From f1d96e40a34313e788a33aca654b12c18c8525f6 Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 3 May 2017 20:40:14 +0200 Subject: [PATCH] Additional specs for URI handling (#2759) --- spec/fixtures/requests/localdomain-feed.txt | 57 +++++++++++++++++++ .../requests/localdomain-hostmeta.txt | 14 +++++ .../requests/localdomain-webfinger.txt | 20 +++++++ .../follow_remote_account_service_spec.rb | 12 ++++ .../process_interaction_service_spec.rb | 30 ++++++++++ 5 files changed, 133 insertions(+) create mode 100644 spec/fixtures/requests/localdomain-feed.txt create mode 100644 spec/fixtures/requests/localdomain-hostmeta.txt create mode 100644 spec/fixtures/requests/localdomain-webfinger.txt diff --git a/spec/fixtures/requests/localdomain-feed.txt b/spec/fixtures/requests/localdomain-feed.txt new file mode 100644 index 0000000000..b69972a4d7 --- /dev/null +++ b/spec/fixtures/requests/localdomain-feed.txt @@ -0,0 +1,57 @@ +HTTP/1.1 200 OK +Date: Thu, 20 Apr 2017 07:36:08 GMT +Content-Type: application/atom+xml; charset=utf-8 +Transfer-Encoding: chunked +Connection: keep-alive +Server: Mastodon +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +Link: ; rel="lrdd"; type="application/xrd+xml", ; rel="alternate"; type="application/atom+xml" +Vary: Accept-Encoding +ETag: W/"1fa54baac599205a1e54c136dea2b671" +Cache-Control: max-age=0, private, must-revalidate +Set-Cookie: _mastodon_session=Vk5XbERyQ0NscjJhdEw1eVEyY3JwQTlBVThObUJ1N3NFcVlJaCtpNU5FSmZlTzFIZ2FqSzhVY1lneFlLQ1haNkh1SDM5L0FSdnFLTGwwTnhJMy9qWWI5aWRnM1NOU1NLTmtuamR5cG5Ebm8vekFNL20ydGkxYXFXU2FwVTF1NnctLXdxdFhNVFA2VmlFVm5BY25QU2N1clE9PQ%3D%3D--47e86fed56f94d3998bfc3837af8de93ec8c104e; path=/; secure; HttpOnly +X-Request-Id: 071ec889-04fb-4efa-b55e-81eb90772b50 +X-Runtime: 1.173933 +Strict-Transport-Security: max-age=31536000; includeSubDomains + + + + https://webdomain.com/users/foo.atom + foo + foo + 2017-04-08T15:38:58Z + https://quitter.no/avatar/7477-300-20160211190340.png + + https://webdomain.com/users/foo + http://activitystrea.ms/schema/1.0/person + https://webdomain.com/users/foo + foo + foo@localdomain.com + foo + + + foo + foo + foo + public + + + + + + + tag:localdomain.com,2017-04-19:objectId=12774:objectType=Status + 2017-04-19T22:28:01Z + 2017-04-19T22:28:01Z + New status by foo + http://activitystrea.ms/schema/1.0/comment + http://activitystrea.ms/schema/1.0/post + <p>Meh, ça foire l&apos;attribution des boosts.<br />Faudra que je corrige ça…</p> + unlisted + + + + + diff --git a/spec/fixtures/requests/localdomain-hostmeta.txt b/spec/fixtures/requests/localdomain-hostmeta.txt new file mode 100644 index 0000000000..0639d6f991 --- /dev/null +++ b/spec/fixtures/requests/localdomain-hostmeta.txt @@ -0,0 +1,14 @@ +HTTP/1.1 200 OK +Server: nginx/1.6.2 +Date: Sun, 20 Mar 2016 11:11:00 GMT +Content-Type: application/xrd+xml +Transfer-Encoding: chunked +Connection: keep-alive +Access-Control-Allow-Origin: * +Vary: Accept-Encoding,Cookie +Strict-Transport-Security: max-age=31536000; includeSubdomains; + + + + + diff --git a/spec/fixtures/requests/localdomain-webfinger.txt b/spec/fixtures/requests/localdomain-webfinger.txt new file mode 100644 index 0000000000..6c2a366aba --- /dev/null +++ b/spec/fixtures/requests/localdomain-webfinger.txt @@ -0,0 +1,20 @@ +HTTP/1.1 200 OK +Server: nginx/1.6.2 +Date: Sun, 20 Mar 2016 11:11:00 GMT +Content-Type: application/xrd+xml +Transfer-Encoding: chunked +Connection: keep-alive +Access-Control-Allow-Origin: * +Vary: Accept-Encoding,Cookie +Strict-Transport-Security: max-age=31536000; includeSubdomains; + + + + acct:foo@localdomain.com + https://webdomain.com/@foo + + + + + + diff --git a/spec/services/follow_remote_account_service_spec.rb b/spec/services/follow_remote_account_service_spec.rb index f087bc4bcc..9ae9ff0ce5 100644 --- a/spec/services/follow_remote_account_service_spec.rb +++ b/spec/services/follow_remote_account_service_spec.rb @@ -15,6 +15,10 @@ RSpec.describe FollowRemoteAccountService do stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404) stub_request(:get, "https://quitter.no/api/statuses/user_timeline/7477.atom").to_return(request_fixture('feed.txt')) stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt')) + stub_request(:get, "https://localdomain.com/.well-known/host-meta").to_return(request_fixture('localdomain-hostmeta.txt')) + stub_request(:get, "https://localdomain.com/.well-known/webfinger?resource=acct:foo@localdomain.com").to_return(status: 404) + stub_request(:get, "https://webdomain.com/.well-known/webfinger?resource=acct:foo@localdomain.com").to_return(request_fixture('localdomain-webfinger.txt')) + stub_request(:get, "https://webdomain.com/users/foo.atom").to_return(request_fixture('localdomain-feed.txt')) end it 'raises error if no such user can be resolved via webfinger' do @@ -56,4 +60,12 @@ RSpec.describe FollowRemoteAccountService do it 'prevents hijacking inexisting accounts' do expect { subject.call('hacker2@redirected.com') }.to raise_error Goldfinger::Error end + + it 'returns a new remote account' do + account = subject.call('foo@localdomain.com') + + expect(account.username).to eq 'foo' + expect(account.domain).to eq 'localdomain.com' + expect(account.remote_url).to eq 'https://webdomain.com/users/foo.atom' + end end diff --git a/spec/services/process_interaction_service_spec.rb b/spec/services/process_interaction_service_spec.rb index 0845e09ed2..f589f690df 100644 --- a/spec/services/process_interaction_service_spec.rb +++ b/spec/services/process_interaction_service_spec.rb @@ -3,6 +3,7 @@ require 'rails_helper' RSpec.describe ProcessInteractionService do let(:receiver) { Fabricate(:user, email: 'alice@example.com', account: Fabricate(:account, username: 'alice')).account } let(:sender) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } + let(:remote_sender) { Fabricate(:account, username: 'carol', domain: 'localdomain.com', uri: 'https://webdomain.com/users/carol') } subject { ProcessInteractionService.new } @@ -31,6 +32,35 @@ XML end end + describe 'follow request slap from known remote user identified by email' do + before do + receiver.update(locked: true) + # Copy already-generated key + remote_sender.update(private_key: sender.private_key, public_key: remote_sender.public_key) + + payload = < + + carol@localdomain.com + carol + https://webdomain.com/users/carol + + + someIdHere + http://activitystrea.ms/schema/1.0/request-friend + +XML + + envelope = OStatus2::Salmon.new.pack(payload, remote_sender.keypair) + subject.call(envelope, receiver) + end + + it 'creates a record' do + expect(FollowRequest.find_by(account: remote_sender, target_account: receiver)).to_not be_nil + end + end + + describe 'follow request authorization slap' do before do receiver.update(locked: true)