Signer errors

2016-09-01 10:16:04 +02:00
parent 2789824a51
commit 9c4d31f548
16 changed files with 236 additions and 70 deletions
--- a/signer/Cargo.toml
+++ b/signer/Cargo.toml
@@ -19,6 +19,7 @@ ws = { git = "https://github.com/ethcore/ws-rs.git", branch = "mio-upstream-stab
 ethcore-util = { path = "../util" }
 ethcore-io = { path = "../util/io" }
 ethcore-rpc = { path = "../rpc" }
+ethcore-devtools = { path = "../devtools" }
 parity-dapps-signer = { git = "https://github.com/ethcore/parity-ui.git", version = "1.4", optional = true}

 clippy = { version = "0.0.85", optional = true}
--- a/signer/src/lib.rs
+++ b/signer/src/lib.rs
@@ -54,15 +54,13 @@ extern crate jsonrpc_core;
 extern crate ws;
 #[cfg(feature = "ui")]
 extern crate parity_dapps_signer as signer;
+#[cfg(test)]
+extern crate ethcore_devtools as devtools;

 mod authcode_store;
 mod ws_server;
+#[cfg(test)]
+mod tests;

 pub use authcode_store::*;
 pub use ws_server::*;
-
-#[cfg(test)]
-mod tests {
-	#[test]
-	fn should_work() {}
-}
--- a/signer/src/tests/mod.rs
+++ b/signer/src/tests/mod.rs
@@ -0,0 +1,81 @@
+// Copyright 2015, 2016 Ethcore (UK) Ltd.
+// This file is part of Parity.
+
+// Parity is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Parity is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Parity.  If not, see <http://www.gnu.org/licenses/>.
+
+use std::env;
+use std::thread;
+use std::time::Duration;
+use std::sync::Arc;
+use devtools::http_client;
+use rpc::ConfirmationsQueue;
+use rand;
+
+use ServerBuilder;
+use Server;
+
+pub fn serve() -> Server {
+	let queue = Arc::new(ConfirmationsQueue::default());
+	let builder = ServerBuilder::new(queue, env::temp_dir());
+	let port = 35000 + rand::random::<usize>() % 10000;
+	let res = builder.start(format!("127.0.0.1:{}", port).parse().unwrap()).unwrap();
+	thread::sleep(Duration::from_millis(25));
+	res
+}
+
+pub fn request(server: Server, request: &str) -> http_client::Response {
+	http_client::request(server.addr(), request)
+}
+
+#[test]
+fn should_reject_invalid_host() {
+	// given
+	let server = serve();
+
+	// when
+	let response = request(server,
+		"\
+			GET / HTTP/1.1\r\n\
+			Host: test:8180\r\n\
+			Connection: close\r\n\
+			\r\n\
+			{}
+		"
+	);
+
+	// then
+	assert_eq!(response.status, "HTTP/1.1 403 FORBIDDEN".to_owned());
+	assert!(response.body.contains("URL Blocked"));
+}
+
+#[test]
+fn should_serve_styles_even_on_disallowed_domain() {
+	// given
+	let server = serve();
+
+	// when
+	let response = request(server,
+		"\
+			GET /styles.css HTTP/1.1\r\n\
+			Host: test:8180\r\n\
+			Connection: close\r\n\
+			\r\n\
+			{}
+		"
+	);
+
+	// then
+	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
+}
+
--- a/signer/src/ws_server/error_tpl.html
+++ b/signer/src/ws_server/error_tpl.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<meta charset="utf-8">
+		<meta name="viewport" content="width=device-width">
+		{meta}
+		<title>{title}</title>
+		<link rel="stylesheet" href="/styles.css">
+	</head>
+	<body>
+		<div class="parity-navbar"></div>
+		<div class="parity-box">
+			<h1>{title}</h1>
+			<h3>{message}</h3>
+			<p><code>{details}</code></p>
+		</div>
+		<div class="parity-status">
+			<small>{version}</small>
+		</div>
+	</body>
+</html>
--- a/signer/src/ws_server/mod.rs
+++ b/signer/src/ws_server/mod.rs
@@ -93,9 +93,15 @@ pub struct Server {
 	broadcaster_handle: Option<thread::JoinHandle<()>>,
 	queue: Arc<ConfirmationsQueue>,
 	panic_handler: Arc<PanicHandler>,
+	addr: SocketAddr,
 }

 impl Server {
+	/// Returns the address this server is listening on
+	pub fn addr(&self) -> &SocketAddr {
+		&self.addr
+	}
+
 	/// Starts a new `WebSocket` server in separate thread.
 	/// Returns a `Server` handle which closes the server when droped.
 	fn start(addr: SocketAddr, handler: Arc<IoHandler>, queue: Arc<ConfirmationsQueue>, authcodes_path: PathBuf, skip_origin_validation: bool) -> Result<Server, ServerError> {
@@ -121,7 +127,7 @@ impl Server {
 		// Spawn a thread with event loop
 		let handle = thread::spawn(move || {
 			ph.catch_panic(move || {
-				match ws.listen(addr).map_err(ServerError::from) {
+				match ws.listen(addr.clone()).map_err(ServerError::from) {
 					Err(ServerError::IoError(io)) => die(format!(
 						"Signer: Could not start listening on specified address. Make sure that no other instance is running on Signer's port. Details: {:?}",
 						io
@@ -158,6 +164,7 @@ impl Server {
 			broadcaster_handle: Some(broadcaster_handle),
 			queue: queue,
 			panic_handler: panic_handler,
+			addr: addr,
 		})
 	}
 }
--- a/signer/src/ws_server/session.rs
+++ b/signer/src/ws_server/session.rs
@@ -107,10 +107,15 @@ impl ws::Handler for Session {
 	fn on_request(&mut self, req: &ws::Request) -> ws::Result<(ws::Response)> {
 		let origin = req.header("origin").or_else(|| req.header("Origin")).map(|x| &x[..]);
 		let host = req.header("host").or_else(|| req.header("Host")).map(|x| &x[..]);
+		// Styles file is allowed for error pages to display nicely.
+		let is_styles_file = req.resource() == "/styles.css";

 		// Check request origin and host header.
 		if !self.skip_origin_validation {
-			if !origin_is_allowed(&self.self_origin, origin) && !(origin.is_none() && origin_is_allowed(&self.self_origin, host)) {
+			let is_valid = origin_is_allowed(&self.self_origin, origin) || (origin.is_none() && origin_is_allowed(&self.self_origin, host));
+			let is_valid = is_styles_file || is_valid;
+
+			if !is_valid {
 				warn!(target: "signer", "Blocked connection to Signer API from untrusted origin.");
 				return Ok(error(
 						ErrorType::Forbidden,
@@ -121,8 +126,9 @@ impl ws::Handler for Session {
 			}
 		}

-		// Detect if it's a websocket request.
-		if req.header("sec-websocket-key").is_some() {
+		// Detect if it's a websocket request
+		// (styles file skips origin validation, so make sure to prevent WS connections on this resource)
+		if req.header("sec-websocket-key").is_some() && !is_styles_file {
 			// Check authorization
 			if !auth_is_valid(&self.authcodes_path, req.protocols()) {
 				info!(target: "signer", "Unauthorized connection to Signer API blocked.");
@@ -198,7 +204,7 @@ enum ErrorType {

 fn error(error: ErrorType, title: &str, message: &str, details: Option<&str>) -> ws::Response {
 	let content = format!(
-		include_str!("../../../dapps/src/error_tpl.html"),
+		include_str!("./error_tpl.html"),
 		title=title,
 		meta="",
 		message=message,