5 files changed, 69 insertions, 3 deletions

diff --git a/test/plugs/admin_secret_authentication_plug_test.exs b/test/plugs/admin_secret_authentication_plug_test.exs
index 506b1f609..e41ce1825 100644
--- a/test/plugs/admin_secret_authentication_plug_test.exs
+++ b/test/plugs/admin_secret_authentication_plug_test.exs
@@ -23,6 +23,8 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
   end
 
   describe "when secret set it assigns an admin user" do
+    clear_config([:admin_token])
+
     test "with `admin_token` query parameter", %{conn: conn} do
       Pleroma.Config.put(:admin_token, "password123")
 
diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs
index 9c1c20541..aa285d827 100644
--- a/test/plugs/http_security_plug_test.exs
+++ b/test/plugs/http_security_plug_test.exs
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 
   clear_config([:http_securiy, :enabled])
   clear_config([:http_security, :sts])
+  clear_config([:http_security, :referrer_policy])
 
   describe "http security enabled" do
     setup do
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
index d8ace36da..55e8bafc0 100644
--- a/test/plugs/http_signature_plug_test.exs
+++ b/test/plugs/http_signature_plug_test.exs
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
   alias Pleroma.Web.Plugs.HTTPSignaturePlug
 
   import Plug.Conn
+  import Phoenix.Controller, only: [put_format: 2]
   import Mock
 
   test "it call HTTPSignatures to check validity if the actor sighed it" do
@@ -20,10 +21,69 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
           "signature",
           "keyId=\"http://mastodon.example.org/users/admin#main-key"
         )
+        |> put_format("activity+json")
         |> HTTPSignaturePlug.call(%{})
 
       assert conn.assigns.valid_signature == true
+      assert conn.halted == false
       assert called(HTTPSignatures.validate_conn(:_))
     end
   end
+
+  describe "requires a signature when `authorized_fetch_mode` is enabled" do
+    setup do
+      Pleroma.Config.put([:activitypub, :authorized_fetch_mode], true)
+
+      on_exit(fn ->
+        Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
+      end)
+
+      params = %{"actor" => "http://mastodon.example.org/users/admin"}
+      conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
+
+      [conn: conn]
+    end
+
+    test "when signature header is present", %{conn: conn} do
+      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+        conn =
+          conn
+          |> put_req_header(
+            "signature",
+            "keyId=\"http://mastodon.example.org/users/admin#main-key"
+          )
+          |> HTTPSignaturePlug.call(%{})
+
+        assert conn.assigns.valid_signature == false
+        assert conn.halted == true
+        assert conn.status == 401
+        assert conn.state == :sent
+        assert conn.resp_body == "Request not signed"
+        assert called(HTTPSignatures.validate_conn(:_))
+      end
+
+      with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+        conn =
+          conn
+          |> put_req_header(
+            "signature",
+            "keyId=\"http://mastodon.example.org/users/admin#main-key"
+          )
+          |> HTTPSignaturePlug.call(%{})
+
+        assert conn.assigns.valid_signature == true
+        assert conn.halted == false
+        assert called(HTTPSignatures.validate_conn(:_))
+      end
+    end
+
+    test "halts the connection when `signature` header is not present", %{conn: conn} do
+      conn = HTTPSignaturePlug.call(conn, %{})
+      assert conn.assigns[:valid_signature] == nil
+      assert conn.halted == true
+      assert conn.status == 401
+      assert conn.state == :sent
+      assert conn.resp_body == "Request not signed"
+    end
+  end
 end
diff --git a/test/plugs/remote_ip_test.exs b/test/plugs/remote_ip_test.exs
index d120c588b..93e276454 100644
--- a/test/plugs/remote_ip_test.exs
+++ b/test/plugs/remote_ip_test.exs
@@ -8,6 +8,10 @@ defmodule Pleroma.Plugs.RemoteIpTest do
 
   alias Pleroma.Plugs.RemoteIp
 
+  import Pleroma.Tests.Helpers, only: [clear_config: 1, clear_config: 2]
+
+  clear_config(RemoteIp)
+
   test "disabled" do
     Pleroma.Config.put(RemoteIp, enabled: false)
 
diff --git a/test/plugs/user_enabled_plug_test.exs b/test/plugs/user_enabled_plug_test.exs
index a4035bf0e..b6f297552 100644
--- a/test/plugs/user_enabled_plug_test.exs
+++ b/test/plugs/user_enabled_plug_test.exs
@@ -8,6 +8,8 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
   alias Pleroma.Plugs.UserEnabledPlug
   import Pleroma.Factory
 
+  clear_config([:instance, :account_activation_required])
+
   test "doesn't do anything if the user isn't set", %{conn: conn} do
     ret_conn =
       conn
@@ -18,7 +20,6 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
 
   test "with a user that's not confirmed and a config requiring confirmation, it removes that user",
        %{conn: conn} do
-    old = Pleroma.Config.get([:instance, :account_activation_required])
     Pleroma.Config.put([:instance, :account_activation_required], true)
 
     user = insert(:user, confirmation_pending: true)
@@ -29,8 +30,6 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
       |> UserEnabledPlug.call(%{})
 
     assert conn.assigns.user == nil
-
-    Pleroma.Config.put([:instance, :account_activation_required], old)
   end
 
   test "with a user that is deactivated, it removes that user", %{conn: conn} do