8 files changed, 355 insertions, 0 deletions

diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity4.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity4.json
new file mode 100644
index 000000000..57a73b12a
--- /dev/null
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity4.json
@@ -0,0 +1,13 @@
+{
+        "@context": "https://www.w3.org/ns/activitystreams",
+        "attributedTo": "http://mastodon.example.org/users/admin",
+        "attachment": [],
+        "content": "<p>this post was not actually written by Haelwenn</p>",
+        "id": "http://mastodon.example.org/users/admin/activities/1234",
+        "published": "2018-09-01T22:15:00Z",
+        "tag": [],
+        "to": [
+            "https://www.w3.org/ns/activitystreams#Public"
+        ],
+        "type": "Note"
+}
diff --git a/test/media_proxy_test.exs b/test/media_proxy_test.exs
new file mode 100644
index 000000000..c69ed7ea4
--- /dev/null
+++ b/test/media_proxy_test.exs
@@ -0,0 +1,113 @@
+defmodule Pleroma.MediaProxyTest do
+  use ExUnit.Case
+  import Pleroma.Web.MediaProxy
+
+  describe "when enabled" do
+    setup do
+      enabled = Pleroma.Config.get([:media_proxy, :enabled])
+
+      unless enabled do
+        Pleroma.Config.put([:media_proxy, :enabled], true)
+        on_exit(fn -> Pleroma.Config.put([:media_proxy, :enabled], enabled) end)
+      end
+
+      :ok
+    end
+
+    test "ignores invalid url" do
+      assert url(nil) == nil
+      assert url("") == nil
+    end
+
+    test "ignores relative url" do
+      assert url("/local") == "/local"
+      assert url("/") == "/"
+    end
+
+    test "ignores local url" do
+      local_url = Pleroma.Web.Endpoint.url() <> "/hello"
+      local_root = Pleroma.Web.Endpoint.url()
+      assert url(local_url) == local_url
+      assert url(local_root) == local_root
+    end
+
+    test "encodes and decodes URL" do
+      url = "https://pleroma.soykaf.com/static/logo.png"
+      encoded = url(url)
+
+      assert String.starts_with?(
+               encoded,
+               Pleroma.Config.get([:media_proxy, :base_url], Pleroma.Web.base_url())
+             )
+
+      assert String.ends_with?(encoded, "/logo.png")
+
+      assert decode_result(encoded) == url
+    end
+
+    test "encodes and decodes URL without a path" do
+      url = "https://pleroma.soykaf.com"
+      encoded = url(url)
+      assert decode_result(encoded) == url
+    end
+
+    test "encodes and decodes URL without an extension" do
+      url = "https://pleroma.soykaf.com/path/"
+      encoded = url(url)
+      assert String.ends_with?(encoded, "/path")
+      assert decode_result(encoded) == url
+    end
+
+    test "encodes and decodes URL and ignores query params for the path" do
+      url = "https://pleroma.soykaf.com/static/logo.png?93939393939&bunny=true"
+      encoded = url(url)
+      assert String.ends_with?(encoded, "/logo.png")
+      assert decode_result(encoded) == url
+    end
+
+    test "validates signature" do
+      secret_key_base = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base])
+
+      on_exit(fn ->
+        Pleroma.Config.put([Pleroma.Web.Endpoint, :secret_key_base], secret_key_base)
+      end)
+
+      encoded = url("https://pleroma.social")
+
+      Pleroma.Config.put(
+        [Pleroma.Web.Endpoint, :secret_key_base],
+        "00000000000000000000000000000000000000000000000"
+      )
+
+      [_, "proxy", sig, base64 | _] = URI.parse(encoded).path |> String.split("/")
+      assert decode_url(sig, base64) == {:error, :invalid_signature}
+    end
+  end
+
+  describe "when disabled" do
+    setup do
+      enabled = Pleroma.Config.get([:media_proxy, :enabled])
+
+      if enabled do
+        Pleroma.Config.put([:media_proxy, :enabled], false)
+
+        on_exit(fn ->
+          Pleroma.Config.put([:media_proxy, :enabled], enabled)
+          :ok
+        end)
+      end
+
+      :ok
+    end
+
+    test "does not encode remote urls" do
+      assert url("https://google.fr") == "https://google.fr"
+    end
+  end
+
+  defp decode_result(encoded) do
+    [_, "proxy", sig, base64 | _] = URI.parse(encoded).path |> String.split("/")
+    {:ok, decoded} = decode_url(sig, base64)
+    decoded
+  end
+end
diff --git a/test/support/httpoison_mock.ex b/test/support/httpoison_mock.ex
index ebd1e9c4d..0be09b6ce 100644
--- a/test/support/httpoison_mock.ex
+++ b/test/support/httpoison_mock.ex
@@ -56,6 +56,14 @@ defmodule HTTPoisonMock do
      }}
   end
 
