[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { expect } from 'chai'
import { buildDigest } from '@server/helpers/peertube-crypto'
import { ACTIVITY_PUB, HTTP_SIGNATURE } from '@server/initializers/constants'
import { activityPubContextify } from '@server/lib/activitypub/context'
import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send'
import { makePOSTAPRequest, SQLCommand } from '@server/tests/shared'
import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'

function setKeysOfServer (onServer: SQLCommand, ofServerUrl: string, publicKey: string, privateKey: string) {
  const url = ofServerUrl + '/accounts/peertube'

  return Promise.all([
    onServer.setActorField(url, 'publicKey', publicKey),
    onServer.setActorField(url, 'privateKey', privateKey)
  ])
}

function setUpdatedAtOfServer (onServer: SQLCommand, ofServerUrl: string, updatedAt: string) {
  const url = ofServerUrl + '/accounts/peertube'

  return Promise.all([
    onServer.setActorField(url, 'createdAt', updatedAt),
    onServer.setActorField(url, 'updatedAt', updatedAt)
  ])
}

function getAnnounceWithoutContext (server: PeerTubeServer) {
  const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
  const result: typeof json = {}

  for (const key of Object.keys(json)) {
    if (Array.isArray(json[key])) {
      result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
    } else {
      result[key] = json[key].replace(':9002', `:${server.port}`)
    }
  }

  return result
}

async function makeFollowRequest (to: { url: string }, by: { url: string, privateKey }) {
  const follow = {
    type: 'Follow',
    id: by.url + '/' + new Date().getTime(),
    actor: by.url,
    object: to.url
  }

  const body = await activityPubContextify(follow, 'Follow')

  const httpSignature = {
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: by.url,
    key: by.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  }
  const headers = {
    'digest': buildDigest(body),
    'content-type': 'application/activity+json',
    'accept': ACTIVITY_PUB.ACCEPT_HEADER
  }

  return makePOSTAPRequest(to.url + '/inbox', body, httpSignature, headers)
}

describe('Test ActivityPub security', function () {
  let servers: PeerTubeServer[]
  let sqlCommands: SQLCommand[] = []

  let url: string

  const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
  const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
  const baseHttpSignature = () => ({
    algorithm: HTTP_SIGNATURE.ALGORITHM,
    authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
    keyId: 'acct:peertube@' + servers[1].host,
    key: keys.privateKey,
    headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
  })

  // ---------------------------------------------------------------

  before(async function () {
    this.timeout(60000)

    servers = await createMultipleServers(3)

    sqlCommands = servers.map(s => new SQLCommand(s))

    url = servers[0].url + '/inbox'

    await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, null)
    await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)

    const to = { url: servers[0].url + '/accounts/peertube' }
    const by = { url: servers[1].url + '/accounts/peertube', privateKey: keys.privateKey }
    await makeFollowRequest(to, by)
  })

  describe('When checking HTTP signature', function () {

    it('Should fail with an invalid digest', async function () {
      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = {
        Digest: buildDigest({ hello: 'coucou' })
      }

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an invalid date', async function () {
      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)
      headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with bad keys', async function () {
      await setKeysOfServer(sqlCommands[0], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(sqlCommands[1], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)

      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, keys.privateKey)
      await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)

      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      const badHeadersMatrix = [
        [ '(request-target)', 'date', 'digest' ],
        [ 'host', 'date', 'digest' ],
        [ '(request-target)', 'host', 'digest' ]
      ]

      for (const badHeaders of badHeadersMatrix) {
        signatureOptions.headers = badHeaders

        try {
          await makePOSTAPRequest(url, body, signatureOptions, headers)
          expect(true, 'Did not throw').to.be.false
        } catch (err) {
          expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
        }
      }
    })

    it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const signatureOptions = baseHttpSignature()
      signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]

      const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should succeed with a valid HTTP signature', async function () {
      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Update keys of server 2 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(sqlCommands[1], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)
      await setUpdatedAtOfServer(sqlCommands[0], servers[1].url, '2015-07-17 22:00:00+00')

      // Invalid peertube actor cache
      await killallServers([ servers[1] ])
      await servers[1].run()

      const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
      const headers = buildGlobalHeaders(body)

      try {
        await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        console.error(err)
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  describe('When checking Linked Data Signature', function () {
    before(async function () {
      this.timeout(10000)

      await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, keys.privateKey)
      await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)
      await setKeysOfServer(sqlCommands[2], servers[2].url, keys.publicKey, keys.privateKey)

      const to = { url: servers[0].url + '/accounts/peertube' }
      const by = { url: servers[2].url + '/accounts/peertube', privateKey: keys.privateKey }
      await makeFollowRequest(to, by)
    })

    it('Should fail with bad keys', async function () {
      this.timeout(10000)

      await setKeysOfServer(sqlCommands[0], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)
      await setKeysOfServer(sqlCommands[2], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: invalidKeys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should fail with an altered body', async function () {
      this.timeout(10000)

      await setKeysOfServer(sqlCommands[0], servers[2].url, keys.publicKey, keys.privateKey)
      await setKeysOfServer(sqlCommands[0], servers[2].url, keys.publicKey, keys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      signedBody.actor = servers[2].url + '/account/peertube'

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })

    it('Should succeed with a valid signature', async function () {
      this.timeout(10000)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
      expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
    })

    it('Should refresh the actor keys', async function () {
      this.timeout(20000)

      // Wait refresh invalidation
      await wait(10000)

      // Update keys of server 3 to invalid keys
      // Server 1 should refresh the actor and fail
      await setKeysOfServer(sqlCommands[2], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)

      const body = getAnnounceWithoutContext(servers[1])
      body.actor = servers[2].url + '/accounts/peertube'

      const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
      const signedBody = await signAndContextify(signer, body, 'Announce')

      const headers = buildGlobalHeaders(signedBody)

      try {
        await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
        expect(true, 'Did not throw').to.be.false
      } catch (err) {
        expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
      }
    })
  })

  after(async function () {
    for (const sql of sqlCommands) {
      await sql.cleanup()
    }

    await cleanupTests(servers)
  })
})
Commit	Line	Data
	1	/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
	2
	3	import { expect } from 'chai'
	4	import { buildDigest } from '@server/helpers/peertube-crypto'
	5	import { ACTIVITY_PUB, HTTP_SIGNATURE } from '@server/initializers/constants'
	6	import { activityPubContextify } from '@server/lib/activitypub/context'
	7	import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send'
	8	import { makePOSTAPRequest, SQLCommand } from '@server/tests/shared'
	9	import { buildAbsoluteFixturePath, wait } from '@shared/core-utils'
	10	import { HttpStatusCode } from '@shared/models'
	11	import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands'
	12
	13	function setKeysOfServer (onServer: SQLCommand, ofServerUrl: string, publicKey: string, privateKey: string) {
	14	const url = ofServerUrl + '/accounts/peertube'
	15
	16	return Promise.all([
	17	onServer.setActorField(url, 'publicKey', publicKey),
	18	onServer.setActorField(url, 'privateKey', privateKey)
	19	])
	20	}
	21
	22	function setUpdatedAtOfServer (onServer: SQLCommand, ofServerUrl: string, updatedAt: string) {
	23	const url = ofServerUrl + '/accounts/peertube'
	24
	25	return Promise.all([
	26	onServer.setActorField(url, 'createdAt', updatedAt),
	27	onServer.setActorField(url, 'updatedAt', updatedAt)
	28	])
	29	}
	30
	31	function getAnnounceWithoutContext (server: PeerTubeServer) {
	32	const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json'))
	33	const result: typeof json = {}
	34
	35	for (const key of Object.keys(json)) {
	36	if (Array.isArray(json[key])) {
	37	result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`))
	38	} else {
	39	result[key] = json[key].replace(':9002', `:${server.port}`)
	40	}
	41	}
	42
	43	return result
	44	}
	45
	46	async function makeFollowRequest (to: { url: string }, by: { url: string, privateKey }) {
	47	const follow = {
	48	type: 'Follow',
	49	id: by.url + '/' + new Date().getTime(),
	50	actor: by.url,
	51	object: to.url
	52	}
	53
	54	const body = await activityPubContextify(follow, 'Follow')
	55
	56	const httpSignature = {
	57	algorithm: HTTP_SIGNATURE.ALGORITHM,
	58	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
	59	keyId: by.url,
	60	key: by.privateKey,
	61	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
	62	}
	63	const headers = {
	64	'digest': buildDigest(body),
	65	'content-type': 'application/activity+json',
	66	'accept': ACTIVITY_PUB.ACCEPT_HEADER
	67	}
	68
	69	return makePOSTAPRequest(to.url + '/inbox', body, httpSignature, headers)
	70	}
	71
	72	describe('Test ActivityPub security', function () {
	73	let servers: PeerTubeServer[]
	74	let sqlCommands: SQLCommand[] = []
	75
	76	let url: string
	77
	78	const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json'))
	79	const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json'))
	80	const baseHttpSignature = () => ({
	81	algorithm: HTTP_SIGNATURE.ALGORITHM,
	82	authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
	83	keyId: 'acct:peertube@' + servers[1].host,
	84	key: keys.privateKey,
	85	headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
	86	})
	87
	88	// ---------------------------------------------------------------
	89
	90	before(async function () {
	91	this.timeout(60000)
	92
	93	servers = await createMultipleServers(3)
	94
	95	sqlCommands = servers.map(s => new SQLCommand(s))
	96
	97	url = servers[0].url + '/inbox'
	98
	99	await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, null)
	100	await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)
	101
	102	const to = { url: servers[0].url + '/accounts/peertube' }
	103	const by = { url: servers[1].url + '/accounts/peertube', privateKey: keys.privateKey }
	104	await makeFollowRequest(to, by)
	105	})
	106
	107	describe('When checking HTTP signature', function () {
	108
	109	it('Should fail with an invalid digest', async function () {
	110	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	111	const headers = {
	112	Digest: buildDigest({ hello: 'coucou' })
	113	}
	114
	115	try {
	116	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	117	expect(true, 'Did not throw').to.be.false
	118	} catch (err) {
	119	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	120	}
	121	})
	122
	123	it('Should fail with an invalid date', async function () {
	124	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	125	const headers = buildGlobalHeaders(body)
	126	headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
	127
	128	try {
	129	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	130	expect(true, 'Did not throw').to.be.false
	131	} catch (err) {
	132	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	133	}
	134	})
	135
	136	it('Should fail with bad keys', async function () {
	137	await setKeysOfServer(sqlCommands[0], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)
	138	await setKeysOfServer(sqlCommands[1], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)
	139
	140	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	141	const headers = buildGlobalHeaders(body)
	142
	143	try {
	144	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	145	expect(true, 'Did not throw').to.be.false
	146	} catch (err) {
	147	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	148	}
	149	})
	150
	151	it('Should reject requests without appropriate signed headers', async function () {
	152	await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, keys.privateKey)
	153	await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)
	154
	155	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	156	const headers = buildGlobalHeaders(body)
	157
	158	const signatureOptions = baseHttpSignature()
	159	const badHeadersMatrix = [
	160	[ '(request-target)', 'date', 'digest' ],
	161	[ 'host', 'date', 'digest' ],
	162	[ '(request-target)', 'host', 'digest' ]
	163	]
	164
	165	for (const badHeaders of badHeadersMatrix) {
