2015-10-23 18:26:54 +03:00
|
|
|
<?php
|
|
|
|
/**
|
2016-07-21 17:49:16 +03:00
|
|
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
|
|
|
*
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
|
|
* @author Christoph Wurst <christoph@owncloud.com>
|
2016-07-21 17:49:16 +03:00
|
|
|
* @author Joas Schilling <coding@schilljs.com>
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Lukas Reschke <lukas@statuscode.ch>
|
2017-11-06 17:56:42 +03:00
|
|
|
* @author Morris Jobke <hey@morrisjobke.de>
|
2016-07-21 17:49:16 +03:00
|
|
|
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
2016-01-12 17:02:16 +03:00
|
|
|
* @author Thomas Müller <thomas.mueller@tmit.eu>
|
|
|
|
* @author Vincent Petry <pvince81@owncloud.com>
|
2015-10-23 18:26:54 +03:00
|
|
|
*
|
|
|
|
* @license AGPL-3.0
|
|
|
|
*
|
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
* as published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
*
|
|
|
|
*/
|
2015-10-30 18:05:25 +03:00
|
|
|
|
2016-05-25 17:04:15 +03:00
|
|
|
namespace OCA\DAV\Tests\unit\Connector\Sabre;
|
2015-10-23 18:26:54 +03:00
|
|
|
|
2016-06-01 11:42:38 +03:00
|
|
|
use OC\Authentication\TwoFactorAuth\Manager;
|
2016-07-20 19:36:15 +03:00
|
|
|
use OC\Security\Bruteforce\Throttler;
|
2016-06-01 11:42:38 +03:00
|
|
|
use OC\User\Session;
|
2016-02-16 15:16:52 +03:00
|
|
|
use OCP\IRequest;
|
2016-06-01 11:42:38 +03:00
|
|
|
use OCP\ISession;
|
2016-01-06 22:48:33 +03:00
|
|
|
use OCP\IUser;
|
2017-10-24 16:26:53 +03:00
|
|
|
use Sabre\DAV\Server;
|
2016-10-13 13:15:10 +03:00
|
|
|
use Sabre\HTTP\RequestInterface;
|
|
|
|
use Sabre\HTTP\ResponseInterface;
|
2015-10-23 18:26:54 +03:00
|
|
|
use Test\TestCase;
|
|
|
|
|
|
|
|
/**
|
2016-05-25 17:04:15 +03:00
|
|
|
* Class AuthTest
|
2015-10-23 18:26:54 +03:00
|
|
|
*
|
2016-05-25 17:04:15 +03:00
|
|
|
* @package OCA\DAV\Tests\unit\Connector\Sabre
|
2016-01-06 22:48:33 +03:00
|
|
|
* @group DB
|
2015-10-23 18:26:54 +03:00
|
|
|
*/
|
2016-05-25 17:04:15 +03:00
|
|
|
class AuthTest extends TestCase {
|
2015-10-23 18:26:54 +03:00
|
|
|
/** @var ISession */
|
|
|
|
private $session;
|
|
|
|
/** @var \OCA\DAV\Connector\Sabre\Auth */
|
|
|
|
private $auth;
|
2016-05-09 16:33:56 +03:00
|
|
|
/** @var Session */
|
2015-10-23 18:26:54 +03:00
|
|
|
private $userSession;
|
2016-02-16 15:16:52 +03:00
|
|
|
/** @var IRequest */
|
|
|
|
private $request;
|
2016-06-01 11:42:38 +03:00
|
|
|
/** @var Manager */
|
|
|
|
private $twoFactorManager;
|
2016-07-20 19:36:15 +03:00
|
|
|
/** @var Throttler */
|
|
|
|
private $throttler;
|
2015-10-23 18:26:54 +03:00
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
protected function setUp(): void {
|
2015-10-23 18:26:54 +03:00
|
|
|
parent::setUp();
|
2017-10-24 16:26:53 +03:00
|
|
|
$this->session = $this->getMockBuilder(ISession::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()->getMock();
|
2017-10-24 16:26:53 +03:00
|
|
|
$this->userSession = $this->getMockBuilder(Session::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()->getMock();
|
2017-10-24 16:26:53 +03:00
|
|
|
$this->request = $this->getMockBuilder(IRequest::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()->getMock();
|
2017-10-24 16:26:53 +03:00
|
|
|
$this->twoFactorManager = $this->getMockBuilder(Manager::class)
|
2016-06-01 11:42:38 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2017-10-24 16:26:53 +03:00
|
|
|
$this->throttler = $this->getMockBuilder(Throttler::class)
|
2016-07-20 19:36:15 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-02-16 15:16:52 +03:00
|
|
|
$this->auth = new \OCA\DAV\Connector\Sabre\Auth(
|
|
|
|
$this->session,
|
|
|
|
$this->userSession,
|
2016-06-01 11:42:38 +03:00
|
|
|
$this->request,
|
2016-07-20 19:36:15 +03:00
|
|
|
$this->twoFactorManager,
|
|
|
|
$this->throttler
|
2016-02-16 15:16:52 +03:00
|
|
|
);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
public function testIsDavAuthenticatedWithoutDavSession() {
