Additional specs for URI handling (#2759)
This commit is contained in:
parent
aa6a26a2d5
commit
8d4e7504b1
57
spec/fixtures/requests/localdomain-feed.txt
vendored
Normal file
57
spec/fixtures/requests/localdomain-feed.txt
vendored
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 20 Apr 2017 07:36:08 GMT
|
||||||
|
Content-Type: application/atom+xml; charset=utf-8
|
||||||
|
Transfer-Encoding: chunked
|
||||||
|
Connection: keep-alive
|
||||||
|
Server: Mastodon
|
||||||
|
X-Frame-Options: DENY
|
||||||
|
X-Content-Type-Options: nosniff
|
||||||
|
X-XSS-Protection: 1; mode=block
|
||||||
|
Link: <https://social.sitedethib.com/.well-known/webfinger?resource=acct%3AThib%40sitedethib.com>; rel="lrdd"; type="application/xrd+xml", <https://social.sitedethib.com/users/Thib.atom>; rel="alternate"; type="application/atom+xml"
|
||||||
|
Vary: Accept-Encoding
|
||||||
|
ETag: W/"1fa54baac599205a1e54c136dea2b671"
|
||||||
|
Cache-Control: max-age=0, private, must-revalidate
|
||||||
|
Set-Cookie: _mastodon_session=Vk5XbERyQ0NscjJhdEw1eVEyY3JwQTlBVThObUJ1N3NFcVlJaCtpNU5FSmZlTzFIZ2FqSzhVY1lneFlLQ1haNkh1SDM5L0FSdnFLTGwwTnhJMy9qWWI5aWRnM1NOU1NLTmtuamR5cG5Ebm8vekFNL20ydGkxYXFXU2FwVTF1NnctLXdxdFhNVFA2VmlFVm5BY25QU2N1clE9PQ%3D%3D--47e86fed56f94d3998bfc3837af8de93ec8c104e; path=/; secure; HttpOnly
|
||||||
|
X-Request-Id: 071ec889-04fb-4efa-b55e-81eb90772b50
|
||||||
|
X-Runtime: 1.173933
|
||||||
|
Strict-Transport-Security: max-age=31536000; includeSubDomains
|
||||||
|
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:activity="http://activitystrea.ms/spec/1.0/" xmlns:poco="http://portablecontacts.net/spec/1.0" xmlns:media="http://purl.org/syndication/atommedia" xmlns:ostatus="http://ostatus.org/schema/1.0" xmlns:mastodon="http://mastodon.social/schema/1.0">
|
||||||
|
<id>https://webdomain.com/users/foo.atom</id>
|
||||||
|
<title>foo</title>
|
||||||
|
<subtitle>foo</subtitle>
|
||||||
|
<updated>2017-04-08T15:38:58Z</updated>
|
||||||
|
<logo>https://quitter.no/avatar/7477-300-20160211190340.png</logo>
|
||||||
|
<author>
|
||||||
|
<id>https://webdomain.com/users/foo</id>
|
||||||
|
<activity:object-type>http://activitystrea.ms/schema/1.0/person</activity:object-type>
|
||||||
|
<uri>https://webdomain.com/users/foo</uri>
|
||||||
|
<name>foo</name>
|
||||||
|
<email>foo@localdomain.com</email>
|
||||||
|
<summary>foo</summary>
|
||||||
|
<link rel="alternate" type="text/html" href="https://webdomain.com/@foo"/>
|
||||||
|
<link rel="avatar" type="image/jpeg" media:width="120" media:height="120" href="https://quitter.no/avatar/7477-300-20160211190340.png"/>
|
||||||
|
<poco:preferredUsername>foo</poco:preferredUsername>
|
||||||
|
<poco:displayName>foo</poco:displayName>
|
||||||
|
<poco:note>foo</poco:note>
|
||||||
|
<mastodon:scope>public</mastodon:scope>
|
||||||
|
</author>
|
||||||
|
<link rel="alternate" type="text/html" href="https://webdomain.com/@foo"/>
|
||||||
|
<link rel="self" type="application/atom+xml" href="https://webdomain.com/users/foo.atom"/>
|
||||||
|
<link rel="hub" href="https://webdomain.com/api/push"/>
|
||||||
|
<link rel="salmon" href="https://webdomain.com/api/salmon/1"/>
|
||||||
|
<entry>
|
||||||
|
<id>tag:localdomain.com,2017-04-19:objectId=12774:objectType=Status</id>
|
||||||
|
<published>2017-04-19T22:28:01Z</published>
|
||||||
|
<updated>2017-04-19T22:28:01Z</updated>
|
||||||
|
<title>New status by foo</title>
|
||||||
|
<activity:object-type>http://activitystrea.ms/schema/1.0/comment</activity:object-type>
|
||||||
|
<activity:verb>http://activitystrea.ms/schema/1.0/post</activity:verb>
|
||||||
|
