Commit graph

463 commits

Author SHA1 Message Date
Richard Hansen
6408d2313c webaccess: Be extra paranoid about nullish password
If `settings.json` contains a user without a `password` property then
nobody should be able to log in as that user using the built-in HTTP
basic authentication. This is true both with and without this change,
but before this change it wasn't immediately obvious that a malicious
user couldn't use an empty or null password to log in as such a user.
This commit adds an explicit nullish check and some unit tests to
ensure that an empty or null password will not work if the `password`
property is null or undefined.
2020-11-04 18:06:08 +00:00
webzwo0i
b67c9cc136
tests: Speed up and fix travis (#4453)
Various test runner fixes.
2020-10-30 10:40:11 +00:00
Richard Hansen
b41d9762fa tests: Clear auth hooks before running import/export unit tests
Also fix some ESLint complaints.
2020-10-29 19:06:24 -04:00
Richard Hansen
03d8882383 tests: Clear auth hooks before running socket.io unit tests 2020-10-29 18:53:10 -04:00
Richard Hansen
4829bb8962 tests: Delete unnecessary describe() wrapper 2020-10-29 18:53:10 -04:00
Richard Hansen
dbe9151d89 tests: Clear hooks before running webaccess tests
Also factor out common test setup code.
2020-10-29 15:33:05 -04:00
Richard Hansen
36aceb3aba hooks: Rewrite callAll and aCallAll for consistency
Rewrite the `callAll` and `aCallAll` functions to support all
reasonable hook behaviors and to report errors for unreasonable
behaviors (e.g., calling the callback twice).

Now a hook function like the following works as expected when invoked
by `aCallAll`:

```
exports.myHookFn = (hookName, context, cb) => {
  cb('some value');
  return;
};
```
2020-10-24 16:08:50 +01:00
webzwo0i
069e9997dd
tests: 10 sec maximum wait time for timeslider (#4430) 2020-10-23 12:43:38 +01:00
webzwo0i
047dfcdee9
tests: relaxed constraint on the number of interval triggers (#4427) 2020-10-22 16:01:51 +01:00
webzwo0i
69c7033a86
tests: refactor some frontend tests (#4408)
* don't include sendkeys in index.html as it's included in helper.init
mocha opts: add default timeout and replace ignoreLeaks with checkLeaks,
as the former is deprecated

* introduce helper.edit to write to a pad

* add test to check if helper.edit() supports line numbers

* helper tests: waitFor/waitForPromise seem to be a little bit faster sometimes

* tests: refactor chat.js

* tests: refactor timeslider_numeric_padID

* tests: refactor timeslider_labels

* tests: refactor timeslider_follow

* ensure followContents is enabled, although it should be by default

* timeslider_follow: increase number of revision for Edge

* make textLines() depend on linesDiv()

Co-authored-by: Richard Hansen <rhansen@rhansen.org>

* make linesDiv return standard Array

* use `contain` instead of `indexOf`

* more fixes from the review

* review fixes

* align waitFor and waitForPromise behaviour

* timeslider_follow: check if it's following to the correct lines

* lower expected waitFor/waitForPromise interval check

* disable responsivness and regression test in timeslider_follow

* timeslider_follow: fix Range detection

* more explicit test for linesDiv

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2020-10-21 18:43:17 +01:00
Richard Hansen
1dba121aff tests: Tune waitForPromise() poll count test some more
Looks like the test machines can be quite slow, which causes noise in
the count.
2020-10-14 18:16:20 +01:00
Richard Hansen
e0542f903a tests: Tune waitForPromise() poll count test
This should have been done in c222fc5d0b
but I forgot.
2020-10-14 16:59:03 +01:00
Richard Hansen
3e14016214 tests: Include the filename in the test output
Also some minor consistency cleanups.
2020-10-14 11:16:39 +01:00
Richard Hansen
50e402193b tests: waitForPromise() test improvements
* Avoid a false positive if a Promise that is expected to reject
    doesn't reject.
  * Use modern JavaScript language features: arrow functions,
    `const`/`let` instead of `var`.
  * Remove the tests that test Promise behavior.
  * Add new test that checks that it returns a Promise.
2020-10-14 10:38:52 +01:00
webzwo0i
a3f062af96 tests: add waitForPromise method and test for it 2020-10-14 10:38:52 +01:00
webzwo0i
86c0648ede tests: don't force a callback in it, so we can use async in tests 2020-10-14 10:38:52 +01:00
Richard Hansen
c222fc5d0b tests: Change waitFor() to check before first sleep
There are a few problems with sleeping before checking the condition
for the first time:

  * It slows down tests.
  * The predicate is never checked if the interval duration is greater
    than the timeout.
  * 0 can't be used to test if the condition is currently true.

