import unittest
from aiohttp.test_utils import make_mocked_request as request
from aiohttp.web import HTTPForbidden
from lbry.testcase import AsyncioTestCase
from lbry.conf import Config
from lbry.extras.daemon.security import is_request_allowed as allowed, ensure_request_allowed as ensure
class TestAllowedOrigin(unittest.TestCase):
    """Check the daemon's Origin-header gate under each `allowed_origin` setting.

    `allowed` is `is_request_allowed` (returns a truthy/falsy verdict) and
    `ensure` is `ensure_request_allowed` (expected here to raise
    `HTTPForbidden` and emit a log record when the request is rejected).
    """

    # NOTE(review): every fixture uses a bare host string as the Origin value.
    # Browsers serialise Origin as scheme://host[:port], so how the checker
    # treats such values is not pinned by these tests -- confirm separately.

    def test_allowed_origin_default(self):
        """A default Config accepts only requests that carry no Origin header."""
        config = Config()
        # lack of Origin is always allowed
        self.assertTrue(allowed(request('GET', '/'), config))
        # deny all other Origins ('null' is the literal value browsers send
        # for opaque origins, so it must not be treated as "no Origin")
        for origin in ('null', 'localhost', 'hackers.com'):
            with_origin = request('GET', '/', headers={'Origin': origin})
            self.assertFalse(allowed(with_origin, config))

    def test_allowed_origin_star(self):
        """`allowed_origin='*'` turns the gate off: every request passes."""
        config = Config(allowed_origin='*')
        # everything is allowed
        self.assertTrue(allowed(request('GET', '/'), config))
        for origin in ('null', 'localhost', 'hackers.com'):
            with_origin = request('GET', '/', headers={'Origin': origin})
            self.assertTrue(allowed(with_origin, config))

    def test_allowed_origin_specified(self):
        """A configured origin admits itself and Origin-less requests only."""
        config = Config(allowed_origin='localhost')
        # no origin and only localhost are allowed
        self.assertTrue(allowed(request('GET', '/'), config))
        matching = request('GET', '/', headers={'Origin': 'localhost'})
        self.assertTrue(allowed(matching, config))
        for origin in ('null', 'hackers.com'):
            with_origin = request('GET', '/', headers={'Origin': origin})
            self.assertFalse(allowed(with_origin, config))

    def test_ensure_default(self):
        """Under a default Config, `ensure` rejects any Origin and logs it."""
        config = Config()
        # No Origin header: must return without raising.
        ensure(request('GET', '/'), config)
        with self.assertLogs() as captured:
            rejected = request('GET', '/', headers={'Origin': 'localhost'})
            with self.assertRaises(HTTPForbidden):
                ensure(rejected, config)
            first_record = captured.output[0]
            # The rejected Origin value is named in the log record.
            self.assertIn("'localhost' are not allowed", first_record)

    def test_ensure_specific(self):
        """With a configured origin, `ensure` logs both the offender and the limit."""
        config = Config(allowed_origin='localhost')
        # The configured origin itself must pass without raising.
        ensure(request('GET', '/', headers={'Origin': 'localhost'}), config)
        with self.assertLogs() as captured:
            rejected = request('GET', '/', headers={'Origin': 'hackers.com'})
            with self.assertRaises(HTTPForbidden):
                ensure(rejected, config)
            first_record = captured.output[0]
            self.assertIn("'hackers.com' are not allowed", first_record)
            # The record also states which origin the configuration permits.
            self.assertIn("'allowed_origin' limits requests to: 'localhost'", first_record)