mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-04-19 13:39:26 +00:00
77b0275572
- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
106 lines
3.5 KiB
Go
106 lines
3.5 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"testing"
|
|
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/activitypub"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/test"
|
|
"forgejo.org/routers"
|
|
"forgejo.org/tests"
|
|
|
|
ap "github.com/go-ap/activitypub"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestActivityPubPerson(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.Federation.Enabled, true)()
|
|
defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
userID := 2
|
|
username := "user2"
|
|
userURL := fmt.Sprintf("%sapi/v1/activitypub/user-id/%d", u, userID)
|
|
|
|
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
|
|
clientFactory, err := activitypub.GetClientFactory(db.DefaultContext)
|
|
require.NoError(t, err)
|
|
|
|
apClient, err := clientFactory.WithKeys(db.DefaultContext, user1, user1.APActorKeyID())
|
|
require.NoError(t, err)
|
|
|
|
// Unsigned request
|
|
t.Run("UnsignedRequest", func(t *testing.T) {
|
|
req := NewRequest(t, "GET", userURL)
|
|
MakeRequest(t, req, http.StatusBadRequest)
|
|
})
|
|
|
|
t.Run("SignedRequestValidation", func(t *testing.T) {
|
|
// Signed requset
|
|
resp, err := apClient.GetBody(userURL)
|
|
require.NoError(t, err)
|
|
|
|
var person ap.Person
|
|
err = person.UnmarshalJSON(resp)
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, ap.PersonType, person.Type)
|
|
assert.Equal(t, username, person.PreferredUsername.String())
|
|
assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d$", userID), person.GetID())
|
|
assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d/outbox$", userID), person.Outbox.GetID().String())
|
|
assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d/inbox$", userID), person.Inbox.GetID().String())
|
|
|
|
assert.NotNil(t, person.PublicKey)
|
|
assert.Regexp(t, fmt.Sprintf("activitypub/user-id/%d#main-key$", userID), person.PublicKey.ID)
|
|
|
|
assert.NotNil(t, person.PublicKey.PublicKeyPem)
|
|
assert.Regexp(t, "^-----BEGIN PUBLIC KEY-----", person.PublicKey.PublicKeyPem)
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestActivityPubMissingPerson(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.Federation.Enabled, true)()
|
|
defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/activitypub/user-id/999999999")
|
|
resp := MakeRequest(t, req, http.StatusNotFound)
|
|
assert.Contains(t, resp.Body.String(), "user does not exist")
|
|
}
|
|
|
|
func TestActivityPubPersonInbox(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.Federation.Enabled, true)()
|
|
defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
|
|
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
defer test.MockVariableValue(&setting.AppURL, u.String())()
|
|
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
|
|
user1url := u.JoinPath("/api/v1/activitypub/user-id/1").String() + "#main-key"
|
|
cf, err := activitypub.GetClientFactory(db.DefaultContext)
|
|
require.NoError(t, err)
|
|
c, err := cf.WithKeys(db.DefaultContext, user1, user1url)
|
|
require.NoError(t, err)
|
|
user2inboxurl := u.JoinPath("/api/v1/activitypub/user-id/2/inbox").String()
|
|
|
|
// Signed request succeeds
|
|
resp, err := c.Post([]byte{}, user2inboxurl)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusNoContent, resp.StatusCode)
|
|
|
|
// Unsigned request fails
|
|
req := NewRequest(t, "POST", user2inboxurl)
|
|
MakeRequest(t, req, http.StatusBadRequest)
|
|
})
|
|
}
|