diff --git a/__tests__/plugins/integrity-check.test.js b/__tests__/plugins/integrity-check.test.js new file mode 100644 index 0000000..b4c2bf0 --- /dev/null +++ b/__tests__/plugins/integrity-check.test.js @@ -0,0 +1,208 @@ +describe("plugin: integrity-check", () => { + + beforeEach(() => { + global.nodeFetch = require('node-fetch') + global.Request = global.nodeFetch.Request + global.Response = global.nodeFetch.Response + global.crypto = require('crypto').webcrypto + global.Blob = require('buffer').Blob; + jest.resetModules(); + self = global + global.btoa = (bin) => { + return Buffer.from(bin, 'binary').toString('base64') + } + + global.LibResilientPluginConstructors = new Map() + LR = { + log: (component, ...items)=>{ + console.debug(component + ' :: ', ...items) + } + } + + global.resolvingFetch = jest.fn((url, init)=>{ + return Promise.resolve( + new Response( + ['{"test": "success"}'], + { + type: "application/json", + status: 200, + statusText: "OK", + headers: { + 'ETag': 'TestingETagHeader' + }, + url: url + } + ) + ) + }) + + init = { + name: 'integrity-check', + uses: [ + { + name: 'resolve-all', + description: 'Resolves all', + version: '0.0.1', + fetch: resolvingFetch + } + ], + requireIntegrity: false + } + requestInit = { + integrity: "sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0=" + } + self.log = function(component, ...items) { + console.debug(component + ' :: ', ...items) + } + }) + + test("it should register in LibResilientPluginConstructors", () => { + require("../../plugins/integrity-check.js"); + expect(LibResilientPluginConstructors.get('integrity-check')(LR, init).name).toEqual('integrity-check'); + }); + + test("it should throw an error when there aren't any wrapped plugins configured", async () => { + require("../../plugins/integrity-check.js"); + init = { + name: 'integrity-check', + uses: [] + } + + expect.assertions(2); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json') + } catch (e) { + expect(e).toBeInstanceOf(Error) + expect(e.toString()).toMatch('Expected exactly one plugin to wrap') + } + }); + + test("it should throw an error when there are more than one wrapped plugins configured", async () => { + require("../../plugins/integrity-check.js"); + init = { + name: 'integrity-check', + uses: [{ + name: 'plugin-1' + },{ + name: 'plugin-2' + }] + } + + expect.assertions(2); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json') + } catch (e) { + expect(e).toBeInstanceOf(Error) + expect(e.toString()).toMatch('Expected exactly one plugin to wrap') + } + }); + + test("it should throw an error when an unsupported digest algorithm is used", async () => { + require("../../plugins/integrity-check.js"); + + expect.assertions(1); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha000-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0=" + }) + } catch (e) { + expect(e.toString()).toMatch('No digest matched') + } + }); + + test("it should return data from the wrapped plugin when no integrity data is available and requireIntegrity is false", async () => { + require("../../plugins/integrity-check.js"); + + const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json'); + + expect(resolvingFetch).toHaveBeenCalled(); + expect(await response.json()).toEqual({test: "success"}) + expect(response.url).toEqual('https://resilient.is/test.json') + }); + + test("it should reject no integrity data is available but requireIntegrity is true", async () => { + require("../../plugins/integrity-check.js"); + init.requireIntegrity = true + + expect.assertions(2); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json') + } catch (e) { + expect(e).toBeInstanceOf(Error) + expect(e.toString()).toMatch('Integrity data required but not provided for') + } + }); + + test("it should check integrity and return data from the wrapped plugin if SHA-256 integrity data matches", async () => { + require("../../plugins/integrity-check.js"); + + const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', requestInit); + + expect(resolvingFetch).toHaveBeenCalled(); + expect(await response.json()).toEqual({test: "success"}) + expect(response.url).toEqual('https://resilient.is/test.json') + }); + + test("it