…on#14800)

* Do not serve account actors at all in limited federation mode

When an account is fetched without a signature from an allowed instance,
return an error.

This isn't really an improvement in security, as the only information that was
previously returned was required protocol-level info, and the only personal bit
was the existence of the account. The existence of the account can still be
checked by issuing a webfinger query, as those are accepted without signatures.

However, this change makes it so that unallowed instances won't create account
records on their end when they find a reference to an unknown account.

The previous behavior of rendering a limited list of fields, instead of not
rendering the actor at all, was in order to prevent situations in which two
instances in Authorized Fetch mode or Limited Federation mode would fail to
reach each other because resolving an account would require a signed query…
from an account which can only be fetched with a signed query itself. However,
this should now be fine as fetching accounts is done by signing on behalf of
the special instance actor, which does not require any kind of valid signature
to be fetched.

* Fix tests

…sts (mastodon#14479)

* Add tests

* Fix handling of Reject Follow when a matching follow relationship exists

Regression from mastodon#12199

…14778)

There are edge cases where requests to certain hosts timeout when
using the vanilla HTTP.rb gem, which the goldfinger gem uses. Now
that we no longer need to support OStatus servers, webfinger logic
is so simple that there is no point encapsulating it in a gem, so
we can just use our own Request class. With that, we benefit from
more robust timeout code and IPv4/IPv6 resolution.

Fix mastodon#14091

Fix mastodon#14668

…odon#14657)

Fixes mastodon#14462

)

* Change content-type to be always computed from file data

Restore previous behavior, detecting the content-type isn't very
expensive, and some instances may serve files as application/octet-stream
regardless of their true type, making fetching media from them fail, while
it used to work pre-3.2.0.

* Add test

…ges (mastodon#14486)

* Fix contrast calculation for thumbnail color extraction

Luminance calculation was using 0-255 RGB values instead of 0-1 sRGB values,
leading to incorrectly-computed contrast values.

Since we use ColorDiff already, just use its XYZ colorspace conversion code
to get the value.

* Require at least 3:1 contrast for both accent and foreground colors

* Lower required contrast for the accent color

Fixes mastodon#14523

…achments (mastodon#14536)

* Add support for inlined objects in activity audience

* Add tests

…#14471)

* use custom private boost icon for detail status

* only use className

…odon#14656)

Follow-up to mastodon#14359

In the case of limited toots, the receiver may not be explicitly part of the
audience. If a specific user's inbox URI was specified, it makes sense to
dereference the toot from the corresponding user, instead of trying to find
someone in the explicit audience.

* Add support for latest HTTP Signatures spec draft

https://www.ietf.org/id/draft-ietf-httpbis-message-signatures-00.html

- add support for the “hs2019” signature algorithm (assumed to be equivalent
  to RSA-SHA256, since we do not have a mechanism to specify the algorithm
  within the key metadata yet)
- add support for (created) and (expires) pseudo-headers and related
  signature parameters, when using the hs2019 signature algorithm
- adjust default “headers” parameter while being backwards-compatible with
  previous implementation
- change the acceptable time window logic from 12 hours surrounding the “date”
  header to accepting signatures created up to 1 hour in the future and
  expiring up to 1 hour in the past (but only allowing expiration dates up to
  12 hours after the creation date)
  This doesn't conform with the current draft, as it doesn't permit accounting
  for clock skew.
  This, however, should be addressed in a next version of the draft:
  httpwg/http-extensions#1235

* Add additional signature requirements

* Rewrite signature params parsing using Parslet

* Make apparent which signature algorithm Mastodon on verification failure

Mastodon uses RSASSA-PKCS1-v1_5, which is not recommended for new applications,
and new implementers may thus unknowingly use RSASSA-PSS.

* Add workaround for PeerTube's invalid signature header

The previous parser allowed incorrect Signature headers, such as
those produced by old versions of the `http-signature` node.js package,
and seemingly used by PeerTube.

This commit adds a workaround for that.

* Fix `signature_key_id` raising an exception

Previously, parsing failures would result in `signature_key_id` being nil,
but the parser changes made that result in an exception.

This commit changes the `signature_key_id` method to return `nil` in case
of parsing failures.

* Move extra HTTP signature helper methods to private methods

* Relax (request-target) requirement to (request-target) || digest

This lets requests from Plume work without lowering security significantly.

- 検索クエリを分かち書きを行わない言語に最適化
- 形態素解析を行うためにElasticsearch側にkuromojiを導入
- 検索結果をマッチ度順ではなく日付順に変更

- 投票作成時，その選択肢の数の上限を4から16に変更
- 投票作成時，その有効期限をより細かく設定出来るように変更

- Announcement機能をマージ（lindwurm/mastodon）

- 元々導入していたhotaさんのannouncements機能と，本家announcements機能において，CSSのみ競合が発生
- class名が両方とも「announcements」となっており重複していた
- 元々のannouncementsの方を「announcements2」に変更

- ユニークユーザ5人以上で選出されるものを2人以上で選出されるよう変更

- カスタム絵文字としてユーザのアイコンが使える機能
- 対象はトゥート，投票の選択肢，お知らせ，アカウントプロフィール欄
- 自サーバの人が他サーバのアカウントのプロフィール絵文字を使うことはできる
- 他サーバの人がプロフィール絵文字を使うことはできない

- 投稿に，文字の投稿が含まれず，かつカスタム絵文字が1つだけの場合に特大表示(7em)する
- それに伴ってカスタム絵文字が段落に1つしか含まれない場合にちょっと大きく表示(4em)する機能は削除

- InstanceTickerを有効にするテーマの場合，はんドンクラブのティッカーは非表示にしていた
- これまでは適用範囲がHTL/FTL/LTLのみだったが，今回それに加えてnotificationも追加した

Bumps [faker](https://github.com/faker-ruby/faker) from 2.13.0 to 2.17.0.
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md)
- [Commits](faker-ruby/faker@v2.13.0...v2.17.0)

Signed-off-by: dependabot[bot] <support@github.com>