Mercurial > p > roundup > code

view test/test_instance.py @ 8265:35beff316883

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix(api): issue2551384. Verify REST authorization earlier To reduce the ability of bad actors to spam (DOS) the REST endpoint with bad data and generate logs meant for debugging, modify the flow in client.py's REST handler to verify authorization earlier. If the anonymous user is allowed to use REST, this won't make a difference for a DOS attempt. The templates don't enable REST for the anonymous user by default. Most admins don't change this. The validation order for REST requests has been changed. CORS identfied an handled User authorization to use REST (return 403 on failure) REST request validated (Origin header valid etc.) (return 400 for bad request) Incorrectly formatted CORS preflight requests (e.g. missing Origin header) that are not recogized as a CORS request can now return HTTP status 403 as well as status 400 (when anonymous is allowed access). Note all CORS preflights are sent without authentication so appear as anonymous requests. The tests were updated to compensate, but it is not obvious to me from specs what the proper evaulation order/return codes should be for this case. Both 403/400 are failures and cause CORS to fail so there should be no difference but...
author John Rouillard <rouilj@ieee.org>
date Thu, 09 Jan 2025 09:30:08 -0500
parents 778a9f455067
children 9c3ec0a5c7fc
line wrap: on
line source

#
# Copyright (C) 2020 John Rouillard
# All rights reserved.
# For license terms see the file COPYING.txt.
#

from __future__ import print_function
import unittest, os, shutil, errno, sys, difflib

from roundup import instance
from roundup.instance import TrackerError

try:
  # python2
  import pathlib2 as pathlib
except ImportError:
  # python3
  import pathlib

from . import db_test_base

class InstanceTest(unittest.TestCase):

    backend = 'anydbm'

    def setUp(self):
        self.dirname = '_test_instance'
        # set up and open a tracker
        self.instance = db_test_base.setupTracker(self.dirname, self.backend)

        # open the database
        self.db = self.instance.open('admin')

        self.db.commit()
        self.db.close()

    def tearDown(self):
        if self.db:
            self.db.close()
        try:
            shutil.rmtree(self.dirname)
        except OSError as error:
            if error.errno not in (errno.ENOENT, errno.ESRCH): raise


    def testOpenOldStyle(self):
        pathlib.Path(os.path.join(self.dirname, "dbinit.py")).touch()
        # no longer support old style tracker configs
        self.assertRaises(TrackerError, instance.open, self.dirname)
Roundup Issue Tracker: http://roundup-tracker.org/