 a90c45b7e9
			
		
	
	
		a90c45b7e9
		
	
	
	
	
		
			
			Close #304. Notes: - This patch was made on top of Pleroma develop, so I created a separate cachex worker for request signature actions, instead of Akkoma's instance cache. If that is a merge blocker, I can attempt to move logic around for that. - Regarding the `has_request_signatures: true -> false` state transition: I think that is a higher level thing (resetting instance state on new instance actor key) which is separate from the changes relevant to this one. Co-authored-by: Luna <git@l4.pm> Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/312 Co-authored-by: @luna@f.l4.pm <akkoma@l4.pm> Co-committed-by: @luna@f.l4.pm <akkoma@l4.pm>
		
			
				
	
	
		
			152 lines
		
	
	
	
		
			4.7 KiB
		
	
	
	
		
			Elixir
		
	
	
	
	
	
			
		
		
	
	
			152 lines
		
	
	
	
		
			4.7 KiB
		
	
	
	
		
			Elixir
		
	
	
	
	
	
| # Pleroma: A lightweight social networking server
 | |
| # Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
 | |
| # SPDX-License-Identifier: AGPL-3.0-only
 | |
| 
 | |
| defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 | |
|   use Pleroma.Web.ConnCase, async: false
 | |
|   import Pleroma.Factory
 | |
|   alias Pleroma.Web.Plugs.HTTPSignaturePlug
 | |
|   alias Pleroma.Instances.Instance
 | |
|   alias Pleroma.Repo
 | |
| 
 | |
|   import Plug.Conn
 | |
|   import Phoenix.Controller, only: [put_format: 2]
 | |
|   import Mock
 | |
| 
 | |
|   setup_with_mocks([
 | |
|     {HTTPSignatures, [],
 | |
|      [
 | |
|        signature_for_conn: fn _ ->
 | |
|          %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
 | |
|        end,
 | |
|        validate_conn: fn conn ->
 | |
|          Map.get(conn.assigns, :valid_signature, true)
 | |
|        end
 | |
|      ]}
 | |
|   ]) do
 | |
|     :ok
 | |
|   end
 | |
| 
 | |
|   defp submit_to_plug(host), do: submit_to_plug(host, :get, "/doesntmattter")
 | |
| 
 | |
|   defp submit_to_plug(host, method, path) do
 | |
|     params = %{"actor" => "http://#{host}/users/admin"}
 | |
| 
 | |
|     build_conn(method, path, params)
 | |
|     |> put_req_header(
 | |
|       "signature",
 | |
|       "keyId=\"http://#{host}/users/admin#main-key"
 | |
|     )
 | |
|     |> put_format("activity+json")
 | |
|     |> HTTPSignaturePlug.call(%{})
 | |
|   end
 | |
| 
 | |
|   test "it call HTTPSignatures to check validity if the actor signed it" do
 | |
|     params = %{"actor" => "http://mastodon.example.org/users/admin"}
 | |
|     conn = build_conn(:get, "/doesntmattter", params)
 | |
| 
 | |
|     conn =
 | |
|       conn
 | |
|       |> put_req_header(
 | |
|         "signature",
 | |
|         "keyId=\"http://mastodon.example.org/users/admin#main-key"
 | |
|       )
 | |
|       |> put_format("activity+json")
 | |
|       |> HTTPSignaturePlug.call(%{})
 | |
| 
 | |
|     assert conn.assigns.valid_signature == true
 | |
|     assert conn.assigns.signature_actor_id == params["actor"]
 | |
|     assert conn.halted == false
 | |
|     assert called(HTTPSignatures.validate_conn(:_))
 | |
|   end
 | |
| 
 | |
|   test "it sets request signatures property on the instance" do
 | |
|     host = "mastodon.example.org"
 | |
|     conn = submit_to_plug(host)
 | |
|     assert conn.assigns.valid_signature == true
 | |
|     instance = Repo.get_by(Instance, %{host: host})
 | |
|     assert instance.has_request_signatures
