1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
17 "git.curoverse.com/arvados.git/sdk/go/arvadostest"
18 "git.curoverse.com/arvados.git/sdk/go/auth"
19 check "gopkg.in/check.v1"
22 var _ = check.Suite(&UnitSuite{})
24 type UnitSuite struct{}
26 func (s *UnitSuite) TestCORSPreflight(c *check.C) {
27 h := handler{Config: DefaultConfig()}
28 u, _ := url.Parse("http://keep-web.example/c=" + arvadostest.FooCollection + "/foo")
33 RequestURI: u.RequestURI(),
35 "Origin": {"https://workbench.example"},
36 "Access-Control-Request-Method": {"POST"},
40 // Check preflight for an allowed request
41 resp := httptest.NewRecorder()
42 h.ServeHTTP(resp, req)
43 c.Check(resp.Code, check.Equals, http.StatusOK)
44 c.Check(resp.Body.String(), check.Equals, "")
45 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
46 c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST")
47 c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Range")
49 // Check preflight for a disallowed request
50 resp = httptest.NewRecorder()
51 req.Header.Set("Access-Control-Request-Method", "DELETE")
52 h.ServeHTTP(resp, req)
53 c.Check(resp.Body.String(), check.Equals, "")
54 c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed)
57 func (s *UnitSuite) TestInvalidUUID(c *check.C) {
58 bogusID := strings.Replace(arvadostest.FooPdh, "+", "-", 1) + "-"
59 token := arvadostest.ActiveToken
60 for _, trial := range []string{
61 "http://keep-web/c=" + bogusID + "/foo",
62 "http://keep-web/c=" + bogusID + "/t=" + token + "/foo",
63 "http://keep-web/collections/download/" + bogusID + "/" + token + "/foo",
64 "http://keep-web/collections/" + bogusID + "/foo",
65 "http://" + bogusID + ".keep-web/" + bogusID + "/foo",
66 "http://" + bogusID + ".keep-web/t=" + token + "/" + bogusID + "/foo",
69 u, err := url.Parse(trial)
70 c.Assert(err, check.IsNil)
75 RequestURI: u.RequestURI(),
77 resp := httptest.NewRecorder()
78 cfg := DefaultConfig()
79 cfg.AnonymousTokens = []string{arvadostest.AnonymousToken}
80 h := handler{Config: cfg}
81 h.ServeHTTP(resp, req)
82 c.Check(resp.Code, check.Equals, http.StatusNotFound)
86 func mustParseURL(s string) *url.URL {
87 r, err := url.Parse(s)
89 panic("parse URL: " + s)
94 func (s *IntegrationSuite) TestVhost404(c *check.C) {
95 for _, testURL := range []string{
96 arvadostest.NonexistentCollection + ".example.com/theperthcountyconspiracy",
97 arvadostest.NonexistentCollection + ".example.com/t=" + arvadostest.ActiveToken + "/theperthcountyconspiracy",
99 resp := httptest.NewRecorder()
100 u := mustParseURL(testURL)
101 req := &http.Request{
104 RequestURI: u.RequestURI(),
106 s.testServer.Handler.ServeHTTP(resp, req)
107 c.Check(resp.Code, check.Equals, http.StatusNotFound)
108 c.Check(resp.Body.String(), check.Equals, "")
112 // An authorizer modifies an HTTP request to make use of the given
113 // token -- by adding it to a header, cookie, query param, or whatever
114 // -- and returns the HTTP status code we should expect from keep-web if
115 // the token is invalid.
