test/plugs/http_signature_plug_test.exs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
  use Pleroma.Web.ConnCase
  alias Pleroma.Web.Plugs.HTTPSignaturePlug

  import Plug.Conn
  import Phoenix.Controller, only: [put_format: 2]
  import Mock

  test "it call HTTPSignatures to check validity if the actor sighed it" do
    params = %{"actor" => "http://mastodon.example.org/users/admin"}
    conn = build_conn(:get, "/doesntmattter", params)

    with_mock HTTPSignatures, validate_conn: fn _ -> true end do
      conn =
        conn
        |> put_req_header(
          "signature",
          "keyId=\"http://mastodon.example.org/users/admin#main-key"
        )
        |> put_format("activity+json")
        |> HTTPSignaturePlug.call(%{})

      assert conn.assigns.valid_signature == true
      assert conn.halted == false
      assert called(HTTPSignatures.validate_conn(:_))
    end
  end

  describe "requires a signature when `authorized_fetch_mode` is enabled" do
    setup do
      Pleroma.Config.put([:activitypub, :authorized_fetch_mode], true)

      on_exit(fn ->
        Pleroma.Config.put([:activitypub, :authorized_fetch_mode], false)
      end)

      params = %{"actor" => "http://mastodon.example.org/users/admin"}
      conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")

      [conn: conn]
    end

    test "when signature header is present", %{conn: conn} do
      with_mock HTTPSignatures, validate_conn: fn _ -> false end do
        conn =
          conn
          |> put_req_header(
            "signature",
            "keyId=\"http://mastodon.example.org/users/admin#main-key"
          )
          |> HTTPSignaturePlug.call(%{})

        assert conn.assigns.valid_signature == false
        assert conn.halted == true
        assert conn.status == 401
        assert conn.state == :sent
        assert conn.resp_body == "Request not signed"
        assert called(HTTPSignatures.validate_conn(:_))
      end

      with_mock HTTPSignatures, validate_conn: fn _ -> true end do
        conn =
          conn
          |> put_req_header(
            "signature",
            "keyId=\"http://mastodon.example.org/users/admin#main-key"
          )
          |> HTTPSignaturePlug.call(%{})

        assert conn.assigns.valid_signature == true
        assert conn.halted == false
        assert called(HTTPSignatures.validate_conn(:_))
      end
    end

    test "halts the connection when `signature` header is not present", %{conn: conn} do
      conn = HTTPSignaturePlug.call(conn, %{})
      assert conn.assigns[:valid_signature] == nil
      assert conn.halted == true
      assert conn.status == 401
      assert conn.state == :sent
      assert conn.resp_body == "Request not signed"
    end
  end
end