Fix and test the github admin route (#1886)

Fix regressions in the github admin and token acceptor endpoints, introduced in #1813.
badges · Aug 11, 2018 · 39d3930 · 39d3930
1 parent cd6c38a
commit 39d3930
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 8 deletions.
diff --git a/lib/github-auth.js b/lib/github-auth.js
@@ -2,6 +2,7 @@
 
 const crypto = require('crypto')
 const log = require('./log')
+const secretIsValid = require('./sys/secret-is-valid')
 const queryString = require('query-string')
 const request = require('request')
 const autosave = require('json-autosave')
@@ -121,9 +122,7 @@ function setRoutes(server) {
   })
 
   server.route(/^\/github-auth\/add-token$/, function(data, match, end, ask) {
-    if (
-      !crypto.timingSafeEqual(data.shieldsSecret, serverSecrets.shieldsSecret)
-    ) {
+    if (!secretIsValid(data.shieldsSecret)) {
       // An unknown entity tries to connect. Let the connection linger for 10s.
       return setTimeout(function() {
         end('Invalid secret.')

diff --git a/lib/sys/secret-is-valid.js b/lib/sys/secret-is-valid.js
@@ -3,7 +3,9 @@
 const serverSecrets = require('../server-secrets')
 
 function secretIsValid(secret = '') {
-  return constEq(secret, serverSecrets.shieldsSecret)
+  return (
+    serverSecrets.shieldsSecret && constEq(secret, serverSecrets.shieldsSecret)
+  )
 }
 
 function constEq(a, b) {

diff --git a/services/github/auth/admin.js b/services/github/auth/admin.js
@@ -1,8 +1,7 @@
 'use strict'
 
-const crypto = require('crypto')
 const { serializeDebugInfo } = require('../../../lib/github-auth')
-const serverSecrets = require('../../../lib/server-secrets')
+const secretIsValid = require('../../../lib/sys/secret-is-valid')
 
 function setRoutes(server) {
   // Allow the admin to obtain the tokens for operational and debugging
@@ -16,9 +15,9 @@ function setRoutes(server) {
   // password.
   //
   // e.g.
-  // curl -u ':very-very-secret' 'https://example.com/$github-auth/tokens'
+  // curl --insecure -u ':very-very-secret' 'https://s0.shields-server.com/$github-auth/tokens'
   server.ajax.on('github-auth/tokens', (json, end, ask) => {
-    if (!crypto.timingSafeEqual(ask.password, serverSecrets.shieldsSecret)) {
+    if (!secretIsValid(ask.password)) {
       // An unknown entity tries to connect. Let the connection linger for a minute.
       return setTimeout(function() {
         end('Invalid secret.')

diff --git a/services/github/auth/admin.spec.js b/services/github/auth/admin.spec.js
@@ -0,0 +1,76 @@
+'use strict'
+
+const { expect } = require('chai')
+const sinon = require('sinon')
+const Camp = require('camp')
+const fetch = require('node-fetch')
+const config = require('../../../lib/test-config')
+const serverSecrets = require('../../../lib/server-secrets')
+const { setRoutes } = require('./admin')
+
+function createAuthHeader({ username, password }) {
+  const headers = new fetch.Headers()
+  const encoded = Buffer.from(`${username}:${password}`).toString('base64')
+  headers.append('authorization', `Basic ${encoded}`)
+  return headers
+}
+
+describe('GitHub admin route', function() {
+  const validCredentials = {
+    username: '',
+    password: '7'.repeat(40),
+  }
+
+  let sandbox
+  beforeEach(function() {
+    sandbox = sinon.createSandbox()
+    // Make this work when there is no `shieldsSecret` defined.
+    serverSecrets.shieldsSecret = undefined
+    sandbox
+      .stub(serverSecrets, 'shieldsSecret')
+      .value(validCredentials.password)
+  })
+  afterEach(function() {
+    sandbox.restore()
+  })
+
+  const baseUrl = `http://127.0.0.1:${config.port}`
+
+  let camp
+  before(function(done) {
+    camp = Camp.start({ port: config.port, hostname: '::' })
+    camp.on('listening', () => done())
+  })
+  after(function(done) {
+    if (camp) {
+      camp.close(() => done())
+      camp = undefined
+    }
+  })
+
+  before(function() {
+    setRoutes(camp)
+  })
+
+  context('the password is correct', function() {
+    it('returns a valid JSON response', async function() {
+      const res = await fetch(`${baseUrl}/$github-auth/tokens`, {
+        headers: createAuthHeader(validCredentials),
+      })
+      expect(res.ok).to.be.true
+      expect(await res.json()).to.be.ok
+    })
+  })
+
+  // Disabled because this code isn't modified often and the test is very
+  // slow. I wasn't able to make this work with fake timers:
+  // https://github.com/sinonjs/sinon/issues/1739
+  // context('the password is missing', function() {
+  //   it('returns the expected message', async function() {
+  //     this.timeout(11000)
+  //     const res = await fetch(`${baseUrl}/$github-auth/tokens`)
+  //     expect(res.ok).to.be.true
+  //     expect(await res.text()).to.equal('"Invalid secret."')
+  //   })
+  // })
+})