2013-08-17 13:16:48 +04:00
|
|
|
<?php
|
|
|
|
/**
|
2015-11-28 13:06:46 +03:00
|
|
|
* @author Bernhard Posselt <dev@bernhard-posselt.com>
|
|
|
|
* @author Lukas Reschke <lukas@owncloud.com>
|
2013-08-17 13:16:48 +04:00
|
|
|
*
|
2015-11-28 13:06:46 +03:00
|
|
|
* @copyright Copyright (c) 2015, ownCloud, Inc.
|
|
|
|
* @license AGPL-3.0
|
2013-08-17 13:16:48 +04:00
|
|
|
*
|
2015-11-28 13:06:46 +03:00
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
* as published by the Free Software Foundation.
|
2013-08-17 13:16:48 +04:00
|
|
|
*
|
2015-11-28 13:06:46 +03:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
2013-08-17 13:16:48 +04:00
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
2015-11-28 13:06:46 +03:00
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Affero General Public License for more details.
|
2013-08-17 13:16:48 +04:00
|
|
|
*
|
2015-11-28 13:06:46 +03:00
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
2013-08-17 13:16:48 +04:00
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2016-05-18 19:40:34 +03:00
|
|
|
namespace Test\AppFramework\Middleware\Security;
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2013-10-23 07:57:34 +04:00
|
|
|
use OC\AppFramework\Http;
|
2013-08-17 13:16:48 +04:00
|
|
|
use OC\AppFramework\Http\Request;
|
2016-04-22 16:28:48 +03:00
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
|
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
|
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
|
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
|
2015-11-28 13:06:46 +03:00
|
|
|
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
2016-07-20 18:37:30 +03:00
|
|
|
use OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException;
|
2016-05-18 19:40:34 +03:00
|
|
|
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
|
2014-05-06 18:29:19 +04:00
|
|
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
2017-10-24 00:40:17 +03:00
|
|
|
use OCP\App\IAppManager;
|
2016-07-29 14:41:30 +03:00
|
|
|
use OCP\AppFramework\Controller;
|
2013-08-21 02:41:20 +04:00
|
|
|
use OCP\AppFramework\Http\JSONResponse;
|
2019-11-22 22:52:10 +03:00
|
|
|
use OCP\AppFramework\Http\RedirectResponse;
|
2015-11-28 13:06:46 +03:00
|
|
|
use OCP\AppFramework\Http\TemplateResponse;
|
2016-09-15 13:12:30 +03:00
|
|
|
use OCP\IConfig;
|
2018-02-26 17:32:17 +03:00
|
|
|
use OCP\IL10N;
|
2016-07-29 14:41:30 +03:00
|
|
|
use OCP\INavigationManager;
|
|
|
|
use OCP\IRequest;
|
|
|
|
use OCP\IURLGenerator;
|
2016-09-15 13:12:30 +03:00
|
|
|
use OCP\Security\ISecureRandom;
|
2021-04-19 15:06:34 +03:00
|
|
|
use Psr\Log\LoggerInterface;
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2014-11-11 01:30:38 +03:00
|
|
|
class SecurityMiddlewareTest extends \Test\TestCase {
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var SecurityMiddleware|\PHPUnit\Framework\MockObject\MockObject */
|
2013-08-17 13:16:48 +04:00
|
|
|
private $middleware;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var Controller|\PHPUnit\Framework\MockObject\MockObject */
|
2013-08-17 13:16:48 +04:00
|
|
|
private $controller;
|
2016-07-29 14:41:30 +03:00
|
|
|
/** @var SecurityException */
|
2013-08-17 13:16:48 +04:00
|
|
|
private $secException;
|
2016-07-29 14:41:30 +03:00
|
|
|
/** @var SecurityException */
|
2013-08-17 13:16:48 +04:00
|
|
|
private $secAjaxException;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var IRequest|\PHPUnit\Framework\MockObject\MockObject */
|
2013-08-17 13:16:48 +04:00
|
|
|
private $request;
|
2016-07-29 14:41:30 +03:00
|
|
|
/** @var ControllerMethodReflector */
|
2014-05-06 18:29:19 +04:00
|
|
|
private $reader;
|
2021-04-19 15:06:34 +03:00
|
|
|
/** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */
|
2014-05-28 04:12:01 +04:00
|
|
|
