Option to disable static files auth check/s3 proxy

author: Chocobozzz <me@florianbigard.com> 2022-10-26 16:23:39 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-27 09:13:10 +0200
commit: 5a122dddc5aab1b2ae1843411032d5f392bdd216 (patch)
tree: 39778c4372c4b371f1294c94bf22d8a6e7a26456 /server/tests/api/object-storage
parent: 49e7e4d9ffd16cba7a721f6d3d3203decf4f4b2c (diff)
download: PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.tar.gz
PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.tar.zst
PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.zip
1 files changed, 115 insertions, 51 deletions
diff --git a/server/tests/api/object-storage/video-static-file-privacy.ts b/server/tests/api/object-storage/video-static-file-privacy.ts
index c6d7a1a2c..ed8855b3b 100644
--- a/server/tests/api/object-storage/video-static-file-privacy.ts
+++ b/server/tests/api/object-storage/video-static-file-privacy.ts
@@ -19,6 +19,12 @@ import {
  waitJobs
 } from '@shared/server-commands'
+function extractFilenameFromUrl (url: string) {
+  const parts = basename(url).split(':')
+  return parts[parts.length - 1]
+}
 describe('Object storage for video static file privacy', function () {
  // We need real world object storage to check ACL
  if (areScalewayObjectStorageTestsDisabled()) return
@@ -26,75 +32,81 @@ describe('Object storage for video static file privacy', function () {
  let server: PeerTubeServer
  let userToken: string
-  before(async function () {
+  // ---------------------------------------------------------------------------
-    this.timeout(120000)
-    server = await createSingleServer(1, ObjectStorageCommand.getDefaultScalewayConfig(1))
+  async function checkPrivateVODFiles (uuid: string) {
-    await setAccessTokensToServers([ server ])
+    const video = await server.videos.getWithToken({ id: uuid })
-    await setDefaultVideoChannel([ server ])
-    await server.config.enableMinimumTranscoding()
+    for (const file of video.files) {
+      expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/webseed/private/')
-    userToken = await server.users.generateUserAndToken('user1')
+      await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
-  })
+    }
-  describe('VOD', function () {
+    for (const file of getAllFiles(video)) {
-    let privateVideoUUID: string
+      const internalFileUrl = await server.sql.getInternalFileUrl(file.id)
-    let publicVideoUUID: string
+      expectStartWith(internalFileUrl, ObjectStorageCommand.getScalewayBaseUrl())
-    let userPrivateVideoUUID: string
+      await makeRawRequest({ url: internalFileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    }
+    const hls = getHLS(video)
+    if (hls) {
+      for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
+        expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
+      }
-    async function checkPrivateFiles (uuid: string) {
+      await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
-      const video = await server.videos.getWithToken({ id: uuid })
+      await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
-      for (const file of video.files) {
+      for (const file of hls.files) {
-        expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/webseed/private/')
+        expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
        await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
      }
+    }
+  }
-      for (const file of getAllFiles(video)) {
+  async function checkPublicVODFiles (uuid: string) {
-        const internalFileUrl = await server.sql.getInternalFileUrl(file.id)
+    const video = await server.videos.getWithToken({ id: uuid })
-        expectStartWith(internalFileUrl, ObjectStorageCommand.getScalewayBaseUrl())
-        await makeRawRequest({ url: internalFileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
-      }
-      const hls = getHLS(video)
+    for (const file of getAllFiles(video)) {
+      expectStartWith(file.fileUrl, ObjectStorageCommand.getScalewayBaseUrl())
-      if (hls) {
+      await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
-        for (const url of [ hls.playlistUrl, hls.segmentsSha256Url ]) {
+    }
-          expectStartWith(url, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
-        }
-        await makeRawRequest({ url: hls.playlistUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
+    const hls = getHLS(video)
-        await makeRawRequest({ url: hls.segmentsSha256Url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
-        for (const file of hls.files) {
+    if (hls) {
-          expectStartWith(file.fileUrl, server.url + '/object-storage-proxy/streaming-playlists/hls/private/')
+      expectStartWith(hls.playlistUrl, ObjectStorageCommand.getScalewayBaseUrl())
+      expectStartWith(hls.segmentsSha256Url, ObjectStorageCommand.getScalewayBaseUrl())
-          await makeRawRequest({ url: file.fileUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
+      await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
-        }
+      await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
-      }
    }
+  }
-    async function checkPublicFiles (uuid: string) {
+  // ---------------------------------------------------------------------------
-      const video = await server.videos.getWithToken({ id: uuid })
-      for (const file of getAllFiles(video)) {
+  before(async function () {
-        expectStartWith(file.fileUrl, ObjectStorageCommand.getScalewayBaseUrl())
+    this.timeout(120000)
-        await makeRawRequest({ url: file.fileUrl, expectedStatus: HttpStatusCode.OK_200 })
