Add more tests for self-destruct mode (#30374)

main-rebase-security-fix
Claire 2024-05-20 12:06:51 +02:00 committed by GitHub
parent def6b686ff
commit de4815afda
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 162 additions and 0 deletions

View File

@ -0,0 +1,70 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe SelfDestructHelper do
describe 'self_destruct?' do
context 'when SELF_DESTRUCT is unset' do
it 'returns false' do
expect(helper.self_destruct?).to be false
end
end
context 'when SELF_DESTRUCT is set to an invalid value' do
around do |example|
ClimateControl.modify SELF_DESTRUCT: 'true' do
example.run
end
end
it 'returns false' do
expect(helper.self_destruct?).to be false
end
end
context 'when SELF_DESTRUCT is set to value signed for the wrong purpose' do
around do |example|
ClimateControl.modify(
SELF_DESTRUCT: Rails.application.message_verifier('foo').generate('example.com'),
LOCAL_DOMAIN: 'example.com'
) do
example.run
end
end
it 'returns false' do
expect(helper.self_destruct?).to be false
end
end
context 'when SELF_DESTRUCT is set to value signed for the wrong domain' do
around do |example|
ClimateControl.modify(
SELF_DESTRUCT: Rails.application.message_verifier('self-destruct').generate('foo.com'),
LOCAL_DOMAIN: 'example.com'
) do
example.run
end
end
it 'returns false' do
expect(helper.self_destruct?).to be false
end
end
context 'when SELF_DESTRUCT is set to a correctly-signed value' do
around do |example|
ClimateControl.modify(
SELF_DESTRUCT: Rails.application.message_verifier('self-destruct').generate('example.com'),
LOCAL_DOMAIN: 'example.com'
) do
example.run
end
end
it 'returns true' do
expect(helper.self_destruct?).to be true
end
end
end
end

View File

@ -0,0 +1,92 @@
# frozen_string_literal: true
require 'rails_helper'
describe 'Self-destruct mode' do
before do
allow(SelfDestructHelper).to receive(:self_destruct?).and_return(true)
end
shared_examples 'generic logged out request' do |path|
it 'returns 410 gone and mentions self-destruct' do
get path, headers: { 'Accept' => 'text/html' }
expect(response).to have_http_status(410)
expect(response.body).to include(I18n.t('self_destruct.title'))
end
end
shared_examples 'accessible logged-in endpoint' do |path|
it 'returns 200 ok' do
get path
expect(response).to have_http_status(200)
end
end
shared_examples 'ActivityPub request' do |path|
context 'without signature' do
it 'returns 410 gone' do
get path, headers: {
'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}
expect(response).to have_http_status(410)
end
end
context 'with invalid signature' do
it 'returns 410 gone' do
get path, headers: {
'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="bar"',
}
expect(response).to have_http_status(410)
end
end
end
context 'when requesting various unavailable endpoints' do
it_behaves_like 'generic logged out request', '/'
it_behaves_like 'generic logged out request', '/about'
it_behaves_like 'generic logged out request', '/public'
end
context 'when requesting a suspended account' do
let(:suspended) { Fabricate(:account, username: 'suspended') }
before do
suspended.suspend!
end
it_behaves_like 'generic logged out request', '/@suspended'
it_behaves_like 'ActivityPub request', '/users/suspended'
it_behaves_like 'ActivityPub request', '/users/suspended/followers'
it_behaves_like 'ActivityPub request', '/users/suspended/outbox'
end
context 'when requesting a non-suspended account' do
before do
Fabricate(:account, username: 'bob')
end
it_behaves_like 'generic logged out request', '/@bob'
it_behaves_like 'ActivityPub request', '/users/bob'
it_behaves_like 'ActivityPub request', '/users/bob/followers'
it_behaves_like 'ActivityPub request', '/users/bob/outbox'
end
context 'when accessing still-enabled endpoints when logged in' do
let(:user) { Fabricate(:user) }
before do
sign_in(user)
end
it_behaves_like 'accessible logged-in endpoint', '/auth/edit'
it_behaves_like 'accessible logged-in endpoint', '/settings/export'
it_behaves_like 'accessible logged-in endpoint', '/settings/login_activities'
it_behaves_like 'accessible logged-in endpoint', '/settings/exports/follows.csv'
end
end