logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://anongit.hacktivis.me/git/pleroma.git/

web_finger_test.exs (9895B)

    

  1. # Pleroma: A lightweight social networking server
  2. # Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
  3. # SPDX-License-Identifier: AGPL-3.0-only
  5. defmodule Pleroma.Web.WebFingerTest do
  6.   use Pleroma.DataCase, async: false
  7.   alias Pleroma.Web.WebFinger
  8.   import Pleroma.Factory
  9.   import Tesla.Mock
  11.   setup do
  12.     Mox.stub_with(Pleroma.CachexMock, Pleroma.NullCache)
  13.     mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
  14.     :ok
  15.   end
  17.   describe "host meta" do
  18.     test "returns a link to the xml lrdd" do
  19.       host_info = WebFinger.host_meta()
  21.       assert String.contains?(host_info, Pleroma.Web.Endpoint.url())
  22.     end
  23.   end
  25.   describe "incoming webfinger request" do
  26.     test "works for fqns" do
  27.       user = insert(:user)
  29.       {:ok, result} =
  30.         WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}", "XML")
  32.       assert is_binary(result)
  33.     end
  35.     test "works for ap_ids" do
  36.       user = insert(:user)
  38.       {:ok, result} = WebFinger.webfinger(user.ap_id, "XML")
  39.       assert is_binary(result)
  40.     end
  41.   end
  43.   test "requires exact match for Endpoint host or WebFinger domain" do
  44.     clear_config([Pleroma.Web.WebFinger, :domain], "pleroma.dev")
  45.     user = insert(:user)
  47.     assert {:error, "Couldn't find user"} ==
  48.              WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}xxxx", "JSON")
  50.     assert {:error, "Couldn't find user"} ==
  51.              WebFinger.webfinger("#{user.nickname}@pleroma.devxxxx", "JSON")
  53.     assert {:ok, _} =
  54.              WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}", "JSON")
  56.     assert {:ok, _} =
  57.              WebFinger.webfinger("#{user.nickname}@pleroma.dev", "JSON")
  58.   end
  60.   describe "fingering" do
  61.     test "returns error for nonsensical input" do
  62.       assert {:error, _} = WebFinger.finger("bliblablu")
  63.       assert {:error, _} = WebFinger.finger("pleroma.social")
  64.     end
  66.     test "returns error when there is no content-type header" do
  67.       Tesla.Mock.mock(fn
  68.         %{url: "https://social.heldscal.la/.well-known/host-meta"} ->
  69.           {:ok,
  70.            %Tesla.Env{
  71.              status: 200,
  72.              body: File.read!("test/fixtures/tesla_mock/social.heldscal.la_host_meta")
  73.            }}
  75.         %{
  76.           url:
  77.             "https://social.heldscal.la/.well-known/webfinger?resource=acct:invalid_content@social.heldscal.la"
  78.         } ->
  79.           {:ok, %Tesla.Env{status: 200, body: ""}}
  80.       end)
  82.       user = "invalid_content@social.heldscal.la"
  83.       assert {:error, {:content_type, nil}} = WebFinger.finger(user)
  84.     end
  86.     test "returns error when fails parse xml or json" do
  87.       user = "invalid_content@social.heldscal.la"
  88.       assert {:error, %Jason.DecodeError{}} = WebFinger.finger(user)
  89.     end
  91.     test "returns the ActivityPub actor URI for an ActivityPub user" do
  92.       user = "framasoft@framatube.org"
  94.       {:ok, _data} = WebFinger.finger(user)
  95.     end
  97.     test "it works for AP-only user" do
  98.       user = "kpherox@mstdn.jp"
  100.       {:ok, data} = WebFinger.finger(user)
  102.       assert data["magic_key"] == nil
  103.       assert data["salmon"] == nil
  105.       assert data["topic"] == nil
  106.       assert data["subject"] == "acct:kPherox@mstdn.jp"
  107.       assert data["ap_id"] == "https://mstdn.jp/users/kPherox"
  108.       assert data["subscribe_address"] == "https://mstdn.jp/authorize_interaction?acct={uri}"
  109.     end
  111.     test "it gets the xrd endpoint" do
  112.       {:ok, template} = WebFinger.find_lrdd_template("social.heldscal.la")
  114.       assert template == "https://social.heldscal.la/.well-known/webfinger?resource={uri}"
  115.     end
  117.     test "it gets the xrd endpoint for hubzilla" do
  118.       {:ok, template} = WebFinger.find_lrdd_template("macgirvin.com")
  120.       assert template == "https://macgirvin.com/xrd/?uri={uri}"
  121.     end
  123.     test "it gets the xrd endpoint for statusnet" do
  124.       {:ok, template} = WebFinger.find_lrdd_template("status.alpicola.com")
  126.       assert template == "https://status.alpicola.com/main/xrd?uri={uri}"
  127.     end
  129.     test "it works with idna domains as nickname" do
  130.       nickname = "lain@" <> to_string(:idna.encode("zetsubou.みんな"))
  132.       {:ok, _data} = WebFinger.finger(nickname)
  133.     end
  135.     test "it works with idna domains as link" do
  136.       ap_id = "https://" <> to_string(:idna.encode("zetsubou.みんな")) <> "/users/lain"
  137.       {:ok, _data} = WebFinger.finger(ap_id)
  138.     end
  140.     test "respects json content-type" do
  141.       Tesla.Mock.mock(fn
  142.         %{
  143.           url:
  144.             "https://mastodon.social/.well-known/webfinger?resource=acct:emelie@mastodon.social"
  145.         } ->
  146.           {:ok,
  147.            %Tesla.Env{
  148.              status: 200,
  149.              body: File.read!("test/fixtures/tesla_mock/webfinger_emelie.json"),
  150.              headers: [{"content-type", "application/jrd+json"}]
  151.            }}
  153.         %{url: "https://mastodon.social/.well-known/host-meta"} ->
  154.           {:ok,
  155.            %Tesla.Env{
  156.              status: 200,
  157.              body: File.read!("test/fixtures/tesla_mock/mastodon.social_host_meta")
  158.            }}
  159.       end)
  161.       {:ok, _data} = WebFinger.finger("emelie@mastodon.social")
  162.     end
  164.     test "respects xml content-type" do
  165.       Tesla.Mock.mock(fn
  166.         %{
  167.           url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
  168.         } ->
  169.           {:ok,
  170.            %Tesla.Env{
  171.              status: 200,
  172.              body: File.read!("test/fixtures/tesla_mock/https___pawoo.net_users_pekorino.xml"),
  173.              headers: [{"content-type", "application/xrd+xml"}]
  174.            }}
  176.         %{url: "https://pawoo.net/.well-known/host-meta"} ->
  177.           {:ok,
  178.            %Tesla.Env{
  179.              status: 200,
  180.              body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
  181.            }}
  182.       end)
  184.       {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
  185.     end
  187.     test "refuses to process XML remote entities" do
  188.       Tesla.Mock.mock(fn
  189.         %{
  190.           url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
  191.         } ->
  192.           {:ok,
  193.            %Tesla.Env{
  194.              status: 200,
  195.              body: File.read!("test/fixtures/xml_external_entities.xml"),
  196.              headers: [{"content-type", "application/xrd+xml"}]
  197.            }}
  199.         %{url: "https://pawoo.net/.well-known/host-meta"} ->
  200.           {:ok,
  201.            %Tesla.Env{
  202.              status: 200,
  203.              body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
  204.            }}
  205.       end)
  207.       assert :error = WebFinger.finger("pekorino@pawoo.net")
  208.     end
  210.     test "prevents spoofing" do
  211.       Tesla.Mock.mock(fn
  212.         %{
  213.           url: "https://gleasonator.com/.well-known/webfinger?resource=acct:alex@gleasonator.com"
  214.         } ->
  215.           {:ok,
  216.            %Tesla.Env{
  217.              status: 200,
  218.              body: File.read!("test/fixtures/tesla_mock/webfinger_spoof.json"),
  219.              headers: [{"content-type", "application/jrd+json"}]
  220.            }}
  222.         %{url: "https://gleasonator.com/.well-known/host-meta"} ->
  223.           {:ok,
  224.            %Tesla.Env{
  225.              status: 200,
  226.              body: File.read!("test/fixtures/tesla_mock/gleasonator.com_host_meta")
  227.            }}
  229.         %{url: "https://whitehouse.gov/.well-known/webfinger?resource=acct:trump@whitehouse.gov"} ->
  230.           {:ok, %Tesla.Env{status: 404}}
  231.       end)
  233.       {:error, _data} = WebFinger.finger("alex@gleasonator.com")
  234.     end
  236.     test "prevents forgeries" do
  237.       Tesla.Mock.mock(fn
  238.         %{
  239.           url:
  240.             "https://fba.ryona.agency/.well-known/webfinger?resource=acct:graf@fba.ryona.agency"
  241.         } ->
  242.           fake_webfinger =
  243.             File.read!("test/fixtures/webfinger/graf-imposter-webfinger.json") |> Jason.decode!()
  245.           Tesla.Mock.json(fake_webfinger)
  247.         %{url: url}
  248.         when url in [
  249.                "https://poa.st/.well-known/webfinger?resource=acct:graf@poa.st",
  250.                "https://fba.ryona.agency/.well-known/host-meta"
  251.              ] ->
  252.           {:ok, %Tesla.Env{status: 404}}
  253.       end)
  255.       assert {:error, _} = WebFinger.finger("graf@fba.ryona.agency")
  256.     end
  258.     test "prevents forgeries even when the spoofed subject exists on the target domain" do
  259.       Tesla.Mock.mock(fn
  260.         %{url: url}
  261.         when url in [
  262.                "https://attacker.example/.well-known/host-meta",
  263.                "https://victim.example/.well-known/host-meta"
  264.              ] ->
  265.           {:ok, %Tesla.Env{status: 404}}
  267.         %{
  268.           url:
  269.             "https://attacker.example/.well-known/webfinger?resource=acct:alice@attacker.example"
  270.         } ->
  271.           Tesla.Mock.json(%{
  272.             "subject" => "acct:alice@victim.example",
  273.             "links" => [
  274.               %{
  275.                 "rel" => "self",
  276.                 "type" => "application/activity+json",
  277.                 "href" => "https://attacker.example/users/alice"
  278.               }
  279.             ]
  280.           })
  282.         %{url: "https://victim.example/.well-known/webfinger?resource=acct:alice@victim.example"} ->
  283.           Tesla.Mock.json(%{
  284.             "subject" => "acct:alice@victim.example",
  285.             "links" => [
  286.               %{
  287.                 "rel" => "self",
  288.                 "type" => "application/activity+json",
  289.                 "href" => "https://victim.example/users/alice"
  290.               }
  291.             ]
  292.           })
  293.       end)
  295.       assert {:error, _} = WebFinger.finger("alice@attacker.example")
  296.     end
  298.     test "works for correctly set up split-domain instances implementing host-meta redirect" do
  299.       {:ok, _data} = WebFinger.finger("a@pleroma.example")
  300.       {:ok, _data} = WebFinger.finger("a@sub.pleroma.example")
  301.     end
  303.     test "works for correctly set up split-domain instances without host-meta redirect" do
  304.       {:ok, _data} = WebFinger.finger("a@mastodon.example")
  305.       {:ok, _data} = WebFinger.finger("a@sub.mastodon.example")
  306.     end
  307.   end
  308. end