1 /* tslint:disable:no-unused-expression */
6 flushAndRunMultipleServers,
10 } from '../../../../shared/utils'
11 import { HTTP_SIGNATURE } from '../../../initializers'
12 import { buildDigest, buildGlobalHeaders } from '../../../lib/job-queue/handlers/utils/activitypub-http-utils'
13 import * as chai from 'chai'
14 import { setActorField } from '../../utils/miscs/sql'
15 import { activityPubContextify, buildSignedActivity } from '../../../helpers/activitypub'
16 import { makeFollowRequest, makePOSTAPRequest } from '../../utils/requests/activitypub'
18 const expect = chai.expect
20 function setKeysOfServer2 (serverNumber: number, publicKey: string, privateKey: string) {
22 setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'publicKey', publicKey),
23 setActorField(serverNumber, 'http://localhost:9002/accounts/peertube', 'privateKey', privateKey)
27 function setKeysOfServer3 (serverNumber: number, publicKey: string, privateKey: string) {
29 setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'publicKey', publicKey),
30 setActorField(serverNumber, 'http://localhost:9003/accounts/peertube', 'privateKey', privateKey)
34 describe('Test ActivityPub security', function () {
35 let servers: ServerInfo[]
38 const keys = require('./json/peertube/keys.json')
39 const invalidKeys = require('./json/peertube/invalid-keys.json')
40 const baseHttpSignature = {
41 algorithm: HTTP_SIGNATURE.ALGORITHM,
42 authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME,
43 keyId: 'acct:peertube@localhost:9002',
45 headers: HTTP_SIGNATURE.HEADERS_TO_SIGN
48 // ---------------------------------------------------------------
50 before(async function () {
53 servers = await flushAndRunMultipleServers(3)
55 url = servers[0].url + '/inbox'
57 await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
59 const to = { url: 'http://localhost:9001/accounts/peertube' }
60 const by = { url: 'http://localhost:9002/accounts/peertube', privateKey: keys.privateKey }
61 await makeFollowRequest(to, by)
64 describe('When checking HTTP signature', function () {
66 it('Should fail with an invalid digest', async function () {
67 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
69 Digest: buildDigest({ hello: 'coucou' })
72 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
74 expect(response.statusCode).to.equal(403)
77 it('Should fail with an invalid date', async function () {
78 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
79 const headers = buildGlobalHeaders(body)
80 headers['date'] = 'Wed, 21 Oct 2015 07:28:00 GMT'
82 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
84 expect(response.statusCode).to.equal(403)
87 it('Should fail with bad keys', async function () {
88 await setKeysOfServer2(1, invalidKeys.publicKey, invalidKeys.privateKey)
89 await setKeysOfServer2(2, invalidKeys.publicKey, invalidKeys.privateKey)
91 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
92 const headers = buildGlobalHeaders(body)
94 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
96 expect(response.statusCode).to.equal(403)
99 it('Should succeed with a valid HTTP signature', async function () {
100 await setKeysOfServer2(1, keys.publicKey, keys.privateKey)
101 await setKeysOfServer2(2, keys.publicKey, keys.privateKey)
103 const body = activityPubContextify(require('./json/peertube/announce-without-context.json'))
104 const headers = buildGlobalHeaders(body)
106 const { response } = await makePOSTAPRequest(url, body, baseHttpSignature, headers)
108 expect(response.statusCode).to.equal(204)
112 describe('When checking Linked Data Signature', function () {
114 await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
116 const to = { url: 'http://localhost:9001/accounts/peertube' }
117 const by = { url: 'http://localhost:9003/accounts/peertube', privateKey: keys.privateKey }
118 await makeFollowRequest(to, by)
121 it('Should fail with bad keys', async function () {
124 await setKeysOfServer3(1, invalidKeys.publicKey, invalidKeys.privateKey)
125 await setKeysOfServer3(3, invalidKeys.publicKey, invalidKeys.privateKey)
127 const body = require('./json/peertube/announce-without-context.json')
128 body.actor = 'http://localhost:9003/accounts/peertube'
130 const signer: any = { privateKey: invalidKeys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
131 const signedBody = await buildSignedActivity(signer, body)
133 const headers = buildGlobalHeaders(signedBody)
135 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
137 expect(response.statusCode).to.equal(403)
140 it('Should fail with an altered body', async function () {
143 await setKeysOfServer3(1, keys.publicKey, keys.privateKey)
144 await setKeysOfServer3(3, keys.publicKey, keys.privateKey)
146 const body = require('./json/peertube/announce-without-context.json')
147 body.actor = 'http://localhost:9003/accounts/peertube'
149 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
150 const signedBody = await buildSignedActivity(signer, body)
152 signedBody.actor = 'http://localhost:9003/account/peertube'
154 const headers = buildGlobalHeaders(signedBody)
156 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
158 expect(response.statusCode).to.equal(403)
161 it('Should succeed with a valid signature', async function () {
164 const body = require('./json/peertube/announce-without-context.json')
165 body.actor = 'http://localhost:9003/accounts/peertube'
167 const signer: any = { privateKey: keys.privateKey, url: 'http://localhost:9003/accounts/peertube' }
168 const signedBody = await buildSignedActivity(signer, body)
170 const headers = buildGlobalHeaders(signedBody)
172 const { response } = await makePOSTAPRequest(url, signedBody, baseHttpSignature, headers)
174 expect(response.statusCode).to.equal(204)
178 after(async function () {
179 killallServers(servers)
181 // Keep the logs if the test failed