1 /* tslint:disable:no-unused-expression */
7 flushAndRunMultipleServers,
14 } from '../../../../shared/utils'
15 import { HTTP_SIGNATURE } from '../../../initializers'
16 import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
17 import * as chai from 'chai'
18 import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
20 const expect = chai.expect
22 function setKeysOfServer2 (serverNumber: number, publicKey: string, privateKey: string) {
24 setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'publicKey', publicKey),
25 setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'privateKey', privateKey)
29 function setKeysOfServer3 (serverNumber: number, publicKey: string, privateKey: string) {
31 setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'publicKey', publicKey),
32 setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'privateKey', privateKey)
36 describe('Test ActivityPub security', function () {
37 let servers: ServerInfo[]
40 const keys = require('./json/peertube/keys.json')
41 const invalidKeys = require('./json/peertube/invalid-keys.json')
42 const baseHttpSignature = {
43 algorithm: HTTP_SIGNATURE.ALGORITHM,
44 authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
45 keyId: 'acct:peertube@localhost:9002',
47 headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
50 // ---------------------------------------------------------------
52 before(async function () {
55 servers = await flushAndRunMultipleServers(3)
57 url = servers[0].url + '/inbox'
59 await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
61 const to = { url: 'http://localhost:9001/accounts/peertube' }
62 const by = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
63 await makeFollowRequest(to, by)
66 describe('When checking HTTP signature', function () {
68 it('Should fail with an invalid digest', async function () {
69 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
71 Digest: buildDigest({ hello: 'coucou' })
74 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
76 expect(response.statusCode).to.equal(403)
79 it('Should fail with an invalid date', async function () {
80 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
81 const headers = buildGlobalHeaders(body)
82 headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
84 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
86 expect(response.statusCode).to.equal(403)
89 it('Should fail with bad keys', async function () {
90 await setKeysOfServer2(1, invalidKeys.publicKey, invalidKeys.privateKey)
91 await setKeysOfServer2(2, invalidKeys.publicKey, invalidKeys.privateKey)
93 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
94 const headers = buildGlobalHeaders(body)
96 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
98 expect(response.statusCode).to.equal(403)
101 it('Should succeed with a valid HTTP signature', async function () {
102 await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
103 await setKeysOfServer2(2, keys.publicKey, keys.privateKey)
105 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
106 const headers = buildGlobalHeaders(body)
108 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
110 expect(response.statusCode).to.equal(204)
114 describe('When checking Linked Data Signature', function () {
116 await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
118 const to = { url: 'http://localhost:9001/accounts/peertube' }
119 const by = { url: 'http://localhost:9003/accounts/peertube', privateKey: keys.privateKey }
120 await makeFollowRequest(to, by)
123 it('Should fail with bad keys', async function () {
126 await setKeysOfServer3(1, invalidKeys.publicKey, invalidKeys.privateKey)
127 await setKeysOfServer3(3, invalidKeys.publicKey, invalidKeys.privateKey)
129 const body = require('./json/peertube/announce-without-context.json')
130 body.actor = 'http://localhost:9003/accounts/peertube'
132 const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
133 const signedBody = await buildSignedActivity(signer, body)
135 const headers = buildGlobalHeaders(signedBody)
137 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
139 expect(response.statusCode).to.equal(403)
142 it('Should fail with an altered body', async function () {
145 await setKeysOfServer3(1, keys.publicKey, keys.privateKey)
146 await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
148 const body = require('./json/peertube/announce-without-context.json')
149 body.actor = 'http://localhost:9003/accounts/peertube'
151 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
152 const signedBody = await buildSignedActivity(signer, body)
154 signedBody.actor = 'http://localhost:9003/account/peertube'
156 const headers = buildGlobalHeaders(signedBody)
158 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
160 expect(response.statusCode).to.equal(403)
163 it('Should succeed with a valid signature', async function () {
166 const body = require('./json/peertube/announce-without-context.json')
167 body.actor = 'http://localhost:9003/accounts/peertube'
169 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
170 const signedBody = await buildSignedActivity(signer, body)
172 const headers = buildGlobalHeaders(signedBody)
174 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
176 expect(response.statusCode).to.equal(204)
180 after(async function () {
181 killallServers(servers)
183 await closeAllSequelize(servers)
185 // Keep the logs if the test failed