Commit graph

85 commits

Author SHA1 Message Date
Richard Hansen
180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
Richard Hansen
304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
John McLear
a51132d712
tests: test coverage for read only pad ids (#4364) 2020-09-27 19:12:11 +01:00
Richard Hansen
9f63d9b76a tests: Check for true/false, not truthiness 2020-09-26 21:40:19 +01:00
Richard Hansen
c18831c333 tests: Fix typo (publicstatus -> publicStatus) 2020-09-26 21:40:19 +01:00
Richard Hansen
e01e575c86 tests: Use async/await instead of callbacks, use assert 2020-09-26 21:40:19 +01:00
Richard Hansen
24345bf9a8 tests: Group session and group tests to improve readability 2020-09-26 21:40:19 +01:00
Richard Hansen
4527254bcc tests: Use let and const instead of var 2020-09-26 21:40:19 +01:00
Richard Hansen
e88c532172 tests: Delete unused variable 2020-09-26 21:40:19 +01:00
Richard Hansen
ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen
02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen
72ed1816ec security: Fix authz check for pad names with encoded characters
Also:
  * Minor test cleanups (`function` instead of arrow functions, etc.).
  * Add a test for a case that was previously not covered.
2020-09-26 10:47:27 +01:00
Richard Hansen
23131a501c tests: Rewrite import/export tests to use async and supertest 2020-09-26 10:46:16 +01:00
Richard Hansen
54c999fe83 tests: Factor out common skip checks 2020-09-26 10:46:16 +01:00
Richard Hansen
1c3c5b744c tests: Skip all import/export tests if !allowAnyoneToImport
Three of the four tests fail if `settings.allowAnyoneToImport` is
false. The fourth ("tries to import Plain Text to a pad that does not
exist") isn't particularly useful when `settings.allowAnyoneToImport`
is false: That test tests an import failure mode, and when
`settings.allowAnyoneToImport` is false the failure could be caused by
that instead of the expected cause.
2020-09-26 10:46:16 +01:00
Richard Hansen
c148e673a8 tests: Use this.skip() when skipping tests 2020-09-26 10:46:16 +01:00
Richard Hansen
668373b80f tests: Fix abiword/soffice check 2020-09-26 10:46:16 +01:00
Richard Hansen
89de03795a tests: Delete unused imports and code 2020-09-26 10:46:16 +01:00
Richard Hansen
94f944160d security: Don't require express_sid if authn not required
This should make it possible to embed a pad in an iframe from another
site as long as `settings.requireAuthentication` is false.
2020-09-24 10:42:41 +01:00
Richard Hansen
53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
Richard Hansen
a000a93dc6 Refactor startup/shutdown for tests
* `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Richard Hansen
346111250e utils: Fix promise creation accounting bug in promises.timesLimit
Before this change, `promises.timesLimit()` created `concurrency - 1`
too many promises. The only users of this function use a concurrency
of 500, so this meant that 499 extra promises were created each time
it was used. The bug didn't affect correctness, but it did result in a
large number of unnecessary database operations whenever a pad was
deleted. This change fixes that bug.

Also:
  * Convert the function to async and have it resolve after all of the
    created promises are resolved.
  * Reject concurrency of 0 (unless total is 0).
  * Document the function.
  * Add tests.
2020-09-21 23:16:32 +01:00
Joas Souza
8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen
b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen
9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
John McLear
12c05c20b2
bugfix/import: doc import bugfix (#4235) 2020-08-30 14:11:12 +01:00
John McLear
4f5cf2dc63
tests and bugfix: test coverage and fix for 4165 - bad HTML export of list items (#4180)
Also fix for test max value for ratelimiter
2020-07-19 16:31:13 +01:00
John McLear
7b0fd4fb29
Bugfix / tests: Travis use LibreOffice PPA and fix import /export tests for good. (#4166)
Just final bits of test coverage for import/export of LibreOffice.  It turns out Travis by default installs an old LO that doesn't support PDF import.  To remedy that I use the LO PPA and also strict install the PDF import support.

