Add stricter protocol fields validation for accounts (#25937)

shrike
Claire 2023-07-20 18:23:48 +02:00 committed by GitHub
parent 1cceb62afd
commit 1e3b19230a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 96 additions and 49 deletions

View File

@ -89,12 +89,19 @@ class Account < ApplicationRecord
# Remote user validations, also applies to internal actors # Remote user validations, also applies to internal actors
validates :username, format: { with: USERNAME_ONLY_RE }, if: -> { (!local? || actor_type == 'Application') && will_save_change_to_username? } validates :username, format: { with: USERNAME_ONLY_RE }, if: -> { (!local? || actor_type == 'Application') && will_save_change_to_username? }
# Remote user validations
validates :uri, presence: true, unless: :local?, on: :create
# Local user validations # Local user validations
validates :username, format: { with: /\A[a-z0-9_]+\z/i }, length: { maximum: 30 }, if: -> { local? && will_save_change_to_username? && actor_type != 'Application' } validates :username, format: { with: /\A[a-z0-9_]+\z/i }, length: { maximum: 30 }, if: -> { local? && will_save_change_to_username? && actor_type != 'Application' }
validates_with UnreservedUsernameValidator, if: -> { local? && will_save_change_to_username? && actor_type != 'Application' } validates_with UnreservedUsernameValidator, if: -> { local? && will_save_change_to_username? && actor_type != 'Application' }
validates :display_name, length: { maximum: 30 }, if: -> { local? && will_save_change_to_display_name? } validates :display_name, length: { maximum: 30 }, if: -> { local? && will_save_change_to_display_name? }
validates :note, note_length: { maximum: 500 }, if: -> { local? && will_save_change_to_note? } validates :note, note_length: { maximum: 500 }, if: -> { local? && will_save_change_to_note? }
validates :fields, length: { maximum: 4 }, if: -> { local? && will_save_change_to_fields? } validates :fields, length: { maximum: 4 }, if: -> { local? && will_save_change_to_fields? }
validates :uri, absence: true, if: :local?, on: :create
validates :inbox_url, absence: true, if: :local?, on: :create
validates :shared_inbox_url, absence: true, if: :local?, on: :create
validates :followers_url, absence: true, if: :local?, on: :create
scope :remote, -> { where.not(domain: nil) } scope :remote, -> { where.not(domain: nil) }
scope :local, -> { where(domain: nil) } scope :local, -> { where(domain: nil) }

View File

@ -79,7 +79,7 @@ class ActivityPub::ProcessAccountService < BaseService
set_immediate_protocol_attributes! set_immediate_protocol_attributes!
@account.save @account.save!
end end
def update_account def update_account

View File

@ -13,5 +13,6 @@ Fabricator(:account) do
suspended_at { |attrs| attrs[:suspended] ? Time.now.utc : nil } suspended_at { |attrs| attrs[:suspended] ? Time.now.utc : nil }
silenced_at { |attrs| attrs[:silenced] ? Time.now.utc : nil } silenced_at { |attrs| attrs[:silenced] ? Time.now.utc : nil }
user { |attrs| attrs[:domain].nil? ? Fabricate.build(:user, account: nil) : nil } user { |attrs| attrs[:domain].nil? ? Fabricate.build(:user, account: nil) : nil }
uri { |attrs| attrs[:domain].nil? ? '' : "https://#{attrs[:domain]}/users/#{attrs[:username]}" }
discoverable true discoverable true
end end

View File

@ -5,15 +5,15 @@ require 'rails_helper'
RSpec.describe AccountReachFinder do RSpec.describe AccountReachFinder do
let(:account) { Fabricate(:account) } let(:account) { Fabricate(:account) }
let(:ap_follower_example_com) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/inbox-1') } let(:ap_follower_example_com) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/inbox-1', domain: 'example.com') }
let(:ap_follower_example_org) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.org/inbox-2') } let(:ap_follower_example_org) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.org/inbox-2', domain: 'example.org') }
let(:ap_follower_with_shared) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/users/a/inbox', shared_inbox_url: 'https://foo.bar/inbox') } let(:ap_follower_with_shared) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/users/a/inbox', domain: 'foo.bar', shared_inbox_url: 'https://foo.bar/inbox') }
let(:ap_mentioned_with_shared) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/users/b/inbox', shared_inbox_url: 'https://foo.bar/inbox') } let(:ap_mentioned_with_shared) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/users/b/inbox', domain: 'foo.bar', shared_inbox_url: 'https://foo.bar/inbox') }
let(:ap_mentioned_example_com) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/inbox-3') } let(:ap_mentioned_example_com) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/inbox-3', domain: 'example.com') }
let(:ap_mentioned_example_org) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.org/inbox-4') } let(:ap_mentioned_example_org) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.org/inbox-4', domain: 'example.org') }
let(:unrelated_account) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/unrelated-inbox') } let(:unrelated_account) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://example.com/unrelated-inbox', domain: 'example.com') }
before do before do
ap_follower_example_com.follow!(account) ap_follower_example_com.follow!(account)

