[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { expect } from 'chai'
import { buildDigest } from '@server/helpers/peertube-crypto'
import { HTTP_SIGNATURE } from '@server/initializers/constants'
import { activityPubContextify } from '@server/lib/activitypub/context'
import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send'
import { makeFollowRequest, makePOSTAPRequest } from '@server/tests/shared'
import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'

function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
  const url = ofServer.url + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'publicKey', publicKey),
    onServer.sql.setActorField(url, 'privateKey', privateKey)
  ])
}

function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
  const url = ofServer.url + '/accounts/peertube'

  return Promise.all([
    onServer.sql.setActorField(url, 'createdAt', updatedAt),
    onServer.sql.setActorField(url, 'updatedAt', updatedAt)
  ])
}

function getAnnounceWithoutContext (server: PeerTubeServer) {
  const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server.port}`)
    }
  }

  return result
}

describe('Test ActivityPub security', function () {
  let servers: PeerTubeServer[]
  let url: string

  const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
  const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@' + servers[1].host,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await createMultipleServers(3)

    url = servers[0].url + '/inbox'

    await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
    await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: servers[0].url + '/accounts/peertube' }
    const by = { url: servers[1].url + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        try {
          await makePOSTAPRequest(url, body, signatureOptions, headers)
          expect(true, 'Did not throw').to.be.false
        } catch (err) {
          expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
        }
      }
    })

    it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]

      const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Update keys of server 2 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')

      // Invalid peertube actor cache
      await killallServers([ servers[1] ])
      await servers[1].run()

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        console.error(err)
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const to = { url: servers[0].url + '/accounts/peertube' }
      const by = { url: servers[2].url + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      signedBody.actor = servers[2].url + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Wait refresh invalidation
      await wait(10000)

