X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Ftests%2Fapi%2Factivitypub%2Fsecurity.ts;h=95e2aebb4f49d184a66aed896acd241041497ee8;hb=e08ec7a723724c247d9bbcdbf157da08d3ba31a7;hp=9745052a393ae38e9c8a1387fe5734f4f2ef0f80;hpb=b5c361089f03f4d459fa1cdc49ff66dee736af12;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index 9745052a3..95e2aebb4 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts @@ -3,38 +3,43 @@ import 'mocha' import * as chai from 'chai' import { buildDigest } from '@server/helpers/peertube-crypto' -import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes' -import { - cleanupTests, - closeAllSequelize, - flushAndRunMultipleServers, - ServerInfo, - setActorField, - wait -} from '../../../../shared/extra-utils' -import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub' -import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub' -import { HTTP_SIGNATURE } from '../../../initializers/constants' -import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils' +import { HTTP_SIGNATURE } from '@server/initializers/constants' +import { activityPubContextify } from '@server/lib/activitypub/context' +import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send' +import { makeFollowRequest, makePOSTAPRequest } from '@server/tests/shared' +import { buildAbsoluteFixturePath, wait } from '@shared/core-utils' +import { HttpStatusCode } from '@shared/models' +import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands' const expect = chai.expect -function setKeysOfServer (onServer: ServerInfo, ofServer: ServerInfo, publicKey: string, privateKey: string) { +function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) { + const url = 'http://localhost:' + ofServer.port + '/accounts/peertube' + return Promise.all([ - setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'publicKey', publicKey), - setActorField(onServer.internalServerNumber, 'http://localhost:' + ofServer.port + '/accounts/peertube', 'privateKey', privateKey) + onServer.sql.setActorField(url, 'publicKey', publicKey), + onServer.sql.setActorField(url, 'privateKey', privateKey) ]) } -function getAnnounceWithoutContext (server2: ServerInfo) { - const json = require('./json/peertube/announce-without-context.json') +function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) { + const url = 'http://localhost:' + ofServer.port + '/accounts/peertube' + + return Promise.all([ + onServer.sql.setActorField(url, 'createdAt', updatedAt), + onServer.sql.setActorField(url, 'updatedAt', updatedAt) + ]) +} + +function getAnnounceWithoutContext (server: PeerTubeServer) { + const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json')) const result: typeof json = {} for (const key of Object.keys(json)) { if (Array.isArray(json[key])) { - result[key] = json[key].map(v => v.replace(':9002', `:${server2.port}`)) + result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`)) } else { - result[key] = json[key].replace(':9002', `:${server2.port}`) + result[key] = json[key].replace(':9002', `:${server.port}`) } } @@ -42,11 +47,11 @@ function getAnnounceWithoutContext (server2: ServerInfo) { } describe('Test ActivityPub security', function () { - let servers: ServerInfo[] + let servers: PeerTubeServer[] let url: string - const keys = require('./json/peertube/keys.json') - const invalidKeys = require('./json/peertube/invalid-keys.json') + const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json')) + const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json')) const baseHttpSignature = () => ({ algorithm: HTTP_SIGNATURE.ALGORITHM, authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, @@ -60,11 +65,12 @@ describe('Test ActivityPub security', function () { before(async function () { this.timeout(60000) - servers = await flushAndRunMultipleServers(3) + servers = await createMultipleServers(3) url = servers[0].url + '/inbox' - await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[0], servers[1], keys.publicKey, null) + await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' } const by = { url: 'http://localhost:' + servers[1].port + '/accounts/peertube', privateKey: keys.privateKey } @@ -74,7 +80,7 @@ describe('Test ActivityPub security', function () { describe('When checking HTTP signature', function () { it('Should fail with an invalid digest', async function () { - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = { Digest: buildDigest({ hello: 'coucou' }) } @@ -88,7 +94,7 @@ describe('Test ActivityPub security', function () { }) it('Should fail with an invalid date', async function () { - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT' @@ -104,7 +110,7 @@ describe('Test ActivityPub security', function () { await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) try { @@ -119,7 +125,7 @@ describe('Test ActivityPub security', function () { await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) const signatureOptions = baseHttpSignature() @@ -141,8 +147,19 @@ describe('Test ActivityPub security', function () { } }) + it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () { + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') + const headers = buildGlobalHeaders(body) + + const signatureOptions = baseHttpSignature() + signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ] + + const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) + }) + it('Should succeed with a valid HTTP signature', async function () { - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) @@ -152,20 +169,23 @@ describe('Test ActivityPub security', function () { it('Should refresh the actor keys', async function () { this.timeout(20000) - // Wait refresh invalidation - await wait(10000) - // Update keys of server 2 to invalid keys // Server 1 should refresh the actor and fail await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) + await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00') - const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + // Invalid peertube actor cache + await killallServers([ servers[1] ]) + await servers[1].run() + + const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) try { await makePOSTAPRequest(url, body, baseHttpSignature(), headers) expect(true, 'Did not throw').to.be.false } catch (err) { + console.error(err) expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) } }) @@ -194,7 +214,7 @@ describe('Test ActivityPub security', function () { body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube' const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signedBody = await signAndContextify(signer, body, 'Announce') const headers = buildGlobalHeaders(signedBody) @@ -216,7 +236,7 @@ describe('Test ActivityPub security', function () { body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube' const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signedBody = await signAndContextify(signer, body, 'Announce') signedBody.actor = 'http://localhost:' + servers[2].port + '/account/peertube' @@ -237,7 +257,7 @@ describe('Test ActivityPub security', function () { body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube' const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signedBody = await signAndContextify(signer, body, 'Announce') const headers = buildGlobalHeaders(signedBody) @@ -259,7 +279,7 @@ describe('Test ActivityPub security', function () { body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube' const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signedBody = await signAndContextify(signer, body, 'Announce') const headers = buildGlobalHeaders(signedBody) @@ -276,7 +296,5 @@ describe('Test ActivityPub security', function () { this.timeout(10000) await cleanupTests(servers) - - await closeAllSequelize(servers) }) })