There is a minor disadvantage to sleeping before checking: It will
cause more tests to run without an asynchronous interruption, which
could theoretically mask some async bugs.
2020-10-14 10:38:52 +01:00
Richard Hansen
8016bd225f tests: Teach waitFor() to reject if the predicate throws 2020-10-14 10:38:52 +01:00
Richard Hansen
262eb9af60 tests: Use default arguments for helper.waitFor
Now `helper.waitFor(fn, 0)` times out immediately (as expected in
tests) instead of waiting 1900ms.
2020-10-14 10:38:52 +01:00
Richard Hansen
16b0768a93 tests: Fix unchainable helper.waitFor().fail()
The `helper.waitFor()` function returns a jQuery Deferred object.
Deferred objects are supposed to have a `.fail()` method that is
chainable (it should return `this`). Before this change,
`helper.waitFor()` monkey-patched the `.fail()` method with a function
that returned `undefined`. Now the monkey-patched `.fail()` returns
the Deferred object.

Also modernize the code a bit.
2020-10-14 10:38:52 +01:00
Richard Hansen
048bd0f50d tests: Simplify API key reading
Also delete unused imports.
2020-10-08 22:50:18 +01:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
John McLear
92d4b8b649
tests: re-enable docker tests in travis (#4395)
Thanks to node10 having better support we can re-enable these tests.
2020-10-06 14:21:09 +01:00
Richard Hansen
c74b254334 tests: Disable non-test logging unless level <= DEBUG
This makes it easier to see the test results, and it hides some
scary-looking but intentional error messages.

This code will likely have to be updated if/when we change the logging
library (see issue #1922).
2020-10-06 09:19:58 +01:00
Richard Hansen
a8cf434d1d import: Replace the allowAnyoneToImport check with userCanModify
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen
831528e8bc import: Allow import if pad does not yet exist 2020-10-05 18:48:16 +01:00
Richard Hansen
9a6f286441 tests: Always run the import unsupported file type test 2020-10-05 18:48:16 +01:00
Richard Hansen
2f17849b7b tests: Switch import/export tests to self-contained server
This makes it possible to test various settings combinations and
examine internal state to confirm correct behavior. Also, the user
doesn't need to start an Etherpad server before running these tests.
2020-10-05 18:48:16 +01:00
Richard Hansen
32b6d8e37f tests: Factor out common server setup/teardown 2020-10-05 18:48:16 +01:00
Richard Hansen
f7953ece85 socketio: Delete redundant authentication check
There's no need to perform an authentication check in the socket.io
middleware because `PadMessageHandler.handleMessage` calls
`SecurityMananger.checkAccess` and that now performs authentication
and authorization checks.

This change also improves the user experience: Before, access denials
caused socket.io error events in the client, which `pad.js` mostly
ignores (the user doesn't see anything). Now a deny message is sent
back to the client, which causes `pad.js` to display an obvious
permission denied message.

This also fixes a minor bug: `settings.loadTest` is supposed to bypass
authentication and authorization checks, but they weren't bypassed
because `SecurityManager.checkAccess` did not check
`settings.loadTest`.
2020-10-05 18:12:04 +01:00
webzwo0i
ceb09ce99a
security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)
Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies.  This change allows Etherpad to use a client IP passed from a reverse proxy.

Note to devs: This header can be spoofed and spoofing the header could be used in an attack.  To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.*  This only really applies to large scale deployments but it's worth noting.
2020-10-01 10:39:01 +01:00
Richard Hansen
bf9d613e95
feature: New user-specific readOnly and canCreate settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
John McLear
8919608d45 tests: disable a version of safari for now as its too buggy on sauce labs 2020-09-27 23:13:29 +01:00
Richard Hansen
180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
John McLear
505d67ed1c allowing longer for FF to do timeslider rev test 2020-09-27 21:44:43 +01:00
Richard Hansen
304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
John McLear
a51132d712
tests: test coverage for read only pad ids (#4364) 2020-09-27 19:12:11 +01:00
John McLear
53b80d6280
tests: adding a check before finishing responsiveness test - allowing load test to run for 25 instead of 30 seconds to facilitate travis performance. (#4363)
The goal of this PR is to make tests break less frequently.  It is yet confirmed if this has worked but time will tell.
2020-09-27 15:13:55 +01:00
John McLear
ea4b9bf7d7
tests: support even slower safari (#4361) 2020-09-26 21:57:21 +01:00
Richard Hansen
9f63d9b76a tests: Check for true/false, not truthiness 2020-09-26 21:40:19 +01:00
Richard Hansen
c18831c333 tests: Fix typo (publicstatus -> publicStatus) 2020-09-26 21:40:19 +01:00
Richard Hansen
e01e575c86 tests: Use async/await instead of callbacks, use assert 2020-09-26 21:40:19 +01:00
Richard Hansen
24345bf9a8 tests: Group session and group tests to improve readability 2020-09-26 21:40:19 +01:00
Richard Hansen
4527254bcc tests: Use let and const instead of var 2020-09-26 21:40:19 +01:00
Richard Hansen
e88c532172 tests: Delete unused variable 2020-09-26 21:40:19 +01:00
Richard Hansen
ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen
02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen
72ed1816ec security: Fix authz check for pad names with encoded characters
Also:
  * Minor test cleanups (`function` instead of arrow functions, etc.).
  * Add a test for a case that was previously not covered.
2020-09-26 10:47:27 +01:00
Richard Hansen
23131a501c tests: Rewrite import/export tests to use async and supertest 2020-09-26 10:46:16 +01:00
Richard Hansen
54c999fe83 tests: Factor out common skip checks 2020-09-26 10:46:16 +01:00