From a12b6454bb0a270732f9b55f8d4366c9add44136 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn
Date: Mon, 16 Dec 2019 22:24:03 +0700
Subject: Add an option to require fetches to be signed
---
 test/plugs/http_signature_plug_test.exs | 58 +++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
(limited to 'test')
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
index d8ace36da..007193dd9 100644
--- a/test/plugs/http_signature_plug_test.exs
+++ b/test/plugs/http_signature_plug_test.exs
@@ -23,7 +23,65 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
       |> HTTPSignaturePlug.call(%{})
 
     assert conn.assigns.valid_signature == true
+    assert conn.halted == false
     assert called(HTTPSignatures.validate_conn(:_))
   end
 end
+
+  describe "requries a signature when `authorized_fetch_mode` is enabled" do
+    setup do
+      Pleroma.Config.put([:activitypub, :authorized_fetch_mode], true)
+
+      on_exit(fn ->
+        Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
+      end)
+
+      params = %{"actor" => "http://mastodon.example.org/users/admin"}
+      conn = build_conn(:get, "/doesntmattter", params)
+
+      [conn: conn]
+    end
+
+    test "when signature header is present", %{conn: conn} do
+      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+        conn =
+          conn
+          |> put_req_header(
+            "signature",
+            "keyId=\"http://mastodon.example.org/users/admin#main-key"
+          )
+          |> HTTPSignaturePlug.call(%{})
+
+        assert conn.assigns.valid_signature == false
+        assert conn.halted == true
+        assert conn.status == 401
+        assert conn.state == :sent
+        assert conn.resp_body == "Request not signed"
+        assert called(HTTPSignatures.validate_conn(:_))
+      end
+
+      with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+        conn =
+          conn
+          |> put_req_header(
+            "signature",
+            "keyId=\"http://mastodon.example.org/users/admin#main-key"
+          )
+          |> HTTPSignaturePlug.call(%{})
+
+        assert conn.assigns.valid_signature == true
+        assert conn.halted == false
+        assert called(HTTPSignatures.validate_conn(:_))
+      end
+    end
+
+    test "halts the connection when `signature` header is not present", %{conn: conn} do
+      conn = HTTPSignaturePlug.call(conn, %{})
+      assert conn.assigns[:valid_signature] == nil
+      assert conn.halted == true
+      assert conn.status == 401
+      assert conn.state == :sent
+      assert conn.resp_body == "Request not signed"
+    end
+  end
 end
--
cgit v1.2.3
From e1fa8c11a9ea26f54a231cbdacdc8befe634b57e Mon Sep 17 00:00:00 2001
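Review bot: The `on_exit` in `setup` restores `authorized_fetch_mode` to a hard-coded `false` rather than to the value it held before the test, so the override leaks into later tests if the suite's default is ever anything else; read it first with `previous = Pleroma.Config.get([:activitypub, :authorized_fetch_mode])` and put `previous` back in `on_exit`. The new describe has no test for the complementary case — `authorized_fetch_mode` disabled and no `signature` header — so nothing pins that the plug must not halt unsigned requests when the option is off; a test mirroring the missing-header test but asserting `conn.halted == false` would cover it, unless one exists outside the hunk. The first `with_mock` block in `when signature header is present` also asserts `conn.resp_body == "Request not signed"` for a request that carries a signature header but fails validation; if the plug is meant to distinguish the two rejections the test should pin a distinct message, otherwise a one-line comment such as `# a missing and an invalid signature currently share the same 401 body` would stop a reader taking it for a bug.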
From: minibikini
Date: Mon, 16 Dec 2019 18:39:59 +0000
Subject: Apply suggestion to test/plugs/http_signature_plug_test.exs
---
 test/plugs/http_signature_plug_test.exs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test')
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
index 007193dd9..77e790288 100644
--- a/test/plugs/http_signature_plug_test.exs
+++ b/test/plugs/http_signature_plug_test.exs
@@ -28,7 +28,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
     end
   end
 
-  describe "requries a signature when `authorized_fetch_mode` is enabled" do
+  describe "requires a signature when `authorized_fetch_mode` is enabled" do
     setup do
       Pleroma.Config.put([:activitypub, :authorized_fetch_mode], true)
 
--
cgit v1.2.3
From 775212121cc3eb108bca6c4b94a3fdf6d8d8fcd1 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn
Date: Thu, 19 Dec 2019 20:17:18 +0700
Subject: Verify HTTP signatures only when request accepts "activity+json" type
---
 test/plugs/http_signature_plug_test.exs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'test')
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
index 77e790288..55e8bafc0 100644
--- a/test/plugs/http_signature_plug_test.exs
+++ b/test/plugs/http_signature_plug_test.exs
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
   alias Pleroma.Web.Plugs.HTTPSignaturePlug
 
   import Plug.Conn
+  import Phoenix.Controller, only: [put_format: 2]
   import Mock
 
   test "it call HTTPSignatures to check validity if the actor sighed it" do
@@ -20,6 +21,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
           "signature",
           "keyId=\"http://mastodon.example.org/users/admin#main-key"
         )
+        |> put_format("activity+json")
         |> HTTPSignaturePlug.call(%{})
 
     assert conn.assigns.valid_signature == true
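Review bot: Adding `|> put_format("activity+json")` to the existing test here (and to `setup` in the `@@ -37,7 +39,7 @@` hunk) means every test now exercises only the format on which verification runs; nothing asserts what the plug does for a request with any other format, which is exactly the behaviour the commit subject introduces. A test that builds the conn without `put_format` (or with `put_format("html")`) and asserts `conn.assigns[:valid_signature] == nil` and `conn.halted == false` would pin that path and make the format-based exemption visible in the test file, so a later change cannot silently widen or narrow which requests skip the signature check. The plug's format branching is inferred from the commit subject; the plug itself is outside this diff.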
@@ -37,7 +39,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
       end)
 
       params = %{"actor" => "http://mastodon.example.org/users/admin"}
-      conn = build_conn(:get, "/doesntmattter", params)
+      conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
 
       [conn: conn]
     end
--
cgit v1.2.3
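Review bot: `conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")` is a single-step pipe that starts from a function call rather than a bare value, which the usual Elixir style discourages; write it as a plain nested call, `conn = put_format(build_conn(:get, "/doesntmattter", params), "activity+json")`, or as two assignments. The `/doesntmattter` path typo is harmless here but worth fixing while the line is being touched.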