graphql-engine/server/tests-py/test_auth_webhook_cookie.py

import pytest

@pytest.mark.usefixtures('auth_hook', 'per_class_tests_db_state')
@pytest.mark.admin_secret
class TestWebhookHeaderCookie(object):
    @classmethod
    def dir(cls):
        return 'webhook/insecure'

    def test_single_set_cookie_header_in_response(self, hge_ctx):
        query = """
          query allUsers {
            author {
              id
              name
            }
          }
        """

        query_obj = {
            "query": query,
            "operationName": "allUsers"
        }

        headers = {}

        headers['cookie'] = "Test"
        headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example.com"

        code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)
        print("Status Code: ", code)
        print("Response: ", resp)
        print("Headers: ", respHeaders)

        assert 'Set-Cookie' in respHeaders
        assert respHeaders['Set-Cookie'] == "__Host-id=1; Secure; Path=/; Domain=example.com"

    def test_duplicate_set_cookie_header_in_response(self, hge_ctx):
        query = """
          query allUsers {
            author {
              id
              name
            }
          }
        """

        query_obj = {
            "query": query,
            "operationName": "allUsers"
        }

        headers = {}

        headers['cookie'] = "Test"
        headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example1.com"
        headers['response-set-cookie-2'] = "__Host-id=2; Secure; Path=/; Domain=example2.com"

        code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)
        print("Status Code: ", code)
        print("Response: ", resp)
        print("Headers: ", respHeaders)

        assert 'Set-Cookie' in respHeaders

        # In python, multiple headers with the same key are concatenated with a comma and
        # then sent back in the response. Refer to: https://github.com/psf/requests/issues/4520
        assert respHeaders['Set-Cookie'] == "__Host-id=2; Secure; Path=/; Domain=example2.com, __Host-id=1; Secure; Path=/; Domain=example1.com"
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`import pytest`

server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00			`@pytest.mark.usefixtures('auth_hook', 'per_class_tests_db_state')`
server/tests-py: Provide the admin secret to the HGE server. When we run the HGE server inside the test harness, it needs to run with an admin secret for some tests to make sense. This tags each test that requires an admin secret with `pytest.mark.admin_secret`, which then generates a UUID and injects that into both the server and the test case (if required). It also simplifies the way the test harness picks up an existing admin secret, allowing it to use the environment variable instead of requiring it via a parameter. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6120 GitOrigin-RevId: 55c5b9e8c99bdad9c8304098444ddb9516749a2c 2022-09-29 20:18:49 +03:00			`@pytest.mark.admin_secret`
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`class TestWebhookHeaderCookie(object):`
			`@classmethod`
			`def dir(cls):`
			`return 'webhook/insecure'`

			`def test_single_set_cookie_header_in_response(self, hge_ctx):`
			`query = """`
			`query allUsers {`
			`author {`
			`id`
			`name`
			`}`
			`}`
			`"""`

			`query_obj = {`
			`"query": query,`
			`"operationName": "allUsers"`
			`}`

			`headers = {}`

			`headers['cookie'] = "Test"`
			`headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example.com"`

			`code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)`
			`print("Status Code: ", code)`
			`print("Response: ", resp)`
			`print("Headers: ", respHeaders)`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`assert 'Set-Cookie' in respHeaders`
			`assert respHeaders['Set-Cookie'] == "__Host-id=1; Secure; Path=/; Domain=example.com"`

			`def test_duplicate_set_cookie_header_in_response(self, hge_ctx):`
			`query = """`
			`query allUsers {`
			`author {`
			`id`
			`name`
			`}`
			`}`
			`"""`

			`query_obj = {`
			`"query": query,`
			`"operationName": "allUsers"`
			`}`

			`headers = {}`

			`headers['cookie'] = "Test"`
			`headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example1.com"`
			`headers['response-set-cookie-2'] = "__Host-id=2; Secure; Path=/; Domain=example2.com"`

			`code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)`
			`print("Status Code: ", code)`
			`print("Response: ", resp)`
			`print("Headers: ", respHeaders)`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`assert 'Set-Cookie' in respHeaders`

			`# In python, multiple headers with the same key are concatenated with a comma and`
			`# then sent back in the response. Refer to: https://github.com/psf/requests/issues/4520`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00			`assert respHeaders['Set-Cookie'] == "__Host-id=2; Secure; Path=/; Domain=example2.com, __Host-id=1; Secure; Path=/; Domain=example1.com"`