116 type authorizer func(*http.Request, string) int
118 func (s *IntegrationSuite) TestVhostViaAuthzHeader(c *check.C) {
119 s.doVhostRequests(c, authzViaAuthzHeader)
121 func authzViaAuthzHeader(r *http.Request, tok string) int {
122 r.Header.Add("Authorization", "OAuth2 "+tok)
123 return http.StatusUnauthorized
126 func (s *IntegrationSuite) TestVhostViaCookieValue(c *check.C) {
127 s.doVhostRequests(c, authzViaCookieValue)
129 func authzViaCookieValue(r *http.Request, tok string) int {
130 r.AddCookie(&http.Cookie{
131 Name: "arvados_api_token",
132 Value: auth.EncodeTokenCookie([]byte(tok)),
134 return http.StatusUnauthorized
137 func (s *IntegrationSuite) TestVhostViaPath(c *check.C) {
138 s.doVhostRequests(c, authzViaPath)
140 func authzViaPath(r *http.Request, tok string) int {
141 r.URL.Path = "/t=" + tok + r.URL.Path
142 return http.StatusNotFound
145 func (s *IntegrationSuite) TestVhostViaQueryString(c *check.C) {
146 s.doVhostRequests(c, authzViaQueryString)
148 func authzViaQueryString(r *http.Request, tok string) int {
149 r.URL.RawQuery = "api_token=" + tok
150 return http.StatusUnauthorized
153 func (s *IntegrationSuite) TestVhostViaPOST(c *check.C) {
154 s.doVhostRequests(c, authzViaPOST)
156 func authzViaPOST(r *http.Request, tok string) int {
158 r.Header.Add("Content-Type", "application/x-www-form-urlencoded")
159 r.Body = ioutil.NopCloser(strings.NewReader(
160 url.Values{"api_token": {tok}}.Encode()))
161 return http.StatusUnauthorized
164 func (s *IntegrationSuite) TestVhostViaXHRPOST(c *check.C) {
165 s.doVhostRequests(c, authzViaPOST)
167 func authzViaXHRPOST(r *http.Request, tok string) int {
169 r.Header.Add("Content-Type", "application/x-www-form-urlencoded")
170 r.Header.Add("Origin", "https://origin.example")
171 r.Body = ioutil.NopCloser(strings.NewReader(
174 "disposition": {"attachment"},
176 return http.StatusUnauthorized
179 // Try some combinations of {url, token} using the given authorization
180 // mechanism, and verify the result is correct.
181 func (s *IntegrationSuite) doVhostRequests(c *check.C, authz authorizer) {
182 for _, hostPath := range []string{
183 arvadostest.FooCollection + ".example.com/foo",
184 arvadostest.FooCollection + "--collections.example.com/foo",
185 arvadostest.FooCollection + "--collections.example.com/_/foo",
186 arvadostest.FooPdh + ".example.com/foo",
187 strings.Replace(arvadostest.FooPdh, "+", "-", -1) + "--collections.example.com/foo",
188 arvadostest.FooBarDirCollection + ".example.com/dir1/foo",
190 c.Log("doRequests: ", hostPath)
191 s.doVhostRequestsWithHostPath(c, authz, hostPath)
195 func (s *IntegrationSuite) doVhostRequestsWithHostPath(c *check.C, authz authorizer, hostPath string) {
196 for _, tok := range []string{
197 arvadostest.ActiveToken,
198 arvadostest.ActiveToken[:15],
199 arvadostest.SpectatorToken,
203 u := mustParseURL("http://" + hostPath)
204 req := &http.Request{
208 RequestURI: u.RequestURI(),
209 Header: http.Header{},
211 failCode := authz(req, tok)
212 req, resp := s.doReq(req)
213 code, body := resp.Code, resp.Body.String()
215 // If the initial request had a (non-empty) token
216 // showing in the query string, we should have been
217 // redirected in order to hide it in a cookie.
218 c.Check(req.URL.String(), check.Not(check.Matches), `.*api_token=.+`)
220 if tok == arvadostest.ActiveToken {
221 c.Check(code, check.Equals, http.StatusOK)
222 c.Check(body, check.Equals, "foo")
225 c.Check(code >= 400, check.Equals, true)
226 c.Check(code < 500, check.Equals, true)
227 if tok == arvadostest.SpectatorToken {
228 // Valid token never offers to retry
229 // with different credentials.
230 c.Check(code, check.Equals, http.StatusNotFound)
232 // Invalid token can ask to retry
233 // depending on the authz method.
234 c.Check(code, check.Equals, failCode)
236 c.Check(body, check.Equals, "")
241 func (s *IntegrationSuite) doReq(req *http.Request) (*http.Request, *httptest.ResponseRecorder) {
242 resp := httptest.NewRecorder()
243 s.testServer.Handler.ServeHTTP(resp, req)
244 if resp.Code != http.StatusSeeOther {
247 cookies := (&http.Response{Header: resp.Header()}).Cookies()
248 u, _ := req.URL.Parse(resp.Header().Get("Location"))
253 RequestURI: u.RequestURI(),
254 Header: http.Header{},
256 for _, c := range cookies {
262 func (s *IntegrationSuite) TestVhostRedirectQueryTokenToCookie(c *check.C) {
263 s.testVhostRedirectTokenToCookie(c, "GET",
264 arvadostest.FooCollection+".example.com/foo",
265 "?api_token="+arvadostest.ActiveToken,
273 func (s *IntegrationSuite) TestSingleOriginSecretLink(c *check.C) {
274 s.testVhostRedirectTokenToCookie(c, "GET",
275 "example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.ActiveToken+"/foo",
284 // Bad token in URL is 404 Not Found because it doesn't make sense to
285 // retry the same URL with different authorization.
