Apq
/
syncthing
mirror of https://github.com/syncthing/syncthing.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357
							// Copyright (C) 2014 Jakob Borg and Contributors (see the CONTRIBUTORS file).
// All rights reserved. Use of this source code is governed by an MIT-style
// license that can be found in the LICENSE file.

// +build ignore

package main

import (
	"bufio"
	"bytes"
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"regexp"
	"testing"
)

var (
	target    string
	authUser  string
	authPass  string
	csrfToken string
	csrfFile  string
	apiKey    string
)

var jsonEndpoints = []string{
	"/rest/completion?node=I6KAH76-66SLLLB-5PFXSOA-UFJCDZC-YAOMLEK-CP2GB32-BV5RQST-3PSROAU&repo=default",
	"/rest/config",
	"/rest/config/sync",
	"/rest/connections",
	"/rest/errors",
	"/rest/events",
	"/rest/lang",
	"/rest/model/version?repo=default",
	"/rest/model?repo=default",
	"/rest/need",
	"/rest/nodeid?id=I6KAH7666SLLLB5PFXSOAUFJCDZCYAOMLEKCP2GB32BV5RQST3PSROAU",
	"/rest/report",
	"/rest/system",
}

func main() {
	flag.StringVar(&target, "target", "localhost:8080", "Test target")
	flag.StringVar(&authUser, "user", "", "Username")
	flag.StringVar(&authPass, "pass", "", "Password")
	flag.StringVar(&csrfFile, "csrf", "", "CSRF token file")
	flag.StringVar(&apiKey, "api", "", "API key")
	flag.Parse()

	if len(csrfFile) > 0 {
		fd, err := os.Open(csrfFile)
		if err != nil {
			log.Fatal(err)
		}
		s := bufio.NewScanner(fd)
		for s.Scan() {
			csrfToken = s.Text()
		}
		fd.Close()
	}

	var tests []testing.InternalTest
	tests = append(tests, testing.InternalTest{"TestGetIndex", TestGetIndex})
	tests = append(tests, testing.InternalTest{"TestJSONEndpoints", TestJSONEndpoints})
	tests = append(tests, testing.InternalTest{"TestPOSTNoCSRF", TestPOSTNoCSRF})

	if len(authUser) > 0 {
		// If we expect authentication, verify that it fails with the wrong password and wrong API key
		tests = append(tests, testing.InternalTest{"TestJSONEndpointsNoAuth", TestJSONEndpointsNoAuth})
		tests = append(tests, testing.InternalTest{"TestJSONEndpointsIncorrectAuth", TestJSONEndpointsIncorrectAuth})
	}

	if len(csrfToken) > 0 {
		// If we have a CSRF token, verify that POST succeeds with it
		tests = append(tests, testing.InternalTest{"TestPostWitchCSRF", TestPostWitchCSRF})
		tests = append(tests, testing.InternalTest{"TestGetPostConfigOK", TestGetPostConfigOK})
		tests = append(tests, testing.InternalTest{"TestGetPostConfigFail", TestGetPostConfigFail})
	}

	fmt.Printf("Testing HTTP: CSRF=%v, API=%v, Auth=%v\n", len(csrfToken) > 0, len(apiKey) > 0, len(authUser) > 0)
	testing.Main(matcher, tests, nil, nil)
}

func matcher(s0, s1 string) (bool, error) {
	return true, nil
}

func TestGetIndex(t *testing.T) {
	res, err := get("/index.html")
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Errorf("Status %d != 200", res.StatusCode)
	}
	if res.ContentLength < 1024 {
		t.Errorf("Length %d < 1024", res.ContentLength)
	}
	res.Body.Close()

	res, err = get("/")
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Errorf("Status %d != 200", res.StatusCode)
	}
	if res.ContentLength < 1024 {
		t.Errorf("Length %d < 1024", res.ContentLength)
	}
	res.Body.Close()
}

func TestGetVersion(t *testing.T) {
	res, err := get("/rest/version")
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200", res.StatusCode)
	}
	ver, err := ioutil.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()

	if !regexp.MustCompile(`v\d+\.\d+\.\d+`).Match(ver) {
		t.Errorf("Invalid version %q", ver)
	}
}

func TestGetVersionNoCSRF(t *testing.T) {
	r, err := http.NewRequest("GET", "http://"+target+"/rest/version", nil)
	if err != nil {
		t.Fatal(err)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err := http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 403 {
		t.Fatalf("Status %d != 403", res.StatusCode)
	}
}

