166 lines
5.2 KiB
Elixir
166 lines
5.2 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
|
|
use Pleroma.Web.ConnCase, async: true
|
|
|
|
alias Pleroma.StaticStubbedConfigMock, as: ConfigMock
|
|
alias Pleroma.StubbedHTTPSignaturesMock, as: HTTPSignaturesMock
|
|
alias Pleroma.Web.Plugs.HTTPSignaturePlug
|
|
|
|
import Mox
|
|
import Phoenix.Controller, only: [put_format: 2]
|
|
import Plug.Conn
|
|
|
|
test "it calls HTTPSignatures to check validity if the actor signed it" do
|
|
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
|
conn = build_conn(:get, "/doesntmattter", params)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, fn _ -> true end)
|
|
|
|
conn =
|
|
conn
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> put_format("activity+json")
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.halted == false
|
|
end
|
|
|
|
describe "requires a signature when `authorized_fetch_mode` is enabled" do
|
|
setup do
|
|
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
|
conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
|
|
|
|
[conn: conn]
|
|
end
|
|
|
|
test "when signature header is present", %{conn: orig_conn} do
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode_exceptions], [] -> [] end)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, 2, fn _ -> false end)
|
|
|
|
conn =
|
|
orig_conn
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == false
|
|
assert conn.halted == true
|
|
assert conn.status == 401
|
|
assert conn.state == :sent
|
|
assert conn.resp_body == "Request not signed"
|
|
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, fn _ -> true end)
|
|
|
|
conn =
|
|
orig_conn
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.halted == false
|
|
end
|
|
|
|
test "halts the connection when `signature` header is not present", %{conn: conn} do
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode_exceptions], [] -> [] end)
|
|
|
|
conn = HTTPSignaturePlug.call(conn, %{})
|
|
assert conn.assigns[:valid_signature] == nil
|
|
assert conn.halted == true
|
|
assert conn.status == 401
|
|
assert conn.state == :sent
|
|
assert conn.resp_body == "Request not signed"
|
|
end
|
|
|
|
test "exempts specific IPs from `authorized_fetch_mode_exceptions`", %{conn: conn} do
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode_exceptions], [] ->
|
|
["192.168.0.0/24"]
|
|
end)
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, 2, fn _ -> false end)
|
|
|
|
conn =
|
|
conn
|
|
|> Map.put(:remote_ip, {192, 168, 0, 1})
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.remote_ip == {192, 168, 0, 1}
|
|
assert conn.halted == false
|
|
end
|
|
end
|
|
|
|
test "rejects requests from `rejected_instances` when `authorized_fetch_mode` is enabled" do
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|> expect(:get, fn [:instance, :rejected_instances] ->
|
|
[{"mastodon.example.org", "no reason"}]
|
|
end)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, fn _ -> true end)
|
|
|
|
conn =
|
|
build_conn(:get, "/doesntmattter", %{"actor" => "http://mastodon.example.org/users/admin"})
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://mastodon.example.org/users/admin#main-key"
|
|
)
|
|
|> put_format("activity+json")
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.halted == true
|
|
|
|
ConfigMock
|
|
|> expect(:get, fn [:activitypub, :authorized_fetch_mode], false -> true end)
|
|
|> expect(:get, fn [:instance, :rejected_instances] ->
|
|
[{"mastodon.example.org", "no reason"}]
|
|
end)
|
|
|
|
HTTPSignaturesMock
|
|
|> expect(:validate_conn, fn _ -> true end)
|
|
|
|
conn =
|
|
build_conn(:get, "/doesntmattter", %{"actor" => "http://allowed.example.org/users/admin"})
|
|
|> put_req_header(
|
|
"signature",
|
|
"keyId=\"http://allowed.example.org/users/admin#main-key"
|
|
)
|
|
|> put_format("activity+json")
|
|
|> HTTPSignaturePlug.call(%{})
|
|
|
|
assert conn.assigns.valid_signature == true
|
|
assert conn.halted == false
|
|
end
|
|
end
|