Merge pull request #1232 from exarkun/3942.missing-authorization-handling

3942 Handle missing Authorization in GBS server

Fixes: ticket:3942
Jean-Paul Calderone 2022-12-21 19:01:28 -05:00 committed by GitHub
commit 3badd42321
3 changed files with 17 additions and 1 deletions

newsfragments/3942.minor Normal file

@ -0,0 +1 @@


@ -100,7 +100,7 @@ def _authorization_decorator(required_secrets):
@wraps(f) @wraps(f)
def route(self, request, *args, **kwargs): def route(self, request, *args, **kwargs):
if not timing_safe_compare( if not timing_safe_compare(
request.requestHeaders.getRawHeaders("Authorization", [None])[0].encode( request.requestHeaders.getRawHeaders("Authorization", [""])[0].encode(
"utf-8" "utf-8"
), ),
swissnum_auth_header(self._swissnum), swissnum_auth_header(self._swissnum),
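Review bot: The `[""]` default on the getRawHeaders call at the changed line is doing security-relevant work without saying so: with no Authorization header the compare now simply fails (and, going by the new test, presumably reaches the same Unauthorized branch as a wrong swissnum, which lies outside this hunk) instead of raising AttributeError on `None.encode`, which would have surfaced as a server error. A short comment would keep a later cleanup from reverting it to None, e.g. `# Default to "" not None: a missing header must fail the compare, not crash on .encode().` Pulling the header into a local, `auth_header = request.requestHeaders.getRawHeaders("Authorization", [""])[0]`, would also make the timing_safe_compare call readable on one line. The enclosing route() starts and ends outside the hunk, and the file path for this section is not shown on the page.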


@ -37,6 +37,7 @@ from twisted.web import http
from twisted.web.http_headers import Headers from twisted.web.http_headers import Headers
from werkzeug import routing from werkzeug import routing
from werkzeug.exceptions import NotFound as WNotFound from werkzeug.exceptions import NotFound as WNotFound
from testtools.matchers import Equals
from .common import SyncTestCase from .common import SyncTestCase
from ..storage.http_common import get_content_type, CBOR_MIME_TYPE from ..storage.http_common import get_content_type, CBOR_MIME_TYPE
@ -555,6 +556,20 @@ class GenericHTTPAPITests(SyncTestCase):
super(GenericHTTPAPITests, self).setUp() super(GenericHTTPAPITests, self).setUp()
self.http = self.useFixture(HttpTestFixture()) self.http = self.useFixture(HttpTestFixture())
def test_missing_authentication(self) -> None:
"""
If nothing is given in the ``Authorization`` header at all an
``Unauthorized`` response is returned.
"""
client = StubTreq(self.http.http_server.get_resource())
response = self.http.result_of_with_flush(
client.request(
"GET",
"http://127.0.0.1/storage/v1/version",
),
)
self.assertThat(response.code, Equals(http.UNAUTHORIZED))
def test_bad_authentication(self): def test_bad_authentication(self):
""" """
If the wrong swissnum is used, an ``Unauthorized`` response code is If the wrong swissnum is used, an ``Unauthorized`` response code is