X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Ftests%2Fapi%2Factivitypub%2Fsecurity.ts;h=c6f1716336030f1de3f569a90483ab6cf8055205;hb=3b504f6ed4e890bebb46d0481aba15b43050323a;hp=b71a61c8c0b3ec46d53385df5f6feb3f94a348f0;hpb=bc22d60899e14631cba0fb6450f4e85fc9528293;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index b71a61c8c..c6f171633 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts @@ -1,186 +1,323 @@ -/* tslint:disable:no-unused-expression */ - -import 'mocha' - -import { - flushAndRunMultipleServers, - flushTests, - killallServers, - ServerInfo -} from '../../../../shared/utils' -import { HTTP_SIGNATURE } from '../../../initializers' -import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils' -import * as chai from 'chai' -import { setActorField } from '../../utils/miscs/sql' -import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub' -import { makeFollowRequest, makePOSTAPRequest } from '../../utils/requests/activitypub' - -const expect = chai.expect - -function setKeysOfServer2 (serverNumber: number, publicKey: string, privateKey: string) { +/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */ + +import { expect } from 'chai' +import { buildDigest } from '@server/helpers/peertube-crypto' +import { ACTIVITY_PUB, HTTP_SIGNATURE } from '@server/initializers/constants' +import { activityPubContextify } from '@server/lib/activitypub/context' +import { buildGlobalHeaders, signAndContextify } from '@server/lib/activitypub/send' +import { makePOSTAPRequest } from '@server/tests/shared' +import { buildAbsoluteFixturePath, wait } from '@shared/core-utils' +import { HttpStatusCode } from '@shared/models' +import { cleanupTests, createMultipleServers, killallServers, PeerTubeServer } from '@shared/server-commands' + +function setKeysOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, publicKey: string, privateKey: string) { + const url = ofServer.url + '/accounts/peertube' + return Promise.all([ - setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'publicKey', publicKey), - setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'privateKey', privateKey) + onServer.sql.setActorField(url, 'publicKey', publicKey), + onServer.sql.setActorField(url, 'privateKey', privateKey) ]) } -function setKeysOfServer3 (serverNumber: number, publicKey: string, privateKey: string) { +function setUpdatedAtOfServer (onServer: PeerTubeServer, ofServer: PeerTubeServer, updatedAt: string) { + const url = ofServer.url + '/accounts/peertube' + return Promise.all([ - setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'publicKey', publicKey), - setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'privateKey', privateKey) + onServer.sql.setActorField(url, 'createdAt', updatedAt), + onServer.sql.setActorField(url, 'updatedAt', updatedAt) ]) } +function getAnnounceWithoutContext (server: PeerTubeServer) { + const json = require(buildAbsoluteFixturePath('./ap-json/peertube/announce-without-context.json')) + const result: typeof json = {} + + for (const key of Object.keys(json)) { + if (Array.isArray(json[key])) { + result[key] = json[key].map(v => v.replace(':9002', `:${server.port}`)) + } else { + result[key] = json[key].replace(':9002', `:${server.port}`) + } + } + + return result +} + +async function makeFollowRequest (to: { url: string }, by: { url: string, privateKey }) { + const follow = { + type: 'Follow', + id: by.url + '/' + new Date().getTime(), + actor: by.url, + object: to.url + } + + const body = await activityPubContextify(follow, 'Follow') + + const httpSignature = { + algorithm: HTTP_SIGNATURE.ALGORITHM, + authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, + keyId: by.url, + key: by.privateKey, + headers: HTTP_SIGNATURE.HEADERS_TO_SIGN + } + const headers = { + 'digest': buildDigest(body), + 'content-type': 'application/activity+json', + 'accept': ACTIVITY_PUB.ACCEPT_HEADER + } + + return makePOSTAPRequest(to.url + '/inbox', body, httpSignature, headers) +} + describe('Test ActivityPub security', function () { - let servers: ServerInfo[] + let servers: PeerTubeServer[] let url: string - const keys = require('./json/peertube/keys.json') - const invalidKeys = require('./json/peertube/invalid-keys.json') - const baseHttpSignature = { + const keys = require(buildAbsoluteFixturePath('./ap-json/peertube/keys.json')) + const invalidKeys = require(buildAbsoluteFixturePath('./ap-json/peertube/invalid-keys.json')) + const baseHttpSignature = () => ({ algorithm: HTTP_SIGNATURE.ALGORITHM, authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, - keyId: 'acct:peertube@localhost:9002', + keyId: 'acct:peertube@' + servers[1].host, key: keys.privateKey, headers: HTTP_SIGNATURE.HEADERS_TO_SIGN - } + }) // --------------------------------------------------------------- before(async function () { this.timeout(60000) - servers = await flushAndRunMultipleServers(3) + servers = await createMultipleServers(3) url = servers[0].url + '/inbox' - await setKeysOfServer2(1, keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[0], servers[1], keys.publicKey, null) + await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) - const to = { url: 'http://localhost:9001/accounts/peertube' } - const by = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey } + const to = { url: servers[0].url + '/accounts/peertube' } + const by = { url: servers[1].url + '/accounts/peertube', privateKey: keys.privateKey } await makeFollowRequest(to, by) }) describe('When checking HTTP signature', function () { it('Should fail with an invalid digest', async function () { - const body = activityPubContextify(require('./json/peertube/announce-without-context.json')) + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = { Digest: buildDigest({ hello: 'coucou' }) } - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with an invalid date', async function () { - const body = activityPubContextify(require('./json/peertube/announce-without-context.json')) + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT' - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with bad keys', async function () { - await setKeysOfServer2(1, invalidKeys.publicKey, invalidKeys.privateKey) - await setKeysOfServer2(2, invalidKeys.publicKey, invalidKeys.privateKey) + await setKeysOfServer(servers[0], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) + await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) + + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') + const headers = buildGlobalHeaders(body) + + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } + }) + + it('Should reject requests without appropriate signed headers', async function () { + await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) + + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') + const headers = buildGlobalHeaders(body) - const body = activityPubContextify(require('./json/peertube/announce-without-context.json')) + const signatureOptions = baseHttpSignature() + const badHeadersMatrix = [ + [ '(request-target)', 'date', 'digest' ], + [ 'host', 'date', 'digest' ], + [ '(request-target)', 'host', 'digest' ] + ] + + for (const badHeaders of badHeadersMatrix) { + signatureOptions.headers = badHeaders + + try { + await makePOSTAPRequest(url, body, signatureOptions, headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } + } + }) + + it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () { + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers) + const signatureOptions = baseHttpSignature() + signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ] - expect(response.statusCode).to.equal(403) + const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) }) it('Should succeed with a valid HTTP signature', async function () { - await setKeysOfServer2(1, keys.publicKey, keys.privateKey) - await setKeysOfServer2(2, keys.publicKey, keys.privateKey) - - const body = activityPubContextify(require('./json/peertube/announce-without-context.json')) + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') const headers = buildGlobalHeaders(body) - const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers) + const { statusCode } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) + }) + + it('Should refresh the actor keys', async function () { + this.timeout(20000) + + // Update keys of server 2 to invalid keys + // Server 1 should refresh the actor and fail + await setKeysOfServer(servers[1], servers[1], invalidKeys.publicKey, invalidKeys.privateKey) + await setUpdatedAtOfServer(servers[0], servers[1], '2015-07-17 22:00:00+00') + + // Invalid peertube actor cache + await killallServers([ servers[1] ]) + await servers[1].run() - expect(response.statusCode).to.equal(204) + const body = await activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce') + const headers = buildGlobalHeaders(body) + + try { + await makePOSTAPRequest(url, body, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + console.error(err) + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) }) describe('When