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue(null));
|
|
|
|
|
|
|
|
$this->assertFalse($this->invokePrivate($this->auth, 'isDavAuthenticated', ['MyTestUser']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testIsDavAuthenticatedWithWrongDavSession() {
|
|
|
|
$this->session
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('AnotherUser'));
|
|
|
|
|
|
|
|
$this->assertFalse($this->invokePrivate($this->auth, 'isDavAuthenticated', ['MyTestUser']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testIsDavAuthenticatedWithCorrectDavSession() {
|
|
|
|
$this->session
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
|
|
|
|
$this->assertTrue($this->invokePrivate($this->auth, 'isDavAuthenticated', ['MyTestUser']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testValidateUserPassOfAlreadyDAVAuthenticatedUser() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->exactly(2))
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->session
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('close');
|
|
|
|
|
|
|
|
$this->assertTrue($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testValidateUserPassOfInvalidDAVAuthenticatedUser() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->once())
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->session
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('AnotherUser'));
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('close');
|
|
|
|
|
|
|
|
$this->assertFalse($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testValidateUserPassOfInvalidDAVAuthenticatedUserWithValidPassword() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-06-13 17:00:49 +03:00
|
|
|
$user->expects($this->exactly(3))
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->userSession
|
2016-06-13 17:00:49 +03:00
|
|
|
->expects($this->exactly(3))
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->session
|
|
|
|
->expects($this->exactly(2))
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('AnotherUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
2016-05-24 15:08:42 +03:00
|
|
|
->method('logClientIn')
|
2016-06-13 17:00:49 +03:00
|
|
|
->with('MyTestUser', 'MyTestPassword', $this->request)
|
2015-10-23 18:26:54 +03:00
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('set')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND', 'MyTestUser');
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('close');
|
|
|
|
|
|
|
|
$this->assertTrue($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testValidateUserPassWithInvalidPassword() {
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(false));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
2016-05-24 15:08:42 +03:00
|
|
|
->method('logClientIn')
|
2015-10-23 18:26:54 +03:00
|
|
|
->with('MyTestUser', 'MyTestPassword')
|
|
|
|
->will($this->returnValue(false));
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('close');
|
|
|
|
|
|
|
|
$this->assertFalse($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
|
|
|
|
}
|
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
|
2016-06-17 12:01:35 +03:00
|
|
|
public function testValidateUserPassWithPasswordLoginForbidden() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden::class);
|
|
|
|
|
2016-06-17 12:01:35 +03:00
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(false));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
|
|
|
->method('logClientIn')
|
|
|
|
->with('MyTestUser', 'MyTestPassword')
|
|
|
|
->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException()));
|
|
|
|
$this->session
|
|
|
|
->expects($this->once())
|
|
|
|
->method('close');
|
|
|
|
|
2016-06-17 12:18:27 +03:00
|
|
|
$this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']);
|
2016-06-17 12:01:35 +03:00
|
|
|
}
|
2016-03-23 21:31:17 +03:00
|
|
|
|
2016-02-16 15:16:52 +03:00
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForNonGet() {
