webssh/tests/test_handler.py

import unittest
import paramiko

from tornado.httputil import HTTPServerRequest
from tornado.options import options
from tests.utils import read_file, make_tests_data_path
from webssh import handler
from webssh.handler import (
    MixinHandler, IndexHandler, WsockHandler, InvalidValueError
)

try:
    from unittest.mock import Mock
except ImportError:
    from mock import Mock


class TestMixinHandler(unittest.TestCase):

    def test_is_forbidden(self):
        mhandler = MixinHandler()
        handler.redirecting = True
        options.fbidhttp = True

        context = Mock(
            address=('8.8.8.8', 8888),
            trusted_downstream=['127.0.0.1'],
            _orig_protocol='http'
        )
        hostname = '4.4.4.4'
        self.assertTrue(mhandler.is_forbidden(context, hostname))

        context = Mock(
            address=('8.8.8.8', 8888),
            trusted_downstream=[],
            _orig_protocol='http'
        )
        hostname = 'www.google.com'
        self.assertEqual(mhandler.is_forbidden(context, hostname), False)

        context = Mock(
            address=('8.8.8.8', 8888),
            trusted_downstream=[],
            _orig_protocol='http'
        )
        hostname = '4.4.4.4'
        self.assertTrue(mhandler.is_forbidden(context, hostname))

        context = Mock(
            address=('192.168.1.1', 8888),
            trusted_downstream=[],
            _orig_protocol='http'
        )
        hostname = 'www.google.com'
        self.assertIsNone(mhandler.is_forbidden(context, hostname))

        options.fbidhttp = False
        self.assertIsNone(mhandler.is_forbidden(context, hostname))

        hostname = '4.4.4.4'
        self.assertIsNone(mhandler.is_forbidden(context, hostname))

        handler.redirecting = False
        self.assertIsNone(mhandler.is_forbidden(context, hostname))

        context._orig_protocol = 'https'
        self.assertIsNone(mhandler.is_forbidden(context, hostname))

    def test_get_redirect_url(self):
        mhandler = MixinHandler()
        hostname = 'www.example.com'
        uri = '/'
        port = 443

        self.assertEqual(
            mhandler.get_redirect_url(hostname, port, uri=uri),
            'https://www.example.com/'
        )

        port = 4433
        self.assertEqual(
            mhandler.get_redirect_url(hostname, port, uri),
            'https://www.example.com:4433/'
        )

    def test_get_client_addr(self):
        mhandler = MixinHandler()
        client_addr = ('8.8.8.8', 8888)
        context_addr = ('127.0.0.1', 1234)
        options.xheaders = True

        mhandler.context = Mock(address=context_addr)
        mhandler.get_real_client_addr = lambda: None
        self.assertEqual(mhandler.get_client_addr(), context_addr)

        mhandler.context = Mock(address=context_addr)
        mhandler.get_real_client_addr = lambda: client_addr
        self.assertEqual(mhandler.get_client_addr(), client_addr)

        options.xheaders = False
        mhandler.context = Mock(address=context_addr)
        mhandler.get_real_client_addr = lambda: client_addr
        self.assertEqual(mhandler.get_client_addr(), context_addr)

    def test_get_real_client_addr(self):
        x_forwarded_for = '1.1.1.1'
        x_forwarded_port = 1111
        x_real_ip = '2.2.2.2'
        x_real_port = 2222
        fake_port = 65535

        mhandler = MixinHandler()
        mhandler.request = HTTPServerRequest(uri='/')
        mhandler.request.remote_ip = x_forwarded_for

        self.assertIsNone(mhandler.get_real_client_addr())

        mhandler.request.headers.add('X-Forwarded-For', x_forwarded_for)
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_forwarded_for, fake_port))

        mhandler.request.headers.add('X-Forwarded-Port', fake_port + 1)
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_forwarded_for, fake_port))

        mhandler.request.headers['X-Forwarded-Port'] = x_forwarded_port
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_forwarded_for, x_forwarded_port))

        mhandler.request.remote_ip = x_real_ip

        mhandler.request.headers.add('X-Real-Ip', x_real_ip)
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_real_ip, fake_port))

        mhandler.request.headers.add('X-Real-Port', fake_port + 1)
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_real_ip, fake_port))

        mhandler.request.headers['X-Real-Port'] = x_real_port
        self.assertEqual(mhandler.get_real_client_addr(),
                         (x_real_ip, x_real_port))


