Commit Graph

133 Commits (3227-tests)

Author SHA1 Message Date
John McLear 4682460b00 Merge branch 'develop' of github.com:ether/etherpad-lite into 3227-tests 2021-02-02 22:51:03 +00:00
Richard Hansen 05e0e8dbf7 hooks: New `callAllSerial()` function
This is necessary to migrate away from `callAll()` (which only
supports synchronous hook functions).
2021-02-02 09:09:02 +00:00
Richard Hansen ba0544ea9e hooks: Add unit tests for `callFirst()`, `aCallFirst()` 2021-02-02 09:09:02 +00:00
Richard Hansen ba02e70020 tests: Make the fake webaccess hook registrations look more real
The additional properties will be needed once `aCallAll()` is upgraded
to use `callHookFnAsync()`.
2021-02-02 09:09:02 +00:00
Richard Hansen 47f0a7dacf lint: Fix more ESLint errors 2021-02-02 09:09:02 +00:00
Richard Hansen ecdb105bfe server: Refine process lifetime management
Define states and use them to properly handle multiple calls to
`start()`, `stop()`, and `exit()`. (Multiple calls to `exit()` can
happen if there is an uncaught exception or signal during shutdown.)

This should also make it easier to add support for cleanly restarting
the server after a shutdown (for tests or via an `/admin` page).
2021-01-30 08:05:08 +00:00
Richard Hansen 56f617060a tests: Fix missing call to `done` callback 2021-01-27 04:59:36 +00:00
Richard Hansen b164f9b431 tests: Replace "expected" with "want", "received" with "got"
"Got" and "want" are common terms for testing, plus this fixes a
spelling mistake ("received" was misspelled as "recieved").
2021-01-27 04:59:36 +00:00
Richard Hansen fc69ae78aa tests: Use `assert.deepEqual()` to simplify equality checks 2021-01-27 04:59:36 +00:00
Richard Hansen dd815892f2 tests: Delete erroneous `describe()` calls
`describe()` is meant to be used by independent tests, but the tests
in this file are not independent. Add a higher-level `describe()` call
and delete all of the `describe()` calls that wrap a single test.
2021-01-27 04:59:36 +00:00
Richard Hansen 32a0df4883 tests: Fix invalid HTML in contentcollector tests
The HTML spec does not permit `<pre>` as a child of `<p>`.
2021-01-27 04:59:36 +00:00
Richard Hansen 53160f4a21 tests: Delete invalid contentcollector test
The HTML spec doesn't allow `<ul>` to be a child of `<ol>` (it must be
a child of `<li>` instead).
2021-01-27 04:59:36 +00:00
Richard Hansen 906b2624ed tests: Re-enable import/export test that is now working 2021-01-27 04:59:36 +00:00
Richard Hansen 54a3dbb9a0 lint: Fix some straightforward ESLint errors 2021-01-27 04:59:36 +00:00
John McLear 44c2bc040c lint: tests/backend/specs/api/tidy.js 2021-01-25 22:53:11 -05:00
Richard Hansen 610326b496 lint: tests/backend/specs/api/importexportGetPost.js 2021-01-25 22:53:11 -05:00
John McLear e9bf5509ff test coverage for 3227 2021-01-22 22:49:48 +00:00
John McLear f0a77cb98c
lint: contentcollector and domline
Various tidy up and linting of contentcollector.js and domline.js.

3 Tests disabled which are not due to be covered.

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-01-22 20:41:14 +00:00
Richard Hansen ff19181cd1 lint: Fix some straightforward ESLint errors 2020-12-23 16:18:28 -05:00
Richard Hansen d34a70c940 Delete merge conflict marker
This fixes a bug introduced in commit
040057239e.
2020-12-20 18:32:30 -05:00
webzwo0i 040057239e
tests for spaces (#4594) 2020-12-20 06:18:19 +00:00
webzwo0i a637920e55
add list-style:none for ul.indents in exported HTML (#4586)
* add list-style:none for ul.indents in exported HTML

* use list-style-type not list-style
2020-12-20 06:00:18 +00:00
webzwo0i c5cf7ab144
tests: Ignore head tag on import / improved contentcollector tests
* fix accidental write to global variable
properly show pending tests
log test name in suite
better log output for received/expected strings

* cc tests: enable second nestedOL test

* ignore the head tag on import
2020-12-18 09:37:37 +00:00
webzwo0i 5673a76b38 cc tests: enable second nestedOL test 2020-12-18 09:30:18 +00:00
webzwo0i c989a8e279 fix accidental write to global variable
properly show pending tests
log test name in suite
better log output for received/expected strings
2020-12-18 09:30:18 +00:00
Richard Hansen b8d07a42eb lint: Run `eslint --fix` on `bin/` and `tests/` 2020-11-24 20:06:12 +00:00
Richard Hansen 7df3ded66f lint: Put opening brace on same line as `function`
Normally I would let `eslint --fix` do this for me, but there's a bug
that causes:

    const x = function ()
    {
      // ...
    };

to become:

    const x = ()
    => {
      // ...
    };

which ESLint thinks is a syntax error. (It probably is; I don't know
enough about the automatic semicolon insertion rules to be confident.)
2020-11-24 20:06:12 +00:00
Richard Hansen cc988bd67b lint: Convert CR+LF line endings to LF 2020-11-24 20:06:12 +00:00
webzwo0i f2febcfc7e
minify: Fix gzip not triggered for packages (#4491)
* caching_middleware: fix gzip compression not triggered

* packages: If a client sets `Accept-Encoding: gzip`, the responseCache will
include `Content-Encoding: gzip` in all future responses, even
if a subsequent request does not set `Accept-Encoding` or another client
requests the file without setting `Accept-Encoding`.
Fix that.

