def test_is_trusted(self, configured_ips, user_ip, expected_result): validator = TrustedIpValidator(configured_ips) trusted = validator.is_trusted(user_ip) self.assertEqual( expected_result, trusted, user_ip + ' is trusted=' + str(trusted) + ' but should be ' + str(expected_result) + ' for ' + str(configured_ips))
def test_change_to_untrusted(self): request_handler = mock_request_handler(ip='192.168.21.13') trusted_identification = IpBasedIdentification(TrustedIpValidator(['192.168.21.13']), None) old_id = trusted_identification.identify(request_handler) new_id = IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler) self.assertNotEqual(old_id, new_id) self.assertNotEqual(new_id, '192.168.21.13') self.assertIsNotNone(request_handler.get_cookie(COOKIE_KEY))
def test_proxied_ip_behind_untrusted(self): identification = IpBasedIdentification(TrustedIpValidator([]), None) request_handler = mock_request_handler(ip='127.0.0.1', x_forwarded_for='192.168.21.13') id = identification.identify(request_handler) self.assertNotEqual('192.168.21.13', id) self.assertNotEqual('127.0.0.1', id)
def test_ip_untrusted_identification_same_connection(self): identification = IpBasedIdentification(TrustedIpValidator([]), None) request_handler = mock_request_handler(ip='192.168.21.13') id1 = identification.identify(request_handler) id2 = identification.identify(request_handler) self.assertEqual(id1, id2)
def test_ip_untrusted_identification_for_different_connections(self): identification = IpBasedIdentification(TrustedIpValidator([]), None) ids = set() for _ in range(0, 100): ids.add(identification.identify(mock_request_handler(ip='192.168.21.13'))) self.assertEqual(100, len(ids))
def test_broken_token_structure(self): request_handler = mock_request_handler(ip='192.168.21.13') request_handler.set_secure_cookie(COOKIE_KEY, 'something') IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler) new_token = request_handler.get_cookie(COOKIE_KEY) self.assertNotEqual(new_token, 'something')
def test_old_token_timestamp(self): request_handler = mock_request_handler(ip='192.168.21.13') request_handler.set_secure_cookie(COOKIE_KEY, 'something&100000') id = IpBasedIdentification(TrustedIpValidator([]), None).identify(request_handler) new_token = request_handler.get_cookie(COOKIE_KEY) self.assertNotEqual('something', id) self.assertNotEqual(new_token, 'something&100000')
def test_no_cookie_change_for_same_user(self): request_handler = mock_request_handler(ip='192.168.21.13') identification = IpBasedIdentification(TrustedIpValidator([]), None) identification.identify(request_handler) cookie1 = request_handler.get_cookie(COOKIE_KEY) identification.identify(request_handler) cookie2 = request_handler.get_cookie(COOKIE_KEY) self.assertEqual(cookie1, cookie2)
def setUp(self): super().setUp() self.socket = None application = tornado.web.Application( [(r'/scripts/([^/]*)', ScriptConfigSocket)], login_url='/login.html', cookie_secret='12345') application.auth = TornadoAuth(None) application.authorizer = Authorizer(ANY_USER, [], [], EmptyGroupProvider()) application.identification = IpBasedIdentification( TrustedIpValidator(['127.0.0.1']), None) application.config_service = ConfigService(application.authorizer, test_utils.temp_folder) server = httpserver.HTTPServer(application) socket, self.port = testing.bind_unused_port() server.add_socket(socket) test_utils.setup() for dir in ['x', 'y', 'z']: for file in range(1, 4): filename = dir + str(file) + '.txt' test_utils.create_file( os.path.join('test1_files', dir, filename)) test1_files_path = os.path.join(test_utils.temp_folder, 'test1_files') test_utils.write_script_config( { 'name': 'Test script 1', 'script_path': 'ls', 'parameters': [ test_utils.create_script_param_config('text 1', required=True), test_utils.create_script_param_config( 'list 1', type='list', allowed_values=['A', 'B', 'C']), test_utils.create_script_param_config( 'file 1', type='server_file', file_dir=test1_files_path), test_utils.create_script_param_config( 'list 2', type='list', values_script='ls ' + test1_files_path + '/${file 1}') ] }, 'test_script_1')
def test_refresh_old_cookie_with_same_id(self): request_handler = mock_request_handler(ip='192.168.21.13') identification = IpBasedIdentification(TrustedIpValidator([]), None) id = '1234567' token_expiry = str(date_utils.get_current_millis() + date_utils.days_to_ms(2)) old_token = id + '&' + token_expiry request_handler.set_secure_cookie(COOKIE_KEY, old_token) new_id = identification.identify(request_handler) new_token = request_handler.get_cookie(COOKIE_KEY) self.assertEqual(new_id, id) self.assertNotEqual(old_token, new_token)
