Add rspec to further specify FollowRemoteAccountService (#2414)

spec/services/follow_remote_account_service_spec.rb

@@ -6,8 +6,12 @@ RSpec.describe FollowRemoteAccountService do
   before do
     stub_request(:get, "https://quitter.no/.well-known/host-meta").to_return(request_fixture('.host-meta.txt'))
     stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:catsrgr8@example.com").to_return(status: 404)
+    stub_request(:get, "https://redirected.com/.well-known/host-meta").to_return(request_fixture('redirected.host-meta.txt'))
     stub_request(:get, "https://example.com/.well-known/host-meta").to_return(status: 404)
     stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:gargron@quitter.no").to_return(request_fixture('webfinger.txt'))
+    stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:gargron@redirected.com").to_return(request_fixture('webfinger.txt'))
+    stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:hacker1@redirected.com").to_return(request_fixture('webfinger-hacker1.txt'))
+    stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:hacker2@redirected.com").to_return(request_fixture('webfinger-hacker2.txt'))
     stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404)
     stub_request(:get, "https://quitter.no/api/statuses/user_timeline/7477.atom").to_return(request_fixture('feed.txt'))
     stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt'))
@@ -35,4 +39,21 @@ RSpec.describe FollowRemoteAccountService do
     expect(account.domain).to eq 'quitter.no'
     expect(account.remote_url).to eq 'https://quitter.no/api/statuses/user_timeline/7477.atom'
   end
+
+  it 'follows a legitimate account redirection' do
+    account = subject.call('gargron@redirected.com')
+
+    expect(account.username).to eq 'gargron'
+    expect(account.domain).to eq 'quitter.no'
+    expect(account.remote_url).to eq 'https://quitter.no/api/statuses/user_timeline/7477.atom'
+  end
+
+  it 'prevents hijacking existing accounts' do
+    account = subject.call('hacker1@redirected.com')
+    expect(account.salmon_url).to_not eq 'https://hacker.com/main/salmon/user/7477'
+  end
+
+  it 'prevents hijacking inexisting accounts' do
+    expect { subject.call('hacker2@redirected.com') }.to raise_error Goldfinger::Error
+  end
 end