From 9c4cbdbafb0324ae259e10865b90ed1ed0255bdd Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Mon, 18 Mar 2019 21:00:55 +0100 Subject: Add Keybase integration (#10297) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * create account_identity_proofs table * add endpoint for keybase to check local proofs * add async task to update validity and liveness of proofs from keybase * first pass keybase proof CRUD * second pass keybase proof creation * clean up proof list and add badges * add avatar url to keybase api * Always highlight the “Identity Proofs” navigation item when interacting with proofs. * Update translations. * Add profile URL. * Reorder proofs. * Add proofs to bio. * Update settings/identity_proofs front-end. * Use `link_to`. * Only encode query params if they exist. URLs without params had a trailing `?`. * Only show live proofs. * change valid to active in proof list and update liveness before displaying * minor fixes * add keybase config at well-known path * extremely naive feature flagging off the identity proof UI * fixes for rubocop * make identity proofs page resilient to potential keybase issues * normalize i18n * tweaks for brakeman * remove two unused translations * cleanup and add more localizations * make keybase_contacts an admin setting * fix ExternalProofService my_domain * use Addressable::URI in identity proofs * use active model serializer for keybase proof config * more cleanup of keybase proof config * rename proof is_valid and is_live to proof_valid and proof_live * cleanup * assorted tweaks for more robust communication with keybase * Clean up * Small fixes * Display verified identity identically to verified links * Clean up unused CSS * Add caching for Keybase avatar URLs * Remove keybase_contacts setting --- spec/controllers/api/proofs_controller_spec.rb | 96 ++++++++++++++++++ .../settings/identity_proofs_controller_spec.rb | 112 +++++++++++++++++++++ .../keybase_proof_config_controller_spec.rb | 15 +++ .../account_identity_proof_fabricator.rb | 8 ++ spec/lib/proof_provider/keybase/verifier_spec.rb | 82 +++++++++++++++ 5 files changed, 313 insertions(+) create mode 100644 spec/controllers/api/proofs_controller_spec.rb create mode 100644 spec/controllers/settings/identity_proofs_controller_spec.rb create mode 100644 spec/controllers/well_known/keybase_proof_config_controller_spec.rb create mode 100644 spec/fabricators/account_identity_proof_fabricator.rb create mode 100644 spec/lib/proof_provider/keybase/verifier_spec.rb (limited to 'spec') diff --git a/spec/controllers/api/proofs_controller_spec.rb b/spec/controllers/api/proofs_controller_spec.rb new file mode 100644 index 000000000..dbde4927f --- /dev/null +++ b/spec/controllers/api/proofs_controller_spec.rb @@ -0,0 +1,96 @@ +require 'rails_helper' + +describe Api::ProofsController do + let(:alice) { Fabricate(:account, username: 'alice') } + + before do + stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_valid.json?domain=cb6e6126.ngrok.io&kb_username=crypto_alice&sig_hash=111111111111111111111111111111111111111111111111111111111111111111&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":false}') + stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_live.json?domain=cb6e6126.ngrok.io&kb_username=crypto_alice&sig_hash=111111111111111111111111111111111111111111111111111111111111111111&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}') + stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_valid.json?domain=cb6e6126.ngrok.io&kb_username=hidden_alice&sig_hash=222222222222222222222222222222222222222222222222222222222222222222&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}') + stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_live.json?domain=cb6e6126.ngrok.io&kb_username=hidden_alice&sig_hash=222222222222222222222222222222222222222222222222222222222222222222&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}') + end + + describe 'GET #index' do + describe 'with a non-existent username' do + it '404s' do + get :index, params: { username: 'nonexistent', provider: 'keybase' } + + expect(response).to have_http_status(:not_found) + end + end + + describe 'with a user that has no proofs' do + it 'is an empty list of signatures' do + get :index, params: { username: alice.username, provider: 'keybase' } + + expect(body_as_json[:signatures]).to eq [] + end + end + + describe 'with a user that has a live, valid proof' do + let(:token1) { '111111111111111111111111111111111111111111111111111111111111111111' } + let(:kb_name1) { 'crypto_alice' } + + before do + Fabricate(:account_identity_proof, account: alice, verified: true, live: true, token: token1, provider_username: kb_name1) + end + + it 'is a list with that proof in it' do + get :index, params: { username: alice.username, provider: 'keybase' } + + expect(body_as_json[:signatures]).to eq [ + { kb_username: kb_name1, sig_hash: token1 }, + ] + end + + describe 'add one that is neither live nor valid' do + let(:token2) { '222222222222222222222222222222222222222222222222222222222222222222' } + let(:kb_name2) { 'hidden_alice' } + + before do + Fabricate(:account_identity_proof, account: alice, verified: false, live: false, token: token2, provider_username: kb_name2) + end + + it 'is a list with both proofs' do + get :index, params: { username: alice.username, provider: 'keybase' } + + expect(body_as_json[:signatures]).to eq [ + { kb_username: kb_name1, sig_hash: token1 }, + { kb_username: kb_name2, sig_hash: token2 }, + ] + end + end + end + + describe 'a user that has an avatar' do + let(:alice) { Fabricate(:account, username: 'alice', avatar: attachment_fixture('avatar.gif')) } + + context 'and a proof' do + let(:token1) { '111111111111111111111111111111111111111111111111111111111111111111' } + let(:kb_name1) { 'crypto_alice' } + + before do + Fabricate(:account_identity_proof, account: alice, verified: true, live: true, token: token1, provider_username: kb_name1) + get :index, params: { username: alice.username, provider: 'keybase' } + end + + it 'has two keys: signatures and avatar' do + expect(body_as_json.keys).to match_array [:signatures, :avatar] + end + + it 'has the correct signatures' do + expect(body_as_json[:signatures]).to eq [ + { kb_username: kb_name1, sig_hash: token1 }, + ] + end + + it 'has the correct avatar url' do + first_part = 'https://cb6e6126.ngrok.io/system/accounts/avatars/' + last_part = 'original/avatar.gif' + + expect(body_as_json[:avatar]).to match /#{Regexp.quote(first_part)}(?:\d{3,5}\/){3}#{Regexp.quote(last_part)}/ + end + end + end + end +end diff --git a/spec/controllers/settings/identity_proofs_controller_spec.rb b/spec/controllers/settings/identity_proofs_controller_spec.rb new file mode 100644 index 000000000..46af3ccf4 --- /dev/null +++ b/spec/controllers/settings/identity_proofs_controller_spec.rb @@ -0,0 +1,112 @@ +require 'rails_helper' + +describe Settings::IdentityProofsController do + render_views + + let(:user) { Fabricate(:user) } + let(:valid_token) { '1'*66 } + let(:kbname) { 'kbuser' } + let(:provider) { 'keybase' } + let(:findable_id) { Faker::Number.number(5) } + let(:unfindable_id) { Faker::Number.number(5) } + let(:postable_params) do + { account_identity_proof: { provider: provider, provider_username: kbname, token: valid_token } } + end + + before do + allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:status) { { 'proof_valid' => true, 'proof_live' => true } } + sign_in user, scope: :user + end + + describe 'new proof creation' do + context 'GET #new with no existing proofs' do + it 'redirects to :index' do + get :new + expect(response).to redirect_to settings_identity_proofs_path + end + end + + context 'POST #create' do + context 'when saving works' do + before do + allow(ProofProvider::Keybase::Worker).to receive(:perform_async) + allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true } + allow_any_instance_of(AccountIdentityProof).to receive(:on_success_path) { root_url } + end + + it 'serializes a ProofProvider::Keybase::Worker' do + expect(ProofProvider::Keybase::Worker).to receive(:perform_async) + post :create, params: postable_params + end + + it 'delegates redirection to the proof provider' do + expect_any_instance_of(AccountIdentityProof).to receive(:on_success_path) + post :create, params: postable_params + expect(response).to redirect_to root_url + end + end + + context 'when saving fails' do + before do + allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { false } + end + + it 'redirects to :index' do + post :create, params: postable_params + expect(response).to redirect_to settings_identity_proofs_path + end + + it 'flashes a helpful message' do + post :create, params: postable_params + expect(flash[:alert]).to eq I18n.t('identity_proofs.errors.failed', provider: 'Keybase') + end + end + + context 'it can also do an update if the provider and username match an existing proof' do + before do + allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true } + allow(ProofProvider::Keybase::Worker).to receive(:perform_async) + Fabricate(:account_identity_proof, account: user.account, provider: provider, provider_username: kbname) + allow_any_instance_of(AccountIdentityProof).to receive(:on_success_path) { root_url } + end + + it 'calls update with the new token' do + expect_any_instance_of(AccountIdentityProof).to receive(:save) do |proof| + expect(proof.token).to eq valid_token + end + + post :create, params: postable_params + end + end + end + end + + describe 'GET #index' do + context 'with no existing proofs' do + it 'shows the helpful explanation' do + get :index + expect(response.body).to match I18n.t('identity_proofs.explanation_html') + end + end + + context 'with two proofs' do + before do + allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true } + @proof1 = Fabricate(:account_identity_proof, account: user.account) + @proof2 = Fabricate(:account_identity_proof, account: user.account) + allow_any_instance_of(AccountIdentityProof).to receive(:badge) { double(avatar_url: '', profile_url: '', proof_url: '') } + allow_any_instance_of(AccountIdentityProof).to receive(:refresh!) { } + end + + it 'has the first proof username on the page' do + get :index + expect(response.body).to match /#{Regexp.quote(@proof1.provider_username)}/ + end + + it 'has the second proof username on the page' do + get :index + expect(response.body).to match /#{Regexp.quote(@proof2.provider_username)}/ + end + end + end +end diff --git a/spec/controllers/well_known/keybase_proof_config_controller_spec.rb b/spec/controllers/well_known/keybase_proof_config_controller_spec.rb new file mode 100644 index 000000000..9067e676d --- /dev/null +++ b/spec/controllers/well_known/keybase_proof_config_controller_spec.rb @@ -0,0 +1,15 @@ +require 'rails_helper' + +describe WellKnown::KeybaseProofConfigController, type: :controller do + render_views + + describe 'GET #show' do + it 'renders json' do + get :show + + expect(response).to have_http_status(200) + expect(response.content_type).to eq 'application/json' + expect { JSON.parse(response.body) }.not_to raise_exception + end + end +end diff --git a/spec/fabricators/account_identity_proof_fabricator.rb b/spec/fabricators/account_identity_proof_fabricator.rb new file mode 100644 index 000000000..94f40dfd6 --- /dev/null +++ b/spec/fabricators/account_identity_proof_fabricator.rb @@ -0,0 +1,8 @@ +Fabricator(:account_identity_proof) do + account + provider 'keybase' + provider_username { sequence(:provider_username) { |i| "#{Faker::Lorem.characters(15)}" } } + token { sequence(:token) { |i| "#{i}#{Faker::Crypto.sha1()*2}"[0..65] } } + verified false + live false +end diff --git a/spec/lib/proof_provider/keybase/verifier_spec.rb b/spec/lib/proof_provider/keybase/verifier_spec.rb new file mode 100644 index 000000000..4ce67da9c --- /dev/null +++ b/spec/lib/proof_provider/keybase/verifier_spec.rb @@ -0,0 +1,82 @@ +require 'rails_helper' + +describe ProofProvider::Keybase::Verifier do + let(:my_domain) { Rails.configuration.x.local_domain } + + let(:keybase_proof) do + local_proof = AccountIdentityProof.new( + provider: 'Keybase', + provider_username: 'cryptoalice', + token: '11111111111111111111111111' + ) + + described_class.new('alice', 'cryptoalice', '11111111111111111111111111') + end + + let(:query_params) do + "domain=#{my_domain}&kb_username=cryptoalice&sig_hash=11111111111111111111111111&username=alice" + end + + describe '#valid?' do + let(:base_url) { 'https://keybase.io/_/api/1.0/sig/proof_valid.json' } + + context 'when valid' do + before do + json_response_body = '{"status":{"code":0,"name":"OK"},"proof_valid":true}' + stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body) + end + + it 'calls out to keybase and returns true' do + expect(keybase_proof.valid?).to