should check integrity and return data from the wrapped plugin if SHA-384 integrity data matches", async () => { + require("../../plugins/integrity-check.js"); + + const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha384-x4iqiH3PIPD51TibGEhTju/WhidcIEcnrpdklYEtIS87f96c4nLyj6CuwUp8kyOo" + }); + + expect(resolvingFetch).toHaveBeenCalled(); + expect(await response.json()).toEqual({test: "success"}) + expect(response.url).toEqual('https://resilient.is/test.json') + }); + + test("it should check integrity and return data from the wrapped plugin if SHA-512 integrity data matches", async () => { + require("../../plugins/integrity-check.js"); + + const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha512-o+J3lPk7DU8xOJaNfZI5T4Upmaoc9XOVxOWPCFAy4pTgvS8LrJZ8iNis/2ZaryU4bB33cNSXQBxUDvwDxknEBQ==" + }); + + expect(resolvingFetch).toHaveBeenCalled(); + expect(await response.json()).toEqual({test: "success"}) + expect(response.url).toEqual('https://resilient.is/test.json') + }); + + test("it should check integrity of the data returned from the wrapped plugin and reject if it doesn't match", async () => { + require("../../plugins/integrity-check.js"); + + expect.assertions(1); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC" + }); + } catch(e) { + expect(e.toString()).toMatch('No digest matched') + } + }); + + test("it should check integrity of the data returned from the wrapped plugin and resolve if at least one of multiple integrity hash matches", async () => { + require("../../plugins/integrity-check.js"); + + const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0=" + }); + + expect(resolvingFetch).toHaveBeenCalled(); + expect(await response.json()).toEqual({test: "success"}) + expect(response.url).toEqual('https://resilient.is/test.json') + }); + + test("it should check integrity of the data returned from the wrapped plugin and reject if all out of multiple integrity hash do not match", async () => { + require("../../plugins/integrity-check.js"); + + expect.assertions(1); + try { + await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', { + integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC sha256-WRONGWRONGWRONGWRONGWRONGWRONGWRONGWRONGWRON" + }); + } catch(e) { + expect(e.toString()).toMatch('No digest matched') + } + }); + +}); diff --git a/plugins/integrity-check.js b/plugins/integrity-check.js new file mode 100644 index 0000000..9cc2a8f --- /dev/null +++ b/plugins/integrity-check.js @@ -0,0 +1,184 @@ +/* ========================================================================= *\ +|* === integrity-check: subresource integrity checks for wrapped plugins === *| +\* ========================================================================= */ + +/** + * this plugin does not implement any push method + */ + +// no polluting of the global namespace please +(function(LRPC){ + // this never changes + const pluginName = "integrity-check" + LRPC.set(pluginName, (LR, init={})=>{ + + /* + * plugin config settings + */ + + // sane defaults + let defaultConfig = { + + // list of plugins to wrap + // this should always contain exactly one element, but still needs to be an array + // as this is what the Service Worker script expects + uses: [{ + name: "alt-fetch" + }], + + // if there is no integrity data available for an URL, should the request be allowed to proceed? + requireIntegrity: false, + + // should *all* available hashes for the resource be checked and required? + // + // by default, if the resource matches *any* of the hashes, it's considered good to go + // this follows the spec; from the documentation: + // + // Note: An integrity value may contain multiple hashes separated by whitespace. + // A resource will be loaded if it matches one of those hashes. + // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity + // + // TODO: not implemented yet! + // TODO: https://gitlab.com/rysiekpl/libresilient/-/issues/22 + //enforceAllHashes: false + } + + // merge the defaults with settings from LibResilientConfig + let config = {...defaultConfig, ...init} + + // reality check: if no wrapped plugin configured, complain + if (config.uses.length != 1) { + throw new Error(`Expected exactly one plugin to wrap, but ${config.uses.length} configured.