From ecdaf52bac011cdd0f17c94abf1174fc722331fa Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Mon, 18 Mar 2019 22:33:48 +0300
Subject: WebFinger is HTTPS-only protocol
---
 .../java/com/juick/server/SignatureManager.java | 30 +++++++++++++---------
 .../java/com/juick/server/tests/ServerTests.java | 14 +++++++---
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/src/main/java/com/juick/server/SignatureManager.java b/src/main/java/com/juick/server/SignatureManager.java
index 755575ce..904f89af 100644
--- a/src/main/java/com/juick/server/SignatureManager.java
+++ b/src/main/java/com/juick/server/SignatureManager.java
@@ -9,11 +9,11 @@ import com.juick.server.api.webfinger.model.Account;
 import com.juick.server.api.webfinger.model.Link;
 import com.juick.service.UserService;
 import com.juick.util.DateFormattersHolder;
-import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Component;
 import org.springframework.web.client.RestTemplate;
@@ -130,17 +130,23 @@ public class SignatureManager {
 return Optional.empty();
 }
 public Optional discoverPerson(String acct) {
-        String[] accountParts = acct.split(":", 2);
-        String account = accountParts[0];
-        int port = accountParts.length > 1 ? Integer.valueOf(accountParts[1]) : 80;
-        Jid acctId = Jid.of(account);
-        URI resourceUri = UriComponentsBuilder.fromUriString(
-                String.format("http://%s:%d/.well-known/webfinger?resource=acct:%s", acctId.getDomain(), port, account)).build().toUri();
-        Account acctData = apClient.getForEntity(resourceUri, Account.class).getBody();
-        if (acctData != null) {
-            for (Link l : acctData.getLinks()) {
-                if (l.getRel().equals("self") && l.getType().equals(ACTIVITY_MEDIA_TYPE)) {
-                    return getContext(URI.create(l.getHref()));
+        Jid acctId = Jid.of(acct);
+        URI resourceUri = UriComponentsBuilder.fromPath("/.well-known/webfinger")
+                .host(acctId.getDomain())
+                .scheme("https")
+                .queryParam("resource", String.format("%s", acctId.toEscapedString())).build().toUri();
+        HttpHeaders headers = new HttpHeaders();
+        headers.add("Accept", "application/jrd+json");
+        HttpEntity webfingerRequest = new HttpEntity<>(headers);
+        ResponseEntity response = apClient.exchange(
+                resourceUri, HttpMethod.GET, webfingerRequest, Account.class);
+        if (response.getStatusCode().is2xxSuccessful()) {
+            Account acctData = response.getBody();
+            if (acctData != null) {
+                for (Link l : acctData.getLinks()) {
+                    if (l.getRel().equals("self") && l.getType().equals(ACTIVITY_MEDIA_TYPE)) {
+                        return getContext(URI.create(l.getHref()));
+                    }
 }
 }
 }
diff --git a/src/test/java/com/juick/server/tests/ServerTests.java b/src/test/java/com/juick/server/tests/ServerTests.java
index 7f46968f..ea99fac3 100644
--- a/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/src/test/java/com/juick/server/tests/ServerTests.java
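Review bot: The WebFinger query now sends `resource=` as `acctId.toEscapedString()` with no `acct:` scheme, whereas the removed code (and the server's own endpoint test, which requests `/.well-known/webfinger?resource=acct:...`) used an `acct:` URI; unless `Jid.toEscapedString()` already prepends it, remote peers will answer 404, and the `String.format("%s", ...)` wrapper is a no-op — `.queryParam("resource", "acct:" + acctId.toEscapedString())`. The `is2xxSuccessful()` branch is also only reachable if `apClient` carries a non-default error handler: a stock RestTemplate turns a 4xx/5xx from `exchange` into `HttpClientErrorException`/`HttpServerErrorException`, so an unknown remote account escapes `discoverPerson` as an unchecked exception instead of reaching the fall-through `Optional.empty()` that sits outside the hunk; the wrapper below (needs `org.springframework.web.client.RestClientException` imported) restores that result. The `href` copied from the remote JRD is untrusted input handed straight to `URI.create` and `getContext`, so a malformed value throws `IllegalArgumentException` here, and given the commit makes discovery HTTPS-only it would be consistent to follow only `https` hrefs; `"self".equals(l.getRel())` would likewise survive a link without `rel`.
```java
        ResponseEntity<Account> response;
        try {
            response = apClient.exchange(resourceUri, HttpMethod.GET, webfingerRequest, Account.class);
        } catch (RestClientException e) {
            // unreachable host, TLS failure or non-2xx status: nothing discoverable for this acct
            return Optional.empty();
        }
        // … unchanged: 2xx check and "self" link scan …
```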
@@ -33,6 +33,7 @@ import com.juick.model.CommandResult;
 import com.juick.model.PrivateChats;
 import com.juick.model.TagStats;
 import com.juick.server.*;
+import com.juick.server.api.activity.Profile;
 import com.juick.server.api.activity.model.Context;
 import com.juick.server.api.activity.model.activities.*;
 import com.juick.server.api.activity.model.objects.Note;
@@ -198,6 +199,8 @@ public class ServerTests {
 private WebApp webApp;
 @Inject
 private RestTemplate apClient;
+    @Inject
+    private Profile profileController;
 @Value("classpath:mocks/activity/testuser.json")
 private Resource testuserResponse;
@@ -1408,8 +1411,6 @@ public class ServerTests {
 .andExpect(jsonPath("$.links[0].href", is("http://localhost:8080/u/ugnich")));
 mockMvc.perform(get("/.well-known/webfinger?resource=acct:durov@localhost"))
 .andExpect(status().isNotFound());
-        Person ugnich = (Person) signatureManager.discoverPerson("ugnich@juick.com").get();
-        assertThat(ugnich.getName(), is(ugnichName));
 }
 @Test
 public void userProfileAndBlogShouldBeExposedAsActivityStream() throws Exception {
@@ -1747,10 +1748,15 @@ public class ServerTests {
 @Test
 public void serviceSignatureAuth() throws Exception {
 String meUri = "/api/me";
-        String testHost = "localhost:8080";
-        Person ugnichPerson = (Person) signatureManager.discoverPerson("ugnich@localhost:8080").get();
 Instant now = Instant.now();
 String requestDate = DateFormattersHolder.getHttpDateFormatter().format(now);
+        mockMvc.perform(get("/api/me")
+                .header("Date", requestDate))
+                .andExpect(status().isUnauthorized());
+        String testHost = "localhost";
+        Person ugnichPerson = profileController.getUser("ugnich");
+        now = Instant.now();
+        requestDate = DateFormattersHolder.getHttpDateFormatter().format(now);
 String signatureString = signatureManager.addSignature(ugnichPerson, testHost, "GET", meUri, requestDate);
 MvcResult me = mockMvc.perform(get("/api/me")
 .header("Host", testHost)
-- 
cgit v1.2.3
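Review bot: The commit drops the only exercise of `SignatureManager.discoverPerson` (the `ugnich@juick.com` assertion in the hunk at line 1408, which hit the live network, and the `ugnich@localhost:8080` lookup in `serviceSignatureAuth`) without replacing it, so the new HTTPS WebFinger code path has no test at all; since this class already injects the same `apClient` RestTemplate, a `MockRestServiceServer.bindTo(apClient)` expectation on the `https://localhost/.well-known/webfinger` URL answering with a JRD fixture would cover it offline. In `serviceSignatureAuth`, `now` and `requestDate` are recomputed right after the unauthorized request; unless the intent is to keep the signed `Date` fresh relative to that first call, the two reassignments are redundant and could go. The new negative request sends neither `Host` nor `Signature`, so it only proves an unsigned request is rejected, which deserves saying in a comment: `// no Signature header: expected 401 regardless of Date`. `serviceSignatureAuth` continues past the end of the hunk.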