activitypub: implement the ReqSignature middleware

Signed-off-by: Loïc Dachary <loic@dachary.org>
2021-11-10 13:35:02 +01:00 · 2021-11-10 13:35:02 +01:00 · 97fedf2616
commit 97fedf2616
parent 15c1f6218c
8 changed files with 293 additions and 62 deletions
--- a/integrations/api_activitypub_person_test.go
+++ b/integrations/api_activitypub_person_test.go
@ -9,9 +9,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"testing"

+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/activitypub"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/go-fed/activity/pub"
 	"github.com/go-fed/activity/streams"
@ -32,7 +35,7 @@ func TestActivityPubPerson(t *testing.T) {
 		username := "user2"
 		req := NewRequestf(t, "GET", fmt.Sprintf("/api/v1/activitypub/user/%s", username))
 		resp := MakeRequest(t, req, http.StatusOK)
-		assert.Contains(t, string(resp.Body.Bytes()), "@context")
+		assert.Contains(t, resp.Body.String(), "@context")
 		var m map[string]interface{}
 		_ = json.Unmarshal(resp.Body.Bytes(), &m)

@ -46,26 +49,26 @@ func TestActivityPubPerson(t *testing.T) {
 		assert.Equal(t, err, nil)
 		assert.Equal(t, "Person", person.GetTypeName())
 		assert.Equal(t, username, person.GetActivityStreamsName().Begin().GetXMLSchemaString())
-		keyId := person.GetJSONLDId().GetIRI().String()
-		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s$", username), keyId)
+		keyID := person.GetJSONLDId().GetIRI().String()
+		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s$", username), keyID)
 		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s/outbox$", username), person.GetActivityStreamsOutbox().GetIRI().String())
 		assert.Regexp(t, fmt.Sprintf("activitypub/user/%s/inbox$", username), person.GetActivityStreamsInbox().GetIRI().String())

 		pkp := person.GetW3IDSecurityV1PublicKey()
-		publicKeyId := keyId + "/#main-key"
+		publicKeyID := keyID + "/#main-key"
 		var pkpFound vocab.W3IDSecurityV1PublicKey
 		for pkpIter := pkp.Begin(); pkpIter != pkp.End(); pkpIter = pkpIter.Next() {
 			if !pkpIter.IsW3IDSecurityV1PublicKey() {
 				continue
 			}
 			pkValue := pkpIter.Get()
-			var pkId *url.URL
-			pkId, err = pub.GetId(pkValue)
+			var pkID *url.URL
+			pkID, err = pub.GetId(pkValue)
 			if err != nil {
 				return
 			}
-			assert.Equal(t, pkId.String(), publicKeyId)
-			if pkId.String() != publicKeyId {
+			assert.Equal(t, pkID.String(), publicKeyID)
+			if pkID.String() != publicKeyID {
 				continue
 			}
 			pkpFound = pkValue
@ -91,6 +94,40 @@ func TestActivityPubMissingPerson(t *testing.T) {

 		req := NewRequestf(t, "GET", "/api/v1/activitypub/user/nonexistentuser")
 		resp := MakeRequest(t, req, http.StatusNotFound)
-		assert.Contains(t, string(resp.Body.Bytes()), "GetUserByName")
+		assert.Contains(t, resp.Body.String(), "GetUserByName")
+	})
+}
+
+func TestActivityPubPersonInbox(t *testing.T) {
+	srv := httptest.NewServer(c)
+	defer srv.Close()
+
+	onGiteaRun(t, func(*testing.T, *url.URL) {
+		appURL := setting.AppURL
+		setting.Federation.Enabled = true
+		setting.Database.LogSQL = true
+		setting.AppURL = srv.URL
+		defer func() {
+			setting.Federation.Enabled = false
+			setting.Database.LogSQL = false
+			setting.AppURL = appURL
+		}()
+		username1 := "user1"
+		user1, err := user_model.GetUserByName(username1)
+		assert.NoError(t, err)
+		user1url := fmt.Sprintf("%s/api/v1/activitypub/user/%s/#main-key", srv.URL, username1)
+		c, err := activitypub.NewClient(user1, user1url)
+		assert.NoError(t, err)
+		username2 := "user2"
+		user2inboxurl := fmt.Sprintf("%s/api/v1/activitypub/user/%s/inbox", srv.URL, username2)
+
+		// Signed request succeeds
+		resp, err := c.Post([]byte{}, user2inboxurl)
+		assert.NoError(t, err)
+		assert.Equal(t, 204, resp.StatusCode)
+
+		// Unsigned request fails
+		req := NewRequest(t, "POST", user2inboxurl)
+		MakeRequest(t, req, 500)
 	})
 }