graphql-engine/server/tests-py/test_webhook.py

from datetime import datetime, timedelta
import math
import json
import time
import base64

import ruamel.yaml as yaml
import pytest
from test_subscriptions import init_ws_conn
from context import PytestConf


if not PytestConf.config.getoption('--hge-webhook'):
    pytest.skip('--hge-webhook is missing, skipping webhook expiration tests', allow_module_level=True)

usefixtures = pytest.mark.usefixtures

@pytest.fixture(scope='function')
def ws_conn_recreate(ws_client):
    ws_client.recreate_conn()

def connect_with(hge_ctx, ws_client, headers):
    headers['X-Hasura-Role']      = 'user'
    headers['X-Hasura-User-Id']   = '1234321'
    headers['X-Hasura-Auth-Mode'] = 'webhook'

    token = base64.b64encode(json.dumps(headers).encode('utf-8')).decode('utf-8')
    headers['Authorization'] = 'Bearer ' + token
    payload = {'headers': headers}
    init_ws_conn(hge_ctx, ws_client, payload)

EXPIRE_TIME_FORMAT = '%a, %d %b %Y %T GMT'


@usefixtures('ws_conn_recreate')
class TestWebhookSubscriptionExpiry(object):
    def test_expiry_with_no_header(self, hge_ctx, ws_client):
        # no expiry time => the connextion will remain alive
        connect_with(hge_ctx, ws_client, {})
        time.sleep(5)
        assert ws_client.remote_closed == False, ws_client.remote_closed

    def test_expiry_with_expires_header(self, hge_ctx, ws_client):
        exp = datetime.utcnow() + timedelta(seconds=6)
        connect_with(hge_ctx, ws_client, {
            'Expires': exp.strftime(EXPIRE_TIME_FORMAT)
        })
        time.sleep(4)
        assert ws_client.remote_closed == False, ws_client.remote_closed
        time.sleep(4)
        assert ws_client.remote_closed == True, ws_client.remote_closed

    def test_expiry_with_cache_control(self, hge_ctx, ws_client):
        connect_with(hge_ctx, ws_client, {
            'Cache-Control': 'max-age=6'
        })
        time.sleep(4)
        assert ws_client.remote_closed == False, ws_client.remote_closed
        time.sleep(4)
        assert ws_client.remote_closed == True, ws_client.remote_closed

    def test_expiry_with_both(self, hge_ctx, ws_client):
        exp = datetime.utcnow() + timedelta(seconds=6)
        connect_with(hge_ctx, ws_client, {
            'Expires': exp.strftime(EXPIRE_TIME_FORMAT),
            'Cache-Control': 'max-age=10',
        })
        # cache-control has precedence, so the expiry time will be five seconds
        time.sleep(4)
        assert ws_client.remote_closed == False, ws_client.remote_closed
        time.sleep(4)
        assert ws_client.remote_closed == False, ws_client.remote_closed
        time.sleep(4)
        assert ws_client.remote_closed == True, ws_client.remote_closed

    def test_expiry_with_parse_error(self, hge_ctx, ws_client):
        exp = datetime.utcnow() + timedelta(seconds=3)
        connect_with(hge_ctx, ws_client, {
            'Expires': exp.strftime('%a, %d %m %Y %T UTC'),
            'Cache-Control': 'maxage=3',
        })
        # neither will parse, the connection will remain alive
        time.sleep(5)
        assert ws_client.remote_closed == False, ws_client.remote_closed
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com> 2020-04-03 03:00:13 +03:00			`from datetime import datetime, timedelta`
			`import math`
			`import json`
			`import time`
			`import base64`

			`import ruamel.yaml as yaml`
			`import pytest`
			`from test_subscriptions import init_ws_conn`
			`from context import PytestConf`


			`if not PytestConf.config.getoption('--hge-webhook'):`
			`pytest.skip('--hge-webhook is missing, skipping webhook expiration tests', allow_module_level=True)`

			`usefixtures = pytest.mark.usefixtures`

			`@pytest.fixture(scope='function')`
			`def ws_conn_recreate(ws_client):`
			`ws_client.recreate_conn()`

			`def connect_with(hge_ctx, ws_client, headers):`
			`headers['X-Hasura-Role'] = 'user'`
			`headers['X-Hasura-User-Id'] = '1234321'`
			`headers['X-Hasura-Auth-Mode'] = 'webhook'`

			`token = base64.b64encode(json.dumps(headers).encode('utf-8')).decode('utf-8')`
			`headers['Authorization'] = 'Bearer ' + token`
			`payload = {'headers': headers}`
			`init_ws_conn(hge_ctx, ws_client, payload)`

			`EXPIRE_TIME_FORMAT = '%a, %d %b %Y %T GMT'`


			`@usefixtures('ws_conn_recreate')`
			`class TestWebhookSubscriptionExpiry(object):`
			`def test_expiry_with_no_header(self, hge_ctx, ws_client):`
			`# no expiry time => the connextion will remain alive`
			`connect_with(hge_ctx, ws_client, {})`
			`time.sleep(5)`
			`assert ws_client.remote_closed == False, ws_client.remote_closed`

			`def test_expiry_with_expires_header(self, hge_ctx, ws_client):`
			`exp = datetime.utcnow() + timedelta(seconds=6)`
			`connect_with(hge_ctx, ws_client, {`
			`'Expires': exp.strftime(EXPIRE_TIME_FORMAT)`
			`})`
			`time.sleep(4)`
			`assert ws_client.remote_closed == False, ws_client.remote_closed`
			`time.sleep(4)`
			`assert ws_client.remote_closed == True, ws_client.remote_closed`

			`def test_expiry_with_cache_control(self, hge_ctx, ws_client):`
			`connect_with(hge_ctx, ws_client, {`
			`'Cache-Control': 'max-age=6'`
			`})`
			`time.sleep(4)`
			`assert ws_client.remote_closed == False, ws_client.remote_closed`
			`time.sleep(4)`
			`assert ws_client.remote_closed == True, ws_client.remote_closed`

			`def test_expiry_with_both(self, hge_ctx, ws_client):`
			`exp = datetime.utcnow() + timedelta(seconds=6)`
			`connect_with(hge_ctx, ws_client, {`
			`'Expires': exp.strftime(EXPIRE_TIME_FORMAT),`
			`'Cache-Control': 'max-age=10',`
			`})`
			`# cache-control has precedence, so the expiry time will be five seconds`
			`time.sleep(4)`
			`assert ws_client.remote_closed == False, ws_client.remote_closed`
			`time.sleep(4)`
			`assert ws_client.remote_closed == False, ws_client.remote_closed`
			`time.sleep(4)`
			`assert ws_client.remote_closed == True, ws_client.remote_closed`

			`def test_expiry_with_parse_error(self, hge_ctx, ws_client):`
			`exp = datetime.utcnow() + timedelta(seconds=3)`
			`connect_with(hge_ctx, ws_client, {`
			`'Expires': exp.strftime('%a, %d %m %Y %T UTC'),`
			`'Cache-Control': 'maxage=3',`
			`})`
			`# neither will parse, the connection will remain alive`
			`time.sleep(5)`
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`assert ws_client.remote_closed == False, ws_client.remote_closed`