def mock_request_handler(ip=None, x_forwarded_for=None, x_real_ip=None, saved_token=None, user_header_name=None, user_header_name_value=None): handler_mock = mock_object() handler_mock.application = mock_object() handler_mock.application.auth = TornadoAuth(None) handler_mock.application.identification = IpBasedIdentification(TrustedIpValidator(['127.0.0.1']), user_header_name) handler_mock.request = mock_object() handler_mock.request.headers = {} handler_mock.request.remote_ip = ip if x_forwarded_for: handler_mock.request.headers['X-Forwarded-For'] = x_forwarded_for if x_real_ip: handler_mock.request.headers['X-Real-IP'] = x_real_ip if user_header_name and user_header_name_value: handler_mock.request.headers[user_header_name] = user_header_name_value cookies = {COOKIE_KEY: saved_token} def get_secure_cookie(name): values = cookies[name] if values is not None: return values.encode('utf8') return None def set_secure_cookie(key, value, expires_days=30): cookies[key] = value def clear_cookie(key): if cookies[key] is not None: cookies[key] = None handler_mock.get_cookie = lambda key: cookies[key] handler_mock.get_secure_cookie = get_secure_cookie handler_mock.set_secure_cookie = set_secure_cookie handler_mock.clear_cookie = clear_cookie return handler_mock
def __init__(self) -> None: self.address = None self.port = None self.ssl = False self.ssl_key_path = None self.ssl_cert_path = None self.authenticator = None self.allowed_users = None self.alerts_config = None self.logging_config = None self.admin_config = None self.title = None self.enable_script_titles = None self.ip_validator = TrustedIpValidator([]) self.user_groups = None self.admin_users = [] self.full_history_users = [] self.max_request_size_mb = None self.callbacks_config = None self.user_header_name = None self.secret_storage_file = None
def from_json(conf_path, temp_folder): if os.path.exists(conf_path): file_content = file_utils.read_file(conf_path) else: file_content = "{}" config = ServerConfig() json_object = json.loads(file_content) address = "0.0.0.0" port = 5000 ssl = json_object.get("ssl") if ssl is not None: key_path = model_helper.read_obligatory(ssl, 'key_path', ' for ssl') cert_path = model_helper.read_obligatory(ssl, 'cert_path', ' for ssl') config.ssl = True config.ssl_key_path = key_path config.ssl_cert_path = cert_path port = 5443 if json_object.get("address"): address = json_object.get("address") config.address = address if json_object.get("port"): port = json_object.get("port") config.port = port if json_object.get('title'): config.title = json_object.get('title') config.enable_script_titles = read_bool_from_config('enable_script_titles', json_object, default=True) access_config = json_object.get('access') if access_config: allowed_users = access_config.get('allowed_users') user_groups = model_helper.read_dict(access_config, 'groups') user_header_name = access_config.get('user_header_name') else: allowed_users = None user_groups = {} user_header_name = None auth_config = json_object.get('auth') if auth_config: config.authenticator = create_authenticator(auth_config, temp_folder) auth_type = config.authenticator.auth_type if auth_type == 'google_oauth' and allowed_users is None: raise Exception('access.allowed_users field is mandatory for ' + auth_type) def_trusted_ips = [] def_admins = [] else: def_trusted_ips = ['127.0.0.1', '::1'] def_admins = def_trusted_ips if access_config: trusted_ips = strip( read_list(access_config, 'trusted_ips', default=def_trusted_ips)) admin_users = _parse_admin_users(access_config, default_admins=def_admins) full_history_users = _parse_history_users(access_config) code_editor_users = _parse_code_editor_users(access_config, admin_users) else: trusted_ips = def_trusted_ips admin_users = def_admins full_history_users = [] code_editor_users = def_admins security = model_helper.read_dict(json_object, 'security') config.allowed_users = _prepare_allowed_users(allowed_users, admin_users, user_groups) config.alerts_config = json_object.get('alerts') config.callbacks_config = json_object.get('callbacks') config.logging_config = parse_logging_config(json_object) config.user_groups = user_groups config.admin_users = admin_users config.full_history_users = full_history_users config.code_editor_users = code_editor_users config.user_header_name = user_header_name config.ip_validator = TrustedIpValidator(trusted_ips) config.max_request_size_mb = read_int_from_config('max_request_size', json_object, default=10) config.secret_storage_file = json_object.get( 'secret_storage_file', os.path.join(temp_folder, 'secret.dat')) config.xsrf_protection = _parse_xsrf_protection(security) return config
def test_ip_untrusted_identification(self): identification = IpBasedIdentification(TrustedIpValidator([]), None) id = identification.identify(mock_request_handler(ip='192.168.21.13')) self.assertNotEqual('192.168.21.13', id)
def test_localhost_ip_trusted_identification(self): identification = IpBasedIdentification(TrustedIpValidator(['127.0.0.1']), None) id = identification.identify(mock_request_handler(ip='127.0.0.1')) self.assertEqual('127.0.0.1', id)