Home Explore Help
Register Sign In
bida
/
bastodon
7
0
Fork 0
Files Issues 9 Pull Requests 0 Wiki
Tree: fe6c055f35
Branches Tags
bastodon
/
spec
/
requests
/
signature_verification_spec.rb

signature_verification_spec.rb 21 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398 
  1. # frozen_string_literal: true
    2. 

  2. 

  3. require 'rails_helper'
    4. 

  4. 

  5. describe 'signature verification concern' do
    6. 

  6.   before do
    7. 

  7.     stub_tests_controller
    8. 

  8. 

  9.     # Signature checking is time-dependent, so travel to a fixed date
    10. 

  10.     travel_to '2023-12-20T10:00:00Z'
    11. 

  11.   end
    12. 

  12. 

  13.   after { Rails.application.reload_routes! }
    14. 

  14. 

  15.   # Include the private key so the tests can be easily adjusted and reviewed
    16. 

  16.   let(:actor_keypair) do
    17. 

  17.     OpenSSL::PKey.read(<<~PEM_TEXT)
    18. 

  18.       -----BEGIN RSA PRIVATE KEY-----
    19. 

  19.       MIIEowIBAAKCAQEAqIAYvNFGbZ5g4iiK6feSdXD4bDStFM58A7tHycYXaYtzZQpI
    20. 

  20.       eHXAmaXuZzXIwtrP4N0gIk8JNwZvXj2UPS+S07t0V9wNK94he01LV5EMz/GN4eNn
    21. 

  21.       FmDL64HIEuKLvV8TvgjbUPRD6Y5X0UpKi2ZIFLSb96Q5w0Z/k7ntpVKV52y8kz5F
    22. 

  22.       jr/O/0JuHryZe0yItzJh8kzFfeMf0EXzfSnaKvT7P9jhgC6uTre+jXyvVZjiHDrn
    23. 

  23.       qvvucdI3I7DRfXo1OqARBrLjy+TdseUAjNYJ+OuPRI1URIWQI01DCHqcohVu9+Ar
    24. 

  24.       +BiCjFp3ua+XMuJvrvbD61d1Fvig/9nbBRR+8QIDAQABAoIBAAgySHnFWI6gItR3
    25. 

  25.       fkfiqIm80cHCN3Xk1C6iiVu+3oBOZbHpW9R7vl9e/WOA/9O+LPjiSsQOegtWnVvd
    26. 

  26.       RRjrl7Hj20VDlZKv5Mssm6zOGAxksrcVbqwdj+fUJaNJCL0AyyseH0x/IE9T8rDC
    27. 

  27.       I1GH+3tB3JkhkIN/qjipdX5ab8MswEPu8IC4ViTpdBgWYY/xBcAHPw4xuL0tcwzh
    28. 

  28.       FBlf4DqoEVQo8GdK5GAJ2Ny0S4xbXHUURzx/R4y4CCts7niAiLGqd9jmLU1kUTMk
    29. 

  29.       QcXfQYK6l+unLc7wDYAz7sFEHh04M48VjWwiIZJnlCqmQbLda7uhhu8zkF1DqZTu
    30. 

  30.       ulWDGQECgYEA0TIAc8BQBVab979DHEEmMdgqBwxLY3OIAk0b+r50h7VBGWCDPRsC
    31. 

  31.       STD73fQY3lNet/7/jgSGwwAlAJ5PpMXxXiZAE3bUwPmHzgF7pvIOOLhA8O07tHSO
    32. 

  32.       L2mvQe6NPzjZ+6iAO2U9PkClxcvGvPx2OBvisfHqZLmxC9PIVxzruQECgYEAzjM6
    33. 

  33.       BTUXa6T/qHvLFbN699BXsUOGmHBGaLRapFDBfVvgZrwqYQcZpBBhesLdGTGSqwE7
    34. 

  34.       gWsITPIJ+Ldo+38oGYyVys+w/V67q6ud7hgSDTW3hSvm+GboCjk6gzxlt9hQ0t9X
    35. 

  35.       8vfDOYhEXvVUJNv3mYO60ENqQhILO4bQ0zi+VfECgYBb/nUccfG+pzunU0Cb6Dp3
    36. 

  36.       qOuydcGhVmj1OhuXxLFSDG84Tazo7juvHA9mp7VX76mzmDuhpHPuxN2AzB2SBEoE
    37. 

  37.       cSW0aYld413JRfWukLuYTc6hJHIhBTCRwRQFFnae2s1hUdQySm8INT2xIc+fxBXo
    38. 

  38.       zrp+Ljg5Wz90SAnN5TX0AQKBgDaatDOq0o/r+tPYLHiLtfWoE4Dau+rkWJDjqdk3
    39. 

  39.       lXWn/e3WyHY3Vh/vQpEqxzgju45TXjmwaVtPATr+/usSykCxzP0PMPR3wMT+Rm1F
    40. 

  40.       rIoY/odij+CaB7qlWwxj0x/zRbwB7x1lZSp4HnrzBpxYL+JUUwVRxPLIKndSBTza
    41. 

  41.       GvVRAoGBAIVBcNcRQYF4fvZjDKAb4fdBsEuHmycqtRCsnkGOz6ebbEQznSaZ0tZE
    42. 

  42.       +JuouZaGjyp8uPjNGD5D7mIGbyoZ3KyG4mTXNxDAGBso1hrNDKGBOrGaPhZx8LgO
    43. 

  43.       4VXJ+ybXrATf4jr8ccZYsZdFpOphPzz+j55Mqg5vac5P1XjmsGTb
    44. 

  44.       -----END RSA PRIVATE KEY-----
    45. 

  45.     PEM_TEXT
    46. 

  46.   end
    47. 

  47. 

  48.   context 'without a Signature header' do
    49. 

  49.     it 'does not treat the request as signed' do
    50. 

  50.       get '/activitypub/success'
    51. 

  51. 

  52.       expect(response).to have_http_status(200)
    53. 

  53.       expect(body_as_json).to match(
    54. 

  54.         signed_request: false,
    55. 

  55.         signature_actor_id: nil,
    56. 

  56.         error: 'Request not signed'
    57. 

  57.       )
    58. 

  58.     end
    59. 

  59. 

  60.     context 'when a signature is required' do
    61. 

  61.       it 'returns http unauthorized with appropriate error' do
    62. 

  62.         get '/activitypub/signature_required'
    63. 

  63. 

  64.         expect(response).to have_http_status(401)
    65. 

  65.         expect(body_as_json).to match(
    66. 

  66.           error: 'Request not signed'
    67. 

  67.         )
    68. 

  68.       end
    69. 

  69.     end
    70. 

  70.   end
    71. 

  71. 

  72.   context 'with an HTTP Signature from a known account' do
    73. 

  73.     let!(:actor) { Fabricate(:account, domain: 'remote.domain', uri: 'https://remote.domain/users/bob', private_key: nil, public_key: actor_keypair.public_key.to_pem) }
    74. 

  74. 

  75.     context 'with a valid signature on a GET request' do
    76. 

  76.       let(:signature_header) do
    77. 

  77.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="Z8ilar3J7bOwqZkMp7sL8sRs4B1FT+UorbmvWoE+A5UeoOJ3KBcUmbsh+k3wQwbP5gMNUrra9rEWabpasZGphLsbDxfbsWL3Cf0PllAc7c1c7AFEwnewtExI83/qqgEkfWc2z7UDutXc2NfgAx89Ox8DXU/fA2GG0jILjB6UpFyNugkY9rg6oI31UnvfVi3R7sr3/x8Ea3I9thPvqI2byF6cojknSpDAwYzeKdngX3TAQEGzFHz3SDWwyp3jeMWfwvVVbM38FxhvAnSumw7YwWW4L7M7h4M68isLimoT3yfCn2ucBVL5Dz8koBpYf/40w7QidClAwCafZQFC29yDOg=="' # rubocop:disable Layout/LineLength
    78. 

  78.       end
    79. 

  79. 

  80.       it 'successfuly verifies signature', :aggregate_failures do
    81. 

  81.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success', { 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Host' => 'www.example.com' })
    82. 

  82. 

  83.         get '/activitypub/success', headers: {
    84. 

