Commit Graph

6174 Commits (92d4b8b649fadc54e9781c8f332f96a3b7588d1c)

Author SHA1 Message Date
John McLear 92d4b8b649
tests: re-enable docker tests in travis (#4395)
Thanks to node10 having better support we can re-enable these tests.
2020-10-06 14:21:09 +01:00
jeanfabrice 52f8fc9ba3
legacySupport: Run node 10 with '--experimental_worker' flags (#4392)
* Run node 10 with '--experimental_worker' flags
* Use dedicated function to retrieve node/npm program version

The goal of this commit is to ensure that any linux based node 10 deployments run with the experimental_worker flag.  This flag is required for workers to "work" in node 10.  This will not affect other versions of node.  This resolves #4335 where Docker would fail due to being based on node 10.
2020-10-06 13:28:11 +01:00
Richard Hansen c74b254334 tests: Disable non-test logging unless level <= DEBUG
This makes it easier to see the test results, and it hides some
scary-looking but intentional error messages.

This code will likely have to be updated if/when we change the logging
library (see issue #1922).
2020-10-06 09:19:58 +01:00
Richard Hansen 34b232d658
Update `CHANGELOG.md` with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen a8cf434d1d import: Replace the `allowAnyoneToImport` check with `userCanModify`
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen 831528e8bc import: Allow import if pad does not yet exist 2020-10-05 18:48:16 +01:00
Richard Hansen ed6fcefb67 webaccess: Fix pad ID extraction for import and export paths 2020-10-05 18:48:16 +01:00
Richard Hansen f4eae40c6b webaccess: Check for read-only pad ID in `userCanModify`
This currently isn't absolutely necessary because all current callers
of `userCanModify` already check for a read-only pad ID themselves.
However:

  * This adds defense in depth.
  * This makes it possible to simply replace the import handler's
    `allowAnyoneToImport` check with a call to `userCanModify`.
2020-10-05 18:48:16 +01:00
Richard Hansen 9a6f286441 tests: Always run the import unsupported file type test 2020-10-05 18:48:16 +01:00
Richard Hansen 2f17849b7b tests: Switch import/export tests to self-contained server
This makes it possible to test various settings combinations and
examine internal state to confirm correct behavior. Also, the user
doesn't need to start an Etherpad server before running these tests.
2020-10-05 18:48:16 +01:00
Richard Hansen 32b6d8e37f tests: Factor out common server setup/teardown 2020-10-05 18:48:16 +01:00
Richard Hansen 377560eb51 express: Move general Express setup from `webaccess.js`
The `express-session`, `cookie-parser`, etc. middleware is not
specific to access checks.
2020-10-05 18:12:04 +01:00
Richard Hansen 821c06cc3a socketio: Reuse the `express-session` middleware 2020-10-05 18:12:04 +01:00
Richard Hansen f7953ece85 socketio: Delete redundant authentication check
There's no need to perform an authentication check in the socket.io
middleware because `PadMessageHandler.handleMessage` calls
`SecurityMananger.checkAccess` and that now performs authentication
and authorization checks.

This change also improves the user experience: Before, access denials
caused socket.io error events in the client, which `pad.js` mostly
ignores (the user doesn't see anything). Now a deny message is sent
back to the client, which causes `pad.js` to display an obvious
permission denied message.

This also fixes a minor bug: `settings.loadTest` is supposed to bypass
authentication and authorization checks, but they weren't bypassed
because `SecurityManager.checkAccess` did not check
`settings.loadTest`.
2020-10-05 18:12:04 +01:00
Richard Hansen 3f8365a995 express: Use `const` and `let` instead of `var`
Also:
  * Sort imports.
  * Use single quotes.
  * Abbreviate module names.
2020-10-05 18:12:04 +01:00
Richard Hansen b68969fbac webaccess: Simplify Express and express-session setup 2020-10-05 18:12:04 +01:00
Richard Hansen 275e5c31c8 webaccess: Wrap long lines 2020-10-05 18:12:04 +01:00
translatewiki.net 29ee63f2ba Localisation updates from https://translatewiki.net. 2020-10-05 15:56:29 +02:00
Richard Hansen 2db4b04af3 cookies: Use `SameSite=None` if in an iframe from another site 2020-10-04 08:57:44 +01:00
Richard Hansen bf53162cdd cookies: Use `Lax` instead of `Strict` for `SameSite` 2020-10-04 08:57:44 +01:00
Richard Hansen 3ab0f30ac8 cookies: Use js-cookie to read and write cookies
Rather than reinvent the wheel, use a well-tested library to parse and
write cookies. This should also help prevent XSS vulnerabilities
because the library handles special characters such as semicolon.
2020-10-04 08:57:44 +01:00
Richard Hansen d55edebddd cookies: Refactor `pad_cookie.js`
* Use the cookie functions from `pad_utils.js`.
  * Delete unused methods, variables, and parameters.
  * Simplify the logic.
  * Use an ES6 class instead of a weird literal thingy.
  * Use `const` instead of `var`.
2020-10-04 08:57:44 +01:00
translatewiki.net 891d2600fa Localisation updates from https://translatewiki.net. 2020-10-02 09:05:33 +02:00
webzwo0i ceb09ce99a
security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)
Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies.  This change allows Etherpad to use a client IP passed from a reverse proxy.

