From 42c7b629cf68957dab815fe5da4accf484e2cb90 Mon Sep 17 00:00:00 2001 From: Michael Manfre Date: Tue, 6 Dec 2022 00:23:35 -0500 Subject: [PATCH] Ignore actor delete messages for unknown actors (#124) --- tests/conftest.py | 3 +++ tests/users/views/test_activitypub.py | 22 ++++++++++++++++++++++ users/views/activitypub.py | 13 +++++++++++++ 3 files changed, 38 insertions(+) diff --git a/tests/conftest.py b/tests/conftest.py index c67717c..283de76 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -92,6 +92,7 @@ def identity(user, domain) -> Identity: """ identity = Identity.objects.create( actor_uri="https://example.com/@test@example.com/", + inbox_uri="https://example.com/@test@example.com/inbox/", username="test", domain=domain, name="Test User", @@ -125,6 +126,7 @@ def other_identity(user, domain) -> Identity: """ identity = Identity.objects.create( actor_uri="https://example.com/@other@example.com/", + inbox_uri="https://example.com/@other@example.com/inbox/", username="other", domain=domain, name="Other User", @@ -143,6 +145,7 @@ def remote_identity() -> Identity: domain = Domain.objects.create(domain="remote.test", local=False) return Identity.objects.create( actor_uri="https://remote.test/test-actor/", + inbox_uri="https://remote.test/@test/inbox/", profile_uri="https://remote.test/@test/", username="test", domain=domain, diff --git a/tests/users/views/test_activitypub.py b/tests/users/views/test_activitypub.py index d9ad578..c6e7faf 100644 --- a/tests/users/views/test_activitypub.py +++ b/tests/users/views/test_activitypub.py @@ -31,3 +31,25 @@ def test_webfinger_system_actor(client): data = client.get("/actor/", HTTP_ACCEPT="application/ld+json").json() assert data["id"] == "https://example.com/actor/" assert data["inbox"] == "https://example.com/actor/inbox/" + + +@pytest.mark.django_db +def test_delete_actor(client, identity): + data = { + "@context": "https://www.w3.org/ns/activitystreams", + "actor": "https://mastodon.social/users/fakec8b6984105c8f15070a2", + "id": "https://mastodon.social/users/fakec8b6984105c8f15070a2#delete", + "object": "https://mastodon.social/users/fakec8b6984105c8f15070a2", + "signature": { + "created": "2022-12-06T03:54:28Z", + "creator": "https://mastodon.social/users/fakec8b6984105c8f15070a2#main-key", + "signatureValue": "This value doesn't matter", + "type": "RsaSignature2017", + }, + "to": ["https://www.w3.org/ns/activitystreams#Public"], + "type": "Delete", + } + resp = client.post( + identity.inbox_uri, data=data, content_type="application/activity+json" + ) + assert resp.status_code == 202 diff --git a/users/views/activitypub.py b/users/views/activitypub.py index b155b08..93a6eae 100644 --- a/users/views/activitypub.py +++ b/users/views/activitypub.py @@ -145,9 +145,21 @@ class Inbox(View): # This ensures that the signature used for the headers matches the actor # described in the payload. identity = Identity.by_actor_uri(document["actor"], create=True, transient=True) + if ( + document["type"] == "Delete" + and document["actor"] == document["object"] + and not identity.pk + ): + # We don't have an Identity record for the user. No-op + exceptions.capture_message( + f"Inbox: Discarded delete message for unknown actor {document['actor']}" + ) + return HttpResponse(status=202) + if not identity.public_key: # See if we can fetch it right now async_to_sync(identity.fetch_actor)() + if not identity.public_key: exceptions.capture_message( f"Inbox error: cannot fetch actor {document['actor']}" @@ -160,6 +172,7 @@ class Inbox(View): f"Inbox: Discarded message from {identity.domain}" ) return HttpResponse(status=202) + # If there's a "signature" payload, verify against that if "signature" in document: try: