def test_is_trusted(self, configured_ips, user_ip, expected_result):
validator = TrustedIpValidator(configured_ips)
trusted = validator.is_trusted(user_ip)
self.assertEqual(
expected_result, trusted,
user_ip + ' is trusted=' + str(trusted) + ' but should be ' +
str(expected_result) + ' for ' + str(configured_ips))
def test_change_to_untrusted(self):
request_handler = mock_request_handler(ip='192.168.21.13')
trusted_identification = IpBasedIdentification(TrustedIpValidator(['192.168.21.13']), None)
old_id = trusted_identification.identify(request_handler)
new_id = IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler)
self.assertNotEqual(old_id, new_id)
self.assertNotEqual(new_id, '192.168.21.13')
self.assertIsNotNone(request_handler.get_cookie(COOKIE_KEY))
def test_proxied_ip_behind_untrusted(self):
identification = IpBasedIdentification(TrustedIpValidator([]), None)
request_handler = mock_request_handler(ip='127.0.0.1', x_forwarded_for='192.168.21.13')
id = identification.identify(request_handler)
self.assertNotEqual('192.168.21.13', id)
self.assertNotEqual('127.0.0.1', id)
def test_ip_untrusted_identification_same_connection(self):
identification = IpBasedIdentification(TrustedIpValidator([]), None)
request_handler = mock_request_handler(ip='192.168.21.13')
id1 = identification.identify(request_handler)
id2 = identification.identify(request_handler)
self.assertEqual(id1, id2)
def test_ip_untrusted_identification_for_different_connections(self):
identification = IpBasedIdentification(TrustedIpValidator([]), None)
ids = set()
for _ in range(0, 100):
ids.add(identification.identify(mock_request_handler(ip='192.168.21.13')))
self.assertEqual(100, len(ids))
def test_broken_token_structure(self):
request_handler = mock_request_handler(ip='192.168.21.13')
request_handler.set_secure_cookie(COOKIE_KEY, 'something')
IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler)
new_token = request_handler.get_cookie(COOKIE_KEY)
self.assertNotEqual(new_token, 'something')
def test_old_token_timestamp(self):
request_handler = mock_request_handler(ip='192.168.21.13')
request_handler.set_secure_cookie(COOKIE_KEY, 'something&100000')
id = IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler)
new_token = request_handler.get_cookie(COOKIE_KEY)
self.assertNotEqual('something', id)
self.assertNotEqual(new_token, 'something&100000')
def test_no_cookie_change_for_same_user(self):
request_handler = mock_request_handler(ip='192.168.21.13')
identification = IpBasedIdentification(TrustedIpValidator([]), None)
identification.identify(request_handler)
cookie1 = request_handler.get_cookie(COOKIE_KEY)
identification.identify(request_handler)
cookie2 = request_handler.get_cookie(COOKIE_KEY)
self.assertEqual(cookie1, cookie2)
def setUp(self):
super().setUp()
self.socket = None
application = tornado.web.Application(
[(r'/scripts/([^/]*)', ScriptConfigSocket)],
login_url='/login.html',
cookie_secret='12345')
application.auth = TornadoAuth(None)
application.authorizer = Authorizer(ANY_USER, [], [],
EmptyGroupProvider())
application.identification = IpBasedIdentification(
TrustedIpValidator(['127.0.0.1']), None)
application.config_service = ConfigService(application.authorizer,
test_utils.temp_folder)
server = httpserver.HTTPServer(application)
socket, self.port = testing.bind_unused_port()
server.add_socket(socket)
test_utils.setup()
for dir in ['x', 'y', 'z']:
for file in range(1, 4):
filename = dir + str(file) + '.txt'
test_utils.create_file(
os.path.join('test1_files', dir, filename))
test1_files_path = os.path.join(test_utils.temp_folder, 'test1_files')
test_utils.write_script_config(
{
'name':
'Test script 1',
'script_path':
'ls',
'parameters': [
test_utils.create_script_param_config('text 1',
required=True),
test_utils.create_script_param_config(
'list 1', type='list', allowed_values=['A', 'B', 'C']),
test_utils.create_script_param_config(
'file 1',
type='server_file',
file_dir=test1_files_path),
test_utils.create_script_param_config(
'list 2',
type='list',
values_script='ls ' + test1_files_path + '/${file 1}')
]
}, 'test_script_1')
def test_refresh_old_cookie_with_same_id(self):
request_handler = mock_request_handler(ip='192.168.21.13')
identification = IpBasedIdentification(TrustedIpValidator([]), None)
id = '1234567'
token_expiry = str(date_utils.get_current_millis() + date_utils.days_to_ms(2))
old_token = id + '&' + token_expiry
request_handler.set_secure_cookie(COOKIE_KEY, old_token)
new_id = identification.identify(request_handler)
new_token = request_handler.get_cookie(COOKIE_KEY)
self.assertEqual(new_id, id)
self.assertNotEqual(old_token, new_token)
def mock_request_handler(ip=None, x_forwarded_for=None, x_real_ip=None, saved_token=None, user_header_name=None, user_header_name_value=None):
handler_mock = mock_object()
handler_mock.application = mock_object()
handler_mock.application.auth = TornadoAuth(None)
