author | marcin mikołajczak <git@mkljczk.pl> | 2022-04-14 20:09:43 +0200 |
---|---|---|
committer | marcin mikołajczak <git@mkljczk.pl> | 2022-08-05 11:06:30 +0200 |
commit | c899af1d6acad1895240a0247e9b91eca5db08df (patch) | |
tree | 1c198359f93ce77a48601ed906b34482f5821331 /test | |
parent | d39f803bddb04a4c0a9e0742a437fd07f461c615 (diff) | |
download | pleroma-c899af1d6acad1895240a0247e9b91eca5db08df.tar.gz pleroma-c899af1d6acad1895240a0247e9b91eca5db08df.zip |
Reject requests from specified instances if `authorized_fetch_mode` is enabled
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
Diffstat (limited to 'test')
-rw-r--r-- | test/pleroma/signature_test.exs | 8 | ||||
-rw-r--r-- | test/pleroma/web/plugs/http_signature_plug_test.exs | 63 |
2 files changed, 67 insertions, 4 deletions
diff --git a/test/pleroma/signature_test.exs b/test/pleroma/signature_test.exs
index 92d05f26c..8f94efdc3 100644
--- a/test/pleroma/signature_test.exs
+++ b/test/pleroma/signature_test.exs
@@ -70,6 +70,14 @@ defmodule Pleroma.SignatureTest do
 end
 end
+ describe "get_actor_id/1" do
+ test "it returns actor id" do
+ ap_id = "https://mastodon.social/users/lambadalambda"
+
+ assert Signature.get_actor_id(make_fake_conn(ap_id)) == {:ok, ap_id}
+ end
+ end
+
+ describe "sign/2" do
 test "it returns signature headers" do
 user =
diff --git a/test/pleroma/web/plugs/http_signature_plug_test.exs b/test/pleroma/web/plugs/http_signature_plug_test.exs
index 2d8fba3cd..de68e8823 100644
--- a/test/pleroma/web/plugs/http_signature_plug_test.exs
+++ b/test/pleroma/web/plugs/http_signature_plug_test.exs
@@ -10,11 +10,15 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 import Phoenix.Controller, only: [put_format: 2]
 import Mock
- test "it call HTTPSignatures to check validity if the actor sighed it" do
+ test "it call HTTPSignatures to check validity if the actor signed it" do
 params = %{"actor" => "http://mastodon.example.org/users/admin"}
 conn = build_conn(:get, "/doesntmattter", params)
- with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+ with_mock HTTPSignatures,
+ validate_conn: fn _ -> true end,
+ signature_for_conn: fn _ ->
+ %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+ end do
 conn =
 conn
 |> put_req_header(
@@ -41,7 +45,11 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 end
 test "when signature header is present", %{conn: conn} do
- with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+ with_mock HTTPSignatures,
+ validate_conn: fn _ -> false end,
+ signature_for_conn: fn _ ->
+ %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+ end do
 conn =
 conn
 |> put_req_header(
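Review bot: The new `get_actor_id/1` describe block checks only the success tuple; no case covers a conn without a usable signature or a keyId that cannot be mapped to an actor. The plug change itself is not part of this test-only diff, but if the instance rejection is driven by this function, its error return decides whether an unidentifiable signer is halted or passed through, so it deserves its own case, e.g. `test "it returns an error tuple when no actor id can be derived"`. `make_fake_conn/1` is defined outside the hunk, so what it puts into the conn cannot be confirmed from here.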
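Review bot: The stub `signature_for_conn: fn _ -> %{"keyId" => "http://mastodon.example.org/users/admin#main-key"} end` is pasted into this `with_mock` and repeated in the hunks at -41 and -58 and in the new test at the end of the file. A module attribute such as `@key_id "http://mastodon.example.org/users/admin#main-key"` used as `signature_for_conn: fn _ -> %{"keyId" => @key_id} end` would keep the fixtures in step. None of the touched tests asserts `called(HTTPSignatures.signature_for_conn(:_))`, so nothing pins that the plug takes the signer's identity from the signature rather than from the `actor` parameter.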
@@ -58,7 +66,11 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 assert called(HTTPSignatures.validate_conn(:_))
 end
- with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+ with_mock HTTPSignatures,
+ validate_conn: fn _ -> true end,
+ signature_for_conn: fn _ ->
+ %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+ end do
 conn =
 conn
 |> put_req_header(
@@ -82,4 +94,47 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
 assert conn.resp_body == "Request not signed"
 end
 end
+
+ test "rejects requests from `rejected_instances` when `authorized_fetch_mode` is enabled" do
+ clear_config([:activitypub, :authorized_fetch_mode], true)
+ clear_config([:instance, :rejected_instances], [{"mastodon.example.org", "no reason"}])
+
+ with_mock HTTPSignatures,
+ validate_conn: fn _ -> true end,
+ signature_for_conn: fn _ ->
+ %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+ end do
+ conn =
+ build_conn(:get, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
+ |> put_req_header(
+ "signature",
+ "keyId=\"http://mastodon.example.org/users/admin#main-key"
+ )
+ |> put_format("activity+json")
+ |> HTTPSignaturePlug.call(%{})
+
+ assert conn.assigns.valid_signature == true
+ assert conn.halted == true
+ assert called(HTTPSignatures.validate_conn(:_))
+ end
+
+ with_mock HTTPSignatures,
+ validate_conn: fn _ -> true end,
+ signature_for_conn: fn _ ->
+ %{"keyId" => "http://allowed.example.org/users/admin#main-key"}
+ end do
+ conn =
+ build_conn(:get, "/doesntmattter", %{"actor" => "http://allowed.example.org/users/admin"})
+ |> put_req_header(
+ "signature",
+ "keyId=\"http://allowed.example.org/users/admin#main-key"
+ )
+ |> put_format("activity+json")
+ |> HTTPSignaturePlug.call(%{})
+
+ assert conn.assigns.valid_signature == true
+ assert conn.halted == false
+ assert called(HTTPSignatures.validate_conn(:_))
+ end
+ end
 end |
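Review bot: The new test exercises `rejected_instances` only with `authorized_fetch_mode` set to true, so a plug that halted listed hosts regardless of the flag would still pass. The commit title makes the rejection conditional on the flag, and a case with the flag set to false asserting `conn.halted == false` would pin that; the expected result is inferred from the title, since the plug is not in this diff. In both `with_mock` blocks the `actor` parameter and the mocked `keyId` name the same host, so the test also does not show which of the two the decision uses; a case where they differ would settle that the check follows the signed key. A sketch of the flag-off case follows.

```elixir
test "does not reject `rejected_instances` when `authorized_fetch_mode` is disabled" do
  clear_config([:activitypub, :authorized_fetch_mode], false)
  clear_config([:instance, :rejected_instances], [{"mastodon.example.org", "no reason"}])

  with_mock HTTPSignatures,
    validate_conn: fn _ -> true end,
    signature_for_conn: fn _ ->
      %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
    end do
    conn =
      build_conn(:get, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
      |> put_req_header(
        "signature",
        "keyId=\"http://mastodon.example.org/users/admin#main-key"
      )
      |> put_format("activity+json")
      |> HTTPSignaturePlug.call(%{})

    # Expected value inferred from the commit title; confirm against the plug.
    assert conn.halted == false
  end
end
```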