1/* tslint:disable:no-unused-expression */
2
3import 'mocha'
4
92e07c3b 5import {
48f07b4a 6 cleanupTests,
c8000975 7 closeAllSequelize,
92e07c3b 8 flushAndRunMultipleServers,
92e07c3b 9 killallServers,
10 ServerInfo,
11 setActorField
94565d52 12} from '../../../../shared/extra-utils'
74dc3bca 13import { HTTP_SIGNATURE } from '../../../initializers/constants'
14import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
15import * as chai from 'chai'
df66d815 16import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
94565d52 17import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
18
// Chai's expect-style assertions, used by every test in this file
const { expect } = chai
20
/**
 * Overwrite the key pair that `onServer` stores for the default "peertube"
 * actor of `ofServer` (identified by its port in the actor URL).
 *
 * Both fields are written through `setActorField` concurrently.
 *
 * @param onServer - server whose actor record is updated
 * @param ofServer - server whose actor URL selects the record
 * @param publicKey - value written to the actor's `publicKey` field
 * @param privateKey - value written to the actor's `privateKey` field
 * @returns promise that resolves once both fields have been set
 */
function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
  // Same actor URL for both writes: built once instead of twice
  const actorUrl = 'http://localhost:' + ofServer.port + '/accounts/peertube'
  const serverNumber = onServer.internalServerNumber

  const writePublic = setActorField(serverNumber, actorUrl, 'publicKey', publicKey)
  const writePrivate = setActorField(serverNumber, actorUrl, 'privateKey', privateKey)

  return Promise.all([ writePublic, writePrivate ])
}
27
/**
 * Load the "announce without @context" fixture and point every `:9002` port
 * reference at `server2`'s actual port.
 *
 * Only top-level values are rewritten: plain values get one `replace`,
 * arrays are rewritten element by element. Nested objects are not traversed
 * (the fixture is presumably flat strings / string arrays — TODO confirm).
 *
 * @param server2 - server whose port replaces the hard-coded 9002
 * @returns a fresh object with the rewritten fixture values
 */
function getAnnounceWithoutContext (server2: ServerInfo) {
  const fixture = require('./json/peertube/announce-without-context.json')
  const rewritePort = (value: string) => value.replace(':9002', `:${server2.port}`)
  const result: typeof fixture = {}

  Object.keys(fixture).forEach(key => {
    const value = fixture[key]

    result[key] = Array.isArray(value)
      ? value.map(rewritePort)
      : rewritePort(value)
  })

  return result
}
42
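describe('Test ActivityPub security', function () {
  let servers: ServerInfo[]
  let url: string

  const keys = require('./json/peertube/keys.json')
  const invalidKeys = require('./json/peertube/invalid-keys.json')
  // A factory rather than a constant: servers[] is only populated in before()
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@localhost:' + servers[1].port,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await flushAndRunMultipleServers(3)

    // Every request in this file is POSTed to server 0's inbox
    url = servers[0].url + '/inbox'

    // Server 0 must hold server 1's key pair to verify the HTTP signatures below
    await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
    const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      // Digest computed over a payload that differs from the one actually sent
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
      // Headers are otherwise well-formed; only the Date is years in the past
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with bad keys', async function () {
      // Invalid key pair on both the verifying side (server 0) and the signing side (server 1)
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should succeed with a valid HTTP signature', async function () {
      // Restore the valid key pair on both servers after the previous test
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(204)
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async () => {
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      // Server 2 follows server 0 so that its signed activities are accepted there
      const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
      const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      // Invalid key pair for server 2's actor, both as stored by server 0 and by server 2 itself
      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      // The activity is attributed to server 2, which signs it below
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      // NOTE(review): `any` because buildSignedActivity's signer type is not visible from here
      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      // The HTTP signature still uses server 1's (valid) key; only the LD signature is bad
      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      // Restore the valid key pair on both servers after the previous test
      // (mirrors the HTTP signature suite above: server 0's copy and server 2's own copy)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      // Tamper with a signed field after signing ('accounts' -> 'account'), so the LD signature no longer matches the body
      signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(204)
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)

    await closeAllSequelize(servers)
  })
})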