eq true + end + end + + context 'when invalid' do + before do + json_response_body = '{"status":{"code":0,"name":"OK"},"proof_valid":false}' + stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body) + end + + it 'calls out to keybase and returns false' do + expect(keybase_proof.valid?).to eq false + end + end + + context 'with an unexpected api response' do + before do + json_response_body = '{"status":{"code":100,"desc":"wrong size hex_id","fields":{"sig_hash":"wrong size hex_id"},"name":"INPUT_ERROR"}}' + stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body) + end + + it 'swallows the error and returns false' do + expect(keybase_proof.valid?).to eq false + end + end + end + + describe '#status' do + let(:base_url) { 'https://keybase.io/_/api/1.0/sig/proof_live.json' } + + context 'with a normal response' do + before do + json_response_body = '{"status":{"code":0,"name":"OK"},"proof_live":false,"proof_valid":true}' + stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body) + end + + it 'calls out to keybase and returns the status fields as proof_valid and proof_live' do + expect(keybase_proof.status).to include({ 'proof_valid' => true, 'proof_live' => false }) + end + end + + context 'with an unexpected keybase response' do + before do + json_response_body = '{"status":{"code":100,"desc":"missing non-optional field sig_hash","fields":{"sig_hash":"missing non-optional field sig_hash"},"name":"INPUT_ERROR"}}' + stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body) + end + + it 'raises a ProofProvider::Keybase::UnexpectedResponseError' do + expect { keybase_proof.status }.to raise_error ProofProvider::Keybase::UnexpectedResponseError + end + end + end +end -- cgit From 66d945209278c9344d503fe4e7a58d5c6f040e50 Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 20 Mar 2019 17:20:16 +0100 Subject: Do not try fetching keys of unknown accounts on a Delete from them (#10326) --- app/controllers/activitypub/inboxes_controller.rb | 16 +++++++++++++--- spec/controllers/activitypub/inboxes_controller_spec.rb | 4 ++-- 2 files changed, 15 insertions(+), 5 deletions(-) (limited to 'spec') diff --git a/app/controllers/activitypub/inboxes_controller.rb b/app/controllers/activitypub/inboxes_controller.rb index 8f5e1887e..1501b914e 100644 --- a/app/controllers/activitypub/inboxes_controller.rb +++ b/app/controllers/activitypub/inboxes_controller.rb @@ -2,11 +2,14 @@ class ActivityPub::InboxesController < Api::BaseController include SignatureVerification + include JsonLdHelper before_action :set_account def create - if signed_request_account + if unknown_deleted_account? + head 202 + elsif signed_request_account upgrade_account process_payload head 202 @@ -17,12 +20,19 @@ class ActivityPub::InboxesController < Api::BaseController private + def unknown_deleted_account? + json = Oj.load(body, mode: :strict) + json['type'] == 'Delete' && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.where(uri: json['actor']).exists? + rescue Oj::ParseError + false + end + def set_account @account = Account.find_local!(params[:account_username]) if params[:account_username] end def body - @body ||= request.body.read + @body ||= request.body.read.force_encoding('UTF-8') end def upgrade_account @@ -36,6 +46,6 @@ class ActivityPub::InboxesController < Api::BaseController end def process_payload - ActivityPub::ProcessingWorker.perform_async(signed_request_account.id, body.force_encoding('UTF-8'), @account&.id) + ActivityPub::ProcessingWorker.perform_async(signed_request_account.id, body, @account&.id) end end diff --git a/spec/controllers/activitypub/inboxes_controller_spec.rb b/spec/controllers/activitypub/inboxes_controller_spec.rb index 4055d9342..eab4b8c3e 100644 --- a/spec/controllers/activitypub/inboxes_controller_spec.rb +++ b/spec/controllers/activitypub/inboxes_controller_spec.rb @@ -10,7 +10,7 @@ RSpec.describe ActivityPub::InboxesController, type: :controller do Fabricate(:account) end - post :create + post :create, body: '{}' expect(response).to have_http_status(202) end end @@ -21,7 +21,7 @@ RSpec.describe ActivityPub::InboxesController, type: :controller do false end - post :create + post :create, body: '{}' expect(response).to have_http_status(401) end end -- cgit