server/tests/api/videos/video-static-file-privacy.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { decode } from 'magnet-uri'
   5 import { checkVideoFileTokenReinjection, expectStartWith } from '@server/tests/shared'
   6 import { getAllFiles, wait } from '@shared/core-utils'
   7 import { HttpStatusCode, LiveVideo, VideoDetails, VideoPrivacy } from '@shared/models'
   8 import {
   9   cleanupTests,
  10   createSingleServer,
  11   findExternalSavedVideo,
  12   makeRawRequest,
  13   parseTorrentVideo,
  14   PeerTubeServer,
  15   sendRTMPStream,
  16   setAccessTokensToServers,
  17   setDefaultVideoChannel,
  18   stopFfmpeg,
  19   waitJobs
  20 } from '@shared/server-commands'
  21
  22 describe('Test video static file privacy', function () {
  23   let server: PeerTubeServer
  24   let userToken: string
  25
  26   before(async function () {
  27     this.timeout(50000)
  28
  29     server = await createSingleServer(1)
  30     await setAccessTokensToServers([ server ])
  31     await setDefaultVideoChannel([ server ])
  32
  33     userToken = await server.users.generateUserAndToken('user1')
  34   })
  35
  36   describe('VOD static file path', function () {
  37
  38     function runSuite () {
  39
  40       async function checkPrivateFiles (uuid: string) {
  41         const video = await server.videos.getWithToken({ id: uuid })
  42
  43         for (const file of video.files) {
  44           expect(file.fileDownloadUrl).to.not.include('/private/')
  45           expectStartWith(file.fileUrl, server.url + '/static/webseed/private/')
  46
  47           const torrent = await parseTorrentVideo(server, file)
  48           expect(torrent.urlList).to.have.lengthOf(0)
  49
  50           const magnet = decode(file.magnetUri)
  51           expect(magnet.urlList).to.have.lengthOf(0)
  52
  53           await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  54         }
  55
  56         const hls = video.streamingPlaylists[0]
  57         if (hls) {
  58           expectStartWith(hls.playlistUrl, server.url + '/static/streaming-playlists/hls/private/')
  59           expectStartWith(hls.segmentsSha256Url, server.url + '/static/streaming-playlists/hls/private/')
  60
  61           await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  62           await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  63         }
  64       }
  65
  66       async function checkPublicFiles (uuid: string) {
  67         const video = await server.videos.get({ id: uuid })
  68
  69         for (const file of getAllFiles(video)) {
  70           expect(file.fileDownloadUrl).to.not.include('/private/')
  71           expect(file.fileUrl).to.not.include('/private/')
  72
  73           const torrent = await parseTorrentVideo(server, file)
  74           expect(torrent.urlList[0]).to.not.include('private')
  75
  76           const magnet = decode(file.magnetUri)
  77           expect(magnet.urlList[0]).to.not.include('private')
  78
  79           await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
  80           await makeRawRequest({ url: torrent.urlList[0], expectedStatus: HttpStatusCode.OK_200 })
  81           await makeRawRequest({ url: magnet.urlList[0], expectedStatus: HttpStatusCode.OK_200 })
  82         }
  83
  84         const hls = video.streamingPlaylists[0]
  85         if (hls) {
  86           expect(hls.playlistUrl).to.not.include('private')
  87           expect(hls.segmentsSha256Url).to.not.include('private')
  88
  89           await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
  90           await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
  91         }
  92       }
  93
  94       it('Should upload a private/internal video and have a private static path', async function () {
  95         this.timeout(120000)
  96
  97         for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
  98           const { uuid } = await server.videos.quickUpload({ name: 'video', privacy })
  99           await waitJobs([ server ])
 100
 101           await checkPrivateFiles(uuid)
 102         }
 103       })
 104
 105       it('Should upload a public video and update it as private/internal to have a private static path', async function () {
 106         this.timeout(120000)
 107
 108         for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
 109           const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PUBLIC })
 110           await waitJobs([ server ])
 111
 112           await server.videos.update({ id: uuid, attributes: { privacy } })
 113           await waitJobs([ server ])
 114
