UNPKG

kibana-123

Version:

Kibana is an open source (Apache Licensed), browser based analytics and search dashboard for Elasticsearch. Kibana is a snap to setup and start using. Kibana strives to be easy to get started with, while also being flexible and powerful, just like Elastic

www.elastic.co/products/kibana

elastic/kibana

119 lines (100 loc) 3.64 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
import expect from 'expect.js'; import { fromNode as fn } from 'bluebird'; import { resolve } from 'path'; import * as kbnTestServer from '../../../../test/utils/kbn_server'; const nonDestructiveMethods = ['GET', 'HEAD']; const destructiveMethods = ['POST', 'PUT', 'DELETE']; const src = resolve.bind(null, __dirname, '../../../../src'); const xsrfHeader = 'kbn-xsrf'; const versionHeader = 'kbn-version'; const actualVersion = require(src('../package.json')).version; describe('xsrf request filter', function () { function inject(kbnServer, opts) { return fn(cb => { kbnTestServer.makeRequest(kbnServer, opts, (resp) => { cb(null, resp); }); }); } const makeServer = async function () { const kbnServer = kbnTestServer.createServer({ server: { xsrf: { disableProtection: false } } }); await kbnServer.ready(); const routeMethods = nonDestructiveMethods.filter(method => method !== 'HEAD').concat(destructiveMethods); kbnServer.server.route({ path: '/xsrf/test/route', method: routeMethods, handler: function (req, reply) { reply(null, 'ok'); } }); return kbnServer; }; let kbnServer; beforeEach(async () => kbnServer = await makeServer()); afterEach(async () => await kbnServer.close()); for (const method of nonDestructiveMethods) { context(`nonDestructiveMethod: ${method}`, function () { // eslint-disable-line no-loop-func it('accepts requests without a token', async function () { const resp = await inject(kbnServer, { url: '/xsrf/test/route', method: method }); expect(resp.statusCode).to.be(200); if (method === 'HEAD') expect(resp.payload).to.be.empty(); else expect(resp.payload).to.be('ok'); }); it('accepts requests with the xsrf header', async function () { const resp = await inject(kbnServer, { url: '/xsrf/test/route', method: method, headers: { [xsrfHeader]: 'anything', }, }); expect(resp.statusCode).to.be(200); if (method === 'HEAD') expect(resp.payload).to.be.empty(); else expect(resp.payload).to.be('ok'); }); }); } for (const method of destructiveMethods) { context(`destructiveMethod: ${method}`, function () { // eslint-disable-line no-loop-func it('accepts requests with the xsrf header', async function () { const resp = await inject(kbnServer, { url: '/xsrf/test/route', method: method, headers: { [xsrfHeader]: 'anything', }, }); expect(resp.statusCode).to.be(200); expect(resp.payload).to.be('ok'); }); // this is still valid for existing csrf protection support // it does not actually do any validation on the version value itself it('accepts requests with the version header', async function () { const resp = await inject(kbnServer, { url: '/xsrf/test/route', method: method, headers: { [versionHeader]: actualVersion, }, }); expect(resp.statusCode).to.be(200); expect(resp.payload).to.be('ok'); }); it('rejects requests without either an xsrf or version header', async function () { const resp = await inject(kbnServer, { url: '/xsrf/test/route', method: method }); expect(resp.statusCode).to.be(400); expect(resp.payload).to.match(/"Request must contain an kbn-xsrf header/); }); }); } });