From 10efe4d1b4893647677a3457aa6dfd833a2b0d63 Mon Sep 17 00:00:00 2001
From: Adam Kelly
Date: Wed, 13 May 2020 11:18:48 +0100
Subject: [PATCH] Add test for use of the wrong signature.
---
fedireads/tests/test_signing.py | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 fedireads/tests/test_signing.py
diff --git a/fedireads/tests/test_signing.py b/fedireads/tests/test_signing.py
new file mode 100644
index 00000000..9650f552
--- /dev/null
+++ b/fedireads/tests/test_signing.py
@@ -0,0 +1,43 @@
+from urllib.parse import urlsplit
+
+from django.test import TestCase, Client
+from django.utils.http import http_date
+
+from fedireads.models import User
+from fedireads.broadcast import make_signature
+from fedireads.activitypub import get_follow_request
+from fedireads.settings import DOMAIN
+
+class Signature(TestCase):
+ def setUp(self):
+ self.mouse = User.objects.create_user('mouse', 'mouse@example.com', '')
+ self.rat = User.objects.create_user('rat', 'rat@example.com', '')
+ self.cat = User.objects.create_user('cat', 'cat@example.com', '')
+
+ def test_wrong_signature(self):
+ ''' All messages must be signed by the right actor.
+
+ (cat cannot sign messages on behalf of mouse)
+ '''
+ activity = get_follow_request(
+ self.mouse,
+ self.rat,
+ )
+
+ now = http_date()
+ signature = make_signature(self.cat, self.rat.inbox, now)
+
+ c = Client()
+ response = c.post(
+ urlsplit(self.rat.inbox).path,
+ data=activity,
+ content_type='application/json',
+ **{
+ 'HTTP_DATE': now,
+ 'HTTP_SIGNATURE': signature,
+ 'HTTP_CONTENT_TYPE': 'application/activity+json; charset=utf-8',
+ 'HTTP_HOST': DOMAIN,
+ }
+ )
+
+ assert response.status_code == 401
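Review bot: The 401 assertion at the end of `test_wrong_signature` has no positive control, so it would also pass if the inbox rejected every signed request (for example over a Date or header-format mismatch) rather than because cat's key does not match mouse's actor. A sibling test that builds the same request with `make_signature(self.mouse, self.rat.inbox, now)` and asserts the success status the inbox view returns would tie the rejection to the wrong key. The `'HTTP_CONTENT_TYPE'` entry in the extra headers also looks redundant next to `content_type='application/json'` and names a different media type; I would confirm which one the view actually sees and drop the other. As a style point, `self.assertEqual(response.status_code, 401)` reports the actual status on failure where the bare `assert` may not.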