server/tests/api/object-storage/video-static-file-privacy.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { basename } from 'path'
   5 import { expectStartWith } from '@server/tests/shared'
   6 import { areScalewayObjectStorageTestsDisabled, getAllFiles, getHLS } from '@shared/core-utils'
   7 import { HttpStatusCode, LiveVideo, VideoDetails, VideoPrivacy } from '@shared/models'
   8 import {
   9   cleanupTests,
  10   createSingleServer,
  11   findExternalSavedVideo,
  12   makeRawRequest,
  13   ObjectStorageCommand,
  14   PeerTubeServer,
  15   sendRTMPStream,
  16   setAccessTokensToServers,
  17   setDefaultVideoChannel,
  18   stopFfmpeg,
  19   waitJobs
  20 } from '@shared/server-commands'
  21
  22 describe('Object storage for video static file privacy', function () {
  23   // We need real world object storage to check ACL
  24   if (areScalewayObjectStorageTestsDisabled()) return
  25
  26   let server: PeerTubeServer
  27   let userToken: string
  28
  29   before(async function () {
  30     this.timeout(120000)
  31
  32     server = await createSingleServer(1, ObjectStorageCommand.getDefaultScalewayConfig(1))
  33     await setAccessTokensToServers([ server ])
  34     await setDefaultVideoChannel([ server ])
  35
  36     await server.config.enableMinimumTranscoding()
  37
  38     userToken = await server.users.generateUserAndToken('user1')
  39   })
  40
  41   describe('VOD', function () {
  42     let privateVideoUUID: string
  43     let publicVideoUUID: string
  44     let userPrivateVideoUUID: string
  45
  46     async function checkPrivateFiles (uuid: string) {
  47       const video = await server.videos.getWithToken({ id: uuid })
  48
  49       for (const file of video.files) {
  50         expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/webseed/private/')
  51
  52         await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  53       }
  54
  55       for (const file of getAllFiles(video)) {
  56         const internalFileUrl = await server.sql.getInternalFileUrl(file.id)
  57         expectStartWith(internalFileUrl, ObjectStorageCommand.getScalewayBaseUrl())
  58         await makeRawRequest({ url: internalFileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
  59       }
  60
  61       const hls = getHLS(video)
  62
  63       if (hls) {
  64         for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
  65           expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
  66         }
  67
  68         await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  69         await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  70
  71         for (const file of hls.files) {
  72           expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
  73
  74           await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  75         }
  76       }
  77     }
  78
  79     async function checkPublicFiles (uuid: string) {
  80       const video = await server.videos.getWithToken({ id: uuid })
  81
  82       for (const file of getAllFiles(video)) {
  83         expectStartWith(file.fileUrl, ObjectStorageCommand.getScalewayBaseUrl())
  84
  85         await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
  86       }
  87
  88       const hls = getHLS(video)
  89
  90       if (hls) {
  91         expectStartWith(hls.playlistUrl, ObjectStorageCommand.getScalewayBaseUrl())
  92         expectStartWith(hls.segmentsSha256Url, ObjectStorageCommand.getScalewayBaseUrl())
  93
  94         await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
  95         await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
  96       }
  97     }
  98
  99     async function getSampleFileUrls (videoId: string) {
 100       const video = await server.videos.getWithToken({ id: videoId })
 101
 102       return {
 103         webTorrentFile: video.files[0].fileUrl,
 104         hlsFile: getHLS(video).files[0].fileUrl
 105       }
 106     }
 107
 108     it('Should upload a private video and have appropriate object storage ACL', async function () {
 109       this.timeout(60000)
 110
 111       {
 112         const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 113         privateVideoUUID = uuid
 114       }
 115
 116       {
 117         const { uuid } = await server.videos.quickUpload({ name: 'user video', token: userToken, privacy: VideoPrivacy.PRIVATE })
 118         userPrivateVideoUUID = uuid
 119       }
 120
 121       await waitJobs([ server ])
 122
 123       await checkPrivateFiles(privateVideoUUID)
 124     })
 125
 126     it('Should upload a public video and have appropriate object storage ACL', async function () {
 127       this.timeout(60000)
 128
 129       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.UNLISTED })
 130       await waitJobs([ server ])
 131
 132       publicVideoUUID = uuid
 133
 134       await checkPublicFiles(publicVideoUUID)
 135     })
 136
 137     it('Should not get files without appropriate OAuth token', async function () {
 138       this.timeout(60000)
 139
 140       const { webTorrentFile, hlsFile } = await getSampleFileUrls(privateVideoUUID)
 141
 142       await makeRawRequest({ url: webTorrentFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 143       await makeRawRequest({ url: webTorrentFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 144
 145       await makeRawRequest({ url: hlsFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 146       await makeRawRequest({ url: hlsFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 147     })
 148
 149     it('Should not get HLS file of another video', async function () {
 150       this.timeout(60000)
 151
 152       const privateVideo = await server.videos.getWithToken({ id: privateVideoUUID })
 153       const hlsFilename = basename(getHLS(privateVideo).files[0].fileUrl)
 154
 155       const badUrl = server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + userPrivateVideoUUID + '/' + hlsFilename
 156       const goodUrl = server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + privateVideoUUID + '/' + hlsFilename
 157
 158       await makeRawRequest({ url: badUrl, token: server.accessToken, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
 159       await makeRawRequest({ url: goodUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 160     })
 161
 162     it('Should correctly check OAuth or video file token', async function () {
 163       this.timeout(60000)
 164
 165       const badVideoFileToken = await server.videoToken.getVideoFileToken({ token: userToken, videoId: userPrivateVideoUUID })
 166       const goodVideoFileToken = await server.videoToken.getVideoFileToken({ videoId: privateVideoUUID })
