2014-05-08 13:47:18 +04:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* ownCloud - App Framework
|
|
|
|
*
|
|
|
|
* This file is licensed under the Affero General Public License version 3 or
|
|
|
|
* later. See the COPYING file.
|
|
|
|
*
|
|
|
|
* @author Bernhard Posselt <dev@bernhard-posselt.com>
|
|
|
|
* @copyright Bernhard Posselt 2014
|
|
|
|
*/
|
|
|
|
|
2016-05-18 19:40:34 +03:00
|
|
|
namespace Test\AppFramework\Middleware\Security;
|
2014-05-08 13:47:18 +04:00
|
|
|
|
|
|
|
use OC\AppFramework\Http\Request;
|
2016-05-18 19:40:34 +03:00
|
|
|
use OC\AppFramework\Middleware\Security\CORSMiddleware;
|
2015-11-28 13:06:46 +03:00
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
2019-11-22 22:52:10 +03:00
|
|
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
2016-07-20 19:36:15 +03:00
|
|
|
use OC\Security\Bruteforce\Throttler;
|
2017-07-26 11:50:39 +03:00
|
|
|
use OC\User\Session;
|
|
|
|
use OCP\AppFramework\Controller;
|
2015-07-20 13:54:22 +03:00
|
|
|
use OCP\AppFramework\Http\JSONResponse;
|
2014-05-08 13:47:18 +04:00
|
|
|
use OCP\AppFramework\Http\Response;
|
2017-07-26 11:50:39 +03:00
|
|
|
use OCP\IConfig;
|
|
|
|
use OCP\Security\ISecureRandom;
|
2014-05-08 13:47:18 +04:00
|
|
|
|
2014-11-11 01:30:38 +03:00
|
|
|
class CORSMiddlewareTest extends \Test\TestCase {
|
2014-05-08 13:47:18 +04:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
/** @var ControllerMethodReflector */
|
2014-05-11 19:55:59 +04:00
|
|
|
private $reflector;
|
2017-07-26 11:50:39 +03:00
|
|
|
/** @var Session|\PHPUnit_Framework_MockObject_MockObject */
|
2015-05-22 14:17:27 +03:00
|
|
|
private $session;
|
2016-07-20 19:36:15 +03:00
|
|
|
/** @var Throttler */
|
|
|
|
private $throttler;
|
2017-07-26 11:50:39 +03:00
|
|
|
/** @var Controller */
|
|
|
|
private $controller;
|
2014-05-11 19:55:59 +04:00
|
|
|
|
2019-11-21 18:40:38 +03:00
|
|
|
protected function setUp(): void {
|
2014-11-11 01:30:38 +03:00
|
|
|
parent::setUp();
|
2014-05-11 19:55:59 +04:00
|
|
|
$this->reflector = new ControllerMethodReflector();
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->session = $this->createMock(Session::class);
|
|
|
|
$this->throttler = $this->createMock(Throttler::class);
|
|
|
|
$this->controller = $this->createMock(Controller::class);
|
2014-05-11 19:55:59 +04:00
|
|
|
}
|
|
|
|
|
2014-05-08 13:47:18 +04:00
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testSetCORSAPIHeader() {
|
|
|
|
$request = new Request(
|
2015-02-09 13:41:48 +03:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2014-05-08 13:47:18 +04:00
|
|
|
);
|
2014-05-11 19:55:59 +04:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2014-05-08 13:47:18 +04:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
|
2014-05-08 13:47:18 +04:00
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function testNoAnnotationNoCORSHEADER() {
|
|
|
|
$request = new Request(
|
2015-02-09 13:41:48 +03:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2014-05-08 13:47:18 +04:00
|
|
|
);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2014-05-08 13:47:18 +04:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
|
2014-05-08 13:47:18 +04:00
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testNoOriginHeaderNoCORSHEADER() {
|
2015-02-10 15:02:48 +03:00
|
|
|
$request = new Request(
|
|
|
|
[],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-02-10 15:02:48 +03:00
|
|
|
);
|
2014-05-11 19:55:59 +04:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2014-05-08 13:47:18 +04:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
|
2014-05-08 13:47:18 +04:00
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
|
|
|
|
|
2014-05-08 13:47:18 +04:00
|
|
|
$request = new Request(
|
2015-02-09 13:41:48 +03:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2014-05-08 13:47:18 +04:00
|
|
|
);
|
2014-05-11 19:55:59 +04:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2014-05-08 13:47:18 +04:00
|
|
|
|
|
|
|
$response = new Response();
|
|
|
|
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->afterController($this->controller, __FUNCTION__, $response);
|
2014-05-08 13:47:18 +04:00
|
|
|
}
|
|
|
|
|
2015-05-22 14:17:27 +03:00
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
* @PublicPage
|
|
|
|
*/
|
|
|
|
public function testNoCORSShouldAllowCookieAuth() {
|
|
|
|
$request = new Request(
|
|
|
|
[],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-05-22 14:17:27 +03:00
|
|
|
);
|
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2015-06-03 13:56:50 +03:00
|
|
|
$this->session->expects($this->never())
|
|
|
|
