Fix: Fixes digest authentication with Cookies #235
Conversation
spec/rack/test_spec.rb
Outdated
|
|
||
| session.request('/') | ||
| auth_headers = session.last_request.env['HTTP_AUTHORIZATION'] | ||
| challange_data = 'realm="test-realm", qop="auth", nonce="nonsensenonce", opaque="morenonsense"' |
spec/rack/test_spec.rb
Outdated
| @@ -356,6 +356,73 @@ def close | |||
| end | |||
| end | |||
|
|
|||
| describe '#digest_authorize' do | |||
| let(:challange_data) do | |||
|
I will try to review it tomorrow. |
spec/rack/test_spec.rb
Outdated
| @@ -341,7 +341,7 @@ def close | |||
|
|
|||
| describe '#basic_authorize' do | |||
| it 'sets the HTTP_AUTHORIZATION header' do | |||
| authorize 'bryan', 'secret' | |||
| basic_authorize 'bryan', 'secret' | |||
There was a problem hiding this comment.
This modification is not related to this fix directly, right?
There was a problem hiding this comment.
Yes, exactly. I just noticed while I was working on the new tests.
There was a problem hiding this comment.
As basic_authorize is the alias of authorize and it is not harmful without changing, I feel we can create another PR.
There was a problem hiding this comment.
Yeah, this can go in another PR for tidiness.
| @@ -356,6 +356,69 @@ def close | |||
| end | |||
| end | |||
|
|
|||
| describe '#digest_authorize' do | |||
There was a problem hiding this comment.
The unit tests for the digest auth has already been at spec/rack/test/digest_auth_spec.rb.
It might be good to add the new tests to spec/rack/test/digest_auth_spec.rb.
But in other words, in this time the code we want to test is at lib/rack/test.rb.
So, adding the unit tests at spec/rack/test_spec.rb might be good.
How do you think?
There was a problem hiding this comment.
I vote for spec/rack/test_spec.rb, so it's easier to find the specs by looking at the file structure.
spec/spec_helper.rb
Outdated
| @@ -18,6 +18,8 @@ | |||
| config.mock_with :rspec | |||
| config.include Rack::Test::Methods | |||
|
|
|||
| config.filter_run_when_matching :focus | |||
There was a problem hiding this comment.
This line for focus and to manage this kind of test it 'raises an error if no requests have been issued', focus: true is not related to the main issue directly isn't it?
We can create another PR for that.
How do you think?
There was a problem hiding this comment.
I agree. I actually just left it in the PR to ask you and @perlun for your opinion of having it in our configuration. If it is fine with both of you, I will remove the line and add a new PR.
There was a problem hiding this comment.
I'm fine with that change. For reference: https://relishapp.com/rspec/rspec-core/docs/filtering/filter-run-when-matching
(We shouldn't have any specs focused in the committed tree, so please remove the focus: true in your PR for that also.)
spec/rack/test_spec.rb
Outdated
| @@ -446,7 +509,7 @@ def close | |||
| expect(last_response['Content-Type']).to eq('text/html;charset=utf-8') | |||
| end | |||
|
|
|||
| it 'raises an error if no requests have been issued', focus: true do | |||
| it 'raises an error if no requests have been issued' do | |||
There was a problem hiding this comment.
Same with spec/spec_helper.rb the line config.filter_run_when_matching :focus.
There was a problem hiding this comment.
I think removing it is quiet important, otherwise it might lead to unexpected and invalidly green tests by accident. So I would remove it asap, because I guess its a leftover and its not intended to be there.
There was a problem hiding this comment.
@scepticulous yes that's true.
How about creating new 1 PR to modify the 2 lines at first before merging this PR?
config.filter_run_when_matching :focus
and
it 'raises an error if no requests have been issued', focus: true
|
@scepticulous I commented some things. Thanks for the PR! |
|
Yes thanks @scepticulous. Some feedback from me also. |
|
@scepticulous Ping, any updates on this? |
|
@perlun I did not have time since your initial review. I am going to implement the suggestions during July, as soon as I have time. 🤞 |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
I will have time to address the mentioned issues during the coming week. I hope we can get the PR merged then. |
In order to focus on single tests during development rspec supports the option `filter_run_when_matching`. We agreed, that it is fine for us to support this in rack#235. Since it is important to not push :focus tags to the sourcetree, a leftover has been removed `focus: true`. Finally an inconsistency in the use of `basic_authorize` and `authorize` has been fixed. This has additional value, since this PR is the base for PR rack#235, which is supposed to add more tests for digest_authorization. Since we will have different ways to authorize, it is very helpful to make the method explicit within our tests.
In order to focus on single tests during development rspec supports the option `filter_run_when_matching`. We agreed, that it is fine for us to support this in #235. Since it is important to not push :focus tags to the sourcetree, a leftover has been removed `focus: true`. Finally an inconsistency in the use of `basic_authorize` and `authorize` has been fixed. This has additional value, since this PR is the base for PR #235, which is supposed to add more tests for digest_authorization. Since we will have different ways to authorize, it is very helpful to make the method explicit within our tests.
