Commit 0a14d155 authored by lain's avatar lain

Fail faster.

parent 1b57522b
...@@ -14,19 +14,26 @@ def call(%{assigns: %{valid_signature: true}} = conn, opts) do ...@@ -14,19 +14,26 @@ def call(%{assigns: %{valid_signature: true}} = conn, opts) do
def call(conn, opts) do def call(conn, opts) do
user = conn.params["actor"] user = conn.params["actor"]
Logger.debug("Checking sig for #{user}") Logger.debug("Checking sig for #{user}")
[signature | _] = get_req_header(conn, "signature")
if get_req_header(conn, "signature") do cond do
conn = signature && String.contains?(signature, user) ->
conn conn =
|> put_req_header( conn
"(request-target)", |> put_req_header(
String.downcase("#{conn.method}") <> " #{conn.request_path}" "(request-target)",
) String.downcase("#{conn.method}") <> " #{conn.request_path}"
)
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn)) signature ->
else Logger.debug("Signature not from actor")
Logger.debug("No signature header!") assign(conn, :valid_signature, false)
conn
true ->
Logger.debug("No signature header!")
conn
end end
end end
end end
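Review bot: The new `[signature | _] = get_req_header(conn, "signature")` match raises a MatchError when the request has no `signature` header, because `get_req_header/2` returns `[]` in that case. The `true ->` branch that logs "No signature header!" is therefore unreachable, and an unsigned request crashes the plug instead of passing through. Taking the first value without asserting a non-empty list keeps all three branches reachable: `signature = conn |> get_req_header("signature") |> List.first()`. Separately, `String.contains?(signature, user)` is a substring test over the whole header value, so it raises when `actor` is missing or not a string, and it accepts a keyId that merely starts with the actor URL (constructed example: actor `https://host.example/users/admin`, keyId `https://host.example/users/admin2#main-key`). Whether `HTTPSignatures.validate_conn/1` ties the key owner to the actor is not visible here, so treat this check as an early filter only, or compare the parsed keyId against the actor.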
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
use Pleroma.Web.ConnCase
alias Pleroma.Web.HTTPSignatures
alias Pleroma.Web.Plugs.HTTPSignaturePlug
import Plug.Conn
import Mock
test "it call HTTPSignatures to check validity if the actor sighed it" do
params = %{"actor" => "http://mastodon.example.org/users/admin"}
conn = build_conn(:get, "/doesntmattter", params)
with_mock HTTPSignatures, validate_conn: fn _ -> true end do
conn =
conn
|> put_req_header(
"signature",
"keyId=\"http://mastodon.example.org/users/admin#main-key"
)
|> HTTPSignaturePlug.call(%{})
assert conn.assigns.valid_signature == true
assert called(HTTPSignatures.validate_conn(:_))
end
end
test "bails out early if the signature isn't by the activity actor" do
params = %{"actor" => "https://mst3k.interlinked.me/users/luciferMysticus"}
conn = build_conn(:get, "/doesntmattter", params)
with_mock HTTPSignatures, validate_conn: fn _ -> false end do
conn =
conn
|> put_req_header(
"signature",
"keyId=\"http://mastodon.example.org/users/admin#main-key"
)
|> HTTPSignaturePlug.call(%{})
assert conn.assigns.valid_signature == false
refute called(HTTPSignatures.validate_conn(:_))
end
end
end
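Review bot: Neither test covers a request with no `signature` header, which is the path where the plug's `[signature | _] = get_req_header(conn, "signature")` match on an empty list would raise before the `true ->` branch can run. Both cases set the header, so the suite passes while that branch stays unexercised. A third case that sends no header and asserts the conn passes through without `:valid_signature` assigned would pin the intended behaviour; a case with no `actor` param would do the same for the `String.contains?/2` call. The header-less case is sketched below.
```elixir
test "passes the conn through when there is no signature header" do
  params = %{"actor" => "http://mastodon.example.org/users/admin"}
  conn = build_conn(:get, "/doesntmattter", params)

  with_mock HTTPSignatures, validate_conn: fn _ -> true end do
    conn = HTTPSignaturePlug.call(conn, %{})

    refute Map.has_key?(conn.assigns, :valid_signature)
    refute called(HTTPSignatures.validate_conn(:_))
  end
end
```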