+  def get("https://info.pleroma.site/activity4.json", _, _) do
+    {:ok,
+     %Response{
+       status_code: 200,
+       body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity4.json")
+     }}
+  end
+
   def get("https://info.pleroma.site/actor.json", _, _) do
     {:ok,
      %Response{
@@ -756,6 +764,14 @@ defmodule HTTPoisonMock do
      }}
   end
 
+  def get("https://n1u.moe/users/rye", [Accept: "application/activity+json"], _) do
+    {:ok,
+     %Response{
+       status_code: 200,
+       body: File.read!("test/fixtures/httpoison_mock/rye.json")
+     }}
+  end
+
   def get(
         "https://mst3k.interlinked.me/users/luciferMysticus",
         [Accept: "application/activity+json"],
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 6320b5b6e..829da0a65 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -361,6 +361,26 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       refute Repo.get(Activity, activity.id)
     end
 
+    test "it fails for incoming deletes with spoofed origin" do
+      activity = insert(:note_activity)
+
+      data =
+        File.read!("test/fixtures/mastodon-delete.json")
+        |> Poison.decode!()
+
+      object =
+        data["object"]
+        |> Map.put("id", activity.data["object"]["id"])
+
+      data =
+        data
+        |> Map.put("object", object)
+
+      :error = Transmogrifier.handle_incoming(data)
+
+      assert Repo.get(Activity, activity.id)
+    end
+
     test "it works for incoming unannounces with an existing notice" do
       user = insert(:user)
       {:ok, activity} = CommonAPI.post(user, %{"status" => "hey"})
@@ -918,4 +938,61 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       :error = Transmogrifier.handle_incoming(data)
     end
   end
+
+  describe "general origin containment" do
+    test "contain_origin_from_id() catches obvious spoofing attempts" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :error =
+        Transmogrifier.contain_origin_from_id(
+          "http://example.org/~alyssa/activities/1234.json",
+          data
+        )
+    end
+
+    test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :ok =
+        Transmogrifier.contain_origin_from_id(
+          "http://example.com/~alyssa/activities/1234",
+          data
+        )
+    end
+
+    test "contain_origin_from_id() allows matching IDs" do
+      data = %{
+        "id" => "http://example.com/~alyssa/activities/1234.json"
+      }
+
+      :ok =
+        Transmogrifier.contain_origin_from_id(
+          "http://example.com/~alyssa/activities/1234.json",
+          data
+        )
+    end
+
+    test "users cannot be collided through fake direction spoofing attempts" do
+      user =
+        insert(:user, %{
+          nickname: "rye@niu.moe",
+          local: false,
+          ap_id: "https://niu.moe/users/rye",
+          follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
+        })
+
+      {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
+    end
+
+    test "all objects with fake directions are rejected by the object fetcher" do
+      {:error, _} =
+        ActivityPub.fetch_and_contain_remote_object_from_id(
+          "https://info.pleroma.site/activity4.json"
+        )
+    end
+  end
 end
diff --git a/test/web/activity_pub/views/object_view_test.exs b/test/web/activity_pub/views/object_view_test.exs
index 7e08dff5d..d144a77fc 100644
--- a/test/web/activity_pub/views/object_view_test.exs
+++ b/test/web/activity_pub/views/object_view_test.exs
@@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
   use Pleroma.DataCase
   import Pleroma.Factory
 
+  alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.ActivityPub.ObjectView
 
