mirror
/
libresilient
kopia lustrzana https://gitlab.com/rysiekpl/libresilient
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

simple integrity plugin

merge-requests/9/merge
Michał "rysiek" Woźniak 2021-11-11 22:39:26 +00:00
rodzic ffe2b2c40c
commit 9330f9f796
2 zmienionych plików z 283 dodań i 0 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

181
__tests__/plugins/basic-integrity.test.js 100644
Wyświetl plik

@ -0,0 +1,181 @@
const makeServiceWorkerEnv = require('service-worker-mock');
describe("plugin: basic-integrity", () => {
beforeEach(() => {
Object.assign(global, makeServiceWorkerEnv());
jest.resetModules();
global.LibResilientPluginConstructors = new Map()
LR = {
log: (component, ...items)=>{
console.debug(component + ' :: ', ...items)
}
}
global.resolvingFetch = jest.fn((url, init)=>{
return Promise.resolve(
new Response(
new Blob(
[JSON.stringify({ test: "success" })],
{type: "application/json"}
),
{
status: 200,
statusText: "OK",
headers: {
'ETag': 'TestingETagHeader'
},
url: url
}
)
)
})
init = {
name: 'basic-integrity',
uses: [
{
name: 'resolve-all',
description: 'Resolves all',
version: '0.0.1',
fetch: resolvingFetch
}
],
integrity: {
"https://resilient.is/test.json": "sha384-kn5dhxz4RpBmx7xC7Dmq2N43PclV9U/niyh+4Km7oz5W0FaWdz3Op+3K0Qxz8y3z"
},
requireIntegrity: true
}
self.log = function(component, ...items) {
console.debug(component + ' :: ', ...items)
}
})
test("it should register in LibResilientPluginConstructors", () => {
require("../../plugins/basic-integrity.js");
expect(LibResilientPluginConstructors.get('basic-integrity')(LR, init).name).toEqual('basic-integrity');
});
test("it should throw an error when there aren't any wrapped plugins configured", async () => {
require("../../plugins/basic-integrity.js");
init = {
name: 'basic-integrity',
uses: []
}
expect.assertions(2);
try {
await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json')
} catch (e) {
expect(e).toBeInstanceOf(Error)
expect(e.toString()).toMatch('Expected exactly one plugin to wrap')
}
});
test("it should throw an error when there are more than one wrapped plugins configured", async () => {
require("../../plugins/basic-integrity.js");
init = {
name: 'basic-integrity',
uses: [{
name: 'plugin-1'
},{
name: 'plugin-2'
}]
}
expect.assertions(2);
try {
await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json')
} catch (e) {
expect(e).toBeInstanceOf(Error)
expect(e.toString()).toMatch('Expected exactly one plugin to wrap')
}
});
test("it should return data from the wrapped plugin", async () => {
require("../../plugins/basic-integrity.js");
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json');
expect(resolvingFetch).toHaveBeenCalled();
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should provide the wrapped plugin with integrity data for a configured URL", async () => {
require("../../plugins/basic-integrity.js");
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json');
expect(resolvingFetch).toHaveBeenCalledWith(
'https://resilient.is/test.json',
{
integrity: init.integrity['https://resilient.is/test.json']
});
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should error out for an URL with no integrity data, when requireIntegrity is true", async () => {
require("../../plugins/basic-integrity.js");
expect.assertions(3)
try {
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test2.json');
} catch (e) {
expect(e).toBeInstanceOf(Error)
expect(e.toString()).toMatch('Integrity data required but not provided for')
}
expect(resolvingFetch).not.toHaveBeenCalled()
});
test("it should return data from the wrapped plugin with no integrity data if requireIntegrity is false", async () => {
require("../../plugins/basic-integrity.js");
init.integrity = {}
init.requireIntegrity = false
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json');
expect(resolvingFetch).toHaveBeenCalled();
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/test.json', {});
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should return data from the wrapped plugin with no integrity data configured when requireIntegrity is true and integrity data is provided in Request() init data", async () => {
require("../../plugins/basic-integrity.js");
init.integrity = {}
const response = await LibResilientPluginConstructors
.get('basic-integrity')(LR, init)
.fetch('https://resilient.is/test.json', {
integrity: "sha256-Aj9x0DWq9GUL1L8HibLCMa8YLKnV7IYAfpYurqrFwiQ="
});
expect(resolvingFetch).toHaveBeenCalled();
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/test.json', {integrity: "sha256-Aj9x0DWq9GUL1L8HibLCMa8YLKnV7IYAfpYurqrFwiQ="});
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should return data from the wrapped plugin with integrity data both configured and coming from Request() init", async () => {
require("../../plugins/basic-integrity.js");
const response = await LibResilientPluginConstructors
.get('basic-integrity')(LR, init)
.fetch('https://resilient.is/test.json', {
integrity: "sha256-Aj9x0DWq9GUL1L8HibLCMa8YLKnV7IYAfpYurqrFwiQ="
});
expect(resolvingFetch).toHaveBeenCalled();
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/test.json', {integrity: "sha256-Aj9x0DWq9GUL1L8HibLCMa8YLKnV7IYAfpYurqrFwiQ= sha384-kn5dhxz4RpBmx7xC7Dmq2N43PclV9U/niyh+4Km7oz5W0FaWdz3Op+3K0Qxz8y3z"});
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
});

