Skip to content
This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Commit

Permalink
Merge pull request #1087 from joyent/ether/v3.2.1-fixes
Browse files Browse the repository at this point in the history 
v3.2.1 fixes
  • Loading branch information
@karenetheridge
karenetheridge authored Jan 13, 2021
2 parents 545b54a + fec6139 commit dcf55c4
Show file tree
Hide file tree
Showing 5 changed files with 57 additions and 17 deletions.
20 changes: 20 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,26 @@ including database connectivity information.

* `make run`

## Creating Local Credentials

First, you need to get a login token into the local database. We can do this by leveraging the
knowledge that an encrypted password entry of `''` will match against all supplied inputs:

$ psql -U conch conch --command="insert into user_account (name, password, email) values ('me', '', '[email protected]')"

Now, we use this email and password to generate a login token:

make run
curl -i -H'Content-Type: application/json' --url http://127.0.0.1:5001/login -d '{"email":"[email protected]","password":"anything"}'

You will see output like this:

{"jwt_token":"eyJInR5cCI6Iwhargarbl.eyJl9pZCI6ImM1MGYwhargarbl.WV3uJEvg0bqInI9pEtl04ZZ8ECN4yQOSmehello"}

Save that token somewhere, such as in an environment variable or a file, for use in future API calls. You will include it in the "Authorization" header, for example:

curl -i --url https://staging.conch.joyent.us/user/me --header "Authorization: Bearer eyJInR5cCI6Iwhargarbl.eyJl9pZCI6ImM1MGYwhargarbl.WV3uJEvg0bqInI9pEtl04ZZ8ECN4yQOSmehello"

## Docker

### Compose
Expand Down
12 changes: 7 additions & 5 deletions lib/Conch/Plugin/ClientVerification.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,11 @@ sub register ($self, $app, $config) {
my $user_agent = $headers->user_agent;

if (my $conch_ui_version = $headers->header('X-Conch-UI')) {
my ($major, $minor, $tiny, $rest) = $conch_ui_version =~ /^v(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?/;
my ($major, $minor, $tiny, $rest) = $conch_ui_version =~ /^v(\d+)\.(\d+)(?:\.(\d+)(?:\.(\d+))?)?/;
if (not $major or $major < 4) {
$c->log->warn('Conch UI too old: requires at least 4.x');
return $c->status(403);
my $error = 'Conch UI too old: requires at least 4.x';
$c->log->warn($error.' -- got major='.($major//'<undef>').', minor='.($minor//'<undef>'));
return $c->status(403, { error => $error });
}
}
elsif ($user_agent and $user_agent =~ /^conch shell/) {
Expand All @@ -47,8 +48,9 @@ sub register ($self, $app, $config) {
elsif ($user_agent and $user_agent =~ /^Conch\/((\d+)\.(\d+)\.(\d+)) /) {
my ($all, $major, $minor, $rest) = ($1, $2, $3, $4);
if ($all eq '0.0.0' or $major < 3) {
$c->log->warn('Conch Shell too old');
return $c->status(403);
my $error = 'Conch Shell too old';
$c->log->warn($error.' -- got major='.($major//'<undef>').', minor='.($minor//'<undef>'));
return $c->status(403, { error => $error });
}
}
});
Expand Down
15 changes: 10 additions & 5 deletions lib/Conch/Plugin/Logging.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,15 +153,20 @@ Logs the request and its response.
headers => $req_headers,
query_params => $c->req->query_params->to_hash,
# no body_params: presently we do not permit application/x-www-form-urlencoded
$verbose && !(ref $req_json eq 'HASH' and exists $req_json->{password})
? ( body => $c->req->json // $c->req->text ) : (),
!$verbose ? ()
: !defined $req_json ? ( body => $c->req->text )
: ref $req_json ne 'HASH' || !exists $req_json->{password} ? ( body => $req_json )
: ( body => +{ $req_json->%*, password => '--REDACTED--' } ),
},
res => {
headers => $res_headers,
statusCode => $c->res->code,
$c->res->code >= 400
|| ($verbose && !(ref $res_json eq 'HASH' and grep /token/, keys $res_json->%*))
? ( body => $c->res->json // $c->res->text ) : (),
!$verbose && $c->res->code < 400 ? ()
: !defined $res_json ? ( body => $c->res->text )
: (ref $res_json ne 'HASH' || !grep /token/, keys $res_json->%*)
? ( body => $res_json )
: ( body => +{ $res_json->%*,
map +($_ => '--REDACTED--'), grep /token/, keys $res_json->%* } ),
},
latency => int(1000 * $c->timing->elapsed('request_latency')),
};
Expand Down
12 changes: 9 additions & 3 deletions t/client-verification.t
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@ $t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0' })

