moviewyrm/bookwyrm/tests/test_signing.py

200 lines
7.5 KiB
Python
Raw Normal View History

2021-03-08 16:49:10 +00:00
""" getting and verifying signatures """
import time
from collections import namedtuple
from urllib.parse import urlsplit
import pathlib
2020-11-27 21:02:26 +00:00
from unittest.mock import patch
import json
import responses
import pytest
from django.test import TestCase, Client
from django.utils.http import http_date
from bookwyrm import models
from bookwyrm.activitypub import Follow
from bookwyrm.settings import DOMAIN
from bookwyrm.signatures import create_key_pair, make_signature, make_digest
2021-03-08 16:49:10 +00:00
def get_follow_activity(follower, followee):
2021-04-26 16:15:42 +00:00
"""generates a test activity"""
return Follow(
2021-03-08 16:49:10 +00:00
id="https://test.com/user/follow/id",
actor=follower.remote_id,
object=followee.remote_id,
).serialize()
2021-03-08 16:49:10 +00:00
KeyPair = namedtuple("KeyPair", ("private_key", "public_key"))
Sender = namedtuple("Sender", ("remote_id", "key_pair"))
class Signature(TestCase):
2021-04-26 16:15:42 +00:00
"""signature test"""
2021-03-08 16:49:10 +00:00
def setUp(self):
2021-04-26 16:15:42 +00:00
"""create users and test data"""
with patch("bookwyrm.suggested_users.rerank_suggestions_task.delay"):
self.mouse = models.User.objects.create_user(
"mouse@%s" % DOMAIN,
"mouse@example.com",
"",
local=True,
localname="mouse",
)
self.rat = models.User.objects.create_user(
"rat@%s" % DOMAIN, "rat@example.com", "", local=True, localname="rat"
)
self.cat = models.User.objects.create_user(
"cat@%s" % DOMAIN, "cat@example.com", "", local=True, localname="cat"
)
private_key, public_key = create_key_pair()
self.fake_remote = Sender(
2021-03-08 16:49:10 +00:00
"http://localhost/user/remote", KeyPair(private_key, public_key)
)
2021-08-02 23:05:40 +00:00
models.SiteSettings.objects.create()
2020-08-19 13:26:55 +00:00
def send(self, signature, now, data, digest):
2021-04-26 16:15:42 +00:00
"""test request"""
c = Client()
return c.post(
urlsplit(self.rat.inbox).path,
data=data,
2021-03-08 16:49:10 +00:00
content_type="application/json",
**{
2021-03-08 16:49:10 +00:00
"HTTP_DATE": now,
"HTTP_SIGNATURE": signature,
"HTTP_DIGEST": digest,
"HTTP_CONTENT_TYPE": "application/activity+json; charset=utf-8",
"HTTP_HOST": DOMAIN,
}
)
2021-03-08 16:49:10 +00:00
def send_test_request( # pylint: disable=too-many-arguments
self, sender, signer=None, send_data=None, digest=None, date=None
):
2021-04-26 16:15:42 +00:00
"""sends a follow request to the "rat" user"""
now = date or http_date()
data = json.dumps(get_follow_activity(sender, self.rat))
2020-08-19 13:26:55 +00:00
digest = digest or make_digest(data)
2021-03-08 16:49:10 +00:00
signature = make_signature(signer or sender, self.rat.inbox, now, digest)
with patch("bookwyrm.views.inbox.activity_task.delay"):
with patch("bookwyrm.models.user.set_remote_server.delay"):
2020-12-03 20:50:21 +00:00
return self.send(signature, now, send_data or data, digest)
2020-11-27 21:02:26 +00:00
def test_correct_signature(self):
2021-04-26 16:15:42 +00:00
"""this one should just work"""
2020-11-27 21:02:26 +00:00
response = self.send_test_request(sender=self.mouse)
self.assertEqual(response.status_code, 200)
def test_wrong_signature(self):
2021-03-08 16:49:10 +00:00
"""Messages must be signed by the right actor.