   test "renders a note object" do
@@ -15,4 +16,43 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
     assert result["type"] == "Note"
     assert result["@context"]
   end
+
+  test "renders a note activity" do
+    note = insert(:note_activity)
+
+    result = ObjectView.render("object.json", %{object: note})
+
+    assert result["id"] == note.data["id"]
+    assert result["to"] == note.data["to"]
+    assert result["object"]["type"] == "Note"
+    assert result["object"]["content"] == note.data["object"]["content"]
+    assert result["type"] == "Create"
+    assert result["@context"]
+  end
+
+  test "renders a like activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, like_activity, _} = CommonAPI.favorite(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: like_activity})
+
+    assert result["id"] == like_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Like"
+  end
+
+  test "renders an announce activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: announce_activity})
+
+    assert result["id"] == announce_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Announce"
+  end
 end
diff --git a/test/web/federator_test.exs b/test/web/federator_test.exs
index c709d1181..02e1ca76e 100644
--- a/test/web/federator_test.exs
+++ b/test/web/federator_test.exs
@@ -61,4 +61,42 @@ defmodule Pleroma.Web.FederatorTest do
       Pleroma.Config.put([:instance, :allow_relay], true)
     end
   end
+
+  describe "Receive an activity" do
+    test "successfully processes incoming AP docs with correct origin" do
+      params = %{
+        "@context" => "https://www.w3.org/ns/activitystreams",
+        "actor" => "http://mastodon.example.org/users/admin",
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/activities/1",
+        "object" => %{
+          "type" => "Note",
+          "content" => "hi world!",
+          "id" => "http://mastodon.example.org/users/admin/objects/1",
+          "attributedTo" => "http://mastodon.example.org/users/admin"
+        },
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"]
+      }
+
+      {:ok, _activity} = Federator.handle(:incoming_ap_doc, params)
+    end
+
+    test "rejects incoming AP docs with incorrect origin" do
+      params = %{
+        "@context" => "https://www.w3.org/ns/activitystreams",
+        "actor" => "https://niu.moe/users/rye",
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/activities/1",
+        "object" => %{
+          "type" => "Note",
+          "content" => "hi world!",
+          "id" => "http://mastodon.example.org/users/admin/objects/1",
+          "attributedTo" => "http://mastodon.example.org/users/admin"
+        },
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"]
+      }
+
+      :error = Federator.handle(:incoming_ap_doc, params)
+    end
+  end
 end
diff --git a/test/web/ostatus/ostatus_controller_test.exs b/test/web/ostatus/ostatus_controller_test.exs
index c23b175e8..371c835c0 100644
--- a/test/web/ostatus/ostatus_controller_test.exs
+++ b/test/web/ostatus/ostatus_controller_test.exs
@@ -2,6 +2,7 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
   use Pleroma.Web.ConnCase
   import Pleroma.Factory
   alias Pleroma.{User, Repo}
+  alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.OStatus.ActivityRepresenter
 
   test "decodes a salmon", %{conn: conn} do
@@ -167,6 +168,32 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
     assert json_response(conn, 200)
   end
 
+  test "only gets a notice in AS2 format for Create messages", %{conn: conn} do
+    note_activity = insert(:note_activity)
+    url = "/notice/#{note_activity.id}"
+
+    conn =
+      conn
+      |> put_req_header("accept", "application/activity+json")
+      |> get(url)
+
+    assert json_response(conn, 200)
+
+    user = insert(:user)
+
+    {:ok, like_activity, _} = CommonAPI.favorite(note_activity.id, user)
+    url = "/notice/#{like_activity.id}"
+
+    assert like_activity.data["type"] == "Like"
+
+    conn =
+      build_conn()
+      |> put_req_header("accept", "application/activity+json")
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
   test "gets an activity in AS2 format", %{conn: conn} do
     note_activity = insert(:note_activity)
     [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
diff --git a/test/web/retry_queue_test.exs b/test/web/retry_queue_test.exs
new file mode 100644
index 000000000..ce2964993
--- /dev/null
+++ b/test/web/retry_queue_test.exs
@@ -0,0 +1,31 @@
+defmodule MockActivityPub do
+  def publish_one(ret) do
+    {ret, "success"}
+  end
+end
+
+defmodule Pleroma.ActivityTest do
+  use Pleroma.DataCase
+  alias Pleroma.Web.Federator.RetryQueue
+
+  @small_retry_count 0
+  @hopeless_retry_count 10
+
+  test "failed posts are retried" do
+    {:retry, _timeout} = RetryQueue.get_retry_params(@small_retry_count)
+
+    assert {:noreply, %{delivered: 1}} ==
+             RetryQueue.handle_info({:send, :ok, MockActivityPub, @small_retry_count}, %{
+               delivered: 0
+             })
+  end
+
+  test "posts that have been tried too many times are dropped" do
+    {:drop, _timeout} = RetryQueue.get_retry_params(@hopeless_retry_count)
+
+    assert {:noreply, %{dropped: 1}} ==
+             RetryQueue.handle_cast({:maybe_enqueue, %{}, nil, @hopeless_retry_count}, %{
+               dropped: 0
+             })
+  end
+end