|
@scepticulous Yeah, I can help for the review. As #237 was merged now, can you rebase this PR? |
Bug description ----- In issue rack#234 a bug regarding digest authentication has been reported. In order to reproduce it there are two steps necessary: 1. Make sure the app responds with 401 and a digest challange 2. Make sure a Set-Cookie header is set. If these two conditions are fulfilled, the reported error will occur: ``` NoMethodError: undefined method `host' for "/digest":String ``` The stack trace already indicates that the issue is taking effect in the cookie jar class. ``` .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:25:in `initialize' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:149:in `new' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:149:in `block in merge' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:148:in `each' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:148:in `merge' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/mock_session.rb:36:in `request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:261:in `process_request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:267:in `process_request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:119:in `request' ./spec/requests/api_spec.rb:16:in `block (3 levels) in <top (required)>' ``` Problem (root cause) description ----- When a cookie is set and digest authentication is requested, we invalidly pass `uri.path` to `process_request` instead of just `uri`. Detailled explanation ---- After some research I came to the following result. When a digest request is issued the following if-condition is executed: * https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test.rb#L261 There `process_request` calls itself with `uri.path` instead of `uri`. Next `@rack_mock_session.request` is called, which in turn calls [CookieJar#merge](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/mock_session.rb#L34) with `last_response.headers['Set-Cookie']`. Merge has a early return if nil is passed as the argument [see code](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test/cookie_jar.rb#L139). However if Set-Cookie is provided (a cookie is sent), then the cookie is split and cookie objects are created per line. When this happends the uri is passed (which in case of the .path invocation is just a string), and then the initializer calls uri.host [here](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test/cookie_jar.rb#L23). This will then trigger the exception above. This description also makes clear that this bugs only occurs, when the user is testing auth-digest and also setting a header during the authentication. However according to the sample rails app provided, this might be a normal case for rails apps. (depending for what they use cookies)
Fixes rubocop complains and refactors challange_data so that it is reused in the request setup and the verification. This removes duplication and makes clear that we expect the same data in both parts.
dennissivia
force-pushed
the
bugfix/fix-digest-authentication-with-cookies
branch
from
fc3f874 to
12f3ba1
Compare
|
Rebase is done :) |
|
@scepticulous It looks good to me! |
|
Thanks for your working! |
In order to focus on single tests during development rspec supports the option `filter_run_when_matching`. We agreed, that it is fine for us to support this in rack#235. Since it is important to not push :focus tags to the sourcetree, a leftover has been removed `focus: true`. Finally an inconsistency in the use of `basic_authorize` and `authorize` has been fixed. This has additional value, since this PR is the base for PR rack#235, which is supposed to add more tests for digest_authorization. Since we will have different ways to authorize, it is very helpful to make the method explicit within our tests.
Fix: Fixes digest authentication with Cookies Bug description ----- In issue rack#234 a bug regarding digest authentication has been reported. In order to reproduce it there are two steps necessary: 1. Make sure the app responds with 401 and a digest challange 2. Make sure a Set-Cookie header is set. If these two conditions are fulfilled, the reported error will occur: ``` NoMethodError: undefined method `host' for "/digest":String ``` The stack trace already indicates that the issue is taking effect in the cookie jar class. ``` .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:25:in `initialize' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:149:in `new' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:149:in `block in merge' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:148:in `each' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test/cookie_jar.rb:148:in `merge' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/mock_session.rb:36:in `request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:261:in `process_request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:267:in `process_request' .../ruby-2.5.1/gems/rack-test-1.0.0/lib/rack/test.rb:119:in `request' ./spec/requests/api_spec.rb:16:in `block (3 levels) in <top (required)>' ``` Problem (root cause) description ----- When a cookie is set and digest authentication is requested, we invalidly pass `uri.path` to `process_request` instead of just `uri`. Detailled explanation ---- After some research I came to the following result. When a digest request is issued the following if-condition is executed: * https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test.rb#L261 There `process_request` calls itself with `uri.path` instead of `uri`. Next `@rack_mock_session.request` is called, which in turn calls [CookieJar#merge](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/mock_session.rb#L34) with `last_response.headers['Set-Cookie']`. Merge has a early return if nil is passed as the argument [see code](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test/cookie_jar.rb#L139). However if Set-Cookie is provided (a cookie is sent), then the cookie is split and cookie objects are created per line. When this happends the uri is passed (which in case of the .path invocation is just a string), and then the initializer calls uri.host [here](https://github.com/rack-test/rack-test/blob/v1.0.0/lib/rack/test/cookie_jar.rb#L23). This will then trigger the exception above. This description also makes clear that this bugs only occurs, when the user is testing auth-digest and also setting a header during the authentication. However according to the sample rails app provided, this might be a normal case for rails apps. (depending for what they use cookies)
Bug description
In issue #234 a bug regarding digest authentication has been reported.
In order to reproduce it there are two steps necessary:
If these two conditions are fulfilled, the reported error will
occur:
The stack trace already indicates that the issue is taking effect in
the cookie jar class.
Problem (root cause) description
When a cookie is set and digest authentication is requested, we
invalidly pass
uri.pathtoprocess_requestinstead of justuri.Detailled explanation
After some research I came to the following result.
When a digest request is issued the following if-condition is executed:
There
process_requestcalls itself withuri.pathinstead ofuri.Next
@rack_mock_session.requestis called, which in turn callsCookieJar#merge
with
last_response.headers['Set-Cookie'].Merge has a early return if nil is passed as the argument see code.
However if Set-Cookie is provided (a cookie is sent), then the cookie
is split and cookie objects are created per line. When this happends
the uri is passed (which in case of the .path invocation is just a string),
and then the initializer calls uri.host here.
This will then trigger the exception above.
This description also makes clear that this bugs only occurs, when the
user is testing auth-digest and also setting a header during the
authentication. However according to the sample rails app provided,
this might be a normal case for rails apps.
(depending for what they use cookies)