 115           await checkPrivateFiles(uuid)
 116         }
 117       })
 118
 119       it('Should upload a private video and update it to unlisted to have a public static path', async function () {
 120         this.timeout(120000)
 121
 122         const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 123         await waitJobs([ server ])
 124
 125         await server.videos.update({ id: uuid, attributes: { privacy: VideoPrivacy.UNLISTED } })
 126         await waitJobs([ server ])
 127
 128         await checkPublicFiles(uuid)
 129       })
 130
 131       it('Should upload an internal video and update it to public to have a public static path', async function () {
 132         this.timeout(120000)
 133
 134         const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })
 135         await waitJobs([ server ])
 136
 137         await server.videos.update({ id: uuid, attributes: { privacy: VideoPrivacy.PUBLIC } })
 138         await waitJobs([ server ])
 139
 140         await checkPublicFiles(uuid)
 141       })
 142
 143       it('Should upload an internal video and schedule a public publish', async function () {
 144         this.timeout(120000)
 145
 146         const attributes = {
 147           name: 'video',
 148           privacy: VideoPrivacy.PRIVATE,
 149           scheduleUpdate: {
 150             updateAt: new Date(Date.now() + 1000).toISOString(),
 151             privacy: VideoPrivacy.PUBLIC as VideoPrivacy.PUBLIC
 152           }
 153         }
 154
 155         const { uuid } = await server.videos.upload({ attributes })
 156
 157         await waitJobs([ server ])
 158         await wait(1000)
 159         await server.debug.sendCommand({ body: { command: 'process-update-videos-scheduler' } })
 160
 161         await waitJobs([ server ])
 162
 163         await checkPublicFiles(uuid)
 164       })
 165     }
 166
 167     describe('Without transcoding', function () {
 168       runSuite()
 169     })
 170
 171     describe('With transcoding', function () {
 172
 173       before(async function () {
 174         await server.config.enableMinimumTranscoding()
 175       })
 176
 177       runSuite()
 178     })
 179   })
 180
 181   describe('VOD static file right check', function () {
 182     let unrelatedFileToken: string
 183
 184     async function checkVideoFiles (options: {
 185       id: string
 186       expectedStatus: HttpStatusCode
 187       token: string
 188       videoFileToken: string
 189     }) {
 190       const { id, expectedStatus, token, videoFileToken } = options
 191
 192       const video = await server.videos.getWithToken({ id })
 193
 194       for (const file of getAllFiles(video)) {
 195         await makeRawRequest({ url: file.fileUrl, token, expectedStatus })
 196         await makeRawRequest({ url: file.fileDownloadUrl, token, expectedStatus })
 197
 198         await makeRawRequest({ url: file.fileUrl, query: { videoFileToken }, expectedStatus })
 199         await makeRawRequest({ url: file.fileDownloadUrl, query: { videoFileToken }, expectedStatus })
 200       }
 201
 202       const hls = video.streamingPlaylists[0]
 203       await makeRawRequest({ url: hls.playlistUrl, token, expectedStatus })
 204       await makeRawRequest({ url: hls.segmentsSha256Url, token, expectedStatus })
 205
 206       await makeRawRequest({ url: hls.playlistUrl, query: { videoFileToken }, expectedStatus })
 207       await makeRawRequest({ url: hls.segmentsSha256Url, query: { videoFileToken }, expectedStatus })
 208     }
 209
 210     before(async function () {
 211       await server.config.enableMinimumTranscoding()
 212
 213       const { uuid } = await server.videos.quickUpload({ name: 'another video' })
 214       unrelatedFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 215     })
 216
 217     it('Should not be able to access a private video files without OAuth token and file token', async function () {
 218       this.timeout(120000)
 219
 220       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })
 221       await waitJobs([ server ])
 222
 223       await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.FORBIDDEN_403, token: null, videoFileToken: null })
 224     })
 225
 226     it('Should not be able to access an internal video files without appropriate OAuth token and file token', async function () {
 227       this.timeout(120000)
 228
 229       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 230       await waitJobs([ server ])
 231
 232       await checkVideoFiles({
 233         id: uuid,
 234         expectedStatus: HttpStatusCode.FORBIDDEN_403,
