Commit Graph

439 Commits (34b232d6588575321455a94208a128909a9c4267)

Author SHA1 Message Date
Richard Hansen a8cf434d1d import: Replace the `allowAnyoneToImport` check with `userCanModify`
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen 831528e8bc import: Allow import if pad does not yet exist 2020-10-05 18:48:16 +01:00
Richard Hansen 9a6f286441 tests: Always run the import unsupported file type test 2020-10-05 18:48:16 +01:00
Richard Hansen 2f17849b7b tests: Switch import/export tests to self-contained server
This makes it possible to test various settings combinations and
examine internal state to confirm correct behavior. Also, the user
doesn't need to start an Etherpad server before running these tests.
2020-10-05 18:48:16 +01:00
Richard Hansen 32b6d8e37f tests: Factor out common server setup/teardown 2020-10-05 18:48:16 +01:00
Richard Hansen f7953ece85 socketio: Delete redundant authentication check
There's no need to perform an authentication check in the socket.io
middleware because `PadMessageHandler.handleMessage` calls
`SecurityMananger.checkAccess` and that now performs authentication
and authorization checks.

This change also improves the user experience: Before, access denials
caused socket.io error events in the client, which `pad.js` mostly
ignores (the user doesn't see anything). Now a deny message is sent
back to the client, which causes `pad.js` to display an obvious
permission denied message.

This also fixes a minor bug: `settings.loadTest` is supposed to bypass
authentication and authorization checks, but they weren't bypassed
because `SecurityManager.checkAccess` did not check
`settings.loadTest`.
2020-10-05 18:12:04 +01:00
webzwo0i ceb09ce99a
security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)
Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies.  This change allows Etherpad to use a client IP passed from a reverse proxy.

Note to devs: This header can be spoofed and spoofing the header could be used in an attack.  To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.*  This only really applies to large scale deployments but it's worth noting.
2020-10-01 10:39:01 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
John McLear 8919608d45 tests: disable a version of safari for now as its too buggy on sauce labs 2020-09-27 23:13:29 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
John McLear 505d67ed1c allowing longer for FF to do timeslider rev test 2020-09-27 21:44:43 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
John McLear a51132d712
tests: test coverage for read only pad ids (#4364) 2020-09-27 19:12:11 +01:00
John McLear 53b80d6280
tests: adding a check before finishing responsiveness test - allowing load test to run for 25 instead of 30 seconds to facilitate travis performance. (#4363)
The goal of this PR is to make tests break less frequently.  It is yet confirmed if this has worked but time will tell.
2020-09-27 15:13:55 +01:00
John McLear ea4b9bf7d7
tests: support even slower safari (#4361) 2020-09-26 21:57:21 +01:00
Richard Hansen 9f63d9b76a tests: Check for true/false, not truthiness 2020-09-26 21:40:19 +01:00
Richard Hansen c18831c333 tests: Fix typo (publicstatus -> publicStatus) 2020-09-26 21:40:19 +01:00
Richard Hansen e01e575c86 tests: Use async/await instead of callbacks, use assert 2020-09-26 21:40:19 +01:00
Richard Hansen 24345bf9a8 tests: Group session and group tests to improve readability 2020-09-26 21:40:19 +01:00
Richard Hansen 4527254bcc tests: Use `let` and `const` instead of `var` 2020-09-26 21:40:19 +01:00
Richard Hansen e88c532172 tests: Delete unused variable 2020-09-26 21:40:19 +01:00
Richard Hansen ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen 02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen 72ed1816ec security: Fix authz check for pad names with encoded characters
Also:
  * Minor test cleanups (`function` instead of arrow functions, etc.).
  * Add a test for a case that was previously not covered.
2020-09-26 10:47:27 +01:00
Richard Hansen 23131a501c tests: Rewrite import/export tests to use async and supertest 2020-09-26 10:46:16 +01:00
Richard Hansen 54c999fe83 tests: Factor out common skip checks 2020-09-26 10:46:16 +01:00
Richard Hansen 1c3c5b744c tests: Skip all import/export tests if `!allowAnyoneToImport`
Three of the four tests fail if `settings.allowAnyoneToImport` is
false. The fourth ("tries to import Plain Text to a pad that does not
exist") isn't particularly useful when `settings.allowAnyoneToImport`
is false: That test tests an import failure mode, and when
`settings.allowAnyoneToImport` is false the failure could be caused by
that instead of the expected cause.
2020-09-26 10:46:16 +01:00
Richard Hansen c148e673a8 tests: Use `this.skip()` when skipping tests 2020-09-26 10:46:16 +01:00
Richard Hansen 668373b80f tests: Fix abiword/soffice check 2020-09-26 10:46:16 +01:00
Richard Hansen 89de03795a tests: Delete unused imports and code 2020-09-26 10:46:16 +01:00
Richard Hansen 94f944160d security: Don't require express_sid if authn not required
This should make it possible to embed a pad in an iframe from another
site as long as `settings.requireAuthentication` is false.
2020-09-24 10:42:41 +01:00
Richard Hansen 53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
John McLear ca7b8e278f allow slower for Safari 2020-09-22 16:32:40 +01:00
Richard Hansen a000a93dc6 Refactor startup/shutdown for tests
* `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Richard Hansen 346111250e utils: Fix promise creation accounting bug in promises.timesLimit
Before this change, `promises.timesLimit()` created `concurrency - 1`
too many promises. The only users of this function use a concurrency
of 500, so this meant that 499 extra promises were created each time
it was used. The bug didn't affect correctness, but it did result in a
large number of unnecessary database operations whenever a pad was
deleted. This change fixes that bug.