`) + } + + /** + * helper function, converting binary to base64 + * this need not be extremely fast, since it will only be used on digests + * + * binary_data - data to convert to base64 + */ + let binToBase64 = (binary_data) => { + return btoa( + (new Uint8Array(binary_data)) + .reduce((bin, byte)=>{ + return bin += String.fromCharCode(byte) + }, '') + ) + } + + /** + * helper function, getting the digest algo + * from algorithm part of an integrity string + * + * integrity_algo - the algorithm part of an integrity string + */ + let getAlgo = (integrity_algo) => { + switch (integrity_algo.toLowerCase()) { + case 'sha256': + return 'SHA-256'; break; + case 'sha384': + return 'SHA-384'; break; + case 'sha512': + return 'SHA-512'; break; + default: + throw new Error(`Unsupported integrity digest algorithm: ${nextIntegrityHash[0]}`) + } + } + + /** + * getting content using regular HTTP(S) fetch() + * + * url - the url to fetch + * init - Request() init data + * + * NOTICE: we have no way of knowing if the wrapped plugin performs any actual integrity check + * NOTICE: if the wrapped plugin does check integrity, this will lead to checking it twice, + * NOTICE: wasting resources + */ + let fetchAndVerifyContent = (url, init={}) => { + + // integrity data + var integrity = [] + + // do we have integrity data in init? + if ('integrity' in init && init.integrity != "") { + // we need an array + integrity = init.integrity.split(' ') + LR.log(pluginName, `integrity for: ${url}\n- ${integrity}`) + + // no integrity data available, are we even allowed to proceed? + } else if (config.requireIntegrity) { + + // bail if integrity data is not available + throw new Error(`Integrity data required but not provided for: ${url}`) + } + + // fetch data using the configured wrapped plugin + responsePromise = config.uses[0].fetch(url, init) + + // if we have no integrity data, we really do not have anything to do + // apart from returning the response + if (integrity.length == 0) { + LR.log(pluginName, `no integrity data provided for: ${url}`) + return responsePromise; + } + + LR.log(pluginName, `preparing to check integrity of: ${url}`) + + // down the Promise slide we go + // + // TODO: what if responsePromise got rejected? + // TODO: how to handle split()-related artifacts (empty strings etc)? + return responsePromise + // get the blob from a cloned response + .then(response=>response.clone().blob()) + .then(blob=>blob.arrayBuffer()) + .then((ab)=>{ + // go sequentially, find the first match + return integrity + // c.f. https://css-tricks.com/why-using-reduce-to-sequentially-resolve-promises-works/ + .reduce( + (previousPromise, nextIntegrityHash)=>{ + return previousPromise + .catch((err)=>{ + // it's a string, we need an array + nextIntegrityHash = nextIntegrityHash.split('-') + // make sure the algo name is compatible with SubtleCrypto digest algo names + nextIntegrityHash[0] = getAlgo(nextIntegrityHash[0]) + LR.log(pluginName, `verifying integrity for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${nextIntegrityHash[1]}`) + return crypto + .subtle + .digest(nextIntegrityHash[0], ab) + }) + .then((digest)=>{ + let b64digest = binToBase64(digest) + LR.log(pluginName, `actual digest for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${b64digest}`) + if (b64digest == nextIntegrityHash[1]) { + LR.log(pluginName, `successfully verified integrity for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${nextIntegrityHash[1]}`) + return responsePromise + } else { + return Promise.reject('Digest does not match.') + } + }) + }, + // we need to start with a rejected promise, since we're doing a catch()-slide + Promise.reject()) + }) + .catch((err)=>{ + return Promise.reject(`No digest matched for: ${url}`) + }) + } + + // and add ourselves to it + // with some additional metadata + return { + name: pluginName, + description: `performing subresource integrity checks for resources fetched by other plugins`, + version: 'COMMIT_UNKNOWN', + fetch: fetchAndVerifyContent, + uses: config.uses + } + + }) +// done with not polluting the global namespace +})(LibResilientPluginConstructors)