Allow admins to switch between blacklisting and whitelisting domains

This includes the migrations and necessary configuration setting to enable it.

This does not include any admin UI for making these changes.

add silence to domain_whitelist for about/more

Fix WhitelistDomainService

Update Domain Whitelisting to static methods

fix missing uses of AllowDomainService

temp whitelist fixing

Fix default domain allow severity always being :enable

update for ActivityPub

some whitelisting fixing

Fix silencing new users for whitelisted domains with :silence

Fix silence detection

For whatever reason, :silence is returning as "silence" so now we check for
both.

app/controllers/admin/domain_whitelist_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class Admin::DomainWhitelistController < ApplicationController
+  before_action :require_admin!
+
+  layout 'admin'
+
+  def index
+    @unblocks = DomainWhitelist.paginate(page: params[:page], per_page: 40)
+  end
+
+  def create
+  end
+end

app/helpers/admin/domain_whitelist_helper.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+module Admin::DomainWhitelistHelper
+end

app/lib/activitypub/activity/create.rb

@@ -6,6 +6,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 
   def perform
     return if delete_arrived_first?(object_uri) || unsupported_object_type? || invalid_origin?(@object['id'])
+    return if AllowDomainService.blocked?(@account.domain)
 
     RedisLock.acquire(lock_options) do |lock|
       if lock.acquired?
@@ -249,7 +250,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 
   def skip_download?
     return @skip_download if defined?(@skip_download)
-    @skip_download ||= DomainBlock.find_by(domain: @account.domain)&.reject_media?
+    @skip_download ||= AllowDomainService.reject_media?(@account.domain)
   end
 
   def invalid_origin?(url)

app/lib/ostatus/activity/creation.rb

@@ -148,7 +148,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
   end
 
   def save_media
-    do_not_download = DomainBlock.find_by(domain: @account.domain)&.reject_media?
+    do_not_download = AllowDomainService.reject_media?(@account.domain)
     media_attachments = []
 
     @xml.xpath('./xmlns:link[@rel="enclosure"]', xmlns: OStatus::TagManager::XMLNS).each do |link|
@@ -176,7 +176,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
   end
 
   def save_emojis(parent)
-    do_not_download = DomainBlock.find_by(domain: parent.account.domain)&.reject_media?
+    do_not_download = AllowDomainService.reject_media?(parent.account.domain)
 
     return if do_not_download
 

app/models/domain_whitelist.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class DomainWhitelist < ApplicationRecord
+  enum severity: [:silence, :enable]
+
+  def self.enabled?
+    return Setting.where(var: 'whitelist_enabled').first_or_initialize(var: 'whitelist_enabled', value: false)
+  end
+
+  validates :domain, presence: true, uniqueness: true
+
+  def self.blocked?(domain)
+    !where(domain: domain).exists?
+  end
+
+  def self.silenced?(domain)
+    whitelist = where(domain: domain)
+    whitelist.exists? && whitelist[0].severity == :silence
+  end
+
+  before_validation :normalize_domain
+
+  private
+
+  def normalize_domain
+    self.domain = TagManager.instance.normalize_domain(domain)
+  end
+end

app/services/activitypub/process_account_service.rb

@@ -180,20 +180,15 @@ class ActivityPub::ProcessAccountService < BaseService
   end
 
   def skip_download?
-    @account.suspended? || domain_block&.reject_media?
+    @account.suspended? || AllowDomainService.reject_media?(@domain)
   end
 
   def auto_suspend?
-    domain_block&.suspend?
+    AllowDomainService.blocked?(@domain)
   end
 
   def auto_silence?
-    domain_block&.silence?
-  end
-
-  def domain_block
-    return @domain_block if defined?(@domain_block)
-    @domain_block = DomainBlock.find_by(domain: @domain)
+    AllowDomainService.silenced?(@domain)
   end
 
   def key_changed?

