Force signed headers in http signatures

Thanks Roger
author: Chocobozzz <me@florianbigard.com> 2020-11-12 10:42:25 +0100
committer: Chocobozzz <me@florianbigard.com> 2020-11-12 16:29:32 +0100
commit: 797d05bdd99b63104522051d0f61f1e0f003e780 (patch)
tree: a0e356958e03aa62c4539afacbf7715eba305954 /server/tests/api/activitypub/security.ts
parent: 2a9562fc5894509e63016b1fe09f6dce0c4b6e5e (diff)
download: PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.gz
PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.zst
PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.zip
1 files changed, 20 insertions, 1 deletions
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts
index ac4bc7c6a..e6002b661 100644
--- a/server/tests/api/activitypub/security.ts
+++ b/server/tests/api/activitypub/security.ts
@@ -99,13 +99,32 @@ describe('Test ActivityPub security', function () {
      expect(response.statusCode).to.equal(403)
    })
-    it('Should succeed with a valid HTTP signature', async function () {
+    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
+      const signatureOptions = baseHttpSignature()
+      const badHeadersMatrix = [
+        [ '(request-target)', 'date', 'digest' ],
+        [ 'host', 'date', 'digest' ],
+        [ '(request-target)', 'host', 'digest' ]
+      ]
+      for (const badHeaders of badHeadersMatrix) {
+        signatureOptions.headers = badHeaders
+        const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
+        expect(response.statusCode).to.equal(403)
+      }
+    })
+    it('Should succeed with a valid HTTP signature', async function () {
+      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
+      const headers = buildGlobalHeaders(body)
      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(response.statusCode).to.equal(204)
author	Chocobozzz <me@florianbigard.com>	2020-11-12 10:42:25 +0100
committer	Chocobozzz <me@florianbigard.com>	2020-11-12 16:29:32 +0100
commit	797d05bdd99b63104522051d0f61f1e0f003e780 (patch)
tree	a0e356958e03aa62c4539afacbf7715eba305954 /server/tests/api/activitypub/security.ts
parent	2a9562fc5894509e63016b1fe09f6dce0c4b6e5e (diff)
download	PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.gz PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.zst PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.zip

diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index ac4bc7c6a..e6002b661 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts
@@ -99,13 +99,32 @@ describe('Test ActivityPub security', function () {
99	expect(response.statusCode).to.equal(403)	99	expect(response.statusCode).to.equal(403)
100	})	100	})
101		101
102	it('Should succeed with a valid HTTP signature', async function () {	102	it('Should reject requests without appropriate signed headers', async function () {
103	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)	103	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
104	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)	104	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
105		105
106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))	106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
107	const headers = buildGlobalHeaders(body)	107	const headers = buildGlobalHeaders(body)
108		108
		109	const signatureOptions = baseHttpSignature()
		110	const badHeadersMatrix = [
		111	[ '(request-target)', 'date', 'digest' ],
		112	[ 'host', 'date', 'digest' ],
		113	[ '(request-target)', 'host', 'digest' ]
		114	]
		115
		116	for (const badHeaders of badHeadersMatrix) {
		117	signatureOptions.headers = badHeaders
		118
		119	const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
		120	expect(response.statusCode).to.equal(403)
		121	}
		122	})
		123
		124	it('Should succeed with a valid HTTP signature', async function () {
		125	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
		126	const headers = buildGlobalHeaders(body)
		127
109	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)	128	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
110		129
111	expect(response.statusCode).to.equal(204)	130	expect(response.statusCode).to.equal(204)