  84.           'Host' => 'www.example.com',
    85. 

  85.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    86. 

  86.           'Signature' => signature_header,
    87. 

  87.         }
    88. 

  88. 

  89.         expect(response).to have_http_status(200)
    90. 

  90.         expect(body_as_json).to match(
    91. 

  91.           signed_request: true,
    92. 

  92.           signature_actor_id: actor.id.to_s
    93. 

  93.         )
    94. 

  94.       end
    95. 

  95.     end
    96. 

  96. 

  97.     context 'with a valid signature on a GET request that has a query string' do
    98. 

  98.       let(:signature_header) do
    99. 

  99.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="SDMa4r/DQYMXYxVgYO2yEqGWWUXugKjVuz0I8dniQAk+aunzBaF2aPu+4grBfawAshlx1Xytl8lhb0H2MllEz16/tKY7rUrb70MK0w8ohXgpb0qs3YvQgdj4X24L1x2MnkFfKHR/J+7TBlnivq0HZqXm8EIkPWLv+eQxu8fbowLwHIVvRd/3t6FzvcfsE0UZKkoMEX02542MhwSif6cu7Ec/clsY9qgKahb9JVGOGS1op9Lvg/9y1mc8KCgD83U5IxVygYeYXaVQ6gixA9NgZiTCwEWzHM5ELm7w5hpdLFYxYOHg/3G3fiqJzpzNQAcCD4S4JxfE7hMI0IzVlNLT6A=="' # rubocop:disable Layout/LineLength
    100. 

  100.       end
    101. 

  101. 

  102.       it 'successfuly verifies signature', :aggregate_failures do
    103. 

  103.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success?foo=42', { 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Host' => 'www.example.com' })
    104. 

  104. 

  105.         get '/activitypub/success?foo=42', headers: {
    106. 

  106.           'Host' => 'www.example.com',
    107. 

  107.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    108. 

  108.           'Signature' => signature_header,
    109. 

  109.         }
    110. 

  110. 

  111.         expect(response).to have_http_status(200)
    112. 

  112.         expect(body_as_json).to match(
    113. 

  113.           signed_request: true,
    114. 

  114.           signature_actor_id: actor.id.to_s
    115. 

  115.         )
    116. 

  116.       end
    117. 

  117.     end
    118. 

  118. 

  119.     context 'when the query string is missing from the signature verification (compatibility quirk)' do
    120. 

  120.       let(:signature_header) do
    121. 

  121.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="Z8ilar3J7bOwqZkMp7sL8sRs4B1FT+UorbmvWoE+A5UeoOJ3KBcUmbsh+k3wQwbP5gMNUrra9rEWabpasZGphLsbDxfbsWL3Cf0PllAc7c1c7AFEwnewtExI83/qqgEkfWc2z7UDutXc2NfgAx89Ox8DXU/fA2GG0jILjB6UpFyNugkY9rg6oI31UnvfVi3R7sr3/x8Ea3I9thPvqI2byF6cojknSpDAwYzeKdngX3TAQEGzFHz3SDWwyp3jeMWfwvVVbM38FxhvAnSumw7YwWW4L7M7h4M68isLimoT3yfCn2ucBVL5Dz8koBpYf/40w7QidClAwCafZQFC29yDOg=="' # rubocop:disable Layout/LineLength
    122. 

  122.       end
    123. 

  123. 

  124.       it 'successfuly verifies signature', :aggregate_failures do
    125. 

  125.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success', { 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Host' => 'www.example.com' })
    126. 

  126. 

  127.         get '/activitypub/success?foo=42', headers: {
    128. 

  128.           'Host' => 'www.example.com',
    129. 

  129.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    130. 

  130.           'Signature' => signature_header,
    131. 

  131.         }
    132. 

  132. 

  133.         expect(response).to have_http_status(200)
    134. 

  134.         expect(body_as_json).to match(
    135. 

  135.           signed_request: true,
    136. 

  136.           signature_actor_id: actor.id.to_s
    137. 

  137.         )
    138. 

  138.       end
    139. 

  139.     end
    140. 

  140. 

  141.     context 'with mismatching query string' do
    142. 

