Merge remote-tracking branch 'parent/main' into upstream-20240524

spec/controllers/admin/accounts_controller_spec.rb

@@ -53,11 +53,32 @@ RSpec.describe Admin::AccountsController do
 
   describe 'GET #show' do
     let(:current_user) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')) }
-    let(:account) { Fabricate(:account) }
 
-    it 'returns http success' do
-      get :show, params: { id: account.id }
-      expect(response).to have_http_status(200)
+    context 'with a remote account' do
+      let(:account) { Fabricate(:account, domain: 'example.com') }
+
+      it 'returns http success' do
+        get :show, params: { id: account.id }
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'with a local account' do
+      let(:account) { Fabricate(:account, domain: nil) }
+
+      it 'returns http success' do
+        get :show, params: { id: account.id }
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'with a local deleted account' do
+      let(:account) { Fabricate(:account, domain: nil, user: nil) }
+
+      it 'returns http success' do
+        get :show, params: { id: account.id }
+        expect(response).to have_http_status(200)
+      end
     end
   end
 

spec/fabricators/canonical_email_block_fabricator.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 Fabricator(:canonical_email_block) do
-  email { |attrs| attrs[:reference_account] ? attrs[:reference_account].user_email : sequence(:email) { |i| "#{i}#{Faker::Internet.email}" } }
+  email { sequence(:email) { |i| "#{i}#{Faker::Internet.email}" } }
   reference_account { Fabricate.build(:account) }
 end

spec/helpers/self_destruct_helper_spec.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe SelfDestructHelper do
+  describe 'self_destruct?' do
+    context 'when SELF_DESTRUCT is unset' do
+      it 'returns false' do
+        expect(helper.self_destruct?).to be false
+      end
+    end
+
+    context 'when SELF_DESTRUCT is set to an invalid value' do
+      around do |example|
+        ClimateControl.modify SELF_DESTRUCT: 'true' do
+          example.run
+        end
+      end
+
+      it 'returns false' do
+        expect(helper.self_destruct?).to be false
+      end
+    end
+
+    context 'when SELF_DESTRUCT is set to value signed for the wrong purpose' do
+      around do |example|
+        ClimateControl.modify(
+          SELF_DESTRUCT: Rails.application.message_verifier('foo').generate('example.com'),
+          LOCAL_DOMAIN: 'example.com'
+        ) do
+          example.run
+        end
+      end
+
+      it 'returns false' do
+        expect(helper.self_destruct?).to be false
+      end
+    end
+
+    context 'when SELF_DESTRUCT is set to value signed for the wrong domain' do
+      around do |example|
+        ClimateControl.modify(
+          SELF_DESTRUCT: Rails.application.message_verifier('self-destruct').generate('foo.com'),
+          LOCAL_DOMAIN: 'example.com'
+        ) do
+          example.run
+        end
+      end
+
+      it 'returns false' do
+        expect(helper.self_destruct?).to be false
+      end
+    end
+
+    context 'when SELF_DESTRUCT is set to a correctly-signed value' do
+      around do |example|
+        ClimateControl.modify(
+          SELF_DESTRUCT: Rails.application.message_verifier('self-destruct').generate('example.com'),
+          LOCAL_DOMAIN: 'example.com'
+        ) do
+          example.run
+        end
+      end
+
+      it 'returns true' do
+        expect(helper.self_destruct?).to be true
+      end
+    end
+  end
+end

