Fix anonymous access error (#1640)

* test(frontend): anonymous users

issue #1590

* Solved anonymous access issues (test 40_anonymous) (#1631)

Fixed anonymous access issues

closes issue #1590

* wip(frontend): fix anonymous crashed

* refactor(frontend): allow anonymous on start machine

* refactor(frontend): best practice on return
Co-authored-by: robertperez-upc <72500868+robertperez-upc@users.noreply.github.com>

script/rvd_front

@@ -201,9 +201,10 @@ hook before_routes => sub {
     if (($url =~ m{^/machine/(clone|display|info|view)/}
         || $url =~ m{^/(list_bases_anonymous|request/)}i
         || $url =~ m{^/ws/subscribe}
+        || $url =~ m{^/execution_machines_limit$}
         ) && !_logged_in($c)) {
         $USER = _anonymous_user($c);
-        return if $USER->is_temporary;
+        return if (! $USER) || ($USER->is_temporary);
     }
     return access_denied($c)
         if $url =~ /(screenshot|\.json)/
@@ -272,7 +273,7 @@ get '/anonymous' => sub {
     my $c = shift;
 #    $c->render(template => 'bases', base => list_bases());
     $USER = _anonymous_user($c);
-    return list_bases_anonymous($c);
+    return list_bases_anonymous($c) if ($USER);
 };
 
 get '/anonymous_logout.html' => sub {
@@ -290,7 +291,7 @@ get '/anonymous/(#base_id).html' => sub {
     my $base = $RAVADA->search_domain_by_id($base_id);
 
     $USER = _anonymous_user($c);
-    return quick_start_domain($c,$base->id, $USER->name);
+    return quick_start_domain($c,$base->id, $USER->name) if ($USER);
 };
 
 get '/settings_global.json' => sub($c) {
@@ -1588,7 +1589,7 @@ get '/anonymous/request/(:id).(:type)' => sub {
 
     $USER = _anonymous_user($c);
 
-    return _show_request($c,$id);
+    return _show_request($c,$id) if ($USER);
 };
 
 get '/requests.json' => sub {
@@ -2089,17 +2090,19 @@ get '/iso/download/(#id).json' => sub {
 websocket '/ws/subscribe' => sub {
     my $c = shift;
     my $expiration = $SESSION_TIMEOUT;
+    $USER = _logged_in($c) if !$USER;
     return if !$USER;
     $expiration = $SESSION_TIMEOUT_ADMIN    if $USER->is_operator;
     $c->inactivity_timeout( $expiration );
     $c->on(message => sub {
             my ($ws, $channel ) = @_;
+            $USER = _logged_in($c) if !$USER;
             if (!$USER) {
                 cluck "Warning: USER unknown";
                 return;
             }
             return access_denied($c)
-              if !$ALLOWED_ANONYMOUS_WS{$channel} && $USER->is_temporary;
+              if !_allowed_anonymous_ws($channel) && $USER->is_temporary;
 
             $WS->subscribe( ws => $ws
                 , channel => $channel
@@ -2112,6 +2115,11 @@ websocket '/ws/subscribe' => sub {
     $c->on(finish => sub { my $ws = shift; $WS->unsubscribe($ws) });
 } => 'ws_subscribe';
 
+sub _allowed_anonymous_ws($channel) {
+    return 1 if $channel =~ m{^(machine_info|request)/} || $ALLOWED_ANONYMOUS_WS{$channel};
+    return 0;
+}
+
 sub _headers($c) {
     my %client;
     for my $name (@{$c->req->headers->names}) {
@@ -3296,7 +3304,7 @@ sub resume_machine {
 
 sub get_execution_machines_limit_per_current_user {
     my $c = shift;
-    return login($c) if !_logged_in($c);
+    return login($c) if !$USER && !_logged_in($c);
 
     my %grants = $USER->grants();
     my $start_limit = ((exists($grants{'start_limit'})) && (defined($grants{'start_limit'})) && ($grants{'start_limit'} > 0)) ? $grants{'start_limit'} : $RAVADA->settings_global()->{'backend'}->{'start_limit'}->{'value'};
@@ -3318,6 +3326,15 @@ sub list_requests {
     $c->render(json => $list_requests);
 }
 
+sub access_denied_if_no_anonymous_bases
+{
+    my $c = shift;
+
+    my $bases_anonymous = $RAVADA->list_bases_anonymous(_remote_ip($c));
+
+    return access_denied($c)    if !scalar @$bases_anonymous;
+}
+
 sub list_bases_anonymous {
     my $c = shift;
 
@@ -3357,9 +3374,10 @@ sub _get_anonymous_user {
 sub _anonymous_user {
     my $c = shift;
 
+    return if (access_denied_if_no_anonymous_bases($c));
+
     $c->stash(_user => undef);
     my $name = $c->session('anonymous_user');
-
     if (!$name) {
         $name = _new_anonymous_user($c);
         $c->session(anonymous_user => $name);
@@ -3374,6 +3392,7 @@ sub _anonymous_user {
         confess "USER $name has no id after creation"
             if !$user->id;
     }
+    $c->stash( _user => $user );
 
     return $user;
 }

t/mojo/40_anonymous.t

+use warnings;
+use strict;
+
+use Carp qw(confess);
+use Data::Dumper;
+use HTML::Lint;
+use Test::More;
+use Test::Mojo;
+use Mojo::File 'path';
+use Mojo::JSON qw(decode_json);
+
+use lib 't/lib';
+use Test::Ravada;
+
+no warnings "experimental::signatures";
+use feature qw(signatures);
+
+$ENV{MOJO_MODE} = 'development';
+my $SCRIPT = path(__FILE__)->dirname->sibling('../script/rvd_front');
+
+init('/etc/ravada.conf',0);
+my $connector = rvd_back->connector;
+like($connector->{driver} , qr/mysql/i) or BAIL_OUT;
+
+$Test::Ravada::BACKGROUND=1;
+my $t;
+
+sub list_anonymous_users() {
+    my $sth = $connector->dbh->prepare("SELECT count(*) FROM users WHERE is_temporary=1");
+    $sth->execute();
+    my ($n) = $sth->fetchrow;
+    return $n;
+}
+
+$t = Test::Mojo->new($SCRIPT);
+$t->ua->inactivity_timeout(900);
+$t->ua->connect_timeout(60);
+
+my $n_anonymous = list_anonymous_users();
+
+$t->get_ok("/anonymous");
+
+is($t->tx->res->code(), 403 );
+is(list_anonymous_users(), $n_anonymous);
+
+$t->get_ok("/logout");
+
+for my $action ( qw(clone display info view ) ) {
+    my $url = "/machine/$action/1.html";
+    $n_anonymous = list_anonymous_users();
+    $t->reset_session;
+    $t->get_ok($url);
+    is($t->tx->res->code(), 403 );
+    is(list_anonymous_users(), $n_anonymous, $url);
+}
+
+for my $route ( qw( list_bases_anonymous request/1.json ws/subscribe anonymous_logout.html anonymous/1.html anonymous/request/1.html) ) {
+    my $url = "/$route";
+    $n_anonymous = list_anonymous_users();
+    $t->reset_session;
+    $t->get_ok($url);
+    is($t->tx->res->code(), $route eq "anonymous_logout.html" ? 302 : 403 );
+    is(list_anonymous_users(), $n_anonymous, $url);
+}
+
+done_testing();