From 506a70d0d83c32030c59f118d51ae0b7456972a2 Mon Sep 17 00:00:00 2001
From: Matt Jankowski
Date: Wed, 12 Feb 2025 03:33:25 -0500
Subject: [PATCH] Convert "http signatures" portion of statuses controller spec to request spec (#33890)
---
 spec/controllers/statuses_controller_spec.rb | 201 -------------------
 spec/requests/statuses_spec.rb | 180 +++++++++++++++++
 2 files changed, 180 insertions(+), 201 deletions(-)
diff --git a/spec/controllers/statuses_controller_spec.rb b/spec/controllers/statuses_controller_spec.rb
index e589693b17..a6318badfa 100644
--- a/spec/controllers/statuses_controller_spec.rb
+++ b/spec/controllers/statuses_controller_spec.rb
@@ -275,206 +275,5 @@ RSpec.describe StatusesController do
 end
 end
 end
-
- context 'with signature' do
- let(:remote_account) { Fabricate(:account, domain: 'example.com') }
-
- before do
- allow(controller).to receive(:signed_request_actor).and_return(remote_account)
- end
-
- context 'when account blocks account' do
- before do
- account.block!(remote_account)
- get :show, params: { account_username: status.account.username, id: status.id }
- end
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
-
- context 'when account domain blocks account' do
- before do
- account.block_domain!(remote_account.domain)
- get :show, params: { account_username: status.account.username, id: status.id }
- end
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
-
- context 'when status is public' do
- before do
- get :show, params: { account_username: status.account.username, id: status.id, format: format }
- end
-
- context 'with HTML' do
- let(:format) { 'html' }
-
- it 'renders status successfully', :aggregate_failures do
- expect(response)
- .to have_http_status(200)
- .and render_template(:show)
- expect(response.headers).to include(
- 'Vary' => 'Accept, Accept-Language, Cookie',
- 'Cache-Control' => include('private'),
- 'Link' => include('activity+json')
- )
- expect(response.body).to include status.text
- end
- end
-
- context 'with JSON' do
- let(:format) { 'json' }
-
- it 'renders ActivityPub Note object successfully', :aggregate_failures do
- expect(response)
- .to have_http_status(200)
- .and have_cacheable_headers.with_vary('Accept, Accept-Language, Cookie')
- expect(response.headers).to include(
- 'Content-Type' => include('application/activity+json'),
- 'Link' => include('activity+json')
- )
- expect(response.parsed_body)
- .to include(content: include(status.text))
- end
- end
- end
-
- context 'when status is private' do
- let(:status) { Fabricate(:status, account: account, visibility: :private) }
-
- context 'when user is authorized to see it' do
- before do
- remote_account.follow!(account)
- get :show, params: { account_username: status.account.username, id: status.id, format: format }
- end
-
- context 'with HTML' do
- let(:format) { 'html' }
-
- it 'renders status successfully', :aggregate_failures do
- expect(response)
- .to have_http_status(200)
- .and render_template(:show)
- expect(response.headers).to include(
- 'Vary' => 'Accept, Accept-Language, Cookie',
- 'Cache-Control' => include('private'),
- 'Link' => include('activity+json')
- )
- expect(response.body).to include status.text
- end
- end
-
- context 'with JSON' do
- let(:format) { 'json' }
-
- it 'renders ActivityPub Note object successfully' do
- expect(response)
- .to have_http_status(200)
- expect(response.headers).to include(
- 'Vary' => 'Accept, Accept-Language, Cookie',
- 'Cache-Control' => include('private'),
- 'Content-Type' => include('application/activity+json'),
- 'Link' => include('activity+json')
- )
-
- expect(response.parsed_body)
- .to include(content: include(status.text))
- end
- end
- end
-
- context 'when user is not authorized to see it' do
- before do
- get :show, params: { account_username: status.account.username, id: status.id, format: format }
- end
-
- context 'with JSON' do
- let(:format) { 'json' }
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
-
- context 'with HTML' do
- let(:format) { 'html' }
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
- end
- end
-
- context 'when status is direct' do
- let(:status) { Fabricate(:status, account: account, visibility: :direct) }
-
- context 'when user is authorized to see it' do
- before do
- Fabricate(:mention, account: remote_account, status: status)
- get :show, params: { account_username: status.account.username, id: status.id, format: format }
- end
-
- context 'with HTML' do
- let(:format) { 'html' }
-
- it 'renders status successfully', :aggregate_failures do
- expect(response)
- .to have_http_status(200)
- .and render_template(:show)
- expect(response.headers).to include(
- 'Vary' => 'Accept, Accept-Language, Cookie',
- 'Cache-Control' => include('private'),
- 'Link' => include('activity+json')
- )
- expect(response.body).to include status.text
- end
- end
-
- context 'with JSON' do
- let(:format) { 'json' }
-
- it 'renders ActivityPub Note object', :aggregate_failures do
- expect(response)
- .to have_http_status(200)
- expect(response.headers).to include(
- 'Vary' => 'Accept, Accept-Language, Cookie',
- 'Cache-Control' => include('private'),
- 'Content-Type' => include('application/activity+json'),
- 'Link' => include('activity+json')
- )
- expect(response.parsed_body)
- .to include(content: include(status.text))
- end
- end
- end
-
- context 'when user is not authorized to see it' do
- before do
- get :show, params: { account_username: status.account.username, id: status.id, format: format }
- end
-
- context 'with JSON' do
- let(:format) { 'json' }
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
-
- context 'with HTML' do
- let(:format) { 'html' }
-
- it 'returns http not found' do
- expect(response).to have_http_status(404)
- end
- end
- end
- end
- end
 end
 end
diff --git a/spec/requests/statuses_spec.rb b/spec/requests/statuses_spec.rb
index f86d67d405..58a7144b99 100644
--- a/spec/requests/statuses_spec.rb
+++ b/spec/requests/statuses_spec.rb
@@ -63,5 +63,185 @@ RSpec.describe 'Statuses' do
 end
 end
 end
+
+ context 'with "HTTP Signature" access signed by a remote account' do
+ subject do
+ get short_account_status_path(account_username: status.account.username, id: status.id, format: format),
+ headers: nil,
+ sign_with: remote_account
+ end
+
+ let(:format) { 'html' }
+ let(:remote_account) { Fabricate(:account, domain: 'host.example') }
+
+ context 'when account blocks the remote account' do
+ before { account.block!(remote_account) }
+
+ it 'returns http not found' do
+ subject
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
+
+ context 'when account domain blocks the domain of the remote account' do
+ before { account.block_domain!(remote_account.domain) }
+
+ it 'returns http not found' do
+ subject
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
+
+ context 'when status has public visibility' do
+ context 'with HTML' do
+ let(:format) { 'html' }
+
+ it 'renders status successfully', :aggregate_failures do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ expect(response.headers).to include(
+ 'Vary' => 'Accept, Accept-Language, Cookie',
+ 'Cache-Control' => include('private'),
+ 'Link' => include('activity+json')
+ )
+ expect(response.body)
+ .to include(status.text)
+ end
+ end
+
+ context 'with JSON' do
+ let(:format) { 'json' }
+
+ it 'renders ActivityPub Note object successfully', :aggregate_failures do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ .and have_cacheable_headers.with_vary('Accept, Accept-Language, Cookie')
+ expect(response.headers).to include(
+ 'Content-Type' => include('application/activity+json'),
+ 'Link' => include('activity+json')
+ )
+ expect(response.parsed_body)
+ .to include(content: include(status.text))
+ end
+ end
+ end
+
+ context 'when status has private visibility' do
+ let(:status) { Fabricate(:status, account: account, visibility: :private) }
+
+ context 'when user is authorized to see it' do
+ before { remote_account.follow!(account) }
+
+ context 'with HTML' do
+ let(:format) { 'html' }
+
+ it 'renders status successfully', :aggregate_failures do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ expect(response.headers).to include(
+ 'Vary' => 'Accept, Accept-Language, Cookie',
+ 'Cache-Control' => include('private'),
+ 'Link' => include('activity+json')
+ )
+ expect(response.body)
+ .to include(status.text)
+ end
+ end
+
+ context 'with JSON' do
+ let(:format) { 'json' }
+
+ it 'renders ActivityPub Note object successfully' do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ expect(response.headers).to include(
+ 'Vary' => 'Accept, Accept-Language, Cookie',
+ 'Cache-Control' => include('private'),
+ 'Content-Type' => include('application/activity+json'),
+ 'Link' => include('activity+json')
+ )
+
+ expect(response.parsed_body)
+ .to include(content: include(status.text))
+ end
+ end
+ end
+
+ context 'when user is not authorized to see it' do
+ it 'returns http not found' do
+ subject
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
+ end
+
+ context 'when status is direct' do
+ let(:status) { Fabricate(:status, account: account, visibility: :direct) }
+
+ context 'when user is authorized to see it' do
+ before { Fabricate(:mention, account: remote_account, status: status) }
+
+ context 'with HTML' do
+ let(:format) { 'html' }
+
+ it 'renders status successfully', :aggregate_failures do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ expect(response.headers).to include(
+ 'Vary' => 'Accept, Accept-Language, Cookie',
+ 'Cache-Control' => include('private'),
+ 'Link' => include('activity+json')
+ )
+ expect(response.body)
+ .to include(status.text)
+ end
+ end
+
+ context 'with JSON' do
+ let(:format) { 'json' }
+
+ it 'renders ActivityPub Note object', :aggregate_failures do
+ subject
+
+ expect(response)
+ .to have_http_status(200)
+ expect(response.headers).to include(
+ 'Vary' => 'Accept, Accept-Language, Cookie',
+ 'Cache-Control' => include('private'),
+ 'Content-Type' => include('application/activity+json'),
+ 'Link' => include('activity+json')
+ )
+ expect(response.parsed_body)
+ .to include(content: include(status.text))
+ end
+ end
+ end
+
+ context 'when user is not authorized to see it' do
+ it 'returns http not found' do
+ subject
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
+ end
+ end
 end
 end
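Review bot: Both `context 'when user is not authorized to see it'` blocks in this hunk (one under private visibility, one under direct) now run only with the default `let(:format) { 'html' }`, whereas the removed controller spec asserted the 404 for JSON as well, so the `application/activity+json` fetch path — the one a signed remote actor actually uses to retrieve a status — no longer has its private/direct authorization check under test. Restoring a format loop in both contexts keeps that check covered, and the blocked-account and blocked-domain contexts near the top of the hunk also only exercise `html` and would benefit from the same treatment. The `headers: nil` argument on the `subject` `get` looks redundant if the signing helper defaults it, but that cannot be confirmed from this hunk. The enclosing `RSpec.describe 'Statuses'` block begins outside the hunk.
```ruby
context 'when user is not authorized to see it' do
  %w[html json].each do |unauthorized_format|
    context "with #{unauthorized_format}" do
      let(:format) { unauthorized_format }

      it 'returns http not found' do
        subject

        expect(response)
          .to have_http_status(404)
      end
    end
  end
end
# … unchanged: the authorized-user contexts and the surrounding visibility contexts …
```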