->method('logout');
|
|
|
|
$this->session->expects($this->never())
|
2016-05-25 10:58:01 +03:00
|
|
|
->method('logClientIn')
|
2015-06-03 13:56:50 +03:00
|
|
|
->with($this->equalTo('user'), $this->equalTo('pass'))
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2015-06-03 13:56:50 +03:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2015-05-22 14:17:27 +03:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
2015-05-22 14:17:27 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testCORSShouldRelogin() {
|
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-05-22 14:17:27 +03:00
|
|
|
);
|
|
|
|
$this->session->expects($this->once())
|
|
|
|
->method('logout');
|
|
|
|
$this->session->expects($this->once())
|
2016-05-25 10:58:01 +03:00
|
|
|
->method('logClientIn')
|
2015-05-22 14:17:27 +03:00
|
|
|
->with($this->equalTo('user'), $this->equalTo('pass'))
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2015-05-22 14:17:27 +03:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2015-05-22 14:17:27 +03:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
2015-05-22 14:17:27 +03:00
|
|
|
}
|
|
|
|
|
2016-06-17 12:01:35 +03:00
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testCORSShouldFailIfPasswordLoginIsForbidden() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
|
|
|
|
|
2016-06-17 12:01:35 +03:00
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2016-06-17 12:01:35 +03:00
|
|
|
);
|
|
|
|
$this->session->expects($this->once())
|
|
|
|
->method('logout');
|
|
|
|
$this->session->expects($this->once())
|
|
|
|
->method('logClientIn')
|
|
|
|
->with($this->equalTo('user'), $this->equalTo('pass'))
|
|
|
|
->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
|
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2016-06-17 12:01:35 +03:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
2016-06-17 12:01:35 +03:00
|
|
|
}
|
|
|
|
|
2015-05-22 14:17:27 +03:00
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testCORSShouldNotAllowCookieAuth() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
|
|
|
|
|
2015-05-22 14:17:27 +03:00
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-05-22 14:17:27 +03:00
|
|
|
);
|
|
|
|
$this->session->expects($this->once())
|
|
|
|
->method('logout');
|
|
|
|
$this->session->expects($this->once())
|
2016-05-25 10:58:01 +03:00
|
|
|
->method('logClientIn')
|
2015-05-22 14:17:27 +03:00
|
|
|
->with($this->equalTo('user'), $this->equalTo('pass'))
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2015-05-22 14:17:27 +03:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2015-05-22 14:17:27 +03:00
|
|
|
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
2015-05-22 14:17:27 +03:00
|
|
|
}
|
|
|
|
|
2015-07-20 13:54:22 +03:00
|
|
|
public function testAfterExceptionWithSecurityExceptionNoStatus() {
|
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-07-20 13:54:22 +03:00
|
|
|
);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2017-07-26 11:50:39 +03:00
|
|
|
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception'));
|
2015-07-20 13:54:22 +03:00
|
|
|
|
|
|
|
$expected = new JSONResponse(['message' => 'A security exception'], 500);
|
|
|
|
$this->assertEquals($expected, $response);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testAfterExceptionWithSecurityExceptionWithStatus() {
|
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-07-20 13:54:22 +03:00
|
|
|
);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2017-07-26 11:50:39 +03:00
|
|
|
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception', 501));
|
2015-07-20 13:54:22 +03:00
|
|
|
|
|
|
|
$expected = new JSONResponse(['message' => 'A security exception'], 501);
|
|
|
|
$this->assertEquals($expected, $response);
|
|
|
|
}
|
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
|
2015-07-20 13:54:22 +03:00
|
|
|
public function testAfterExceptionWithRegularException() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\Exception::class);
|
|
|
|
$this->expectExceptionMessage('A regular exception');
|
|
|
|
|
2015-07-20 13:54:22 +03:00
|
|
|
$request = new Request(
|
|
|
|
['server' => [
|
|
|
|
'PHP_AUTH_USER' => 'user',
|
|
|
|
'PHP_AUTH_PW' => 'pass'
|
|
|
|
]],
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-07-20 13:54:22 +03:00
|
|
|
);
|
2016-07-20 19:36:15 +03:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
2017-07-26 11:50:39 +03:00
|
|
|
$middleware->afterException($this->controller, __FUNCTION__, new \Exception('A regular exception'));
|
2015-07-20 13:54:22 +03:00
|
|
|
}
|
|
|
|
|
2014-05-08 13:47:18 +04:00
|
|
|
}
|