Fail closed on unresolved signed payloads

Reject unknown remote Update targets and invalidate signed payloads when their signer identity cannot be mapped, avoiding crashes and fail-open signature state.

test/pleroma/web/activity_pub/object_validators/update_handling_test.exs

@@ -90,6 +90,23 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
       refute cng.valid?
       assert Keyword.has_key?(cng.errors, :object)
     end
+
+    test "returns an error if the remote update target IRI is unknown" do
+      remote_user = insert(:user, local: false, ap_id: "https://example.com/users/alice")
+
+      update = %{
+        "type" => "Update",
+        "actor" => remote_user.ap_id,
+        "id" => "https://example.com/activities/update-unknown-object-iri",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => "https://example.com/objects/unknown-iri"
+      }
+
+      assert {:error, %Ecto.Changeset{} = cng} = ObjectValidator.validate(update, local: false)
+      refute cng.valid?
+      assert Keyword.has_key?(cng.errors, :object)
+    end
   end
 
   describe "update note" do

test/pleroma/web/plugs/mapped_signature_to_identity_plug_test.exs

@@ -58,4 +58,16 @@ defmodule Pleroma.Web.Plugs.MappedSignatureToIdentityPlugTest do
     assert conn.assigns.valid_signature == false
     refute Map.has_key?(conn.assigns, :user)
   end
+
+  test "it considers a mapped identity to be invalid when embedded actor identity cannot be found" do
+    actor = "http://niu.moe/users/rye"
+
+    conn =
+      build_conn(:post, "/doesntmattter", %{"actor" => %{"id" => actor}})
+      |> set_signature(actor)
+      |> MappedSignatureToIdentityPlug.call(%{})
+
+    assert conn.assigns.valid_signature == false
+    refute Map.has_key?(conn.assigns, :user)
+  end
 end