Commit Graph

6545 Commits (4b4b685bba0ce1a37870b165e524df4623a22cf1)

Author SHA1 Message Date
Richard Hansen 7bd5435f50 webaccess: Log hook errors 2020-09-28 09:35:42 +01:00
John McLear 8919608d45 tests: disable a version of safari for now as its too buggy on sauce labs 2020-09-27 23:13:29 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
John McLear 505d67ed1c allowing longer for FF to do timeslider rev test 2020-09-27 21:44:43 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
John McLear a51132d712
tests: test coverage for read only pad ids (#4364) 2020-09-27 19:12:11 +01:00
John McLear 53b80d6280
tests: adding a check before finishing responsiveness test - allowing load test to run for 25 instead of 30 seconds to facilitate travis performance. (#4363)
The goal of this PR is to make tests break less frequently.  It is yet confirmed if this has worked but time will tell.
2020-09-27 15:13:55 +01:00
Richard Hansen 411b278881 webaccess: Log all authentication successes/failures
This loses some of the granularity of the default HTTP basic auth
(unknown username vs. bad password), but there is considerable value
in having logging that is consistent no matter what authentication
plugins are installed.
2020-09-26 21:57:50 +01:00
John McLear ea4b9bf7d7
tests: support even slower safari (#4361) 2020-09-26 21:57:21 +01:00
Pedro Beschorner Marin c56973ce74 Fix readOnly pad export
The export request hook wasn't testing if the pad's id was from a read-only
pad before validating with the pad manager.

This includes an extra step that makes the read-only id verification and also
avoids setting the original pad's id as the file's name.
2020-09-26 21:47:35 +01:00
Richard Hansen 9f63d9b76a tests: Check for true/false, not truthiness 2020-09-26 21:40:19 +01:00
Richard Hansen c18831c333 tests: Fix typo (publicstatus -> publicStatus) 2020-09-26 21:40:19 +01:00
Richard Hansen e01e575c86 tests: Use async/await instead of callbacks, use assert 2020-09-26 21:40:19 +01:00
Richard Hansen 24345bf9a8 tests: Group session and group tests to improve readability 2020-09-26 21:40:19 +01:00
Richard Hansen 4527254bcc tests: Use `let` and `const` instead of `var` 2020-09-26 21:40:19 +01:00
Richard Hansen e88c532172 tests: Delete unused variable 2020-09-26 21:40:19 +01:00
John McLear 90adc50289
tests: Include some plugins in tests (#4339)
This PR introduces testing of plugins from the ether/ organization on Github.  Each plugin is added into ``.travis``.  Frontend plugins tests are run exclusive to core tests.  Backend runs both core and plugins with core.

Including frontend core tests with plugin tests caused the session to overrun causing errors.
2020-09-26 19:41:33 +01:00
Richard Hansen ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen 889a3f7261 Bump Etherpad version in src/package-lock.json 2020-09-26 19:37:05 +01:00
Richard Hansen 3bb71e14d1 PadMessageHandler: Logging improvements 2020-09-26 19:36:52 +01:00
Richard Hansen 4332affba6 Fix typo in session check (sesion -> session) 2020-09-26 19:36:44 +01:00
Richard Hansen 02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen 6ed11b7605 PadMessageHandler: Avoid redundant access checks 2020-09-26 18:32:22 +01:00
Richard Hansen 1e3aa9edff pad: Revert back to sending `CLIENT_READY` on reconnect
Commit 0bb8d73ba2 fixed the author ID
that is saved in the socket.io sessioninfo when the client sends a
`CLIENT_READY` with `reconnect` set to true, so it is now safe to undo
the workaround from PR #3868.

Fixes #4331.
2020-09-26 18:32:04 +01:00
Richard Hansen 72ed1816ec security: Fix authz check for pad names with encoded characters
Also:
  * Minor test cleanups (`function` instead of arrow functions, etc.).
  * Add a test for a case that was previously not covered.
2020-09-26 10:47:27 +01:00
Richard Hansen 3c9ae57bb3 PadMessageHandler: Block Promise resolution until message is handled
Benefits:
  * More functions are now async which makes it possible for future
    changes to use await in those functions.
  * This will help keep the server from drowning in too many messages
    if we ever add acknowledgements or if WebSocket backpressure ever
    becomes reality.
  * This might make tests less flaky because changes triggered by a
    message will complete before the Promise resolves.
2020-09-26 10:47:03 +01:00
Richard Hansen 23131a501c tests: Rewrite import/export tests to use async and supertest 2020-09-26 10:46:16 +01:00
Richard Hansen 54c999fe83 tests: Factor out common skip checks 2020-09-26 10:46:16 +01:00
Richard Hansen 1c3c5b744c tests: Skip all import/export tests if `!allowAnyoneToImport`
Three of the four tests fail if `settings.allowAnyoneToImport` is
false. The fourth ("tries to import Plain Text to a pad that does not
exist") isn't particularly useful when `settings.allowAnyoneToImport`
is false: That test tests an import failure mode, and when
`settings.allowAnyoneToImport` is false the failure could be caused by
that instead of the expected cause.
2020-09-26 10:46:16 +01:00
Richard Hansen c148e673a8 tests: Use `this.skip()` when skipping tests 2020-09-26 10:46:16 +01:00
Richard Hansen 668373b80f tests: Fix abiword/soffice check 2020-09-26 10:46:16 +01:00
Richard Hansen 89de03795a tests: Delete unused imports and code 2020-09-26 10:46:16 +01:00
Richard Hansen 0bb8d73ba2 PadMessageHandler: Always save the author ID in the session info
Before, the author ID was only saved in the session info during the
initial CLIENT_READY, not when the client sent a CLIENT_READY due to a
reconnect. This caused the handling of subsequent messages to use an
undefined author ID.
2020-09-26 10:43:06 +01:00
translatewiki.net 6cde6f5a98 Localisation updates from https://translatewiki.net. 2020-09-24 15:54:49 +02:00
Richard Hansen 94f944160d security: Don't require express_sid if authn not required
This should make it possible to embed a pad in an iframe from another
site as long as `settings.requireAuthentication` is false.
2020-09-24 10:42:41 +01:00
Richard Hansen 53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
John McLear ff4da04907 no need to ask for translations if no template files are included 2020-09-23 09:25:17 +01:00
Richard Hansen 1bb44098df PadMessageHandler: Move handleMessage hooks after access check
Move the handleMessageSecurity and handleMessage hooks after the call
to securityManager.checkAccess.