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2016-02-16 15:16:52 +03:00
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
2016-03-23 21:31:17 +03:00
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('POST');
|
2016-02-16 15:16:52 +03:00
|
|
|
$this->session
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2016-02-16 15:16:52 +03:00
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue(null));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-03-23 21:31:17 +03:00
|
|
|
$user->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUID')
|
2016-02-16 15:16:52 +03:00
|
|
|
->will($this->returnValue('MyWrongDavUser'));
|
2015-10-23 18:26:54 +03:00
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
2016-03-23 21:31:17 +03:00
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(false);
|
2015-10-23 18:26:54 +03:00
|
|
|
|
2016-03-23 21:31:17 +03:00
|
|
|
$expectedResponse = [
|
|
|
|
false,
|
2016-10-13 13:15:10 +03:00
|
|
|
"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
|
2016-03-23 21:31:17 +03:00
|
|
|
];
|
2016-02-16 15:16:52 +03:00
|
|
|
$response = $this->auth->check($request, $response);
|
2016-03-23 21:31:17 +03:00
|
|
|
$this->assertSame($expectedResponse, $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
2016-03-23 21:31:17 +03:00
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenAndCorrectlyDavAuthenticated() {
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2016-02-16 15:16:52 +03:00
|
|
|
->method('isLoggedIn')
|
2016-03-23 21:31:17 +03:00
|
|
|
->willReturn(true);
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('PROPFIND');
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isUserAgent')
|
|
|
|
->with([
|
|
|
|
'/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/.*$/',
|
2017-12-12 15:55:32 +03:00
|
|
|
'/^Mozilla\/5\.0 \(Android\) (ownCloud|Nextcloud)\-android.*$/',
|
2017-02-10 12:05:24 +03:00
|
|
|
'/^Mozilla\/5\.0 \(iOS\) (ownCloud|Nextcloud)\-iOS.*$/',
|
2016-03-23 21:31:17 +03:00
|
|
|
])
|
|
|
|
->willReturn(false);
|
2015-10-23 18:26:54 +03:00
|
|
|
$this->session
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('LoggedInUser'));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->any())
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('LoggedInUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->request
|
2016-02-16 15:16:52 +03:00
|
|
|
->expects($this->once())
|
2016-03-23 21:31:17 +03:00
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(false);
|
|
|
|
$this->auth->check($request, $response);
|
|
|
|
}
|
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
|
2016-06-01 11:42:38 +03:00
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutTwoFactorChallengePassed() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
|
|
|
|
$this->expectExceptionMessage('2FA challenge not passed.');
|
|
|
|
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-06-01 11:42:38 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-06-01 11:42:38 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->willReturn(true);
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('PROPFIND');
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isUserAgent')
|
|
|
|
->with([
|
|
|
|
'/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/.*$/',
|
|
|
|
'/^Mozilla\/5\.0 \(Android\) ownCloud\-android.*$/',
|
2017-02-10 12:05:24 +03:00
|
|
|
'/^Mozilla\/5\.0 \(iOS\) (ownCloud|Nextcloud)\-iOS.*$/',
|
2016-06-01 11:42:38 +03:00
|
|
|
])
|
|
|
|
->willReturn(false);
|
|
|
|
$this->session
|
|
|
|
->expects($this->any())
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('LoggedInUser'));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2016-06-01 11:42:38 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->any())
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('LoggedInUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(true);
|
|
