Mercurial Repository: p/roundup/code: test/rest

comparison test/rest_common.py @ 7155:89a59e46b3af

improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

author	John Rouillard <rouilj@ieee.org>
date	Thu, 23 Feb 2023 12:01:33 -0500
parents	32c6e98e5a21
children	6f09103a6522

comparison

equal deleted inserted replaced

-:f614176903d0
+:89a59e46b3af
 self.db.post_init()
 tx_Source_init(self.db)
-env = {
+self.client_env = {
 'PATH_INFO': 'http://localhost/rounduptest/rest/',
 'HTTP_HOST': 'localhost',
-'TRACKER_NAME': 'rounduptest'
+'TRACKER_NAME': 'rounduptest',
-}
+'HTTP_ORIGIN': 'http://tracker.example'
-self.dummy_client = client.Client(self.instance, MockNull(), env, [], None)
+}
+self.dummy_client = client.Client(self.instance, MockNull(),
+self.client_env, [], None)
 self.dummy_client.request.headers.get = self.get_header
+self.dummy_client.db = self.db
 self.empty_form = cgi.FieldStorage()
 self.terse_form = cgi.FieldStorage()
 self.terse_form.list = [
 cgi.MiniFieldStorage('@verbose', '0'),
 ]
 def get_header (self, header, not_found=None):
 try:
 return self.headers[header.lower()]
 except (AttributeError, KeyError, TypeError):
+if header.upper() in self.client_env:
+return self.client_env[header.upper()]
 return not_found
 def create_stati(self):
 try:
 self.db.status.create(name='open', order='9')
 def testGet(self):
 """
 Retrieve all three users
 obtain data for 'joe'
 """
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 # Retrieve all three users.
 results = self.server.get_collection('user', self.empty_form)
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(len(results['data']['collection']), 3)
 self.assertEqual(results['data']['@total_size'], 3)
 # don't set an accept header; json should be the default
 # use up all our allowed api calls
 for i in range(20):
 # i is 0 ... 19
 self.client_error_message = []
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 results = self.server.dispatch('GET',
 "/rest/data/user/%s/realname"%self.joeid,
 self.empty_form)
 # is successful
 }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 }
 self.headers=headers
 }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 }
 self.headers=headers
 self.assertEqual(self.server.client.response_code, 201)
 json_dict = json.loads(b2s(results))
 self.assertEqual(json_dict['data']['link'],
 "http://tracker.example/cgi-bin/roundup.cgi/bugs/rest/data/issue/1")
 self.assertEqual(json_dict['data']['id'], "1")
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 results = self.server.dispatch('GET',
 "/rest/data/issue/1", self.empty_form)
 print(results)
 json_dict = json.loads(b2s(results))
 self.assertEqual(json_dict['data']['link'],
 # TEST #0
 # Delete class raises unauthorized error
 # simulate: /rest/data/issue
 env = { "REQUEST_METHOD": "DELETE"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 }
 self.headers=headers
 self.server.client.request.headers.get=self.get_header
 results = self.server.dispatch(env["REQUEST_METHOD"],
 }'
 env = { "CONTENT_TYPE": "application/jzot",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 }
 }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/zot; version=1; q=0.5",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 }
 # is valid
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/zot; version=1; q=0.75, "
 "application/json; version=1; q=0.5",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 }
 # Make sure false value works to suppress @stats
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@stats', 'False'),
 ]
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 results = self.server.dispatch('GET',
 "/rest/data/user/1/realname",
 form)
 self.assertEqual(self.dummy_client.response_code, 200)
 json_dict = json.loads(b2s(results))
 cgi.MiniFieldStorage('@stats', 'true'),
 ]
 self.headers = headers
 self.server.client.request.headers.get = self.get_header
 self.db.setCurrentUser('admin') # must be admin to change user
+self.server.client.env.update({'REQUEST_METHOD': 'PUT'})
 results = self.server.dispatch('PUT',
 "/rest/data/user/1/realname",
 form)
 self.assertEqual(self.dummy_client.response_code, 200)
