syncthing/test/http_test.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.

//go:build integration
// +build integration

package integration

import (
	"bytes"
	"io"
	"net/http"
	"os"
	"strings"
	"testing"

	"github.com/syncthing/syncthing/lib/protocol"
	"github.com/syncthing/syncthing/lib/rc"
)

func TestHTTPGetIndex(t *testing.T) {
	p := startInstance(t, 2)
	defer checkedStop(t, p)

	// Check for explicit index.html

	res, err := http.Get("http://localhost:8082/index.html")
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Errorf("Status %d != 200", res.StatusCode)
	}
	bs, err := io.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	if len(bs) < 1024 {
		t.Errorf("Length %d < 1024", len(bs))
	}
	if !bytes.Contains(bs, []byte("</html>")) {
		t.Error("Incorrect response")
	}
	if res.Header.Get("Set-Cookie") == "" {
		t.Error("No set-cookie header")
	}
	res.Body.Close()

	// Check for implicit index.html

	res, err = http.Get("http://localhost:8082/")
	if err != nil {
		t.Fatal(err)
	}
	if res.StatusCode != 200 {
		t.Errorf("Status %d != 200", res.StatusCode)
	}
	bs, err = io.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	if len(bs) < 1024 {
		t.Errorf("Length %d < 1024", len(bs))
	}
	if !bytes.Contains(bs, []byte("</html>")) {
		t.Error("Incorrect response")
	}
	if res.Header.Get("Set-Cookie") == "" {
		t.Error("No set-cookie header")
	}
	res.Body.Close()
}

func TestHTTPGetIndexAuth(t *testing.T) {
	p := startInstance(t, 1)
	defer checkedStop(t, p)

	// Without auth should give 401

	res, err := http.Get("http://127.0.0.1:8081/")
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 401 {
		t.Errorf("Status %d != 401", res.StatusCode)
	}

	// With wrong username/password should give 401

	req, err := http.NewRequest("GET", "http://127.0.0.1:8081/", nil)
	if err != nil {
		t.Fatal(err)
	}
	req.SetBasicAuth("testuser", "wrongpass")

	res, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 401 {
		t.Fatalf("Status %d != 401", res.StatusCode)
	}

	// With correct username/password should succeed

	req, err = http.NewRequest("GET", "http://127.0.0.1:8081/", nil)
	if err != nil {
		t.Fatal(err)
	}
	req.SetBasicAuth("testuser", "testpass")

	res, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200", res.StatusCode)
	}
}

func TestHTTPOptions(t *testing.T) {
	p := startInstance(t, 2)
	defer checkedStop(t, p)

	req, err := http.NewRequest("OPTIONS", "http://127.0.0.1:8082/rest/system/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 204 {
		t.Fatalf("Status %d != 204 for OPTIONS", res.StatusCode)
	}
}

func TestHTTPPOSTWithoutCSRF(t *testing.T) {
	p := startInstance(t, 2)
	defer checkedStop(t, p)

	// Should fail without CSRF

	req, err := http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 403 {
		t.Fatalf("Status %d != 403 for POST", res.StatusCode)
	}

	// Get CSRF

	req, err = http.NewRequest("GET", "http://127.0.0.1:8082/", nil)
	if err != nil {
		t.Fatal(err)
	}
	res, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	hdr := res.Header.Get("Set-Cookie")
	id := res.Header.Get("X-Syncthing-ID")[:protocol.ShortIDStringLength]
	if !strings.Contains(hdr, "CSRF-Token") {
		t.Error("Missing CSRF-Token in", hdr)
	}

	// Should succeed with CSRF

	req, err = http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}

	req.Header.Set("X-CSRF-Token-"+id, hdr[len("CSRF-Token-"+id+"="):])
	res, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 200 {
		t.Fatalf("Status %d != 200 for POST", res.StatusCode)
	}