 235         token: userToken,
 236         videoFileToken: unrelatedFileToken
 237       })
 238     })
 239
 240     it('Should be able to access a private video files with appropriate OAuth token or file token', async function () {
 241       this.timeout(120000)
 242
 243       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 244       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 245
 246       await waitJobs([ server ])
 247
 248       await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })
 249     })
 250
 251     it('Should reinject video file token', async function () {
 252       this.timeout(120000)
 253
 254       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
 255
 256       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 257       await waitJobs([ server ])
 258
 259       const video = await server.videos.getWithToken({ id: uuid })
 260       const hls = video.streamingPlaylists[0]
 261
 262       {
 263         const query = { videoFileToken }
 264         const { text } = await makeRawRequest({ url: hls.playlistUrl, query, expectedStatus: HttpStatusCode.OK_200 })
 265
 266         expect(text).to.not.include(videoFileToken)
 267       }
 268
 269       {
 270         await checkVideoFileTokenReinjection({
 271           server,
 272           videoUUID: uuid,
 273           videoFileToken,
 274           resolutions: [ 240, 720 ],
 275           isLive: false
 276         })
 277       }
 278     })
 279
 280     it('Should be able to access a private video of another user with an admin OAuth token or file token', async function () {
 281       this.timeout(120000)
 282
 283       const { uuid } = await server.videos.quickUpload({ name: 'video', token: userToken, privacy: VideoPrivacy.PRIVATE })
 284       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 285
 286       await waitJobs([ server ])
 287
 288       await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })
 289     })
 290   })
 291
 292   describe('Live static file path and check', function () {
 293     let normalLiveId: string
 294     let normalLive: LiveVideo
 295
 296     let permanentLiveId: string
 297     let permanentLive: LiveVideo
 298
 299     let unrelatedFileToken: string
 300
 301     async function checkLiveFiles (live: LiveVideo, liveId: string) {
 302       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
 303       await server.live.waitUntilPublished({ videoId: liveId })
 304
 305       const video = await server.videos.getWithToken({ id: liveId })
 306       const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 307
 308       const hls = video.streamingPlaylists[0]
 309
 310       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 311         expectStartWith(url, server.url + '/static/streaming-playlists/hls/private/')
 312
 313         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 314         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 315
 316         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 317         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 318         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 319       }
 320
 321       await stopFfmpeg(ffmpegCommand)
 322     }
 323
 324     async function checkReplay (replay: VideoDetails) {
 325       const fileToken = await server.videoToken.getVideoFileToken({ videoId: replay.uuid })
 326
 327       const hls = replay.streamingPlaylists[0]
 328       expect(hls.files).to.not.have.lengthOf(0)
 329
 330       for (const file of hls.files) {
 331         await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 332         await makeRawRequest({ url: file.fileUrl, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 333
 334         await makeRawRequest({ url: file.fileUrl, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 335         await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 336         await makeRawRequest({
 337           url: file.fileUrl,
 338           query: { videoFileToken: unrelatedFileToken },
 339           expectedStatus: HttpStatusCode.FORBIDDEN_403
 340         })
 341       }
 342
 343       for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
 344         expectStartWith(url, server.url + '/static/streaming-playlists/hls/private/')
 345
 346         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 347         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
 348
 349         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 350         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 351         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
