diff options
| author | lain <lain@soykaf.club> | 2018-04-02 13:13:14 +0200 |
|---|---|---|
| committer | lain <lain@soykaf.club> | 2018-04-02 13:13:14 +0200 |
| commit | 0a14d155d6a55366449bc8dea638e24200bb3dd0 (patch) | |
| tree | 1c320a672a5fddeba5aa10eb43ea5470d924bce8 | |
| parent | 1b57522bba4bbe2843b7c68d37e0530387e5b8f3 (diff) | |
| download | pleroma-0a14d155d6a55366449bc8dea638e24200bb3dd0.tar.gz | |
Fail faster.
| -rw-r--r-- | lib/pleroma/plugs/http_signature.ex | 29 | ||||
| -rw-r--r-- | test/plugs/http_signature_plug_test.exs | 44 |
2 files changed, 62 insertions, 11 deletions
diff --git a/lib/pleroma/plugs/http_signature.ex b/lib/pleroma/plugs/http_signature.ex index af160f3ee..8b9ccdd2d 100644 --- a/lib/pleroma/plugs/http_signature.ex +++ b/lib/pleroma/plugs/http_signature.ex @@ -14,19 +14,26 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do def call(conn, opts) do user = conn.params["actor"] Logger.debug("Checking sig for #{user}") + [signature | _] = get_req_header(conn, "signature") - if get_req_header(conn, "signature") do - conn = - conn - |> put_req_header( - "(request-target)", - String.downcase("#{conn.method}") <> " #{conn.request_path}" - ) + cond do + signature && String.contains?(signature, user) -> + conn = + conn + |> put_req_header( + "(request-target)", + String.downcase("#{conn.method}") <> " #{conn.request_path}" + ) + + assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn)) - assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn)) - else - Logger.debug("No signature header!") - conn + signature -> + Logger.debug("Signature not from actor") + assign(conn, :valid_signature, false) + + true -> + Logger.debug("No signature header!") + conn end end end diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs new file mode 100644 index 000000000..a15c5b470 --- /dev/null +++ b/test/plugs/http_signature_plug_test.exs @@ -0,0 +1,44 @@ +defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do + use Pleroma.Web.ConnCase + alias Pleroma.Web.HTTPSignatures + alias Pleroma.Web.Plugs.HTTPSignaturePlug + + import Plug.Conn + import Mock + + test "it call HTTPSignatures to check validity if the actor sighed it" do + params = %{"actor" => "http://mastodon.example.org/users/admin"} + conn = build_conn(:get, "/doesntmattter", params) + + with_mock HTTPSignatures, validate_conn: fn _ -> true end do + conn = + conn + |> put_req_header( + "signature", + "keyId=\"http://mastodon.example.org/users/admin#main-key" + ) + |> HTTPSignaturePlug.call(%{}) + + assert conn.assigns.valid_signature == true + assert called(HTTPSignatures.validate_conn(:_)) + end + end + + test "bails out early if the signature isn't by the activity actor" do + params = %{"actor" => "https://mst3k.interlinked.me/users/luciferMysticus"} + conn = build_conn(:get, "/doesntmattter", params) + + with_mock HTTPSignatures, validate_conn: fn _ -> false end do + conn = + conn + |> put_req_header( + "signature", + "keyId=\"http://mastodon.example.org/users/admin#main-key" + ) + |> HTTPSignaturePlug.call(%{}) + + assert conn.assigns.valid_signature == false + refute called(HTTPSignatures.validate_conn(:_)) + end + end +end |