View File

@ -5,7 +5,7 @@ require 'rails_helper'
RSpec.describe ActivityPub::Activity::Announce do RSpec.describe ActivityPub::Activity::Announce do
subject { described_class.new(json, sender) } subject { described_class.new(json, sender) }
let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', uri: 'https://example.com/actor') } let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', uri: 'https://example.com/actor', domain: 'example.com') }
let(:recipient) { Fabricate(:account) } let(:recipient) { Fabricate(:account) }
let(:status) { Fabricate(:status, account: recipient) } let(:status) { Fabricate(:status, account: recipient) }
@ -114,7 +114,7 @@ RSpec.describe ActivityPub::Activity::Announce do
context 'when the sender is relayed' do context 'when the sender is relayed' do
subject { described_class.new(json, sender, relayed_through_actor: relay_account) } subject { described_class.new(json, sender, relayed_through_actor: relay_account) }
let!(:relay_account) { Fabricate(:account, inbox_url: 'https://relay.example.com/inbox') } let!(:relay_account) { Fabricate(:account, inbox_url: 'https://relay.example.com/inbox', domain: 'relay.example.com') }
let!(:relay) { Fabricate(:relay, inbox_url: 'https://relay.example.com/inbox') } let!(:relay) { Fabricate(:relay, inbox_url: 'https://relay.example.com/inbox') }
let(:object_json) { 'https://example.com/actor/hello-world' } let(:object_json) { 'https://example.com/actor/hello-world' }

View File

@ -5,22 +5,38 @@ require 'rails_helper'
RSpec.describe ActivityPub::Activity::Update do RSpec.describe ActivityPub::Activity::Update do
subject { described_class.new(json, sender) } subject { described_class.new(json, sender) }
let!(:sender) { Fabricate(:account) } let!(:sender) { Fabricate(:account, domain: 'example.com', inbox_url: 'https://example.com/foo/inbox', outbox_url: 'https://example.com/foo/outbox') }
before do
sender.update!(uri: ActivityPub::TagManager.instance.uri_for(sender))
end
describe '#perform' do describe '#perform' do
context 'with an Actor object' do context 'with an Actor object' do
let(:modified_sender) do
sender.tap do |modified_sender|
modified_sender.display_name = 'Totally modified now'
end
end
let(:actor_json) do let(:actor_json) do
ActiveModelSerializers::SerializableResource.new(modified_sender, serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter).as_json {
'@context': [
'https://www.w3.org/ns/activitystreams',
'https://w3id.org/security/v1',
{
manuallyApprovesFollowers: 'as:manuallyApprovesFollowers',
toot: 'http://joinmastodon.org/ns#',
featured: { '@id': 'toot:featured', '@type': '@id' },
featuredTags: { '@id': 'toot:featuredTags', '@type': '@id' },
},
],
id: sender.uri,
type: 'Person',
following: 'https://example.com/users/dfsdf/following',
followers: 'https://example.com/users/dfsdf/followers',
inbox: sender.inbox_url,
outbox: sender.outbox_url,
featured: 'https://example.com/users/dfsdf/featured',
featuredTags: 'https://example.com/users/dfsdf/tags',
preferredUsername: sender.username,
name: 'Totally modified now',
publicKey: {
id: "#{sender.uri}#main-key",
owner: sender.uri,
publicKeyPem: sender.public_key,
},
}
end end
let(:json) do let(:json) do
@ -28,7 +44,7 @@ RSpec.describe ActivityPub::Activity::Update do
'@context': 'https://www.w3.org/ns/activitystreams', '@context': 'https://www.w3.org/ns/activitystreams',
id: 'foo', id: 'foo',
type: 'Update', type: 'Update',
actor: ActivityPub::TagManager.instance.uri_for(sender), actor: sender.uri,
object: actor_json, object: actor_json,
}.with_indifferent_access }.with_indifferent_access
end end
@ -38,6 +54,7 @@ RSpec.describe ActivityPub::Activity::Update do
stub_request(:get, actor_json[:followers]).to_return(status: 404) stub_request(:get, actor_json[:followers]).to_return(status: 404)
stub_request(:get, actor_json[:following]).to_return(status: 404) stub_request(:get, actor_json[:following]).to_return(status: 404)
stub_request(:get, actor_json[:featured]).to_return(status: 404) stub_request(:get, actor_json[:featured]).to_return(status: 404)
stub_request(:get, actor_json[:featuredTags]).to_return(status: 404)
subject.perform subject.perform
end end
@ -49,17 +66,17 @@ RSpec.describe ActivityPub::Activity::Update do
context 'with a Question object' do context 'with a Question object' do
let!(:at_time) { Time.now.utc } let!(:at_time) { Time.now.utc }
let!(:status) { Fabricate(:status, account: sender, poll: Poll.new(account: sender, options: %w(Bar Baz), cached_tallies: [0, 0], expires_at: at_time + 5.days)) } let!(:status) { Fabricate(:status, uri: 'https://example.com/statuses/poll', account: sender, poll: Poll.new(account: sender, options: %w(Bar Baz), cached_tallies: [0, 0], expires_at: at_time + 5.days)) }
let(:json) do let(:json) do
{ {
'@context': 'https://www.w3.org/ns/activitystreams', '@context': 'https://www.w3.org/ns/activitystreams',
id: 'foo', id: 'foo',
type: 'Update', type: 'Update',
actor: ActivityPub::TagManager.instance.uri_for(sender), actor: sender.uri,
object: { object: {
type: 'Question', type: 'Question',
id: ActivityPub::TagManager.instance.uri_for(status), id: status.uri,
content: 'Foo', content: 'Foo',
endTime: (at_time + 5.days).iso8601, endTime: (at_time + 5.days).iso8601,
oneOf: [ oneOf: [

View File

@ -7,7 +7,7 @@ RSpec.describe ActivityPub::LinkedDataSignature do
subject { described_class.new(json) } subject { described_class.new(json) }
let!(:sender) { Fabricate(:account, uri: 'http://example.com/alice') } let!(:sender) { Fabricate(:account, uri: 'http://example.com/alice', domain: 'example.com') }
let(:raw_json) do let(:raw_json) do
{ {

View File

@ -139,7 +139,7 @@ RSpec.describe ActivityPub::TagManager do
end end
it 'returns the remote account by matching URI without fragment part' do it 'returns the remote account by matching URI without fragment part' do
account = Fabricate(:account, uri: 'https://example.com/123') account = Fabricate(:account, uri: 'https://example.com/123', domain: 'example.com')
expect(subject.uri_to_resource('https://example.com/123#456', Account)).to eq account expect(subject.uri_to_resource('https://example.com/123#456', Account)).to eq account
end end

View File

@ -963,12 +963,12 @@ RSpec.describe Account do
context 'when is remote' do context 'when is remote' do
it 'does not generate keys' do it 'does not generate keys' do
key = OpenSSL::PKey::RSA.new(1024).public_key key = OpenSSL::PKey::RSA.new(1024).public_key
account = described_class.create!(domain: 'remote', username: Faker::Internet.user_name(separators: ['_']), public_key: key.to_pem) account = described_class.create!(domain: 'remote', uri: 'https://remote/actor', username: Faker::Internet.user_name(separators: ['_']), public_key: key.to_pem)
expect(account.keypair.params).to eq key.params expect(account.keypair.params).to eq key.params
end end
it 'normalizes domain' do it 'normalizes domain' do
account = described_class.create!(domain: 'にゃん', username: Faker::Internet.user_name(separators: ['_'])) account = described_class.create!(domain: 'にゃん', uri: 'https://xn--r9j5b5b/actor', username: Faker::Internet.user_name(separators: ['_']))
expect(account.domain).to eq 'xn--r9j5b5b' expect(account.domain).to eq 'xn--r9j5b5b'
end end
end end