(cat cannot sign messages on behalf of mouse)"""
response = self.send_test_request(sender=self.mouse, signer=self.cat)
self.assertEqual(response.status_code, 401)
@responses.activate
def test_remote_signer(self):
2021-04-26 16:15:42 +00:00
"""signtures for remote users"""
2021-03-08 16:49:10 +00:00
datafile = pathlib.Path(__file__).parent.joinpath("data/ap_user.json")
data = json.loads(datafile.read_bytes())
2021-03-08 16:49:10 +00:00
data["id"] = self.fake_remote.remote_id
data["publicKey"]["publicKeyPem"] = self.fake_remote.key_pair.public_key
del data["icon"] # Avoid having to return an avatar.
responses.add(responses.GET, self.fake_remote.remote_id, json=data, status=200)
responses.add(
2021-03-08 16:49:10 +00:00
responses.GET, "https://localhost/.well-known/nodeinfo", status=404
)
responses.add(
responses.GET,
2021-03-08 16:49:10 +00:00
"https://example.com/user/mouse/outbox?page=true",
json={"orderedItems": []},
status=200,
)
2021-08-02 23:05:40 +00:00
with patch("bookwyrm.models.user.get_remote_reviews.delay"):
response = self.send_test_request(sender=self.fake_remote)
self.assertEqual(response.status_code, 200)
@responses.activate
def test_key_needs_refresh(self):
2021-04-26 16:15:42 +00:00
"""an out of date key should be updated and the new key work"""
2021-03-08 16:49:10 +00:00
datafile = pathlib.Path(__file__).parent.joinpath("data/ap_user.json")
data = json.loads(datafile.read_bytes())
2021-03-08 16:49:10 +00:00
data["id"] = self.fake_remote.remote_id
data["publicKey"]["publicKeyPem"] = self.fake_remote.key_pair.public_key
del data["icon"] # Avoid having to return an avatar.
responses.add(responses.GET, self.fake_remote.remote_id, json=data, status=200)
responses.add(
2021-03-08 16:49:10 +00:00
responses.GET, "https://localhost/.well-known/nodeinfo", status=404
)
# Second and subsequent fetches get a different key:
2020-12-03 20:45:01 +00:00
key_pair = KeyPair(*create_key_pair())
new_sender = Sender(self.fake_remote.remote_id, key_pair)
2021-03-08 16:49:10 +00:00
data["publicKey"]["publicKeyPem"] = key_pair.public_key
responses.add(responses.GET, self.fake_remote.remote_id, json=data, status=200)
2021-08-02 23:05:40 +00:00
with patch("bookwyrm.models.user.get_remote_reviews.delay"):
# Key correct:
response = self.send_test_request(sender=self.fake_remote)
self.assertEqual(response.status_code, 200)
2021-05-27 19:37:27 +00:00
2021-08-02 23:05:40 +00:00
# Old key is cached, so still works:
response = self.send_test_request(sender=self.fake_remote)
self.assertEqual(response.status_code, 200)
2021-05-27 19:37:27 +00:00
2021-08-02 23:05:40 +00:00
# Try with new key:
response = self.send_test_request(sender=new_sender)
self.assertEqual(response.status_code, 200)
2021-05-27 19:37:27 +00:00
2021-08-02 23:05:40 +00:00
# Now the old key will fail:
response = self.send_test_request(sender=self.fake_remote)
self.assertEqual(response.status_code, 401)
@responses.activate
def test_nonexistent_signer(self):
2021-04-26 16:15:42 +00:00
"""fail when unable to look up signer"""
responses.add(
responses.GET,
2020-05-14 01:23:54 +00:00
self.fake_remote.remote_id,
2021-03-08 16:49:10 +00:00
json={"error": "not found"},
status=404,
)
response = self.send_test_request(sender=self.fake_remote)
self.assertEqual(response.status_code, 401)
@pytest.mark.integration
def test_changed_data(self):
2021-03-08 16:49:10 +00:00
"""Message data must match the digest header."""
with patch("bookwyrm.activitypub.resolve_remote_id"):
response = self.send_test_request(
2021-03-08 16:49:10 +00:00
self.mouse, send_data=get_follow_activity(self.mouse, self.cat)
)
self.assertEqual(response.status_code, 401)
@pytest.mark.integration
def test_invalid_digest(self):
2021-04-26 16:15:42 +00:00
"""signature digest must be valid"""
2021-03-08 16:49:10 +00:00
with patch("bookwyrm.activitypub.resolve_remote_id"):
response = self.send_test_request(
2021-03-08 16:49:10 +00:00
self.mouse, digest="SHA-256=AAAAAAAAAAAAAAAAAA"
)
self.assertEqual(response.status_code, 401)
@pytest.mark.integration
def test_old_message(self):
2021-03-08 16:49:10 +00:00
"""Old messages should be rejected to prevent replay attacks."""
with patch("bookwyrm.activitypub.resolve_remote_id"):
response = self.send_test_request(
2021-03-08 16:49:10 +00:00
self.mouse, date=http_date(time.time() - 301)
)
self.assertEqual(response.status_code, 401)