	166	signatureOptions.headers = badHeaders
	167
	168	try {
	169	await makePOSTAPRequest(url, body, signatureOptions, headers)
	170	expect(true, 'Did not throw').to.be.false
	171	} catch (err) {
	172	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	173	}
	174	}
	175	})
	176
	177	it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
	178	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	179	const headers = buildGlobalHeaders(body)
	180
	181	const signatureOptions = baseHttpSignature()
	182	signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
	183
	184	const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
	185	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
	186	})
	187
	188	it('Should succeed with a valid HTTP signature', async function () {
	189	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	190	const headers = buildGlobalHeaders(body)
	191
	192	const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	193	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
	194	})
	195
	196	it('Should refresh the actor keys', async function () {
	197	this.timeout(20000)
	198
	199	// Update keys of server 2 to invalid keys
	200	// Server 1 should refresh the actor and fail
	201	await setKeysOfServer(sqlCommands[1], servers[1].url, invalidKeys.publicKey, invalidKeys.privateKey)
	202	await setUpdatedAtOfServer(sqlCommands[0], servers[1].url, '2015-07-17 22:00:00+00')
	203
	204	// Invalid peertube actor cache
	205	await killallServers([ servers[1] ])
	206	await servers[1].run()
	207
	208	const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
	209	const headers = buildGlobalHeaders(body)
	210
	211	try {
	212	await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
	213	expect(true, 'Did not throw').to.be.false
	214	} catch (err) {
	215	console.error(err)
	216	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	217	}
	218	})
	219	})
	220
	221	describe('When checking Linked Data Signature', function () {
	222	before(async function () {
	223	this.timeout(10000)
	224
	225	await setKeysOfServer(sqlCommands[0], servers[1].url, keys.publicKey, keys.privateKey)
	226	await setKeysOfServer(sqlCommands[1], servers[1].url, keys.publicKey, keys.privateKey)
	227	await setKeysOfServer(sqlCommands[2], servers[2].url, keys.publicKey, keys.privateKey)
	228
	229	const to = { url: servers[0].url + '/accounts/peertube' }
	230	const by = { url: servers[2].url + '/accounts/peertube', privateKey: keys.privateKey }
	231	await makeFollowRequest(to, by)
	232	})
	233
	234	it('Should fail with bad keys', async function () {
	235	this.timeout(10000)
	236
	237	await setKeysOfServer(sqlCommands[0], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)
	238	await setKeysOfServer(sqlCommands[2], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)
	239
	240	const body = getAnnounceWithoutContext(servers[1])
	241	body.actor = servers[2].url + '/accounts/peertube'
	242
	243	const signer: any = { privateKey: invalidKeys.privateKey, url: servers[2].url + '/accounts/peertube' }
	244	const signedBody = await signAndContextify(signer, body, 'Announce')
	245
	246	const headers = buildGlobalHeaders(signedBody)
	247
	248	try {
	249	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	250	expect(true, 'Did not throw').to.be.false
	251	} catch (err) {
	252	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	253	}
	254	})
	255
	256	it('Should fail with an altered body', async function () {
	257	this.timeout(10000)
	258
	259	await setKeysOfServer(sqlCommands[0], servers[2].url, keys.publicKey, keys.privateKey)
	260	await setKeysOfServer(sqlCommands[0], servers[2].url, keys.publicKey, keys.privateKey)
	261
	262	const body = getAnnounceWithoutContext(servers[1])
	263	body.actor = servers[2].url + '/accounts/peertube'
	264
	265	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
	266	const signedBody = await signAndContextify(signer, body, 'Announce')
	267
	268	signedBody.actor = servers[2].url + '/account/peertube'
	269
	270	const headers = buildGlobalHeaders(signedBody)
	271
	272	try {
	273	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	274	expect(true, 'Did not throw').to.be.false
	275	} catch (err) {
	276	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	277	}
	278	})
	279
	280	it('Should succeed with a valid signature', async function () {
	281	this.timeout(10000)
	282
	283	const body = getAnnounceWithoutContext(servers[1])
	284	body.actor = servers[2].url + '/accounts/peertube'
	285
	286	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
	287	const signedBody = await signAndContextify(signer, body, 'Announce')
	288
	289	const headers = buildGlobalHeaders(signedBody)
	290
	291	const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	292	expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
	293	})
	294
	295	it('Should refresh the actor keys', async function () {
	296	this.timeout(20000)
	297
	298	// Wait refresh invalidation
	299	await wait(10000)
	300
	301	// Update keys of server 3 to invalid keys
	302	// Server 1 should refresh the actor and fail
	303	await setKeysOfServer(sqlCommands[2], servers[2].url, invalidKeys.publicKey, invalidKeys.privateKey)
	304
	305	const body = getAnnounceWithoutContext(servers[1])
	306	body.actor = servers[2].url + '/accounts/peertube'
	307
	308	const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' }
	309	const signedBody = await signAndContextify(signer, body, 'Announce')
	310
	311	const headers = buildGlobalHeaders(signedBody)
	312
	313	try {
	314	await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
	315	expect(true, 'Did not throw').to.be.false
	316	} catch (err) {
	317	expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403)
	318	}
	319	})
	320	})
	321
	322	after(async function () {
	323	for (const sql of sqlCommands) {
	324	await sql.cleanup()
	325	}
	326
	327	await cleanupTests(servers)
	328	})
	329	})