See #853: force authenticated ActivityPub checks when allow-list is enabled

api/tests/federation/test_authentication.py

@@ -178,3 +178,28 @@ def test_autenthicate_supports_blind_key_rotation(factories, mocker, api_request
     assert user.is_anonymous is True
     assert actor.public_key == new_public.decode("utf-8")
     assert actor.fid == actor_url
+
+
+def test_authenticate_checks_signature_with_allow_list(
+    preferences, factories, api_request
+):
+    preferences["moderation__allow_list_enabled"] = True
+    domain = factories["federation.Domain"](allowed=False)
+    private, public = keys.get_key_pair()
+    actor_url = "https://{}/actor".format(domain.name)
+
+    signed_request = factories["federation.SignedRequest"](
+        auth__key=private, auth__key_id=actor_url + "#main-key", auth__headers=["date"]
+    )
+    prepared = signed_request.prepare()
+    django_request = api_request.get(
+        "/",
+        **{
+            "HTTP_DATE": prepared.headers["date"],
+            "HTTP_SIGNATURE": prepared.headers["signature"],
+        }
+    )
+    authenticator = authentication.SignatureAuthentication()
+
+    with pytest.raises(exceptions.BlockedActorOrDomain):
+        authenticator.authenticate(django_request)

api/tests/federation/test_views.py

@@ -5,6 +5,20 @@ from django.urls import reverse
 from funkwhale_api.federation import actors, serializers, webfinger
 
 
+def test_authenticate_skips_anonymous_fetch_when_allow_list_enabled(
+    preferences, api_client
+):
+    preferences["moderation__allow_list_enabled"] = True
+    actor = actors.get_service_actor()
+    url = reverse(
+        "federation:actors-detail",
+        kwargs={"preferred_username": actor.preferred_username},
+    )
+    response = api_client.get(url)
+
+    assert response.status_code == 403
+
+
 def test_wellknown_webfinger_validates_resource(db, api_client, settings, mocker):
     clean = mocker.spy(webfinger, "clean_resource")
     url = reverse("federation:well-known-webfinger")