Commit 415133a5 authored by Francesc Guasch

Fix anonymous access error (#1640)



* test(frontend): anonymous users

issue #1590

* Solved anonymous access issues (test 40_anonymous) (#1631)

Fixed anonymous access issues

closes issue #1590

* wip(frontend): fix anonymous crashed

* refactor(frontend): allow anonymous on start machine

* refactor(frontend): best practice on return
Co-authored-by: robertperez-upc <72500868+robertperez-upc@users.noreply.github.com>
parent f1c9e58d
......@@ -201,9 +201,10 @@ hook before_routes => sub {
if (($url =~ m{^/machine/(clone|display|info|view)/}
|| $url =~ m{^/(list_bases_anonymous|request/)}i
|| $url =~ m{^/ws/subscribe}
|| $url =~ m{^/execution_machines_limit$}
) && !_logged_in($c)) {
$USER = _anonymous_user($c);
return if $USER->is_temporary;
return if (! $USER) || ($USER->is_temporary);
}
return access_denied($c)
if $url =~ /(screenshot|\.json)/
......@@ -272,7 +273,7 @@ get '/anonymous' => sub {
my $c = shift;
# $c->render(template => 'bases', base => list_bases());
$USER = _anonymous_user($c);
return list_bases_anonymous($c);
return list_bases_anonymous($c) if ($USER);
};
get '/anonymous_logout.html' => sub {
......@@ -290,7 +291,7 @@ get '/anonymous/(#base_id).html' => sub {
my $base = $RAVADA->search_domain_by_id($base_id);
$USER = _anonymous_user($c);
return quick_start_domain($c,$base->id, $USER->name);
return quick_start_domain($c,$base->id, $USER->name) if ($USER);
};
get '/settings_global.json' => sub($c) {
......@@ -1588,7 +1589,7 @@ get '/anonymous/request/(:id).(:type)' => sub {
$USER = _anonymous_user($c);
return _show_request($c,$id);
return _show_request($c,$id) if ($USER);
};
get '/requests.json' => sub {
......@@ -2089,17 +2090,19 @@ get '/iso/download/(#id).json' => sub {
websocket '/ws/subscribe' => sub {
my $c = shift;
my $expiration = $SESSION_TIMEOUT;
$USER = _logged_in($c) if !$USER;
return if !$USER;
$expiration = $SESSION_TIMEOUT_ADMIN if $USER->is_operator;
$c->inactivity_timeout( $expiration );
$c->on(message => sub {
my ($ws, $channel ) = @_;
$USER = _logged_in($c) if !$USER;
if (!$USER) {
cluck "Warning: USER unknown";
return;
}
return access_denied($c)
if !$ALLOWED_ANONYMOUS_WS{$channel} && $USER->is_temporary;
if !_allowed_anonymous_ws($channel) && $USER->is_temporary;
$WS->subscribe( ws => $ws
, channel => $channel
......@@ -2112,6 +2115,11 @@ websocket '/ws/subscribe' => sub {
$c->on(finish => sub { my $ws = shift; $WS->unsubscribe($ws) });
} => 'ws_subscribe';
sub _allowed_anonymous_ws($channel) {
return 1 if $channel =~ m{^(machine_info|request)/} || $ALLOWED_ANONYMOUS_WS{$channel};
return 0;
}
sub _headers($c) {
my %client;
for my $name (@{$c->req->headers->names}) {
......@@ -3296,7 +3304,7 @@ sub resume_machine {
sub get_execution_machines_limit_per_current_user {
my $c = shift;
return login($c) if !_logged_in($c);
return login($c) if !$USER && !_logged_in($c);
my %grants = $USER->grants();
my $start_limit = ((exists($grants{'start_limit'})) && (defined($grants{'start_limit'})) && ($grants{'start_limit'} > 0)) ? $grants{'start_limit'} : $RAVADA->settings_global()->{'backend'}->{'start_limit'}->{'value'};
......@@ -3318,6 +3326,15 @@ sub list_requests {
$c->render(json => $list_requests);
}
sub access_denied_if_no_anonymous_bases
{
my $c = shift;
my $bases_anonymous = $RAVADA->list_bases_anonymous(_remote_ip($c));
return access_denied($c) if !scalar @$bases_anonymous;
}
sub list_bases_anonymous {
my $c = shift;
......@@ -3357,9 +3374,10 @@ sub _get_anonymous_user {
sub _anonymous_user {
my $c = shift;
return if (access_denied_if_no_anonymous_bases($c));
$c->stash(_user => undef);
my $name = $c->session('anonymous_user');
if (!$name) {
$name = _new_anonymous_user($c);
$c->session(anonymous_user => $name);
......@@ -3374,6 +3392,7 @@ sub _anonymous_user {
confess "USER $name has no id after creation"
if !$user->id;
}
$c->stash( _user => $user );
return $user;
}
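Review bot: `_allowed_anonymous_ws` widens the anonymous websocket allow-list from the exact keys of `%ALLOWED_ANONYMOUS_WS` to any channel that merely starts with `machine_info/` or `request/`, and nothing in the `/ws/subscribe` hunk ties the channel id to the caller, so unless `$WS->subscribe` or the publisher filters events by owner a temporary user can follow `machine_info/<id>` or `request/<id>` for ids that are not theirs; either restrict the match to the ids recorded in the caller's session or state the assumption above the sub, e.g. `# Prefix match only: the publisher must filter machine_info/request events by owner`. `access_denied_if_no_anonymous_bases` has no explicit return on the allowed path, so callers receive the value of the failed `if` modifier; end it with `return;` so `_anonymous_user`'s `return if (...)` does not depend on that accident. In `/anonymous/(#base_id).html` the new line still dereferences `$base->id` before `_anonymous_user` has been consulted and without checking that `search_domain_by_id` found anything, so an unknown id dies inside the route instead of being denied; move the lookup after the anonymous check and guard it with `return access_denied($c) if !$base;`. The `before_routes` hook and the `/ws/subscribe` handler both continue outside their hunks, so I cannot see whether `$USER` is reset per request before the `if !$USER` guards run; if it is a process-wide global, those guards reuse whatever the previous request left in it.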
......
use warnings;
use strict;
use Carp qw(confess);
use Data::Dumper;
use HTML::Lint;
use Test::More;
use Test::Mojo;
use Mojo::File 'path';
use Mojo::JSON qw(decode_json);
use lib 't/lib';
use Test::Ravada;
no warnings "experimental::signatures";
use feature qw(signatures);
$ENV{MOJO_MODE} = 'development';
my $SCRIPT = path(__FILE__)->dirname->sibling('../script/rvd_front');
init('/etc/ravada.conf',0);
my $connector = rvd_back->connector;
like($connector->{driver} , qr/mysql/i) or BAIL_OUT;
$Test::Ravada::BACKGROUND=1;
my $t;
sub list_anonymous_users() {
my $sth = $connector->dbh->prepare("SELECT count(*) FROM users WHERE is_temporary=1");
$sth->execute();
my ($n) = $sth->fetchrow;
return $n;
}
$t = Test::Mojo->new($SCRIPT);
$t->ua->inactivity_timeout(900);
$t->ua->connect_timeout(60);
my $n_anonymous = list_anonymous_users();
$t->get_ok("/anonymous");
is($t->tx->res->code(), 403 );
is(list_anonymous_users(), $n_anonymous);
$t->get_ok("/logout");
for my $action ( qw(clone display info view ) ) {
my $url = "/machine/$action/1.html";
$n_anonymous = list_anonymous_users();
$t->reset_session;
$t->get_ok($url);
is($t->tx->res->code(), 403 );
is(list_anonymous_users(), $n_anonymous, $url);
}
for my $route ( qw( list_bases_anonymous request/1.json ws/subscribe anonymous_logout.html anonymous/1.html anonymous/request/1.html) ) {
my $url = "/$route";
$n_anonymous = list_anonymous_users();
$t->reset_session;
$t->get_ok($url);
is($t->tx->res->code(), $route eq "anonymous_logout.html" ? 302 : 403 );
is(list_anonymous_users(), $n_anonymous, $url);
}
done_testing();
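Review bot: Every 403 assertion in this file presumes that no base in the test database has anonymous access enabled, but the script never arranges or checks that precondition, so a base left enabled by another test turns these into confusing failures; assert it once up front, e.g. `is(scalar @{ rvd_back->list_bases_anonymous('127.0.0.1') }, 0, 'no anonymous bases')`, assuming `rvd_back` is the same back-end object the front-end calls `$RAVADA->list_bases_anonymous` on. On style, `$t->get_ok($url); is($t->tx->res->code(), 403);` reads better as `$t->get_ok($url)->status_is(403, $url)`, which also gives every status check a description (the first `is` calls in the file have none). `list_anonymous_users` counts `is_temporary=1` rows across the whole table, so the before/after comparison only holds for a serial suite; a one-line comment saying so would save the next reader from wondering why a parallel run flakes.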