Do not forward messages to Firebase if topic is not world-readable

This commit is contained in:
Philipp Heckel 2022-01-31 19:33:22 -05:00
parent 936e95fd9e
commit 198e2cfd90
5 changed files with 53 additions and 37 deletions

View file

@ -64,8 +64,8 @@ type User struct {
// Grant is a struct that represents an access control entry to a topic // Grant is a struct that represents an access control entry to a topic
type Grant struct { type Grant struct {
TopicPattern string // May include wildcard (*) TopicPattern string // May include wildcard (*)
Read bool AllowRead bool
Write bool AllowWrite bool
} }
// Permission represents a read or write permission to a topic // Permission represents a read or write permission to a topic

View file

@ -281,8 +281,8 @@ func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
} }
grants = append(grants, Grant{ grants = append(grants, Grant{
TopicPattern: fromSQLWildcard(topic), TopicPattern: fromSQLWildcard(topic),
Read: read, AllowRead: read,
Write: write, AllowWrite: write,
}) })
} }
return grants, nil return grants, nil

View file

@ -144,11 +144,11 @@ func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
} else if len(user.Grants) > 0 { } else if len(user.Grants) > 0 {
for _, grant := range user.Grants { for _, grant := range user.Grants {
if grant.Read && grant.Write { if grant.AllowRead && grant.AllowWrite {
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
} else if grant.Read { } else if grant.AllowRead {
fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
} else if grant.Write { } else if grant.AllowWrite {
fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
} else { } else {
fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)

View file

@ -117,14 +117,6 @@ const (
// New instantiates a new Server. It creates the cache and adds a Firebase // New instantiates a new Server. It creates the cache and adds a Firebase
// subscriber (if configured). // subscriber (if configured).
func New(conf *Config) (*Server, error) { func New(conf *Config) (*Server, error) {
var firebaseSubscriber subscriber
if conf.FirebaseKeyFile != "" {
var err error
firebaseSubscriber, err = createFirebaseSubscriber(conf)
if err != nil {
return nil, err
}
}
var mailer mailer var mailer mailer
if conf.SMTPSenderAddr != "" { if conf.SMTPSenderAddr != "" {
mailer = &smtpSender{config: conf} mailer = &smtpSender{config: conf}
@ -151,6 +143,14 @@ func New(conf *Config) (*Server, error) {
return nil, err return nil, err
} }
} }
var firebaseSubscriber subscriber
if conf.FirebaseKeyFile != "" {
var err error
firebaseSubscriber, err = createFirebaseSubscriber(conf, auther)
if err != nil {
return nil, err
}
}
return &Server{ return &Server{
config: conf, config: conf,
cache: cache, cache: cache,
@ -172,7 +172,7 @@ func createCache(conf *Config) (cache, error) {
return newMemCache(), nil return newMemCache(), nil
} }
func createFirebaseSubscriber(conf *Config) (subscriber, error) { func createFirebaseSubscriber(conf *Config, auther auth.Auther) (subscriber, error) {
fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile)) fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile))
if err != nil { if err != nil {
return nil, err return nil, err
@ -182,7 +182,7 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
return nil, err return nil, err
} }
return func(m *message) error { return func(m *message) error {
var data map[string]string // Matches https://ntfy.sh/docs/subscribe/api/#json-message-format var data map[string]string // Mostly matches https://ntfy.sh/docs/subscribe/api/#json-message-format
switch m.Event { switch m.Event {
case keepaliveEvent, openEvent: case keepaliveEvent, openEvent:
data = map[string]string{ data = map[string]string{
@ -192,6 +192,11 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
"topic": m.Topic, "topic": m.Topic,
} }
case messageEvent: case messageEvent:
allowForward := true
if auther != nil {
allowForward = auther.Authorize(nil, m.Topic, auth.PermissionRead) == nil
}
if allowForward {
data = map[string]string{ data = map[string]string{
"id": m.ID, "id": m.ID,
"time": fmt.Sprintf("%d", m.Time), "time": fmt.Sprintf("%d", m.Time),
@ -211,6 +216,16 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires) data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
data["attachment_url"] = m.Attachment.URL data["attachment_url"] = m.Attachment.URL
} }
} else {
// If anonymous read for a topic is not allowed, we cannot send the message along
// via Firebase. Instead, we send a "poll_request" message, asking the client to poll.
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": pollRequestEvent,
"topic": m.Topic,
}
}
} }
var androidConfig *messaging.AndroidConfig var androidConfig *messaging.AndroidConfig
if m.Priority >= 4 { if m.Priority >= 4 {

View file

@ -11,6 +11,7 @@ const (
openEvent = "open" openEvent = "open"
keepaliveEvent = "keepalive" keepaliveEvent = "keepalive"
messageEvent = "message" messageEvent = "message"
pollRequestEvent = "poll_request"
) )
const ( const (