server/tests/api/object-storage/video-static-file-privacy.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { basename } from 'path'
   5 import { checkVideoFileTokenReinjection, expectStartWith } from '@server/tests/shared'
   6 import { areScalewayObjectStorageTestsDisabled, getAllFiles, getHLS } from '@shared/core-utils'
   7 import { HttpStatusCode, LiveVideo, VideoDetails, VideoPrivacy } from '@shared/models'
   8 import {
   9   cleanupTests,
  10   createSingleServer,
  11   findExternalSavedVideo,
  12   makeRawRequest,
  13   ObjectStorageCommand,
  14   PeerTubeServer,
  15   sendRTMPStream,
  16   setAccessTokensToServers,
  17   setDefaultVideoChannel,
  18   stopFfmpeg,
  19   waitJobs
  20 } from '@shared/server-commands'
  21
  22 function extractFilenameFromUrl (url: string) {
  23   const parts = basename(url).split(':')
  24
  25   return parts[parts.length - 1]
  26 }
  27
  28 describe('Object storage for video static file privacy', function () {
  29   // We need real world object storage to check ACL
  30   if (areScalewayObjectStorageTestsDisabled()) return
  31
  32   let server: PeerTubeServer
  33   let userToken: string
  34
  35   // ---------------------------------------------------------------------------
  36
  37   async function checkPrivateVODFiles (uuid: string) {
  38     const video = await server.videos.getWithToken({ id: uuid })
  39
  40     for (const file of video.files) {
  41       expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/webseed/private/')
  42
  43       await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  44     }
  45
  46     for (const file of getAllFiles(video)) {
  47       const internalFileUrl = await server.sql.getInternalFileUrl(file.id)
  48       expectStartWith(internalFileUrl, ObjectStorageCommand.getScalewayBaseUrl())
  49       await makeRawRequest({ url: internalFileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
  50     }
  51
  52     const hls = getHLS(video)
  53
  54     if (hls) {
  55       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
  56         expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
  57       }
  58
  59       await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  60       await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  61
  62       for (const file of hls.files) {
  63         expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
  64
  65         await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  66       }
  67     }
  68   }
  69
  70   async function checkPublicVODFiles (uuid: string) {
  71     const video = await server.videos.getWithToken({ id: uuid })
  72
  73     for (const file of getAllFiles(video)) {
  74       expectStartWith(file.fileUrl, ObjectStorageCommand.getScalewayBaseUrl())
  75
  76       await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
  77     }
  78
  79     const hls = getHLS(video)
  80
  81     if (hls) {
  82       expectStartWith(hls.playlistUrl, ObjectStorageCommand.getScalewayBaseUrl())
  83       expectStartWith(hls.segmentsSha256Url, ObjectStorageCommand.getScalewayBaseUrl())
  84
  85       await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
  86       await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
  87     }
  88   }
  89
  90   // ---------------------------------------------------------------------------
  91
  92   before(async function () {
  93     this.timeout(120000)
  94
  95     server = await createSingleServer(1, ObjectStorageCommand.getDefaultScalewayConfig({ serverNumber: 1 }))
  96     await setAccessTokensToServers([ server ])
  97     await setDefaultVideoChannel([ server ])
  98
  99     await server.config.enableMinimumTranscoding()
 100
 101     userToken = await server.users.generateUserAndToken('user1')
 102   })
 103
 104   describe('VOD', function () {
 105     let privateVideoUUID: string
 106     let publicVideoUUID: string
 107     let userPrivateVideoUUID: string
 108
 109     // ---------------------------------------------------------------------------
 110
 111     async function getSampleFileUrls (videoId: string) {
 112       const video = await server.videos.getWithToken({ id: videoId })
 113
 114       return {
 115         webTorrentFile: video.files[0].fileUrl,
 116         hlsFile: getHLS(video).files[0].fileUrl
 117       }
 118     }
 119
 120     // ---------------------------------------------------------------------------
 121
 122     it('Should upload a private video and have appropriate object storage ACL', async function () {
 123       this.timeout(120000)
 124
 125       {
 126         const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 127         privateVideoUUID = uuid
 128       }
 129
 130       {
 131         const { uuid } = await server.videos.quickUpload({ name: 'user video', token: userToken, privacy: VideoPrivacy.PRIVATE })
 132         userPrivateVideoUUID = uuid
 133       }
 134
 135       await waitJobs([ server ])
 136
 137       await checkPrivateVODFiles(privateVideoUUID)
 138     })
 139
 140     it('Should upload a public video and have appropriate object storage ACL', async function () {
 141       this.timeout(120000)
 142
 143       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.UNLISTED })
 144       await waitJobs([ server ])
 145
 146       publicVideoUUID = uuid
 147
 148       await checkPublicVODFiles(publicVideoUUID)
 149     })
 150
 151     it('Should not get files without appropriate OAuth token', async function () {
 152       this.timeout(60000)
 153
 154       const { webTorrentFile, hlsFile } = await getSampleFileUrls(privateVideoUUID)
 155
