X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Ftests%2Fapi%2Factivitypub%2Fsecurity.ts;h=9745052a393ae38e9c8a1387fe5734f4f2ef0f80;hb=b5c361089f03f4d459fa1cdc49ff66dee736af12;hp=7e58bf0652fe834cd951d4a6000c175be6ba22de;hpb=7024e9120b381b5b3201212f5a18f5cdc14e15ff;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index 7e58bf065..9745052a3 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts @@ -1,13 +1,21 @@ /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */ import 'mocha' - -import { cleanupTests, closeAllSequelize, flushAndRunMultipleServers, ServerInfo, setActorField } from '../../../../shared/extra-utils' -import { HTTP_SIGNATURE } from '../../../initializers/constants' -import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils' import * as chai from 'chai' -import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub' +import { buildDigest } from '@server/helpers/peertube-crypto' +import { HttpStatusCode } from '../../../../shared/core-utils/miscs/http-error-codes' +import { + cleanupTests, + closeAllSequelize, + flushAndRunMultipleServers, + ServerInfo, + setActorField, + wait +} from '../../../../shared/extra-utils' import { makeFollowRequest, makePOSTAPRequest } from '../../../../shared/extra-utils/requests/activitypub' +import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub' +import { HTTP_SIGNATURE } from '../../../initializers/constants' +import { buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils' const expect = chai.expect @@ -71,9 +79,12 @@ describe('Test ActivityPub security', function () { Digest: buildDigest({ hello: 'coucou' }) } - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with an invalid date', async function () { @@ -81,9 +92,12 @@ describe('Test ActivityPub security', function () { const headers = buildGlobalHeaders(body) headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT' - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with bad keys', async function () { @@ -93,26 +107,76 @@ describe('Test ActivityPub security', function () { const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) const headers = buildGlobalHeaders(body) - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) - it('Should succeed with a valid HTTP signature', async function () { + it('Should reject requests without appropriate signed headers', async function () { await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) const headers = buildGlobalHeaders(body) - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + const signatureOptions = baseHttpSignature() + const badHeadersMatrix = [ + [ '(request-target)', 'date', 'digest' ], + [ 'host', 'date', 'digest' ], + [ '(request-target)', 'host', 'digest' ] + ] + + for (const badHeaders of badHeadersMatrix) { + signatureOptions.headers = badHeaders + + try { + await makePOSTAPRequest(url, body, signatureOptions, headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } + } + }) + + it('Should succeed with a valid HTTP signature', async function () { + const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const headers = buildGlobalHeaders(body) + + const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) + }) + + it('Should refresh the actor keys', async function () { + this.timeout(20000) + + // Wait refresh invalidation + await wait(10000) + + // Update keys of server 2 to invalid keys + // Server 1 should refresh the actor and fail + await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) + + const body = activityPubContextify(getAnnounceWithoutContext(servers[1])) + const headers = buildGlobalHeaders(body) - expect(response.statusCode).to.equal(204) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) }) describe('When checking Linked Data Signature', function () { - before(async () => { + before(async function () { + this.timeout(10000) + + await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey) const to = { url: 'http://localhost:' + servers[0].port + '/accounts/peertube' } @@ -134,9 +198,12 @@ describe('Test ActivityPub security', function () { const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with an altered body', async function () { @@ -155,9 +222,12 @@ describe('Test ActivityPub security', function () { const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should succeed with a valid signature', async function () { @@ -171,9 +241,34 @@ describe('Test ActivityPub security', function () { const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) + }) + + it('Should refresh the actor keys', async function () { + this.timeout(20000) - expect(response.statusCode).to.equal(204) + // Wait refresh invalidation + await wait(10000) + + // Update keys of server 3 to invalid keys + // Server 1 should refresh the actor and fail + await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey) + + const body = getAnnounceWithoutContext(servers[1]) + body.actor = 'http://localhost:' + servers[2].port + '/accounts/peertube' + + const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:' + servers[2].port + '/accounts/peertube' } + const signedBody = await buildSignedActivity(signer, body) + + const headers = buildGlobalHeaders(signedBody) + + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) })