View File

@ -65,8 +65,8 @@ RSpec.describe DeleteAccountService, type: :service do
stub_request(:post, 'https://bob.com/inbox').to_return(status: 201) stub_request(:post, 'https://bob.com/inbox').to_return(status: 201)
end end
let!(:remote_alice) { Fabricate(:account, inbox_url: 'https://alice.com/inbox', protocol: :activitypub) } let!(:remote_alice) { Fabricate(:account, inbox_url: 'https://alice.com/inbox', domain: 'alice.com', protocol: :activitypub) }
let!(:remote_bob) { Fabricate(:account, inbox_url: 'https://bob.com/inbox', protocol: :activitypub) } let!(:remote_bob) { Fabricate(:account, inbox_url: 'https://bob.com/inbox', domain: 'bob.com', protocol: :activitypub) }
include_examples 'common behavior' do include_examples 'common behavior' do
let!(:account) { Fabricate(:account) } let!(:account) { Fabricate(:account) }
@ -87,12 +87,34 @@ RSpec.describe DeleteAccountService, type: :service do
end end
include_examples 'common behavior' do include_examples 'common behavior' do
let!(:account) { Fabricate(:account, inbox_url: 'https://bob.com/inbox', protocol: :activitypub) } let!(:account) { Fabricate(:account, inbox_url: 'https://bob.com/inbox', protocol: :activitypub, domain: 'bob.com') }
let!(:local_follower) { Fabricate(:account) } let!(:local_follower) { Fabricate(:account) }
it 'sends a reject follow to follower inboxes' do it 'sends expected activities to followed and follower inboxes' do
subject subject
expect(a_request(:post, account.inbox_url)).to have_been_made.once
expect(a_request(:post, account.inbox_url).with(
body:
hash_including({
'type' => 'Reject',
'object' => hash_including({
'type' => 'Follow',
'actor' => account.uri,
'object' => ActivityPub::TagManager.instance.uri_for(local_follower),
}),
})
)).to have_been_made.once
expect(a_request(:post, account.inbox_url).with(
body: hash_including({
'type' => 'Undo',
'object' => hash_including({
'type' => 'Follow',
'actor' => ActivityPub::TagManager.instance.uri_for(local_follower),
'object' => account.uri,
}),
})
)).to have_been_made.once
end end
end end
end end

View File

@ -8,7 +8,7 @@ describe ResolveURLService, type: :service do
describe '#call' do describe '#call' do
it 'returns nil when there is no resource url' do it 'returns nil when there is no resource url' do
url = 'http://example.com/missing-resource' url = 'http://example.com/missing-resource'
known_account = Fabricate(:account, uri: url) known_account = Fabricate(:account, uri: url, domain: 'example.com')
service = instance_double(FetchResourceService) service = instance_double(FetchResourceService)
allow(FetchResourceService).to receive(:new).and_return service allow(FetchResourceService).to receive(:new).and_return service
@ -20,7 +20,7 @@ describe ResolveURLService, type: :service do
it 'returns known account on temporary error' do it 'returns known account on temporary error' do
url = 'http://example.com/missing-resource' url = 'http://example.com/missing-resource'
known_account = Fabricate(:account, uri: url) known_account = Fabricate(:account, uri: url, domain: 'example.com')
service = instance_double(FetchResourceService) service = instance_double(FetchResourceService)
allow(FetchResourceService).to receive(:new).and_return service allow(FetchResourceService).to receive(:new).and_return service

View File

@ -44,8 +44,8 @@ RSpec.describe SuspendAccountService, type: :service do
include_examples 'common behavior' do include_examples 'common behavior' do
let!(:account) { Fabricate(:account) } let!(:account) { Fabricate(:account) }
let!(:remote_follower) { Fabricate(:account, uri: 'https://alice.com', inbox_url: 'https://alice.com/inbox', protocol: :activitypub) } let!(:remote_follower) { Fabricate(:account, uri: 'https://alice.com', inbox_url: 'https://alice.com/inbox', protocol: :activitypub, domain: 'alice.com') }
let!(:remote_reporter) { Fabricate(:account, uri: 'https://bob.com', inbox_url: 'https://bob.com/inbox', protocol: :activitypub) } let!(:remote_reporter) { Fabricate(:account, uri: 'https://bob.com', inbox_url: 'https://bob.com/inbox', protocol: :activitypub, domain: 'bob.com') }
let!(:report) { Fabricate(:report, account: remote_reporter, target_account: account) } let!(:report) { Fabricate(:report, account: remote_reporter, target_account: account) }
before do before do