+    server = await createSingleServer(1, ObjectStorageCommand.getDefaultScalewayConfig({ serverNumber: 1 }))
-      }
+    await setAccessTokensToServers([ server ])
+    await setDefaultVideoChannel([ server ])
-      const hls = getHLS(video)
+    await server.config.enableMinimumTranscoding()
-      if (hls) {
+    userToken = await server.users.generateUserAndToken('user1')
-        expectStartWith(hls.playlistUrl, ObjectStorageCommand.getScalewayBaseUrl())
+  })
-        expectStartWith(hls.segmentsSha256Url, ObjectStorageCommand.getScalewayBaseUrl())
-        await makeRawRequest({ url: hls.playlistUrl, expectedStatus: HttpStatusCode.OK_200 })
+  describe('VOD', function () {
-        await makeRawRequest({ url: hls.segmentsSha256Url, expectedStatus: HttpStatusCode.OK_200 })
+    let privateVideoUUID: string
-      }
+    let publicVideoUUID: string
-    }
+    let userPrivateVideoUUID: string
+    // ---------------------------------------------------------------------------
    async function getSampleFileUrls (videoId: string) {
      const video = await server.videos.getWithToken({ id: videoId })
@@ -105,6 +117,8 @@ describe('Object storage for video static file privacy', function () {
      }
    }
+    // ---------------------------------------------------------------------------
    it('Should upload a private video and have appropriate object storage ACL', async function () {
      this.timeout(60000)
@@ -120,7 +134,7 @@ describe('Object storage for video static file privacy', function () {
      await waitJobs([ server ])
-      await checkPrivateFiles(privateVideoUUID)
+      await checkPrivateVODFiles(privateVideoUUID)
    })
    it('Should upload a public video and have appropriate object storage ACL', async function () {
@@ -131,7 +145,7 @@ describe('Object storage for video static file privacy', function () {
      publicVideoUUID = uuid
-      await checkPublicFiles(publicVideoUUID)
+      await checkPublicVODFiles(publicVideoUUID)
    })
    it('Should not get files without appropriate OAuth token', async function () {
@@ -182,7 +196,7 @@ describe('Object storage for video static file privacy', function () {
      await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.INTERNAL } })
-      await checkPrivateFiles(publicVideoUUID)
+      await checkPrivateVODFiles(publicVideoUUID)
    })
    it('Should update private video to public', async function () {
@@ -190,7 +204,7 @@ describe('Object storage for video static file privacy', function () {
      await server.videos.update({ id: publicVideoUUID, attributes: { privacy: VideoPrivacy.PUBLIC } })
-      await checkPublicFiles(publicVideoUUID)
+      await checkPublicVODFiles(publicVideoUUID)
    })
  })
@@ -203,6 +217,8 @@ describe('Object storage for video static file privacy', function () {
    let unrelatedFileToken: string
+    // ---------------------------------------------------------------------------
    async function checkLiveFiles (live: LiveVideo, liveId: string) {
      const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
      await server.live.waitUntilPublished({ videoId: liveId })
@@ -260,6 +276,8 @@ describe('Object storage for video static file privacy', function () {
      }
    }
+    // ---------------------------------------------------------------------------
    before(async function () {
      await server.config.enableMinimumTranscoding()
@@ -320,6 +338,52 @@ describe('Object storage for video static file privacy', function () {
    })
  })
+  describe('With private files proxy disabled and public ACL for private files', function () {
+    let videoUUID: string
+    before(async function () {
+      this.timeout(240000)
+      await server.kill()
+      const config = ObjectStorageCommand.getDefaultScalewayConfig({
+        serverNumber: server.internalServerNumber,
+        enablePrivateProxy: false,
+        privateACL: 'public-read'
+      })
+      await server.run(config)
+      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
+      videoUUID = uuid
+      await waitJobs([ server ])
+    })
+    it('Should display object storage path for a private video and be able to access them', async function () {
+      this.timeout(60000)
+      await checkPublicVODFiles(videoUUID)
+    })
+    it('Should not be able to access object storage proxy', async function () {
+      const privateVideo = await server.videos.getWithToken({ id: videoUUID })
+      const webtorrentFilename = extractFilenameFromUrl(privateVideo.files[0].fileUrl)
+      const hlsFilename = extractFilenameFromUrl(getHLS(privateVideo).files[0].fileUrl)
+      await makeRawRequest({
+        url: server.url + '/object-storage-proxy/webseed/private/' + webtorrentFilename,
+        token: server.accessToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+      await makeRawRequest({
+        url: server.url + '/object-storage-proxy/streaming-playlists/hls/private/' + videoUUID + '/' + hlsFilename,
+        token: server.accessToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
  after(async function () {
    this.timeout(60000)
author	Chocobozzz <me@florianbigard.com>	2022-10-26 16:23:39 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-27 09:13:10 +0200
commit	5a122dddc5aab1b2ae1843411032d5f392bdd216 (patch)
tree	39778c4372c4b371f1294c94bf22d8a6e7a26456 /server/tests/api/object-storage
parent	49e7e4d9ffd16cba7a721f6d3d3203decf4f4b2c (diff)
download	PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.tar.gz PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.tar.zst PeerTube-5a122dddc5aab1b2ae1843411032d5f392bdd216.zip