spec/lib/activitypub/parser/status_parser_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ActivityPub::Parser::StatusParser do
+  subject { described_class.new(json) }
+
+  let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', domain: 'example.com', uri: 'https://example.com/actor') }
+  let(:follower) { Fabricate(:account, username: 'bob') }
+
+  let(:json) do
+    {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      id: [ActivityPub::TagManager.instance.uri_for(sender), '#foo'].join,
+      type: 'Create',
+      actor: ActivityPub::TagManager.instance.uri_for(sender),
+      object: object_json,
+    }.with_indifferent_access
+  end
+
+  let(:object_json) do
+    {
+      id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+      type: 'Note',
+      to: [
+        'https://www.w3.org/ns/activitystreams#Public',
+        ActivityPub::TagManager.instance.uri_for(follower),
+      ],
+      content: '@bob lorem ipsum',
+      contentMap: {
+        EN: '@bob lorem ipsum',
+      },
+      published: 1.hour.ago.utc.iso8601,
+      updated: 1.hour.ago.utc.iso8601,
+      tag: {
+        type: 'Mention',
+        href: ActivityPub::TagManager.instance.uri_for(follower),
+      },
+    }
+  end
+
+  it 'correctly parses status' do
+    expect(subject).to have_attributes(
+      text: '@bob lorem ipsum',
+      uri: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+      reply: false,
+      language: :en
+    )
+  end
+end

spec/mailers/admin_mailer_spec.rb

@@ -145,4 +145,22 @@ RSpec.describe AdminMailer do
         .and(have_header('X-Priority', '1'))
     end
   end
+
+  describe '.auto_close_registrations' do
+    let(:recipient) { Fabricate(:account, username: 'Bob') }
+    let(:mail) { described_class.with(recipient: recipient).auto_close_registrations }
+
+    before do
+      recipient.user.update(locale: :en)
+    end
+
+    it 'renders the email' do
+      expect(mail)
+        .to be_present
+        .and(deliver_to(recipient.user_email))
+        .and(deliver_from('notifications@localhost'))
+        .and(have_subject('Registrations for cb6e6126.ngrok.io have been automatically switched to requiring approval'))
+        .and(have_body_text('have been automatically switched'))
+    end
+  end
 end

spec/mailers/previews/admin_mailer_preview.rb

@@ -37,4 +37,9 @@ class AdminMailerPreview < ActionMailer::Preview
   def new_critical_software_updates
     AdminMailer.with(recipient: Account.first).new_critical_software_updates
   end
+
+  # Preview this email at http://localhost:3000/rails/mailers/admin_mailer/auto_close_registrations
+  def auto_close_registrations
+    AdminMailer.with(recipient: Account.first).auto_close_registrations
+  end
 end

spec/requests/api/v1/apps/credentials_spec.rb

@@ -20,14 +20,26 @@ describe 'Credentials' do
 
         expect(body_as_json).to match(
           a_hash_including(
+            id: token.application.id.to_s,
             name: token.application.name,
             website: token.application.website,
-            vapid_key: Rails.configuration.x.vapid_public_key,
             scopes: token.application.scopes.map(&:to_s),
-            client_id: token.application.uid
+            redirect_uris: token.application.redirect_uris,
+            # Deprecated properties as of 4.3:
+            redirect_uri: token.application.redirect_uri.split.first,
+            vapid_key: Rails.configuration.x.vapid_public_key
           )
         )
       end
+
+      it 'does not expose the client_id or client_secret' do
+        subject
+
+        expect(response).to have_http_status(200)
+
+        expect(body_as_json[:client_id]).to_not be_present
+        expect(body_as_json[:client_secret]).to_not be_present
+      end
     end
 
     context 'with a non-read scoped oauth token' do
@@ -46,11 +58,14 @@ describe 'Credentials' do
 
         expect(body_as_json).to match(
           a_hash_including(
+            id: token.application.id.to_s,
             name: token.application.name,
             website: token.application.website,
-            vapid_key: Rails.configuration.x.vapid_public_key,
             scopes: token.application.scopes.map(&:to_s),
-            client_id: token.application.uid
+            redirect_uris: token.application.redirect_uris,
+            # Deprecated properties as of 4.3:
+            redirect_uri: token.application.redirect_uri.split.first,
+            vapid_key: Rails.configuration.x.vapid_public_key
           )
         )
       end

spec/requests/api/v1/apps_spec.rb

@@ -9,8 +9,9 @@ RSpec.describe 'Apps' do
     end
 
     let(:client_name)   { 'Test app' }
-    let(:scopes)        { nil }
-    let(:redirect_uris) { 'urn:ietf:wg:oauth:2.0:oob' }
+    let(:scopes)        { 'read write' }
+    let(:redirect_uri)  { 'urn:ietf:wg:oauth:2.0:oob' }
+    let(:redirect_uris) { [redirect_uri] }
     let(:website)       { nil }
 
     let(:params) do
@@ -26,13 +27,63 @@ RSpec.describe 'Apps' do
       it 'creates an OAuth app', :aggregate_failures do
         subject
 