<content type="html" xml:lang="fr"><p>Meh, ça foire l&apos;attribution des boosts.<br />Faudra que je corrige ça…</p></content>
|
||||||
|
<mastodon:scope>unlisted</mastodon:scope>
|
||||||
|
<link rel="alternate" type="text/html" href="https://webdomain.com/users/foo/updates/93"/>
|
||||||
|
<link rel="self" type="application/atom+xml" href="https://webdomain.com/users/foo/updates/93.atom"/>
|
||||||
|
<thr:in-reply-to ref="tag:localdomain.com,2017-04-19:objectId=12658:objectType=Status" href="https://webdomain.com/@foo/12658"/>
|
||||||
|
</entry>
|
||||||
|
</feed>
|
14
spec/fixtures/requests/localdomain-hostmeta.txt
vendored
Normal file
14
spec/fixtures/requests/localdomain-hostmeta.txt
vendored
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
HTTP/1.1 200 OK
|
||||||
|
Server: nginx/1.6.2
|
||||||
|
Date: Sun, 20 Mar 2016 11:11:00 GMT
|
||||||
|
Content-Type: application/xrd+xml
|
||||||
|
Transfer-Encoding: chunked
|
||||||
|
Connection: keep-alive
|
||||||
|
Access-Control-Allow-Origin: *
|
||||||
|
Vary: Accept-Encoding,Cookie
|
||||||
|
Strict-Transport-Security: max-age=31536000; includeSubdomains;
|
||||||
|
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
|
||||||
|
<Link rel="lrdd" type="application/xrd+xml" template="https://webdomain.com/.well-known/webfinger?resource={uri}"/>
|
||||||
|
</XRD>
|
20
spec/fixtures/requests/localdomain-webfinger.txt
vendored
Normal file
20
spec/fixtures/requests/localdomain-webfinger.txt
vendored
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
HTTP/1.1 200 OK
|
||||||
|
Server: nginx/1.6.2
|
||||||
|
Date: Sun, 20 Mar 2016 11:11:00 GMT
|
||||||
|
Content-Type: application/xrd+xml
|
||||||
|
Transfer-Encoding: chunked
|
||||||
|
Connection: keep-alive
|
||||||
|
Access-Control-Allow-Origin: *
|
||||||
|
Vary: Accept-Encoding,Cookie
|
||||||
|
Strict-Transport-Security: max-age=31536000; includeSubdomains;
|
||||||
|
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
|
||||||
|
<Subject>acct:foo@localdomain.com</Subject>
|
||||||
|
<Alias>https://webdomain.com/@foo</Alias>
|
||||||
|
<Link rel="http://webfinger.net/rel/profile-page" type="text/html" href="https://webdomain.com/@foo"/>
|
||||||
|
<Link rel="http://schemas.google.com/g/2010#updates-from" type="application/atom+xml" href="https://webdomain.com/users/foo.atom"/>
|
||||||
|
<Link rel="salmon" href="https://webdomain.com/api/salmon/1"/>
|
||||||
|
<Link rel="magic-public-key" href="data:application/magic-public-key,RSA.wnIYUQp-jMqH8tzStBoVriiGtbMvH12IU125p-3shZHxJNDi7RHwseKi5ADEGwGwpXLMxqiyNlgCff1hG9DBc8MzHZi1V93F2hCOXK0bqZm2lbsWfjkpsDIdBZ8TltwSejuQCt_rqL-K5XCfknd94P7tHOCBnizQRBanj0IdcSSqh7CmRS5wa1UjwflXVMsgbDc2io1knMeMkXsl0jzwt-CFHprmITzWy9X6Ia4QevkntiXdMlwUf_UoJC7BRns-J-j_dz2LqFl1QfspMhR2R9p8plDSD-jjk8DUVSBFZ7GLWVHEd6dWkLncEVEeRLliCaQQBqF1huSuMDtYWfukWQ==.AQAB"/>
|
||||||
|
<Link rel="http://ostatus.org/schema/1.0/subscribe" template="https://webdomain.com/authorize_follow?acct={uri}"/>
|
||||||
|
</XRD>
|
@ -15,6 +15,10 @@ RSpec.describe FollowRemoteAccountService do
|
|||||||
stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404)
|
stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404)
|
||||||
stub_request(:get, "https://quitter.no/api/statuses/user_timeline/7477.atom").to_return(request_fixture('feed.txt'))
|
stub_request(:get, "https://quitter.no/api/statuses/user_timeline/7477.atom").to_return(request_fixture('feed.txt'))
|
||||||
stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt'))
|
stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt'))
|
||||||
|
stub_request(:get, "https://localdomain.com/.well-known/host-meta").to_return(request_fixture('localdomain-hostmeta.txt'))
