Ignore actor delete messages for unknown actors (#124)

This commit is contained in:
Michael Manfre 2022-12-06 00:23:35 -05:00 committed by GitHub
parent b8460b0acd
commit 42c7b629cf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 0 deletions

View file

@ -92,6 +92,7 @@ def identity(user, domain) -> Identity:
"""
identity = Identity.objects.create(
actor_uri="https://example.com/@test@example.com/",
inbox_uri="https://example.com/@test@example.com/inbox/",
username="test",
domain=domain,
name="Test User",
@ -125,6 +126,7 @@ def other_identity(user, domain) -> Identity:
"""
identity = Identity.objects.create(
actor_uri="https://example.com/@other@example.com/",
inbox_uri="https://example.com/@other@example.com/inbox/",
username="other",
domain=domain,
name="Other User",
@ -143,6 +145,7 @@ def remote_identity() -> Identity:
domain = Domain.objects.create(domain="remote.test", local=False)
return Identity.objects.create(
actor_uri="https://remote.test/test-actor/",
inbox_uri="https://remote.test/@test/inbox/",
profile_uri="https://remote.test/@test/",
username="test",
domain=domain,

View file

@ -31,3 +31,25 @@ def test_webfinger_system_actor(client):
data = client.get("/actor/", HTTP_ACCEPT="application/ld+json").json()
assert data["id"] == "https://example.com/actor/"
assert data["inbox"] == "https://example.com/actor/inbox/"
@pytest.mark.django_db
def test_delete_actor(client, identity):
data = {
"@context": "https://www.w3.org/ns/activitystreams",
"actor": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
"id": "https://mastodon.social/users/fakec8b6984105c8f15070a2#delete",
"object": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
"signature": {
"created": "2022-12-06T03:54:28Z",
"creator": "https://mastodon.social/users/fakec8b6984105c8f15070a2#main-key",
"signatureValue": "This value doesn't matter",
"type": "RsaSignature2017",
},
"to": ["https://www.w3.org/ns/activitystreams#Public"],
"type": "Delete",
}
resp = client.post(
identity.inbox_uri, data=data, content_type="application/activity+json"
)
assert resp.status_code == 202

View file

@ -145,9 +145,21 @@ class Inbox(View):
# This ensures that the signature used for the headers matches the actor
# described in the payload.
identity = Identity.by_actor_uri(document["actor"], create=True, transient=True)
if (
document["type"] == "Delete"
and document["actor"] == document["object"]
and not identity.pk
):
# We don't have an Identity record for the user. No-op
exceptions.capture_message(
f"Inbox: Discarded delete message for unknown actor {document['actor']}"
)
return HttpResponse(status=202)
if not identity.public_key:
# See if we can fetch it right now
async_to_sync(identity.fetch_actor)()
if not identity.public_key:
exceptions.capture_message(
f"Inbox error: cannot fetch actor {document['actor']}"
@ -160,6 +172,7 @@ class Inbox(View):
f"Inbox: Discarded message from {identity.domain}"
)
return HttpResponse(status=202)
# If there's a "signature" payload, verify against that
if "signature" in document:
try: