A number of my tests use a DeleteCookies method which does this:
chromeDriver.Manage().Cookies.DeleteAllCookies();
This was great until today, when one of the tests made the app take exception:
The required anti-forgery cookie "__RequestVerificationToken" is not present.
So I decided to delete the specific cookie in question, rather than all of them:
chromeDriver.Manage().Cookies.DeleteCookieNamed("user%40user.com");
The specified cookie was not deleted.
To verify DeleteCookieNamed actually worked at all, I deleted two of the other cookies the app creates and it worked.
When a user logs in, the app sets the name of the cookie to their username (in this case, user#user.com) ...but presumably due to URL encoding, changes # to %40.
The cookies that did delete didn't contain %40.
If it was the case that you can't delete cookies where the name contains %40, then DeleteAllCookies wouldn't have worked. Therefore I suspect my targeted cookie has dependencies, similar to how foreign key constraints work in relational databases, such that I need to delete one or more other cookies in a specific order before I can delete the specified one.
A cursory glance at Google provides me with instructions on how to delete cookies in Chrome, rather than how Chrome deletes cookies. Joy. I've run out of time today, please do you have any insights?
The way I got round this issue when I had it was to create the cookie through selenium, and then I was able to delete it. I did find it easier though not to use the # in the cookie names. Hope that helps.
This seems an appropriate work-around for my particular situation - run the CanLogIn test last, using a Playlist:
https://stackoverflow.com/a/29039261/1875540
Use Chrome DevTools:
https://chromedevtools.github.io/devtools-protocol/tot/Network/#method-deleteCookies
The code will be like this:
ChromeDriver driver;
var parameters = new Dictionary<string, object>
{
["name"] = "user%40user.com";
};
driver.ExecuteChromeCommand("Network.deleteCookies", parameters);
You can do this by Selenium DevTools as well. But since they have some problems with integrations, and you may need to upgrade the library after every google update, using the above code can be more efficient and easier.
Related
I am writing a chrome extension that makes calls to an API and for that I am trying to get some existing session cookies in the service worker. My worker makes a call like this,
const cookies = await chrome.cookies.getAll({} )
const sessionToken = cookies.filter(
cookie =>
cookie.name === "__Secure-next-auth.session-token")[0].value
However the value I get back for the cookie is different than the value in chrome dev tools. Interestingly enough both values have the same prefix (the value is long, I only pasted enough to demonstrate my point):
Dev tools cookie: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dCOoryziuSU3zkJl...
chrome.cookies.getAll: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..colJ2H6th0yLZ9Q8...
In case it's useful the cookies have the HttpOnly parameter set. Can anyone guess why the cookie values might be different?
My worker is running after the page has loaded (so there's no chance that I'm getting an old value), I know the value the chrome API is giving is completely invalid because when i try to use it with the API I'm calling, I get "invalid token". On the other hand, the cookie in dev tools works with my API.
I thought maybe the cookie value had been decoded/encoded in some way but then why would the prefix match? I thought maybe the chrome API is storing multiple cookies with the same name, but when I log cookies, there is only one cookie with this name.
Would appreciate any thoughts.
Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:
property1=value1
property2=value2
property3=value3
(I am aware of the 4K size limit, it's fine.)
This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.
The problem is that I can't edit the parameter value in the console because it's using a HTML input field of type="password" that doesn't handle newlines.
The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.
But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).
There's a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or other secret storing service, etc.) but they all have drawbacks - I'm just trying to find out if there's a way around this using the console?
Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field?
I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).
EDIT
After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.
Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injectec, but the newline was filtered out.
Failed browser hack attempt 2: I tried using the browser instpector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.
From https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file, I learned you can pass a file as parameter to the --value argument. So if your file is called secrets.properties, you can do this:
aws ssm put-parameter --type SecureString --name secrets --value file://secrets.properties
I found a way to do it, but it's too much effort and too weird - if anyone can find a simpler way, I will mark that as the answer.
The hacky workaround is to install the "Tamper Chrome" extension + app, then capture the XHR request as the browser sends it and edit the new lines into the JSON.
Blech. Plus "Tamper Chrome" is pretty awful, I don't want to run it on my machine.
This might be better to use the new secrets manager that was launched recently. The interface for it is very close to parameter store but it has better support for multiple parameters in one place.
I wonder if the change in the console was due to the expected release of the service since they have a pricing model around secrets whereas parameter store is free
In the end, I decided the answer to this question is "don't do that". Not that I would've wanted to hear that when I was trying to make it work.
You should use a separate SSM param per secret for these reasons:
ability to grant permissions at fine grained level; e.g. you have an API password for calling your service, and a DB password for the service talk to a DB - if you store them in the same secret you couldn't only grant access to the API password.
ability to track key access separately - the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time, it won't be able to tell you which secret was accessed
ability to use separate KMS keys to encrypt
Just watch out for the fact that you can only request a max of 10 SSM params at a time.
if you want, you can try with my app https://github.com/ledongthuc/awssecretsmanagerui
I try to create it to easier to update multi-line values and binary easier. Hope it's helpful with your case.
