package instance import ( + "errors" "fmt" "net/http" + "strconv" "strings" apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util" @@ -31,6 +33,8 @@ import ( // InstancePeersGETHandler swagger:operation GET /api/v1/instance/peers instancePeersGet // +// List peer domains. +// // --- // tags: // - instance @@ -44,19 +48,32 @@ import ( // type: string // description: |- // Comma-separated list of filters to apply to results. Recognized filters are: -// - `open` -- include peers that are not suspended or silenced -// - `suspended` -- include peers that have been suspended. +// - `open` -- include known domains that are not in the domain blocklist +// - `allowed` -- include domains that are in the domain allowlist +// - `blocked` -- include domains that are in the domain blocklist +// - `suspended` -- DEPRECATED! Use `blocked` instead. Same as `blocked`: include domains that are in the domain blocklist; // -// If filter is `open`, only instances that haven't been suspended or silenced will be returned. +// If filter is `open`, only domains that aren't in the blocklist will be shown. // -// If filter is `suspended`, only suspended instances will be shown. +// If filter is `blocked`, only domains that *are* in the blocklist will be shown. // -// If filter is `open,suspended`, then all known instances will be returned. +// If filter is `allowed`, only domains that are in the allowlist will be shown. +// +// If filter is `open,blocked`, then blocked domains and known domains not on the blocklist will be shown. +// +// If filter is `open,allowed`, then allowed domains and known domains not on the blocklist will be shown. // // If filter is an empty string or not set, then `open` will be assumed as the default. // in: query // required: false -// default: "open" +// default: flat +// - +// name: flat +// type: boolean +// description: If true, a "flat" array of strings will be returned corresponding to just domain names. +// in: query +// required: false +// default: false // // security: // - OAuth2 Bearer: [] @@ -67,12 +84,10 @@ import ( // If no filter parameter is provided, or filter is empty, then a legacy, // Mastodon-API compatible response will be returned. This will consist of // just a 'flat' array of strings like `["example.com", "example.org"]`, -// which corresponds to domains this instance peers with. -// -// -// If a filter parameter is provided, then an array of objects with at least -// a `domain` key set on each object will be returned. +// which corresponds to setting a filter of `open` and flat=true. // +// If a filter parameter is provided and flat is not true, then an array +// of objects with at least a `domain` key set on each object will be returned. // // Domains that are silenced or suspended will also have a key // `suspended_at` or `silenced_at` that contains an iso8601 date string. @@ -81,7 +96,6 @@ import ( // will have some letters replaced by `*` to make it more difficult for // bad actors to target instances with harassment. // -// // Whether a flat response or a more detailed response is returned, domains // will be sorted alphabetically by hostname. // schema: @@ -116,45 +130,85 @@ func (m *Module) InstancePeersGETHandler(c *gin.Context) { return } - var includeSuspended bool - var includeOpen bool - var flat bool + var ( + includeBlocked bool + includeAllowed bool + includeOpen bool + flatten bool + ) + if filterParam := c.Query(PeersFilterKey); filterParam != "" { filters := strings.Split(filterParam, ",") for _, f := range filters { trimmed := strings.TrimSpace(f) switch { - case strings.EqualFold(trimmed, "suspended"): - includeSuspended = true + case strings.EqualFold(trimmed, "blocked") || strings.EqualFold(trimmed, "suspended"): + includeBlocked = true + case strings.EqualFold(trimmed, "allowed"): + includeAllowed = true case strings.EqualFold(trimmed, "open"): includeOpen = true default: - err := fmt.Errorf("filter %s not recognized; accepted values are 'open', 'suspended'", trimmed) + err := fmt.Errorf("filter %s not recognized; accepted values are 'open', 'blocked', 'allowed', and 'suspended' (deprecated)", trimmed) apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) return } } } else { - // default is to only include open domains, and present + // Default is to only include open domains, and present // them in a 'flat' manner (just an array of strings), - // to maintain compatibility with mastodon API + // to maintain compatibility with the Mastodon API. includeOpen = true - flat = true + flatten = true } - if includeOpen && !config.GetInstanceExposePeers() && isUnauthenticated { - err := fmt.Errorf("peers open query requires an authenticated account/user") - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if includeBlocked && isUnauthenticated && !config.GetInstanceExposeBlocklist() { + const errText = "peers blocked query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - if includeSuspended && !config.GetInstanceExposeSuspended() && isUnauthenticated { - err := fmt.Errorf("peers suspended query requires an authenticated account/user") - apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) + if includeAllowed && isUnauthenticated && !config.GetInstanceExposeAllowlist() { + const errText = "peers allowed query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } - data, errWithCode := m.processor.InstancePeersGet(c.Request.Context(), includeSuspended, includeOpen, flat) + if includeOpen && isUnauthenticated && !config.GetInstanceExposePeers() { + const errText = "peers open query requires an authenticated account/user" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if includeBlocked && includeAllowed { + const errText = "cannot include blocked + allowed filters at the same time" + errWithCode := gtserror.NewErrorBadRequest(errors.New(errText), errText) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + if flatStr := c.Query(PeersFlatKey); flatStr != "" { + var err error + flatten, err = strconv.ParseBool(flatStr) + if err != nil { + err := fmt.Errorf("error parsing 'flat' key as boolean: %w", err) + errWithCode := gtserror.NewErrorBadRequest(err, err.Error()) + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + } + + data, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + includeBlocked, + includeAllowed, + includeOpen, + flatten, + false, // Don't include