Benefits:

  * A handleMessage plugin can safely assume the message will be
    handled unless the plugin itself drops the message, so it doesn't
    need to repeat the access checks done by the `handleMessage`
    function.
  * This paves the way for a future enhancement: pass the author ID to
    the hooks.

Note: The handleMessageSecurity hook is broken in several ways:

  * The hook result is ignored for `CLIENT_READY` and `SWITCH_TO_PAD`
    messages because the `handleClientReady` function overwrites the
    hook result. This causes the client to receive client vars with
    `readonly` set to true, which causes the client to display an
    immutable pad even though the pad is technically writable.
  * The formatting toolbar buttons are removed for read-only pads
    before the handleMessageSecurity hook even runs.
  * It is awkwardly named: Without reading the documentation, how is
    one supposed to know that "handle message security" actually means
    "grant one-time write access to a read-only pad"?
  * It is called for every message even though calls after a
    `CLIENT_READY` or `SWITCH_TO_PAD` are mostly pointless.
  * Why would anyone want to grant write access when the user visits a
    read-only pad URL? The user should just visit the writable pad URL
    instead.
  * Why would anyone want to grant write access that only lasts for a
    single socket.io connection?
  * There are better ways to temporarily grant write access (e.g., the
    authorize hook).
  * This hook is inviting bugs because it breaks a core assumption
    about `/p/r.*` URLs.

I think the hook should be deprecated and eventually removed.
2020-09-23 08:26:47 +01:00
Richard Hansen 0f6baac7b5
Revert "tests: Use wtfnode to determine why mocha isn't exiting" (#4315)
This reverts commit ae1142a799.

According to
https://github.com/ether/etherpad-lite/pull/4304#issuecomment-694833456
wtfnode always seems to exit with 0 even if the tests fail.
2020-09-22 22:47:26 +01:00
John McLear ca7b8e278f allow slower for Safari 2020-09-22 16:32:40 +01:00
Richard Hansen 6011ef426f PadMessageHandler: Make sessioninfo tracking more robust
A session's sessioninfo could go away asynchronously due to a
disconnect. Grab a reference once and use it throughout the function
to avoid dereferencing a null sessioninfo object.
2020-09-22 14:11:02 +01:00
Richard Hansen 3365e944bf async-ify more functions, and await completion
Where feasible I put the await at the end of the function to
minimize the impact on latency.

My motivation for this change: Eliminate a race condition in tests I
am writing.
2020-09-22 14:10:44 +01:00
Richard Hansen 45ec8326f0 Add a new 'rejected' disconnect reason
This reason will be used in a future commit that will reject erroneous
messages.
2020-09-22 14:09:07 +01:00
John McLear 13252c955c include hash auth in tests 2020-09-22 11:12:24 +01:00
Richard Hansen a000a93dc6 Refactor startup/shutdown for tests
* `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Richard Hansen a4be577ed1 SessionStore: Don't call callback until cached in DB layer 2020-09-21 23:21:05 +01:00
Richard Hansen 436cbb031d SessionStore: Avoid early DB.db dereference
Avoid dereferencing `DB.db` until it is used so that it is possible to
`require('SessionStore')` before calling `DB.init()`. (This is useful
when writing tests.)
2020-09-21 23:21:05 +01:00
Richard Hansen bee91a0bd1 SessionStore: Use EC6 class syntax
This fixes a minor bug where the SessionStore constructor did not call
the base class constructor.
2020-09-21 23:21:05 +01:00
Richard Hansen 0504e07eb4 SessionStore: Wrap long line 2020-09-21 23:21:05 +01:00
Richard Hansen 90775cec0d SessionStore: Rename `messageLogger` to `logger` 2020-09-21 23:21:05 +01:00