Merge develop 2024-10-18 (#264)

.gitlab-ci.yml

@@ -1,8 +1,8 @@
-image: git.pleroma.social:5050/pleroma/pleroma/ci-base:elixir-1.13.4-otp-25
+image: git.pleroma.social:5050/pleroma/pleroma/ci-base:elixir-1.14.5-otp-25
 
 variables: &global_variables
   # Only used for the release
-  ELIXIR_VER: 1.13.4
+  ELIXIR_VER: 1.14.5
   POSTGRES_DB: pleroma_test
   POSTGRES_USER: postgres
   POSTGRES_PASSWORD: postgres
@@ -71,7 +71,7 @@ check-changelog:
   tags:
     - amd64
 
-build-1.13.4-otp-25:
+build-1.14.5-otp-25:
   extends:
   - .build_changes_policy
   - .using-ci-base
@@ -119,7 +119,7 @@ benchmark:
     - mix ecto.migrate
     - mix pleroma.load_testing
 
-unit-testing-1.13.4-otp-25:
+unit-testing-1.14.5-otp-25:
   extends:
   - .build_changes_policy
   - .using-ci-base
@@ -134,7 +134,7 @@ unit-testing-1.13.4-otp-25:
   script: &testing_script
     - mix ecto.create
     - mix ecto.migrate
-    - mix test --cover --preload-modules
+    - mix pleroma.test_runner --cover --preload-modules
   coverage: '/^Line total: ([^ ]*%)$/'
   artifacts:
     reports:

Dockerfile

@@ -1,7 +1,8 @@
+# https://hub.docker.com/r/hexpm/elixir/tags
 ARG ELIXIR_IMG=hexpm/elixir
-ARG ELIXIR_VER=1.13.4
-ARG ERLANG_VER=24.3.4.15
-ARG ALPINE_VER=3.17.5
+ARG ELIXIR_VER=1.14.5
+ARG ERLANG_VER=25.3.2.14
+ARG ALPINE_VER=3.17.9
 
 FROM ${ELIXIR_IMG}:${ELIXIR_VER}-erlang-${ERLANG_VER}-alpine-${ALPINE_VER} as build
 

changelog.d/argon2-passwords.add

@@ -0,0 +1 @@
+Added support for argon2 passwords and their conversion for migration from Akkoma fork to upstream.

changelog.d/elixir.change

@@ -0,0 +1 @@
+Elixir 1.14 and Erlang/OTP 23 is now the minimum supported release

changelog.d/following-state.fix

@@ -0,0 +1 @@
+Resolved edge case where the API can report you are following a user but the relationship is not fully established.

changelog.d/hashtag-feeds-restricted.add

@@ -0,0 +1 @@
+Repesct :restrict_unauthenticated for hashtag rss/atom feeds

changelog.d/incoming-blocks.fix

@@ -0,0 +1 @@
+Fix incoming Block activities being rejected

changelog.d/ldap-ca.add

@@ -0,0 +1 @@
+LDAP configuration now permits overriding the CA root certificate file for TLS validation.

changelog.d/ldap-password-change.add

@@ -0,0 +1 @@
+LDAP now supports users changing their passwords

changelog.d/ldap-refactor.change

@@ -0,0 +1 @@
+LDAP authentication has been refactored to operate as a GenServer process which will maintain an active connection to the LDAP server.

changelog.d/ldap-tls.fix

@@ -0,0 +1 @@
+STARTTLS certificate and hostname verification for LDAP authentication

changelog.d/ldaps.fix

@@ -0,0 +1 @@
+LDAPS connections (implicit TLS) are now supported.

changelog.d/list-id-visibility.add

@@ -0,0 +1 @@
+Include list id in StatusView

changelog.d/mrf-id_filter.add

@@ -0,0 +1 @@
+Add `id_filter` to MRF to filter URLs and their domain prior to fetching

changelog.d/notifications-group-key.add

@@ -0,0 +1 @@
+Add `group_key` to notifications

changelog.d/oauth-app-spam.fix

@@ -0,0 +1 @@
+Add a rate limiter to the OAuth App creation endpoint and ensure registered apps are assigned to users.

changelog.d/oban-uniques.change

@@ -0,0 +1 @@
+Adjust more Oban workers to enforce unique job constraints.

