From 07ebf86ab279811c365e8174807dbf36fc2f4ca4 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Tue, 10 Nov 2020 16:36:02 +0300
Subject: ActivityPub: Digest header is mandatory now for POST requests

---
 .../java/com/juick/server/tests/ServerTests.java | 25 ++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

(limited to 'src/test/java')

diff --git a/src/test/java/com/juick/server/tests/ServerTests.java b/src/test/java/com/juick/server/tests/ServerTests.java
index 320ba6fd..925d42f6 100644
--- a/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/src/test/java/com/juick/server/tests/ServerTests.java
@@ -104,6 +104,7 @@ import org.springframework.web.client.ResourceAccessException;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
+import org.tomitribe.auth.signatures.Base64;
 import org.w3c.dom.*;
 import org.xml.sax.SAXException;
 import rocks.xmpp.addr.Jid;
@@ -1889,7 +1890,7 @@ public class ServerTests {
     }
 
     @Test
-    public void signingSpec() throws IOException {
+    public void signingSpec() throws IOException, NoSuchAlgorithmException {
         Person from = (Person) signatureManager.getContext(URI.create("http://localhost:8080/u/freefd")).get();
         Person to = (Person) signatureManager.getContext(URI.create("http://localhost:8080/u/ugnich")).get();
         Follow follow = new Follow();
@@ -1910,7 +1911,7 @@ public class ServerTests {
         Person ugnichPerson = profileController.getUser("ugnich");
         now = Instant.now();
         requestDate = DateFormattersHolder.getHttpDateFormatter().format(now);
-        String signatureString = signatureManager.addSignature(ugnichPerson, testHost, "GET", meUri, requestDate);
+        String signatureString = signatureManager.addSignature(ugnichPerson, testHost, "GET", meUri, requestDate, StringUtils.EMPTY);
         MvcResult me = mockMvc.perform(get("/api/me")
                 .header("Host", testHost)
                 .header("Date", requestDate)
@@ -1924,24 +1925,28 @@ public class ServerTests {
         URI testuserUri = URI.create("https://example.com/u/testuser");
         URI testuserkeyUri = URI.create("https://example.com/u/testuser#main-key");
         MockRestServiceServer restServiceServer = MockRestServiceServer.createServer(apClient);
-        restServiceServer.expect(times(3), requestTo(testuserUri))
+        restServiceServer.expect(times(4), requestTo(testuserUri))
                 .andRespond(withSuccess(testuserResponseString, MediaType.APPLICATION_JSON));
-        restServiceServer.expect(times(3), requestTo(testuserkeyUri))
+        restServiceServer.expect(times(4), requestTo(testuserkeyUri))
                 .andRespond(withSuccess(testuserResponseString, MediaType.APPLICATION_JSON));
         Person testuser = (Person) signatureManager.getContext(testuserUri).get();
         assertThat(testuser.getPublicKey().getPublicKeyPem(), is(testKeystoreManager.getPublicKeyPem()));
         Instant now2 = Instant.now();
         String testRequestDate = DateFormattersHolder.getHttpDateFormatter().format(now2);
         String inboxUri = "/api/inbox";
+        var payload = IOUtils.toByteArray(testfollowRequest.getInputStream());
+        final byte[] digest = MessageDigest.getInstance("SHA-256").digest(payload); // (1)
+        final String digestHeader = "SHA-256=" + new String(Base64.encodeBase64(digest));
         String testSignatureString = signatureManager.addSignature(testuser, testHost, "POST",
-                inboxUri, testRequestDate, testKeystoreManager);
+                inboxUri, testRequestDate, digestHeader, testKeystoreManager);
         mockMvc.perform(post(inboxUri)
                 .header("Host", testHost)
                 .header("Date", testRequestDate)
+                .header("Digest", digestHeader)
                 .header("Signature", testSignatureString)
                 .contentType(Context.LD_JSON_MEDIA_TYPE)
-                .content(IOUtils.toByteArray(testfollowRequest.getInputStream())))
+                .content(payload))
                 .andExpect(status().isAccepted());
         mockMvc.perform(post(inboxUri)
                 .header("Host", "wronghost")
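Review bot: The digest header is assembled with `new String(Base64.encodeBase64(digest))` from `org.tomitribe.auth.signatures.Base64`, which runs the bytes through the platform default charset and pulls a library class into the test for something the JDK already provides; `final String digestHeader = "SHA-256=" + java.util.Base64.getEncoder().encodeToString(digest);` produces the same header with no charset dependency and would make the new import in the first hunk unnecessary. The `// (1)` marker on the MessageDigest line refers to nothing; either drop it or say what it flags, for instance `// SHA-256 is mandatory in every Java implementation, so NoSuchAlgorithmException cannot be raised here`. Declaring `payload` with `var` and the next two locals as `final byte[]`/`final String` mixes two styles in three adjacent lines; pick one. signingSpec begins and ends outside this hunk.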
@@ -1950,6 +1955,14 @@ public class ServerTests {
                 .contentType(Context.LD_JSON_MEDIA_TYPE)
                 .content(IOUtils.toByteArray(testfollowRequest.getInputStream())))
                 .andExpect(status().isUnauthorized());
+        // digest required but not present
+        mockMvc.perform(post(inboxUri)
+                .header("Host", testHost)
+                .header("Date", testRequestDate)
+                .header("Signature", testSignatureString)
+                .contentType(Context.LD_JSON_MEDIA_TYPE)
+                .content(payload))
+                .andExpect(status().isUnauthorized());
         apClient.setRequestFactory(originalRequestFactory);
     }
 
-- cgit v1.2.3
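Review bot: The "digest required but not present" case reuses `testSignatureString`, which was produced with `digestHeader` passed to `addSignature`; if that call lists Digest among the signed headers (its new parameter suggests it does), the request already fails signature verification on a missing signed header and the case never exercises the "Digest is mandatory" rule the commit title describes. Sign that request without a digest, as the GET case does with `StringUtils.EMPTY`, so that the absent header is the only thing wrong with it. There is also no case in which a Digest header is present but does not match the body, which is the property the header exists to enforce (binding the signature to the payload); a request whose digest was computed over a different body should be rejected as well. Both are sketched below; the 401 for the mismatch case is assumed from the other rejections and should be confirmed against the inbox controller, and the `times(4)` expectations in the previous hunk may need to grow if the extra request triggers another key fetch. signingSpec begins outside this hunk.
```java
// … unchanged: wronghost case …
// digest required but not present: sign without a digest so that the
// missing header is the only defect in the request
String noDigestSignature = signatureManager.addSignature(testuser, testHost, "POST",
        inboxUri, testRequestDate, StringUtils.EMPTY, testKeystoreManager);
mockMvc.perform(post(inboxUri)
        .header("Host", testHost)
        .header("Date", testRequestDate)
        .header("Signature", noDigestSignature)
        .contentType(Context.LD_JSON_MEDIA_TYPE)
        .content(payload))
        .andExpect(status().isUnauthorized());
// digest present but computed over a different body (constructed sample: the empty body)
final byte[] otherDigest = MessageDigest.getInstance("SHA-256").digest(new byte[0]);
final String wrongDigestHeader = "SHA-256=" + new String(Base64.encodeBase64(otherDigest));
String wrongDigestSignature = signatureManager.addSignature(testuser, testHost, "POST",
        inboxUri, testRequestDate, wrongDigestHeader, testKeystoreManager);
mockMvc.perform(post(inboxUri)
        .header("Host", testHost)
        .header("Date", testRequestDate)
        .header("Digest", wrongDigestHeader)
        .header("Signature", wrongDigestSignature)
        .contentType(Context.LD_JSON_MEDIA_TYPE)
        .content(payload))
        .andExpect(status().isUnauthorized()); // status assumed; confirm against the controller
apClient.setRequestFactory(originalRequestFactory);
```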