mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php

237 lines
6.9 KiB
PHP
Raw Normal View History

add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
<?php
/**
* ownCloud - App Framework
*
* This file is licensed under the Affero General Public License version 3 or
* later. See the COPYING file.
*
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @copyright Bernhard Posselt 2014
*/
Fix namespaces in AppFramework tests
2016-05-18 19:40:34 +03:00
namespace Test\AppFramework\Middleware\Security;
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
use OC\AppFramework\Http\Request;
Fix namespaces in AppFramework tests
2016-05-18 19:40:34 +03:00
use OC\AppFramework\Middleware\Security\CORSMiddleware;
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
use OC\AppFramework\Utility\ControllerMethodReflector;
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
2015-11-28 13:06:46 +03:00
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742
2015-07-20 13:54:22 +03:00
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
use OCP\AppFramework\Http\Response;
Make remaining files extend the test base
2014-11-11 01:30:38 +03:00
class CORSMiddlewareTest extends \Test\TestCase {
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
private $reflector;
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
private $session;
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
protected function setUp() {
Make remaining files extend the test base
2014-11-11 01:30:38 +03:00
parent::setUp();
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
$this->reflector = new ControllerMethodReflector();
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$this->session = $this->getMock('\OCP\IUserSession');
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
}
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
/**
* @CORS
*/
public function testSetCORSAPIHeader() {
$request = new Request(
Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 13:41:48 +03:00
[
'server' => [
'HTTP_ORIGIN' => 'test'
]
],
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-10 15:02:48 +03:00
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
);
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
$this->reflector->reflect($this, __FUNCTION__);
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
}
public function testNoAnnotationNoCORSHEADER() {
$request = new Request(
Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 13:41:48 +03:00
[
'server' => [
'HTTP_ORIGIN' => 'test'
]
],
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-10 15:02:48 +03:00
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
);
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
}
/**
* @CORS
*/
public function testNoOriginHeaderNoCORSHEADER() {
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-10 15:02:48 +03:00
$request = new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
$this->reflector->reflect($this, __FUNCTION__);
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
}
/**
* @CORS
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
2015-11-28 13:06:46 +03:00
* @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
*/
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
$request = new Request(
Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 13:41:48 +03:00
[
'server' => [
'HTTP_ORIGIN' => 'test'
]
],
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-10 15:02:48 +03:00
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
);
use new controllermethodreflector for corsmiddleware
2014-05-11 19:55:59 +04:00
$this->reflector->reflect($this, __FUNCTION__);
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
$response = new Response();
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-10 15:02:48 +03:00
$middleware->afterController($this, __FUNCTION__, $response);
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
}
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
/**
* @CORS
* @PublicPage
*/
public function testNoCORSShouldAllowCookieAuth() {
$request = new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
fix #16713
2015-06-03 13:56:50 +03:00
$this->session->expects($this->never())
->method('logout');
$this->session->expects($this->never())
->method('login')
->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->returnValue(true));
$this->reflector->reflect($this, __FUNCTION__);
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
$middleware->beforeController($this, __FUNCTION__, new Response());
}
/**
* @CORS
*/
public function testCORSShouldRelogin() {
$request = new Request(
['server' => [
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$this->session->expects($this->once())
->method('logout');
$this->session->expects($this->once())
->method('login')
->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->returnValue(true));
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
$middleware->beforeController($this, __FUNCTION__, new Response());
}
/**
* @CORS
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
2015-11-28 13:06:46 +03:00
* @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app
2015-05-22 14:17:27 +03:00
*/
public function testCORSShouldNotAllowCookieAuth() {
$request = new Request(
['server' => [
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$this->session->expects($this->once())
->method('logout');
$this->session->expects($this->once())
->method('login')
->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->returnValue(false));
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
$middleware->beforeController($this, __FUNCTION__, new Response());
}
Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742
2015-07-20 13:54:22 +03:00
public function testAfterExceptionWithSecurityExceptionNoStatus() {
$request = new Request(
['server' => [
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
$response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception'));
$expected = new JSONResponse(['message' => 'A security exception'], 500);
$this->assertEquals($expected, $response);
}
public function testAfterExceptionWithSecurityExceptionWithStatus() {
$request = new Request(
['server' => [
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
$response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception', 501));
$expected = new JSONResponse(['message' => 'A security exception'], 501);
$this->assertEquals($expected, $response);
}
/**
* @expectedException \Exception
* @expectedExceptionMessage A regular exception
*/
public function testAfterExceptionWithRegularException() {
$request = new Request(
['server' => [
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
$middleware->afterException($this, __FUNCTION__, new \Exception('A regular exception'));
}
add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it
2014-05-08 13:47:18 +04:00
}