	// Should fail with incorrect CSRF

	req, err = http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)
	if err != nil {
		t.Fatal(err)
	}
	req.Header.Set("X-CSRF-Token-"+id, hdr[len("CSRF-Token-"+id+"="):]+"X")
	res, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatal(err)
	}
	res.Body.Close()
	if res.StatusCode != 403 {
		t.Fatalf("Status %d != 403 for POST", res.StatusCode)
	}
}

func setupAPIBench() *rc.Process {
	err := removeAll("s1", "s2", "h1/index*", "h2/index*")
	if err != nil {
		panic(err)
	}

	err = generateFiles("s1", 25000, 20, "../LICENSE")
	if err != nil {
		panic(err)
	}

	err = os.WriteFile("s1/knownfile", []byte("somedatahere"), 0644)
	if err != nil {
		panic(err)
	}

	// This will panic if there is an actual failure to start, when we try to
	// call nil.Fatal(...)
	return startInstance(nil, 1)
}

func benchmarkURL(b *testing.B, url string) {
	p := setupAPIBench()
	defer p.Stop()
	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		_, err := p.Get(url)
		if err != nil {
			b.Fatal(err)
		}
	}
}

func BenchmarkAPI_db_completion(b *testing.B) {
	benchmarkURL(b, "/rest/db/completion?folder=default&device="+protocol.LocalDeviceID.String())
}

func BenchmarkAPI_db_file(b *testing.B) {
	benchmarkURL(b, "/rest/db/file?folder=default&file=knownfile")
}

func BenchmarkAPI_db_ignores(b *testing.B) {
	benchmarkURL(b, "/rest/db/ignores?folder=default")
}

func BenchmarkAPI_db_need(b *testing.B) {
	benchmarkURL(b, "/rest/db/need?folder=default")
}

func BenchmarkAPI_db_status(b *testing.B) {
	benchmarkURL(b, "/rest/db/status?folder=default")
}

func BenchmarkAPI_db_browse_dirsonly(b *testing.B) {
	benchmarkURL(b, "/rest/db/browse?folder=default&dirsonly=true")
}
Use more inclusive copyright header 2014-11-16 21:13:20 +01:00			`// Copyright (C) 2014 The Syncthing Authors.`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`//`
MPLv2 2015-03-07 21:36:35 +01:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
all: Update license url to https (ref #3976) 2017-02-09 07:52:18 +01:00			`// You can obtain one at https://mozilla.org/MPL/2.0/.`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00
all: Update build constraints to Go 1.17 style (#7894) 2021-08-17 10:10:41 +02:00			`//go:build integration`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`// +build integration`

Improve and clean up integration tests, benchmark. 2014-12-17 12:31:03 +01:00			`package integration`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00
			`import (`
Enable gzip encoding static files for webgui 2015-04-04 19:06:20 +02:00			`"bytes"`
all: Remove usage of deprecated io/ioutil (#7971) As of Go 1.16 io/ioutil is deprecated. This replaces usage with the corresponding functions in package os and package io. 2021-11-22 08:59:47 +01:00			`"io"`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`"net/http"`
all: Remove usage of deprecated io/ioutil (#7971) As of Go 1.16 io/ioutil is deprecated. This replaces usage with the corresponding functions in package os and package io. 2021-11-22 08:59:47 +01:00			`"os"`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`"strings"`
			`"testing"`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00
Fix import paths 2015-09-22 19:38:46 +02:00			`"github.com/syncthing/syncthing/lib/protocol"`
mv internal lib 2015-08-06 11:29:25 +02:00			`"github.com/syncthing/syncthing/lib/rc"`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`)`

test: Clean & unflake HTTP / filetype tests 2017-11-13 01:00:06 +01:00			`func TestHTTPGetIndex(t *testing.T) {`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`p := startInstance(t, 2)`
			`defer checkedStop(t, p)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00
Fix typos. 2015-11-12 03:20:34 +01:00			`// Check for explicit index.html`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00
			`res, err := http.Get("http://localhost:8082/index.html")`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if res.StatusCode != 200 {`
			`t.Errorf("Status %d != 200", res.StatusCode)`
			`}`
all: Remove usage of deprecated io/ioutil (#7971) As of Go 1.16 io/ioutil is deprecated. This replaces usage with the corresponding functions in package os and package io. 2021-11-22 08:59:47 +01:00			`bs, err := io.ReadAll(res.Body)`
Enable gzip encoding static files for webgui 2015-04-04 19:06:20 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(bs) < 1024 {`
			`t.Errorf("Length %d < 1024", len(bs))`
			`}`
			`if !bytes.Contains(bs, []byte("</html>")) {`
			`t.Error("Incorrect response")`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`}`
			`if res.Header.Get("Set-Cookie") == "" {`
			`t.Error("No set-cookie header")`
			`}`
			`res.Body.Close()`

Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`// Check for implicit index.html`

			`res, err = http.Get("http://localhost:8082/")`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if res.StatusCode != 200 {`
			`t.Errorf("Status %d != 200", res.StatusCode)`
			`}`
all: Remove usage of deprecated io/ioutil (#7971) As of Go 1.16 io/ioutil is deprecated. This replaces usage with the corresponding functions in package os and package io. 2021-11-22 08:59:47 +01:00			`bs, err = io.ReadAll(res.Body)`
Enable gzip encoding static files for webgui 2015-04-04 19:06:20 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(bs) < 1024 {`
			`t.Errorf("Length %d < 1024", len(bs))`
			`}`
			`if !bytes.Contains(bs, []byte("</html>")) {`
			`t.Error("Incorrect response")`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`}`
			`if res.Header.Get("Set-Cookie") == "" {`
			`t.Error("No set-cookie header")`
			`}`
			`res.Body.Close()`
			`}`

test: Clean & unflake HTTP / filetype tests 2017-11-13 01:00:06 +01:00			`func TestHTTPGetIndexAuth(t *testing.T) {`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`p := startInstance(t, 1)`
			`defer checkedStop(t, p)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00
			`// Without auth should give 401`

			`res, err := http.Get("http://127.0.0.1:8081/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 401 {`
			`t.Errorf("Status %d != 401", res.StatusCode)`
			`}`

			`// With wrong username/password should give 401`

			`req, err := http.NewRequest("GET", "http://127.0.0.1:8081/", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`req.SetBasicAuth("testuser", "wrongpass")`

			`res, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 401 {`
			`t.Fatalf("Status %d != 401", res.StatusCode)`
			`}`

			`// With correct username/password should succeed`

			`req, err = http.NewRequest("GET", "http://127.0.0.1:8081/", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`req.SetBasicAuth("testuser", "testpass")`

			`res, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 200 {`
			`t.Fatalf("Status %d != 200", res.StatusCode)`
			`}`
			`}`

test: Clean & unflake HTTP / filetype tests 2017-11-13 01:00:06 +01:00			`func TestHTTPOptions(t *testing.T) {`
Add a CORS handler to deal with preflight OPTIONS requests 2016-01-26 08:05:24 +01:00			`p := startInstance(t, 2)`
			`defer checkedStop(t, p)`

			`req, err := http.NewRequest("OPTIONS", "http://127.0.0.1:8082/rest/system/error/clear", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res, err := http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 204 {`
			`t.Fatalf("Status %d != 204 for OPTIONS", res.StatusCode)`
			`}`
			`}`

test: Clean & unflake HTTP / filetype tests 2017-11-13 01:00:06 +01:00			`func TestHTTPPOSTWithoutCSRF(t *testing.T) {`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`p := startInstance(t, 2)`
			`defer checkedStop(t, p)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00
			`// Should fail without CSRF`

Tidy up the REST interface URLs (fixes #1593) 2015-04-06 10:23:27 +02:00			`req, err := http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res, err := http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 403 {`
			`t.Fatalf("Status %d != 403 for POST", res.StatusCode)`
			`}`