 156       await makeRawRequest({ url: webTorrentFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 157       await makeRawRequest({ url: webTorrentFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 158
 159       await makeRawRequest({ url: hlsFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 160       await makeRawRequest({ url: hlsFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 161     })
 162
 163     it('Should not get HLS file of another video', async function () {
 164       this.timeout(60000)
 165
 166       const privateVideo = await server.videos.getWithToken({ id: privateVideoUUID })
 167       const hlsFilename = basename(getHLS(privateVideo).files[0].fileUrl)
 168
 169       const badUrl = server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + userPrivateVideoUUID + '/' + hlsFilename
 170       const goodUrl = server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + privateVideoUUID + '/' + hlsFilename
 171
 172       await makeRawRequest({ url: badUrl, token: server.accessToken, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
 173       await makeRawRequest({ url: goodUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 174     })
 175
 176     it('Should correctly check OAuth or video file token', async function () {
 177       this.timeout(60000)
 178
 179       const badVideoFileToken = await server.videoToken.getVideoFileToken({ token: userToken, videoId: userPrivateVideoUUID })
 180       const goodVideoFileToken = await server.videoToken.getVideoFileToken({ videoId: privateVideoUUID })
 181
 182       const { webTorrentFile, hlsFile } = await getSampleFileUrls(privateVideoUUID)
 183
 184       for (const url of [ webTorrentFile, hlsFile ]) {
 185         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 186         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 187         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 188
 189         await makeRawRequest({ url, query: { videoFileToken: badVideoFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 190         await makeRawRequest({ url, query: { videoFileToken: goodVideoFileToken }, expectedStatus: HttpStatusCode.OK_200 })
 191       }
 192     })
 193
 194     it('Should reinject video file token', async function () {
 195       this.timeout(120000)
 196
 197       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: privateVideoUUID })
 198
 199       await checkVideoFileTokenReinjection({
 200         server,
 201         videoUUID: privateVideoUUID,
 202         videoFileToken,
 203         resolutions: [ 240, 720 ],
 204         isLive: false
 205       })
 206     })
 207
 208     it('Should update public video to private', async function () {
 209       this.timeout(60000)
 210
 211       await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.INTERNAL } })
 212
 213       await checkPrivateVODFiles(publicVideoUUID)
 214     })
 215
 216     it('Should update private video to public', async function () {
 217       this.timeout(60000)
 218
 219       await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.PUBLIC } })
 220
 221       await checkPublicVODFiles(publicVideoUUID)
 222     })
 223   })
 224
 225   describe('Live', function () {
 226     let normalLiveId: string
 227     let normalLive: LiveVideo
 228
 229     let permanentLiveId: string
 230     let permanentLive: LiveVideo
 231
 232     let unrelatedFileToken: string
 233
 234     // ---------------------------------------------------------------------------
 235
 236     async function checkLiveFiles (live: LiveVideo, liveId: string) {
 237       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
 238       await server.live.waitUntilPublished({ videoId: liveId })
 239
 240       const video = await server.videos.getWithToken({ id: liveId })
 241       const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 242
 243       const hls = video.streamingPlaylists[0]
 244
 245       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 246         expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
 247
 248         await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 249         await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 250
 251         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 252         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 253
 254         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 255         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 256         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 257       }
 258
 259       await stopFfmpeg(ffmpegCommand)
 260     }
 261
 262     async function checkReplay (replay: VideoDetails) {
 263       const fileToken = await server.videoToken.getVideoFileToken({ videoId: replay.uuid })
 264
 265       const hls = replay.streamingPlaylists[0]
 266       expect(hls.files).to.not.have.lengthOf(0)
 267
 268       for (const file of hls.files) {
 269         await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 270         await makeRawRequest({ url: file.fileUrl, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 271
 272         await makeRawRequest({ url: file.fileUrl, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 273         await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 274         await makeRawRequest({
 275           url: file.fileUrl,
 276           query: { videoFileToken: unrelatedFileToken },
 277           expectedStatus: HttpStatusCode.FORBIDDEN_403
 278         })
 279       }
 280
 281       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 282         expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
 283
 284         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 285         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 286