severity. + ) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return diff --git a/internal/api/client/instance/instancepeersget_test.go b/internal/api/client/instance/instancepeersget_test.go index a18e30875..3c7f1f665 100644 --- a/internal/api/client/instance/instancepeersget_test.go +++ b/internal/api/client/instance/instancepeersget_test.go @@ -136,13 +136,14 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspended() { { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedUnauthorized() { - config.SetInstanceExposeSuspended(false) + config.SetInstanceExposeBlocklist(false) recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) @@ -159,11 +160,11 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedUnautho b, err := io.ReadAll(result.Body) suite.NoError(err) - suite.Equal(`{"error":"Unauthorized: peers suspended query requires an authenticated account/user"}`, string(b)) + suite.Equal(`{"error":"Unauthorized: peers blocked query requires an authenticated account/user"}`, string(b)) } func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedAuthorized() { - config.SetInstanceExposeSuspended(false) + config.SetInstanceExposeBlocklist(false) recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) @@ -186,7 +187,8 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetOnlySuspendedAuthori { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } @@ -219,11 +221,33 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAll() { { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } +func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllowed() { + recorder := httptest.NewRecorder() + baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) + requestURI := fmt.Sprintf("%s/%s?filter=allowed", baseURI, instance.InstancePeersPath) + ctx := suite.newContext(recorder, http.MethodGet, requestURI, nil, "", false) + + suite.instanceModule.InstancePeersGETHandler(ctx) + + suite.Equal(http.StatusOK, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + b, err := io.ReadAll(result.Body) + suite.NoError(err) + dst := new(bytes.Buffer) + err = json.Indent(dst, b, "", " ") + suite.NoError(err) + suite.Equal(`[]`, dst.String()) +} + func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscated() { err := suite.db.Put(context.Background(), >smodel.DomainBlock{ ID: "01G633XTNK51GBADQZFZQDP6WR", @@ -263,16 +287,55 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscated() { "domain": "o*g.*u**.t**.*or*t.*r**ev**", "suspended_at": "2021-06-09T10:34:55.000Z", - "comment": "just absolutely the worst, wowza" + "comment": "just absolutely the worst, wowza", + "severity": "suspend" }, { "domain": "replyguys.com", "suspended_at": "2020-05-13T13:29:12.000Z", - "comment": "reply-guying to tech posts" + "comment": "reply-guying to tech posts", + "severity": "suspend" } ]`, dst.String()) } +func (suite *InstancePeersGetTestSuite) TestInstancePeersGetAllWithObfuscatedFlat() { + err := suite.db.Put(context.Background(), >smodel.DomainBlock{ + ID: "01G633XTNK51GBADQZFZQDP6WR", + CreatedAt: testrig.TimeMustParse("2021-06-09T12:34:55+02:00"), + UpdatedAt: testrig.TimeMustParse("2021-06-09T12:34:55+02:00"), + Domain: "omg.just.the.worst.org.ever", + CreatedByAccountID: "01F8MH17FWEB39HZJ76B6VXSKF", + PublicComment: "just absolutely the worst, wowza", + Obfuscate: util.Ptr(true), + }) + suite.NoError(err) + + recorder := httptest.NewRecorder() + baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) + requestURI := fmt.Sprintf("%s/%s?filter=suspended,open&flat=true", baseURI, instance.InstancePeersPath) + ctx := suite.newContext(recorder, http.MethodGet, requestURI, nil, "", false) + + suite.instanceModule.InstancePeersGETHandler(ctx) + + suite.Equal(http.StatusOK, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + b, err := io.ReadAll(result.Body) + suite.NoError(err) + dst := new(bytes.Buffer) + err = json.Indent(dst, b, "", " ") + suite.NoError(err) + suite.Equal(`[ + "example.org", + "fossbros-anonymous.io", + "o*g.*u**.t**.*or*t.*r**ev**", + "replyguys.com" +]`, dst.String()) +} + func (suite *InstancePeersGetTestSuite) TestInstancePeersGetFunkyParams() { recorder := httptest.NewRecorder() baseURI := fmt.Sprintf("%s://%s", config.GetProtocol(), config.GetHost()) @@ -289,7 +352,7 @@ func (suite *InstancePeersGetTestSuite) TestInstancePeersGetFunkyParams() { b, err := io.ReadAll(result.Body) suite.NoError(err) - suite.Equal(`{"error":"Bad Request: filter aaaaaaaaaaaaaaaaa not recognized; accepted values are 'open', 'suspended'"}`, string(b)) + suite.Equal(`{"error":"Bad Request: filter aaaaaaaaaaaaaaaaa not recognized; accepted values are 'open', 'blocked', 'allowed', and 'suspended' (deprecated)"}`, string(b)) } func TestInstancePeersGetTestSuite(t *testing.T) { diff --git a/internal/api/model/domain.go b/internal/api/model/domain.go index 8d94321d0..b793d77b0 100644 --- a/internal/api/model/domain.go +++ b/internal/api/model/domain.go @@ -32,14 +32,17 @@ type Domain struct { // Time at which this domain was silenced. Key will not be present on open domains. // example: 2021-07-30T09:20:25+00:00 SilencedAt string `json:"silenced_at,omitempty"` - // If the domain is blocked, what's the publicly-stated reason for the block. + // If the domain is blocked or allowed, what's the publicly-stated reason (if any). // Alternative to `public_comment` to be used when serializing/deserializing via /api/v1/instance. // example: they smell Comment *string `form:"comment" json:"comment,omitempty"` - // If the domain is blocked, what's the publicly-stated reason for the block. + // If the domain is blocked or allowed, what's the publicly-stated reason (if any). // Alternative to `comment` to be used when serializing/deserializing NOT via /api/v1/instance. // example: they smell PublicComment *string `form:"public_comment" json:"public_comment,omitempty"` + // Severity of this entry. + // Only ever set for domain blocks, and if set, always="suspend". + Severity string `form:"severity" json:"severity,omitempty"` } // DomainPermission represents a permission applied to one domain (explicit block/allow). diff --git a/internal/config/config.go b/internal/config/config.go index dd03b1104..5b8da9703 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -49,7 +49,10 @@ func fieldtag(field, tag string) string { // // Please note that if you update this struct's fields or tags, you // will need to regenerate the global Getter/Setter helpers by running: -// `go run ./internal/config/gen/ -out ./internal/config/helpers.gen.go` +// `go run ./internal/config/gen/ -out ./internal/config/helpers.gen.go`. +// +// You will need to have gofumpt installed in order for this to work: +// https://github.com/mvdan/gofumpt. type Configuration struct { LogLevel string `name:"log-level" usage:"Log level to run at: [trace, debug, info, warn, fatal]"` LogTimestampFormat string `name:"log-timestamp-format" usage:"Format to use for the log timestamp, as supported by Go's time.Layout"` @@ -88,8 +91,10 @@ type Configuration struct { InstanceFederationMode string `name:"instance-federation-mode" usage:"Set instance federation mode."