class TestIndexHandler(unittest.TestCase):

    def test_get_specific_pkey_with_plain_key(self):
        fname = 'test_rsa.key'
        cls = paramiko.RSAKey
        key = read_file(make_tests_data_path(fname))

        pkey = IndexHandler.get_specific_pkey(cls, key, None)
        self.assertIsInstance(pkey, cls)

        pkey = IndexHandler.get_specific_pkey(cls, key, 'iginored')
        self.assertIsInstance(pkey, cls)

        pkey = IndexHandler.get_specific_pkey(cls, 'x'+key, None)
        self.assertIsNone(pkey)

    def test_get_specific_pkey_with_encrypted_key(self):
        fname = 'test_rsa_password.key'
        cls = paramiko.RSAKey
        password = 'television'

        key = read_file(make_tests_data_path(fname))
        pkey = IndexHandler.get_specific_pkey(cls, key, password)
        self.assertIsInstance(pkey, cls)

        pkey = IndexHandler.get_specific_pkey(cls, 'x'+key, None)
        self.assertIsNone(pkey)

        with self.assertRaises(paramiko.PasswordRequiredException):
            pkey = IndexHandler.get_specific_pkey(cls, key, None)

    def test_get_pkey_obj_with_plain_key(self):
        fname = 'test_ed25519.key'
        cls = paramiko.Ed25519Key
        key = read_file(make_tests_data_path(fname))

        pkey = IndexHandler.get_pkey_obj(key, None, fname)
        self.assertIsInstance(pkey, cls)

        pkey = IndexHandler.get_pkey_obj(key, 'iginored', fname)
        self.assertIsInstance(pkey, cls)

        with self.assertRaises(InvalidValueError) as ctx:
            pkey = IndexHandler.get_pkey_obj('x'+key, None, fname)
        self.assertIn('Invalid private key', str(ctx.exception))

    def test_get_pkey_obj_with_encrypted_key(self):
        fname = 'test_ed25519_password.key'
        password = 'abc123'
        cls = paramiko.Ed25519Key
        key = read_file(make_tests_data_path(fname))

        pkey = IndexHandler.get_pkey_obj(key, password, fname)
        self.assertIsInstance(pkey, cls)

        with self.assertRaises(InvalidValueError) as ctx:
            pkey = IndexHandler.get_pkey_obj(key, 'wrongpass', fname)
        self.assertIn('Wrong password', str(ctx.exception))

        with self.assertRaises(InvalidValueError) as ctx:
            pkey = IndexHandler.get_pkey_obj('x'+key, '', fname)
        self.assertIn('Invalid private key', str(ctx.exception))

        with self.assertRaises(paramiko.PasswordRequiredException):
            pkey = IndexHandler.get_pkey_obj(key, '', fname)


class TestWsockHandler(unittest.TestCase):

    def test_check_origin(self):
        request = HTTPServerRequest(uri='/')
        obj = Mock(spec=WsockHandler, request=request)

        obj.origin_policy = 'same'
        request.headers['Host'] = 'www.example.com:4433'
        origin = 'https://www.example.com:4433'
        self.assertTrue(WsockHandler.check_origin(obj, origin))

        origin = 'https://www.example.com'
        self.assertFalse(WsockHandler.check_origin(obj, origin))

        obj.origin_policy = 'primary'
        self.assertTrue(WsockHandler.check_origin(obj, origin))

        origin = 'https://blog.example.com'
        self.assertTrue(WsockHandler.check_origin(obj, origin))

        origin = 'https://blog.example.org'
        self.assertFalse(WsockHandler.check_origin(obj, origin))

        origin = 'https://blog.example.org'
        obj.origin_policy = {'https://blog.example.org'}
        self.assertTrue(WsockHandler.check_origin(obj, origin))

        origin = 'http://blog.example.org'
        obj.origin_policy = {'http://blog.example.org'}
        self.assertTrue(WsockHandler.check_origin(obj, origin))

        origin = 'http://blog.example.org'
        obj.origin_policy = {'https://blog.example.org'}
        self.assertFalse(WsockHandler.check_origin(obj, origin))