handler_mock.application.identification = IpBasedIdentification(TrustedIpValidator(['127.0.0.1']), user_header_name)
handler_mock.request = mock_object()
handler_mock.request.headers = {}
handler_mock.request.remote_ip = ip
if x_forwarded_for:
handler_mock.request.headers['X-Forwarded-For'] = x_forwarded_for
if x_real_ip:
handler_mock.request.headers['X-Real-IP'] = x_real_ip
if user_header_name and user_header_name_value:
handler_mock.request.headers[user_header_name] = user_header_name_value
cookies = {COOKIE_KEY: saved_token}
def get_secure_cookie(name):
values = cookies[name]
if values is not None:
return values.encode('utf8')
return None
def set_secure_cookie(key, value, expires_days=30):
cookies[key] = value
def clear_cookie(key):
if cookies[key] is not None:
cookies[key] = None
handler_mock.get_cookie = lambda key: cookies[key]
handler_mock.get_secure_cookie = get_secure_cookie
handler_mock.set_secure_cookie = set_secure_cookie
handler_mock.clear_cookie = clear_cookie
return handler_mock
def __init__(self) -> None:
self.address = None
self.port = None
self.ssl = False
self.ssl_key_path = None
self.ssl_cert_path = None
self.authenticator = None
self.allowed_users = None
self.alerts_config = None
self.logging_config = None
self.admin_config = None
self.title = None
self.enable_script_titles = None
self.ip_validator = TrustedIpValidator([])
self.user_groups = None
self.admin_users = []
self.full_history_users = []
self.max_request_size_mb = None
self.callbacks_config = None
self.user_header_name = None
self.secret_storage_file = None
def from_json(conf_path, temp_folder):
if os.path.exists(conf_path):
file_content = file_utils.read_file(conf_path)
else:
file_content = "{}"
config = ServerConfig()
json_object = json.loads(file_content)
address = "0.0.0.0"
port = 5000
ssl = json_object.get("ssl")
if ssl is not None:
key_path = model_helper.read_obligatory(ssl, 'key_path', ' for ssl')
cert_path = model_helper.read_obligatory(ssl, 'cert_path', ' for ssl')
config.ssl = True
config.ssl_key_path = key_path
config.ssl_cert_path = cert_path
port = 5443
if json_object.get("address"):
address = json_object.get("address")
config.address = address
if json_object.get("port"):
port = json_object.get("port")
config.port = port
if json_object.get('title'):
config.title = json_object.get('title')
config.enable_script_titles = read_bool_from_config('enable_script_titles',
json_object,
default=True)
access_config = json_object.get('access')
if access_config:
allowed_users = access_config.get('allowed_users')
user_groups = model_helper.read_dict(access_config, 'groups')
user_header_name = access_config.get('user_header_name')
else:
allowed_users = None
user_groups = {}
user_header_name = None
auth_config = json_object.get('auth')
if auth_config:
config.authenticator = create_authenticator(auth_config, temp_folder)
auth_type = config.authenticator.auth_type
if auth_type == 'google_oauth' and allowed_users is None:
raise Exception('access.allowed_users field is mandatory for ' +
auth_type)
def_trusted_ips = []
def_admins = []
else:
def_trusted_ips = ['127.0.0.1', '::1']
def_admins = def_trusted_ips
if access_config:
trusted_ips = strip(
read_list(access_config, 'trusted_ips', default=def_trusted_ips))
admin_users = _parse_admin_users(access_config,
default_admins=def_admins)
full_history_users = _parse_history_users(access_config)
code_editor_users = _parse_code_editor_users(access_config,
admin_users)
else:
trusted_ips = def_trusted_ips
admin_users = def_admins
full_history_users = []
code_editor_users = def_admins
security = model_helper.read_dict(json_object, 'security')
config.allowed_users = _prepare_allowed_users(allowed_users, admin_users,
user_groups)
config.alerts_config = json_object.get('alerts')
config.callbacks_config = json_object.get('callbacks')
config.logging_config = parse_logging_config(json_object)
config.user_groups = user_groups
config.admin_users = admin_users
config.full_history_users = full_history_users
config.code_editor_users = code_editor_users
config.user_header_name = user_header_name
config.ip_validator = TrustedIpValidator(trusted_ips)
config.max_request_size_mb = read_int_from_config('max_request_size',
json_object,
default=10)
config.secret_storage_file = json_object.get(
'secret_storage_file', os.path.join(temp_folder, 'secret.dat'))
config.xsrf_protection = _parse_xsrf_protection(security)
return config
def test_ip_untrusted_identification(self):
identification = IpBasedIdentification(TrustedIpValidator([]), None)
id = identification.identify(mock_request_handler(ip='192.168.21.13'))
self.assertNotEqual('192.168.21.13', id)
def test_localhost_ip_trusted_identification(self):
identification = IpBasedIdentification(TrustedIpValidator(['127.0.0.1']), None)
id = identification.identify(mock_request_handler(ip='127.0.0.1'))
self.assertEqual('127.0.0.1', id)