$t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0 Macintosh', 'X-Conch-UI' => 'v3.0.2.1-gdeadbeef' })
->status_is(403)
->log_warn_is('Conch UI too old: requires at least 4.x')
->json_is({ error => 'Conch UI too old: requires at least 4.x' })
->log_warn_is('Conch UI too old: requires at least 4.x -- got major=3, minor=0')
->log_info_is(superhashof({
req => superhashof({
user => 'NOT AUTHED',
Expand All @@ -33,18 +34,23 @@ $t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0 Macintosh', 'X-Conch-UI' => '

$t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0 Macintosh', 'x-conch-ui' => 'v3.0.2.1-gdeadbeef' })
->status_is(403)
->log_warn_is('Conch UI too old: requires at least 4.x');
->json_is({ error => 'Conch UI too old: requires at least 4.x' })
->log_warn_is('Conch UI too old: requires at least 4.x -- got major=3, minor=0');

$t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0 Macintosh', 'X-Conch-UI' => 'v4.0.0.3.gdeadbeef' })
->status_is(200);

$t->get_ok('/ping', { 'User-Agent' => 'Mozilla/5.0 Macintosh', 'X-Conch-UI' => 'v4.1-0-gdeadbeef' })
->status_is(200);

$t->get_ok('/ping', { 'User-Agent' => 'conch shell v1.11.11-v1.11-0-g0ad9598' })
->status_is(403)
->log_warn_is('Conch Shell too old');

$t->get_ok('/ping', { 'User-Agent' => 'Conch/0.0.0 ConchShell/blahblah...' })
->status_is(403)
->log_warn_is('Conch Shell too old');
->json_is({ error => 'Conch Shell too old' })
->log_warn_is('Conch Shell too old -- got major=0, minor=0');

$t->get_ok('/ping', { 'User-Agent' => 'Conch/3.12.0 ConchShell/blahblah...' })
->status_is(200);
Expand Down
15 changes: 11 additions & 4 deletions t/conch-log.t
View file
Original file line number Diff line number Diff line change
Expand Up @@ -724,7 +724,7 @@ sub add_test_routes ($t) {
remotePort => ignore,
headers => superhashof({}),
query_params => {},
# no body! that contains the password!!!
body => { email => '[email protected]', password => '--REDACTED--' },
},
res => {
headers => superhashof({}),
Expand Down Expand Up @@ -759,11 +759,13 @@ sub add_test_routes ($t) {
remotePort => ignore,
headers => superhashof({}),
query_params => {},
# Test::Conch::authenticate sets set_session -> true
body => { email => '[email protected]', password => '--REDACTED--', set_session => JSON::PP::true },
},
res => {
headers => superhashof({}),
statusCode => 200,
# no body! that contains the JWT!!!
body => { jwt_token => '--REDACTED--' },
},
},
'dispatch line for /login success in verbose mode',
Expand Down Expand Up @@ -799,7 +801,12 @@ sub add_test_routes ($t) {
res => {
headers => superhashof({}),
statusCode => 201,
# no body! that contains the api token!!!
body => {
name => 'my api token',
token => '--REDACTED--',
(map +($_ => re(qr/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,9}Z$/)), qw(created expires)),
last_used => undef,
},
},
},
'dispatch line for creating a token in verbose mode does not contain the token string',
Expand Down Expand Up @@ -830,7 +837,7 @@ sub add_test_routes ($t) {
remotePort => ignore,
headers => superhashof({ Authorization => '--REDACTED--' }),
query_params => {},
# no body! that contains the password!!!
body => { password => '--REDACTED--' },
},
res => {
headers => superhashof({}),
Expand Down

0 comments on commit dcf55c4

Please sign in to comment.