graphql-engine/server/tests-py/test_websocket_init_cookie.py

import json
from urllib.parse import urlparse

import websocket
import pytest
from context import PytestConf

if not PytestConf.config.getoption("--test-ws-init-cookie"):
    pytest.skip("--test-ws-init-cookie flag is missing, skipping tests", allow_module_level=True)

def url(hge_ctx):
    ws_url = urlparse(hge_ctx.hge_url)._replace(scheme='ws', path='/v1alpha1/graphql')
    return ws_url.geturl()

@pytest.mark.usefixtures('auth_hook')
class TestWebsocketInitCookie():
    """
    test if cookie is sent when initing the websocket connection, is our auth
    webhook receiving the cookie
    """
    dir = 'queries/remote_schemas'

    @pytest.fixture(autouse=True)
    def transact(self, hge_ctx):
        hge_ctx.v1q_f(self.dir + '/person_table.yaml')
        yield
        hge_ctx.v1q_f(self.dir + '/drop_person_table.yaml')

    def _send_query(self, hge_ctx):
        ws_url = url(hge_ctx)
        headers = {'Cookie': 'foo=bar;'}
        ws = websocket.create_connection(ws_url, header=headers)
        init_payload = {
            'type': 'connection_init',
            'payload': {'headers': {}}
        }
        ws.send(json.dumps(init_payload))
        payload = {
            'type': 'start',
            'id': '1',
            'payload': {'query': 'query { person {name}}'}
        }
        ws.send(json.dumps(payload))
        return ws

    def test_websocket_init_cookie_used(self, hge_ctx):
        if hge_ctx.ws_read_cookie == 'noread':
            pytest.skip('cookie is not to be read')
        ws = self._send_query(hge_ctx)
        it = 0
        while True:
            raw = ws.recv()
            frame = json.loads(raw)
            if frame['type'] == 'data':
                assert 'person' in frame['payload']['data']
                break
            elif it == 10:
                print('max try over')
                assert False
                break
            elif frame['type'] == 'connection_error' or frame['type'] == 'error':
                print(frame)
                assert False
                break
            it = it + 1

    def test_websocket_init_cookie_not_used(self, hge_ctx):
        if hge_ctx.ws_read_cookie == 'read':
            pytest.skip('cookie is read')

        ws = self._send_query(hge_ctx)
        it = 0
        while True:
            raw = ws.recv()
            frame = json.loads(raw)
            if frame['type'] ==  'data':
                print('got data')
                assert False
                break
            elif it == 10:
                print('max try over')
                assert False
                break
            elif frame['type'] == 'connection_error':
                print(frame)
                assert frame['payload'] == 'Authentication hook unauthorized this request'
                break
            elif frame['type'] == 'error':
                print(frame)
                assert False
                break
            it = it + 1
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`import json`
			`from urllib.parse import urlparse`

			`import websocket`
			`import pytest`
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3 2019-11-29 08:14:26 +03:00			`from context import PytestConf`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3 2019-11-29 08:14:26 +03:00			`if not PytestConf.config.getoption("--test-ws-init-cookie"):`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`pytest.skip("--test-ws-init-cookie flag is missing, skipping tests", allow_module_level=True)`

			`def url(hge_ctx):`
			`ws_url = urlparse(hge_ctx.hge_url)._replace(scheme='ws', path='/v1alpha1/graphql')`
			`return ws_url.geturl()`

server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00			`@pytest.mark.usefixtures('auth_hook')`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`class TestWebsocketInitCookie():`
			`"""`
			`test if cookie is sent when initing the websocket connection, is our auth`
			`webhook receiving the cookie`
			`"""`
			`dir = 'queries/remote_schemas'`

			`@pytest.fixture(autouse=True)`
			`def transact(self, hge_ctx):`
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea 2022-07-05 21:00:08 +03:00			`hge_ctx.v1q_f(self.dir + '/person_table.yaml')`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`yield`
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea 2022-07-05 21:00:08 +03:00			`hge_ctx.v1q_f(self.dir + '/drop_person_table.yaml')`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00
			`def _send_query(self, hge_ctx):`
			`ws_url = url(hge_ctx)`
			`headers = {'Cookie': 'foo=bar;'}`
			`ws = websocket.create_connection(ws_url, header=headers)`
			`init_payload = {`
			`'type': 'connection_init',`
			`'payload': {'headers': {}}`
			`}`
			`ws.send(json.dumps(init_payload))`
			`payload = {`
			`'type': 'start',`
			`'id': '1',`
			`'payload': {'query': 'query { person {name}}'}`
			`}`
			`ws.send(json.dumps(payload))`
			`return ws`

			`def test_websocket_init_cookie_used(self, hge_ctx):`
			`if hge_ctx.ws_read_cookie == 'noread':`
			`pytest.skip('cookie is not to be read')`
			`ws = self._send_query(hge_ctx)`
			`it = 0`
			`while True:`
			`raw = ws.recv()`
			`frame = json.loads(raw)`
			`if frame['type'] == 'data':`
			`assert 'person' in frame['payload']['data']`
			`break`
			`elif it == 10:`
			`print('max try over')`
			`assert False`
			`break`
			`elif frame['type'] == 'connection_error' or frame['type'] == 'error':`
			`print(frame)`
			`assert False`
			`break`
			`it = it + 1`

			`def test_websocket_init_cookie_not_used(self, hge_ctx):`
			`if hge_ctx.ws_read_cookie == 'read':`
			`pytest.skip('cookie is read')`

			`ws = self._send_query(hge_ctx)`
			`it = 0`
			`while True:`
			`raw = ws.recv()`
			`frame = json.loads(raw)`
			`if frame['type'] == 'data':`
			`print('got data')`
			`assert False`
			`break`
			`elif it == 10:`
			`print('max try over')`
			`assert False`
			`break`
			`elif frame['type'] == 'connection_error':`
			`print(frame)`
			`assert frame['payload'] == 'Authentication hook unauthorized this request'`
			`break`
			`elif frame['type'] == 'error':`
			`print(frame)`
			`assert False`
			`break`
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea 2022-07-05 21:00:08 +03:00			`it = it + 1`