discourse/spec/lib/hijack_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

236 lines
6.6 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
RSpec.describe Hijack do
class Hijack::Tester < ApplicationController
attr_reader :io
include Hijack
2017-11-28 00:47:20 -05:00
def initialize(env = {})
@io = StringIO.new
2017-11-28 00:47:20 -05:00
env.merge!("rack.hijack" => lambda { @io }, "rack.input" => StringIO.new)
2017-11-28 00:47:20 -05:00
self.request = ActionController::TestRequest.new(env, nil, nil)
# we need this for the 418
set_response!(ActionDispatch::Response.new)
end
def hijack_test(&blk)
hijack(&blk)
end
end
let(:tester) { Hijack::Tester.new }
describe "Request Tracker integration" do
let(:logger) do
2017-11-28 00:47:20 -05:00
lambda do |env, data|
@calls += 1
@status = data[:status]
@total = data[:timing][:total_duration]
end
end
before do
Middleware::RequestTracker.register_detailed_request_logger logger
@calls = 0
end
after { Middleware::RequestTracker.unregister_detailed_request_logger logger }
it "can properly track execution" do
app =
lambda do |env|
tester = Hijack::Tester.new(env)
tester.hijack_test { render body: "hello", status: 201 }
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
env = create_request_env(path: "/")
2017-11-28 00:47:20 -05:00
middleware = Middleware::RequestTracker.new(app)
middleware.call(env)
expect(@calls).to eq(1)
expect(@status).to eq(201)
end
end
it "dupes the request params and env" do
orig_req = tester.request
copy_req = nil
tester.hijack_test do
copy_req = request
render body: "hello world", status: 200
end
expect(copy_req.object_id).not_to eq(orig_req.object_id)
end
2017-12-06 18:30:50 -05:00
it "handles cors" do
SiteSetting.cors_origins = "www.rainbows.com"
global_setting :enable_cors, true
2017-12-06 18:30:50 -05:00
app =
lambda do |env|
tester = Hijack::Tester.new(env)
tester.hijack_test { render body: "hello", status: 201 }
expect(tester.io.string).to include("Access-Control-Allow-Origin: www.rainbows.com")
end
env = {}
middleware = Discourse::Cors.new(app)
middleware.call(env)
# it can do pre-flight
env = { "REQUEST_METHOD" => "OPTIONS", "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET" }
status, headers, _body = middleware.call(env)
expect(status).to eq(200)
expected = {
"Access-Control-Allow-Origin" => "www.rainbows.com",
"Access-Control-Allow-Headers" =>
"Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization",
"Access-Control-Allow-Credentials" => "true",
"Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE",
"Access-Control-Max-Age" => "7200",
}
expect(headers).to eq(expected)
end
it "removes trailing slash in cors origin" do
GlobalSetting.stubs(:enable_cors).returns(true)
GlobalSetting.stubs(:cors_origin).returns("https://www.rainbows.com/")
app =
lambda do |env|
tester = Hijack::Tester.new(env)
tester.hijack_test { render body: "hello", status: 201 }
expect(tester.io.string).to include("Access-Control-Allow-Origin: https://www.rainbows.com")
end
env = {}
middleware = Discourse::Cors.new(app)
middleware.call(env)
# it can do pre-flight
env = { "REQUEST_METHOD" => "OPTIONS", "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET" }
status, headers, _body = middleware.call(env)
expect(status).to eq(200)
expected = {
"Access-Control-Allow-Origin" => "https://www.rainbows.com",
"Access-Control-Allow-Headers" =>
"Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization",
2018-09-16 21:37:01 -04:00
"Access-Control-Allow-Credentials" => "true",
"Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE",
"Access-Control-Max-Age" => "7200",
2017-12-06 18:30:50 -05:00
}
expect(headers).to eq(expected)
end
it "handles transfers headers" do
tester.response.headers["Hello-World"] = "sam"
tester.hijack_test do
expires_in 1.year
render body: "hello world", status: 402
end
expect(tester.io.string).to include("Hello-World: sam")
end
it "handles expires_in" do
tester.hijack_test do
expires_in 1.year
render body: "hello world", status: 402
end
expect(tester.io.string).to include("max-age=31556952")
end
it "renders non 200 status if asked for" do
tester.hijack_test { render body: "hello world", status: 402 }
expect(tester.io.string).to include("402")
expect(tester.io.string).to include("world")
end
it "handles send_file correctly" do
tester.hijack_test { send_file __FILE__, disposition: nil }
expect(tester.io.string).to start_with("HTTP/1.1 200")
end
it "renders a redirect correctly" do
Process.stubs(:clock_gettime).returns(1.0)
tester.hijack_test do
Process.stubs(:clock_gettime).returns(2.0)
redirect_to "http://awesome.com", allow_other_host: true
end
result =
"HTTP/1.1 302 Found\r\nLocation: http://awesome.com\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 0\r\nConnection: close\r\nX-Runtime: 1.000000\r\n\r\n"
expect(tester.io.string).to eq(result)
end
it "renders stuff correctly if is empty" do
Process.stubs(:clock_gettime).returns(1.0)
tester.hijack_test do
Process.stubs(:clock_gettime).returns(2.0)
render body: nil
end
result =
"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 0\r\nConnection: close\r\nX-Runtime: 1.000000\r\n\r\n"
expect(tester.io.string).to eq(result)
end
it "renders stuff correctly if it works" do
Process.stubs(:clock_gettime).returns(1.0)
tester.hijack_test do
Process.stubs(:clock_gettime).returns(2.0)
render plain: "hello world"
end
result =
"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 11\r\nConnection: close\r\nX-Runtime: 1.000000\r\n\r\nhello world"
expect(tester.io.string).to eq(result)
end
it "returns 500 by default" do
Process.stubs(:clock_gettime).returns(1.0)
tester.hijack_test
expected =
"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 0\r\nConnection: close\r\nX-Runtime: 0.000000\r\n\r\n"
expect(tester.io.string).to eq(expected)
end
it "does not run the block if io is closed" do
tester.io.close
ran = false
tester.hijack_test { ran = true }
expect(ran).to eq(false)
end
it "handles the queue being full" do
Scheduler::Defer.stubs(:later).raises(WorkQueue::WorkQueueFull.new)
tester.hijack_test {}
expect(tester.response.status).to eq(503)
end
end