Fix #1999: broken federation with pods using allow-listing

api/funkwhale_api/federation/actors.py

@@ -13,6 +13,7 @@ logger = logging.getLogger(__name__)
 
 
 def get_actor_data(actor_url):
+    logger.debug("Fetching actor %s", actor_url)
     response = session.get_session().get(
         actor_url, headers={"Accept": "application/activity+json"},
     )

api/funkwhale_api/federation/authentication.py

@@ -46,15 +46,14 @@ class SignatureAuthentication(authentication.BaseAuthentication):
             domain = urllib.parse.urlparse(actor_url).hostname
             allowed = models.Domain.objects.filter(name=domain, allowed=True).exists()
             if not allowed:
+                logger.debug("Actor domain %s is not on allow-list", domain)
                 raise exceptions.BlockedActorOrDomain()
 
         try:
             actor = actors.get_actor(actor_url)
         except Exception as e:
             logger.info(
-                "Discarding HTTP request from blocked actor/domain %s, %s",
-                actor_url,
-                str(e),
+                "Discarding HTTP request from actor/domain %s, %s", actor_url, str(e),
             )
             raise rest_exceptions.AuthenticationFailed(
                 "Cannot fetch remote actor to authenticate signature"

api/funkwhale_api/federation/views.py

@@ -111,6 +111,13 @@ class ActorViewSet(FederationMixin, mixins.RetrieveModelMixin, viewsets.GenericV
         queryset = super().get_queryset()
         return queryset.exclude(channel__attributed_to=actors.get_service_actor())
 
+    def get_permissions(self):
+        # cf #1999 it must be possible to fetch actors without being authenticated
+        # otherwise we end up in a loop
+        if self.action == "retrieve":
+            return []
+        return super().get_permissions()
+
     def retrieve(self, request, *args, **kwargs):
         instance = self.get_object()
         if utils.should_redirect_ap_to_html(request.headers.get("accept")):