changelog.d/oban-update.change

@@ -0,0 +1 @@
+Oban updated to 2.18.3

changelog.d/poll-refresh.change

@@ -0,0 +1 @@
+Poll results refreshing is handled asynchronously and will not attempt to keep fetching updates to a closed poll.

changelog.d/profile-image-descriptions.add

@@ -0,0 +1 @@
+Allow providing avatar/header descriptions

changelog.d/remote-report-policy.add

@@ -0,0 +1 @@
+Added RemoteReportPolicy from Rebased for handling bogus federated reports

changelog.d/swoosh-mua.add

@@ -0,0 +1 @@
+Added dependencies for Swoosh's Mua mail adapter

changelog.d/well-known.change

@@ -0,0 +1 @@
+Accept application/activity+json for requests to .well-known/nodeinfo

ci/elixir-1.12/Dockerfile → ci/elixir-1.14.5-otp-25/Dockerfile

@@ -1,4 +1,4 @@
-FROM elixir:1.12.3
+FROM elixir:1.14.5-otp-25
 
 # Single RUN statement, otherwise intermediate images are created
 # https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run

ci/elixir-1.13.4-otp-25/build_and_push.sh → ci/elixir-1.14.5-otp-25/build_and_push.sh

@@ -1 +1 @@
-docker buildx build --platform linux/amd64,linux/arm64 -t git.pleroma.social:5050/pleroma/pleroma/ci-base:elixir-1.13.4-otp-25 --push .
+docker buildx build --platform linux/amd64,linux/arm64 -t git.pleroma.social:5050/pleroma/pleroma/ci-base:elixir-1.14.5-otp-25 --push .

config/config.exs

@@ -344,7 +344,7 @@ config :pleroma, :manifest,
   icons: [
     %{
       src: "/static/logo.svg",
-      sizes: "144x144",
+      sizes: "512x512",
       purpose: "any",
       type: "image/svg+xml"
     }
@@ -434,6 +434,11 @@ config :pleroma, :mrf_follow_bot, follower_nickname: nil
 
 config :pleroma, :mrf_inline_quote, template: "<bdi>RT:</bdi> {url}"
 
+config :pleroma, :mrf_remote_report,
+  reject_all: false,
+  reject_anonymous: true,
+  reject_empty_message: true
+
 config :pleroma, :mrf_force_mention,
   mention_parent: true,
   mention_quoted: true
@@ -597,7 +602,8 @@ config :pleroma, Oban,
   plugins: [{Oban.Plugins.Pruner, max_age: 900}],
   crontab: [
     {"0 0 * * 0", Pleroma.Workers.Cron.DigestEmailsWorker},
-    {"0 0 * * *", Pleroma.Workers.Cron.NewUsersDigestWorker}
+    {"0 0 * * *", Pleroma.Workers.Cron.NewUsersDigestWorker},
+    {"*/10 * * * *", Pleroma.Workers.Cron.AppCleanupWorker}
   ]
 
 config :pleroma, Pleroma.Formatter,
@@ -611,14 +617,17 @@ config :pleroma, Pleroma.Formatter,
 
 config :pleroma, :ldap,
   enabled: System.get_env("LDAP_ENABLED") == "true",
-  host: System.get_env("LDAP_HOST") || "localhost",
-  port: String.to_integer(System.get_env("LDAP_PORT") || "389"),
+  host: System.get_env("LDAP_HOST", "localhost"),
+  port: String.to_integer(System.get_env("LDAP_PORT", "389")),
   ssl: System.get_env("LDAP_SSL") == "true",
   sslopts: [],
   tls: System.get_env("LDAP_TLS") == "true",
   tlsopts: [],
-  base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
-  uid: System.get_env("LDAP_UID") || "cn"
+  base: System.get_env("LDAP_BASE", "dc=example,dc=com"),
+  uid: System.get_env("LDAP_UID", "cn"),
+  # defaults to CAStore's Mozilla roots
+  cacertfile: System.get_env("LDAP_CACERTFILE", nil),
+  mail: System.get_env("LDAP_MAIL", "mail")
 
 oauth_consumer_strategies =
   System.get_env("OAUTH_CONSUMER_STRATEGIES")
@@ -711,6 +720,7 @@ config :pleroma, :rate_limit,
   timeline: {500, 3},
   search: [{1000, 10}, {1000, 30}],
   app_account_creation: {1_800_000, 25},
+  oauth_app_creation: {900_000, 5},
   relations_actions: {10_000, 10},
   relation_id_action: {60_000, 2},
   statuses_actions: {10_000, 15},

