From c899af1d6acad1895240a0247e9b91eca5db08df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?marcin=20miko=C5=82ajczak?= <git@mkljczk.pl>
Date: Thu, 14 Apr 2022 20:09:43 +0200
Subject: Reject requests from specified instances if `authorized_fetch_mode`
 is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
---
 test/pleroma/signature_test.exs                    |  8 +++
 .../pleroma/web/plugs/http_signature_plug_test.exs | 63 ++++++++++++++++++++--
 2 files changed, 67 insertions(+), 4 deletions(-)

(limited to 'test')

diff --git a/test/pleroma/signature_test.exs b/test/pleroma/signature_test.exs
index 92d05f26c..8f94efdc3 100644
--- a/test/pleroma/signature_test.exs
+++ b/test/pleroma/signature_test.exs
@@ -70,6 +70,14 @@ defmodule Pleroma.SignatureTest do
     end
   end
 
+  describe "get_actor_id/1" do
+    test "it returns actor id" do
+      ap_id = "https://mastodon.social/users/lambadalambda"
+
+      assert Signature.get_actor_id(make_fake_conn(ap_id)) == {:ok, ap_id}
+    end
+  end
+
   describe "sign/2" do
     test "it returns signature headers" do
       user =
diff --git a/test/pleroma/web/plugs/http_signature_plug_test.exs b/test/pleroma/web/plugs/http_signature_plug_test.exs
index 2d8fba3cd..de68e8823 100644
--- a/test/pleroma/web/plugs/http_signature_plug_test.exs
+++ b/test/pleroma/web/plugs/http_signature_plug_test.exs
@@ -10,11 +10,15 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
   import Phoenix.Controller, only: [put_format: 2]
   import Mock
 
-  test "it call HTTPSignatures to check validity if the actor sighed it" do
+  test "it call HTTPSignatures to check validity if the actor signed it" do
     params = %{"actor" => "http://mastodon.example.org/users/admin"}
     conn = build_conn(:get, "/doesntmattter", params)
 
-    with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+    with_mock HTTPSignatures,
+      validate_conn: fn _ -> true end,
+      signature_for_conn: fn _ ->
+        %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+      end do
       conn =
         conn
         |> put_req_header(
@@ -41,7 +45,11 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
     end
 
     test "when signature header is present", %{conn: conn} do
-      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+      with_mock HTTPSignatures,
+        validate_conn: fn _ -> false end,
+        signature_for_conn: fn _ ->
+          %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+        end do
         conn =
           conn
           |> put_req_header(
@@ -58,7 +66,11 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
         assert called(HTTPSignatures.validate_conn(:_))
       end
 
-      with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+      with_mock HTTPSignatures,
+        validate_conn: fn _ -> true end,
+        signature_for_conn: fn _ ->
+          %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+        end do
         conn =
           conn
           |> put_req_header(
@@ -82,4 +94,47 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
       assert conn.resp_body == "Request not signed"
     end
   end
+
+  test "rejects requests from `rejected_instances` when `authorized_fetch_mode` is enabled" do
+    clear_config([:activitypub, :authorized_fetch_mode], true)
+    clear_config([:instance, :rejected_instances], [{"mastodon.example.org", "no reason"}])
+
+    with_mock HTTPSignatures,
+      validate_conn: fn _ -> true end,
+      signature_for_conn: fn _ ->
+        %{"keyId" => "http://mastodon.example.org/users/admin#main-key"}
+      end do
+      conn =
+        build_conn(:get, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
+        |> put_req_header(
+          "signature",
+          "keyId=\"http://mastodon.example.org/users/admin#main-key"
+        )
+        |> put_format("activity+json")
+        |> HTTPSignaturePlug.call(%{})
+
+      assert conn.assigns.valid_signature == true
+      assert conn.halted == true
+      assert called(HTTPSignatures.validate_conn(:_))
+    end
+
+    with_mock HTTPSignatures,
+      validate_conn: fn _ -> true end,
+      signature_for_conn: fn _ ->
+        %{"keyId" => "http://allowed.example.org/users/admin#main-key"}
+      end do
+      conn =
+        build_conn(:get, "/doesntmattter", %{"actor" => "http://allowed.example.org/users/admin"})
+        |> put_req_header(
+          "signature",
+          "keyId=\"http://allowed.example.org/users/admin#main-key"
+        )
+        |> put_format("activity+json")
+        |> HTTPSignaturePlug.call(%{})
+
+      assert conn.assigns.valid_signature == true
+      assert conn.halted == false
+      assert called(HTTPSignatures.validate_conn(:_))
+    end
+  end
 end
-- 
cgit v1.2.3