[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import 'mocha'

import { cleanupTests, closeAllSequelize, flushAndRunMultipleServers, ServerInfo, setActorField } from '../../../../shared/extra-utils'
import { HTTP_SIGNATURE } from '../../../initializers/constants'
import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
import * as chai from 'chai'
import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
import { buildDigest } from '@server/helpers/peertube-crypto'

const expect = chai.expect

function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
  return Promise.all([
    setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'publicKey', publicKey),
    setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'privateKey', privateKey)
  ])
}

function getAnnounceWithoutContext (server2: ServerInfo) {
  const json = require('./json/peertube/announce-without-context.json')
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server2.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server2.port}`)
    }
  }

  return result
}

describe('Test ActivityPub security', function () {
  let servers: ServerInfo[]
  let url: string

  const keys = require('./json/peertube/keys.json')
  const invalidKeys = require('./json/peertube/invalid-keys.json')
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@localhost:' + servers[1].port,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await flushAndRunMultipleServers(3)

    url = servers[0].url + '/inbox'

    await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)

    const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
    const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with an invalid date', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)

      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
        expect(response.statusCode).to.equal(403)
      }
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)

      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(204)
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async () => {
      await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)

      const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
      const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(403)
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
      const signedBody = await buildSignedActivity(signer, body)

      const headers = buildGlobalHeaders(signedBody)

      const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)

      expect(response.statusCode).to.equal(204)
    })
  })

  after(async function () {
    this.timeout(10000)

    await cleanupTests(servers)

    await closeAllSequelize(servers)
  })
})
Commit	Line	Data
a1587156	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
df66d815 C	2
	3	import 'mocha'
	4
a1587156	5	import { cleanupTests, closeAllSequelize, flushAndRunMultipleServers, ServerInfo, setActorField } from '../../../../shared/extra-utils'
74dc3bca	6	import { HTTP_SIGNATURE } from '../../../initializers/constants'
8dc8a34e	7	import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
df66d815	8	import * as chai from 'chai'
df66d815	9	import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
94565d52	10	import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
8dc8a34e	11	import { buildDigest } from '@server/helpers/peertube-crypto'
df66d815 C	12
	13	const expect = chai.expect
	14
48f07b4a	15	function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
df66d815	16	return Promise.all([
48f07b4a C	17	setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'publicKey', publicKey),
48f07b4a C	18	setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'privateKey', privateKey)
df66d815 C	19	])
	20	}
	21
48f07b4a C	22	function getAnnounceWithoutContext (server2: ServerInfo) {
	23	const json = require('./json/peertube/announce-without-context.json')
	24	const result: typeof json = {}
	25
	26	for (const key of Object.keys(json)) {
	27	if (Array.isArray(json[key])) {
	28	result[key] = json[key].map(v => v.replace(':9002', `:${server2.port}`))
	29	} else {
a1587156	30	result[key] = json[key].replace(':9002', `:${server2.port}`)
48f07b4a C	31	}
	32	}
	33
	34	return result
df66d815 C	35	}
	36
	37	describe('Test ActivityPub security', function () {
	38	let servers: ServerInfo[]
	39	let url: string
	40
	41	const keys = require('./json/peertube/keys.json')
	42	const invalidKeys = require('./json/peertube/invalid-keys.json')
48f07b4a	43	const baseHttpSignature = () => ({
df66d815 C	44	algorithm: HTTP_SIGNATURE.ALGORITHM,
df66d815 C	45	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
48f07b4a	46	keyId: 'acct:peertube@localhost:' + servers[1].port,
df66d815 C	47	key: keys.privateKey,
df66d815 C	48	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48f07b4a	49	})
df66d815 C	50
	51	// ---------------------------------------------------------------
	52
	53	before(async function () {
	54	this.timeout(60000)
	55
	56	servers = await flushAndRunMultipleServers(3)
	57
	58	url = servers[0].url + '/inbox'
	59
48f07b4a	60	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
df66d815	61
48f07b4a C	62	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	63	const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	64	await makeFollowRequest(to, by)
	65	})
	66
	67	describe('When checking HTTP signature', function () {
	68
	69	it('Should fail with an invalid digest', async function () {
48f07b4a	70	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	71	const headers = {
	72	Digest: buildDigest({ hello: 'coucou' })
	73	}
	74
48f07b4a	75	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
df66d815 C	76
	77	expect(response.statusCode).to.equal(403)
	78	})
	79
	80	it('Should fail with an invalid date', async function () {
48f07b4a	81	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	82	const headers = buildGlobalHeaders(body)
	83	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	84
48f07b4a	85	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
df66d815 C	86
	87	expect(response.statusCode).to.equal(403)
	88	})
	89
	90	it('Should fail with bad keys', async function () {
48f07b4a C	91	await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	92	await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	93
48f07b4a	94	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815 C	95	const headers = buildGlobalHeaders(body)
df66d815 C	96
48f07b4a	97	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
df66d815 C	98
	99	expect(response.statusCode).to.equal(403)
	100	})
	101
797d05bd	102	it('Should reject requests without appropriate signed headers', async function () {
48f07b4a C	103	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
48f07b4a C	104	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
df66d815	105
48f07b4a	106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
df66d815	107	const headers = buildGlobalHeaders(body)
797d05bd C	108
	109	const signatureOptions = baseHttpSignature()
	110	const badHeadersMatrix = [
	111	[ '(request-target)', 'date', 'digest' ],
	112	[ 'host', 'date', 'digest' ],
	113	[ '(request-target)', 'host', 'digest' ]
	114	]
	115
	116	for (const badHeaders of badHeadersMatrix) {
	117	signatureOptions.headers = badHeaders
	118
	119	const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
	120	expect(response.statusCode).to.equal(403)
	121	}
	122	})
	123
	124	it('Should succeed with a valid HTTP signature', async function () {
	125	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
	126	const headers = buildGlobalHeaders(body)
df66d815	127
48f07b4a	128	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
df66d815 C	129
	130	expect(response.statusCode).to.equal(204)
	131	})
	132	})
	133
	134	describe('When checking Linked Data Signature', function () {
	135	before(async () => {
48f07b4a	136	await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
df66d815	137
48f07b4a C	138	const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
48f07b4a C	139	const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
df66d815 C	140	await makeFollowRequest(to, by)
	141	})
	142
	143	it('Should fail with bad keys', async function () {
	144	this.timeout(10000)
	145
48f07b4a C	146	await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
48f07b4a C	147	await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
df66d815	148
48f07b4a C	149	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	150	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	151
48f07b4a	152	const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	153	const signedBody = await buildSignedActivity(signer, body)
	154
	155	const headers = buildGlobalHeaders(signedBody)
	156
48f07b4a	157	const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
df66d815 C	158
	159	expect(response.statusCode).to.equal(403)
	160	})
	161
	162	it('Should fail with an altered body', async function () {
	163	this.timeout(10000)
	164
48f07b4a C	165	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
48f07b4a C	166	await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
df66d815	167
48f07b4a C	168	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	169	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	170
48f07b4a	171	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	172	const signedBody = await buildSignedActivity(signer, body)
df66d815 C	173
48f07b4a	174	signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'
df66d815 C	175
	176	const headers = buildGlobalHeaders(signedBody)
	177
48f07b4a	178	const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
df66d815 C	179
	180	expect(response.statusCode).to.equal(403)
	181	})
	182
	183	it('Should succeed with a valid signature', async function () {
	184	this.timeout(10000)
	185
48f07b4a C	186	const body = getAnnounceWithoutContext(servers[1])
48f07b4a C	187	body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
df66d815	188
48f07b4a	189	const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
df66d815 C	190	const signedBody = await buildSignedActivity(signer, body)
	191
	192	const headers = buildGlobalHeaders(signedBody)
	193
48f07b4a	194	const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
df66d815 C	195
	196	expect(response.statusCode).to.equal(204)
	197	})
	198	})
	199
	200	after(async function () {
48f07b4a C	201	this.timeout(10000)
	202
	203	await cleanupTests(servers)
df66d815	204
c8000975	205	await closeAllSequelize(servers)
df66d815 C	206	})
df66d815 C	207	})