From ca3a3817c7c5de0b89e5105adb88a0f7419df8e1 Mon Sep 17 00:00:00 2001 From: Felix Hammerl Date: Fri, 26 Feb 2016 18:27:13 +0100 Subject: Issue #617: Serve content from Sandbox resource --- service/pixelated/resources/root_resource.py | 2 ++ service/pixelated/resources/sandbox_resource.py | 34 +++++++++++++++++++ .../test/unit/resources/test_sandbox_resource.py | 38 ++++++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 service/pixelated/resources/sandbox_resource.py create mode 100644 service/test/unit/resources/test_sandbox_resource.py (limited to 'service') diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py index 86435d89..109dc08e 100644 --- a/service/pixelated/resources/root_resource.py +++ b/service/pixelated/resources/root_resource.py @@ -20,6 +20,7 @@ from string import Template from pixelated.resources import BaseResource, UnAuthorizedResource from pixelated.resources.attachments_resource import AttachmentsResource +from pixelated.resources.sandbox_resource import SandboxResource from pixelated.resources.contacts_resource import ContactsResource from pixelated.resources.features_resource import FeaturesResource from pixelated.resources.feedback_resource import FeedbackResource @@ -75,6 +76,7 @@ class RootResource(BaseResource): return csrf_input and csrf_input == xsrf_token def initialize(self, portal=None, disclaimer_banner=None): + self._child_resources.add('sandbox', SandboxResource(self._static_folder)) self._child_resources.add('assets', File(self._static_folder)) self._child_resources.add('keys', KeysResource(self._services_factory)) self._child_resources.add(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory)) diff --git a/service/pixelated/resources/sandbox_resource.py b/service/pixelated/resources/sandbox_resource.py new file mode 100644 index 00000000..28e8c9be --- /dev/null +++ b/service/pixelated/resources/sandbox_resource.py 
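Review bot: `self._child_resources.add('sandbox', SandboxResource(self._static_folder))` in initialize mounts the whole static folder a second time, mirroring the `assets` child on the next line, so every asset is also reachable under /sandbox with the sandbox CSP applied; if the iframe only needs the sandbox document, pointing the resource at that file or subdirectory keeps the exposed surface small — confirm against the folder layout. A comment on the new line would record the intent, e.g. `# same static tree as 'assets', but served with the sandbox CSP (see SandboxResource)`. In the import hunk above, the new `sandbox_resource` import is placed between `attachments_resource` and `contacts_resource` and breaks the alphabetical order of that block; move it to its sorted position. The initialize method continues past the end of the hunk.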
@@ -0,0 +1,34 @@ +# +# Copyright (c) 2016 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +from twisted.web.static import File + + +class SandboxResource(File): + CSP_HEADER_VALUES = "sandbox allow-popups allow-scripts;" \ + "default-src 'self';" \ + "style-src *;" \ + "script-src *;" \ + "font-src *;" \ + "img-src *;" \ + "object-src 'none';" \ + "connect-src 'none';" + + def render_GET(self, request): + request.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES) + request.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES) + request.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES) + return super(SandboxResource, self).render_GET(request) diff --git a/service/test/unit/resources/test_sandbox_resource.py b/service/test/unit/resources/test_sandbox_resource.py new file mode 100644 index 00000000..3db43e12 --- /dev/null +++ b/service/test/unit/resources/test_sandbox_resource.py 
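Review bot: SandboxResource has no docstring and the CSP literal no comment saying what the policy is meant to isolate; as written, `sandbox allow-popups allow-scripts` without `allow-same-origin` gives the document an opaque origin and `connect-src 'none'` / `object-src 'none'` block XHR and plugins, yet `style-src *`, `script-src *`, `font-src *` and `img-src *` let the sandboxed document fetch from any origin, so content rendered inside it can trigger remote loads. Suggest a class docstring along the lines of `"""Serve the static folder for the message-rendering sandbox with a CSP that gives the document an opaque origin and blocks XHR and objects, while still allowing external images, fonts, styles and scripts."""` plus a one-line comment per `*` source stating why the wildcard is needed. The three setHeader calls carry the same value; a comment noting that `X-Content-Security-Policy` and `X-Webkit-CSP` are the legacy prefixed forms kept for older browsers would explain the repetition. Sub-path children of this File presumably keep the subclass through createSimilarFile, so the headers should apply to them as well — worth confirming with a test for a nested path.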
@@ -0,0 +1,38 @@ +import os +import unittest + +from twisted.internet import defer +from twisted.web.test.requesthelper import DummyRequest + +from pixelated.resources.sandbox_resource import SandboxResource +from test.unit.resources import DummySite + + +class TestSandBoxResource(unittest.TestCase): + def setUp(self): + static_folder = os.path.dirname(os.path.abspath(__file__)) + self.resource = SandboxResource(static_folder) + self.resource.isLeaf = True + self.web = DummySite(self.resource) + + @defer.inlineCallbacks + def test_render_GET_should_set_sandbox_csp_header(self): + request = DummyRequest(['/sandbox']) + request.method = 'GET' + request.isSecure = lambda: True + request.redirect = lambda _: 'irrelevant' + + expected_csp_headers = "sandbox allow-popups allow-scripts;" \ + "default-src 'self';" \ + "style-src *;" \ + "script-src *;" \ + "font-src *;" \ + "img-src *;" \ + "object-src 'none';" \ + "connect-src 'none';" + + yield self.web.get(request) + + self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Content-Security-Policy'.lower())) + self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('Content-Security-Policy'.lower())) + self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Webkit-CSP'.lower())) -- cgit v1.2.3 From 9cbf33071f895a3ca1c9dad398d964e189e4a766 Mon Sep 17 00:00:00 2001 From: Felix Hammerl Date: Fri, 26 Feb 2016 18:33:10 +0100 Subject: Issue #617: Add sandbox to user-agent --- service/test/functional/features/steps/mail_view.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'service') diff --git a/service/test/functional/features/steps/mail_view.py b/service/test/functional/features/steps/mail_view.py index 82fc28af..c0e9e22b 100644 --- a/service/test/functional/features/steps/mail_view.py +++ b/service/test/functional/features/steps/mail_view.py 
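Review bot: The `request.redirect = lambda _: 'irrelevant'` stub is unexplained: the resource is built on a directory (the test's own folder) and GET with `isLeaf = True`, so File.render_GET presumably takes its directory-redirect path and the headers are asserted on that redirect rather than on a served file — a comment such as `# static_folder is a directory, so render_GET ends in a redirect; only the headers matter here` would say so, and a second case serving an actual file would cover the normal path. `assertEquals` is the deprecated alias of `assertEqual`. Repeating the policy string instead of comparing with `SandboxResource.CSP_HEADER_VALUES` is a reasonable pin, but a comment should state that the duplication is deliberate so nobody "deduplicates" it later.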
@@ -25,8 +25,11 @@ def impl(context, subject): @then('I see that the body reads \'{expected_body}\'') def impl(context, expected_body): - e = find_element_by_css_selector(context, '#mail-view .bodyArea') + find_element_by_css_selector(context, '#read-sandbox') + context.browser.switch_to_frame('read-sandbox') + e = find_element_by_css_selector(context, 'body') assert e.text == expected_body + context.browser.switch_to_default_content() @then('that email has the \'{tag}\' tag') -- cgit v1.2.3 From 0313e643e30cfe202a100a0b69e7ff3c3875fff5 Mon Sep 17 00:00:00 2001 From: Thais Siqueira Date: Fri, 11 Mar 2016 10:57:34 -0300 Subject: Update locust test to run after xsrf token implementation. - Adds port 8089 to vagrant file to be able to run inside vm. - Update requests version to 2.4.1, the minimum required version by locust. - Adds the xsrf token on locust post request headers. Issue #213 --- service/requirements.txt | 2 +- service/test/load/locustfile.py | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-) (limited to 'service') diff --git a/service/requirements.txt b/service/requirements.txt index 95a0f4f8..7c9ee87c 100644 --- a/service/requirements.txt +++ b/service/requirements.txt @@ -4,7 +4,7 @@ https://launchpad.net/dirspec/stable-13-10/13.10/+download/dirspec-13.10.tar.gz --allow-external dirspec --allow-unverified dirspec https://launchpad.net/u1db/stable-13-10/13.10/+download/u1db-13.10.tar.bz2 pyasn1==0.1.8 -requests==2.0.0 +requests==2.4.1 srp==1.0.4 whoosh==2.5.7 pycryptopp diff --git a/service/test/load/locustfile.py b/service/test/load/locustfile.py index 68e39433..23142eee 100644 --- a/service/test/load/locustfile.py +++ b/service/test/load/locustfile.py @@ -1,6 +1,5 @@ import os import json -import time from random import randint from leap.auth import SRPAuth 
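Review bot: `context.browser.switch_to_default_content()` runs after the assert, so a failing assertion leaves the driver inside the `read-sandbox` frame and every later step in the scenario fails on the wrong document; the switch back belongs in a `finally`. The discarded `find_element_by_css_selector(context, '#read-sandbox')` result presumably serves as a wait for the iframe to appear — a comment saying so would help. The following locustfile hunk that drops `import time` is fine on its own.
```python
@then('I see that the body reads \'{expected_body}\'')
def impl(context, expected_body):
    find_element_by_css_selector(context, '#read-sandbox')  # wait for the iframe
    context.browser.switch_to_frame('read-sandbox')
    try:
        e = find_element_by_css_selector(context, 'body')
        assert e.text == expected_body
    finally:
        context.browser.switch_to_default_content()
```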
@@ -11,7 +10,7 @@ from pixelated.resources.login_resource import LoginResource LEAP_PROVIDER = os.environ.get('LEAP_PROVIDER', 'dev.pixelated-project.org') LEAP_SERVER_HOST = os.environ.get('LEAP_SERVER_HOST', 'https://api.%s:4430' % LEAP_PROVIDER) LEAP_VERIFY_CERTIFICATE = os.environ.get('LEAP_VERIFY_CERTIFICATE', '~/.leap/ca.crt') -MAX_NUMBER_USER = os.environ.get('MAX_NUMBER_USER', 10000) +MAX_NUMBER_USER = os.environ.get('MAX_NUMBER_USER', 100) INVITES_FILENAME = os.environ.get('INVITES_FILENAME', '/tmp/invite_codes.txt') INVITES_ENABLED = os.environ.get('INVITES_ENABLED', 'true') == 'true' @@ -23,6 +22,10 @@ def load_invite_from_number(number): class UserBehavior(TaskSet): + def __init__(self, *args, **kwargs): + super(UserBehavior, self).__init__(*args, **kwargs) + self.cookies = {} + def on_start(self): """ on_start is called when a Locust start before any task is scheduled """ self.login() @@ -40,9 +43,11 @@ class UserBehavior(TaskSet): def login(self): number = randint(1, int(MAX_NUMBER_USER)) username, password = self._get_or_create_user(number) - self.client.post("/%s" % LoginResource.BASE_URL, {"username": username, "password": password}) + response = self.client.post("/%s" % LoginResource.BASE_URL, {"username": username, "password": password}) + self.cookies.update(response.cookies.get_dict()) + resp = self.client.get("/") + self.cookies.update(resp.cookies.get_dict()) self.username = username - time.sleep(5) @task(1) def index(self): 
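Review bot: The new cookie bookkeeping in login copies `response.cookies.get_dict()`, but a requests Response only exposes cookies set by the final response — cookies set on a redirect hop of the login POST are only in `response.history` and in the session jar; if `self.client` is a requests Session (locust's HttpSession, presumably), `self.client.cookies` already holds every cookie and the manual `self.cookies` dict duplicates it. The `MAX_NUMBER_USER` default drop from 10000 to 100 and the `time.sleep(5)` removal are undocumented; a comment like `# default kept small so a local run does not create thousands of accounts` would record the intent — confirm that is the reason. The login method ends within the hunk; the class continues past it.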
@@ -56,7 +61,9 @@ class UserBehavior(TaskSet): def send_mail(self): payload = {"tags": ["drafts"], "body": "some text lorem ipsum", "attachments": [], "ident": "", "header": {"to": ["%s@%s" % (self.username, LEAP_PROVIDER)], "cc": [], "bcc": [], "subject": "load testing"}} - with self.client.post('/mails', json=payload, catch_response=True) as email_response: + self.cookies.update(self.client.get("/").cookies.get_dict()) + print(self.cookies) + with self.client.post('/mails', json=payload, catch_response=True, cookies=self.cookies, headers={'X-Requested-With': 'XMLHttpRequest', 'X-XSRF-TOKEN':self.cookies['XSRF-TOKEN']}) as email_response: if email_response.status_code == 201: email_id = json.loads(email_response.content)['ident'] print email_id @@ -66,10 +73,10 @@ class UserBehavior(TaskSet): def delete_mail(self, ident): payload = {"idents": [ident]} - self.client.post('/mails/delete', json=payload) + self.client.post('/mails/delete', json=payload, cookies=self.cookies, headers={'X-Requested-With': 'XMLHttpRequest', 'X-XSRF-TOKEN':self.cookies['XSRF-TOKEN']}) class WebsiteUser(HttpLocust): task_set = UserBehavior - min_wait = 3000 + min_wait = 5000 max_wait = 15000 -- cgit v1.2.3 From 918ae543d94ea2c359c8608807fc251ac16ef1cc Mon Sep 17 00:00:00 2001 From: Thais Siqueira Date: Fri, 11 Mar 2016 14:46:06 -0300 Subject: Fixes pep8 errors and update requests to 2.9.1. Issue #213 --- service/requirements.txt | 2 +- service/test/load/locustfile.py | 63 ++++++++++++++++++++++++++++++++--------- 2 files changed, 50 insertions(+), 15 deletions(-) (limited to 'service') diff --git a/service/requirements.txt b/service/requirements.txt index 7c9ee87c..b74b7f94 100644 --- a/service/requirements.txt +++ b/service/requirements.txt 
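Review bot: `print(self.cookies)` in send_mail writes the whole cookie dict — the session cookie and the XSRF token — to stdout on every task run, and `self.cookies['XSRF-TOKEN']` raises KeyError when the cookie is absent, which aborts the task with a traceback instead of a recorded locust failure. Drop the print and read the token defensively, e.g. `xsrf_token = self.cookies.get('XSRF-TOKEN')` and build the headers dict from that; the same two lines survive unchanged into the pep8 reformat of send_mail and delete_mail in the later commit (hunk `@@ -59,21 +69,46 @@`), which should be fixed together. The extra `/` GET before the POST re-fetches cookies each time; if its purpose is to refresh the XSRF token, a comment saying so would help. The header dict is also repeated verbatim in delete_mail; a small helper returning it would keep the two in step.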
@@ -4,7 +4,7 @@ https://launchpad.net/dirspec/stable-13-10/13.10/+download/dirspec-13.10.tar.gz --allow-external dirspec --allow-unverified dirspec https://launchpad.net/u1db/stable-13-10/13.10/+download/u1db-13.10.tar.bz2 pyasn1==0.1.8 -requests==2.4.1 +requests==2.9.1 srp==1.0.4 whoosh==2.5.7 pycryptopp diff --git a/service/test/load/locustfile.py b/service/test/load/locustfile.py index 23142eee..138f13db 100644 --- a/service/test/load/locustfile.py +++ b/service/test/load/locustfile.py @@ -8,8 +8,12 @@ from locust import HttpLocust, TaskSet, task from pixelated.resources.login_resource import LoginResource LEAP_PROVIDER = os.environ.get('LEAP_PROVIDER', 'dev.pixelated-project.org') -LEAP_SERVER_HOST = os.environ.get('LEAP_SERVER_HOST', 'https://api.%s:4430' % LEAP_PROVIDER) -LEAP_VERIFY_CERTIFICATE = os.environ.get('LEAP_VERIFY_CERTIFICATE', '~/.leap/ca.crt') +LEAP_SERVER_HOST = os.environ.get( + 'LEAP_SERVER_HOST', + 'https://api.%s:4430' % LEAP_PROVIDER) +LEAP_VERIFY_CERTIFICATE = os.environ.get( + 'LEAP_VERIFY_CERTIFICATE', + '~/.leap/ca.crt') MAX_NUMBER_USER = os.environ.get('MAX_NUMBER_USER', 100) INVITES_FILENAME = os.environ.get('INVITES_FILENAME', '/tmp/invite_codes.txt') INVITES_ENABLED = os.environ.get('INVITES_ENABLED', 'true') == 'true' 
@@ -23,27 +27,33 @@ def load_invite_from_number(number): class UserBehavior(TaskSet): def __init__(self, *args, **kwargs): - super(UserBehavior, self).__init__(*args, **kwargs) - self.cookies = {} + super(UserBehavior, self).__init__(*args, **kwargs) + self.cookies = {} def on_start(self): - """ on_start is called when a Locust start before any task is scheduled """ self.login() def _get_or_create_user(self, number): - srp_auth = SRPAuth(LEAP_SERVER_HOST, os.path.expanduser(LEAP_VERIFY_CERTIFICATE)) + srp_auth = SRPAuth( + LEAP_SERVER_HOST, + os.path.expanduser(LEAP_VERIFY_CERTIFICATE)) username, password = ('loadtest%d' % number), ('password_%d' % number) try: srp_auth.authenticate(username, password) except SRPAuthenticationError: - invite_code = load_invite_from_number(number) if INVITES_ENABLED else None + invite_code = None + if INVITES_ENABLED: + invite_code = load_invite_from_number(number) + srp_auth.register(username, password, invite_code) return username, password def login(self): number = randint(1, int(MAX_NUMBER_USER)) username, password = self._get_or_create_user(number) - response = self.client.post("/%s" % LoginResource.BASE_URL, {"username": username, "password": password}) + response = self.client.post( + "/%s" % LoginResource.BASE_URL, + {"username": username, "password": password}) self.cookies.update(response.cookies.get_dict()) resp = self.client.get("/") self.cookies.update(resp.cookies.get_dict()) 
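Review bot: The pep8 pass in this hunk also deletes the `on_start` docstring, which is not a style fix; keep one there, e.g. `"""Called by Locust once per simulated user before any task runs; logs the user in."""`. The `_get_or_create_user` rewrite is equivalent (invite_code stays None unless INVITES_ENABLED), but the expanded branch now reads better with a short comment such as `# registration presumably needs an invite code only when the provider enforces invites`. The login method continues past the end of this hunk.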
@@ -59,21 +69,46 @@ class UserBehavior(TaskSet): @task(3) def send_mail(self): - payload = {"tags": ["drafts"], "body": "some text lorem ipsum", "attachments": [], "ident": "", - "header": {"to": ["%s@%s" % (self.username, LEAP_PROVIDER)], "cc": [], "bcc": [], "subject": "load testing"}} - self.cookies.update(self.client.get("/").cookies.get_dict()) + payload = { + "tags": ["drafts"], + "body": "some text lorem ipsum", + "attachments": [], + "ident": "", + "header": { + "to": ["%s@%s" % (self.username, LEAP_PROVIDER)], + "cc": [], + "bcc": [], + "subject": "load testing"}} + + self.cookies.update( + self.client.get("/").cookies.get_dict()) print(self.cookies) - with self.client.post('/mails', json=payload, catch_response=True, cookies=self.cookies, headers={'X-Requested-With': 'XMLHttpRequest', 'X-XSRF-TOKEN':self.cookies['XSRF-TOKEN']}) as email_response: + with self.client.post( + '/mails', + json=payload, + catch_response=True, + cookies=self.cookies, + headers={ + 'X-Requested-With': 'XMLHttpRequest', + 'X-XSRF-TOKEN': self.cookies['XSRF-TOKEN']}) as email_response: if email_response.status_code == 201: email_id = json.loads(email_response.content)['ident'] print email_id self.delete_mail(email_id) else: - email_response.failure('Error: email not Sent, status code: %s' % email_response.status_code) + email_response.failure( + 'Error: email not Sent, status code: %s' % ( + email_response.status_code)) def delete_mail(self, ident): payload = {"idents": [ident]} - self.client.post('/mails/delete', json=payload, cookies=self.cookies, headers={'X-Requested-With': 'XMLHttpRequest', 'X-XSRF-TOKEN':self.cookies['XSRF-TOKEN']}) + self.client.post( + '/mails/delete', + json=payload, + cookies=self.cookies, + headers={ + 'X-Requested-With': 'XMLHttpRequest', + 'X-XSRF-TOKEN': self.cookies['XSRF-TOKEN']}) class WebsiteUser(HttpLocust): -- cgit v1.2.3 From cf32471caf75b817b23339166002987726d3d6d8 Mon Sep 17 00:00:00 2001 
From: Thais Siqueira Date: Fri, 11 Mar 2016 16:30:45 -0300 Subject: Sets SSL certifications to false. Issue #213 --- service/test/load/locustfile.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'service') diff --git a/service/test/load/locustfile.py b/service/test/load/locustfile.py index 138f13db..0c2ed518 100644 --- a/service/test/load/locustfile.py +++ b/service/test/load/locustfile.py @@ -53,19 +53,20 @@ class UserBehavior(TaskSet): username, password = self._get_or_create_user(number) response = self.client.post( "/%s" % LoginResource.BASE_URL, - {"username": username, "password": password}) + {"username": username, "password": password}, + verify=False) self.cookies.update(response.cookies.get_dict()) - resp = self.client.get("/") + resp = self.client.get("/", verify=False) self.cookies.update(resp.cookies.get_dict()) self.username = username @task(1) def index(self): - self.client.get("/") + self.client.get("/", verify=False) @task(2) def mail_box(self): - self.client.get("/mails?q=tag:'inbox'&p=1&w=25") + self.client.get("/mails?q=tag:'inbox'&p=1&w=25", verify=False) @task(3) def send_mail(self): @@ -81,7 +82,7 @@ class UserBehavior(TaskSet): "subject": "load testing"}} self.cookies.update( - self.client.get("/").cookies.get_dict()) + self.client.get("/", verify=False).cookies.get_dict()) print(self.cookies) with self.client.post( '/mails', @@ -106,6 +107,7 @@ class UserBehavior(TaskSet): '/mails/delete', json=payload, cookies=self.cookies, + verify=False, headers={ 'X-Requested-With': 'XMLHttpRequest', 'X-XSRF-TOKEN': self.cookies['XSRF-TOKEN']}) -- cgit v1.2.3
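Review bot: `verify=False` on every request in login, index, mail_box, the `/` GET in send_mail and delete_mail disables TLS certificate verification for the whole load test, so the client accepts any certificate for the service under test; `LEAP_VERIFY_CERTIFICATE` already provides a CA path for SRPAuth, and the same approach — a CA bundle path or an explicit opt-in environment toggle, not a bare False — should apply here. Setting it once on the session, e.g. `self.client.verify = os.path.expanduser(LEAP_VERIFY_CERTIFICATE)` in `__init__` (or a separate variable if the service uses a different CA), also removes the per-call repetition: the diffstat (7 insertions, 5 deletions) is fully covered by the shown hunks, so the `/mails` POST in send_mail did not get the flag and still verifies, an inconsistency a session-level setting avoids. The commit message should state why verification is being disabled and for which environment.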