 167
 168       const { webTorrentFile, hlsFile } = await getSampleFileUrls(privateVideoUUID)
 169
 170       for (const url of [ webTorrentFile, hlsFile ]) {
 171         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 172         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 173         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 174
 175         await makeRawRequest({ url, query: { videoFileToken: badVideoFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 176         await makeRawRequest({ url, query: { videoFileToken: goodVideoFileToken }, expectedStatus: HttpStatusCode.OK_200 })
 177       }
 178     })
 179
 180     it('Should update public video to private', async function () {
 181       this.timeout(60000)
 182
 183       await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.INTERNAL } })
 184
 185       await checkPrivateFiles(publicVideoUUID)
 186     })
 187
 188     it('Should update private video to public', async function () {
 189       this.timeout(60000)
 190
 191       await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.PUBLIC } })
 192
 193       await checkPublicFiles(publicVideoUUID)
 194     })
 195   })
 196
 197   describe('Live', function () {
 198     let normalLiveId: string
 199     let normalLive: LiveVideo
 200
 201     let permanentLiveId: string
 202     let permanentLive: LiveVideo
 203
 204     let unrelatedFileToken: string
 205
 206     async function checkLiveFiles (live: LiveVideo, liveId: string) {
 207       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
 208       await server.live.waitUntilPublished({ videoId: liveId })
 209
 210       const video = await server.videos.getWithToken({ id: liveId })
 211       const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 212
 213       const hls = video.streamingPlaylists[0]
 214
 215       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 216         expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
 217
 218         await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 219         await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 220
 221         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 222         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 223
 224         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 225         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 226         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 227       }
 228
 229       await stopFfmpeg(ffmpegCommand)
 230     }
 231
 232     async function checkReplay (replay: VideoDetails) {
 233       const fileToken = await server.videoToken.getVideoFileToken({ videoId: replay.uuid })
 234
 235       const hls = replay.streamingPlaylists[0]
 236       expect(hls.files).to.not.have.lengthOf(0)
 237
 238       for (const file of hls.files) {
 239         await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 240         await makeRawRequest({ url: file.fileUrl, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 241
 242         await makeRawRequest({ url: file.fileUrl, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 243         await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 244         await makeRawRequest({
 245           url: file.fileUrl,
 246           query: { videoFileToken: unrelatedFileToken },
 247           expectedStatus: HttpStatusCode.FORBIDDEN_403
 248         })
 249       }
 250
 251       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 252         expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
 253
 254         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 255         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 256
 257         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 258         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 259         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 260       }
 261     }
 262
 263     before(async function () {
 264       await server.config.enableMinimumTranscoding()
 265
 266       const { uuid } = await server.videos.quickUpload({ name: 'another video' })
 267       unrelatedFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 268
 269       await server.config.enableLive({
 270         allowReplay: true,
 271         transcoding: true,
 272         resolutions: 'min'
 273       })
 274
 275       {
 276         const { video, live } = await server.live.quickCreate({ saveReplay: true, permanentLive: false, privacy: VideoPrivacy.PRIVATE })
 277         normalLiveId = video.uuid
 278         normalLive = live
 279       }
 280
 281       {
 282         const { video, live } = await server.live.quickCreate({ saveReplay: true, permanentLive: true, privacy: VideoPrivacy.PRIVATE })
 283         permanentLiveId = video.uuid
 284         permanentLive = live
 285       }
 286     })
 287
 288     it('Should create a private normal live and have a private static path', async function () {
 289       this.timeout(240000)
 290
 291       await checkLiveFiles(normalLive, normalLiveId)
 292     })
 293
 294     it('Should create a private permanent live and have a private static path', async function () {
 295       this.timeout(240000)
 296
 297       await checkLiveFiles(permanentLive, permanentLiveId)
 298     })
 299
 300     it('Should have created a replay of the normal live with a private static path', async function () {
 301       this.timeout(240000)
 302
 303       await server.live.waitUntilReplacedByReplay({ videoId: normalLiveId })
 304
 305       const replay = await server.videos.getWithToken({ id: normalLiveId })
 306       await checkReplay(replay)
 307     })
 308
 309     it('Should have created a replay of the permanent live with a private static path', async function () {
 310       this.timeout(240000)
 311
 312       await server.live.waitUntilWaiting({ videoId: permanentLiveId })
 313       await waitJobs([ server ])
 314
 315       const live = await server.videos.getWithToken({ id: permanentLiveId })
 316       const replayFromList = await findExternalSavedVideo(server, live)
 317       const replay = await server.videos.getWithToken({ id: replayFromList.id })
 318
 319       await checkReplay(replay)
 320     })
 321   })
 322
 323   after(async function () {
 324     this.timeout(60000)
 325
 326     const { data } = await server.videos.listAllForAdmin()
 327
 328     for (const v of data) {
 329       await server.videos.remove({ id: v.uuid })
 330     }
 331
 332     for (const v of data) {
 333       await server.servers.waitUntilLog('Removed files of video ' + v.url, 1, true)
 334     }
 335
 336     await cleanupTests([ server ])
 337   })
 338 })