2021-10-20 05:52:15 +00:00
|
|
|
package session
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
type config struct {
|
|
|
|
username string
|
|
|
|
password string
|
|
|
|
dangerousAllowPublicWithoutAuth bool
|
|
|
|
securityTripwireAccessedFromPublicInternet string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *config) HasCredentials() bool {
|
|
|
|
return c.username != "" && c.password != ""
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *config) GetDangerousAllowPublicWithoutAuth() bool {
|
|
|
|
return c.dangerousAllowPublicWithoutAuth
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *config) GetSecurityTripwireAccessedFromPublicInternet() string {
|
|
|
|
return c.securityTripwireAccessedFromPublicInternet
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *config) IsNewSystem() bool {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-10-20 05:52:15 +00:00
|
|
|
func TestCheckAllowPublicWithoutAuth(t *testing.T) {
|
2022-03-17 00:33:59 +00:00
|
|
|
c := &config{}
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
doTest := func(caseIndex int, r *http.Request, expectedErr interface{}) {
|
|
|
|
t.Helper()
|
|
|
|
err := CheckAllowPublicWithoutAuth(c, r)
|
|
|
|
|
|
|
|
if expectedErr == nil && err == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if expectedErr == nil {
|
|
|
|
t.Errorf("[%d]: unexpected error: %v", caseIndex, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if !errors.As(err, expectedErr) {
|
|
|
|
t.Errorf("[%d]: expected %T, got %v (%T)", caseIndex, expectedErr, err, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
// direct connection tests
|
|
|
|
testCases := []struct {
|
|
|
|
address string
|
|
|
|
err error
|
|
|
|
}{
|
|
|
|
{"192.168.1.1:8080", nil},
|
|
|
|
{"192.168.1.1:8080", nil},
|
|
|
|
{"100.64.0.1:8080", nil},
|
|
|
|
{"127.0.0.1:8080", nil},
|
|
|
|
{"[::1]:8080", nil},
|
|
|
|
{"[fe80::c081:1c1a:ae39:d3cd%Ethernet 5]:9999", nil},
|
|
|
|
{"193.168.1.1:8080", &ExternalAccessError{}},
|
|
|
|
{"[2002:9fc4:ed97:e472:5170:5766:520c:c901]:9999", &ExternalAccessError{}},
|
|
|
|
}
|
|
|
|
|
|
|
|
// try with no X-FORWARDED-FOR and valid one
|
|
|
|
xFwdVals := []string{"", "192.168.1.1"}
|
|
|
|
|
|
|
|
for i, xFwdVal := range xFwdVals {
|
|
|
|
header := make(http.Header)
|
|
|
|
header.Set("X-FORWARDED-FOR", xFwdVal)
|
|
|
|
|
|
|
|
for ii, tc := range testCases {
|
|
|
|
r := &http.Request{
|
|
|
|
RemoteAddr: tc.address,
|
|
|
|
Header: header,
|
|
|
|
}
|
|
|
|
|
|
|
|
doTest((i*len(testCases) + ii), r, tc.err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2022-02-02 23:16:22 +00:00
|
|
|
// X-FORWARDED-FOR
|
2021-10-20 05:52:15 +00:00
|
|
|
testCases := []struct {
|
|
|
|
proxyChain string
|
|
|
|
err error
|
|
|
|
}{
|
|
|
|
{"192.168.1.1, 192.168.1.2, 100.64.0.1, 127.0.0.1", nil},
|
|
|
|
{"192.168.1.1, 193.168.1.1", &ExternalAccessError{}},
|
|
|
|
{"193.168.1.1, 192.168.1.1", &ExternalAccessError{}},
|
|
|
|
}
|
|
|
|
|
|
|
|
const remoteAddr = "192.168.1.1:8080"
|
|
|
|
|
|
|
|
header := make(http.Header)
|
|
|
|
|
|
|
|
for i, tc := range testCases {
|
|
|
|
header.Set("X-FORWARDED-FOR", tc.proxyChain)
|
|
|
|
r := &http.Request{
|
|
|
|
RemoteAddr: remoteAddr,
|
|
|
|
Header: header,
|
|
|
|
}
|
|
|
|
|
|
|
|
doTest(i, r, tc.err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
// test invalid request IPs
|
|
|
|
invalidIPs := []string{"192.168.1.a:9999", "192.168.1.1"}
|
|
|
|
|
|
|
|
for _, remoteAddr := range invalidIPs {
|
|
|
|
r := &http.Request{
|
|
|
|
RemoteAddr: remoteAddr,
|
|
|
|
}
|
|
|
|
|
|
|
|
err := CheckAllowPublicWithoutAuth(c, r)
|
|
|
|
if err == nil {
|
|
|
|
t.Errorf("[%s]: expected error", remoteAddr)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
// test overrides
|
|
|
|
r := &http.Request{
|
|
|
|
RemoteAddr: "193.168.1.1:8080",
|
|
|
|
}
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.username = "admin"
|
|
|
|
c.password = "admin"
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckAllowPublicWithoutAuth(c, r); err != nil {
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
|
|
|
}
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.username = ""
|
|
|
|
c.password = ""
|
2021-10-20 05:52:15 +00:00
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.dangerousAllowPublicWithoutAuth = true
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckAllowPublicWithoutAuth(c, r); err != nil {
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestCheckExternalAccessTripwire(t *testing.T) {
|
2022-03-17 00:33:59 +00:00
|
|
|
c := &config{}
|
|
|
|
c.securityTripwireAccessedFromPublicInternet = "4.4.4.4"
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
// always return nil if authentication configured or dangerous key set
|
2022-03-17 00:33:59 +00:00
|
|
|
c.username = "admin"
|
|
|
|
c.password = "admin"
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckExternalAccessTripwire(c); err != nil {
|
|
|
|
t.Errorf("unexpected error %v", err)
|
|
|
|
}
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.username = ""
|
|
|
|
c.password = ""
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
// HACK - this key isn't publically exposed
|
2022-03-17 00:33:59 +00:00
|
|
|
c.dangerousAllowPublicWithoutAuth = true
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckExternalAccessTripwire(c); err != nil {
|
|
|
|
t.Errorf("unexpected error %v", err)
|
|
|
|
}
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.dangerousAllowPublicWithoutAuth = false
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckExternalAccessTripwire(c); err == nil {
|
|
|
|
t.Errorf("expected error %v", ExternalAccessError("4.4.4.4"))
|
|
|
|
}
|
|
|
|
|
2022-03-17 00:33:59 +00:00
|
|
|
c.securityTripwireAccessedFromPublicInternet = ""
|
2021-10-20 05:52:15 +00:00
|
|
|
|
|
|
|
if err := CheckExternalAccessTripwire(c); err != nil {
|
|
|
|
t.Errorf("unexpected error %v", err)
|
|
|
|
}
|
|
|
|
}
|