|
| 1 | +# --------------------------------------------------------- |
| 2 | +# Copyright (c) Microsoft Corporation. All rights reserved. |
| 3 | +# --------------------------------------------------------- |
| 4 | + |
| 5 | +import getpass |
| 6 | + |
| 7 | +from promptflow._sdk._service.utils.local_user_auth import LocalUserAuthMiddleware |
| 8 | + |
| 9 | + |
| 10 | +def _remote_user_echo_app(environ, start_response): |
| 11 | + start_response("200 OK", []) |
| 12 | + return [environ.get("REMOTE_USER", "").encode()] |
| 13 | + |
| 14 | + |
| 15 | +def _call_middleware(remote_addr, extra_environ=None): |
| 16 | + environ = {"REMOTE_ADDR": remote_addr} |
| 17 | + if extra_environ: |
| 18 | + environ.update(extra_environ) |
| 19 | + |
| 20 | + response_status = [] |
| 21 | + |
| 22 | + def start_response(status, headers): |
| 23 | + response_status.append(status) |
| 24 | + |
| 25 | + response_body = b"".join(LocalUserAuthMiddleware(_remote_user_echo_app)(environ, start_response)).decode() |
| 26 | + return response_status[0], response_body, environ |
| 27 | + |
| 28 | + |
| 29 | +def test_loopback_request_injects_current_user(): |
| 30 | + status, remote_user, environ = _call_middleware("127.0.0.1") |
| 31 | + |
| 32 | + assert status == "200 OK" |
| 33 | + assert remote_user == getpass.getuser() |
| 34 | + assert environ["REMOTE_USER"] == getpass.getuser() |
| 35 | + |
| 36 | + |
| 37 | +def test_ipv6_loopback_request_injects_current_user(): |
| 38 | + _, remote_user, environ = _call_middleware("::1") |
| 39 | + |
| 40 | + assert remote_user == getpass.getuser() |
| 41 | + assert environ["REMOTE_USER"] == getpass.getuser() |
| 42 | + |
| 43 | + |
| 44 | +def test_non_loopback_request_does_not_inject_user(): |
| 45 | + _, remote_user, environ = _call_middleware("192.0.2.10") |
| 46 | + |
| 47 | + assert remote_user == "" |
| 48 | + assert "REMOTE_USER" not in environ |
| 49 | + |
| 50 | + |
| 51 | +def test_client_supplied_remote_user_header_is_not_trusted(): |
| 52 | + _, remote_user, environ = _call_middleware( |
| 53 | + "192.0.2.10", |
| 54 | + { |
| 55 | + "HTTP_REMOTE_USER": getpass.getuser(), |
| 56 | + "HTTP_X_REMOTE_USER": getpass.getuser(), |
| 57 | + }, |
| 58 | + ) |
| 59 | + |
| 60 | + assert remote_user == "" |
| 61 | + assert "REMOTE_USER" not in environ |
0 commit comments