` InstanceFederationSpamFilter bool `name:"instance-federation-spam-filter" usage:"Enable basic spam filter heuristics for messages coming from other instances, and drop messages identified as spam"` InstanceExposePeers bool `name:"instance-expose-peers" usage:"Allow unauthenticated users to query /api/v1/instance/peers?filter=open"` - InstanceExposeSuspended bool `name:"instance-expose-suspended" usage:"Expose suspended instances via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=suspended"` - InstanceExposeSuspendedWeb bool `name:"instance-expose-suspended-web" usage:"Expose list of suspended instances as webpage on /about/suspended"` + InstanceExposeBlocklist bool `name:"instance-expose-blocklist" usage:"Expose list of blocked domains via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=blocked and /api/v1/instance/domain_blocks"` + InstanceExposeBlocklistWeb bool `name:"instance-expose-blocklist-web" usage:"Expose list of explicitly blocked domains as webpage on /about/domain_blocks"` + InstanceExposeAllowlist bool `name:"instance-expose-allowlist" usage:"Expose list of allowed domains via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=allowed and /api/v1/instance/domain_allows"` + InstanceExposeAllowlistWeb bool `name:"instance-expose-allowlist-web" usage:"Expose list of explicitly allowed domains as webpage on /about/domain_allows"` InstanceExposePublicTimeline bool `name:"instance-expose-public-timeline" usage:"Allow unauthenticated users to query /api/v1/timelines/public"` InstanceDeliverToSharedInboxes bool `name:"instance-deliver-to-shared-inboxes" usage:"Deliver federated messages to shared inboxes, if they're available."` InstanceInjectMastodonVersion bool `name:"instance-inject-mastodon-version" usage:"This injects a Mastodon compatible version in /api/v1/instance to help Mastodon clients that use that version for feature detection"` diff --git a/internal/config/defaults.go b/internal/config/defaults.go index 8ed6ed0ea..8372e4b00 100644 --- a/internal/config/defaults.go +++ b/internal/config/defaults.go @@ -61,8 +61,8 @@ var Defaults = Configuration{ InstanceFederationMode: InstanceFederationModeDefault, InstanceFederationSpamFilter: false, InstanceExposePeers: false, - InstanceExposeSuspended: false, - InstanceExposeSuspendedWeb: false, + InstanceExposeBlocklist: false, + InstanceExposeBlocklistWeb: false, InstanceDeliverToSharedInboxes: true, InstanceLanguages: make(language.Languages, 0), InstanceSubscriptionsProcessFrom: "23:00", // 11pm, diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go index a41c95861..269aa7abc 100644 --- a/internal/config/helpers.gen.go +++ b/internal/config/helpers.gen.go @@ -63,8 +63,10 @@ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) { flags.String("instance-federation-mode", cfg.InstanceFederationMode, "Set instance federation mode.") flags.Bool("instance-federation-spam-filter", cfg.InstanceFederationSpamFilter, "Enable basic spam filter heuristics for messages coming from other instances, and drop messages identified as spam") flags.Bool("instance-expose-peers", cfg.InstanceExposePeers, "Allow unauthenticated users to query /api/v1/instance/peers?filter=open") - flags.Bool("instance-expose-suspended", cfg.InstanceExposeSuspended, "Expose suspended instances via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=suspended") - flags.Bool("instance-expose-suspended-web", cfg.InstanceExposeSuspendedWeb, "Expose list of suspended instances as webpage on /about/suspended") + flags.Bool("instance-expose-blocklist", cfg.InstanceExposeBlocklist, "Expose list of blocked domains via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=blocked and /api/v1/instance/domain_blocks") + flags.Bool("instance-expose-blocklist-web", cfg.InstanceExposeBlocklistWeb, "Expose list of explicitly blocked domains as webpage on /about/domain_blocks") + flags.Bool("instance-expose-allowlist", cfg.InstanceExposeAllowlist, "Expose list of allowed domains via web UI, and allow unauthenticated users to query /api/v1/instance/peers?filter=allowed and /api/v1/instance/domain_allows") + flags.Bool("instance-expose-allowlist-web", cfg.InstanceExposeAllowlistWeb, "Expose list of explicitly allowed domains as webpage on /about/domain_allows") flags.Bool("instance-expose-public-timeline", cfg.InstanceExposePublicTimeline, "Allow unauthenticated users to query /api/v1/timelines/public") flags.Bool("instance-deliver-to-shared-inboxes", cfg.InstanceDeliverToSharedInboxes, "Deliver federated messages to shared inboxes, if they're available.") flags.Bool("instance-inject-mastodon-version", cfg.InstanceInjectMastodonVersion, "This injects a Mastodon compatible version in /api/v1/instance to help Mastodon clients that use that version for feature detection") @@ -79,7 +81,7 @@ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) { flags.Int("accounts-registration-backlog-limit", cfg.AccountsRegistrationBacklogLimit, "Limit how big the 'accounts pending approval' queue can grow before registration is closed. 