 | |
|   end
 | |
| 
 | |
|   test "it does not set request signatures property on the instance when using inbox" do
 | |
|     host = "mastodon.example.org"
 | |
|     conn = submit_to_plug(host, :post, "/inbox")
 | |
|     assert conn.assigns.valid_signature == true
 | |
| 
 | |
|     # we don't even create the instance entry if its just POST /inbox
 | |
|     refute Repo.get_by(Instance, %{host: host})
 | |
|   end
 | |
| 
 | |
|   test "it does not set request signatures property on the instance when its cached" do
 | |
|     host = "mastodon.example.org"
 | |
|     Cachex.put(:request_signatures_cache, host, true)
 | |
|     conn = submit_to_plug(host)
 | |
|     assert conn.assigns.valid_signature == true
 | |
| 
 | |
|     # we don't even create the instance entry if it was already done
 | |
|     refute Repo.get_by(Instance, %{host: host})
 | |
|   end
 | |
| 
 | |
|   describe "requires a signature when `authorized_fetch_mode` is enabled" do
 | |
|     setup do
 | |
|       clear_config([:activitypub, :authorized_fetch_mode], true)
 | |
| 
 | |
|       params = %{"actor" => "http://mastodon.example.org/users/admin"}
 | |
|       conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
 | |
| 
 | |
|       [conn: conn]
 | |
|     end
 | |
| 
 | |
|     test "and signature is present and incorrect", %{conn: conn} do
 | |
|       conn =
 | |
|         conn
 | |
|         |> assign(:valid_signature, false)
 | |
|         |> put_req_header(
 | |
|           "signature",
 | |
|           "keyId=\"http://mastodon.example.org/users/admin#main-key"
 | |
|         )
 | |
|         |> HTTPSignaturePlug.call(%{})
 | |
| 
 | |
|       assert conn.assigns.valid_signature == false
 | |
|       assert conn.halted == true
 | |
|       assert conn.status == 401
 | |
|       assert conn.state == :sent
 | |
|       assert conn.resp_body == "Request not signed"
 | |
|       assert called(HTTPSignatures.validate_conn(:_))
 | |
|     end
 | |
| 
 | |
|     test "and signature is correct", %{conn: conn} do
 | |
|       conn =
 | |
|         conn
 | |
|         |> put_req_header(
 | |
|           "signature",
 | |
|           "keyId=\"http://mastodon.example.org/users/admin#main-key"
 | |
|         )
 | |
|         |> HTTPSignaturePlug.call(%{})
 | |
| 
 | |
|       assert conn.assigns.valid_signature == true
 | |
|       assert conn.halted == false
 | |
|       assert called(HTTPSignatures.validate_conn(:_))
 | |
|     end
 | |
| 
 | |
|     test "and halts the connection when `signature` header is not present", %{conn: conn} do
 | |
|       conn = HTTPSignaturePlug.call(conn, %{})
 | |
|       assert conn.assigns[:valid_signature] == nil
 | |
|       assert conn.halted == true
 | |
|       assert conn.status == 401
 | |
|       assert conn.state == :sent
 | |
|       assert conn.resp_body == "Request not signed"
 | |
|     end
 | |
|   end
 | |
| 
 | |
|   test "aliases redirected /object endpoints", _ do
 | |
|     obj = insert(:note)
 | |
|     act = insert(:note_activity, note: obj)
 | |
|     params = %{"actor" => "someparam"}
 | |
|     path = URI.parse(obj.data["id"]).path
 | |
|     conn = build_conn(:get, path, params)
 | |
| 
 | |
|     assert ["/notice/#{act.id}", "/notice/#{act.id}?actor=someparam"] ==
 | |
|              HTTPSignaturePlug.route_aliases(conn)
 | |
|   end
 | |
| end
 |