 json_dict = json.loads(b2s(results))
 etag = calculate_etag(self.db.user.getnode(self.joeid),
 self.db.config['WEB_SECRET_KEY'])
 body=b'{ "data": "Joe Doe 1" }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
-"REQUEST_METHOD": "PUT"
+"REQUEST_METHOD": "PUT",
-}
+"HTTP_ORIGIN": "https://invalid.origin"
+}
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 "content-type": env['CONTENT_TYPE'],
 "content-length": env['CONTENT_LENGTH'],
 "if-match": etag
 }
 self.server.client.request.headers.get=self.get_header
 results = self.server.dispatch('PUT',
 "/rest/data/user/%s/realname"%self.joeid,
 form)
+# invalid origin, no credentials allowed.
+self.assertNotIn("Access-Control-Allow-Credentials",
+self.server.client.additional_headers)
 self.assertEqual(self.server.client.response_code, 200)
 results = self.server.get_element('user', self.joeid, self.empty_form)
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['attributes']['realname'],
 'Joe Doe 1')
 self.server.client.request.headers.get = self.get_header
 results = self.server.dispatch('PUT',
 "/rest/data/user/%s/realname"%self.joeid,
 form)
 self.assertEqual(self.dummy_client.response_code, 200)
+self.server.client.env.update({'REQUEST_METHOD': "GET"})
 results = self.server.dispatch('GET',
 "/rest/data/user/%s/realname"%self.joeid,
 self.empty_form)
 self.assertEqual(self.dummy_client.response_code, 200)
 json_dict = json.loads(b2s(results))
 body=s2b('{ "address": "demo2@example.com", "@etag": "\\"%s\\""}'%etagb)
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "PATCH"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(body)
 }
 self.headers=headers
 body=b'{ "title": "foo bar", "priority": "critical" }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(body)
 }
 self.headers=headers
 body=b'{ "title": "foo bar", "priority": "critical" }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(body)
 }
 self.headers=headers
 body=b'{ "order": 5 }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json; version=1",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(body)
 }
 self.headers=headers
 self.server.client.request.headers.get=self.get_header
 self.db.setCurrentUser('admin') # must be admin to create status
 results = self.server.dispatch('POST',
 "/rest/data/status",
 form)
+self.server.client.env.update(env)
 self.assertEqual(self.server.client.response_code, 400)
 json_dict = json.loads(b2s(results))
 status=json_dict['error']['status']
 msg=json_dict['error']['msg']
 self.assertEqual(status, 400)
 self.db.config['WEB_SECRET_KEY'])
 etagb = etag.strip ('"')
 env = {"CONTENT_TYPE": "application/json",
 "CONTENT_LEN": 0,
 "REQUEST_METHOD": "DELETE" }
+self.server.client.env.update(env)
 # use text/plain header and request json output by appending
 # .json to the url.
 headers={"accept": "text/plain",
 "content-type": env['CONTENT_TYPE'],
 "if-match": '"%s"'%etagb,
 print(results)
 json_dict = json.loads(b2s(results))
 status=json_dict['data']['status']
 self.assertEqual(status, 'ok')
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 results = self.server.dispatch('GET',
 "/rest/data/issuetitle:=asdf.jon",
 form)
 self.assertEqual(self.server.client.response_code, 406)
 print(results)
 # simulate: /rest/data/issue
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@apiver', 'L'),
 ]
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 headers={"accept": "application/json; notversion=z" }
 self.headers=headers
 self.server.client.request.headers.get=self.get_header
 results = self.server.dispatch('GET',
 "/rest/data/issue/1", form)
 self.assertEqual(self.server.client.response_code, 404)
 del(self.headers)
 def testAcceptHeaderParsing(self):
+self.server.client.env['REQUEST_METHOD'] = 'GET'
 # TEST #1
 # json highest priority
 self.server.client.request.headers.get=self.get_header
 headers={"accept": "application/json; version=1,"
 "application/xml; q=0.5; version=2,"
 self.headers=headers
 form = client.BinaryFieldStorage(body_file,
 headers=headers,
 environ=env)
 self.db.setCurrentUser('admin') # must be admin to create status
+self.server.client.env.update({'REQUEST_METHOD': method})