0 or less = no limit.") flags.Bool("accounts-allow-custom-css", cfg.AccountsAllowCustomCSS, "Allow accounts to enable custom CSS for their profile pages and statuses.") flags.Int("accounts-custom-css-length", cfg.AccountsCustomCSSLength, "Maximum permitted length (characters) of custom CSS for accounts.") - flags.Int("accounts-max-profile-fields", cfg.AccountsMaxProfileFields, "Maximum amount of profile fields an account can have.") + flags.Int("accounts-max-profile-fields", cfg.AccountsMaxProfileFields, "Maximum number of profile fields allowed for each account.") flags.Int("media-description-min-chars", cfg.MediaDescriptionMinChars, "Min required chars for an image description") flags.Int("media-description-max-chars", cfg.MediaDescriptionMaxChars, "Max permitted chars for an image description") flags.Int("media-remote-cache-days", cfg.MediaRemoteCacheDays, "Number of days to locally cache media from remote instances. If set to 0, remote media will be kept indefinitely.") @@ -207,7 +209,7 @@ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) { } func (cfg *Configuration) MarshalMap() map[string]any { - cfgmap := make(map[string]any, 182) + cfgmap := make(map[string]any, 184) cfgmap["log-level"] = cfg.LogLevel cfgmap["log-timestamp-format"] = cfg.LogTimestampFormat cfgmap["log-db-queries"] = cfg.LogDbQueries @@ -242,8 +244,10 @@ func (cfg *Configuration) MarshalMap() map[string]any { cfgmap["instance-federation-mode"] = cfg.InstanceFederationMode cfgmap["instance-federation-spam-filter"] = cfg.InstanceFederationSpamFilter cfgmap["instance-expose-peers"] = cfg.InstanceExposePeers - cfgmap["instance-expose-suspended"] = cfg.InstanceExposeSuspended - cfgmap["instance-expose-suspended-web"] = cfg.InstanceExposeSuspendedWeb + cfgmap["instance-expose-blocklist"] = cfg.InstanceExposeBlocklist + cfgmap["instance-expose-blocklist-web"] = cfg.InstanceExposeBlocklistWeb + cfgmap["instance-expose-allowlist"] = cfg.InstanceExposeAllowlist + cfgmap["instance-expose-allowlist-web"] = cfg.InstanceExposeAllowlistWeb cfgmap["instance-expose-public-timeline"] = cfg.InstanceExposePublicTimeline cfgmap["instance-deliver-to-shared-inboxes"] = cfg.InstanceDeliverToSharedInboxes cfgmap["instance-inject-mastodon-version"] = cfg.InstanceInjectMastodonVersion @@ -674,19 +678,35 @@ func (cfg *Configuration) UnmarshalMap(cfgmap map[string]any) error { } } - if ival, ok := cfgmap["instance-expose-suspended"]; ok { + if ival, ok := cfgmap["instance-expose-blocklist"]; ok { var err error - cfg.InstanceExposeSuspended, err = cast.ToBoolE(ival) + cfg.InstanceExposeBlocklist, err = cast.ToBoolE(ival) if err != nil { - return fmt.Errorf("error casting %#v -> bool for 'instance-expose-suspended': %w", ival, err) + return fmt.Errorf("error casting %#v -> bool for 'instance-expose-blocklist': %w", ival, err) } } - if ival, ok := cfgmap["instance-expose-suspended-web"]; ok { + if ival, ok := cfgmap["instance-expose-blocklist-web"]; ok { var err error - cfg.InstanceExposeSuspendedWeb, err = cast.ToBoolE(ival) + cfg.InstanceExposeBlocklistWeb, err = cast.ToBoolE(ival) if err != nil { - return fmt.Errorf("error casting %#v -> bool for 'instance-expose-suspended-web': %w", ival, err) + return fmt.Errorf("error casting %#v -> bool for 'instance-expose-blocklist-web': %w", ival, err) + } + } + + if ival, ok := cfgmap["instance-expose-allowlist"]; ok { + var err error + cfg.InstanceExposeAllowlist, err = cast.ToBoolE(ival) + if err != nil { + return fmt.Errorf("error casting %#v -> bool for 'instance-expose-allowlist': %w", ival, err) + } + } + + if ival, ok := cfgmap["instance-expose-allowlist-web"]; ok { + var err error + cfg.InstanceExposeAllowlistWeb, err = cast.ToBoolE(ival) + if err != nil { + return fmt.Errorf("error casting %#v -> bool for 'instance-expose-allowlist-web': %w", ival, err) } } @@ -2742,55 +2762,105 @@ func GetInstanceExposePeers() bool { return global.GetInstanceExposePeers() } // SetInstanceExposePeers safely sets the value for global configuration 'InstanceExposePeers' field func SetInstanceExposePeers(v bool) { global.SetInstanceExposePeers(v) } -// InstanceExposeSuspendedFlag returns the flag name for the 'InstanceExposeSuspended' field -func InstanceExposeSuspendedFlag() string { return "instance-expose-suspended" } +// InstanceExposeBlocklistFlag returns the flag name for the 'InstanceExposeBlocklist' field +func InstanceExposeBlocklistFlag() string { return "instance-expose-blocklist" } -// GetInstanceExposeSuspended safely fetches the Configuration value for state's 'InstanceExposeSuspended' field -func (st *ConfigState) GetInstanceExposeSuspended() (v bool) { +// GetInstanceExposeBlocklist safely fetches the Configuration value for state's 'InstanceExposeBlocklist' field +func (st *ConfigState) GetInstanceExposeBlocklist() (v bool) { st.mutex.RLock() - v = st.config.InstanceExposeSuspended + v = st.config.InstanceExposeBlocklist st.mutex.RUnlock() return } -// SetInstanceExposeSuspended safely sets the Configuration value for state's 'InstanceExposeSuspended' field -func (st *ConfigState) SetInstanceExposeSuspended(v bool) { +// SetInstanceExposeBlocklist safely sets the Configuration value for state's 'InstanceExposeBlocklist' field +func (st *ConfigState) SetInstanceExposeBlocklist(v bool) { st.mutex.Lock() defer st.mutex.Unlock() - st.config.InstanceExposeSuspended = v + st.config.InstanceExposeBlocklist = v st.reloadToViper() } -// GetInstanceExposeSuspended safely fetches the value for global configuration 'InstanceExposeSuspended' field -func GetInstanceExposeSuspended() bool { return global.GetInstanceExposeSuspended() } +// GetInstanceExposeBlocklist safely fetches the value for global configuration 'InstanceExposeBlocklist' field +func GetInstanceExposeBlocklist() bool { return global.GetInstanceExposeBlocklist() } -// SetInstanceExposeSuspended safely sets the value for global configuration 'InstanceExposeSuspended' field -func SetInstanceExposeSuspended(v bool) { global.SetInstanceExposeSuspended(v) } +// SetInstanceExposeBlocklist safely sets the value for global configuration 'InstanceExposeBlocklist' field +func SetInstanceExposeBlocklist(v bool) { global.SetInstanceExposeBlocklist(v) } -// InstanceExposeSuspendedWebFlag returns the flag name for the 'InstanceExposeSuspendedWeb' field -func InstanceExposeSuspendedWebFlag() string { return "instance-expose-suspended-web" } +// InstanceExposeBlocklistWebFlag returns the flag name for the 'InstanceExposeBlocklistWeb' field +func InstanceExposeBlocklistWebFlag() string { return "instance-expose-blocklist-web" } -// GetInstanceExposeSuspendedWeb safely fetches the Configuration value for state's 'InstanceExposeSuspendedWeb' field -func (st *ConfigState) GetInstanceExposeSuspendedWeb() (v bool) { +// GetInstanceExposeBlocklistWeb safely fetches the Configuration value for state's 'InstanceExposeBlocklistWeb' field +func (st *ConfigState) GetInstanceExposeBlocklistWeb() (v bool) { st.mutex.RLock() - v = st.config.InstanceExposeSuspendedWeb + v = st.config.InstanceExposeBlocklistWeb st.mutex.RUnlock() return } -// SetInstanceExposeSuspendedWeb safely sets the Configuration value for state's 'InstanceExposeSuspendedWeb' field -func (st *ConfigState) SetInstanceExposeSuspendedWeb(v bool) { +// SetInstanceExposeBlocklistWeb safely sets the Configuration value for state's 'InstanceExposeBlocklistWeb' field +func (st *ConfigState) SetInstanceExposeBlocklistWeb(v bool) { st.mutex.Lock() defer st.mutex.Unlock() - st.config.InstanceExposeSuspendedWeb = v + st.config.InstanceExposeBlocklistWeb = v st.reloadToViper() } -// GetInstanceExposeSuspendedWeb safely fetches the value for global configuration 'InstanceExposeSuspendedWeb' field -func GetInstanceExposeSuspendedWeb() bool { return global.GetInstanceExposeSuspendedWeb() } +// GetInstanceExposeBlocklistWeb safely fetches the value for global configuration 'InstanceExposeBlocklistWeb' field +func GetInstanceExposeBlocklistWeb() bool { return global.GetInstanceExposeBlocklistWeb() } -// SetInstanceExposeSuspendedWeb safely sets the value for global configuration 'InstanceExposeSuspendedWeb' field -func SetInstanceExposeSuspendedWeb(v bool) { global.SetInstanceExposeSuspendedWeb(v) } +// SetInstanceExposeBlocklistWeb safely sets the value for global configuration 'InstanceExposeBlocklistWeb' field +func SetInstanceExposeBlocklistWeb(v bool) { global.SetInstanceExposeBlocklistWeb(v) } + +// InstanceExposeAllowlistFlag returns the flag name for the 'InstanceExposeAllowlist' field +func InstanceExposeAllowlistFlag() string { return "instance-expose-allowlist" } + +// GetInstanceExposeAllowlist safely fetches the Configuration value for state's 'InstanceExposeAllowlist' field +func (st *ConfigState) GetInstanceExposeAllowlist() (v bool) { + st.mutex.RLock() + v = st.config.InstanceExposeAllowlist + st.mutex.RUnlock() + return +} + +// SetInstanceExposeAllowlist safely sets the Configuration value for state's 'InstanceExposeAllowlist' field +func (st *ConfigState) SetInstanceExposeAllowlist(v bool) { + st.mutex.Lock() + defer st.mutex.Unlock() + st.config.InstanceExposeAllowlist = v + st.reloadToViper() +} + +// GetInstanceExposeAllowlist safely fetches the value for global configuration 'InstanceExposeAllowlist' field +func GetInstanceExposeAllowlist() bool { return global.GetInstanceExposeAllowlist() } + +// SetInstanceExposeAllowlist safely sets the value for global configuration 'InstanceExposeAllowlist' field +func SetInstanceExposeAllowlist(v bool) { global.SetInstanceExposeAllowlist(v) } + +// InstanceExposeAllowlistWebFlag returns the flag name for the 'InstanceExposeAllowlistWeb' field +func InstanceExposeAllowlistWebFlag() string { return "instance-expose-allowlist-web" } + +// GetInstanceExposeAllowlistWeb safely fetches the Configuration value for state's 'InstanceExposeAllowlistWeb' field +func (st *ConfigState) GetInstanceExposeAllowlistWeb() (v bool) { + st.mutex.RLock() + v = st.config.InstanceExposeAllowlistWeb + st.mutex.RUnlock() + return +} + +// SetInstanceExposeAllowlistWeb safely sets the Configuration value for state's 'InstanceExposeAllowlistWeb' field +func (st *ConfigState) SetInstanceExposeAllowlistWeb(v bool) { + st.mutex.Lock() + defer st.mutex.Unlock() + st.config.InstanceExposeAllowlistWeb = v + st.reloadToViper() +} + +// GetInstanceExposeAllowlistWeb safely fetches the value for global configuration 'InstanceExposeAllowlistWeb' field +func GetInstanceExposeAllowlistWeb() bool { return global.GetInstanceExposeAllowlistWeb() } + +// SetInstanceExposeAllowlistWeb safely sets the value for global configuration 'InstanceExposeAllowlistWeb' field +func SetInstanceExposeAllowlistWeb(v bool) { global.SetInstanceExposeAllowlistWeb(v) } // InstanceExposePublicTimelineFlag returns the flag name for the 'InstanceExposePublicTimeline' field func InstanceExposePublicTimelineFlag() string { return "instance-expose-public-timeline" } diff --git a/internal/processing/instance.go b/internal/processing/instance.go index 87fe1e3ef..e1a3785e9 100644 --- a/internal/processing/instance.go +++ b/internal/processing/instance.go @@ -19,8 +19,10 @@ package processing import ( "context" + "errors" "fmt" - "sort" + "slices" + "strings" apimodel "code.superseriousbusiness.org/gotosocial/internal/api/model" "code.superseriousbusiness.org/gotosocial/internal/config" @@ -31,6 +33,7 @@ import ( "code.superseriousbusiness.org/gotosocial/internal/text" "code.superseriousbusiness.org/gotosocial/internal/typeutils" "code.superseriousbusiness.org/gotosocial/internal/util" + "code.superseriousbusiness.org/gotosocial/internal/util/xslices" "code.superseriousbusiness.org/gotosocial/internal/validate" ) @@ -62,70 +65,126 @@ func (p *Processor) InstanceGetV2(ctx context.Context) (*apimodel.InstanceV2, gt return ai, nil } -func (p *Processor) InstancePeersGet(ctx context.Context, includeSuspended bool, includeOpen bool, flat bool) (interface{}, gtserror.WithCode) { - domains := []*apimodel.Domain{} +func (p *Processor) InstancePeersGet( + ctx context.Context, + includeBlocked bool, + includeAllowed bool, + includeOpen bool, + flatten bool, + includeSeverity bool, +) (any, gtserror.WithCode) { + var ( + domainPerms []gtsmodel.DomainPermission + apiDomains []*apimodel.Domain + ) + + if includeBlocked { + blocks, err := p.state.DB.GetDomainBlocks(ctx) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err := gtserror.Newf("db error getting domain blocks: %w", err) + return nil, gtserror.NewErrorInternalError(err) + } + + for _, block := range blocks { + domainPerms = append(domainPerms, block) + } + + } else if includeAllowed { + allows, err := p.state.DB.GetDomainAllows(ctx) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err := gtserror.Newf("db error getting domain allows: %w", err) + return nil, gtserror.NewErrorInternalError(err) + } + + for _, allow := range allows { + domainPerms = append(domainPerms, allow) + } + } + + for _, domainPerm := range domainPerms { + // Domain may be in Punycode, + // de-punify it just in case. + domain := domainPerm.GetDomain() + depunied, err := util.DePunify(domain) + if err != nil { + log.Errorf(ctx, "couldn't depunify domain %s: %v", domain, err) + continue + } + + if util.PtrOrZero(domainPerm.GetObfuscate()) { + // Obfuscate the de-punified version. + depunied = obfuscate(depunied) + } + + apiDomain := &apimodel.Domain{ + Domain: depunied, + Comment: util.Ptr(domainPerm.GetPublicComment()), + } + + if domainPerm.GetType() == gtsmodel.DomainPermissionBlock { + const severity = "suspend" + apiDomain.Severity = severity + suspendedAt := domainPerm.GetCreatedAt() + apiDomain.SuspendedAt = util.FormatISO8601(suspendedAt) + } + + apiDomains = append(apiDomains, apiDomain) + } if includeOpen { instances, err := p.state.DB.GetInstancePeers(ctx, false) - if err != nil && err != db.ErrNoEntries { - err = fmt.Errorf("error selecting instance peers: %s", err) + if err != nil && !errors.Is(err, db.ErrNoEntries) { + err = gtserror.Newf("db error getting instance peers: %w", err) return nil, gtserror.NewErrorInternalError(err) } - for _, i := range instances { + for _, instance := range instances { // Domain may be in Punycode, // de-punify it just in case. - d, err := util.DePunify(i.Domain) + domain := instance.Domain + depunied, err := util.DePunify(domain) if err != nil { - log.Errorf(ctx, "couldn't depunify domain %s: %s", i.Domain, err) + log.Errorf(ctx, "couldn't depunify domain %s: %v", domain, err) continue } - domains = append(domains, &apimodel.Domain{Domain: d}) + apiDomains = append( + apiDomains, + &apimodel.Domain{ + Domain: depunied, + }, + ) } } - if includeSuspended { - domainBlocks := []*gtsmodel.DomainBlock{} - if err := p.state.DB.GetAll(ctx, &domainBlocks); err != nil && err != db.ErrNoEntries { - return nil, gtserror.NewErrorInternalError(err) - } + // Sort a-z. + slices.SortFunc( + apiDomains, + func(a, b *apimodel.Domain) int { + return strings.Compare(a.Domain, b.Domain) + }, + ) - for _, domainBlock := range domainBlocks { - // Domain may be in Punycode, - // de-punify it just in case. - d, err := util.DePunify(domainBlock.Domain) - if err != nil { - log.Errorf(ctx, "couldn't depunify domain %s: %s", domainBlock.Domain, err) - continue - } + // Deduplicate. + apiDomains = xslices.DeduplicateFunc( + apiDomains, + func(v *apimodel.Domain) string { + return v.Domain + }, + ) - if *domainBlock.Obfuscate { - // Obfuscate the de-punified version. - d = obfuscate(d) - } - - domains = append(domains, &apimodel.Domain{ - Domain: d, - SuspendedAt: util.FormatISO8601(domainBlock.CreatedAt), - Comment: &domainBlock.PublicComment, - }) - } + if flatten { + // Return just the domains. + return xslices.Gather( + []string{}, + apiDomains, + func(v *apimodel.Domain) string { + return v.Domain + }, + ), nil } - sort.Slice(domains, func(i, j int) bool { - return domains[i].Domain < domains[j].Domain - }) - - if flat { - flattened := []string{} - for _, d := range domains { - flattened = append(flattened, d.Domain) - } - return flattened, nil - } - - return domains, nil + return apiDomains, nil } func (p *Processor) InstanceGetRules(ctx context.Context) ([]apimodel.InstanceRule, gtserror.WithCode) { diff --git a/internal/web/about.go b/internal/web/about.go index e899bcb84..23af503ac 100644 --- a/internal/web/about.go +++ b/internal/web/about.go @@ -57,7 +57,8 @@ func (m *Module) aboutGETHandler(c *gin.Context) { Stylesheets: []string{cssAbout}, Extra: map[string]any{ "showStrap": true, - "blocklistExposed": config.GetInstanceExposeSuspendedWeb(), + "blocklistExposed": config.GetInstanceExposeBlocklistWeb(), + "allowlistExposed": config.GetInstanceExposeAllowlistWeb(), "languages": config.GetInstanceLanguages().DisplayStrs(), }, } diff --git a/internal/web/domain-blocklist.go b/internal/web/domain-blocklist.go deleted file mode 100644 index 34e23d899..000000000 --- a/internal/web/domain-blocklist.go +++ /dev/null @@ -1,75 +0,0 @@ -// GoToSocial -// Copyright (C) GoToSocial Authors admin@gotosocial.org -// SPDX-License-Identifier: AGPL-3.0-or-later -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -package web - -import ( - "context" - "fmt" - - apimodel "code.superseriousbusiness.org/gotosocial/internal/api/model" - apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util" - "code.superseriousbusiness.org/gotosocial/internal/config" - "code.superseriousbusiness.org/gotosocial/internal/gtserror" - "github.com/gin-gonic/gin" -) - -const ( - domainBlockListPath = aboutPath + "/suspended" -) - -func (m *Module) domainBlockListGETHandler(c *gin.Context) { - instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context()) - if errWithCode != nil { - apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1) - return - } - - // Return instance we already got from the db, - // don't try to fetch it again when erroring. - instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) { - return instance, nil - } - - // We only serve text/html at this endpoint. - if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil { - apiutil.WebErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), instanceGet) - return - } - - if !config.GetInstanceExposeSuspendedWeb() { - err := fmt.Errorf("this instance does not publicy expose its blocklist") - apiutil.WebErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), instanceGet) - return - } - - domainBlocks, errWithCode := m.processor.InstancePeersGet(c.Request.Context(), true, false, false) - if errWithCode != nil { - apiutil.WebErrorHandler(c, errWithCode, instanceGet) - return - } - - page := apiutil.WebPage{ - Template: "domain-blocklist.tmpl", - Instance: instance, - OGMeta: apiutil.OGBase(instance), - Stylesheets: []string{cssFA}, - Extra: map[string]any{"blocklist": domainBlocks}, - } - - apiutil.TemplateWebPage(c, page) -} diff --git a/internal/web/domainperms.go b/internal/web/domainperms.go new file mode 100644 index 000000000..24608e1fd --- /dev/null +++ b/internal/web/domainperms.go @@ -0,0 +1,136 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package web + +import ( + "context" + "errors" + + apimodel "code.superseriousbusiness.org/gotosocial/internal/api/model" + apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util" + "code.superseriousbusiness.org/gotosocial/internal/config" + "code.superseriousbusiness.org/gotosocial/internal/gtserror" + "github.com/gin-gonic/gin" +) + +const ( + domainBlocklistPath = aboutPath + "/domain_blocks" + domainAllowlistPath = aboutPath + "/domain_allows" +) + +func (m *Module) domainBlocklistGETHandler(c *gin.Context) { + instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context()) + if errWithCode != nil { + apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + // Return instance we already got from the db, + // don't try to fetch it again when erroring. + instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) { + return instance, nil + } + + // We only serve text/html at this endpoint. + if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil { + errWithCode := gtserror.NewErrorNotAcceptable(err, err.Error()) + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + if !config.GetInstanceExposeBlocklistWeb() { + const errText = "this instance does not expose its blocklist via the web" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + domainBlocks, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + true, // Include blocked. + false, // Don't include allowed. + false, // Don't include open. + false, // Don't flatten list. + false, // Don't include severity. + ) + if errWithCode != nil { + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + page := apiutil.WebPage{ + Template: "domain-blocklist.tmpl", + Instance: instance, + OGMeta: apiutil.OGBase(instance), + Stylesheets: []string{cssFA}, + Extra: map[string]any{"blocklist": domainBlocks}, + } + + apiutil.TemplateWebPage(c, page) +} + +func (m *Module) domainAllowlistGETHandler(c *gin.Context) { + instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context()) + if errWithCode != nil { + apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + // Return instance we already got from the db, + // don't try to fetch it again when erroring. + instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) { + return instance, nil + } + + // We only serve text/html at this endpoint. + if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil { + errWithCode := gtserror.NewErrorNotAcceptable(err, err.Error()) + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + if !config.GetInstanceExposeAllowlistWeb() { + const errText = "this instance does not expose its allowlist via the web" + errWithCode := gtserror.NewErrorUnauthorized(errors.New(errText), errText) + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + domainAllows, errWithCode := m.processor.InstancePeersGet( + c.Request.Context(), + false, // Don't include blocked. + true, // Include allowed. + false, // Don't include open. + false, // Don't flatten list. + false, // Don't include severity. + ) + if errWithCode != nil { + apiutil.WebErrorHandler(c, errWithCode, instanceGet) + return + } + + page := apiutil.WebPage{ + Template: "domain-allowlist.tmpl", + Instance: instance, + OGMeta: apiutil.OGBase(instance), + Stylesheets: []string{cssFA}, + Extra: map[string]any{"allowlist": domainAllows}, + } + + apiutil.TemplateWebPage(c, page) +} diff --git a/internal/web/web.go b/internal/web/web.go index 4494f8ff9..c7b7c9f25 100644 --- a/internal/web/web.go +++ b/internal/web/web.go @@ -127,7 +127,8 @@ func (m *Module) Route(r *router.Router, mi ...gin.HandlerFunc) { everythingElseGroup.Handle(http.MethodPost, confirmEmailPath, m.confirmEmailPOSTHandler) everythingElseGroup.Handle(http.MethodGet, aboutPath, m.aboutGETHandler) everythingElseGroup.Handle(http.MethodGet, loginPath, m.loginGETHandler) - everythingElseGroup.Handle(http.MethodGet, domainBlockListPath, m.domainBlockListGETHandler) + everythingElseGroup.Handle(http.MethodGet, domainBlocklistPath, m.domainBlocklistGETHandler) + everythingElseGroup.Handle(http.MethodGet, domainAllowlistPath, m.domainAllowlistGETHandler) everythingElseGroup.Handle(http.MethodGet, tagsPath, m.tagGETHandler) everythingElseGroup.Handle(http.MethodGet, signupPath, m.signupGETHandler) everythingElseGroup.Handle(http.MethodPost, signupPath, m.signupPOSTHandler) diff --git a/test/envparsing.sh b/test/envparsing.sh index 21abe5f51..f6a6dcc9a 100755 --- a/test/envparsing.sh +++ b/test/envparsing.sh @@ -108,10 +108,12 @@ EXPECT=$(cat << "EOF" "http-client-tls-insecure-skip-verify": false, "instance-allow-backdating-statuses": true, "instance-deliver-to-shared-inboxes": false, + "instance-expose-allowlist": true, + "instance-expose-allowlist-web": true, + "instance-expose-blocklist": true, + "instance-expose-blocklist-web": true, "instance-expose-peers": true, "instance-expose-public-timeline": true, - "instance-expose-suspended": true, - "instance-expose-suspended-web": true, "instance-federation-mode": "allowlist", "instance-federation-spam-filter": true, "instance-inject-mastodon-version": true, @@ -237,8 +239,10 @@ GTS_DB_TLS_CA_CERT='' \ GTS_WEB_TEMPLATE_BASE_DIR='/root' \ GTS_WEB_ASSET_BASE_DIR='/root' \ GTS_INSTANCE_EXPOSE_PEERS=true \ -GTS_INSTANCE_EXPOSE_SUSPENDED=true \ -GTS_INSTANCE_EXPOSE_SUSPENDED_WEB=true \ +GTS_INSTANCE_EXPOSE_BLOCKLIST=true \ +GTS_INSTANCE_EXPOSE_BLOCKLIST_WEB=true \ +GTS_INSTANCE_EXPOSE_ALLOWLIST=true \ +GTS_INSTANCE_EXPOSE_ALLOWLIST_WEB=true \ GTS_INSTANCE_EXPOSE_PUBLIC_TIMELINE=true \ GTS_INSTANCE_FEDERATION_MODE='allowlist' \ GTS_INSTANCE_FEDERATION_SPAM_FILTER=true \ diff --git a/testrig/config.go b/testrig/config.go index 3f8f22430..558e5a54c 100644 --- a/testrig/config.go +++ b/testrig/config.go @@ -88,8 +88,10 @@ func testDefaults() config.Configuration { InstanceFederationMode: config.InstanceFederationModeDefault, InstanceFederationSpamFilter: true, InstanceExposePeers: true, - InstanceExposeSuspended: true, - InstanceExposeSuspendedWeb: true, + InstanceExposeBlocklist: true, + InstanceExposeBlocklistWeb: true, + InstanceExposeAllowlist: true, + InstanceExposeAllowlistWeb: true, InstanceDeliverToSharedInboxes: true, InstanceLanguages: language.Languages{ { diff --git a/web/source/css/base.css b/web/source/css/base.css index 615616725..c9ff21d74 100644 --- a/web/source/css/base.css +++ b/web/source/css/base.css @@ -599,7 +599,7 @@ section.oob-token { } } -.domain-blocklist { +.domain-perm-list { box-shadow: $boxshadow; .entry { @@ -632,7 +632,7 @@ section.oob-token { } @media screen and (max-width: 30rem) { - .domain-blocklist .entry { + .domain-perm-list .entry { grid-template-columns: 1fr; gap: 0; } diff --git a/web/template/about.tmpl b/web/template/about.tmpl index c263d73a7..37b12215a 100644 --- a/web/template/about.tmpl +++ b/web/template/about.tmpl @@ -99,7 +99,7 @@ Profiles can have up to
  • Register an Account on {{ .instance.Title -}}
  • Rules
  • Terms and Conditions
    • -
  • Moderated Servers
    • +
  • Domain permissions
    • @@ -172,25 +172,50 @@ Profiles can have up to {{- end }} -
    -