View File

@ -38,8 +38,8 @@ RSpec.describe UnsuspendAccountService, type: :service do
include_examples 'with common context' do include_examples 'with common context' do
let!(:account) { Fabricate(:account) } let!(:account) { Fabricate(:account) }
let!(:remote_follower) { Fabricate(:account, uri: 'https://alice.com', inbox_url: 'https://alice.com/inbox', protocol: :activitypub) } let!(:remote_follower) { Fabricate(:account, uri: 'https://alice.com', inbox_url: 'https://alice.com/inbox', protocol: :activitypub, domain: 'alice.com') }
let!(:remote_reporter) { Fabricate(:account, uri: 'https://bob.com', inbox_url: 'https://bob.com/inbox', protocol: :activitypub) } let!(:remote_reporter) { Fabricate(:account, uri: 'https://bob.com', inbox_url: 'https://bob.com/inbox', protocol: :activitypub, domain: 'bob.com') }
let!(:report) { Fabricate(:report, account: remote_reporter, target_account: account) } let!(:report) { Fabricate(:report, account: remote_reporter, target_account: account) }
before do before do

View File

@ -6,7 +6,7 @@ describe ActivityPub::DistributePollUpdateWorker do
subject { described_class.new } subject { described_class.new }
let(:account) { Fabricate(:account) } let(:account) { Fabricate(:account) }
let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com') } let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com', domain: 'example.com') }
let(:poll) { Fabricate(:poll, account: account) } let(:poll) { Fabricate(:poll, account: account) }
let!(:status) { Fabricate(:status, account: account, poll: poll) } let!(:status) { Fabricate(:status, account: account, poll: poll) }

View File

@ -6,7 +6,7 @@ describe ActivityPub::DistributionWorker do
subject { described_class.new } subject { described_class.new }
let(:status) { Fabricate(:status) } let(:status) { Fabricate(:status) }
let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com') } let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com', domain: 'example.com') }
describe '#perform' do describe '#perform' do
before do before do
@ -36,7 +36,7 @@ describe ActivityPub::DistributionWorker do
end end
context 'with direct status' do context 'with direct status' do
let(:mentioned_account) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/inbox') } let(:mentioned_account) { Fabricate(:account, protocol: :activitypub, inbox_url: 'https://foo.bar/inbox', domain: 'foo.bar') }
before do before do
status.update(visibility: :direct) status.update(visibility: :direct)

View File

@ -5,7 +5,7 @@ require 'rails_helper'
describe ActivityPub::FetchRepliesWorker do describe ActivityPub::FetchRepliesWorker do
subject { described_class.new } subject { described_class.new }
let(:account) { Fabricate(:account, uri: 'https://example.com/user/1') } let(:account) { Fabricate(:account, domain: 'example.com') }
let(:status) { Fabricate(:status, account: account) } let(:status) { Fabricate(:status, account: account) }
let(:payload) do let(:payload) do

View File

@ -6,8 +6,8 @@ describe ActivityPub::MoveDistributionWorker do
subject { described_class.new } subject { described_class.new }
let(:migration) { Fabricate(:account_migration) } let(:migration) { Fabricate(:account_migration) }
let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com') } let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com', domain: 'example.com') }
let(:blocker) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example2.com') } let(:blocker) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example2.com', domain: 'example2.com') }
describe '#perform' do describe '#perform' do
before do before do

View File

@ -6,7 +6,7 @@ describe ActivityPub::StatusUpdateDistributionWorker do
subject { described_class.new } subject { described_class.new }
let(:status) { Fabricate(:status, text: 'foo') } let(:status) { Fabricate(:status, text: 'foo') }
let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com') } let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com', domain: 'example.com') }
describe '#perform' do describe '#perform' do
before do before do

View File

@ -6,7 +6,7 @@ describe ActivityPub::UpdateDistributionWorker do
subject { described_class.new } subject { described_class.new }
let(:account) { Fabricate(:account) } let(:account) { Fabricate(:account) }
let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com') } let(:follower) { Fabricate(:account, protocol: :activitypub, inbox_url: 'http://example.com', domain: 'example.com') }
describe '#perform' do describe '#perform' do
before do before do