Fix security context sometimes not being added in LD-Signed activities (#31871)

Claire 2024-09-12 14:58:12 +02:00
parent 9bfbba3224
commit e66aaee1a4
2 changed files with 10 additions and 8 deletions


@ -4,6 +4,7 @@ class ActivityPub::LinkedDataSignature
include JsonLdHelper include JsonLdHelper
CONTEXT = 'https://w3id.org/identity/v1' CONTEXT = 'https://w3id.org/identity/v1'
SIGNATURE_CONTEXT = 'https://w3id.org/security/v1'
def initialize(json) def initialize(json)
@json = json.with_indifferent_access @json = json.with_indifferent_access
@ -46,7 +47,13 @@ class ActivityPub::LinkedDataSignature
signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed)) signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed))
@json.merge('signature' => options.merge('signatureValue' => signature)) # Mastodon's context is either an array or a single URL
context_with_security = Array(@json['@context'])
context_with_security << 'https://w3id.org/security/v1'
context_with_security.uniq!
context_with_security = context_with_security.first if context_with_security.size == 1
@json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security)
end end
private private
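Review bot: The security context is appended to `@context` only after `signatureValue` has been computed from `to_be_signed`, so the digest may cover the document as interpreted under its original context while the returned document declares an extended one. `to_be_signed` is built above this hunk, so this is inferred; if it is derived from `@json` as received, a verifier that canonicalizes under the extended context reproduces the hash only when the security context defines no term the payload already uses. Building `context_with_security` before the digest is computed, and hashing the document with that context, would make the signed and emitted forms identical. Separately, the new `SIGNATURE_CONTEXT` constant is not used in the lines shown; `context_with_security << SIGNATURE_CONTEXT` would avoid repeating the URL literal. `sign!` starts outside the hunk.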


@ -99,16 +99,11 @@ RSpec.describe ActivityPub::LinkedDataSignature do
describe '#sign!' do describe '#sign!' do
subject { described_class.new(raw_json).sign!(sender) } subject { described_class.new(raw_json).sign!(sender) }
it 'returns a hash' do it 'returns a hash with a signature, the expected context, and the signature can be verified', :aggregate_failures do
expect(subject).to be_a Hash expect(subject).to be_a Hash
end
it 'contains signature' do
expect(subject['signature']).to be_a Hash expect(subject['signature']).to be_a Hash
expect(subject['signature']['signatureValue']).to be_present expect(subject['signature']['signatureValue']).to be_present
end expect(Array(subject['@context'])).to include('https://w3id.org/security/v1')
it 'can be verified again' do
expect(described_class.new(subject).verify_actor!).to eq sender expect(described_class.new(subject).verify_actor!).to eq sender
end end
end end
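Review bot: The added `@context` expectation only checks that the security URL is present, so the two new branches in `sign!` are not pinned by the assertions shown: `uniq!` when the input already lists the security context, and the collapse to a single string when only one entry remains. `raw_json` is defined outside this section, so which input shape it exercises cannot be told from here. An example whose input `@context` already contains the URL could assert `expect(Array(subject['@context']).count('https://w3id.org/security/v1')).to eq 1`, and one with no `@context` at all could assert `expect(subject['@context']).to eq 'https://w3id.org/security/v1'`. The `RSpec.describe` block starts outside the hunk.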