      // Update keys of server 3 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)
  })
})
Commit	Line	Data
a1587156	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
df66d815	2
86347717	3	import { expect } from 'chai'
8dc8a34e	4	import { buildDigest } from '@server/helpers/peertube-crypto'
c0e8b12e	5	import { HTTP_SIGNATURE } from '@server/initializers/constants'
7e98a7df	6	import { activityPubContextify } from '@server/lib/activitypub/context'
a219c910	7	import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send'
06aad801	8	import { makeFollowRequest, makePOSTAPRequest } from '@server/tests/shared'
c55e3d72	9	import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
c0e8b12e	10	import { HttpStatusCode } from '@shared/models'
c55e3d72	11	import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'
df66d815	12
254d3579	13	function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) {
2732eeff	14	const url = ofServer.url + '/accounts/peertube'
e7053b1d C	15
e7053b1d C	16	return Promise.all([
89d241a7 C	17	onServer.sql.setActorField(url, 'publicKey', publicKey),
89d241a7 C	18	onServer.sql.setActorField(url, 'privateKey', privateKey)
e7053b1d C	19	])
	20	}
	21
254d3579	22	function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) {
2732eeff	23	const url = ofServer.url + '/accounts/peertube'
e7053b1d	24
df66d815	25	return Promise.all([
89d241a7 C	26	onServer.sql.setActorField(url, 'createdAt', updatedAt),
89d241a7 C	27	onServer.sql.setActorField(url, 'updatedAt', updatedAt)
df66d815 C	28	])
	29	}
	30
254d3579	31	function getAnnounceWithoutContext (server: PeerTubeServer) {
3d470a53	32	const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
48f07b4a C	33	const result: typeof json = {}
	34
	35	for (const key of Object.keys(json)) {
	36	if (Array.isArray(json[key])) {
e7053b1d	37	result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
48f07b4a	38	} else {
e7053b1d	39	result[key] = json[key].replace(':9002', `:${server.port}`)
48f07b4a C	40	}
	41	}
	42
	43	return result
df66d815 C	44	}
	45
	46	describe('Test ActivityPub security', function () {
254d3579	47	let servers: PeerTubeServer[]
df66d815 C	48	let url: string
df66d815 C	49
3d470a53 C	50	const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
3d470a53 C	51	const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
48f07b4a	52	const baseHttpSignature = () => ({
df66d815 C	53	algorithm: HTTP_SIGNATURE.ALGORITHM,
df66d815 C	54	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
2732eeff	55	keyId: 'acct:peertube@' + servers[1].host,
df66d815 C	56	key: keys.privateKey,
df66d815 C	57	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48f07b4a	58	})
df66d815 C	59
	60	// ---------------------------------------------------------------
	61
	62	before(async function () {
	63	this.timeout(60000)
	64
254d3579	65	servers = await createMultipleServers(3)
df66d815 C	66
	67	url = servers[0].url + '/inbox'
	68
e7053b1d C	69	await setKeysOfServer(servers[0], servers[1], keys.publicKey, null)
e7053b1d C	70	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	71
2732eeff C	72	const to = { url: servers[0].url + '/accounts/peertube' }
2732eeff C	73	const by = { url: servers[1].url + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	74	await makeFollowRequest(to, by)
	75	})
	76
	77	describe('When checking HTTP signature', function () {
	78
	79	it('Should fail with an invalid digest', async function () {
a219c910	80	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
df66d815 C	81	const headers = {
	82	Digest: buildDigest({ hello: 'coucou' })
	83	}
	84
b5c36108 C	85	try {
	86	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	87	expect(true, 'Did not throw').to.be.false
	88	} catch (err) {
	89	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	90	}
df66d815 C	91	})
	92
	93	it('Should fail with an invalid date', async function () {
a219c910	94	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
df66d815 C	95	const headers = buildGlobalHeaders(body)
	96	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	97
b5c36108 C	98	try {
	99	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	100	expect(true, 'Did not throw').to.be.false
	101	} catch (err) {
	102	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	103	}
df66d815 C	104	})
	105
	106	it('Should fail with bad keys', async function () {
48f07b4a C	107	await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	108	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	109
a219c910	110	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
df66d815 C	111	const headers = buildGlobalHeaders(body)
df66d815 C	112
b5c36108 C	113	try {
	114	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	115	expect(true, 'Did not throw').to.be.false
	116	} catch (err) {
	117	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	118	}
df66d815 C	119	})
df66d815 C	120
797d05bd	121	it('Should reject requests without appropriate signed headers', async function () {
48f07b4a C	122	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
48f07b4a C	123	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	124
a219c910	125	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
df66d815	126	const headers = buildGlobalHeaders(body)
797d05bd C	127
	128	const signatureOptions = baseHttpSignature()
	129	const badHeadersMatrix = [
	130	[ '(request-target)', 'date', 'digest' ],
	131	[ 'host', 'date', 'digest' ],
	132	[ '(request-target)', 'host', 'digest' ]
	133	]
	134
	135	for (const badHeaders of badHeadersMatrix) {
	136	signatureOptions.headers = badHeaders
	137
b5c36108 C	138	try {
	139	await makePOSTAPRequest(url, body, signatureOptions, headers)
	140	expect(true, 'Did not throw').to.be.false
	141	} catch (err) {
	142	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	143	}
797d05bd C	144	}
