graphql-engine/server/tests-py/test_websocket_init_cookie.py

import json
import threading
from urllib.parse import urlparse

import websocket
import pytest

from validate import check_query
from context import PytestConf

if not PytestConf.config.getoption("--test-ws-init-cookie"):
    pytest.skip("--test-ws-init-cookie flag is missing, skipping tests", allow_module_level=True)


def url(hge_ctx):
    # Derive the WebSocket endpoint from the engine's HTTP URL.
    ws_url = urlparse(hge_ctx.hge_url)._replace(scheme='ws', path='/v1alpha1/graphql')
    return ws_url.geturl()


class TestWebsocketInitCookie():
    """
    Test whether the cookie sent when initialising the websocket connection
    is received by our auth webhook.
    """
    dir = 'queries/remote_schemas'

    @pytest.fixture(autouse=True)
    def transact(self, hge_ctx):
        st_code, resp = hge_ctx.v1q_f(self.dir + '/person_table.yaml')
        assert st_code == 200, resp
        yield
        # Teardown: drop the table first, then check that the drop succeeded.
        st_code, resp = hge_ctx.v1q_f(self.dir + '/drop_person_table.yaml')
        assert st_code == 200, resp

    def _send_query(self, hge_ctx):
        ws_url = url(hge_ctx)
        # The cookie travels only on the HTTP upgrade request; the
        # connection_init payload below carries no headers of its own.
        headers = {'Cookie': 'foo=bar;'}
        ws = websocket.create_connection(ws_url, header=headers)
        init_payload = {
            'type': 'connection_init',
            'payload': {'headers': {}}
        }
        ws.send(json.dumps(init_payload))
        payload = {
            'type': 'start',
            'id': '1',
            'payload': {'query': 'query { person {name}}'}
        }
        ws.send(json.dumps(payload))
        return ws

    def test_websocket_init_cookie_used(self, hge_ctx):
        if hge_ctx.ws_read_cookie == 'noread':
            pytest.skip('cookie is not to be read')

        ws = self._send_query(hge_ctx)
        it = 0
        while True:
            raw = ws.recv()
            frame = json.loads(raw)
            if frame['type'] == 'data':
                # The webhook saw the cookie and authorized the query.
                assert 'person' in frame['payload']['data']
                break
            elif it == 10:
                print('max try over')
                assert False
                break
            elif frame['type'] == 'connection_error' or frame['type'] == 'error':
                print(frame)
                assert False
                break
            it = it + 1

    def test_websocket_init_cookie_not_used(self, hge_ctx):
        if hge_ctx.ws_read_cookie == 'read':
            pytest.skip('cookie is read')

        ws = self._send_query(hge_ctx)
        it = 0
        while True:
            raw = ws.recv()
            frame = json.loads(raw)
            if frame['type'] == 'data':
                # Data here would mean the request was authorized without the cookie.
                print('got data')
                assert False
                break
            elif it == 10:
                print('max try over')
                assert False
                break
            elif frame['type'] == 'connection_error':
                print(frame)
                assert frame['payload'] == 'Authentication hook unauthorized this request'
                break
            elif frame['type'] == 'error':
                print(frame)
                assert False
                break
server: forward auth webhook set-cookies header on response

> High-Level TODO:

* [x] Code Changes
* [x] Tests
* [x] Check that pro/multitenant build ok
* [x] Documentation Changes
* [x] Updating this PR with full details
* [ ] Reviews
* [ ] Ensure code has all FIXMEs and TODOs addressed
* [x] Ensure no files are checked in mistakenly
* [x] Consider impact on console, cli, etc.

### Description
>
This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response.

Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped.

### Changelog

- [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR.

### Affected components

- [x] Server
- [ ] Console
- [ ] CLI
- [x] Docs
- [ ] Community Content
- [ ] Build System
- [x] Tests
- [ ] Other (list it)

### Related Issues
->
Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269)

### Solution and Design
>

### Steps to test and verify
>
Please refer to the docs to see how to send the set-cookie header from webhook.

### Limitations, known bugs & workarounds
>
- Support for only set-cookie header forwarding is added
- the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format.

### Server checklist

#### Catalog upgrade

Does this PR change Hasura Catalog version?
- [x] No
- [ ] Yes
  - [ ] Updated docs with SQL for downgrading the catalog

#### Metadata

Does this PR add a new Metadata feature?
- [x] No

#### GraphQL
- [x] No new GraphQL schema is generated
- [ ] New GraphQL schema is being generated:
   - [ ] New types and typenames are correlated

#### Breaking changes

- [x] No Breaking changes

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538
Co-authored-by: Robert <132113+robx@users.noreply.github.com>
GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f
2021-11-09 15:00:21 +03:00
            it = it + 1
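
The commit message above notes that the webhook's Set-Cookie value is parsed and unnecessary information is stripped before it is forwarded. The following Python sketch of that kind of filter is an added example, not Hasura's code (which uses the Haskell cookie package); the function names, the attribute allow-list and the strictness choices are assumptions.

```python
import re

# RFC 6265 section 4.1.1: cookie-name is an HTTP token; cookie-value is a run of
# cookie-octets (no CTLs, space, DQUOTE, comma, semicolon, backslash), optionally quoted.
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
_VALUE = re.compile(rf'(?:"{_OCTET}*"|{_OCTET}*)')
# Allow-list of attributes to forward (assumption). SameSite is not in RFC 6265;
# it comes from the later 6265bis draft and is kept because browsers honour it.
_VALUED = {"expires": "Expires", "max-age": "Max-Age", "domain": "Domain",
           "path": "Path", "samesite": "SameSite"}
_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def sanitize_set_cookie(raw):
    """Return a normalized Set-Cookie value, or None if it must not be forwarded."""
    # CR/LF or other control bytes in a forwarded header enable response splitting.
    if not raw.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return None
    pair, *attrs = [part.strip() for part in raw.split(";")]
    name, sep, value = pair.partition("=")
    if not sep or not _NAME.fullmatch(name) or not _VALUE.fullmatch(value):
        return None
    out = [f"{name}={value}"]
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in _FLAGS and not val:
            out.append(_FLAGS[key])
        elif key in _VALUED and val:
            if key == "max-age" and not re.fullmatch(r"-?[0-9]+", val):
                continue  # drop a malformed Max-Age rather than forward it
            out.append(f"{_VALUED[key]}={val}")
    return "; ".join(out)


def forwardable_cookies(webhook_headers):
    """Reduce (name, value) header pairs from a webhook reply to safe Set-Cookie values."""
    cleaned = []
    for header, value in webhook_headers:
        if header.lower() == "set-cookie":
            cookie = sanitize_set_cookie(value)
            if cookie is not None:
                cleaned.append(cookie)
    return cleaned
```
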