mastodon/spec/controllers/concerns/signature_verification_spec.rb

# frozen_string_literal: true

require 'rails_helper'

describe ApplicationController, type: :controller do
  controller do
    include SignatureVerification

    def success
      head 200
    end

    def alternative_success
      head 200
    end
  end

  before do
    routes.draw { match via: [:get, :post], 'success' => 'anonymous#success' }
  end

  context 'without signature header' do
    before do
      get :success
    end

    describe '#signed_request?' do
      it 'returns false' do
        expect(controller.signed_request?).to be false
      end
    end

    describe '#signed_request_account' do
      it 'returns nil' do
        expect(controller.signed_request_account).to be_nil
      end
    end
  end

  context 'with signature header' do
    let!(:author) { Fabricate(:account) }

    context 'without body' do
      before do
        get :success

        fake_request = Request.new(:get, request.url)
        fake_request.on_behalf_of(author)

        request.headers.merge!(fake_request.headers)
      end

      describe '#signed_request?' do
        it 'returns true' do
          expect(controller.signed_request?).to be true
        end
      end

      describe '#signed_request_account' do
        it 'returns an account' do
          expect(controller.signed_request_account).to eq author
        end

        it 'returns nil when path does not match' do
          request.path = '/alternative-path'
          expect(controller.signed_request_account).to be_nil
        end

        it 'returns nil when method does not match' do
          post :success
          expect(controller.signed_request_account).to be_nil
        end
      end
    end

    context 'with request older than a day' do
      before do
        get :success

        fake_request = Request.new(:get, request.url)
        fake_request.add_headers({ 'Date' => 2.days.ago.utc.httpdate })
        fake_request.on_behalf_of(author)

        request.headers.merge!(fake_request.headers)
      end

      describe '#signed_request?' do
        it 'returns true' do
          expect(controller.signed_request?).to be true
        end
      end

      describe '#signed_request_account' do
        it 'returns nil' do
          expect(controller.signed_request_account).to be_nil
        end
      end
    end

    context 'with body' do
      before do
        post :success, body: 'Hello world'

        fake_request = Request.new(:post, request.url, body: 'Hello world')
        fake_request.on_behalf_of(author)

        request.headers.merge!(fake_request.headers)
      end

      describe '#signed_request?' do
        it 'returns true' do
          expect(controller.signed_request?).to be true
        end
      end

      describe '#signed_request_account' do
        it 'returns an account' do
          expect(controller.signed_request_account).to eq author
        end

        it 'returns nil when path does not match' do
          request.path = '/alternative-path'
          expect(controller.signed_request_account).to be_nil
        end

        it 'returns nil when method does not match' do
          get :success
          expect(controller.signed_request_account).to be_nil
        end

        it 'returns nil when body has been tampered' do
          post :success, body: 'doo doo doo'
          expect(controller.signed_request_account).to be_nil
        end
      end
    end
  end
end
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`# frozen_string_literal: true`

			`require 'rails_helper'`

			`describe ApplicationController, type: :controller do`
			`controller do`
			`include SignatureVerification`

			`def success`
			`head 200`
			`end`

			`def alternative_success`
			`head 200`
			`end`
			`end`

			`before do`
Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`routes.draw { match via: [:get, :post], 'success' => 'anonymous#success' }`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`end`

			`context 'without signature header' do`
			`before do`
			`get :success`
			`end`

			`describe '#signed_request?' do`
			`it 'returns false' do`
			`expect(controller.signed_request?).to be false`
			`end`
			`end`

			`describe '#signed_request_account' do`
			`it 'returns nil' do`
			`expect(controller.signed_request_account).to be_nil`
			`end`
			`end`
			`end`

			`context 'with signature header' do`
			`let!(:author) { Fabricate(:account) }`

Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`context 'without body' do`
			`before do`
			`get :success`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00
Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`fake_request = Request.new(:get, request.url)`
			`fake_request.on_behalf_of(author)`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00
Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`request.headers.merge!(fake_request.headers)`
			`end`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00
Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`describe '#signed_request?' do`
			`it 'returns true' do`
			`expect(controller.signed_request?).to be true`
			`end`
			`end`

			`describe '#signed_request_account' do`
			`it 'returns an account' do`
			`expect(controller.signed_request_account).to eq author`
			`end`

			`it 'returns nil when path does not match' do`
			`request.path = '/alternative-path'`
			`expect(controller.signed_request_account).to be_nil`
			`end`

			`it 'returns nil when method does not match' do`
			`post :success`
			`expect(controller.signed_request_account).to be_nil`
			`end`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`end`
			`end`

Improve signature verification safeguards (#8959) * Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues 2018-10-11 15:15:55 -07:00			`context 'with request older than a day' do`
			`before do`
			`get :success`

			`fake_request = Request.new(:get, request.url)`
			`fake_request.add_headers({ 'Date' => 2.days.ago.utc.httpdate })`
			`fake_request.on_behalf_of(author)`

			`request.headers.merge!(fake_request.headers)`
			`end`

			`describe '#signed_request?' do`
			`it 'returns true' do`
			`expect(controller.signed_request?).to be true`
			`end`
			`end`

			`describe '#signed_request_account' do`
			`it 'returns nil' do`
			`expect(controller.signed_request_account).to be_nil`
			`end`
			`end`
			`end`

Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`context 'with body' do`
			`before do`
			`post :success, body: 'Hello world'`

			`fake_request = Request.new(:post, request.url, body: 'Hello world')`
			`fake_request.on_behalf_of(author)`

			`request.headers.merge!(fake_request.headers)`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`end`

Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`describe '#signed_request?' do`
			`it 'returns true' do`
			`expect(controller.signed_request?).to be true`
			`end`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`end`

Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`describe '#signed_request_account' do`
			`it 'returns an account' do`
			`expect(controller.signed_request_account).to eq author`
			`end`

			`it 'returns nil when path does not match' do`
			`request.path = '/alternative-path'`
			`expect(controller.signed_request_account).to be_nil`
			`end`

			`it 'returns nil when method does not match' do`
			`get :success`
			`expect(controller.signed_request_account).to be_nil`
			`end`

			`it 'returns nil when body has been tampered' do`
Update Rails (#8141) * Update Rails * fix Update Rails 2018-08-12 03:25:23 -07:00			`post :success, body: 'doo doo doo'`
Add Digest header to requests with body, handle acct and URI keyId (#4565) 2017-08-09 14:54:14 -07:00			`expect(controller.signed_request_account).to be_nil`
			`end`
HTTP signatures (#4146) * Add Request class with HTTP signature generator Spec: https://tools.ietf.org/html/draft-cavage-http-signatures-06 * Add HTTP signature verification concern * Add test for SignatureVerification concern * Add basic test for Request class * Make PuSH subscribe/unsubscribe requests use new Request class Accidentally fix lease_seconds not being set and sent properly, and change the new minimum subscription duration to 1 day * Make all PuSH workers use new Request class * Make Salmon sender use new Request class * Make FetchLinkService use new Request class * Make FetchAtomService use the new Request class * Make Remotable use the new Request class * Make ResolveRemoteAccountService use the new Request class * Add more tests * Allow +-30 seconds window for signed request to remain valid * Disable time window validation for signed requests, restore 7 days as PuSH subscription duration (which was previous default due to a bug) 2017-07-14 11:41:49 -07:00			`end`
			`end`
			`end`
			`end`