        obj.origin_policy = '*'
        origin = 'https://blog.example.org'
        self.assertTrue(WsockHandler.check_origin(obj, origin))
Added test_handler.py 7 years ago			`import unittest`
Updated test_handler.py 7 years ago			`import paramiko`
Added test_handler.py 7 years ago
Use HTTPServerRequest instead 7 years ago			`from tornado.httputil import HTTPServerRequest`
Always reset fbidhttp to False if not open to public 6 years ago			`from tornado.options import options`
Move all tests data into a separate directory 6 years ago			`from tests.utils import read_file, make_tests_data_path`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`from webssh import handler`
Use open_to_public to store the status of the http(s) server 6 years ago			`from webssh.handler import (`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`MixinHandler, IndexHandler, WsockHandler, InvalidValueError`
Use open_to_public to store the status of the http(s) server 6 years ago			`)`
Added test_handler.py 7 years ago
Block requests not come from trusted_downstream and public non-https requests 6 years ago			`try:`
			`from unittest.mock import Mock`
			`except ImportError:`
			`from mock import Mock`

Added test_handler.py 7 years ago
			`class TestMixinHandler(unittest.TestCase):`

Block requests not come from trusted_downstream and public non-https requests 6 years ago			`def test_is_forbidden(self):`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler = MixinHandler()`
Refactored method is_forbidden 6 years ago			`handler.redirecting = True`
Always reset fbidhttp to False if not open to public 6 years ago			`options.fbidhttp = True`
Block requests not come from trusted_downstream and public non-https requests 6 years ago
Refactored handler.py 6 years ago			`context = Mock(`
Block requests not come from trusted_downstream and public non-https requests 6 years ago			`address=('8.8.8.8', 8888),`
			`trusted_downstream=['127.0.0.1'],`
			`_orig_protocol='http'`
			`)`
Refactored method is_forbidden 6 years ago			`hostname = '4.4.4.4'`
			`self.assertTrue(mhandler.is_forbidden(context, hostname))`
Block requests not come from trusted_downstream and public non-https requests 6 years ago
Refactored handler.py 6 years ago			`context = Mock(`
Block requests not come from trusted_downstream and public non-https requests 6 years ago			`address=('8.8.8.8', 8888),`
			`trusted_downstream=[],`
			`_orig_protocol='http'`
			`)`
Support redirecting http to https 6 years ago			`hostname = 'www.google.com'`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`self.assertEqual(mhandler.is_forbidden(context, hostname), False)`

Refactored handler.py 6 years ago			`context = Mock(`
Block requests not come from trusted_downstream and public non-https requests 6 years ago			`address=('8.8.8.8', 8888),`
			`trusted_downstream=[],`
Refactored method is_forbidden 6 years ago			`_orig_protocol='http'`
Block requests not come from trusted_downstream and public non-https requests 6 years ago			`)`
Refactored method is_forbidden 6 years ago			`hostname = '4.4.4.4'`
			`self.assertTrue(mhandler.is_forbidden(context, hostname))`
Support redirecting http to https 6 years ago
			`context = Mock(`
Refactored method is_forbidden 6 years ago			`address=('192.168.1.1', 8888),`
Support redirecting http to https 6 years ago			`trusted_downstream=[],`
			`_orig_protocol='http'`
			`)`
Refactored method is_forbidden 6 years ago			`hostname = 'www.google.com'`
			`self.assertIsNone(mhandler.is_forbidden(context, hostname))`
Removed function for detecting whether the http(s) server is open to public 6 years ago
			`options.fbidhttp = False`
			`self.assertIsNone(mhandler.is_forbidden(context, hostname))`
Refactored method is_forbidden 6 years ago
			`hostname = '4.4.4.4'`
			`self.assertIsNone(mhandler.is_forbidden(context, hostname))`

			`handler.redirecting = False`
			`self.assertIsNone(mhandler.is_forbidden(context, hostname))`

			`context._orig_protocol = 'https'`
			`self.assertIsNone(mhandler.is_forbidden(context, hostname))`
Support redirecting http to https 6 years ago
			`def test_get_redirect_url(self):`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler = MixinHandler()`
Support redirecting http to https 6 years ago			`hostname = 'www.example.com'`
			`uri = '/'`
			`port = 443`

Fixed test_get_redirect_url 6 years ago			`self.assertEqual(`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.get_redirect_url(hostname, port, uri=uri),`
Support redirecting http to https 6 years ago			`'https://www.example.com/'`
			`)`