  142.       let(:signature_header) do
    143. 

  143.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="SDMa4r/DQYMXYxVgYO2yEqGWWUXugKjVuz0I8dniQAk+aunzBaF2aPu+4grBfawAshlx1Xytl8lhb0H2MllEz16/tKY7rUrb70MK0w8ohXgpb0qs3YvQgdj4X24L1x2MnkFfKHR/J+7TBlnivq0HZqXm8EIkPWLv+eQxu8fbowLwHIVvRd/3t6FzvcfsE0UZKkoMEX02542MhwSif6cu7Ec/clsY9qgKahb9JVGOGS1op9Lvg/9y1mc8KCgD83U5IxVygYeYXaVQ6gixA9NgZiTCwEWzHM5ELm7w5hpdLFYxYOHg/3G3fiqJzpzNQAcCD4S4JxfE7hMI0IzVlNLT6A=="' # rubocop:disable Layout/LineLength
    144. 

  144.       end
    145. 

  145. 

  146.       it 'fails to verify signature', :aggregate_failures do
    147. 

  147.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success?foo=42', { 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Host' => 'www.example.com' })
    148. 

  148. 

  149.         get '/activitypub/success?foo=43', headers: {
    150. 

  150.           'Host' => 'www.example.com',
    151. 

  151.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    152. 

  152.           'Signature' => signature_header,
    153. 

  153.         }
    154. 

  154. 

  155.         expect(body_as_json).to match(
    156. 

  156.           signed_request: true,
    157. 

  157.           signature_actor_id: nil,
    158. 

  158.           error: anything
    159. 

  159.         )
    160. 

  160.       end
    161. 

  161.     end
    162. 

  162. 

  163.     context 'with a mismatching path' do
    164. 

  164.       it 'fails to verify signature', :aggregate_failures do
    165. 

  165.         get '/activitypub/alternative-path', headers: {
    166. 

  166.           'Host' => 'www.example.com',
    167. 

  167.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    168. 

  168.           'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="Z8ilar3J7bOwqZkMp7sL8sRs4B1FT+UorbmvWoE+A5UeoOJ3KBcUmbsh+k3wQwbP5gMNUrra9rEWabpasZGphLsbDxfbsWL3Cf0PllAc7c1c7AFEwnewtExI83/qqgEkfWc2z7UDutXc2NfgAx89Ox8DXU/fA2GG0jILjB6UpFyNugkY9rg6oI31UnvfVi3R7sr3/x8Ea3I9thPvqI2byF6cojknSpDAwYzeKdngX3TAQEGzFHz3SDWwyp3jeMWfwvVVbM38FxhvAnSumw7YwWW4L7M7h4M68isLimoT3yfCn2ucBVL5Dz8koBpYf/40w7QidClAwCafZQFC29yDOg=="', # rubocop:disable Layout/LineLength
    169. 

  169.         }
    170. 

  170. 

  171.         expect(body_as_json).to match(
    172. 

  172.           signed_request: true,
    173. 

  173.           signature_actor_id: nil,
    174. 

  174.           error: anything
    175. 

  175.         )
    176. 

  176.       end
    177. 

  177.     end
    178. 

  178. 

  179.     context 'with a mismatching method' do
    180. 

  180.       it 'fails to verify signature', :aggregate_failures do
    181. 

  181.         post '/activitypub/success', headers: {
    182. 

  182.           'Host' => 'www.example.com',
    183. 

  183.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    184. 

  184.           'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="Z8ilar3J7bOwqZkMp7sL8sRs4B1FT+UorbmvWoE+A5UeoOJ3KBcUmbsh+k3wQwbP5gMNUrra9rEWabpasZGphLsbDxfbsWL3Cf0PllAc7c1c7AFEwnewtExI83/qqgEkfWc2z7UDutXc2NfgAx89Ox8DXU/fA2GG0jILjB6UpFyNugkY9rg6oI31UnvfVi3R7sr3/x8Ea3I9thPvqI2byF6cojknSpDAwYzeKdngX3TAQEGzFHz3SDWwyp3jeMWfwvVVbM38FxhvAnSumw7YwWW4L7M7h4M68isLimoT3yfCn2ucBVL5Dz8koBpYf/40w7QidClAwCafZQFC29yDOg=="', # rubocop:disable Layout/LineLength
    185. 