286 func (s *IntegrationSuite) TestSingleOriginSecretLinkBadToken(c *check.C) {
287 s.testVhostRedirectTokenToCookie(c, "GET",
288 "example.com/c="+arvadostest.FooCollection+"/t=bogus/foo",
297 // Bad token in a cookie (even if it got there via our own
298 // query-string-to-cookie redirect) is, in principle, retryable at the
299 // same URL so it's 401 Unauthorized.
300 func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) {
301 s.testVhostRedirectTokenToCookie(c, "GET",
302 arvadostest.FooCollection+".example.com/foo",
303 "?api_token=thisisabogustoken",
306 http.StatusUnauthorized,
311 func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check.C) {
312 s.testVhostRedirectTokenToCookie(c, "GET",
313 "example.com/c="+arvadostest.FooCollection+"/foo",
314 "?api_token="+arvadostest.ActiveToken,
317 http.StatusBadRequest,
322 // If client requests an attachment by putting ?disposition=attachment
323 // in the query string, and gets redirected, the redirect target
324 // should respond with an attachment.
325 func (s *IntegrationSuite) TestVhostRedirectQueryTokenRequestAttachment(c *check.C) {
326 resp := s.testVhostRedirectTokenToCookie(c, "GET",
327 arvadostest.FooCollection+".example.com/foo",
328 "?disposition=attachment&api_token="+arvadostest.ActiveToken,
334 c.Check(strings.Split(resp.Header().Get("Content-Disposition"), ";")[0], check.Equals, "attachment")
337 func (s *IntegrationSuite) TestVhostRedirectQueryTokenTrustAllContent(c *check.C) {
338 s.testServer.Config.TrustAllContent = true
339 s.testVhostRedirectTokenToCookie(c, "GET",
340 "example.com/c="+arvadostest.FooCollection+"/foo",
341 "?api_token="+arvadostest.ActiveToken,
349 func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *check.C) {
350 s.testServer.Config.AttachmentOnlyHost = "example.com:1234"
352 s.testVhostRedirectTokenToCookie(c, "GET",
353 "example.com/c="+arvadostest.FooCollection+"/foo",
354 "?api_token="+arvadostest.ActiveToken,
357 http.StatusBadRequest,
361 resp := s.testVhostRedirectTokenToCookie(c, "GET",
362 "example.com:1234/c="+arvadostest.FooCollection+"/foo",
363 "?api_token="+arvadostest.ActiveToken,
369 c.Check(resp.Header().Get("Content-Disposition"), check.Equals, "attachment")
372 func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie(c *check.C) {
373 s.testVhostRedirectTokenToCookie(c, "POST",
374 arvadostest.FooCollection+".example.com/foo",
376 "application/x-www-form-urlencoded",
377 url.Values{"api_token": {arvadostest.ActiveToken}}.Encode(),
383 func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie404(c *check.C) {
384 s.testVhostRedirectTokenToCookie(c, "POST",
385 arvadostest.FooCollection+".example.com/foo",
387 "application/x-www-form-urlencoded",
388 url.Values{"api_token": {arvadostest.SpectatorToken}}.Encode(),
394 func (s *IntegrationSuite) TestAnonymousTokenOK(c *check.C) {
395 s.testServer.Config.AnonymousTokens = []string{arvadostest.AnonymousToken}
396 s.testVhostRedirectTokenToCookie(c, "GET",
397 "example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
406 func (s *IntegrationSuite) TestAnonymousTokenError(c *check.C) {
407 s.testServer.Config.AnonymousTokens = []string{"anonymousTokenConfiguredButInvalid"}
408 s.testVhostRedirectTokenToCookie(c, "GET",
409 "example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
418 // XHRs can't follow redirect-with-cookie so they rely on method=POST
419 // and disposition=attachment (telling us it's acceptable to respond
420 // with content instead of a redirect) and an Origin header that gets
421 // added automatically by the browser (telling us it's desirable to do
423 func (s *IntegrationSuite) TestXHRNoRedirect(c *check.C) {
424 u, _ := url.Parse("http://example.com/c=" + arvadostest.FooCollection + "/foo")
425 req := &http.Request{
429 RequestURI: u.RequestURI(),
431 "Origin": {"https://origin.example"},
432 "Content-Type": {"application/x-www-form-urlencoded"},