app/services/allow_domain_service.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class AllowDomainService < BaseService
+  def self.default_allow
+    return :suspend if DomainWhitelist.enabled?
+    :enable
+  end
+
+  def self.record_type
+    if DomainWhitelist.enabled?
+      DomainWhitelist
+    else
+      DomainBlock
+    end
+  end
+
+  def self.call(domain)
+    return true if domain.nil?
+    domain = self.record_type.find_by(domain: domain)
+    return self.default_allow if domain.nil?
+    return domain.severity
+  end
+
+  def self.blocked?(domain)
+    return self.call(domain) == :suspend
+  end
+
+  def self.silenced?(domain)
+    sev = self.call(domain)
+    return sev == :silence || sev == "silence"
+  end
+
+  def self.reject_media?(domain)
+    domain = self.record_type.find_by(domain: domain)
+    !domain.nil? && domain.reject_media?
+  end
+
+end

app/services/pubsubhubbub/subscribe_service.rb

@@ -54,7 +54,7 @@ class Pubsubhubbub::SubscribeService < BaseService
   end
 
   def blocked_domain?
-    DomainBlock.blocked? Addressable::URI.parse(callback).host
+    AllowDomainService.blocked?(Addressable::URI.parse(callback).host)
   end
 
   def locate_subscription

app/services/resolve_account_service.rb

@@ -126,16 +126,11 @@ class ResolveAccountService < BaseService
   end
 
   def auto_suspend?
-    domain_block&.suspend?
+    AllowDomainService.blocked?(@domain)
   end
 
   def auto_silence?
-    domain_block&.silence?
-  end
-
-  def domain_block
-    return @domain_block if defined?(@domain_block)
-    @domain_block = DomainBlock.find_by(domain: @domain)
+    AllowDomainService.silenced?(@domain)
   end
 
   def atom_url

app/services/send_interaction_service.rb

@@ -30,7 +30,7 @@ class SendInteractionService < BaseService
   end
 
   def block_notification?
-    DomainBlock.blocked?(@target_account.domain)
+    AllowDomainService.blocked?(@target_account.domain)
   end
 
   def salmon

app/services/update_remote_profile_service.rb

@@ -25,8 +25,7 @@ class UpdateRemoteProfileService < BaseService
     account.display_name = remote_profile.display_name || ''
     account.note         = remote_profile.note         || ''
     account.locked       = remote_profile.locked?
-
-    if !account.suspended? && !DomainBlock.find_by(domain: account.domain)&.reject_media?
+    if !account.suspended? && !AllowDomainService.reject_media?(account.domain)
       if remote_profile.avatar.present?
         account.avatar_remote_url = remote_profile.avatar
       else

app/services/whitelist_domain_service.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class WhitelistDomainService < BaseService
+  def self.call(domain, severity)
+    d = DomainWhitelist.where(domain: domain).first_or_create!(domain: domain, severity: severity)
+    d.severity = severity
+    d.save!
+
+    if severity == :silence
+      Account.where(domain: domain).update_all(silenced: true)
+    elsif severity == :enable
+      Account.where(:domain => domain).update_all(suspended: false)
+    end
+  end
+end

app/workers/pubsubhubbub/delivery_worker.rb

@@ -37,7 +37,7 @@ class Pubsubhubbub::DeliveryWorker
   end
 
   def blocked_domain?
-    DomainBlock.blocked?(host)
+    AllowDomainService.blocked?(host)
   end
 
   def host

config/settings.yml

@@ -57,6 +57,8 @@ defaults: &defaults
   activity_api_enabled: true
   peers_api_enabled: true
   show_known_fediverse_at_about_page: true
+  whitelist_enabled: false
+
 development:
   <<: *defaults
 

db/migrate/20170227002025_add_whitelists.rb

@@ -0,0 +1,12 @@
+class AddWhitelists < ActiveRecord::Migration[5.0]
+  def change
+    create_table :domain_whitelists do |t|
+      t.string :domain, null: false, default: ''
+      t.integer :severity, default: 0
+      t.boolean :reject_media
+      t.timestamps
+    end
+
+    add_index :domain_whitelists, :domain, unique: true
+  end
+end