  185.         }
    186. 

  186. 

  187.         expect(body_as_json).to match(
    188. 

  188.           signed_request: true,
    189. 

  189.           signature_actor_id: nil,
    190. 

  190.           error: anything
    191. 

  191.         )
    192. 

  192.       end
    193. 

  193.     end
    194. 

  194. 

  195.     context 'with an unparsable date' do
    196. 

  196.       let(:signature_header) do
    197. 

  197.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="d4B7nfx8RJcfdJDu1J//5WzPzK/hgtPkdzZx49lu5QhnE7qdV3lgyVimmhCFrO16bwvzIp9iRMyRLkNFxLiEeVaa1gqeKbldGSnU0B0OMjx7rFBa65vLuzWQOATDitVGiBEYqoK4v0DMuFCz2DtFaA/DIUZ3sty8bZ/Ea3U1nByLOO6MacARA3zhMSI0GNxGqsSmZmG0hPLavB3jIXoE3IDoQabMnC39jrlcO/a8h1iaxBm2WD8TejrImJullgqlJIFpKhIHI3ipQkvTGPlm9dx0y+beM06qBvWaWQcmT09eRIUefVsOAzIhUtS/7FVb/URhZvircIJDa7vtiFcmZQ=="' # rubocop:disable Layout/LineLength
    198. 

  198.       end
    199. 

  199. 

  200.       it 'fails to verify signature', :aggregate_failures do
    201. 

  201.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success', { 'Date' => 'wrong date', 'Host' => 'www.example.com' })
    202. 

  202. 

  203.         get '/activitypub/success', headers: {
    204. 

  204.           'Host' => 'www.example.com',
    205. 

  205.           'Date' => 'wrong date',
    206. 

  206.           'Signature' => signature_header,
    207. 

  207.         }
    208. 

  208. 

  209.         expect(body_as_json).to match(
    210. 

  210.           signed_request: true,
    211. 

  211.           signature_actor_id: nil,
    212. 

  212.           error: 'Invalid Date header: not RFC 2616 compliant date: "wrong date"'
    213. 

  213.         )
    214. 

  214.       end
    215. 

  215.     end
    216. 

  216. 

  217.     context 'with a request older than a day' do
    218. 

  218.       let(:signature_header) do
    219. 

  219.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="G1NuJv4zgoZ3B/ZIjzDWZHK4RC+5pYee74q8/LJEMCWXhcnAomcb9YHaqk1QYfQvcBUIXw3UZ3Q9xO8F9y0i8G5mzJHfQ+OgHqCoJk8EmGwsUXJMh5s1S5YFCRt8TT12TmJZz0VMqLq85ubueSYBM7QtUE/FzFIVLvz4RysgXxaXQKzdnM6+gbUEEKdCURpXdQt2NXQhp4MAmZH3+0lQoR6VxdsK0hx0Ji2PNp1nuqFTlYqNWZazVdLBN+9rETLRmvGXknvg9jOxTTppBVWnkAIl26HtLS3wwFVvz4pJzi9OQDOvLziehVyLNbU61hky+oJ215e2HuKSe2hxHNl1MA=="' # rubocop:disable Layout/LineLength
    220. 

  220.       end
    221. 

  221. 

  222.       it 'fails to verify signature', :aggregate_failures do
    223. 

  223.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'get /activitypub/success', { 'Date' => 'Wed, 18 Dec 2023 10:00:00 GMT', 'Host' => 'www.example.com' })
    224. 

  224. 

  225.         get '/activitypub/success', headers: {
    226. 

  226.           'Host' => 'www.example.com',
    227. 

  227.           'Date' => 'Wed, 18 Dec 2023 10:00:00 GMT',
    228. 

  228.           'Signature' => signature_header,
    229. 

  229.         }
    230. 

  230. 

  231.         expect(body_as_json).to match(
    232. 

  232.           signed_request: true,
    233. 

  233.           signature_actor_id: nil,
    234. 

  234.           error: 'Signed request date outside acceptable time window'
    235. 

