]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/blob - server/tests/api/activitypub/security.ts
projects / github / Chocobozzz / PeerTube.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'release/2.1.0' into develop
[github/Chocobozzz/PeerTube.git] / server / tests / api / activitypub / security.ts
1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
2
3 import 'mocha'
4
5 import { cleanupTests, closeAllSequelize, flushAndRunMultipleServers, ServerInfo, setActorField } from '../../../../shared/extra-utils'
6 import { HTTP_SIGNATURE } from '../../../initializers/constants'
7 import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
8 import * as chai from 'chai'
9 import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
10 import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub'
11
12 const expect = chai.expect
13
14 function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) {
15 return Promise.all([
16 setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'publicKey', publicKey),
17 setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'privateKey', privateKey)
18 ])
19 }
20
21 function getAnnounceWithoutContext (server2: ServerInfo) {
22 const json = require('./json/peertube/announce-without-context.json')
23 const result: typeof json = {}
24
25 for (const key of Object.keys(json)) {
26 if (Array.isArray(json[key])) {
27 result[key] = json[key].map(v => v.replace(':9002', `:${server2.port}`))
28 } else {
29 result[key] = json[key].replace(':9002', `:${server2.port}`)
30 }
31 }
32
33 return result
34 }
35
36 describe('Test ActivityPub security', function () {
37 let servers: ServerInfo[]
38 let url: string
39
40 const keys = require('./json/peertube/keys.json')
41 const invalidKeys = require('./json/peertube/invalid-keys.json')
42 const baseHttpSignature = () => ({
43 algorithm: HTTP_SIGNATURE.ALGORITHM,
44 authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
45 keyId: 'acct:peertube@localhost:' + servers[1].port,
46 key: keys.privateKey,
47 headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48 })
49
50 // ---------------------------------------------------------------
51
52 before(async function () {
53 this.timeout(60000)
54
55 servers = await flushAndRunMultipleServers(3)
56
57 url = servers[0].url + '/inbox'
58
59 await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
60
61 const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
62 const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey }
63 await makeFollowRequest(to, by)
64 })
65
66 describe('When checking HTTP signature', function () {
67
68 it('Should fail with an invalid digest', async function () {
69 const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
70 const headers = {
71 Digest: buildDigest({ hello: 'coucou' })
72 }
73
74 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
75
76 expect(response.statusCode).to.equal(403)
77 })
78
79 it('Should fail with an invalid date', async function () {
80 const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
81 const headers = buildGlobalHeaders(body)
82 headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
83
84 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
85
86 expect(response.statusCode).to.equal(403)
87 })
88
89 it('Should fail with bad keys', async function () {
90 await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
91 await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey)
92
93 const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
94 const headers = buildGlobalHeaders(body)
95
96 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
97
98 expect(response.statusCode).to.equal(403)
99 })
100
101 it('Should succeed with a valid HTTP signature', async function () {
102 await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
103 await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
104
105 const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
106 const headers = buildGlobalHeaders(body)
107
108 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
109
110 expect(response.statusCode).to.equal(204)
111 })
112 })
113
114 describe('When checking Linked Data Signature', function () {
115 before(async () => {
116 await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey)
117
118 const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' }
119 const by = { url: 'http://localhost:' + servers[2].port + '/accounts/peertube', privateKey: keys.privateKey }
120 await makeFollowRequest(to, by)
121 })
122
123 it('Should fail with bad keys', async function () {
124 this.timeout(10000)
125
126 await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
127 await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey)
128
129 const body = getAnnounceWithoutContext(servers[1])
130 body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
131
132 const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
133 const signedBody = await buildSignedActivity(signer, body)
134
135 const headers = buildGlobalHeaders(signedBody)
136
137 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
138
139 expect(response.statusCode).to.equal(403)
140 })
141
142 it('Should fail with an altered body', async function () {
143 this.timeout(10000)
144
145 await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
146 await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey)
147
148 const body = getAnnounceWithoutContext(servers[1])
149 body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
150
151 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
152 const signedBody = await buildSignedActivity(signer, body)
153
154 signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube'
155
156 const headers = buildGlobalHeaders(signedBody)
157
158 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
159
160 expect(response.statusCode).to.equal(403)
161 })
162
163 it('Should succeed with a valid signature', async function () {
164 this.timeout(10000)
165
166 const body = getAnnounceWithoutContext(servers[1])
167 body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube'
168
169 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' }
170 const signedBody = await buildSignedActivity(signer, body)
171
172 const headers = buildGlobalHeaders(signedBody)
173
174 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers)
175
176 expect(response.statusCode).to.equal(204)
177 })
178 })
179
180 after(async function () {
181 this.timeout(10000)
182
183 await cleanupTests(servers)
184
185 await closeAllSequelize(servers)
186 })
187 })
ActivityPub-federated video streaming platform using P2P directly in your web browser