			`port = 4433`
Fixed test_get_redirect_url 6 years ago			`self.assertEqual(`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.get_redirect_url(hostname, port, uri),`
Support redirecting http to https 6 years ago			`'https://www.example.com:4433/'`
			`)`
Block requests not come from trusted_downstream and public non-https requests 6 years ago
Added a command line option xheaders 6 years ago			`def test_get_client_addr(self):`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler = MixinHandler()`
Added a command line option xheaders 6 years ago			`client_addr = ('8.8.8.8', 8888)`
			`context_addr = ('127.0.0.1', 1234)`
			`options.xheaders = True`

Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.context = Mock(address=context_addr)`
			`mhandler.get_real_client_addr = lambda: None`
			`self.assertEqual(mhandler.get_client_addr(), context_addr)`
Added a command line option xheaders 6 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.context = Mock(address=context_addr)`
			`mhandler.get_real_client_addr = lambda: client_addr`
			`self.assertEqual(mhandler.get_client_addr(), client_addr)`
Added a command line option xheaders 6 years ago
			`options.xheaders = False`
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.context = Mock(address=context_addr)`
			`mhandler.get_real_client_addr = lambda: client_addr`
			`self.assertEqual(mhandler.get_client_addr(), context_addr)`
Added a command line option xheaders 6 years ago
Updated handler.py and test_hanlder.py 7 years ago			`def test_get_real_client_addr(self):`
Let tornado parse xheaders 6 years ago			`x_forwarded_for = '1.1.1.1'`
			`x_forwarded_port = 1111`
			`x_real_ip = '2.2.2.2'`
			`x_real_port = 2222`
			`fake_port = 65535`

Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler = MixinHandler()`
			`mhandler.request = HTTPServerRequest(uri='/')`
			`mhandler.request.remote_ip = x_forwarded_for`
Let tornado parse xheaders 6 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`self.assertIsNone(mhandler.get_real_client_addr())`
Added test_handler.py 7 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers.add('X-Forwarded-For', x_forwarded_for)`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_forwarded_for, fake_port))`

Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers.add('X-Forwarded-Port', fake_port + 1)`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_forwarded_for, fake_port))`

Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers['X-Forwarded-Port'] = x_forwarded_port`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_forwarded_for, x_forwarded_port))`
Updated test_handler.py 7 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.remote_ip = x_real_ip`
Updated test_handler.py 7 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers.add('X-Real-Ip', x_real_ip)`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_real_ip, fake_port))`
Added test_handler.py 7 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers.add('X-Real-Port', fake_port + 1)`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_real_ip, fake_port))`
Updated handler.py and test_hanlder.py 7 years ago
Removed function for detecting whether the http(s) server is open to public 6 years ago			`mhandler.request.headers['X-Real-Port'] = x_real_port`
			`self.assertEqual(mhandler.get_real_client_addr(),`
Let tornado parse xheaders 6 years ago			`(x_real_ip, x_real_port))`
Updated test_handler.py 7 years ago

			`class TestIndexHandler(unittest.TestCase):`

			`def test_get_specific_pkey_with_plain_key(self):`
			`fname = 'test_rsa.key'`
			`cls = paramiko.RSAKey`
Move all tests data into a separate directory 6 years ago			`key = read_file(make_tests_data_path(fname))`
Fixed assertion in rasied exception context 6 years ago
Updated test_handler.py 7 years ago			`pkey = IndexHandler.get_specific_pkey(cls, key, None)`
			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
Added to_bytes function to utils 6 years ago			`pkey = IndexHandler.get_specific_pkey(cls, key, 'iginored')`
Updated test_handler.py 7 years ago			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
Updated test_handler.py 7 years ago			`pkey = IndexHandler.get_specific_pkey(cls, 'x'+key, None)`
			`self.assertIsNone(pkey)`

			`def test_get_specific_pkey_with_encrypted_key(self):`
			`fname = 'test_rsa_password.key'`
			`cls = paramiko.RSAKey`
Added to_bytes function to utils 6 years ago			`password = 'television'`
Updated test_handler.py 7 years ago
Move all tests data into a separate directory 6 years ago			`key = read_file(make_tests_data_path(fname))`
Updated test_handler.py 7 years ago			`pkey = IndexHandler.get_specific_pkey(cls, key, password)`
			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
Updated test_handler.py 7 years ago			`pkey = IndexHandler.get_specific_pkey(cls, 'x'+key, None)`
			`self.assertIsNone(pkey)`

Return 400 http error for invalid post requests 6 years ago			`with self.assertRaises(paramiko.PasswordRequiredException):`
Updated test_handler.py 7 years ago			`pkey = IndexHandler.get_specific_pkey(cls, key, None)`