checking Linked Data Signature', function () { - before(async () => { - await setKeysOfServer3(3, keys.publicKey, keys.privateKey) + before(async function () { + this.timeout(10000) - const to = { url: 'http://localhost:9001/accounts/peertube' } - const by = { url: 'http://localhost:9003/accounts/peertube', privateKey: keys.privateKey } + await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[2], servers[2], keys.publicKey, keys.privateKey) + + const to = { url: servers[0].url + '/accounts/peertube' } + const by = { url: servers[2].url + '/accounts/peertube', privateKey: keys.privateKey } await makeFollowRequest(to, by) }) it('Should fail with bad keys', async function () { this.timeout(10000) - await setKeysOfServer3(1, invalidKeys.publicKey, invalidKeys.privateKey) - await setKeysOfServer3(3, invalidKeys.publicKey, invalidKeys.privateKey) + await setKeysOfServer(servers[0], servers[2], invalidKeys.publicKey, invalidKeys.privateKey) + await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey) - const body = require('./json/peertube/announce-without-context.json') - body.actor = 'http://localhost:9003/accounts/peertube' + const body = getAnnounceWithoutContext(servers[1]) + body.actor = servers[2].url + '/accounts/peertube' - const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:9003/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signer: any = { privateKey: invalidKeys.privateKey, url: servers[2].url + '/accounts/peertube' } + const signedBody = await signAndContextify(signer, body, 'Announce') const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should fail with an altered body', async function () { this.timeout(10000) - await setKeysOfServer3(1, keys.publicKey, keys.privateKey) - await setKeysOfServer3(3, keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey) + await setKeysOfServer(servers[0], servers[2], keys.publicKey, keys.privateKey) - const body = require('./json/peertube/announce-without-context.json') - body.actor = 'http://localhost:9003/accounts/peertube' + const body = getAnnounceWithoutContext(servers[1]) + body.actor = servers[2].url + '/accounts/peertube' - const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' } + const signedBody = await signAndContextify(signer, body, 'Announce') - signedBody.actor = 'http://localhost:9003/account/peertube' + signedBody.actor = servers[2].url + '/account/peertube' const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers) - - expect(response.statusCode).to.equal(403) + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) it('Should succeed with a valid signature', async function () { this.timeout(10000) - const body = require('./json/peertube/announce-without-context.json') - body.actor = 'http://localhost:9003/accounts/peertube' + const body = getAnnounceWithoutContext(servers[1]) + body.actor = servers[2].url + '/accounts/peertube' - const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' } - const signedBody = await buildSignedActivity(signer, body) + const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' } + const signedBody = await signAndContextify(signer, body, 'Announce') const headers = buildGlobalHeaders(signedBody) - const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers) + const { statusCode } = await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204) + }) + + it('Should refresh the actor keys', async function () { + this.timeout(20000) + + // Wait refresh invalidation + await wait(10000) - expect(response.statusCode).to.equal(204) + // Update keys of server 3 to invalid keys + // Server 1 should refresh the actor and fail + await setKeysOfServer(servers[2], servers[2], invalidKeys.publicKey, invalidKeys.privateKey) + + const body = getAnnounceWithoutContext(servers[1]) + body.actor = servers[2].url + '/accounts/peertube' + + const signer: any = { privateKey: keys.privateKey, url: servers[2].url + '/accounts/peertube' } + const signedBody = await signAndContextify(signer, body, 'Announce') + + const headers = buildGlobalHeaders(signedBody) + + try { + await makePOSTAPRequest(url, signedBody, baseHttpSignature(), headers) + expect(true, 'Did not throw').to.be.false + } catch (err) { + expect(err.statusCode).to.equal(HttpStatusCode.FORBIDDEN_403) + } }) }) after(async function () { - killallServers(servers) + this.timeout(10000) - // Keep the logs if the test failed - if (this['ok']) { - await flushTests() - } + await cleanupTests(servers) }) })