|
|
$this->twoFactorManager->expects($this->once())
|
|
|
|
->method('needsSecondFactor')
|
2016-08-24 11:42:07 +03:00
|
|
|
->with($user)
|
2016-06-01 11:42:38 +03:00
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->auth->check($request, $response);
|
|
|
|
}
|
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
|
2016-03-23 21:31:17 +03:00
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenAndIncorrectlyDavAuthenticated() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
|
|
|
|
$this->expectExceptionMessage('CSRF check not passed.');
|
|
|
|
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->willReturn(true);
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('PROPFIND');
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isUserAgent')
|
|
|
|
->with([
|
|
|
|
'/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/.*$/',
|
2017-12-12 15:55:32 +03:00
|
|
|
'/^Mozilla\/5\.0 \(Android\) (ownCloud|Nextcloud)\-android.*$/',
|
2017-02-10 12:05:24 +03:00
|
|
|
'/^Mozilla\/5\.0 \(iOS\) (ownCloud|Nextcloud)\-iOS.*$/',
|
2016-03-23 21:31:17 +03:00
|
|
|
])
|
|
|
|
->willReturn(false);
|
|
|
|
$this->session
|
|
|
|
->expects($this->any())
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('AnotherUser'));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->any())
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('LoggedInUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(false);
|
|
|
|
$this->auth->check($request, $response);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForNonGetAndDesktopClient() {
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('POST');
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isUserAgent')
|
|
|
|
->with([
|
|
|
|
'/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/.*$/',
|
2017-12-12 15:55:32 +03:00
|
|
|
'/^Mozilla\/5\.0 \(Android\) (ownCloud|Nextcloud)\-android.*$/',
|
2017-02-10 12:05:24 +03:00
|
|
|
'/^Mozilla\/5\.0 \(iOS\) (ownCloud|Nextcloud)\-iOS.*$/',
|
2016-03-23 21:31:17 +03:00
|
|
|
])
|
|
|
|
->willReturn(true);
|
|
|
|
$this->session
|
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue(null));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-03-23 21:31:17 +03:00
|
|
|
$user->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyWrongDavUser'));
|
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
2016-02-16 15:16:52 +03:00
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
2016-03-23 21:31:17 +03:00
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(false);
|
|
|
|
|
|
|
|
$this->auth->check($request, $response);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForGet() {
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->session
|
|
|
|
->expects($this->any())
|
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue(null));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2016-03-23 21:31:17 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$user->expects($this->any())
|
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyWrongDavUser'));
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
|
|
|
$this->request
|
|
|
|
->expects($this->any())
|
2016-02-16 15:16:52 +03:00
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('GET');
|
2015-10-23 18:26:54 +03:00
|
|
|
|
2016-02-16 15:16:52 +03:00
|
|
|
$response = $this->auth->check($request, $response);
|
|
|
|
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
2016-02-16 15:16:52 +03:00
|
|
|
public function testAuthenticateAlreadyLoggedInWithCsrfTokenForGet() {
|
2016-10-13 13:15:10 +03:00
|
|
|
$request = $this->getMockBuilder(RequestInterface::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$response = $this->getMockBuilder(ResponseInterface::class)
|
2016-02-16 15:16:52 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2015-10-23 18:26:54 +03:00
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
|
|
|
$this->session