+        expect(response).to have_http_status(200)
+
+        app = Doorkeeper::Application.find_by(name: client_name)
+
+        expect(app).to be_present
+        expect(app.scopes.to_s).to eq scopes
+        expect(app.redirect_uris).to eq redirect_uris
+
+        expect(body_as_json).to match(
+          a_hash_including(
+            id: app.id.to_s,
+            client_id: app.uid,
+            client_secret: app.secret,
+            name: client_name,
+            website: website,
+            scopes: ['read', 'write'],
+            redirect_uris: redirect_uris,
+            # Deprecated properties as of 4.3:
+            redirect_uri: redirect_uri,
+            vapid_key: Rails.configuration.x.vapid_public_key
+          )
+        )
+      end
+    end
+
+    context 'without scopes being supplied' do
+      let(:scopes) { nil }
+
+      it 'creates an OAuth App with the default scope' do
+        subject
+
         expect(response).to have_http_status(200)
         expect(Doorkeeper::Application.find_by(name: client_name)).to be_present
 
         body = body_as_json
 
-        expect(body[:client_id]).to be_present
-        expect(body[:client_secret]).to be_present
+        expect(body[:scopes]).to eq Doorkeeper.config.default_scopes.to_a
+      end
+    end
+
+    # FIXME: This is a bug: https://github.com/mastodon/mastodon/issues/30152
+    context 'with scopes as an array' do
+      let(:scopes) { %w(read write follow) }
+
+      it 'creates an OAuth App with the default scope' do
+        subject
+
+        expect(response).to have_http_status(200)
+
+        app = Doorkeeper::Application.find_by(name: client_name)
+
+        expect(app).to be_present
+        expect(app.scopes.to_s).to eq 'read'
+
+        body = body_as_json
+
+        expect(body[:scopes]).to eq ['read']
       end
     end
 
@@ -77,8 +128,8 @@ RSpec.describe 'Apps' do
       end
     end
 
-    context 'with a too-long redirect_uris' do
-      let(:redirect_uris) { "https://foo.bar/#{'hoge' * 2_000}" }
+    context 'with a too-long redirect_uri' do
+      let(:redirect_uris) { "https://app.example/#{'hoge' * 2_000}" }
 
       it 'returns http unprocessable entity' do
         subject
@@ -87,8 +138,80 @@ RSpec.describe 'Apps' do
       end
     end
 