func TestJSONEndpoints(t *testing.T) {
	for _, p := range jsonEndpoints {
		res, err := get(p)
		if err != nil {
			t.Error(err)
			continue
		}
		if res.StatusCode != 200 {
			t.Errorf("Status %d != 200 for %q", res.StatusCode, p)
			continue
		}
		if ct := res.Header.Get("Content-Type"); ct != "application/json; charset=utf-8" {
			t.Errorf("Content-Type %q != \"application/json\" for %q", ct, p)
			continue
		}
	}
}

func TestPOSTNoCSRF(t *testing.T) {
	r, err := http.NewRequest("POST", "http://"+target+"/rest/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err := http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 403 && res.StatusCode != 401 {
		t.Fatalf("Status %d != 403/401 for POST", res.StatusCode)
	}
}

func TestPostWitchCSRF(t *testing.T) {
	r, err := http.NewRequest("POST", "http://"+target+"/rest/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}
	if len(csrfToken) > 0 {
		r.Header.Set("X-CSRF-Token", csrfToken)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err := http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200 for POST", res.StatusCode)
	}
}

func TestGetPostConfigOK(t *testing.T) {
	// Get config
	r, err := http.NewRequest("GET", "http://"+target+"/rest/config", nil)
	if err != nil {
		t.Fatal(err)
	}
	if len(csrfToken) > 0 {
		r.Header.Set("X-CSRF-Token", csrfToken)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err := http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200 for POST", res.StatusCode)
	}
	bs, err := ioutil.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()

	// Post same config back
	r, err = http.NewRequest("POST", "http://"+target+"/rest/config", bytes.NewBuffer(bs))
	if err != nil {
		t.Fatal(err)
	}
	if len(csrfToken) > 0 {
		r.Header.Set("X-CSRF-Token", csrfToken)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err = http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200 for POST", res.StatusCode)
	}
}

func TestGetPostConfigFail(t *testing.T) {
	// Get config
	r, err := http.NewRequest("GET", "http://"+target+"/rest/config", nil)
	if err != nil {
		t.Fatal(err)
	}
	if len(csrfToken) > 0 {
		r.Header.Set("X-CSRF-Token", csrfToken)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err := http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200 for POST", res.StatusCode)
	}
	bs, err := ioutil.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()

	// Post same config back, with some characters missing to create a syntax error
	r, err = http.NewRequest("POST", "http://"+target+"/rest/config", bytes.NewBuffer(bs[2:]))
	if err != nil {
		t.Fatal(err)
	}
	if len(csrfToken) > 0 {
		r.Header.Set("X-CSRF-Token", csrfToken)
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	res, err = http.DefaultClient.Do(r)
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 500 {
		t.Fatalf("Status %d != 500 for POST", res.StatusCode)
	}
}

func TestJSONEndpointsNoAuth(t *testing.T) {
	for _, p := range jsonEndpoints {
		r, err := http.NewRequest("GET", "http://"+target+p, nil)
		if err != nil {
			t.Error(err)
			continue
		}
		if len(csrfToken) > 0 {
			r.Header.Set("X-CSRF-Token", csrfToken)
		}
		res, err := http.DefaultClient.Do(r)
		if err != nil {
			t.Error(err)
			continue
		}
		if res.StatusCode != 403 && res.StatusCode != 401 {
			t.Errorf("Status %d != 403/401 for %q", res.StatusCode, p)
			continue
		}
	}
}

func TestJSONEndpointsIncorrectAuth(t *testing.T) {
	for _, p := range jsonEndpoints {
		r, err := http.NewRequest("GET", "http://"+target+p, nil)
		if err != nil {
			t.Error(err)
			continue
		}
		if len(csrfToken) > 0 {
			r.Header.Set("X-CSRF-Token", csrfToken)
		}
		r.SetBasicAuth("wronguser", "wrongpass")
		res, err := http.DefaultClient.Do(r)
		if err != nil {
			t.Error(err)
			continue
		}
		if res.StatusCode != 403 && res.StatusCode != 401 {
			t.Errorf("Status %d != 403/401 for %q", res.StatusCode, p)
			continue
		}
	}
}

func get(path string) (*http.Response, error) {
	r, err := http.NewRequest("GET", "http://"+target+path, nil)
	if err != nil {
		return nil, err
	}
	if len(authUser) > 0 {
		r.SetBasicAuth(authUser, authPass)
	}
	if len(apiKey) > 0 {
		r.Header.Set("X-API-Key", apiKey)
	}
	return http.DefaultClient.Do(r)
}