graphql-engine/server/tests-py/test_auth_webhook_cookie.py

import json
import threading
from urllib.parse import urlparse

import websocket
import pytest
from validate import check_query
from context import PytestConf

if not PytestConf.config.getoption("--hge-webhook"):
    pytest.skip("--hge-webhook flag is missing, skipping tests", allow_module_level=True)

if not PytestConf.config.getoption("--test-auth-webhook-header"):
    pytest.skip("--test-auth-webhook-header flag is missing, skipping tests", allow_module_level=True)

@pytest.mark.usefixtures('auth_hook', 'per_class_tests_db_state')
class TestWebhookHeaderCookie(object):
    '''
        To run the test, run an instance of the auth_webhook server using `python3 auth_webhook_server.py`
    '''
    @classmethod
    def dir(cls):
        return 'webhook/insecure'

    def test_single_set_cookie_header_in_response(self, hge_ctx):
        query = """
          query allUsers {
            author {
              id
              name
            }
          }
        """

        query_obj = {
            "query": query,
            "operationName": "allUsers"
        }

        headers = {}

        headers['cookie'] = "Test"
        headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example.com"

        code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)
        print("Status Code: ", code)
        print("Response: ", resp)
        print("Headers: ", respHeaders)

        assert 'Set-Cookie' in respHeaders
        assert respHeaders['Set-Cookie'] == "__Host-id=1; Secure; Path=/; Domain=example.com"

    def test_duplicate_set_cookie_header_in_response(self, hge_ctx):
        query = """
          query allUsers {
            author {
              id
              name
            }
          }
        """

        query_obj = {
            "query": query,
            "operationName": "allUsers"
        }

        headers = {}

        headers['cookie'] = "Test"
        headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example1.com"
        headers['response-set-cookie-2'] = "__Host-id=2; Secure; Path=/; Domain=example2.com"

        code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)
        print("Status Code: ", code)
        print("Response: ", resp)
        print("Headers: ", respHeaders)

        assert 'Set-Cookie' in respHeaders

        # In python, multiple headers with the same key are concatenated with a comma and
        # then sent back in the response. Refer to: https://github.com/psf/requests/issues/4520
        assert respHeaders['Set-Cookie'] == "__Host-id=2; Secure; Path=/; Domain=example2.com, __Host-id=1; Secure; Path=/; Domain=example1.com"
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`import json`
			`import threading`
			`from urllib.parse import urlparse`

			`import websocket`
			`import pytest`
			`from validate import check_query`
			`from context import PytestConf`

			`if not PytestConf.config.getoption("--hge-webhook"):`
			`pytest.skip("--hge-webhook flag is missing, skipping tests", allow_module_level=True)`

			`if not PytestConf.config.getoption("--test-auth-webhook-header"):`
			`pytest.skip("--test-auth-webhook-header flag is missing, skipping tests", allow_module_level=True)`

server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00			`@pytest.mark.usefixtures('auth_hook', 'per_class_tests_db_state')`
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`class TestWebhookHeaderCookie(object):`
			`'''`
			To run the test, run an instance of the auth_webhook server using `python3 auth_webhook_server.py`
			`'''`
			`@classmethod`
			`def dir(cls):`
			`return 'webhook/insecure'`

			`def test_single_set_cookie_header_in_response(self, hge_ctx):`
			`query = """`
			`query allUsers {`
			`author {`
			`id`
			`name`
			`}`
			`}`
			`"""`

			`query_obj = {`
			`"query": query,`
			`"operationName": "allUsers"`
			`}`

			`headers = {}`

			`headers['cookie'] = "Test"`
			`headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example.com"`

			`code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)`
			`print("Status Code: ", code)`
			`print("Response: ", resp)`
			`print("Headers: ", respHeaders)`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`assert 'Set-Cookie' in respHeaders`
			`assert respHeaders['Set-Cookie'] == "__Host-id=1; Secure; Path=/; Domain=example.com"`

			`def test_duplicate_set_cookie_header_in_response(self, hge_ctx):`
			`query = """`
			`query allUsers {`
			`author {`
			`id`
			`name`
			`}`
			`}`
			`"""`

			`query_obj = {`
			`"query": query,`
			`"operationName": "allUsers"`
			`}`

			`headers = {}`

			`headers['cookie'] = "Test"`
			`headers['response-set-cookie-1'] = "__Host-id=1; Secure; Path=/; Domain=example1.com"`
			`headers['response-set-cookie-2'] = "__Host-id=2; Secure; Path=/; Domain=example2.com"`

			`code, resp, respHeaders = hge_ctx.anyq('/v1/graphql', query_obj, headers)`
			`print("Status Code: ", code)`
			`print("Response: ", resp)`
			`print("Headers: ", respHeaders)`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00
server: forward auth webhook set-cookies header on response > High-Level TODO: * [x] Code Changes * [x] Tests * [x] Check that pro/multitenant build ok * [x] Documentation Changes * [x] Updating this PR with full details * [ ] Reviews * [ ] Ensure code has all FIXMEs and TODOs addressed * [x] Ensure no files are checked in mistakenly * [x] Consider impact on console, cli, etc. ### Description > This PR adds support for adding set-cookie header on the response from the auth webhook. If the set-cookie header is sent by the webhook, it will be forwarded in the graphQL engine response. Fixes a bug in test-server.sh: testing of get-webhook tests was done by POST method and vice versa. To fix, the parameters were swapped. ### Changelog - [x] `CHANGELOG.md` is updated with user-facing content relevant to this PR. ### Affected components - [x] Server - [ ] Console - [ ] CLI - [x] Docs - [ ] Community Content - [ ] Build System - [x] Tests - [ ] Other (list it) ### Related Issues -> Closes [#2269](https://github.com/hasura/graphql-engine/issues/2269) ### Solution and Design > ### Steps to test and verify > Please refer to the docs to see how to send the set-cookie header from webhook. ### Limitations, known bugs & workarounds > - Support for only set-cookie header forwarding is added - the value forwarded in the set-cookie header cannot be validated completely, the [Cookie](https://hackage.haskell.org/package/cookie) package has been used to parse the header value and any unnecessary information is stripped off before forwarding the header. The standard given in [RFC6265](https://datatracker.ietf.org/doc/html/rfc6265) has been followed for the Set-Cookie format. ### Server checklist #### Catalog upgrade Does this PR change Hasura Catalog version? - [x] No - [ ] Yes - [ ] Updated docs with SQL for downgrading the catalog #### Metadata Does this PR add a new Metadata feature? - [x] No #### GraphQL - [x] No new GraphQL schema is generated - [ ] New GraphQL schema is being generated: - [ ] New types and typenames are correlated #### Breaking changes - [x] No Breaking changes PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2538 Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: d9047e997dd221b7ce4fef51911c3694037e7c3f 2021-11-09 15:00:21 +03:00			`assert 'Set-Cookie' in respHeaders`

			`# In python, multiple headers with the same key are concatenated with a comma and`
			`# then sent back in the response. Refer to: https://github.com/psf/requests/issues/4520`
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32 2022-09-29 13:42:47 +03:00			`assert respHeaders['Set-Cookie'] == "__Host-id=2; Secure; Path=/; Domain=example2.com, __Host-id=1; Secure; Path=/; Domain=example1.com"`