434 Body: ioutil.NopCloser(strings.NewReader(url.Values{
435 "api_token": {arvadostest.ActiveToken},
436 "disposition": {"attachment"},
439 resp := httptest.NewRecorder()
440 s.testServer.Handler.ServeHTTP(resp, req)
441 c.Check(resp.Code, check.Equals, http.StatusOK)
442 c.Check(resp.Body.String(), check.Equals, "foo")
443 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
446 func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString, contentType, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder {
447 u, _ := url.Parse(`http://` + hostPath + queryString)
448 req := &http.Request{
452 RequestURI: u.RequestURI(),
453 Header: http.Header{"Content-Type": {contentType}},
454 Body: ioutil.NopCloser(strings.NewReader(reqBody)),
457 resp := httptest.NewRecorder()
459 c.Check(resp.Code, check.Equals, expectStatus)
460 c.Check(resp.Body.String(), check.Equals, expectRespBody)
463 s.testServer.Handler.ServeHTTP(resp, req)
464 if resp.Code != http.StatusSeeOther {
467 c.Check(resp.Body.String(), check.Matches, `.*href="//`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
468 cookies := (&http.Response{Header: resp.Header()}).Cookies()
470 u, _ = u.Parse(resp.Header().Get("Location"))
475 RequestURI: u.RequestURI(),
476 Header: http.Header{},
478 for _, c := range cookies {
482 resp = httptest.NewRecorder()
483 s.testServer.Handler.ServeHTTP(resp, req)
484 c.Check(resp.Header().Get("Location"), check.Equals, "")
488 func (s *IntegrationSuite) TestDirectoryListing(c *check.C) {
489 s.testServer.Config.AttachmentOnlyHost = "download.example.com"
490 authHeader := http.Header{
491 "Authorization": {"OAuth2 " + arvadostest.ActiveToken},
493 for _, trial := range []struct {
500 uri: strings.Replace(arvadostest.FooAndBarFilesInDirPDH, "+", "-", -1) + ".example.com/",
502 expect: []string{"dir1/foo", "dir1/bar"},
506 uri: strings.Replace(arvadostest.FooAndBarFilesInDirPDH, "+", "-", -1) + ".example.com/dir1/",
508 expect: []string{"foo", "bar"},
512 uri: "download.example.com/collections/" + arvadostest.FooAndBarFilesInDirUUID + "/",
514 expect: []string{"dir1/foo", "dir1/bar"},
518 uri: "collections.example.com/collections/download/" + arvadostest.FooAndBarFilesInDirUUID + "/" + arvadostest.ActiveToken + "/",
520 expect: []string{"dir1/foo", "dir1/bar"},
524 uri: "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/t=" + arvadostest.ActiveToken + "/",
526 expect: []string{"dir1/foo", "dir1/bar"},
530 uri: "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/dir1/",
532 expect: []string{"foo", "bar"},
536 uri: "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/_/dir1/",
538 expect: []string{"foo", "bar"},
542 uri: arvadostest.FooAndBarFilesInDirUUID + ".example.com/dir1?api_token=" + arvadostest.ActiveToken,
544 expect: []string{"foo", "bar"},
548 uri: "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/theperthcountyconspiracydoesnotexist/",
553 c.Logf("%q => %q", trial.uri, trial.expect)
554 resp := httptest.NewRecorder()
555 u := mustParseURL("//" + trial.uri)
556 req := &http.Request{
560 RequestURI: u.RequestURI(),
561 Header: trial.header,
563 s.testServer.Handler.ServeHTTP(resp, req)
564 var cookies []*http.Cookie
565 for resp.Code == http.StatusSeeOther {
566 u, _ := req.URL.Parse(resp.Header().Get("Location"))
571 RequestURI: u.RequestURI(),
572 Header: http.Header{},
574 cookies = append(cookies, (&http.Response{Header: resp.Header()}).Cookies()...)
575 for _, c := range cookies {
578 resp = httptest.NewRecorder()
579 s.testServer.Handler.ServeHTTP(resp, req)
581 if trial.expect == nil {
582 c.Check(resp.Code, check.Equals, http.StatusNotFound)
584 c.Check(resp.Code, check.Equals, http.StatusOK)
585 for _, e := range trial.expect {
586 c.Check(resp.Body.String(), check.Matches, `(?ms).*href="`+e+`".*`)
588 c.Check(resp.Body.String(), check.Matches, `(?ms).*--cut-dirs=`+fmt.Sprintf("%d", trial.cutDirs)+` .*`)
projects / arvados.git / blob