2 files changed, 144 insertions, 0 deletions

diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs
new file mode 100644
index 000000000..268675c86
--- /dev/null
+++ b/test/object/containment_test.exs
@@ -0,0 +1,59 @@
+defmodule Pleroma.Object.ContainmentTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.User
+  alias Pleroma.Object.Containment
+  alias Pleroma.Web.ActivityPub.ActivityPub
+
+  import Pleroma.Factory
+
+  describe "general origin containment" do
+    test "contain_origin_from_id() catches obvious spoofing attempts" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :error =
+        Containment.contain_origin_from_id(
+          "http://example.org/~alyssa/activities/1234.json",
+          data
+        )
+    end
+
+    test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :ok =
+        Containment.contain_origin_from_id(
+          "http://example.com/~alyssa/activities/1234",
+          data
+        )
+    end
+
+    test "contain_origin_from_id() allows matching IDs" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :ok =
+        Containment.contain_origin_from_id(
+          "http://example.com/~alyssa/activities/1234.json",
+          data
+        )
+    end
+
+    test "users cannot be collided through fake direction spoofing attempts" do
+      user =
+        insert(:user, %{
+          nickname: "rye@niu.moe",
+          local: false,
+          ap_id: "https://niu.moe/users/rye",
+          follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
+        })
+
+      {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
+    end
+  end
+end
diff --git a/test/object/fetcher_test.exs b/test/object/fetcher_test.exs
new file mode 100644
index 000000000..3bbade9d1
--- /dev/null
+++ b/test/object/fetcher_test.exs
@@ -0,0 +1,85 @@
+defmodule Pleroma.Object.FetcherTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.{Activity, Object}
+  alias Pleroma.Object.Fetcher
+
+  import Pleroma.Factory
+
+  describe "actor origin containment" do
+    test "it rejects objects with a bogus origin" do
+      {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity.json")
+    end
+
+    test "it rejects objects when attributedTo is wrong (variant 1)" do
+      {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity2.json")
+    end
+
+    test "it rejects objects when attributedTo is wrong (variant 2)" do
+      {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity3.json")
+    end
+  end
+
+  describe "fetching an object" do
+    test "it fetches an object" do
+      {:ok, object} =
+        Fetcher.fetch_object_from_id("http://mastodon.example.org/@admin/99541947525187367")
+
+      assert activity = Activity.get_create_activity_by_object_ap_id(object.data["id"])
+      assert activity.data["id"]
+
+      {:ok, object_again} =
+        Fetcher.fetch_object_from_id("http://mastodon.example.org/@admin/99541947525187367")
+
+      assert [attachment] = object.data["attachment"]
+      assert is_list(attachment["url"])
+
+      assert object == object_again
+    end
+
+    test "it works with objects only available via Ostatus" do
+      {:ok, object} = Fetcher.fetch_object_from_id("https://shitposter.club/notice/2827873")
+      assert activity = Activity.get_create_activity_by_object_ap_id(object.data["id"])
+      assert activity.data["id"]
+
+      {:ok, object_again} = Fetcher.fetch_object_from_id("https://shitposter.club/notice/2827873")
+
+      assert object == object_again
+    end
+
+    test "it correctly stitches up conversations between ostatus and ap" do
+      last = "https://mstdn.io/users/mayuutann/statuses/99568293732299394"
+      {:ok, object} = Fetcher.fetch_object_from_id(last)
+
+      object = Object.get_by_ap_id(object.data["inReplyTo"])
+      assert object
+    end
+  end
+
+  describe "implementation quirks" do
+    test "it can fetch plume articles" do
+      {:ok, object} =
+        Fetcher.fetch_object_from_id(
+          "https://baptiste.gelez.xyz/~/PlumeDevelopment/this-month-in-plume-june-2018/"
+        )
+
+      assert object
+    end
+
+    test "it can fetch peertube videos" do
+      {:ok, object} =
+        Fetcher.fetch_object_from_id(
+          "https://peertube.moe/videos/watch/df5f464b-be8d-46fb-ad81-2d4c2d1630e3"
+        )
+
+      assert object
+    end
+
+    test "all objects with fake directions are rejected by the object fetcher" do
+      {:error, _} =
+        Fetcher.fetch_and_contain_remote_object_from_id(
+          "https://info.pleroma.site/activity4.json"
+        )
+    end
+  end
+end