view test/test_instance.py @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also adds an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS requests as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 778a9f455067 |
| children | 9c3ec0a5c7fc |
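The origin-matching policy the commit message describes, written out as an added Python illustration. This is not roundup's own implementation and is not taken from this changeset; the function name `cors_headers`, the `Vary: Origin` header, the preflight method list and the sample origins are assumptions made for the example. It shows the two outcomes the commit distinguishes: an origin that is listed explicitly is reflected together with `Access-Control-Allow-Credentials: true`, while an origin admitted only by the leading `'*'` is reflected without the credentials header, so a third-party site cannot make credentialed cross-origin requests to the tracker.

```python
# Added illustration of the CORS rule in the commit message above.
# Not roundup's code: the function name, the Vary header and the
# preflight method list are assumptions for this example.

def cors_headers(allowed_api_origins, request_origin, preflight=False):
    """Return the CORS response headers for a request from request_origin.

    allowed_api_origins mirrors the tracker setting of that name: an
    optional leading '*' (which must come first) followed by explicit
    origins such as 'https://example.org'.

    Rules implemented:
      * origin listed explicitly   -> reflect it and allow credentials
      * origin matched only by '*' -> reflect it, no credentials header
      * no match                   -> no CORS headers at all
    """
    if not request_origin:
        return {}

    origins = [o.strip() for o in allowed_api_origins if o.strip()]
    wildcard = bool(origins) and origins[0] == '*'
    explicit = origins[1:] if wildcard else origins
    if '*' in explicit:
        # The commit message requires '*' to be first in the list.
        raise ValueError("'*' must be first in allowed_api_origins")

    if request_origin in explicit:
        with_credentials = True
    elif wildcard:
        with_credentials = False
    else:
        return {}

    headers = {
        'Access-Control-Allow-Origin': request_origin,
        # Assumed addition (not on the page): tell caches the reflected
        # header depends on the request's Origin.
        'Vary': 'Origin',
    }
    if with_credentials:
        # Only an explicitly trusted origin may send cookies or auth headers.
        headers['Access-Control-Allow-Credentials'] = 'true'
    if preflight:
        # Methods the commit message lists for the REST interface.
        headers['Access-Control-Allow-Methods'] = (
            'GET, PUT, DELETE, POST, PATCH, OPTIONS')
    return headers


if __name__ == '__main__':
    # Constructed sample: wildcard plus one explicit origin.
    setting = ['*', 'https://example.org']
    print(cors_headers(setting, 'https://example.org'))
    print(cors_headers(setting, 'https://third-party.example'))
    print(cors_headers(setting, 'https://third-party.example', preflight=True))
```

The same function covers the preflight OPTIONS path and the ordinary method path, which is the point of the fix: whichever path answers the request, the credentials header is keyed on an explicit match, never on the wildcard.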
```python
#
# Copyright (C) 2020 John Rouillard
# All rights reserved.
# For license terms see the file COPYING.txt.
#
from __future__ import print_function

import unittest, os, shutil, errno, sys, difflib

from roundup import instance
from roundup.instance import TrackerError

try:
    # python2
    import pathlib2 as pathlib
except ImportError:
    # python3
    import pathlib

from . import db_test_base


class InstanceTest(unittest.TestCase):

    backend = 'anydbm'

    def setUp(self):
        self.dirname = '_test_instance'
        # set up and open a tracker
        self.instance = db_test_base.setupTracker(self.dirname, self.backend)
        # open the database
        self.db = self.instance.open('admin')
        self.db.commit()
        self.db.close()

    def tearDown(self):
        if self.db:
            self.db.close()
        try:
            shutil.rmtree(self.dirname)
        except OSError as error:
            if error.errno not in (errno.ENOENT, errno.ESRCH):
                raise

    def testOpenOldStyle(self):
        pathlib.Path(os.path.join(self.dirname, "dbinit.py")).touch()

        # no longer support old style tracker configs
        self.assertRaises(TrackerError, instance.open, self.dirname)
```
