From 941d3bf2a9126f11d675a294e4d21763690ee123 Mon Sep 17 00:00:00 2001
From: Taeer Bar-Yam
Date: Thu, 25 Jul 2024 07:45:57 -0400
Subject: [PATCH] fix CSP check
---
mastodon.nix | 5 ++---
tests/mastodon-garage.nix | 12 +++++++++---
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/mastodon.nix b/mastodon.nix
index facda0e..95fde42 100644
--- a/mastodon.nix
+++ b/mastodon.nix
@@ -32,7 +32,7 @@ in
 };
 };
 services.mastodon = {
- extraConfig = {
+ extraConfig = rec {
 S3_ENABLED = "true";
 S3_ENDPOINT = "http://s3.garage.localhost:3900";
 S3_REGION = "garage";
@@ -44,8 +44,7 @@ in
 S3_PROTOCOL = "http";
 S3_HOSTNAME = "web.garage.localhost:3902";
 # by default it tries to use "/"
- # but we want "."
- S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
+ S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
 # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
 # TODO: can we set up ACLs with garage?
 S3_PERMISSION = "";
diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix
index f40d1ce..ce04e91 100644
--- a/tests/mastodon-garage.nix
+++ b/tests/mastodon-garage.nix
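Review bot: `S3_BUCKET` is not defined in the visible lines of either mastodon.nix hunk, so the new `S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";` in the second hunk evaluates only if that key is set inside this same `rec` set, presumably in the lines between the two hunks; that is worth confirming, because this value is presumably the host the CSP test expects under img-src. The comment left above it, `# by default it tries to use "/"`, lost its second half with the deleted line and no longer says why the alias is set; something like `# default is "<hostname>/<bucket>"; garage's web endpoint serves "<bucket>.<hostname>"` would restore it (the placeholders are my reading of the old comment, not text from the page). Making all of `extraConfig` a `rec` set (first hunk) also means any key in it now shadows a same-named outer binding for its siblings, so a `let` for the two shared values would be the narrower change.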
@@ -113,15 +113,21 @@ rebuildableTest {
 with subtest("Content security policy allows garage images"):
 headers = server.succeed("xh -h http://masstodon.localhost:55001/public/local")
- csp_match = re.match('^Content-Security-Policy: (.*)$', headers, re.M)
+ csp_match = None
+ # I can't figure out re.MULTILINE
+ for header in headers.split("\n"):
+ csp_match = re.match('^Content-Security-Policy: (.*)$', header)
+ if csp_match is not None:
+ break
 if csp_match is None:
 raise Exception("mastodon did not send a content security policy header")
 csp = csp_match.group(1)
- # the content security policy should include the garage server
- garage_csp = re.match(".*web\.garage\.localhost:3902.*", csp)
+ # the img-src content security policy should include the garage server
+ garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp)
 if garage_csp is None:
 raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.")
+ # this could in theory give a false positive if mastodon changes it's colorscheme to include pure green.
 with subtest("image displays"):
 server.succeed("selenium-script")
 server.copy_from_vm("/mastodon-screenshot.png", "")
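Review bot: The new img-src pattern in `garage_csp = re.match(...)` is still a substring test over the whole policy: it needs a literal `; ` in front of `img-src`, so it fails if img-src is the first directive, and it passes for any source that merely contains `web.garage.localhost:3902`. Splitting the policy is more exact, for example `img_src = [d.split()[1:] for d in csp.split(";") if d.split()[:1] == ["img-src"]]` followed by a check that one source token ends with the garage host; a raw string (`r"..."`) would also avoid the invalid `\.` escape in a normal Python literal. The loop added above it is needed only because `re.match` anchors at the start of the string even with `re.M`; `re.search('^Content-Security-Policy: (.*)$', headers, re.M | re.I)` finds the header in one call and also tolerates a lower-cased header name. The enclosing test script starts and ends outside the hunk.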