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue(null));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-03-23 21:31:17 +03:00
|
|
|
$user->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyWrongDavUser'));
|
|
|
|
$this->userSession
|
2016-03-23 21:31:17 +03:00
|
|
|
->expects($this->any())
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
2016-02-16 15:16:52 +03:00
|
|
|
$this->request
|
2015-10-23 18:26:54 +03:00
|
|
|
->expects($this->once())
|
2016-02-16 15:16:52 +03:00
|
|
|
->method('passesCSRFCheck')
|
|
|
|
->willReturn(true);
|
2015-10-23 18:26:54 +03:00
|
|
|
|
2015-11-20 15:35:23 +03:00
|
|
|
$response = $this->auth->check($request, $response);
|
2015-11-24 13:15:31 +03:00
|
|
|
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
public function testAuthenticateNoBasicAuthenticateHeadersProvided() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$server = $this->getMockBuilder(Server::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpRequest = $this->getMockBuilder(RequestInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpResponse = $this->getMockBuilder(ResponseInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2015-11-20 15:35:23 +03:00
|
|
|
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
|
2016-10-13 13:15:10 +03:00
|
|
|
$this->assertEquals([false, 'No \'Authorization: Basic\' header found. Either the client didn\'t send one, or the server is misconfigured'], $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
2019-11-27 17:27:18 +03:00
|
|
|
|
2015-11-19 16:18:27 +03:00
|
|
|
public function testAuthenticateNoBasicAuthenticateHeadersProvidedWithAjax() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
|
|
|
|
$this->expectExceptionMessage('Cannot authenticate over ajax calls');
|
|
|
|
|
2015-11-20 15:35:23 +03:00
|
|
|
/** @var \Sabre\HTTP\RequestInterface $httpRequest */
|
2016-10-13 13:15:10 +03:00
|
|
|
$httpRequest = $this->getMockBuilder(RequestInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2015-11-20 15:35:23 +03:00
|
|
|
/** @var \Sabre\HTTP\ResponseInterface $httpResponse */
|
2016-10-13 13:15:10 +03:00
|
|
|
$httpResponse = $this->getMockBuilder(ResponseInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2015-11-26 18:14:49 +03:00
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(false));
|
2015-11-20 15:35:23 +03:00
|
|
|
$httpRequest
|
2015-10-23 18:26:54 +03:00
|
|
|
->expects($this->once())
|
|
|
|
->method('getHeader')
|
2015-11-19 16:18:27 +03:00
|
|
|
->with('X-Requested-With')
|
|
|
|
->will($this->returnValue('XMLHttpRequest'));
|
2015-11-20 15:35:23 +03:00
|
|
|
$this->auth->check($httpRequest, $httpResponse);
|
2015-11-19 16:18:27 +03:00
|
|
|
}
|
|
|
|
|
2015-11-26 18:14:49 +03:00
|
|
|
public function testAuthenticateNoBasicAuthenticateHeadersProvidedWithAjaxButUserIsStillLoggedIn() {
|
|
|
|
/** @var \Sabre\HTTP\RequestInterface $httpRequest */
|
2016-10-13 13:15:10 +03:00
|
|
|
$httpRequest = $this->getMockBuilder(RequestInterface::class)
|
2015-11-26 18:14:49 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
/** @var \Sabre\HTTP\ResponseInterface $httpResponse */
|
2016-10-13 13:15:10 +03:00
|
|
|
$httpResponse = $this->getMockBuilder(ResponseInterface::class)
|
2015-11-26 18:14:49 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-01-06 22:48:33 +03:00
|
|
|
/** @var IUser */
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2016-07-15 10:52:46 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-01-06 22:48:33 +03:00
|
|
|
$user->method('getUID')->willReturn('MyTestUser');
|
2015-11-26 18:14:49 +03:00
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('isLoggedIn')
|
|
|
|
->will($this->returnValue(true));
|
2016-01-06 22:48:33 +03:00
|
|
|
$this->userSession
|
|
|
|
->expects($this->any())
|
|
|
|
->method('getUser')
|
|
|
|
->willReturn($user);
|
2015-11-26 18:14:49 +03:00
|
|
|
$this->session
|
2016-01-06 22:48:33 +03:00
|
|
|
