1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
6 use Pleroma.Web.ConnCase
8 alias Pleroma.Web.Plugs.HTTPSignaturePlug
11 import Phoenix.Controller, only: [put_format: 2]
14 test "it call HTTPSignatures to check validity if the actor sighed it" do
15 params = %{"actor" => "http://mastodon.example.org/users/admin"}
16 conn = build_conn(:get, "/doesntmattter", params)
18 with_mock HTTPSignatures, validate_conn: fn _ -> true end do
23 "keyId=\"http://mastodon.example.org/users/admin#main-key"
25 |> put_format("activity+json")
26 |> HTTPSignaturePlug.call(%{})
28 assert conn.assigns.valid_signature == true
29 assert conn.halted == false
30 assert called(HTTPSignatures.validate_conn(:_))
34 describe "requires a signature when `authorized_fetch_mode` is enabled" do
36 clear_config([:activitypub, :authorized_fetch_mode], true)
38 params = %{"actor" => "http://mastodon.example.org/users/admin"}
39 conn = build_conn(:get, "/doesntmattter", params) |> put_format("activity+json")
44 test "when signature header is present", %{conn: conn} do
45 with_mock HTTPSignatures, validate_conn: fn _ -> false end do
50 "keyId=\"http://mastodon.example.org/users/admin#main-key"
52 |> HTTPSignaturePlug.call(%{})
54 assert conn.assigns.valid_signature == false
55 assert conn.halted == true
56 assert conn.status == 401
57 assert conn.state == :sent
58 assert conn.resp_body == "Request not signed"
59 assert called(HTTPSignatures.validate_conn(:_))
62 with_mock HTTPSignatures, validate_conn: fn _ -> true end do
67 "keyId=\"http://mastodon.example.org/users/admin#main-key"
69 |> HTTPSignaturePlug.call(%{})
71 assert conn.assigns.valid_signature == true
72 assert conn.halted == false
73 assert called(HTTPSignatures.validate_conn(:_))
77 test "halts the connection when `signature` header is not present", %{conn: conn} do
78 conn = HTTPSignaturePlug.call(conn, %{})
79 assert conn.assigns[:valid_signature] == nil
80 assert conn.halted == true
81 assert conn.status == 401
82 assert conn.state == :sent
83 assert conn.resp_body == "Request not signed"
86 test "aliases redirected /object endpoints", _ do
88 act = insert(:note_activity, note: obj)
89 params = %{"actor" => "http://mastodon.example.org/users/admin"}
90 path = URI.parse(obj.data["id"]).path
91 conn = build_conn(:get, path, params)
92 assert ["/notice/#{act.id}"] == HTTPSignaturePlug.route_aliases(conn)