* caching_middleware: use `test` instead of `match`

* add tests

* make code easier to understand

* make the regex more clear
2020-11-22 09:23:33 +00:00
Richard Hansen a05e8198c9
bugfix: Fix bad paren placement in `/javascript` handler (#4496)
* Fix bad paren placement in `/javascript` handler

This fixes a bug introduced in commit
ed5a635f4c.

* add regression test for #4495

* Move `/javascript` test to `specialpages.js`

Co-authored-by: webzwo0i <webzwo0i@c3d2.de>
2020-11-19 08:19:13 +00:00
Richard Hansen d624aa936e plugins: Fix plugin name in error messages 2020-11-13 20:30:27 +00:00
Richard Hansen 6408d2313c webaccess: Be extra paranoid about nullish password
If `settings.json` contains a user without a `password` property then
nobody should be able to log in as that user using the built-in HTTP
basic authentication. This is true both with and without this change,
but before this change it wasn't immediately obvious that a malicious
user couldn't use an empty or null password to log in as such a user.
This commit adds an explicit nullish check and some unit tests to
ensure that an empty or null password will not work if the `password`
property is null or undefined.
2020-11-04 18:06:08 +00:00
Richard Hansen b41d9762fa tests: Clear auth hooks before running import/export unit tests
Also fix some ESLint complaints.
2020-10-29 19:06:24 -04:00
Richard Hansen 03d8882383 tests: Clear auth hooks before running socket.io unit tests 2020-10-29 18:53:10 -04:00
Richard Hansen 4829bb8962 tests: Delete unnecessary `describe()` wrapper 2020-10-29 18:53:10 -04:00
Richard Hansen dbe9151d89 tests: Clear hooks before running webaccess tests
Also factor out common test setup code.
2020-10-29 15:33:05 -04:00
Richard Hansen 36aceb3aba hooks: Rewrite `callAll` and `aCallAll` for consistency
Rewrite the `callAll` and `aCallAll` functions to support all
reasonable hook behaviors and to report errors for unreasonable
behaviors (e.g., calling the callback twice).

Now a hook function like the following works as expected when invoked
by `aCallAll`:

```
exports.myHookFn = (hookName, context, cb) => {
  cb('some value');
  return;
};
```
2020-10-24 16:08:50 +01:00
Richard Hansen 3e14016214 tests: Include the filename in the test output
Also some minor consistency cleanups.
2020-10-14 11:16:39 +01:00
Richard Hansen 048bd0f50d tests: Simplify API key reading
Also delete unused imports.
2020-10-08 22:50:18 +01:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen c74b254334 tests: Disable non-test logging unless level <= DEBUG
This makes it easier to see the test results, and it hides some
scary-looking but intentional error messages.

This code will likely have to be updated if/when we change the logging
library (see issue #1922).
2020-10-06 09:19:58 +01:00
Richard Hansen a8cf434d1d import: Replace the `allowAnyoneToImport` check with `userCanModify`
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen 831528e8bc import: Allow import if pad does not yet exist 2020-10-05 18:48:16 +01:00
Richard Hansen 9a6f286441 tests: Always run the import unsupported file type test 2020-10-05 18:48:16 +01:00
Richard Hansen 2f17849b7b tests: Switch import/export tests to self-contained server
This makes it possible to test various settings combinations and
examine internal state to confirm correct behavior. Also, the user
doesn't need to start an Etherpad server before running these tests.
2020-10-05 18:48:16 +01:00
Richard Hansen 32b6d8e37f tests: Factor out common server setup/teardown 2020-10-05 18:48:16 +01:00
Richard Hansen f7953ece85 socketio: Delete redundant authentication check
There's no need to perform an authentication check in the socket.io
middleware because `PadMessageHandler.handleMessage` calls
`SecurityMananger.checkAccess` and that now performs authentication
and authorization checks.

This change also improves the user experience: Before, access denials
caused socket.io error events in the client, which `pad.js` mostly
ignores (the user doesn't see anything). Now a deny message is sent
back to the client, which causes `pad.js` to display an obvious
permission denied message.

This also fixes a minor bug: `settings.loadTest` is supposed to bypass
authentication and authorization checks, but they weren't bypassed
because `SecurityManager.checkAccess` did not check
`settings.loadTest`.
2020-10-05 18:12:04 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00