I want to restrict calls to a Feathers service method for externals calls with associateCurrentUser.
I also want to allow the server to call this service method without restricting it.
The use case is that through this service then clients use a lock table, all clients can see all locks, and occasionally the server should clear out abandoned rows in this table. Row abandonment can happen on network failures etc. When the server removes data then the normal Feathers remove events should be emitted to the clients.
I would imagine that this should be a mix of associateCurrentUser and disallow hooks but I can't even begin to experiment with this as I don't see how it would be put together.
How would one implement this, please?
Update:
I found this answer User's permissions in feathers.js API from Daff which implies that if the hook's context.params.provider is null then the call is internal, otherwise external. Can anyone confirm if this is really so in all cases, please?
It seems to be so from my own tests but I don't know if there are any special cases out there that might come and bite me down the line.
If the call is external params.provider will be set to the transport that has been used (currently either rest, socketio or primus, documented here, here and here).
If called internally on the server there is not really any magic. It will be whatever you pass as params. If you pass nothing it will be undefined if you pass (or merge with) hook.params in a hook it will be the same as what the original method was called with.
// `params` is an empty object so `params.provider` will be `undefined`
app.service('messages').find({})
// `params.provider` will be `server`
app.service('messages').find({ provider: 'server' })
// `params.provider` will be whatever the original hook was called with
function(hook) {
hook.app.service('otherservice').find(hook.params);
}
I'm using the latest Google Chrome stable (19.0.1084.56 m) on Windows 7 and experimenting with Mutation observers for the first time. (The project is a user script for a third party website, the server of which I have no access to.)
So it happens that MutationRecord has a field oldValue:
record . oldValue
The return value depends on type. For "attributes", it is the value of the changed attribute before the change. For "characterData", it is the data of the changed node before the change. For "childList", it is null.
So I'm monitoring for changes to the characterData but when I get the MutationRecord the oldValue field is always null.
Should it be working, is there a possibility I've got something wrong, or is this feature just too bleeding edge to expect to work yet?
Is there somewhere I can find Google's documentation, bug report, feature request, etc that might declare whether this is implemented or when it might be?
Configure your observer with:
observer.observe(container, {
attributeOldValue : true
});
Full API documentation:
https://developer.mozilla.org/pt-BR/docs/Web/API/MutationObserver
I've received an error report from a client recently and am having no luck resolving it. I'm hoping someone can give me some insight to what may be wrong.
The error seems simple enough:
Csla.DataPortalException: DataPortal.Delete failed (System.InvalidOperationException: Sequence contains more than one element at System.Linq.Enumerable.SingleOrDefault[TSource](IEnumerable`1 source)
Here is my DataPortal_Delete method, which takes the FileId (PK) as a parameter.
private void DataPortal_Delete(SingleCriteria<File, Guid> criteria)
{
using (var ctx = ContextManager<Ronin.Data.RoninDataContext>
.GetManager(Database.ApplicationConnection, false))
{
var data = ctx.DataContext.Files
.Single(row => row.FileId == criteria.Value);
ctx.DataContext.FileSources.DeleteAllOnSubmit(data.FileSources);
ctx.DataContext.Files.DeleteOnSubmit(data);
ctx.DataContext.SubmitChanges();
}
}
First thing I check was to see if there was another record with the same FileId (although being the primary key, this should be impossible). All FileIds were in fact unique. I launched the application connecting to the client database and tried to delete the record and it worked without any issues. The IT guy at the client site used the "Problem Step Recorder" to send me step by step screenshots of the actions taken by the user. Nothing out of the ordinary, and when he used a different machine, he was able to delete the record without any errors. Apparently this only happens when the application is run in Windows 7.
That said, any ideas as to what could be causing this?
Assuming the call to Single is the source of the problem, instead of:
ctx.DataContext.Files.Single(...)
change the code to allow the return of multiple rows from that query and then log what it's returning when it returns more than one row. This should point you toward your "duplicate" data problem.
Another thing to look at is the SQL that is being generated behind the scenes. Not sure that will help, but it can't hurt. I don't know your data model, so I can't understand your code as well as I would like to.
If it only happens in Windows 7 then this might be cause by the OS. Have you tried it on Vista? Vista's environment is simmilar on Windows 7. You can also use Windows Virtual PC + XP Mode. This is a virtualization application specially designed for Windows 7 to let users run applications like they use to in Windows XP. Note: XP Mode requires virtualization capable processor.
I had the same exception when deleting one entity. The problem turned out to be a foreign key relation defined in the dbml-File. So this was the reason for the exception in my case.
After I removed that it worked to delete the record (and I didn't want to cascade delete the records from the other table, I just need to find out how to configurate linq-to-sql to just set the foreign key column to null)