From b483ae0a724a2b76e8c61f63a96d7867339dacb1 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 17 Nov 2018 18:24:58 +0000
Subject: [PATCH] tests: add a second spoofing variant
---
 .../https__info.pleroma.site_activity3.json | 13 ++++++++++++
 test/support/httpoison_mock.ex | 8 +++++++
 test/web/activity_pub/transmogrifier_test.exs | 21 +++++++++++++++++--
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
new file mode 100644
index 000000000..1df73f2c5
--- /dev/null
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
@@ -0,0 +1,13 @@
+{
+ "@context": "https://www.w3.org/ns/activitystreams",
+ "attributedTo": "http://mastodon.example.org/users/admin",
+ "attachment": [],
+ "content": "

this post was not actually written by Haelwenn

",
+ "id": "https://info.pleroma.site/activity2.json",
+ "published": "2018-09-01T22:15:00Z",
+ "tag": [],
+ "to": [
+ "https://www.w3.org/ns/activitystreams#Public"
+ ],
+ "type": "Note"
+}
diff --git a/test/support/httpoison_mock.ex b/test/support/httpoison_mock.ex
index 2ea10910e..ebd1e9c4d 100644
--- a/test/support/httpoison_mock.ex
+++ b/test/support/httpoison_mock.ex
@@ -48,6 +48,14 @@ def get("https://info.pleroma.site/activity2.json", _, _) do
 }}
 end
+ def get("https://info.pleroma.site/activity3.json", _, _) do
+ {:ok,
+ %Response{
+ status_code: 200,
+ body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json")
+ }}
+ end
+
 def get("https://info.pleroma.site/actor.json", _, _) do
 {:ok,
 %Response{
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e5308d125..6320b5b6e 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -884,11 +884,11 @@ test "it rejects activities which reference objects with bogus origins" do
 :error = Transmogrifier.handle_incoming(data)
 end
- test "it rejects objects when the ID does not match the fetched URI" do
+ test "it rejects objects when attributedTo is wrong (variant 1)" do
 {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
 end
- test "it rejects activities which reference objects by mismatched URI" do
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
 data = %{
 "@context" => "https://www.w3.org/ns/activitystreams",
 "id" => "http://mastodon.example.org/users/admin/activities/1234",
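Review bot: The fixture's `id` is `https://info.pleroma.site/activity2.json`, yet the mock clause added in this patch serves it from `https://info.pleroma.site/activity3.json`, so the document carries two anomalies at once: an `id` that differs from the fetched URL and an `attributedTo` on another host (`mastodon.example.org`). A rejection then does not show which containment check fired; presumably the tests would still pass if the attribution check regressed while an id-versus-URL check kept rejecting the object. If the stale `id` is unintended, use `"id": "https://info.pleroma.site/activity3.json"` so that only the attribution is wrong; if the mismatch is the point of variant 2, the test names in transmogrifier_test.exs should say that instead of "attributedTo is wrong".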
@@ -900,5 +900,22 @@ test "it rejects activities which reference objects by mismatched URI" do
 :error = Transmogrifier.handle_incoming(data)
 end
+
+ test "it rejects objects when attributedTo is wrong (variant 2)" do
+ {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
+ end
+
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
+ data = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "object" => "https://info.pleroma.site/activity3.json",
+ "type" => "Announce"
+ }
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
 end
 end
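Review bot: Both added tests accept any failure, because `{:error, _}` and `:error` match whatever reason the fetch or `Transmogrifier.handle_incoming(data)` returns, so neither pins the rejection to the spoofed attribution that the test names describe. If `fetch_object_from_id` returns a distinguishable reason, match on it; otherwise put a one-line comment above each test saying what variant 2 changes relative to variant 1, which the names alone do not convey. Writing `assert {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")` and `assert :error = Transmogrifier.handle_incoming(data)` would also give a readable ExUnit failure instead of a bare MatchError. A follow-up check that nothing was stored for `https://info.pleroma.site/activity3.json` after the refused Announce would cover the case where the object is cached before the activity is rejected. The enclosing block that the two trailing `end` lines close starts outside the hunk.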