Also:
  * Convert the function to async and have it resolve after all of the
    created promises are resolved.
  * Reject concurrency of 0 (unless total is 0).
  * Document the function.
  * Add tests.
2020-09-21 23:16:32 +01:00
webzwo0i 85f52a2f23
tests: Plugin backend tests in ci (#4314) 2020-09-18 16:28:42 +01:00
Joas Souza 8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen 9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
John McLear 4434e54368
Update responsiveness.js
Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
2020-09-12 11:00:05 +01:00
webzwo0i e2b3b009e1
tests: skip responsivness test on firefox 52.0/windows (#4275) 2020-09-09 21:40:53 +01:00
John McLear 2b9915d00d commenting out responsiveness test in preperation for a release 2020-09-08 15:18:19 +01:00
webzwo0i d30364d3de
tests: make it more clear that test duration exceeded (#4237) 2020-08-30 16:41:12 +01:00
John McLear 12c05c20b2
bugfix/import: doc import bugfix (#4235) 2020-08-30 14:11:12 +01:00
John McLear 4db484e34e
tests: uncomment responsiveness tests
To make travis run them again and review to see what fails.
2020-08-27 22:45:32 +01:00
webzwo0i acfa1b6b4e
frontend tests: retry should retry with the same padName, which was not true in case there was no padName supplied (#4206) 2020-07-29 19:26:09 +01:00
webzwo0i 1b6a9d8be0
tests: Fix frontend tests (#4188), ugly work around for "Pad never loaded" (#4200)
* remote_runner.js: fix drain call (cf.
https://github.com/caolan/async/blob/master/CHANGELOG.md#breaking-changes)

* dont wait 30 seconds after remote_runner.js returned

* timeout frontend tests after 9.5 minutes to prevent travis from silently stop them

* log when not all tests finished

* prevent killTimeout to happen after last test

* log server messages to console

* remote_runner will take some time to setup sl, so this second is not necessary

* dont write to global mocha variable

* mochas `test end` event is not called when a before/beforeEach-hooks
failed, so we should only use pass/fail/pending-hooks for logging.
also some cruft removed

* pass test in `pending`-event handler

* remove some more cruft in tests/frontend/runner.js

* frontend tests: clarify why stats.tests and total differ

* move killTimeout to pass/fail/pending instead of `test end` to guarantee that it is run

* delete killTimeout on test end to prevent misleading log message

* unused variable

* fix regex

* unlikely edge case

* ensure `allowed test duration exceeded` message is printed for the last runner

* get rid of jquery.iframe.js, currently no support for IE<9

* retry up to 3 times when pad could not be loaded

* Call the logging code in stopSauce in a callback for `browser.quit()`.
This should fix cases like
https://app.saucelabs.com/tests/cb8225375d274cbcbb091309f5466cfd
Travis received all the logs and remote_runner.js exits, but there never
is a DELETE command for webdriver.
2020-07-28 19:57:33 +01:00
Daniel Krol 859a128c54
Command line argument for chromium test for fake webrtc (#4199) 2020-07-28 10:33:49 +01:00
John McLear 29e6daedcb
tests: Remove scroll tests again - Finally accept they will never work again due to browser changes. (#4183) 2020-07-20 00:11:59 +01:00
John McLear bf295d42d7
tests: fix follow test to work on larger screens (#4182) 2020-07-20 00:09:33 +01:00