    Moderated servers

    +
    +

    Domain permissions

    ActivityPub instances federate with other instances by exchanging data with them over the network. Exchanged data includes things like accounts, statuses, likes, boosts, and media attachments. - This exchange of data can be prevented for instances on specific domains via a domain block created - by an instance admin. When an instance is domain blocked by another instance: +

    +

    + This exchange of data is open by default but can be blocked for instances + on specific domains via a domain block created by an instance admin. +

    +

    + Alternatively, if this instance is running in allowlist mode, exchange of data with remote + instances must be explicitly allowed via a domain allow entry. +

    +

    + For more information on domain blocks, domain allows, etc, see the following pages (all links open in a new tab):

      -
    • Any existing data from the blocked instance is deleted from the storage of the instance doing the blocking.
      • -
    • Interaction between the two instances is cut off in both directions; neither instance can interact with the other.
      • -
    • No new data from the blocked instance will be created on the instance that blocks it.
      • +
    • Federation modes
      • +
    • Domain blocks
      • +
    • Domain permission subscriptions
      • +
    +

    Blocked domains

    +

    When a domain block entry is created on this instance:

    +
      +
    • No new data from instances on the blocked domain will be created on this instance.
      • +
    • Interaction between this instance and blocked instances is cut off in both directions.
      • +
    • (In case of an exact match): Any existing data from blocked instances are deleted from the storage of this instance.

    {{- if .blocklistExposed }} - View the list of domains blocked by this instance + View the list of domains blocked by this instance {{- else }} - This instance does not publically share their list of blocked domains. + This instance does not publically share its list of blocked domains. + {{- end }} +

    +

    Allowed domains

    +

    When an admin adds an explicit domain allow entry, instances on the domain and its subdomains are allowed to federate with this instance.

    +

    + {{- if .allowlistExposed }} + View the list of domains explicitly allowed by this instance + {{- else }} + This instance does not publically share its list of explicitly allowed domains. {{- end }}

    diff --git a/web/template/domain-allowlist.tmpl b/web/template/domain-allowlist.tmpl new file mode 100644 index 000000000..b7db87bce --- /dev/null +++ b/web/template/domain-allowlist.tmpl @@ -0,0 +1,48 @@ +{{- /* +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . +*/ -}} + +{{- with . }} +
    +
    +

    Instance Allowlist

    +

    + The following list of domains has been explicitly allowed by the administrator(s) of this instance. +

    +

    + This extends to subdomains, so an allowlist entry for domain 'example.com' includes domain 'social.example.com' etc as well. +

    +
    +
    +
    Domain
    +
    Public comment
    +
    + {{- range .allowlist }} +
    +
    + {{- .Domain -}} +
    +
    +

    {{- .Comment -}}

    +
    +
    + {{- end }} +
    +
    +
    +{{- end }} \ No newline at end of file diff --git a/web/template/domain-blocklist.tmpl b/web/template/domain-blocklist.tmpl index 9a21796f9..e3ebfca1b 100644 --- a/web/template/domain-blocklist.tmpl +++ b/web/template/domain-blocklist.tmpl @@ -20,18 +20,17 @@ {{- with . }}
    -

    Suspended Instances

    +

    Instance Blocklist

    - The following list of domains have been suspended - by the administrator(s) of this server. + The following list of domains has been blocked by the administrator(s) of this instance.

    - All current and future accounts on these instances are - blocked, and no more data is federated to the remote servers. - This extends to subdomains, so an entry for 'example.com' - includes 'social.example.com' as well. + All past, present, and future accounts at blocked domains are forbidden from interacting + with this instance or accounts on this instance. No data will be sent to the server at the + remote domain, and no data will be received from it. This extends to subdomains, so a + blocklist entry for domain 'example.com' includes domain 'social.example.com' etc as well.

    -
    +
    Domain
    Public comment
    @@ -42,7 +41,7 @@ {{- .Domain -}}
    -

    {{- .PublicComment -}}

    +

    {{- .Comment -}}

    {{- end }}