			`// Get CSRF`

			`req, err = http.NewRequest("GET", "http://127.0.0.1:8082/", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`hdr := res.Header.Get("Set-Cookie")`
lib/api: Add cache busting for basic auth (ref #9208) (#9215) This adds our short device ID to the basic auth realm. This has at least two consequences: - It is different from what's presented by another device on the same address (e.g., if I use SSH forwards to different dives on the same local address), preventing credentials for one from being sent to another. - It is different from what we did previously, meaning we avoid cached credentials from old versions interfering with the new login flow. I don't think there should be things that depend on our precise realm string, so this shouldn't break any existing setups... Sneakily this also changes the session cookie and CSRF name, because I think `id.Short().String()` is nicer than `id.String()[:5]` and the short ID is two characters longer. That's also not a problem... 2023-11-14 11:57:39 +01:00			`id := res.Header.Get("X-Syncthing-ID")[:protocol.ShortIDStringLength]`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if !strings.Contains(hdr, "CSRF-Token") {`
			`t.Error("Missing CSRF-Token in", hdr)`
			`}`

			`// Should succeed with CSRF`

Fix integration tests 2015-04-09 17:16:39 +02:00			`req, err = http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Fix CSRF tests (fixes #2009) 2015-06-30 20:38:27 +02:00
			`req.Header.Set("X-CSRF-Token-"+id, hdr[len("CSRF-Token-"+id+"="):])`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`res, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 200 {`
			`t.Fatalf("Status %d != 200 for POST", res.StatusCode)`
			`}`

			`// Should fail with incorrect CSRF`

Tidy up the REST interface URLs (fixes #1593) 2015-04-06 10:23:27 +02:00			`req, err = http.NewRequest("POST", "http://127.0.0.1:8082/rest/system/error/clear", nil)`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Fix CSRF tests (fixes #2009) 2015-06-30 20:38:27 +02:00			`req.Header.Set("X-CSRF-Token-"+id, hdr[len("CSRF-Token-"+id+"="):]+"X")`
Simplify HTTP testing 2014-10-06 12:03:49 +02:00			`res, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`res.Body.Close()`
			`if res.StatusCode != 403 {`
			`t.Fatalf("Status %d != 403 for POST", res.StatusCode)`
			`}`
			`}`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`func setupAPIBench() *rc.Process {`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00			`err := removeAll("s1", "s2", "h1/index", "h2/index")`
			`if err != nil {`
			`panic(err)`
			`}`

			`err = generateFiles("s1", 25000, 20, "../LICENSE")`
			`if err != nil {`
			`panic(err)`
			`}`

all: Remove usage of deprecated io/ioutil (#7971) As of Go 1.16 io/ioutil is deprecated. This replaces usage with the corresponding functions in package os and package io. 2021-11-22 08:59:47 +01:00			`err = os.WriteFile("s1/knownfile", []byte("somedatahere"), 0644)`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00			`if err != nil {`
			`panic(err)`
			`}`

Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`// This will panic if there is an actual failure to start, when we try to`
			`// call nil.Fatal(...)`
			`return startInstance(nil, 1)`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00			`}`

			`func benchmarkURL(b *testing.B, url string) {`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`p := setupAPIBench()`
			`defer p.Stop()`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00			`b.ResetTimer()`
			`for i := 0; i < b.N; i++ {`
Refactored integration tests Added internal/rc to remote control a Syncthing process and made the "awaiting sync" determination reliable. 2015-06-18 15:22:45 +02:00			`_, err := p.Get(url)`
Add some REST API benchmarks 2015-05-23 20:15:54 +02:00			`if err != nil {`
			`b.Fatal(err)`
			`}`
			`}`
			`}`

			`func BenchmarkAPI_db_completion(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/completion?folder=default&device="+protocol.LocalDeviceID.String())`
			`}`

			`func BenchmarkAPI_db_file(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/file?folder=default&file=knownfile")`
			`}`

			`func BenchmarkAPI_db_ignores(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/ignores?folder=default")`
			`}`

			`func BenchmarkAPI_db_need(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/need?folder=default")`
			`}`

			`func BenchmarkAPI_db_status(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/status?folder=default")`
			`}`

			`func BenchmarkAPI_db_browse_dirsonly(b *testing.B) {`
			`benchmarkURL(b, "/rest/db/browse?folder=default&dirsonly=true")`
			`}`