->expects($this->atLeastOnce())
|
2015-11-26 18:14:49 +03:00
|
|
|
->method('get')
|
|
|
|
->with('AUTHENTICATED_TO_DAV_BACKEND')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
2016-03-23 21:31:17 +03:00
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
|
|
|
->method('getMethod')
|
|
|
|
->willReturn('GET');
|
2015-11-26 18:14:49 +03:00
|
|
|
$httpRequest
|
2016-01-06 22:48:33 +03:00
|
|
|
->expects($this->atLeastOnce())
|
2015-11-26 18:14:49 +03:00
|
|
|
->method('getHeader')
|
|
|
|
->with('Authorization')
|
|
|
|
->will($this->returnValue(null));
|
2016-01-06 22:48:33 +03:00
|
|
|
$this->assertEquals(
|
|
|
|
[true, 'principals/users/MyTestUser'],
|
|
|
|
$this->auth->check($httpRequest, $httpResponse)
|
|
|
|
);
|
2015-11-26 18:14:49 +03:00
|
|
|
}
|
|
|
|
|
2015-11-19 16:18:27 +03:00
|
|
|
public function testAuthenticateValidCredentials() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$server = $this->getMockBuilder(Server::class)
|
2015-11-19 16:18:27 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpRequest = $this->getMockBuilder(RequestInterface::class)
|
2015-11-19 16:18:27 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$server->httpRequest
|
|
|
|
->expects($this->at(0))
|
|
|
|
->method('getHeader')
|
|
|
|
->with('X-Requested-With')
|
|
|
|
->will($this->returnValue(null));
|
|
|
|
$server->httpRequest
|
|
|
|
->expects($this->at(1))
|
|
|
|
->method('getHeader')
|
2015-10-23 18:26:54 +03:00
|
|
|
->with('Authorization')
|
|
|
|
->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ='));
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpResponse = $this->getMockBuilder(ResponseInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
2016-05-24 15:08:42 +03:00
|
|
|
->method('logClientIn')
|
2015-10-23 18:26:54 +03:00
|
|
|
->with('username', 'password')
|
|
|
|
->will($this->returnValue(true));
|
2017-10-24 16:26:53 +03:00
|
|
|
$user = $this->getMockBuilder(IUser::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-06-13 17:00:49 +03:00
|
|
|
$user->expects($this->exactly(3))
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUID')
|
|
|
|
->will($this->returnValue('MyTestUser'));
|
|
|
|
$this->userSession
|
2016-08-24 11:42:07 +03:00
|
|
|
->expects($this->exactly(4))
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getUser')
|
|
|
|
->will($this->returnValue($user));
|
2015-11-20 15:35:23 +03:00
|
|
|
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
|
2016-03-21 23:53:16 +03:00
|
|
|
$this->assertEquals([true, 'principals/users/MyTestUser'], $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
public function testAuthenticateInvalidCredentials() {
|
2017-10-24 16:26:53 +03:00
|
|
|
$server = $this->getMockBuilder(Server::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpRequest = $this->getMockBuilder(RequestInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$server->httpRequest
|
2015-11-19 16:18:27 +03:00
|
|
|
->expects($this->at(0))
|
|
|
|
->method('getHeader')
|
|
|
|
->with('X-Requested-With')
|
|
|
|
->will($this->returnValue(null));
|
|
|
|
$server->httpRequest
|
|
|
|
->expects($this->at(1))
|
2015-10-23 18:26:54 +03:00
|
|
|
->method('getHeader')
|
|
|
|
->with('Authorization')
|
|
|
|
->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ='));
|
2016-10-13 13:15:10 +03:00
|
|
|
$server->httpResponse = $this->getMockBuilder(ResponseInterface::class)
|
2015-10-23 18:26:54 +03:00
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$this->userSession
|
|
|
|
->expects($this->once())
|
2016-05-24 15:08:42 +03:00
|
|
|
->method('logClientIn')
|
2015-10-23 18:26:54 +03:00
|
|
|
->with('username', 'password')
|
|
|
|
->will($this->returnValue(false));
|
2015-11-20 15:35:23 +03:00
|
|
|
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
|
|
|
|
$this->assertEquals([false, 'Username or password was incorrect'], $response);
|
2015-10-23 18:26:54 +03:00
|
|
|
}
|
|
|
|
}
|