	145	})
	146
e08ec7a7 C	147	it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
	148	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	149	const headers = buildGlobalHeaders(body)
	150
	151	const signatureOptions = baseHttpSignature()
	152	signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
	153
	154	const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
	155	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
	156	})
	157
797d05bd	158	it('Should succeed with a valid HTTP signature', async function () {
a219c910	159	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
797d05bd	160	const headers = buildGlobalHeaders(body)
df66d815	161
db4b15f2	162	const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
db4b15f2	163	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	164	})
095e2258 C	165
	166	it('Should refresh the actor keys', async function () {
	167	this.timeout(20000)
	168
095e2258 C	169	// Update keys of server 2 to invalid keys
	170	// Server 1 should refresh the actor and fail
	171	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
e7053b1d C	172	await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00')
	173
	174	// Invalid peertube actor cache
9293139f	175	await killallServers([ servers[1] ])
254d3579	176	await servers[1].run()
095e2258	177
a219c910	178	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
095e2258 C	179	const headers = buildGlobalHeaders(body)
095e2258 C	180
b5c36108 C	181	try {
	182	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	183	expect(true, 'Did not throw').to.be.false
	184	} catch (err) {
e7053b1d	185	console.error(err)
b5c36108 C	186	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
b5c36108 C	187	}
095e2258	188	})
df66d815 C	189	})
	190
	191	describe('When checking Linked Data Signature', function () {
095e2258 C	192	before(async function () {
	193	this.timeout(10000)
	194
	195	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
	196	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
48f07b4a	197	await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
df66d815	198
2732eeff C	199	const to = { url: servers[0].url + '/accounts/peertube' }
2732eeff C	200	const by = { url: servers[2].url + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	201	await makeFollowRequest(to, by)
	202	})
	203
	204	it('Should fail with bad keys', async function () {
	205	this.timeout(10000)
	206
48f07b4a C	207	await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	208	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	209
48f07b4a	210	const body = getAnnounceWithoutContext(servers[1])
2732eeff	211	body.actor = servers[2].url + '/accounts/peertube'
df66d815	212
2732eeff	213	const signer: any = { privateKey: invalidKeys.privateKey, url: servers[2].url + '/accounts/peertube' }
a219c910	214	const signedBody = await signAndContextify(signer, body, 'Announce')
df66d815 C	215
	216	const headers = buildGlobalHeaders(signedBody)
	217
b5c36108 C	218	try {
	219	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	220	expect(true, 'Did not throw').to.be.false
	221	} catch (err) {
	222	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	223	}
df66d815 C	224	})
	225
	226	it('Should fail with an altered body', async function () {
	227	this.timeout(10000)
	228
48f07b4a C	229	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
48f07b4a C	230	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
df66d815	231
48f07b4a	232	const body = getAnnounceWithoutContext(servers[1])
2732eeff	233	body.actor = servers[2].url + '/accounts/peertube'
df66d815	234
2732eeff	235	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
a219c910	236	const signedBody = await signAndContextify(signer, body, 'Announce')
df66d815	237
2732eeff	238	signedBody.actor = servers[2].url + '/account/peertube'
df66d815 C	239
	240	const headers = buildGlobalHeaders(signedBody)
	241
b5c36108 C	242	try {
	243	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	244	expect(true, 'Did not throw').to.be.false
	245	} catch (err) {
	246	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	247	}
df66d815 C	248	})
	249
	250	it('Should succeed with a valid signature', async function () {
	251	this.timeout(10000)
	252
48f07b4a	253	const body = getAnnounceWithoutContext(servers[1])
2732eeff	254	body.actor = servers[2].url + '/accounts/peertube'
df66d815	255
2732eeff	256	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
a219c910	257	const signedBody = await signAndContextify(signer, body, 'Announce')
df66d815 C	258
	259	const headers = buildGlobalHeaders(signedBody)
	260
db4b15f2	261	const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
db4b15f2	262	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
df66d815	263	})
095e2258 C	264
	265	it('Should refresh the actor keys', async function () {
	266	this.timeout(20000)
	267
	268	// Wait refresh invalidation
	269	await wait(10000)
	270
	271	// Update keys of server 3 to invalid keys
	272	// Server 1 should refresh the actor and fail
	273	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
	274
	275	const body = getAnnounceWithoutContext(servers[1])
2732eeff	276	body.actor = servers[2].url + '/accounts/peertube'
095e2258	277
2732eeff	278	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
a219c910	279	const signedBody = await signAndContextify(signer, body, 'Announce')
095e2258 C	280
	281	const headers = buildGlobalHeaders(signedBody)
	282
b5c36108 C	283	try {
	284	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	285	expect(true, 'Did not throw').to.be.false
	286	} catch (err) {
	287	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	288	}
095e2258	289	})
df66d815 C	290	})
	291
	292	after(async function () {
48f07b4a C	293	this.timeout(10000)
	294
	295	await cleanupTests(servers)
df66d815 C	296	})
df66d815 C	297	})