config/description.exs

@@ -2241,14 +2241,8 @@ config :pleroma, :config_description, [
         label: "SSL options",
         type: :keyword,
         description: "Additional SSL options",
-        suggestions: [cacertfile: "path/to/file/with/PEM/cacerts", verify: :verify_peer],
+        suggestions: [verify: :verify_peer],
         children: [
-          %{
-            key: :cacertfile,
-            type: :string,
-            description: "Path to file with PEM encoded cacerts",
-            suggestions: ["path/to/file/with/PEM/cacerts"]
-          },
           %{
             key: :verify,
             type: :atom,
@@ -2268,14 +2262,8 @@ config :pleroma, :config_description, [
         label: "TLS options",
         type: :keyword,
         description: "Additional TLS options",
-        suggestions: [cacertfile: "path/to/file/with/PEM/cacerts", verify: :verify_peer],
+        suggestions: [verify: :verify_peer],
         children: [
-          %{
-            key: :cacertfile,
-            type: :string,
-            description: "Path to file with PEM encoded cacerts",
-            suggestions: ["path/to/file/with/PEM/cacerts"]
-          },
           %{
             key: :verify,
             type: :atom,
@@ -2292,11 +2280,25 @@ config :pleroma, :config_description, [
       },
       %{
         key: :uid,
-        label: "UID",
+        label: "UID Attribute",
         type: :string,
         description:
           "LDAP attribute name to authenticate the user, e.g. when \"cn\", the filter will be \"cn=username,base\"",
         suggestions: ["cn"]
+      },
+      %{
+        key: :cacertfile,
+        label: "CACertfile",
+        type: :string,
+        description: "Path to CA certificate file"
+      },
+      %{
+        key: :mail,
+        label: "Mail Attribute",
+        type: :string,
+        description:
+          "LDAP attribute name to use as the email address when automatically registering the user on first login",
+        suggestions: ["mail"]
       }
     ]
   },

