mirror
/
libresilient
kopia lustrzana https://gitlab.com/rysiekpl/libresilient
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

basic integrity plugin roughly functional; some tests written (ref. #19)

merge-requests/6/head
Michał 'rysiek' Woźniak 2021-11-11 10:02:32 +00:00
rodzic 9aab83b889
commit eb93241db3
3 zmienionych plików z 204 dodań i 64 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

102
__tests__/plugins/basic-integrity.test.js 100644
Wyświetl plik

@ -0,0 +1,102 @@
const makeServiceWorkerEnv = require('service-worker-mock');
describe("plugin: basic-integrity", () => {
beforeEach(() => {
Object.assign(global, makeServiceWorkerEnv());
jest.resetModules();
global.LibResilientPluginConstructors = new Map()
LR = {
log: (component, ...items)=>{
console.debug(component + ' :: ', ...items)
}
}
global.resolvingFetch = jest.fn((url, init)=>{
return Promise.resolve(
new Response(
new Blob(
[JSON.stringify({ test: "success" })],
{type: "application/json"}
),
{
status: 200,
statusText: "OK",
headers: {
'ETag': 'TestingETagHeader'
},
url: url
}
)
)
})
init = {
name: 'basic-integrity',
uses: [
{
name: 'resolve-all',
description: 'Resolves all',
version: '0.0.1',
fetch: resolvingFetch
}
],
integrity: {
"https://resilient.is/test.json": "sha384-f0N6RLBmS+iCKtRHtVrzOV/tnE469hDiaBYV8jFF9LZj/VREe00W2ombY9xxUfZy"
},
requireIntegrity: true
}
self.log = function(component, ...items) {
console.debug(component + ' :: ', ...items)
}
})
test("it should register in LibResilientPluginConstructors", () => {
require("../../plugins/basic-integrity.js");
expect(LibResilientPluginConstructors.get('basic-integrity')(LR, init).name).toEqual('basic-integrity');
});
test("it should return data from the wrapped plugin", async () => {
require("../../plugins/basic-integrity.js");
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json');
expect(resolvingFetch).toHaveBeenCalled();
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should provide the wrapped plugin with integrity data for a configured URL", async () => {
require("../../plugins/basic-integrity.js");
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test.json');
expect(resolvingFetch).toHaveBeenCalledWith(
'https://resilient.is/test.json',
{
integrity: init.integrity['https://resilient.is/test.json']
});
expect(await response.json()).toEqual({test: "success"})
expect(response.url).toEqual('https://resilient.is/test.json')
});
test("it should error out for an URL with no integrity data, when requireIntegrity is true", async () => {
require("../../plugins/basic-integrity.js");
expect.assertions(3)
try {
const response = await LibResilientPluginConstructors.get('basic-integrity')(LR, init).fetch('https://resilient.is/test2.json');
} catch (e) {
expect(e).toBeInstanceOf(Error)
expect(e.toString()).toMatch('Integrity data required but not provided for')
}
expect(resolvingFetch).not.toHaveBeenCalled()
});
// TODO: test no configured integrity with requireIntegrity == false
// TODO: test integrity from init, no configured integrity
// TODO: test integrity from init, configured integrity
});

102
plugins/basic-integrity.js 100644
Wyświetl plik

@ -0,0 +1,102 @@
/* ========================================================================= *\
|* === basic-integrity: pre-configured subresource integrity for content === *|
\* ========================================================================= */
/**
* this plugin does not implement any push method
*/
// no polluting of the global namespace please
(function(LRPC){
// this never changes
const pluginName = "basic-integrity"
LRPC.set(pluginName, (LR, init={})=>{
/*
* plugin config settings
*/
// sane defaults
let defaultConfig = {
// list of plugins to wrap
// this should always contain exactly one element, but still needs to be an array
// as this is what the Service Worker script expects
uses: [{
name: "alt-fetch"
}],
// integrity data for each piece of content
// relative URL -> integrity data (string)
// integrity data can contain multiple integrity hashes, space-separated, as per:
// https://w3c.github.io/webappsec-subresource-integrity/#agility
integrity: {},
// if an URL has no integrity data associated with it, should it be allowed or not?
requireIntegrity: true
}
// merge the defaults with settings from LibResilientConfig
let config = {...defaultConfig, ...init}
// reality check: if no wrapped plugin configured, complain
if (config.uses.length != 1) {
throw new Error(`Expected exactly one plugin to wrap, but ${config.uses.length} configured.`)
}
/**
* getting content using regular HTTP(S) fetch()
*/
let fetchContent = (url, init={}) => {
// integrity data
// a string, where we will combine integrity data from init
// and from the plugin config, if they exist
let integrity = ""
// do we have integrity data in init?
if ('integrity' in init) {
integrity = init.integrity
}
// do we have integrity data in config?
if (url in config.integrity) {
integrity += ' ' + config.integrity[url]
}
// some cleanup
integrity = integrity.trim()
// reality check
if (integrity != '') {
// so we have some integrity data; great, let's use it!
init.integrity = integrity
// no integrity data available, are we even allowed to proceed?
} else if (config.requireIntegrity) {
// bail if integrity data is not available
throw new Error(`Integrity data required but not provided for: ${url}`)
}
// log
LR.log(pluginName, `integrity for: ${url}\n- ${integrity}`)
// fetch using the configured wrapped plugin
//
// NOTICE: we have no way of knowing if the wrapped plugin performs any actual integrity check
// NOTICE: if the wrapped plugin doesn't actually check integrity,
// NOTICE: setting integrity here is not going to do anything
return config.uses[0].fetch(url, init)
}
// and add ourselves to it
// with some additional metadata
return {
name: pluginName,
description: `verifying subresource integrity for resources fetched by other pluginsh`,
version: 'COMMIT_UNKNOWN',
fetch: fetchContent,
uses: config.uses
}
})
// done with not polluting the global namespace
})(LibResilientPluginConstructors)

64
plugins/static-integrity.js
Wyświetl plik

@ -1,64 +0,0 @@
/* ========================================================================= *\
|* === static-integrity: pre-configured subresource integrity for content=== *|
\* ========================================================================= */
/**
* this plugin does not implement any push method
*/
// no polluting of the global namespace please
(function(LRPC){
// this never changes
const pluginName = "static-integrity"
LRPC.set(pluginName, (LR, init={})=>{
/*
* plugin config settings
*/
// sane defaults
let defaultConfig = {
// list of plugins to wrap
uses: {
name: "alt-fetch"
},
// integrity data for each piece of content
// relative URL -> integrity data
integrity: {},
// if an URL has no integrity data associated with it, should it be allowed or not?
requireIntegrity: true
}
// merge the defaults with settings from LibResilientConfig
let config = {...defaultConfig, ...init}
/**
* getting content using regular HTTP(S) fetch()
*/
let fetchContent = (url, init={}) => {
// TODO: get integrity data for the URL
// TODO: bail (or not) if integrity data is not available
// log
LR.log(pluginName, `integrity for: ${url}\n- `)
// fetch
// TODO: what if the plugin doesn't verify integrity itself?
// TODO: what if it does? we should not re-verify, wasteful
return config.uses.fetch(url, init)
}
// and add ourselves to it
// with some additional metadata
return {
name: pluginName,
description: `fetching resources with pre-configured subresource integrity data`,
version: 'COMMIT_UNKNOWN',
fetch: fetchContent,
uses: config.uses
}
})
// done with not polluting the global namespace
})(LibResilientPluginConstructors)