linked_data_signature_spec.rb 3.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120
  1. require 'rails_helper'
  2. RSpec.describe ActivityPub::LinkedDataSignature do
  3. include JsonLdHelper
  4. let!(:sender) { Fabricate(:account, uri: 'http://example.com/alice') }
  5. let(:raw_json) do
  6. {
  7. '@context' => 'https://www.w3.org/ns/activitystreams',
  8. 'id' => 'http://example.com/hello-world',
  9. }
  10. end
  11. let(:json) { raw_json.merge('signature' => signature) }
  12. subject { described_class.new(json) }
  13. before do
  14. stub_jsonld_contexts!
  15. end
  16. describe '#verify_actor!' do
  17. context 'when signature matches' do
  18. let(:raw_signature) do
  19. {
  20. 'creator' => 'http://example.com/alice',
  21. 'created' => '2017-09-23T20:21:34Z',
  22. }
  23. end
  24. let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
  25. it 'returns creator' do
  26. expect(subject.verify_actor!).to eq sender
  27. end
  28. end
  29. context 'when local account record is missing a public key' do
  30. let(:raw_signature) do
  31. {
  32. 'creator' => 'http://example.com/alice',
  33. 'created' => '2017-09-23T20:21:34Z',
  34. }
  35. end
  36. let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
  37. let(:service_stub) { instance_double(ActivityPub::FetchRemoteKeyService) }
  38. before do
  39. # Ensure signature is computed with the old key
  40. signature
  41. # Unset key
  42. old_key = sender.public_key
  43. sender.update!(private_key: '', public_key: '')
  44. allow(ActivityPub::FetchRemoteKeyService).to receive(:new).and_return(service_stub)
  45. allow(service_stub).to receive(:call).with('http://example.com/alice') do
  46. sender.update!(public_key: old_key)
  47. sender
  48. end
  49. end
  50. it 'fetches key and returns creator' do
  51. expect(subject.verify_actor!).to eq sender
  52. expect(service_stub).to have_received(:call).with('http://example.com/alice').once
  53. end
  54. end
  55. context 'when signature is missing' do
  56. let(:signature) { nil }
  57. it 'returns nil' do
  58. expect(subject.verify_actor!).to be_nil
  59. end
  60. end
  61. context 'when signature is tampered' do
  62. let(:raw_signature) do
  63. {
  64. 'creator' => 'http://example.com/alice',
  65. 'created' => '2017-09-23T20:21:34Z',
  66. }
  67. end
  68. let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => 's69F3mfddd99dGjmvjdjjs81e12jn121Gkm1') }
  69. it 'returns nil' do
  70. expect(subject.verify_actor!).to be_nil
  71. end
  72. end
  73. end
  74. describe '#sign!' do
  75. subject { described_class.new(raw_json).sign!(sender) }
  76. it 'returns a hash' do
  77. expect(subject).to be_a Hash
  78. end
  79. it 'contains signature' do
  80. expect(subject['signature']).to be_a Hash
  81. expect(subject['signature']['signatureValue']).to be_present
  82. end
  83. it 'can be verified again' do
  84. expect(described_class.new(subject).verify_actor!).to eq sender
  85. end
  86. end
  87. def sign(from_actor, options, document)
  88. options_hash = Digest::SHA256.hexdigest(canonicalize(options.merge('@context' => ActivityPub::LinkedDataSignature::CONTEXT)))
  89. document_hash = Digest::SHA256.hexdigest(canonicalize(document))
  90. to_be_verified = options_hash + document_hash
  91. Base64.strict_encode64(from_actor.keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_verified))
  92. end
  93. end