More security tests
fonsp committed Oct 27, 2023
1 parent 3e46cc1 commit 292c881
Showing 1 changed file with 49 additions and 7 deletions.
56 changes: 49 additions & 7 deletions test/Configuration.jl
Expand Up @@ -71,8 +71,8 @@ end
local_url(suffix) = "http://$host:$port/$suffix"
withsecret(url) = occursin('?', url) ? "$url&secret=$secret" : "$url?secret=$secret"

function request(url, method)
HTTP.request(method, url, nothing, method == "POST" ? read(basic_nb_path) : UInt8[]; status_exception=false, redirect=false)
function request(url, method; kwargs...)
HTTP.request(method, url, nothing, method == "POST" ? read(basic_nb_path) : UInt8[]; status_exception=false, redirect=false, cookies=false, kwargs...)
end

function shares_secret(response)
Expand Down Expand Up @@ -140,7 +140,7 @@ end
("notebookupload?execution_allowed=asdf", "POST"),
]

@testset "simple w/o auth $suffix $method" for (suffix, method) in simple_routes βˆͺ effect_routes
@testset "simple & effect w/o auth $suffix $method" for (suffix, method) in simple_routes βˆͺ effect_routes
url = local_url(suffix)
r = request(url, method)
@test r.status == 403
Expand All @@ -150,12 +150,54 @@ end
# no notebooks were opened
@test length(🍭.notebooks) == 1

@test shares_secret(request(local_url(""), "GET"))
@testset "require secret only for open links" begin
@test !shares_secret(request(local_url(""), "GET"))
jar = HTTP.Cookies.CookieJar()

# Let's test the config
# require_secret_for_access = false
# require_secret_for_open_links = true
🍭.options.security.require_secret_for_access = false

# Effectful paths should not work without a secret.
@testset "simple & effect w/o auth 1 $suffix $method" for (suffix, method) in effect_routes
url = local_url(suffix)
r = request(url, method; cookies=true, jar)
@test r.status == 403
@test !shares_secret(r)
end

# With this config, the / path should work and share the secret, even when requested without a secret.
r = request(local_url(""), "GET"; cookies=true, jar)
@test r.status == 200
@test shares_secret(r)

# Now, the other effectful paths should work bc of the secret.
@testset "simple w/o auth 2 $suffix $method" for (suffix, method) in simple_routes
url = local_url(suffix)
r = request(url, method; cookies=true, jar)
@test r.status ∈ 200:299 # 2xx is OK
@test shares_secret(r)
end

🍭.options.security.require_secret_for_access = true
end

jar = HTTP.Cookies.CookieJar()

@test shares_secret(request(local_url("") |> withsecret, "GET"; cookies=true, jar))


@testset "simple w/ auth $suffix $method" for (suffix, method) in simple_routes
url = local_url(suffix) |> withsecret
r = request(url, method)
@test r.status ∈ 200:299
# should work because of cookie
url = local_url(suffix)
r = request(url, method; cookies=true, jar)
@test r.status ∈ 200:299 # 2xx is OK
@test shares_secret(r) # see reasoning in of https://github.com/fonsp/Pluto.jl/commit/20515dd46678a49ca90e042fcfa3eab1e5c8e162

# Without cookies, but with secret in URL
r = request(url |> withsecret, method)
@test r.status ∈ 200:299 # 2xx is OK
@test shares_secret(r)
end

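Review bot: The `require_secret_for_access = false` switch is only undone by the plain assignment at the end of the "require secret only for open links" testset, so if anything in between throws (a refused connection, a failing `read(basic_nb_path)`), Julia records the error on that testset and carries on with the server still in the permissive mode, which lets every later request-based test in this file pass for the wrong reason; wrap the body as `🍭.options.security.require_secret_for_access = false; try … finally 🍭.options.security.require_secret_for_access = true end` so the restore is unconditional. Separately, the comment "Now, the other effectful paths should work bc of the secret" sits above a loop over `simple_routes`, and the sibling testset names ("simple & effect w/o auth 1" over `effect_routes`, "simple w/o auth 2" over `simple_routes`) are likewise swapped relative to what they iterate; either the comment and names should say `simple_routes`, or, if the intent is to show the cookie obtained from `/` also authorizes state-changing routes, the loop should cover `effect_routes` as well, which as far as I can tell is not exercised positively anywhere in this hunk. The enclosing testset begins before this hunk, so I cannot see whether an outer guard already restores the option.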