102
plugins/basic-integrity.js 100644
Wyświetl plik

@ -0,0 +1,102 @@
/* ========================================================================= *\
|* === basic-integrity: pre-configured subresource integrity for content === *|
\* ========================================================================= */
/**
* this plugin does not implement any push method
*/
// no polluting of the global namespace please
(function(LRPC){
// this never changes
const pluginName = "basic-integrity"
LRPC.set(pluginName, (LR, init={})=>{
/*
* plugin config settings
*/
// sane defaults
let defaultConfig = {
// list of plugins to wrap
// this should always contain exactly one element, but still needs to be an array
// as this is what the Service Worker script expects
uses: [{
name: "alt-fetch"
}],
// integrity data for each piece of content
// relative URL -> integrity data (string)
// integrity data can contain multiple integrity hashes, space-separated, as per:
// https://w3c.github.io/webappsec-subresource-integrity/#agility
integrity: {},
// if an URL has no integrity data associated with it, should it be allowed or not?
requireIntegrity: true
}
// merge the defaults with settings from LibResilientConfig
let config = {...defaultConfig, ...init}
// reality check: if no wrapped plugin configured, complain
if (config.uses.length != 1) {
throw new Error(`Expected exactly one plugin to wrap, but ${config.uses.length} configured.`)
}
/**
* getting content using regular HTTP(S) fetch()
*/
let fetchContent = (url, init={}) => {
// integrity data
// a string, where we will combine integrity data from init
// and from the plugin config, if they exist
let integrity = ""
// do we have integrity data in init?
if ('integrity' in init) {
integrity = init.integrity
}
// do we have integrity data in config?
if (url in config.integrity) {
integrity += ' ' + config.integrity[url]
}
// some cleanup
integrity = integrity.trim()
// reality check
if (integrity != '') {
// so we have some integrity data; great, let's use it!
init.integrity = integrity
// no integrity data available, are we even allowed to proceed?
} else if (config.requireIntegrity) {
// bail if integrity data is not available
throw new Error(`Integrity data required but not provided for: ${url}`)
}
// log
LR.log(pluginName, `integrity for: ${url}\n- ${integrity}`)
// fetch using the configured wrapped plugin
//
// NOTICE: we have no way of knowing if the wrapped plugin performs any actual integrity check
// NOTICE: if the wrapped plugin doesn't actually check integrity,
// NOTICE: setting integrity here is not going to do anything
return config.uses[0].fetch(url, init)
}
// and add ourselves to it
// with some additional metadata
return {
name: pluginName,
description: `verifying subresource integrity for resources fetched by other pluginsh`,
version: 'COMMIT_UNKNOWN',
fetch: fetchContent,
uses: config.uses
}
})
// done with not polluting the global namespace
})(LibResilientPluginConstructors)