 results = self.server.dispatch(method,
 "/rest/data/status",
 form)
 self.assertEqual(self.server.client.response_code, 400)
 form = client.BinaryFieldStorage(body_file,
 headers=headers,
 environ=env)
 self.server.client.request.headers.get=self.get_header
 self.db.setCurrentUser('admin') # must be admin to delete issue
+self.server.client.env.update({'REQUEST_METHOD': 'POST'})
 results = self.server.dispatch('POST',
 "/rest/data/status/1",
 form)
 print(results)
 self.assertEqual(self.server.client.response_code, 200)
 empty_body=b''
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(empty_body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(empty_body)
 }
 self.headers=headers
 body=b'{ "title": "foo bar", "priority": "critical" }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "POST"
 }
+self.server.client.env.update(env)
 headers={"accept": "application/json",
 "content-type": env['CONTENT_TYPE'],
 "content-length": len(body)
 }
 self.headers=headers
 self.assertEqual(results['error']['msg'],
 "POE token \'%s\' not valid."%poe)
 ## Try using GET on POE url. Should fail with method not
 ## allowed (405)
+self.server.client.env.update({'REQUEST_METHOD': 'GET'})
 self.server.client.request.headers.get=self.get_header
 results = self.server.dispatch('GET',
 "/rest/data/issue/@poe",
 form)
 self.assertEqual(self.server.client.response_code, 405)
 body_file=BytesIO(body_poe)  # FieldStorage needs a file
 form = client.BinaryFieldStorage(body_file,
 headers=headers,
 environ=env)
 self.server.client.request.headers.get=self.get_header
+self.server.client.env.update({'REQUEST_METHOD': 'POST'})
 results = self.server.dispatch('POST',
 "/rest/data/issue/@poe",
 form)
 json_dict = json.loads(b2s(results))
 url=json_dict['data']['link']
 results = results['data']
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(len(results['attributes']['nosy']), 0)
 self.assertListEqual(results['attributes']['nosy'], [])
+def testRestMatchWildcardOrigin(self):
+# cribbed from testDispatch #1
+# PUT: joe's 'realname' using json data.
+# simulate: /rest/data/user/<id>/realname
+# use etag in header
+# verify that credential header is missing, valid allow origin
+# header and vary includes origin.
+local_client = self.server.client
+etag = calculate_etag(self.db.user.getnode(self.joeid),
+self.db.config['WEB_SECRET_KEY'])
+body = b'{ "data": "Joe Doe 1" }'
+env = { "CONTENT_TYPE": "application/json",
+"CONTENT_LENGTH": len(body),
+"REQUEST_METHOD": "PUT",
+"HTTP_ORIGIN": "https://bad.origin"
+}
+local_client.env.update(env)
+local_client.db.config["WEB_ALLOWED_API_ORIGINS"] = " * "
+headers={"accept": "application/json; version=1",
+"content-type": env['CONTENT_TYPE'],
+"content-length": env['CONTENT_LENGTH'],
+"if-match": etag,
+"origin": env['HTTP_ORIGIN']
+}
+self.headers=headers
+# we need to generate a FieldStorage the looks like
+#  FieldStorage(None, None, 'string') rather than
+#  FieldStorage(None, None, [])
+body_file=BytesIO(body)  # FieldStorage needs a file
+form = client.BinaryFieldStorage(body_file,
+headers=headers,
+environ=env)
+local_client.request.headers.get=self.get_header
+results = self.server.dispatch('PUT',
+"/rest/data/user/%s/realname"%self.joeid,
+form)
+self.assertNotIn("Access-Control-Allow-Credentials",
+local_client.additional_headers)
+self.assertIn("Access-Control-Allow-Origin",
+local_client.additional_headers)
+self.assertEqual(
+headers['origin'],
+local_client.additional_headers["Access-Control-Allow-Origin"])
+self.assertIn("Vary", local_client.additional_headers)
+self.assertIn("Origin",
+local_client.additional_headers['Vary'])
+self.assertEqual(local_client.response_code, 200)
+results = self.server.get_element('user', self.joeid, self.empty_form)
+self.assertEqual(self.dummy_client.response_code, 200)
+self.assertEqual(results['data']['attributes']['realname'],
+'Joe Doe 1')
 @skip_jwt
 def test_expired_jwt(self):
 # self.dummy_client.main() closes database, so
 # we need a new test with setup called for each test
 out = []

Mercurial > p > roundup > code

comparison test/rest_common.py @ 7155:89a59e46b3af