-    context 'without required params' do
-      let(:client_name)   { '' }
+    # NOTE: This spec currently tests the same as the "with a too-long redirect_uri test case"
+    context 'with too many redirect_uris' do
+      let(:redirect_uris) { (0...500).map { |i| "https://app.example/#{i}/callback" } }
+
+      it 'returns http unprocessable entity' do
+        subject
+
+        expect(response).to have_http_status(422)
+      end
+    end
+
+    context 'with multiple redirect_uris as a string' do
+      let(:redirect_uris) { "https://redirect1.example/\napp://redirect2.example/" }
+
+      it 'creates an OAuth application with multiple redirect URIs' do
+        subject
+
+        expect(response).to have_http_status(200)
+
+        app = Doorkeeper::Application.find_by(name: client_name)
+
+        expect(app).to be_present
+        expect(app.redirect_uri).to eq redirect_uris
+        expect(app.redirect_uris).to eq redirect_uris.split
+
+        body = body_as_json
+
+        expect(body[:redirect_uri]).to eq redirect_uris
+        expect(body[:redirect_uris]).to eq redirect_uris.split
+      end
+    end
+
+    context 'with multiple redirect_uris as an array' do
+      let(:redirect_uris) { ['https://redirect1.example/', 'app://redirect2.example/'] }
+
+      it 'creates an OAuth application with multiple redirect URIs' do
+        subject
+
+        expect(response).to have_http_status(200)
+
+        app = Doorkeeper::Application.find_by(name: client_name)
+
+        expect(app).to be_present
+        expect(app.redirect_uri).to eq redirect_uris.join "\n"
+        expect(app.redirect_uris).to eq redirect_uris
+
+        body = body_as_json
+
+        expect(body[:redirect_uri]).to eq redirect_uris.join "\n"
+        expect(body[:redirect_uris]).to eq redirect_uris
+      end
+    end
+
+    context 'with an empty redirect_uris array' do
+      let(:redirect_uris) { [] }
+
+      it 'returns http unprocessable entity' do
+        subject
+
+        expect(response).to have_http_status(422)
+      end
+    end
+
+    context 'with just a newline as the redirect_uris string' do
+      let(:redirect_uris) { "\n" }
+
+      it 'returns http unprocessable entity' do
+        subject
+
+        expect(response).to have_http_status(422)
+      end
+    end
+
+    context 'with an empty redirect_uris string' do
       let(:redirect_uris) { '' }
 
       it 'returns http unprocessable entity' do
@@ -97,5 +220,30 @@ RSpec.describe 'Apps' do
         expect(response).to have_http_status(422)
       end
     end
+
+    context 'without a required param' do
+      let(:client_name) { '' }
+
+      it 'returns http unprocessable entity' do
+        subject
+
+        expect(response).to have_http_status(422)
+      end
+    end
+
+    context 'with a website' do
+      let(:website) { 'https://app.example/' }
+
+      it 'creates an OAuth application with the website specified' do
+        subject
+
+        expect(response).to have_http_status(200)
+
+        app = Doorkeeper::Application.find_by(name: client_name)
+
+        expect(app).to be_present
+        expect(app.website).to eq website
+      end
+    end
   end
 end

spec/requests/api/v2/admin/accounts_spec.rb

@@ -8,7 +8,6 @@ RSpec.describe 'API V2 Admin Accounts' do
   let(:scopes) { 'admin:read admin:write' }
   let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
   let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
-  let(:account) { Fabricate(:account) }
 
   describe 'GET #index' do
     let!(:remote_account)       { Fabricate(:account, domain: 'example.org') }