|
||||||
|
stub_request(:get, "https://localdomain.com/.well-known/webfinger?resource=acct:foo@localdomain.com").to_return(status: 404)
|
||||||
|
stub_request(:get, "https://webdomain.com/.well-known/webfinger?resource=acct:foo@localdomain.com").to_return(request_fixture('localdomain-webfinger.txt'))
|
||||||
|
stub_request(:get, "https://webdomain.com/users/foo.atom").to_return(request_fixture('localdomain-feed.txt'))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'raises error if no such user can be resolved via webfinger' do
|
it 'raises error if no such user can be resolved via webfinger' do
|
||||||
@ -56,4 +60,12 @@ RSpec.describe FollowRemoteAccountService do
|
|||||||
it 'prevents hijacking inexisting accounts' do
|
it 'prevents hijacking inexisting accounts' do
|
||||||
expect { subject.call('hacker2@redirected.com') }.to raise_error Goldfinger::Error
|
expect { subject.call('hacker2@redirected.com') }.to raise_error Goldfinger::Error
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'returns a new remote account' do
|
||||||
|
account = subject.call('foo@localdomain.com')
|
||||||
|
|
||||||
|
expect(account.username).to eq 'foo'
|
||||||
|
expect(account.domain).to eq 'localdomain.com'
|
||||||
|
expect(account.remote_url).to eq 'https://webdomain.com/users/foo.atom'
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
@ -3,6 +3,7 @@ require 'rails_helper'
|
|||||||
RSpec.describe ProcessInteractionService do
|
RSpec.describe ProcessInteractionService do
|
||||||
let(:receiver) { Fabricate(:user, email: 'alice@example.com', account: Fabricate(:account, username: 'alice')).account }
|
let(:receiver) { Fabricate(:user, email: 'alice@example.com', account: Fabricate(:account, username: 'alice')).account }
|
||||||
let(:sender) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }
|
let(:sender) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }
|
||||||
|
let(:remote_sender) { Fabricate(:account, username: 'carol', domain: 'localdomain.com', uri: 'https://webdomain.com/users/carol') }
|
||||||
|
|
||||||
subject { ProcessInteractionService.new }
|
subject { ProcessInteractionService.new }
|
||||||
|
|
||||||
@ -31,6 +32,35 @@ XML
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'follow request slap from known remote user identified by email' do
|
||||||
|
before do
|
||||||
|
receiver.update(locked: true)
|
||||||
|
# Copy already-generated key
|
||||||
|
remote_sender.update(private_key: sender.private_key, public_key: remote_sender.public_key)
|
||||||
|
|
||||||
|
payload = <<XML
|
||||||
|
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:activity="http://activitystrea.ms/spec/1.0/">
|
||||||
|
<author>
|
||||||
|
<email>carol@localdomain.com</email>
|
||||||
|
<name>carol</name>
|
||||||
|
<uri>https://webdomain.com/users/carol</uri>
|
||||||
|
</author>
|
||||||
|
|
||||||
|
<id>someIdHere</id>
|
||||||
|
<activity:verb>http://activitystrea.ms/schema/1.0/request-friend</activity:verb>
|
||||||
|
</entry>
|
||||||
|
XML
|
||||||
|
|
||||||
|
envelope = OStatus2::Salmon.new.pack(payload, remote_sender.keypair)
|
||||||
|
subject.call(envelope, receiver)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'creates a record' do
|
||||||
|
expect(FollowRequest.find_by(account: remote_sender, target_account: receiver)).to_not be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
describe 'follow request authorization slap' do
|
describe 'follow request authorization slap' do
|
||||||
before do
|
before do
|
||||||
receiver.update(locked: true)
|
receiver.update(locked: true)
|
||||||
|
Loading…
Reference in New Issue
Block a user