-rw-r--r--config/config.exs3
-rw-r--r--lib/pleroma/gopher/server.ex10
-rw-r--r--lib/pleroma/plugs/http_signature.ex29
-rw-r--r--mix.exs3
-rw-r--r--mix.lock2
-rw-r--r--test/plugs/http_signature_plug_test.exs44
-rw-r--r--test/web/twitter_api/twitter_api_controller_test.exs14
7 files changed, 82 insertions, 23 deletions
diff --git a/config/config.exs b/config/config.exs
index cf8d6c2b7..68c054457 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -27,7 +27,8 @@ config :logger, :console,
config :mime, :types, %{
"application/xrd+xml" => ["xrd+xml"],
- "application/activity+json" => ["activity+json"]
+ "application/activity+json" => ["activity+json"],
+ "application/ld+json" => ["activity+json"]
}
config :pleroma, :websub, Pleroma.Web.Websub
diff --git a/lib/pleroma/gopher/server.ex b/lib/pleroma/gopher/server.ex
index cfce4c05c..82e241f21 100644
--- a/lib/pleroma/gopher/server.ex
+++ b/lib/pleroma/gopher/server.ex
@@ -51,8 +51,9 @@ defmodule Pleroma.Gopher.Server.ProtocolHandler do
def info(text) do
text = String.replace(text, ~r/[\t\n]/, "")
+
String.split(text, "\r")
- |> Enum.map(fn (text) ->
+ |> Enum.map(fn text ->
"i#{text}\tfake\(NULL)\t0\r\n"
end)
|> Enum.join("")
@@ -82,7 +83,12 @@ defmodule Pleroma.Gopher.Server.ProtocolHandler do
link("Post ##{activity.id} by #{user.nickname}", "/notices/#{activity.id}") <>
info("#{like_count} likes, #{announcement_count} repeats") <>
- "\r\n" <> info(HtmlSanitizeEx.strip_tags(String.replace(activity.data["object"]["content"], "<br>", "\r")))
+ "\r\n" <>
+ info(
+ HtmlSanitizeEx.strip_tags(
+ String.replace(activity.data["object"]["content"], "<br>", "\r")
+ )
+ )
end)
|> Enum.join("\r\n")
end
diff --git a/lib/pleroma/plugs/http_signature.ex b/lib/pleroma/plugs/http_signature.ex
index af160f3ee..8b9ccdd2d 100644
--- a/lib/pleroma/plugs/http_signature.ex
+++ b/lib/pleroma/plugs/http_signature.ex
@@ -14,19 +14,26 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
def call(conn, opts) do
user = conn.params["actor"]
Logger.debug("Checking sig for #{user}")
+ [signature | _] = get_req_header(conn, "signature")
- if get_req_header(conn, "signature") do
- conn =
- conn
- |> put_req_header(
- "(request-target)",
- String.downcase("#{conn.method}") <> " #{conn.request_path}"
- )
+ cond do
+ signature && String.contains?(signature, user) ->
+ conn =
+ conn
+ |> put_req_header(
+ "(request-target)",
+ String.downcase("#{conn.method}") <> " #{conn.request_path}"
+ )
+
+ assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
- assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
- else
- Logger.debug("No signature header!")
- conn
+ signature ->
+ Logger.debug("Signature not from actor")
+ assign(conn, :valid_signature, false)
+
+ true ->
+ Logger.debug("No signature header!")
+ conn
end
end
end
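Review bot: In `call/2`, the new binding `[signature | _] = get_req_header(conn, "signature")` raises a MatchError for a request that carries no Signature header, because `get_req_header/2` returns `[]` in that case; the `true ->` branch that logs "No signature header!" is therefore unreachable and an unsigned request would crash instead of passing through. Binding it as `signature = conn |> get_req_header("signature") |> List.first()` keeps all three `cond` branches live. The actor check `String.contains?(signature, user)` is also looser than it reads: it raises when the `actor` param is absent (`user` is nil), and it passes whenever the actor URL occurs anywhere in the header value, so comparing the actor with the parsed `keyId` parameter (minus its fragment) before calling `HTTPSignatures.validate_conn/1` would tie the check to the key that is actually verified. The module header is outside this hunk.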
diff --git a/mix.exs b/mix.exs
index 277c81672..dfb8f6c22 100644
--- a/mix.exs
+++ b/mix.exs
@@ -45,7 +45,8 @@ defmodule Pleroma.Mixfile do
{:httpoison, "~> 0.11.2"},
{:jason, "~> 1.0"},
{:ex_machina, "~> 2.0", only: :test},
- {:credo, "~> 0.7", only: [:dev, :test]}
+ {:credo, "~> 0.7", only: [:dev, :test]},
+ {:mock, "~> 0.3.0", only: :test}
]
end
diff --git a/mix.lock b/mix.lock
index 80c7436fc..cf29176cc 100644
--- a/mix.lock
+++ b/mix.lock
@@ -24,11 +24,13 @@
"httpoison": {:hex, :httpoison, "0.11.2", "9e59f17a473ef6948f63c51db07320477bad8ba88cf1df60a3eee01150306665", [:mix], [{:hackney, "~> 1.8.0", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm"},
"idna": {:hex, :idna, "5.0.2", "ac203208ada855d95dc591a764b6e87259cb0e2a364218f215ad662daa8cd6b4", [:rebar3], [{:unicode_util_compat, "0.2.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm"},
"jason": {:hex, :jason, "1.0.0", "0f7cfa9bdb23fed721ec05419bcee2b2c21a77e926bce0deda029b5adc716fe2", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
+ "meck": {:hex, :meck, "0.8.9", "64c5c0bd8bcca3a180b44196265c8ed7594e16bcc845d0698ec6b4e577f48188", [:rebar3], [], "hexpm"},
"metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm"},
"mime": {:hex, :mime, "1.2.0", "78adaa84832b3680de06f88f0997e3ead3b451a440d183d688085be2d709b534", [:mix], [], "hexpm"},
"mimerl": {:hex, :mimerl, "1.0.2", "993f9b0e084083405ed8252b99460c4f0563e41729ab42d9074fd5e52439be88", [:rebar3], [], "hexpm"},
"mix_test_watch": {:hex, :mix_test_watch, "0.3.3", "70859889a8d1d43d1b75d69d87258a301f43209a17787cdb2bd9cab42adf271d", [:mix], [{:fs, "~> 2.12", [hex: :fs, optional: false]}]},
"mochiweb": {:hex, :mochiweb, "2.15.0", "e1daac474df07651e5d17cc1e642c4069c7850dc4508d3db7263a0651330aacc", [:rebar3], [], "hexpm"},
+ "mock": {:hex, :mock, "0.3.1", "994f00150f79a0ea50dc9d86134cd9ebd0d177ad60bd04d1e46336cdfdb98ff9", [:mix], [{:meck, "~> 0.8.8", [hex: :meck, repo: "hexpm", optional: false]}], "hexpm"},
"phoenix": {:hex, :phoenix, "1.3.2", "2a00d751f51670ea6bc3f2ba4e6eb27ecb8a2c71e7978d9cd3e5de5ccf7378bd", [:mix], [{:cowboy, "~> 1.0", [hex: :cowboy, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: false]}, {:poison, "~> 2.2 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"},
"phoenix_ecto": {:hex, :phoenix_ecto, "3.3.0", "702f6e164512853d29f9d20763493f2b3bcfcb44f118af2bc37bb95d0801b480", [:mix], [{:ecto, "~> 2.1", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.9", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm"},
"phoenix_html": {:hex, :phoenix_html, "2.11.1", "77b6f7fbd252168c6ec4f573de648d37cc5258cda13266ef001fbf99267eb6f3", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm"},
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
new file mode 100644
index 000000000..a15c5b470
--- /dev/null
+++ b/test/plugs/http_signature_plug_test.exs
@@ -0,0 +1,44 @@
+defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
+ use Pleroma.Web.ConnCase
+ alias Pleroma.Web.HTTPSignatures
+ alias Pleroma.Web.Plugs.HTTPSignaturePlug
+
+ import Plug.Conn
+ import Mock
+
+ test "it call HTTPSignatures to check validity if the actor sighed it" do
+ params = %{"actor" => "http://mastodon.example.org/users/admin"}
+ conn = build_conn(:get, "/doesntmattter", params)
+
+ with_mock HTTPSignatures, validate_conn: fn _ -> true end do
+ conn =
+ conn
+ |> put_req_header(
+ "signature",
+ "keyId=\"http://mastodon.example.org/users/admin#main-key"
+ )
+ |> HTTPSignaturePlug.call(%{})
+
+ assert conn.assigns.valid_signature == true
+ assert called(HTTPSignatures.validate_conn(:_))
+ end
+ end
+
+ test "bails out early if the signature isn't by the activity actor" do
+ params = %{"actor" => "https://mst3k.interlinked.me/users/luciferMysticus"}
+ conn = build_conn(:get, "/doesntmattter", params)
+
+ with_mock HTTPSignatures, validate_conn: fn _ -> false end do
+ conn =
+ conn
+ |> put_req_header(
+ "signature",
+ "keyId=\"http://mastodon.example.org/users/admin#main-key"
+ )
+ |> HTTPSignaturePlug.call(%{})
+
+ assert conn.assigns.valid_signature == false
+ refute called(HTTPSignatures.validate_conn(:_))
+ end
+ end
+end
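Review bot: The new test file has no case for a request without a Signature header, which is the `true ->` branch of the plug's `cond`; with the header binding as written in `call/2`, such a test would fail with a MatchError rather than return the conn. There is also no case for a request whose `actor` param is missing. The fixture value `keyId=\"http://mastodon.example.org/users/admin#main-key` lacks its closing quote, and the first test name reads `it call ... sighed it` where `it calls ... signed it` is meant. A test along these lines would pin the missing-header path.

```elixir
test "passes the conn through untouched when there is no signature header" do
  params = %{"actor" => "http://mastodon.example.org/users/admin"}

  conn =
    :get
    |> build_conn("/doesntmattter", params)
    |> HTTPSignaturePlug.call(%{})

  refute Map.has_key?(conn.assigns, :valid_signature)
end
```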
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 5abdc2e0e..2cbcfd086 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -600,8 +600,9 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
|> assign(:user, user)
|> get("/api/statuses/followers")
- assert json_response(conn, 200) ==
- UserView.render("index.json", %{users: [follower_one, follower_two], for: user})
+ expected = UserView.render("index.json", %{users: [follower_one, follower_two], for: user})
+ result = json_response(conn, 200)
+ assert Enum.sort(expected) == Enum.sort(result)
end
end
@@ -620,12 +621,9 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
|> assign(:user, user)
|> get("/api/statuses/friends")
- assert MapSet.equal?(
- MapSet.new(json_response(conn, 200)),
- MapSet.new(
- UserView.render("index.json", %{users: [followed_one, followed_two], for: user})
- )
- )
+ expected = UserView.render("index.json", %{users: [followed_one, followed_two], for: user})
+ result = json_response(conn, 200)
+ assert Enum.sort(expected) == Enum.sort(result)
end
test "it returns a given user's friends with user_id", %{conn: conn} do