spec/requests/self_destruct_spec.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'Self-destruct mode' do
+  before do
+    allow(SelfDestructHelper).to receive(:self_destruct?).and_return(true)
+  end
+
+  shared_examples 'generic logged out request' do |path|
+    it 'returns 410 gone and mentions self-destruct' do
+      get path, headers: { 'Accept' => 'text/html' }
+
+      expect(response).to have_http_status(410)
+      expect(response.body).to include(I18n.t('self_destruct.title'))
+    end
+  end
+
+  shared_examples 'accessible logged-in endpoint' do |path|
+    it 'returns 200 ok' do
+      get path
+
+      expect(response).to have_http_status(200)
+    end
+  end
+
+  shared_examples 'ActivityPub request' do |path|
+    context 'without signature' do
+      it 'returns 410 gone' do
+        get path, headers: {
+          'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
+        }
+
+        expect(response).to have_http_status(410)
+      end
+    end
+
+    context 'with invalid signature' do
+      it 'returns 410 gone' do
+        get path, headers: {
+          'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
+          'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="bar"',
+        }
+
+        expect(response).to have_http_status(410)
+      end
+    end
+  end
+
+  context 'when requesting various unavailable endpoints' do
+    it_behaves_like 'generic logged out request', '/'
+    it_behaves_like 'generic logged out request', '/about'
+    it_behaves_like 'generic logged out request', '/public'
+  end
+
+  context 'when requesting a suspended account' do
+    let(:suspended) { Fabricate(:account, username: 'suspended') }
+
+    before do
+      suspended.suspend!
+    end
+
+    it_behaves_like 'generic logged out request', '/@suspended'
+    it_behaves_like 'ActivityPub request', '/users/suspended'
+    it_behaves_like 'ActivityPub request', '/users/suspended/followers'
+    it_behaves_like 'ActivityPub request', '/users/suspended/outbox'
+  end
+
+  context 'when requesting a non-suspended account' do
+    before do
+      Fabricate(:account, username: 'bob')
+    end
+
+    it_behaves_like 'generic logged out request', '/@bob'
+    it_behaves_like 'ActivityPub request', '/users/bob'
+    it_behaves_like 'ActivityPub request', '/users/bob/followers'
+    it_behaves_like 'ActivityPub request', '/users/bob/outbox'
+  end
+
+  context 'when accessing still-enabled endpoints when logged in' do
+    let(:user) { Fabricate(:user) }
+
+    before do
+      sign_in(user)
+    end
+
+    it_behaves_like 'accessible logged-in endpoint', '/auth/edit'
+    it_behaves_like 'accessible logged-in endpoint', '/settings/export'
+    it_behaves_like 'accessible logged-in endpoint', '/settings/login_activities'
+    it_behaves_like 'accessible logged-in endpoint', '/settings/exports/follows.csv'
+  end
+end

spec/system/filters_spec.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'Filters' do
+  let(:user) { Fabricate(:user) }
+  let(:filter_title) { 'Filter of fun and games' }
+
+  before { sign_in(user) }
+
+  describe 'Creating a filter' do
+    it 'Populates a new filter from form' do
+      navigate_to_filters
+
+      click_on I18n.t('filters.new.title')
+      fill_in_filter_form
+      expect(page).to have_content(filter_title)
+    end
+  end
+
+  describe 'Editing an existing filter' do
+    let(:new_title) { 'Change title value' }
+
+    before { Fabricate :custom_filter, account: user.account, title: filter_title }
+
+    it 'Updates the saved filter' do
+      navigate_to_filters
+
+      click_on filter_title
+
+      fill_in filter_title_field, with: new_title
+      click_on I18n.t('generic.save_changes')
+
+      expect(page).to have_content(new_title)
+    end
+  end
+
+  describe 'Destroying an existing filter' do
+    before { Fabricate :custom_filter, account: user.account, title: filter_title }
+
+    it 'Deletes the filter' do
+      navigate_to_filters
+
+      expect(page).to have_content filter_title
+      expect do
+        click_on I18n.t('filters.index.delete')
+      end.to change(CustomFilter, :count).by(-1)
+
+      expect(page).to_not have_content(filter_title)
+    end
+  end
+
+  def navigate_to_filters
+    visit settings_path
+
+    click_on I18n.t('filters.index.title')
+    expect(page).to have_content I18n.t('filters.index.title')
+  end
+
+  def fill_in_filter_form
+    fill_in filter_title_field, with: filter_title
+    check I18n.t('filters.contexts.home')
+    within('.custom_filter_keywords_keyword') do
+      fill_in with: 'Keyword'
+    end
+    click_on I18n.t('filters.new.save')
+  end
+
+  def filter_title_field
+    I18n.t('simple_form.labels.defaults.title')
+  end
+end

spec/workers/scheduler/accounts_statuses_cleanup_scheduler_spec.rb

@@ -163,7 +163,7 @@ describe Scheduler::AccountsStatusesCleanupScheduler do
       def cleanable_statuses_count
         Status
           .where(account_id: [account_alice, account_chris, account_erin]) # Accounts with enabled policies
-          .where('created_at < ?', 2.weeks.ago) # Policy defaults is 2.weeks
+          .where(created_at: ...2.weeks.ago) # Policy defaults is 2.weeks
           .count
       end
     end