HTTP signatures (#4146)

* Add Request class with HTTP signature generator

Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06

* Add HTTP signature verification concern

* Add test for SignatureVerification concern

* Add basic test for Request class

* Make PuSH subscribe/unsubscribe requests use new Request class

Accidentally fix lease_seconds not being set and sent properly, and
change the new minimum subscription duration to 1 day

* Make all PuSH workers use new Request class

* Make Salmon sender use new Request class

* Make FetchLinkService use new Request class

* Make FetchAtomService use the new Request class

* Make Remotable use the new Request class

* Make ResolveRemoteAccountService use the new Request class

* Add more tests

* Allow +-30 seconds window for signed request to remain valid

* Disable time window validation for signed requests, restore 7 days
as PuSH subscription duration (which was previous default due to a bug)

spec/controllers/concerns/signature_verification_spec.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ApplicationController, type: :controller do
+  controller do
+    include SignatureVerification
+
+    def success
+      head 200
+    end
+
+    def alternative_success
+      head 200
+    end
+  end
+
+  before do
+    routes.draw { get 'success' => 'anonymous#success' }
+  end
+
+  context 'without signature header' do
+    before do
+      get :success
+    end
+
+    describe '#signed_request?' do
+      it 'returns false' do
+        expect(controller.signed_request?).to be false
+      end
+    end
+
+    describe '#signed_request_account' do
+      it 'returns nil' do
+        expect(controller.signed_request_account).to be_nil
+      end
+    end
+  end
+
+  context 'with signature header' do
+    let!(:author) { Fabricate(:account) }
+
+    before do
+      get :success
+
+      fake_request = Request.new(:get, request.url)
+      fake_request.on_behalf_of(author)
+
+      request.headers.merge!(fake_request.headers)
+    end
+
+    describe '#signed_request?' do
+      it 'returns true' do
+        expect(controller.signed_request?).to be true
+      end
+    end
+
+    describe '#signed_request_account' do
+      it 'returns an account' do
+        expect(controller.signed_request_account).to eq author
+      end
+
+      it 'returns nil when path does not match' do
+        request.path = '/alternative-path'
+        expect(controller.signed_request_account).to be_nil
+      end
+
+      it 'returns nil when method does not match' do
+        post :success
+        expect(controller.signed_request_account).to be_nil
+      end
+    end
+  end
+end

spec/helpers/http_helper_spec.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-describe HttpHelper do
-  describe 'http_client' do
-    it 'returns HTTP::Client with default options' do
-      options = helper.http_client.default_options
-      expect(options.headers['User-Agent']).to match /.+ \(Mastodon\/.+;\ \+http:\/\/cb6e6126\.ngrok\.io\/\)/
-      expect(options.timeout_options).to eq read_timeout: 10, write_timeout: 10, connect_timeout: 10
-    end
-  end
-end

spec/lib/request_spec.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Request do
+  subject { Request.new(:get, 'http://example.com') }
+
+  describe '#headers' do
+    it 'returns user agent' do
+      expect(subject.headers['User-Agent']).to be_present
+    end
+
+    it 'returns the date header' do
+      expect(subject.headers['Date']).to be_present
+    end
+
+    it 'returns the host header' do
+      expect(subject.headers['Host']).to be_present
+    end
+
+    it 'does not return virtual request-target header' do
+      expect(subject.headers['(request-target)']).to be_nil
+    end
+  end
+
+  describe '#on_behalf_of' do
+    it 'when used, adds signature header' do
+      subject.on_behalf_of(Fabricate(:account))
+      expect(subject.headers['Signature']).to be_present
+    end
+  end
+
+  describe '#add_headers' do
+    it 'adds headers to the request' do
+      subject.add_headers('Test' => 'Foo')
+      expect(subject.headers['Test']).to eq 'Foo'
+    end
+  end
+
+  describe '#perform' do
+    before do
+      stub_request(:get, 'http://example.com')
+      subject.perform
+    end
+
+    it 'executes a HTTP request' do
+      expect(a_request(:get, 'http://example.com')).to have_been_made.once
+    end
+
+    it 'sets headers' do
+      expect(a_request(:get, 'http://example.com').with(headers: subject.headers)).to have_been_made
+    end
+  end
+end

spec/workers/pubsubhubbub/confirmation_worker_spec.rb

@@ -83,6 +83,6 @@ describe Pubsubhubbub::ConfirmationWorker do
   end
 
   def http_headers
-    { 'Connection' => 'close', 'Host' => 'example.com', 'User-Agent' => 'Mastodon/PubSubHubbub' }
+    { 'Connection' => 'close', 'Host' => 'example.com', 'User-Agent' => 'http.rb/2.2.2 (Mastodon/1.4.7; +https://cb6e6126.ngrok.io/)' }
   end
 end

spec/workers/pubsubhubbub/delivery_worker_spec.rb

@@ -59,7 +59,7 @@ describe Pubsubhubbub::DeliveryWorker do
         'Content-Type' => 'application/atom+xml',
         'Host' => 'example.com',
         'Link' => "<https://#{Rails.configuration.x.local_domain}/api/push>; rel=\"hub\", <https://#{Rails.configuration.x.local_domain}/users/#{subscription.account.username}.atom>; rel=\"self\"",
-        'User-Agent' => 'Mastodon/PubSubHubbub',
+        'User-Agent' => 'http.rb/2.2.2 (Mastodon/1.4.7; +https://cb6e6126.ngrok.io/)',
       }.tap do |basic|
         known_digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), subscription.secret.to_s, payload)
         basic.merge('X-Hub-Signature' => "sha1=#{known_digest}") if subscription.secret?