Still to do in a future date is check LO exported contents includes expected strings, for now it just checks output length looks sane.
2020-07-16 10:46:45 +01:00
John McLear
ab8320d15b
WIP - Test Coverage: Import & Export include LibreOffice Test Coverage (#4163)
Runs on Travis
Will only run locally is ``allowAnyoneToImport`` and ``soffice`` or ``abiword`` is set.
2020-07-14 18:44:53 +01:00
John McLear
aff93d24dd
export: txt import include correct OL prefix (#4086)
Includes test coverage
Final part of solving https://github.com/ether/etherpad-lite/issues/3447
2020-06-06 14:30:13 +01:00
John McLear
fb68ac672b
tests: OL/UL further testing. 2020-06-05 22:18:58 +01:00
John McLear
a4bdcc3392
tests/editor/ul/li/ol/import/export: Introduce contentcollector.js tests & various OL/UL/LI related bugfixes
1. Introduce contentcollector.js backend tests
1. Fix issue with OL LI items not being properly numbered after import
1. Fix issue with nested OL LI items being improperly numbered on export
1. Fix issue with new lines not being introduced after lists in on import #3961
1. Sanitize HTML on the way in (import)
1. Fix ExportHTML CSS because it needs to support OL > LI > OL not OL > OL [The latter being the correct format]
1. Fix backend tests.
2020-06-05 20:54:16 +01:00
John McLear
4497d37af9 tests: path to request require fix 2020-06-01 18:45:01 +00:00
John McLear
0dd9db4e99
tests: fix for fix of fuzz tests
Commenting out fuzz tests for now

Fixed up paths with request..  Pesky globals..
2020-06-01 19:26:49 +01:00
John McLear
71bffed190
tests: fix for fuzz tests (#4068) 2020-06-01 18:52:46 +01:00
John McLear
dc11b85e62
tests: fuzzing, binary imports 2020-06-01 17:26:55 +01:00
Christian Schröder
5537ef3950 test: fix settings loading in api/instance backend test
With commit 44186ed (tests: remove loadSettings.js for backend tests.)
the loading of the settings in backendtests changed. One test spec
was not updated.
2020-04-16 03:03:20 +02:00
muxator
44186edbc5 tests: remove loadSettings.js for backend tests.
The old loadSettings.js was a way of customizing settings upon load, because
the Settings module did not offer this functionality. But it did not work well,
since all the default settings were not loaded.

Let's get rid of loadSettings.js for the bulk of the tests (the "backend"
specs). For the "container" specs, we'll keep it in place until/if we rewrite
Settings.js making it less brittle.
2020-04-14 03:36:13 +02:00
Chocobozzz
8c4625ec50 tests: add tests for listAllPads() API call
--HG--
branch : padlist-use-set
2020-04-09 03:39:32 +02:00
muxator
e6251687bf api: test coverage for getStats() 2020-04-04 22:03:46 +02:00
Viljami Kuosmanen
ccf406708e openapi: support standard http error codes
API errors are now handled at the end of the request heap by
throwing exceptions from the handler
2020-04-03 01:03:11 +02:00
Viljami Kuosmanen
6aa30f213a openapi: add jsonp support + test 2020-04-03 01:03:11 +02:00
John McLear
6c12a7fb1f tests: backend tests for utf8 & emojis support 2020-03-31 02:11:25 +02:00
John McLear
352b432ed1 tests: in backend tests, use POST instead of GET for setText() and setHTML()
This is allowed starting from fc661ee13a ("core: allow URL parameters and POST
bodies to co-exist"), which landed in Etherpad 1.8.0. For the discussion, see
issue #3568.
2020-03-31 02:11:25 +02:00
muxator
b2dc446740 tests: typo in a comment in the backend tests 2020-03-31 02:11:25 +02:00
Pierre Prinetti
92f07a544b ci: test basic application response of the docker build
Note by muxator:
This commit introduced a copied & modified version of the testing files
loadSettings.js and pad.js.

It's Christmas night, and we want to shipt this feature, so I merged it anyway,
adding a note in both the original and copied files so that hopefully someone
in the distant future is going to merge them back again.
2019-12-25 00:28:38 +01:00
muxator
fe0cf4bdb0 tests: reorganize some files, because we are going to copy & paste them.
In the following commits Pierre is going to copy & modify some files.
This commit prepares the source files in order to minimize those differences,
so we can re-unify them as soon as possible.

No functional changes.
2019-12-25 00:28:38 +01:00
Ray Bellis
fc661ee13a core: allow URL parameters and POST bodies to co-exist.
Node 8.14.0 prohibits HTTP headers that exceed 8 KB (source:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121).

This patch allows for the parameters within the body of an HTTP POST request to
be used in addition to those within the URL (and will override them).

Closes #3568.

---
Muxator 2019-10-19:
- this commit was cherry-picked from 882b93487f
- it was modified to include the necessary changes in the documentation
2019-06-27 00:52:53 +02:00
Ray Bellis
4622309dc2 TidyHtml.js: convert to promises
test case uses "nodeify" to convert the calls to TidyHtml back
into nodeback because it integrates better with the test framework
2019-01-31 13:42:41 +00:00
muxator
6d36bb2c53 node8: we can safely use os.tmpdir()
Since we are requiring node >= 8, we can safely use native functionalities.
2019-02-19 22:01:12 +01:00