Note to devs: This header can be spoofed and spoofing the header could be used in an attack.  To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.*  This only really applies to large scale deployments but it's worth noting.
2020-10-01 10:39:01 +01:00
Richard Hansen dbef630f44
i18n: Localize `/admin` pages (#4380)
Not every string was localized:

  * `/admin/plugins` has some CSS magic to draw the tables of plugins
    differently on narrow (mobile) screens, and the l10n library we
    use does not support that particular magic. The strings that were
    not localized are "Name", "Description", "Version", and "Time".
    These strings are only stuck in English when the page is viewed on
    a narrow screen; normal desktop users will see translated strings.
    The CSS magic ought to be replaced with something more robust
    (lots of nested `div`s); those remaining strings can be localized
    whenever that happens.

  * Strings from external sources such as plugin descriptions, error
    messages, and `settings.json` comments are not localized.
2020-10-01 10:15:27 +01:00
Richard Hansen 554eef7770 webaccess: Exempt `/favicon.ico` and `/locales.json` from auth checks 2020-09-29 19:40:24 +01:00
John McLear 5964055dec
package updates: update deps and resolve some potential security issues (#4369) 2020-09-29 13:21:35 +01:00
translatewiki.net 837ca6ec1e Localisation updates from https://translatewiki.net. 2020-09-28 17:15:23 +02:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
Richard Hansen 7bd5435f50 webaccess: Log hook errors 2020-09-28 09:35:42 +01:00
John McLear 8919608d45 tests: disable a version of safari for now as its too buggy on sauce labs 2020-09-27 23:13:29 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
John McLear 505d67ed1c allowing longer for FF to do timeslider rev test 2020-09-27 21:44:43 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
John McLear a51132d712
tests: test coverage for read only pad ids (#4364) 2020-09-27 19:12:11 +01:00
John McLear 53b80d6280
tests: adding a check before finishing responsiveness test - allowing load test to run for 25 instead of 30 seconds to facilitate travis performance. (#4363)
The goal of this PR is to make tests break less frequently.  It is yet confirmed if this has worked but time will tell.
2020-09-27 15:13:55 +01:00
Richard Hansen 411b278881 webaccess: Log all authentication successes/failures
This loses some of the granularity of the default HTTP basic auth
(unknown username vs. bad password), but there is considerable value
in having logging that is consistent no matter what authentication
plugins are installed.
2020-09-26 21:57:50 +01:00
John McLear ea4b9bf7d7
tests: support even slower safari (#4361) 2020-09-26 21:57:21 +01:00
Pedro Beschorner Marin c56973ce74 Fix readOnly pad export
The export request hook wasn't testing if the pad's id was from a read-only
pad before validating with the pad manager.

This includes an extra step that makes the read-only id verification and also
avoids setting the original pad's id as the file's name.
2020-09-26 21:47:35 +01:00
Richard Hansen 9f63d9b76a tests: Check for true/false, not truthiness 2020-09-26 21:40:19 +01:00
Richard Hansen c18831c333 tests: Fix typo (publicstatus -> publicStatus) 2020-09-26 21:40:19 +01:00
Richard Hansen e01e575c86 tests: Use async/await instead of callbacks, use assert 2020-09-26 21:40:19 +01:00
Richard Hansen 24345bf9a8 tests: Group session and group tests to improve readability 2020-09-26 21:40:19 +01:00
Richard Hansen 4527254bcc tests: Use `let` and `const` instead of `var` 2020-09-26 21:40:19 +01:00
Richard Hansen e88c532172 tests: Delete unused variable 2020-09-26 21:40:19 +01:00
John McLear 90adc50289
tests: Include some plugins in tests (#4339)
This PR introduces testing of plugins from the ether/ organization on Github.  Each plugin is added into ``.travis``.  Frontend plugins tests are run exclusive to core tests.  Backend runs both core and plugins with core.

Including frontend core tests with plugin tests caused the session to overrun causing errors.
2020-09-26 19:41:33 +01:00
Richard Hansen ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen 889a3f7261 Bump Etherpad version in src/package-lock.json 2020-09-26 19:37:05 +01:00
Richard Hansen 3bb71e14d1 PadMessageHandler: Logging improvements 2020-09-26 19:36:52 +01:00
Richard Hansen 4332affba6 Fix typo in session check (sesion -> session) 2020-09-26 19:36:44 +01:00