  235.         )
    236. 

  236.       end
    237. 

  237.     end
    238. 

  238. 

  239.     context 'with a valid signature on a POST request' do
    240. 

  240.       let(:digest_header) { 'SHA-256=ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=' }
    241. 

  241.       let(:signature_header) do
    242. 

  242.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="host date digest (request-target)",signature="gmhMjgMROGElJU3fpehV2acD5kMHeELi8EFP2UPHOdQ54H0r55AxIpji+J3lPe+N2qSb/4H1KXIh6f0lRu8TGSsu12OQmg5hiO8VA9flcA/mh9Lpk+qwlQZIPRqKP9xUEfqD+Z7ti5wPzDKrWAUK/7FIqWgcT/mlqB1R1MGkpMFc/q4CIs2OSNiWgA4K+Kp21oQxzC2kUuYob04gAZ7cyE/FTia5t08uv6lVYFdRsn4XNPn1MsHgFBwBMRG79ng3SyhoG4PrqBEi5q2IdLq3zfre/M6He3wlCpyO2VJNdGVoTIzeZ0Zz8jUscPV3XtWUchpGclLGSaKaq/JyNZeiYQ=="' # rubocop:disable Layout/LineLength
    243. 

  243.       end
    244. 

  244. 

  245.       it 'successfuly verifies signature', :aggregate_failures do
    246. 

  246.         expect(digest_header).to eq digest_value('Hello world')
    247. 

  247.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'post /activitypub/success', { 'Host' => 'www.example.com', 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Digest' => digest_header })
    248. 

  248. 

  249.         post '/activitypub/success', params: 'Hello world', headers: {
    250. 

  250.           'Host' => 'www.example.com',
    251. 

  251.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    252. 

  252.           'Digest' => digest_header,
    253. 

  253.           'Signature' => signature_header,
    254. 

  254.         }
    255. 

  255. 

  256.         expect(response).to have_http_status(200)
    257. 

  257.         expect(body_as_json).to match(
    258. 

  258.           signed_request: true,
    259. 

  259.           signature_actor_id: actor.id.to_s
    260. 

  260.         )
    261. 

  261.       end
    262. 

  262.     end
    263. 

  263. 

  264.     context 'when the Digest of a POST request is not signed' do
    265. 

  265.       let(:digest_header) { 'SHA-256=ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=' }
    266. 

  266.       let(:signature_header) do
    267. 

  267.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="host date (request-target)",signature="CPD704CG8aCm8X8qIP8kkkiGp1qwFLk/wMVQHOGP0Txxan8c2DZtg/KK7eN8RG8tHx8br/yS2hJs51x4kXImYukGzNJd7ihE3T8lp+9RI1tCcdobTzr/VcVJHDFySdQkg266GCMijRQRZfNvqlJLiisr817PI+gNVBI5qV+vnVd1XhWCEZ+YSmMe8UqYARXAYNqMykTheojqGpTeTFGPUpTQA2Fmt2BipwIjcFDm2Hpihl2kB0MUS0x3zPmHDuadvzoBbN6m3usPDLgYrpALlh+wDs1dYMntcwdwawRKY1oE1XNtgOSum12wntDq3uYL4gya2iPdcw3c929b4koUzw=="' # rubocop:disable Layout/LineLength
    268. 

  268.       end
    269. 

  269. 

  270.       it 'fails to verify signature', :aggregate_failures do
    271. 

  271.         expect(digest_header).to eq digest_value('Hello world')
    272. 

  272.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'post /activitypub/success', { 'Host' => 'www.example.com', 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT' })
    273. 

  273. 

  274.         post '/activitypub/success', params: 'Hello world', headers: {
    275. 

  275.           'Host' => 'www.example.com',
    276. 

  276.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    277. 

  277.           'Digest' => digest_header,
    278. 

  278.           'Signature' => signature_header,
    279. 

  279.         }
    280. 

  280. 

  281.         expect(body_as_json).to match(
    282. 

  282.           signed_request: true,
    283. 

  283.           signature_actor_id: nil,
    284. 

  284.           error: 'Mastodon requires the Digest header to be signed when doing a POST request'
    285. 

  285.         )
    286. 