 352       }
 353     }
 354
 355     before(async function () {
 356       await server.config.enableMinimumTranscoding()
 357
 358       const { uuid } = await server.videos.quickUpload({ name: 'another video' })
 359       unrelatedFileToken = await server.videoToken.getVideoFileToken({ videoId: uuid })
 360
 361       await server.config.enableLive({
 362         allowReplay: true,
 363         transcoding: true,
 364         resolutions: 'min'
 365       })
 366
 367       {
 368         const { video, live } = await server.live.quickCreate({ saveReplay: true, permanentLive: false, privacy: VideoPrivacy.PRIVATE })
 369         normalLiveId = video.uuid
 370         normalLive = live
 371       }
 372
 373       {
 374         const { video, live } = await server.live.quickCreate({ saveReplay: true, permanentLive: true, privacy: VideoPrivacy.PRIVATE })
 375         permanentLiveId = video.uuid
 376         permanentLive = live
 377       }
 378     })
 379
 380     it('Should create a private normal live and have a private static path', async function () {
 381       this.timeout(240000)
 382
 383       await checkLiveFiles(normalLive, normalLiveId)
 384     })
 385
 386     it('Should create a private permanent live and have a private static path', async function () {
 387       this.timeout(240000)
 388
 389       await checkLiveFiles(permanentLive, permanentLiveId)
 390     })
 391
 392     it('Should reinject video file token on permanent live', async function () {
 393       this.timeout(240000)
 394
 395       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: permanentLive.rtmpUrl, streamKey: permanentLive.streamKey })
 396       await server.live.waitUntilPublished({ videoId: permanentLiveId })
 397
 398       const video = await server.videos.getWithToken({ id: permanentLiveId })
 399       const videoFileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 400       const hls = video.streamingPlaylists[0]
 401
 402       {
 403         const query = { videoFileToken }
 404         const { text } = await makeRawRequest({ url: hls.playlistUrl, query, expectedStatus: HttpStatusCode.OK_200 })
 405
 406         expect(text).to.not.include(videoFileToken)
 407       }
 408
 409       {
 410         await checkVideoFileTokenReinjection({
 411           server,
 412           videoUUID: permanentLiveId,
 413           videoFileToken,
 414           resolutions: [ 720 ],
 415           isLive: true
 416         })
 417       }
 418
 419       await stopFfmpeg(ffmpegCommand)
 420     })
 421
 422     it('Should have created a replay of the normal live with a private static path', async function () {
 423       this.timeout(240000)
 424
 425       await server.live.waitUntilReplacedByReplay({ videoId: normalLiveId })
 426
 427       const replay = await server.videos.getWithToken({ id: normalLiveId })
 428       await checkReplay(replay)
 429     })
 430
 431     it('Should have created a replay of the permanent live with a private static path', async function () {
 432       this.timeout(240000)
 433
 434       await server.live.waitUntilWaiting({ videoId: permanentLiveId })
 435       await waitJobs([ server ])
 436
 437       const live = await server.videos.getWithToken({ id: permanentLiveId })
 438       const replayFromList = await findExternalSavedVideo(server, live)
 439       const replay = await server.videos.getWithToken({ id: replayFromList.id })
 440
 441       await checkReplay(replay)
 442     })
 443   })
 444
 445   describe('With static file right check disabled', function () {
 446     let videoUUID: string
 447
 448     before(async function () {
 449       this.timeout(240000)
 450
 451       await server.kill()
 452
 453       await server.run({
 454         static_files: {
 455           private_files_require_auth: false
 456         }
 457       })
 458
 459       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })
 460       videoUUID = uuid
 461
 462       await waitJobs([ server ])
 463     })
 464
 465     it('Should not check auth for private static files', async function () {
 466       const video = await server.videos.getWithToken({ id: videoUUID })
 467
 468       for (const file of getAllFiles(video)) {
 469         await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
 470       }
 471
 472       const hls = video.streamingPlaylists[0]
 473       await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
 474       await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
 475     })
 476   })
 477
 478   after(async function () {
 479     await cleanupTests([ server ])
 480   })
 481 })