 287         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 288         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 289         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 290       }
 291     }
 292
 293     // ---------------------------------------------------------------------------
 294
 295     before(async function () {
 296       await server.config.enableMinimumTranscoding()
 297
 298       const { uuid } = await server.videos.quickUpload({ name: 'another video' })
 299       unrelatedFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 300
 301       await server.config.enableLive({
 302         allowReplay: true,
 303         transcoding: true,
 304         resolutions: 'min'
 305       })
 306
 307       {
 308         const { video, live } = await server.live.quickCreate({
 309           saveReplay: true,
 310           permanentLive: false,
 311           privacy: VideoPrivacy.PRIVATE
 312         })
 313         normalLiveId = video.uuid
 314         normalLive = live
 315       }
 316
 317       {
 318         const { video, live } = await server.live.quickCreate({
 319           saveReplay: true,
 320           permanentLive: true,
 321           privacy: VideoPrivacy.PRIVATE
 322         })
 323         permanentLiveId = video.uuid
 324         permanentLive = live
 325       }
 326     })
 327
 328     it('Should create a private normal live and have a private static path', async function () {
 329       this.timeout(240000)
 330
 331       await checkLiveFiles(normalLive, normalLiveId)
 332     })
 333
 334     it('Should create a private permanent live and have a private static path', async function () {
 335       this.timeout(240000)
 336
 337       await checkLiveFiles(permanentLive, permanentLiveId)
 338     })
 339
 340     it('Should reinject video file token in permanent live', async function () {
 341       this.timeout(240000)
 342
 343       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: permanentLive.rtmpUrl, streamKey: permanentLive.streamKey })
 344       await server.live.waitUntilPublished({ videoId: permanentLiveId })
 345
 346       const video = await server.videos.getWithToken({ id: permanentLiveId })
 347       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 348
 349       await checkVideoFileTokenReinjection({
 350         server,
 351         videoUUID: permanentLiveId,
 352         videoFileToken,
 353         resolutions: [ 720 ],
 354         isLive: true
 355       })
 356
 357       await stopFfmpeg(ffmpegCommand)
 358     })
 359
 360     it('Should have created a replay of the normal live with a private static path', async function () {
 361       this.timeout(240000)
 362
 363       await server.live.waitUntilReplacedByReplay({ videoId: normalLiveId })
 364
 365       const replay = await server.videos.getWithToken({ id: normalLiveId })
 366       await checkReplay(replay)
 367     })
 368
 369     it('Should have created a replay of the permanent live with a private static path', async function () {
 370       this.timeout(240000)
 371
 372       await server.live.waitUntilWaiting({ videoId: permanentLiveId })
 373       await waitJobs([ server ])
 374
 375       const live = await server.videos.getWithToken({ id: permanentLiveId })
 376       const replayFromList = await findExternalSavedVideo(server, live)
 377       const replay = await server.videos.getWithToken({ id: replayFromList.id })
 378
 379       await checkReplay(replay)
 380     })
 381   })
 382
 383   describe('With private files proxy disabled and public ACL for private files', function () {
 384     let videoUUID: string
 385
 386     before(async function () {
 387       this.timeout(240000)
 388
 389       await server.kill()
 390
 391       const config = ObjectStorageCommand.getDefaultScalewayConfig({
 392         serverNumber: 1,
 393         enablePrivateProxy: false,
 394         privateACL: 'public-read'
 395       })
 396       await server.run(config)
 397
 398       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 399       videoUUID = uuid
 400
 401       await waitJobs([ server ])
 402     })
 403
 404     it('Should display object storage path for a private video and be able to access them', async function () {
 405       this.timeout(60000)
 406
 407       await checkPublicVODFiles(videoUUID)
 408     })
 409
 410     it('Should not be able to access object storage proxy', async function () {
 411       const privateVideo = await server.videos.getWithToken({ id: videoUUID })
 412       const webtorrentFilename = extractFilenameFromUrl(privateVideo.files[0].fileUrl)
 413       const hlsFilename = extractFilenameFromUrl(getHLS(privateVideo).files[0].fileUrl)
 414
 415       await makeRawRequest({
 416         url: server.url + '/object-storage-proxy/webseed/private/' + webtorrentFilename,
 417         token: server.accessToken,
 418         expectedStatus: HttpStatusCode.BAD_REQUEST_400
 419       })
 420
 421       await makeRawRequest({
 422         url: server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + videoUUID + '/' + hlsFilename,
 423         token: server.accessToken,
 424         expectedStatus: HttpStatusCode.BAD_REQUEST_400
 425       })
 426     })
 427   })
 428
 429   after(async function () {
 430     this.timeout(240000)
 431
 432     const { data } = await server.videos.listAllForAdmin()
 433
 434     for (const v of data) {
 435       await server.videos.remove({ id: v.uuid })
 436     }
 437
 438     for (const v of data) {
 439       await server.servers.waitUntilLog('Removed files of video ' + v.url)
 440     }
 441
 442     await cleanupTests([ server ])
 443   })
 444 })