			`def test_get_pkey_obj_with_plain_key(self):`
			`fname = 'test_ed25519.key'`
			`cls = paramiko.Ed25519Key`
Move all tests data into a separate directory 6 years ago			`key = read_file(make_tests_data_path(fname))`
Fixed assertion in rasied exception context 6 years ago
Changed validation error messages 6 years ago			`pkey = IndexHandler.get_pkey_obj(key, None, fname)`
Updated test_handler.py 7 years ago			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
Changed validation error messages 6 years ago			`pkey = IndexHandler.get_pkey_obj(key, 'iginored', fname)`
Updated test_handler.py 7 years ago			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
			`with self.assertRaises(InvalidValueError) as ctx:`
Changed validation error messages 6 years ago			`pkey = IndexHandler.get_pkey_obj('x'+key, None, fname)`
Fixed assertion in rasied exception context 6 years ago			`self.assertIn('Invalid private key', str(ctx.exception))`
Updated test_handler.py 7 years ago
			`def test_get_pkey_obj_with_encrypted_key(self):`
			`fname = 'test_ed25519_password.key'`
			`password = 'abc123'`
			`cls = paramiko.Ed25519Key`
Move all tests data into a separate directory 6 years ago			`key = read_file(make_tests_data_path(fname))`
Fixed assertion in rasied exception context 6 years ago
Changed validation error messages 6 years ago			`pkey = IndexHandler.get_pkey_obj(key, password, fname)`
Updated test_handler.py 7 years ago			`self.assertIsInstance(pkey, cls)`
Fixed assertion in rasied exception context 6 years ago
			`with self.assertRaises(InvalidValueError) as ctx:`
Changed validation error messages 6 years ago			`pkey = IndexHandler.get_pkey_obj(key, 'wrongpass', fname)`
Fixed assertion in rasied exception context 6 years ago			`self.assertIn('Wrong password', str(ctx.exception))`

			`with self.assertRaises(InvalidValueError) as ctx:`
			`pkey = IndexHandler.get_pkey_obj('x'+key, '', fname)`
			`self.assertIn('Invalid private key', str(ctx.exception))`

Pass None for empty password 6 years ago			`with self.assertRaises(paramiko.PasswordRequiredException):`
			`pkey = IndexHandler.get_pkey_obj(key, '', fname)`
Added an option for configuring cross-origin websocket level 6 years ago

			`class TestWsockHandler(unittest.TestCase):`

			`def test_check_origin(self):`
			`request = HTTPServerRequest(uri='/')`
			`obj = Mock(spec=WsockHandler, request=request)`

Support custom origin configuration 6 years ago			`obj.origin_policy = 'same'`
Added an option for configuring cross-origin websocket level 6 years ago			`request.headers['Host'] = 'www.example.com:4433'`
			`origin = 'https://www.example.com:4433'`
			`self.assertTrue(WsockHandler.check_origin(obj, origin))`

			`origin = 'https://www.example.com'`
			`self.assertFalse(WsockHandler.check_origin(obj, origin))`

Support custom origin configuration 6 years ago			`obj.origin_policy = 'primary'`
Added an option for configuring cross-origin websocket level 6 years ago			`self.assertTrue(WsockHandler.check_origin(obj, origin))`

			`origin = 'https://blog.example.com'`
			`self.assertTrue(WsockHandler.check_origin(obj, origin))`

			`origin = 'https://blog.example.org'`
			`self.assertFalse(WsockHandler.check_origin(obj, origin))`

Support custom origin configuration 6 years ago			`origin = 'https://blog.example.org'`
			`obj.origin_policy = {'https://blog.example.org'}`
			`self.assertTrue(WsockHandler.check_origin(obj, origin))`

			`origin = 'http://blog.example.org'`
			`obj.origin_policy = {'http://blog.example.org'}`
			`self.assertTrue(WsockHandler.check_origin(obj, origin))`

			`origin = 'http://blog.example.org'`
			`obj.origin_policy = {'https://blog.example.org'}`
			`self.assertFalse(WsockHandler.check_origin(obj, origin))`

			`obj.origin_policy = '*'`
			`origin = 'https://blog.example.org'`
Added an option for configuring cross-origin websocket level 6 years ago			`self.assertTrue(WsockHandler.check_origin(obj, origin))`