  286.       end
    287. 

  287.     end
    288. 

  288. 

  289.     context 'with a tampered body on a POST request' do
    290. 

  290.       let(:digest_header) { 'SHA-256=ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=' }
    291. 

  291.       let(:signature_header) do
    292. 

  292.         'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="host date digest (request-target)",signature="gmhMjgMROGElJU3fpehV2acD5kMHeELi8EFP2UPHOdQ54H0r55AxIpji+J3lPe+N2qSb/4H1KXIh6f0lRu8TGSsu12OQmg5hiO8VA9flcA/mh9Lpk+qwlQZIPRqKP9xUEfqD+Z7ti5wPzDKrWAUK/7FIqWgcT/mlqB1R1MGkpMFc/q4CIs2OSNiWgA4K+Kp21oQxzC2kUuYob04gAZ7cyE/FTia5t08uv6lVYFdRsn4XNPn1MsHgFBwBMRG79ng3SyhoG4PrqBEi5q2IdLq3zfre/M6He3wlCpyO2VJNdGVoTIzeZ0Zz8jUscPV3XtWUchpGclLGSaKaq/JyNZeiYQ=="' # rubocop:disable Layout/LineLength
    293. 

  293.       end
    294. 

  294. 

  295.       it 'fails to verify signature', :aggregate_failures do
    296. 

  296.         expect(digest_header).to_not eq digest_value('Hello world!')
    297. 

  297.         expect(signature_header).to eq build_signature_string(actor_keypair, 'https://remote.domain/users/bob#main-key', 'post /activitypub/success', { 'Host' => 'www.example.com', 'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT', 'Digest' => digest_header })
    298. 

  298. 

  299.         post '/activitypub/success', params: 'Hello world!', headers: {
    300. 

  300.           'Host' => 'www.example.com',
    301. 

  301.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    302. 

  302.           'Digest' => 'SHA-256=ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=',
    303. 

  303.           'Signature' => signature_header,
    304. 

  304.         }
    305. 

  305. 

  306.         expect(body_as_json).to match(
    307. 

  307.           signed_request: true,
    308. 

  308.           signature_actor_id: nil,
    309. 

  309.           error: 'Invalid Digest value. Computed SHA-256 digest: wFNeS+K3n/2TKRMFQ2v4iTFOSj+uwF7P/Lt98xrZ5Ro=; given: ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw='
    310. 

  310.         )
    311. 

  311.       end
    312. 

  312.     end
    313. 

  313. 

  314.     context 'with a tampered path in a POST request' do
    315. 

  315.       it 'fails to verify signature', :aggregate_failures do
    316. 

  316.         post '/activitypub/alternative-path', params: 'Hello world', headers: {
    317. 

  317.           'Host' => 'www.example.com',
    318. 

  318.           'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    319. 

  319.           'Digest' => 'SHA-256=ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=',
    320. 

  320.           'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="host date digest (request-target)",signature="gmhMjgMROGElJU3fpehV2acD5kMHeELi8EFP2UPHOdQ54H0r55AxIpji+J3lPe+N2qSb/4H1KXIh6f0lRu8TGSsu12OQmg5hiO8VA9flcA/mh9Lpk+qwlQZIPRqKP9xUEfqD+Z7ti5wPzDKrWAUK/7FIqWgcT/mlqB1R1MGkpMFc/q4CIs2OSNiWgA4K+Kp21oQxzC2kUuYob04gAZ7cyE/FTia5t08uv6lVYFdRsn4XNPn1MsHgFBwBMRG79ng3SyhoG4PrqBEi5q2IdLq3zfre/M6He3wlCpyO2VJNdGVoTIzeZ0Zz8jUscPV3XtWUchpGclLGSaKaq/JyNZeiYQ=="', # rubocop:disable Layout/LineLength
    321. 

  321.         }
    322. 

  322. 

  323.         expect(response).to have_http_status(200)
    324. 

  324.         expect(body_as_json).to match(
    325. 

  325.           signed_request: true,
    326. 

  326.           signature_actor_id: nil,
    327. 

  327.           error: anything
    328. 

  328.         )
    329. 

  329.       end
    330. 