docs/configuration/cheatsheet.md

@@ -742,6 +742,21 @@ config :pleroma, Pleroma.Emails.Mailer,
   auth: :always
 ```
 
+An example for Mua adapter:
+
+```elixir
+config :pleroma, Pleroma.Emails.Mailer,
+  enabled: true,
+  adapter: Swoosh.Adapters.Mua,
+  relay: "mail.example.com",
+  port: 465,
+  auth: [
+    username: "[email protected]",
+    password: "YOUR_SMTP_PASSWORD"
+  ],
+  protocol: :ssl
+```
+
 ### :email_notifications
 
 Email notifications settings.
@@ -968,12 +983,13 @@ Pleroma account will be created with the same name as the LDAP user name.
 * `enabled`: enables LDAP authentication
 * `host`: LDAP server hostname
 * `port`: LDAP port, e.g. 389 or 636
-* `ssl`: true to use SSL, usually implies the port 636
+* `ssl`: true to use implicit SSL/TLS, usually port 636
 * `sslopts`: additional SSL options
-* `tls`: true to start TLS, usually implies the port 389
+* `tls`: true to use explicit TLS (STARTTLS), usually port 389
 * `tlsopts`: additional TLS options
 * `base`: LDAP base, e.g. "dc=example,dc=com"
 * `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
+* `cacertfile`: Path to alternate CA root certificates file
 
 Note, if your LDAP server is an Active Directory server the correct value is commonly `uid: "cn"`, but if you use an
 OpenLDAP server the value may be `uid: "uid"`.

docs/development/API/differences_in_mastoapi_responses.md

@@ -42,6 +42,7 @@ Has these additional fields under the `pleroma` object:
 - `quotes_count`: the count of status quotes.
 - `non_anonymous`: true if the source post specifies the poll results are not anonymous. Currently only implemented by Smithereen.
 - `bookmark_folder`: the ID of the folder bookmark is stored within (if any).
+- `list_id`: the ID of the list the post is addressed to (if any, only returned to author).
 
 The `GET /api/v1/statuses/:id/source` endpoint additionally has the following attributes:
 
@@ -103,7 +104,7 @@ Has these additional fields under the `pleroma` object:
 - `background_image`: nullable URL string, background image of the user
 - `tags`: Lists an array of tags for the user
 - `relationship` (object): Includes fields as documented for Mastodon API https://docs.joinmastodon.org/entities/relationship/
-- `is_moderator`: boolean, nullable,  true if user is a moderator
+- `is_moderator`: boolean, nullable, true if user is a moderator
 - `is_admin`: boolean, nullable, true if user is an admin
 - `confirmation_pending`: boolean, true if a new user account is waiting on email confirmation to be activated
 - `hide_favorites`: boolean, true when the user has hiding favorites enabled
@@ -120,6 +121,8 @@ Has these additional fields under the `pleroma` object:
 - `notification_settings`: object, can be absent. See `/api/v1/pleroma/notification_settings` for the parameters/keys returned.
 - `accepts_chat_messages`: boolean, but can be null if we don't have that information about a user
 - `favicon`: nullable URL string, Favicon image of the user's instance
+- `avatar_description`: string, image description for user avatar, defaults to empty string
+- `header_description`: string, image description for user banner, defaults to empty string
 
 ### Source
 
@@ -255,6 +258,8 @@ Additional parameters can be added to the JSON body/Form data:
 - `actor_type` - the type of this account.
 - `accepts_chat_messages` - if false, this account will reject all chat messages.
 - `language` - user's preferred language for receiving emails (digest, confirmation, etc.)
+- `avatar_description` - image description for user avatar
+- `header_description` - image description for user banner
 
 All images (avatar, banner and background) can be reset to the default by sending an empty string ("") instead of a file.
 

docs/installation/debian_based_jp.md

@@ -14,7 +14,7 @@ Note: This article is potentially outdated because at this time we may not have
 
 - PostgreSQL 11.0以上 (Ubuntu16.04では9.5しか提供されていないので，[](https://www.postgresql.org/download/linux/ubuntu/)こちらから新しいバージョンを入手してください)
 - `postgresql-contrib` 11.0以上 (同上)
-- Elixir 1.13 以上 ([Debianのリポジトリからインストールしないこと！！！ ここからインストールすること！](https://elixir-lang.org/install.html#unix-and-unix-like)。または [asdf](https://github.com/asdf-vm/asdf) をpleromaユーザーでインストールしてください)
+- Elixir 1.14 以上 ([Debianのリポジトリからインストールしないこと！！！ ここからインストールすること！](https://elixir-lang.org/install.html#unix-and-unix-like)。または [asdf](https://github.com/asdf-vm/asdf) をpleromaユーザーでインストールしてください)
 - `erlang-dev`
 - `erlang-nox`
 - `git`

docs/installation/generic_dependencies.include

@@ -1,8 +1,8 @@
 ## Required dependencies
 
 * PostgreSQL >=11.0
-* Elixir >=1.13.0 <1.17
-* Erlang OTP >=22.2.0 (supported: <27)
+* Elixir >=1.14.0 <1.17
+* Erlang OTP >=23.0.0 (supported: <27)
 * git
 * file / libmagic
 * gcc or clang

installation/openldap/pw_self_service.ldif

@@ -0,0 +1,7 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by anonymous auth
+  by * none

lib/mix/tasks/pleroma/test_runner.ex

@@ -0,0 +1,25 @@
+defmodule Mix.Tasks.Pleroma.TestRunner do
+  @shortdoc "Retries tests once if they fail"
+
+  use Mix.Task
+
+  def run(args \\ []) do
+    case System.cmd("mix", ["test"] ++ args, into: IO.stream(:stdio, :line)) do
+      {_, 0} ->
+        :ok
+
+      _ ->
+        retry(args)
+    end
+  end
+
+  def retry(args) do
+    case System.cmd("mix", ["test", "--failed"] ++ args, into: IO.stream(:stdio, :line)) do
+      {_, 0} ->
+        :ok
+
+      _ ->
+        exit(1)
+    end
+  end
+end

lib/pleroma/application.ex

@@ -94,6 +94,7 @@ defmodule Pleroma.Application do
     children =
       [
         Pleroma.PromEx,
+        Pleroma.LDAP,
         Pleroma.Repo,
         Config.TransferTask,
         Pleroma.Emoji,

lib/pleroma/config/transfer_task.ex

@@ -22,7 +22,8 @@ defmodule Pleroma.Config.TransferTask do
       {:pleroma, :markup},
       {:pleroma, :streamer},
       {:pleroma, :pools},
-      {:pleroma, :connections_pool}
+      {:pleroma, :connections_pool},
+      {:pleroma, :ldap}
     ]
 
   defp reboot_time_subkeys,