core - Optimize cors tests

This commit is contained in:
Théophile Diot 2023-05-18 09:05:07 -04:00
parent 3f51f59bcb
commit 7158e7e9a1
No known key found for this signature in database
GPG Key ID: E752C80DB72BB014
4 changed files with 165 additions and 156 deletions


@ -5,6 +5,7 @@ services:
build: .
environment:
PYTHONUNBUFFERED: "1"
GENERATE_SELF_SIGNED_SSL: "no"
USE_CORS: "no"
CORS_ALLOW_ORIGIN: "*"
CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"


@ -15,7 +15,7 @@ services:
USE_BUNKERNET: "no"
USE_BLACKLIST: "no"
LOG_LEVEL: "info"
GENERATE_SELF_SIGNED_SSL: "yes"
GENERATE_SELF_SIGNED_SSL: "no"
ALLOWED_METHODS: "GET|POST|HEAD|OPTIONS"
# ? CORS settings


@ -9,12 +9,14 @@ from time import sleep
try:
ssl = getenv("GENERATE_SELF_SIGNED_SSL", "no") == "yes"
ready = False
retries = 0
while not ready:
with suppress(RequestException):
status_code = get(
"https://www.example.com",
f"http{'s' if ssl else ''}://www.example.com",
headers={"Host": "www.example.com"},
verify=False,
).status_code
@ -35,180 +37,199 @@ try:
)
sleep(5)
firefox_options = Options()
firefox_options.add_argument("--headless")
use_cors = getenv("USE_CORS", "no")
cors_allow_origin = getenv("CORS_ALLOW_ORIGIN", "*").replace("\\", "").replace("^", "").replace("$", "")
use_cors = getenv("USE_CORS", "no") == "yes"
cors_allow_origin = (
getenv("CORS_ALLOW_ORIGIN", "*")
.replace("\\", "")
.replace("^", "")
.replace("$", "")
)
cors_expose_headers = getenv("CORS_EXPOSE_HEADERS", "Content-Length,Content-Range")
cors_max_age = getenv("CORS_MAX_AGE", "86400")
cors_allow_credentials = getenv("CORS_ALLOW_CREDENTIALS", "no") == "yes"
cors_allow_credentials = (
"true" if getenv("CORS_ALLOW_CREDENTIALS", "no") == "yes" else "false"
)
cors_allow_methods = getenv("CORS_ALLOW_METHODS", "GET, POST, OPTIONS")
cors_allow_headers = getenv(
"CORS_ALLOW_HEADERS",
"DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
)
print(
f" Sending a HEAD request to http{'s' if ssl else ''}://www.example.com ...",
flush=True,
)
response = head(
f"http{'s' if ssl else ''}://www.example.com",
headers={
"Host": "www.example.com",
"Origin": f"http{'s' if ssl else ''}://bwadm.example.com",
},
verify=False,
)
response.raise_for_status()
if any(
header in response.headers
for header in (
"Access-Control-Max-Age",
"Access-Control-Allow-Credentials",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
)
):
print(
f"❌ One of the preflight request headers is present in the response headers, it should not be ...\nheaders: {response.headers}",
)
exit(1)
for header, value in (
("Access-Control-Allow-Origin", cors_allow_origin),
("Access-Control-Expose-Headers", cors_expose_headers),
):
if use_cors:
if value != response.headers.get(header):
print(
f"❌ The {header} header is set to \"{response.headers.get(header, 'header missing')}\", it should be \"{value}\" ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
print(
f'✅ The {header} header is set to "{value}" ...',
flush=True,
)
else:
if header in response.headers:
print(
f'❌ The {header} header is present in the response headers while the setting USE_CORS is set to "no", it should not be ...\nheaders: {response.headers}',
)
exit(1)
print(
f"✅ The {header} header is not present in the response headers as expected ...",
flush=True,
)
sleep(1)
print(
f" Sending a preflight request to http{'s' if ssl else ''}://www.example.com ...",
flush=True,
)
response = options(
f"http{'s' if ssl else ''}://www.example.com",
headers={
"Host": "www.example.com",
"Origin": f"http{'s' if ssl else ''}://bwadm.example.com",
},
verify=False,
)
response.raise_for_status()
if use_cors:
if (
cors_allow_credentials == "false"
and "Access-Control-Allow-Credentials" in response.headers
):
print(
f'❌ The Access-Control-Allow-Credentials header is present in the response headers while the setting CORS_ALLOW_CREDENTIALS is set to "no", it should not be ...\nheaders: {response.headers}',
)
exit(1)
elif (
cors_allow_credentials == "true"
and "Access-Control-Allow-Credentials" not in response.headers
):
print(
f'❌ The Access-Control-Allow-Credentials header is not present in the response headers while the setting CORS_ALLOW_CREDENTIALS is set to "yes", it should be ...\nheaders: {response.headers}',
)
exit(1)
print(
f"✅ The Access-Control-Allow-Credentials header is{' not' if cors_allow_credentials == 'false' else ''} present as expected ...",
flush=True,
)
for header, value in (
("Access-Control-Allow-Credentials", cors_allow_credentials),
("Access-Control-Max-Age", cors_max_age),
("Access-Control-Allow-Methods", cors_allow_methods),
("Access-Control-Allow-Headers", cors_allow_headers),
):
if use_cors:
if (
header == "Access-Control-Allow-Credentials"
and cors_allow_credentials == "false"
):
continue
if value != response.headers.get(header):
print(
f"❌ The {header} header is set to \"{response.headers.get(header, 'header missing')}\", it should be \"{value}\" ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
print(
f'✅ The {header} header is set to "{value}" ...',
flush=True,
)
else:
if header in response.headers:
print(
f'❌ The {header} header is present in the response headers while the setting USE_CORS is set to "no", it should not be ...\nheaders: {response.headers}',
)
exit(1)
print(
f"✅ The {header} header is not present in the response headers as expected ...",
flush=True,
)
if any(
[
cors_allow_origin != "*",
cors_expose_headers != "Content-Length,Content-Range",
]
):
print(
" Sending a HEAD request to https://www.example.com ...",
flush=True,
)
response = head(
"https://www.example.com", headers={"Host": "www.example.com", "Origin": "https://www.example.com"}, verify=False
)
response.raise_for_status()
if any(
header in response.headers
for header in (
"Access-Control-Max-Age",
"Access-Control-Allow-Credentials",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
)
):
print(
f"❌ One of the preflight request headers is present in the response headers, it should not be ...\nheaders: {response.headers}",
)
exit(1)
elif cors_allow_origin != response.headers.get("Access-Control-Allow-Origin"):
print(
f"❌ The Access-Control-Allow-Origin header is set to {response.headers.get('Access-Control-Allow-Origin', 'missing')}, it should be {cors_allow_origin} ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
elif cors_allow_origin != "*":
print(
f"✅ The Access-Control-Allow-Origin header is set to {cors_allow_origin} ...",
flush=True,
)
elif cors_expose_headers != response.headers.get(
"Access-Control-Expose-Headers"
):
print(
f"❌ The Access-Control-Expose-Headers header is set to {response.headers.get('Access-Control-Expose-Headers', 'missing')}, it should be {cors_expose_headers} ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
elif cors_expose_headers != "Content-Length,Content-Range":
print(
f"✅ The Access-Control-Expose-Headers header is set to {cors_expose_headers} ...",
flush=True,
)
exit(0)
elif any(
[
cors_max_age != "86400",
cors_allow_credentials,
cors_allow_credentials == "true",
cors_allow_methods != "GET, POST, OPTIONS",
cors_allow_headers
!= "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
]
):
print(
" Sending a preflight request to https://www.example.com ...",
flush=True,
)
response = options(
"https://www.example.com", headers={"Host": "www.example.com", "Origin": "https://www.example.com"}, verify=False
)
response.raise_for_status()
if (
not cors_allow_credentials
and "Access-Control-Allow-Credentials" in response.headers
):
print(
f"❌ The Access-Control-Allow-Credentials header is present in the response headers while the setting CORS_ALLOW_CREDENTIALS is set to {cors_allow_credentials}, it should not be ...\nheaders: {response.headers}",
)
exit(1)
elif cors_max_age != response.headers.get("Access-Control-Max-Age"):
print(
f"❌ The Access-Control-Max-Age header is set to {response.headers.get('Access-Control-Max-Age', 'missing')}, it should be {cors_max_age} ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
elif cors_max_age != "86400":
print(
f"✅ The Access-Control-Max-Age header is set to {cors_max_age} ...",
flush=True,
)
elif (
cors_allow_credentials
and "Access-Control-Allow-Credentials" not in response.headers
):
print(
f"❌ The Access-Control-Allow-Credentials header is not present in the response headers while the setting CORS_ALLOW_CREDENTIALS is set to {cors_allow_credentials}, it should be ...\nheaders: {response.headers}",
)
exit(1)
elif cors_allow_methods != response.headers.get("Access-Control-Allow-Methods"):
print(
f"❌ The Access-Control-Allow-Methods header is set to {response.headers.get('Access-Control-Allow-Methods', 'missing')}, it should be {cors_allow_methods} ...\nheaders: {response.headers}",
)
exit(1)
elif cors_allow_methods != "GET, POST, OPTIONS":
print(
f"✅ The Access-Control-Allow-Methods is set to {cors_allow_methods} ...",
flush=True,
)
elif cors_allow_headers != response.headers.get("Access-Control-Allow-Headers"):
print(
f"❌ The Access-Control-Allow-Headers header is set to {response.headers.get('Access-Control-Allow-Headers', 'missing')}, it should be {cors_allow_headers} ...\nheaders: {response.headers}",
flush=True,
)
exit(1)
elif (
cors_allow_headers
!= "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
):
print(
f"✅ The Access-Control-Allow-Headers header is set to {cors_allow_headers} ...",
flush=True,
)
else:
print(
f"✅ The Access-Control-Allow-Credentials header is present and set to {cors_allow_credentials} ...",
flush=True,
)
exit(0)
sleep(0.5)
firefox_options = Options()
firefox_options.add_argument("--headless")
print(" Starting Firefox ...", flush=True)
with webdriver.Firefox(options=firefox_options) as driver:
driver.delete_all_cookies()
driver.maximize_window()
print(
" Sending a javascript request to https://www.example.com ...",
f" Sending a javascript request to http{'s' if ssl else ''}://www.example.com ...",
flush=True,
)
error = False
try:
driver.execute_script(
"""var xhttp = new XMLHttpRequest();
xhttp.open("GET", "https://www.example.com", false);
xhttp.setRequestHeader("Host", "www.example.com");
xhttp.send();"""
f"""
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "http{'s' if ssl else ''}://www.example.com", false);
xhttp.setRequestHeader("Host", "www.example.com");
xhttp.send();
"""
)
except JavascriptException as e:
if not f"{e}".startswith("Message: NetworkError"):
print(f"{e}", flush=True)
error = True
if use_cors == "no" and not error:
if not use_cors and not error:
print("❌ CORS is enabled, it shouldn't be, exiting ...", flush=True)
exit(1)
elif use_cors == "yes" and error:
elif use_cors and error:
print("❌ CORS are not working as expected, exiting ...", flush=True)
exit(1)
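Review bot: The new HEAD and preflight checks only ever send an Origin that is expected to be allowed (`https://bwadm.example.com`, which is exactly what the bwadm regex permits, or anything when CORS_ALLOW_ORIGIN is `*`); nothing in the hunk sends a non-matching Origin such as `https://evil.example.com` or `https://bwadm.example.com.evil.tld` and asserts that `Access-Control-Allow-Origin` is absent, so an unanchored or mis-escaped origin regex would pass every assertion here. I would add a third request after the preflight block, `bad = head(url, headers={"Host": "www.example.com", "Origin": "https://bwadm.example.com.evil.tld"}, verify=False)` followed by `if use_cors and cors_allow_origin != "*" and "Access-Control-Allow-Origin" in bad.headers: exit(1)`, since that is the check a CORS test exists for. The preflight `options(...)` call also sends no `Access-Control-Request-Method` header, so it exercises a bare OPTIONS rather than what a browser emits; adding `"Access-Control-Request-Method": "GET"` to its headers would make the expectation on Allow-Methods/Allow-Headers meaningful. The final XHR is issued from whatever page the driver currently has loaded (origin `null` if none), yet the hunk treats any NetworkError as a failure whenever USE_CORS is yes, which cannot hold under the restrictive bwadm origin unless the server answers such requests with a permissive origin — worth confirming which of the two is intended. The enclosing `try:` block begins before this hunk.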


@ -20,7 +20,8 @@ cleanup_stack () {
exit_code=$?
if [[ $end -eq 1 || $exit_code = 1 ]] || [[ $end -eq 0 && $exit_code = 0 ]] && [ $manual = 0 ] ; then
find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "yes"@USE_CORS: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "^https://www\\\\.example\\\\.com$$"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@GENERATE_SELF_SIGNED_SSL: "yes"@GENERATE_SELF_SIGNED_SSL: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: ".*"$@CORS_ALLOW_ORIGIN: "\*"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "X-Test"@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_MAX_AGE: "3600"@CORS_MAX_AGE: "86400"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_CREDENTIALS: "yes"@CORS_ALLOW_CREDENTIALS: "no"@' {} \;
@ -46,35 +47,21 @@ cleanup_stack () {
# Cleanup stack on exit
trap cleanup_stack EXIT
for test in "deactivated" "activated" "allow_origin" "expose_headers" "max_age" "allow_credentials" "allow_methods" "allow_headers"
for test in "deactivated" "activated" "tweaked_settings"
do
if [ "$test" = "deactivated" ] ; then
echo "🛰️ Running tests without cors ..."
elif [ "$test" = "activated" ] ; then
echo "🛰️ Running tests with cors ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "no"@USE_CORS: "yes"@' {} \;
elif [ "$test" = "allow_origin" ] ; then
echo "🛰️ Running tests with cors allow origin set to https://www.example.com ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "^https://www\\\\.example\\\\.com$$"@' {} \;
elif [ "$test" = "expose_headers" ] ; then
echo "🛰️ Running tests with cors expose headers set to X-Test ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "^https://www\\\\.example\\\\.com$$"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
elif [ "$test" = "tweaked_settings" ] ; then
echo "🛰️ Running tests with tweaked cors settings ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@GENERATE_SELF_SIGNED_SSL: "no"@GENERATE_SELF_SIGNED_SSL: "yes"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "^https://bwadm\\\\.example\\\\.com$$"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@CORS_EXPOSE_HEADERS: "X-Test"@' {} \;
elif [ "$test" = "max_age" ] ; then
echo "🛰️ Running tests with cors max age set to 3600 ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "X-Test"@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_MAX_AGE: "86400"@CORS_MAX_AGE: "3600"@' {} \;
elif [ "$test" = "allow_credentials" ] ; then
echo "🛰️ Running tests with cors allow credentials is set to yes ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_MAX_AGE: "3600"@CORS_MAX_AGE: "86400"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_CREDENTIALS: "no"@CORS_ALLOW_CREDENTIALS: "yes"@' {} \;
elif [ "$test" = "allow_methods" ] ; then
echo "🛰️ Running tests with cors allow methods is set to GET, HEAD, POST, OPTIONS ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_CREDENTIALS: "yes"@CORS_ALLOW_CREDENTIALS: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_METHODS: "GET, POST, OPTIONS"@CORS_ALLOW_METHODS: "GET, HEAD, POST, OPTIONS"@' {} \;
elif [ "$test" = "allow_headers" ] ; then
echo "🛰️ Running tests with cors allow headers is set to X-Test ..."
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_METHODS: "GET, HEAD, POST, OPTIONS"@CORS_ALLOW_METHODS: "GET, POST, OPTIONS"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_HEADERS: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"@CORS_ALLOW_HEADERS: "X-Test"@' {} \;
fi
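Review bot: Collapsing the six per-setting runs into a single `tweaked_settings` run means `CORS_ALLOW_CREDENTIALS: "yes"` is now only exercised together with the restricted `^https://bwadm\.example\.com$` origin set in the same branch, so the `*`-origin-plus-credentials combination — the one browsers refuse and a CORS layer must never emit — is no longer sent to the server at all. Consider a second tweaked run that leaves CORS_ALLOW_ORIGIN at `*` and only flips credentials to yes, with the Python side asserting that `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` are not returned together. The branch would also read better with a one-line comment stating what it changes, e.g. `# self-signed TLS, bwadm-only origin, X-Test expose/allow headers, max-age 3600, credentials on, HEAD added to allowed methods`, since the echo line only says "tweaked". The `for test in ...` loop body continues past the end of this hunk.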