  330.     end
    331. 

  331.   end
    332. 

  332. 

  333.   context 'with an inaccessible key' do
    334. 

  334.     before do
    335. 

  335.       stub_request(:get, 'https://remote.domain/users/alice#main-key').to_return(status: 404)
    336. 

  336.     end
    337. 

  337. 

  338.     it 'fails to verify signature', :aggregate_failures do
    339. 

  339.       get '/activitypub/success', headers: {
    340. 

  340.         'Host' => 'www.example.com',
    341. 

  341.         'Date' => 'Wed, 20 Dec 2023 10:00:00 GMT',
    342. 

  342.         'Signature' => 'keyId="https://remote.domain/users/alice#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="Z8ilar3J7bOwqZkMp7sL8sRs4B1FT+UorbmvWoE+A5UeoOJ3KBcUmbsh+k3wQwbP5gMNUrra9rEWabpasZGphLsbDxfbsWL3Cf0PllAc7c1c7AFEwnewtExI83/qqgEkfWc2z7UDutXc2NfgAx89Ox8DXU/fA2GG0jILjB6UpFyNugkY9rg6oI31UnvfVi3R7sr3/x8Ea3I9thPvqI2byF6cojknSpDAwYzeKdngX3TAQEGzFHz3SDWwyp3jeMWfwvVVbM38FxhvAnSumw7YwWW4L7M7h4M68isLimoT3yfCn2ucBVL5Dz8koBpYf/40w7QidClAwCafZQFC29yDOg=="', # rubocop:disable Layout/LineLength
    343. 

  343.       }
    344. 

  344. 

  345.       expect(body_as_json).to match(
    346. 

  346.         signed_request: true,
    347. 

  347.         signature_actor_id: nil,
    348. 

  348.         error: 'Unable to fetch key JSON at https://remote.domain/users/alice#main-key'
    349. 

  349.       )
    350. 

  350.     end
    351. 

  351.   end
    352. 

  352. 

  353.   private
    354. 

  354. 

  355.   def stub_tests_controller
    356. 

  356.     stub_const('ActivityPub::TestsController', activitypub_tests_controller)
    357. 

  357. 

  358.     Rails.application.routes.draw do
    359. 

  359.       # NOTE: RouteSet#draw removes all routes, so we need to re-insert one
    360. 

  360.       resource :instance_actor, path: 'actor', only: [:show]
    361. 

  361. 

  362.       match :via => [:get, :post], '/activitypub/success' => 'activitypub/tests#success'
    363. 

  363.       match :via => [:get, :post], '/activitypub/alternative-path' => 'activitypub/tests#alternative_success'
    364. 

  364.       match :via => [:get, :post], '/activitypub/signature_required' => 'activitypub/tests#signature_required'
    365. 

  365.     end
    366. 

  366.   end
    367. 

  367. 

  368.   def activitypub_tests_controller
    369. 

  369.     Class.new(ApplicationController) do
    370. 

  370.       include SignatureVerification
    371. 

  371. 

  372.       before_action :require_actor_signature!, only: [:signature_required]
    373. 

  373. 

  374.       def success
    375. 

  375.         render json: {
    376. 

  376.           signed_request: signed_request?,
    377. 

  377.           signature_actor_id: signed_request_actor&.id&.to_s,
    378. 

  378.         }.merge(signature_verification_failure_reason || {})
    379. 

  379.       end
    380. 

  380. 

  381.       alias_method :alternative_success, :success
    382. 

  382.       alias_method :signature_required, :success
    383. 

  383.     end
    384. 

  384.   end
    385. 

  385. 

  386.   def digest_value(body)
    387. 

  387.     "SHA-256=#{Digest::SHA256.base64digest(body)}"
    388. 

  388.   end
    389. 

  389. 

  390.   def build_signature_string(keypair, key_id, request_target, headers)
    391. 

  391.     algorithm = 'rsa-sha256'
    392. 

  392.     signed_headers = headers.merge({ '(request-target)' => request_target })
    393. 

  393.     signed_string = signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
    394. 

  394.     signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))
    395. 

  395. 

  396.     "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
    397. 

  397.   end
    398. 

  398. end
    399.