a90c45b7e9
Close #304. Notes: - This patch was made on top of Pleroma develop, so I created a separate cachex worker for request signature actions, instead of Akkoma's instance cache. If that is a merge blocker, I can attempt to move logic around for that. - Regarding the `has_request_signatures: true -> false` state transition: I think that is a higher level thing (resetting instance state on new instance actor key) which is separate from the changes relevant to this one. Co-authored-by: Luna <git@l4.pm> Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/312 Co-authored-by: @luna@f.l4.pm <akkoma@l4.pm> Co-committed-by: @luna@f.l4.pm <akkoma@l4.pm>
152 lines
4.7 KiB
Elixir
152 lines
4.7 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
|
|
use Pleroma.Web.ConnCase, async: false
|
|
import Pleroma.Factory
|
|
alias Pleroma.Web.Plugs.HTTPSignaturePlug
|
|
alias Pleroma.Instances.Instance
|
|
alias Pleroma.Repo
|
|
|
|
import Plug.Conn
|
|
import Phoenix.Controller, only: [put_format: 2]
|
|
import Mock
|
|
|
|
setup_with_mocks([
|
|
{HTTPSignatures, [],
|
|
[
|
|
signature_for_conn: fn _ ->
|
|
%{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
|
|
end,
|
|
validate_conn: fn conn ->
|
|
Map.get(conn.assigns, :valid_signature, true)
|
|
end
|
|
]}
|
|
]) do
|
|
:ok
|
|
end
|
|
|
|
defp submit_to_plug(host), do: submit_to_plug(host, :get, "/doesntmattter")
|
|
|
|
defp submit_to_plug(host, method, path) do
|
|
params = %{"actor" => "http://#{host}/users/admin"}
|
|
|
|
build_conn(method, path, params)
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://#{host}/users/admin#main-key"
|
|
)
|
|
|> put_format("activity+json")
|
|
|> HTTPSignaturePlug.call(%{})
|
|
end
|
|
|
|
test "it call HTTPSignatures to check validity if the actor signed it" do
|
|
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
|
conn = build_conn(:get, "/doesntmattter", params)
|
|
|
|
conn =
|
|
conn
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> put_format("activity+json")
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.assigns.signature_actor_id == params["actor"]
|
|
assert conn.halted == false
|
|
assert called(HTTPSignatures.validate_conn(:_))
|
|
end
|
|
|
|
test "it sets request signatures property on the instance" do
|
|
host = "mastodon.example.org"
|
|
conn = submit_to_plug(host)
|
|
assert conn.assigns.valid_signature == true
|
|
instance = Repo.get_by(Instance, %{host: host})
|
|
assert instance.has_request_signatures
|
|
end
|
|
|
|
test "it does not set request signatures property on the instance when using inbox" do
|
|
host = "mastodon.example.org"
|
|
conn = submit_to_plug(host, :post, "/inbox")
|
|
assert conn.assigns.valid_signature == true
|
|
|
|
# we don't even create the instance entry if its just POST /inbox
|
|
refute Repo.get_by(Instance, %{host: host})
|
|
end
|
|
|
|
test "it does not set request signatures property on the instance when its cached" do
|
|
host = "mastodon.example.org"
|
|
Cachex.put(:request_signatures_cache, host, true)
|
|
conn = submit_to_plug(host)
|
|
assert conn.assigns.valid_signature == true
|
|
|
|
# we don't even create the instance entry if it was already done
|
|
refute Repo.get_by(Instance, %{host: host})
|
|
end
|
|
|
|
describe "requires a signature when `authorized_fetch_mode` is enabled" do
|
|
setup do
|
|
clear_config([:activitypub, :authorized_fetch_mode], true)
|
|
|
|
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
|
conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
|
|
|
|
[conn: conn]
|
|
end
|
|
|
|
test "and signature is present and incorrect", %{conn: conn} do
|
|
conn =
|
|
conn
|
|
|> assign(:valid_signature, false)
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == false
|
|
assert conn.halted == true
|
|
assert conn.status == 401
|
|
assert conn.state == :sent
|
|
assert conn.resp_body == "Request not signed"
|
|
assert called(HTTPSignatures.validate_conn(:_))
|
|
end
|
|
|
|
test "and signature is correct", %{conn: conn} do
|
|
conn =
|
|
conn
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.halted == false
|
|
assert called(HTTPSignatures.validate_conn(:_))
|
|
end
|
|
|
|
test "and halts the connection when `signature` header is not present", %{conn: conn} do
|
|
conn = HTTPSignaturePlug.call(conn, %{})
|
|
assert conn.assigns[:valid_signature] == nil
|
|
assert conn.halted == true
|
|
assert conn.status == 401
|
|
assert conn.state == :sent
|
|
assert conn.resp_body == "Request not signed"
|
|
end
|
|
end
|
|
|
|
test "aliases redirected /object endpoints", _ do
|
|
obj = insert(:note)
|
|
act = insert(:note_activity, note: obj)
|
|
params = %{"actor" => "someparam"}
|
|
path = URI.parse(obj.data["id"]).path
|
|
conn = build_conn(:get, path, params)
|
|
|
|
assert ["/notice/#{act.id}", "/notice/#{act.id}?actor=someparam"] ==
|
|
HTTPSignaturePlug.route_aliases(conn)
|
|
end
|
|
end
|