private $logger;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var INavigationManager|\PHPUnit\Framework\MockObject\MockObject */
|
2014-05-28 04:12:01 +04:00
|
|
|
private $navigationManager;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var IURLGenerator|\PHPUnit\Framework\MockObject\MockObject */
|
2014-05-28 04:12:01 +04:00
|
|
|
private $urlGenerator;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var IAppManager|\PHPUnit\Framework\MockObject\MockObject */
|
2017-10-24 00:40:17 +03:00
|
|
|
private $appManager;
|
2020-08-11 22:32:18 +03:00
|
|
|
/** @var IL10N|\PHPUnit\Framework\MockObject\MockObject */
|
2018-02-26 17:32:17 +03:00
|
|
|
private $l10n;
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2019-11-21 18:40:38 +03:00
|
|
|
protected function setUp(): void {
|
2014-11-11 01:30:38 +03:00
|
|
|
parent::setUp();
|
|
|
|
|
2016-09-15 13:12:30 +03:00
|
|
|
$this->controller = $this->createMock(Controller::class);
|
2014-05-06 18:29:19 +04:00
|
|
|
$this->reader = new ControllerMethodReflector();
|
2021-04-19 15:06:34 +03:00
|
|
|
$this->logger = $this->createMock(LoggerInterface::class);
|
2016-09-15 13:12:30 +03:00
|
|
|
$this->navigationManager = $this->createMock(INavigationManager::class);
|
|
|
|
$this->urlGenerator = $this->createMock(IURLGenerator::class);
|
|
|
|
$this->request = $this->createMock(IRequest::class);
|
2018-02-26 17:32:17 +03:00
|
|
|
$this->l10n = $this->createMock(IL10N::class);
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->middleware = $this->getMiddleware(true, true, false);
|
2013-08-17 13:16:48 +04:00
|
|
|
$this->secException = new SecurityException('hey', false);
|
|
|
|
$this->secAjaxException = new SecurityException('hey', true);
|
|
|
|
}
|
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
private function getMiddleware(bool $isLoggedIn, bool $isAdminUser, bool $isSubAdmin, bool $isAppEnabledForUser = true): SecurityMiddleware {
|
2018-03-08 13:05:18 +03:00
|
|
|
$this->appManager = $this->createMock(IAppManager::class);
|
|
|
|
$this->appManager->expects($this->any())
|
|
|
|
->method('isEnabledForUser')
|
|
|
|
->willReturn($isAppEnabledForUser);
|
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
return new SecurityMiddleware(
|
|
|
|
$this->request,
|
|
|
|
$this->reader,
|
|
|
|
$this->navigationManager,
|
|
|
|
$this->urlGenerator,
|
|
|
|
$this->logger,
|
2014-11-14 19:20:51 +03:00
|
|
|
'files',
|
2014-05-28 04:12:01 +04:00
|
|
|
$isLoggedIn,
|
2016-01-28 16:33:02 +03:00
|
|
|
$isAdminUser,
|
2019-05-22 11:48:51 +03:00
|
|
|
$isSubAdmin,
|
2018-02-26 17:32:17 +03:00
|
|
|
$this->appManager,
|
|
|
|
$this->l10n
|
2014-05-28 04:12:01 +04:00
|
|
|
);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testSetNavigationEntry() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->navigationManager->expects($this->once())
|
|
|
|
->method('setActiveEntry')
|
2014-11-14 19:20:51 +03:00
|
|
|
->with($this->equalTo('files'));
|
2014-05-28 04:12:01 +04:00
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-02-19 12:31:54 +04:00
|
|
|
/**
|
|
|
|
* @param string $method
|
|
|
|
* @param string $test
|
|
|
|
*/
|
2013-08-17 13:16:48 +04:00
|
|
|
private function ajaxExceptionStatus($method, $test, $status) {
|
2014-05-28 04:12:01 +04:00
|
|
|
$isLoggedIn = false;
|
|
|
|
$isAdminUser = false;
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2013-08-20 23:21:21 +04:00
|
|
|
// isAdminUser requires isLoggedIn call to return true
|
|
|
|
if ($test === 'isAdminUser') {
|
2014-05-28 04:12:01 +04:00
|
|
|
$isLoggedIn = true;
|
2013-08-20 23:21:21 +04:00
|
|
|
}
|
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser, false);
|
2013-08-17 13:16:48 +04:00
|
|
|
|
|
|
|
try {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->reader->reflect(__CLASS__, $method);
|
2017-07-26 11:50:39 +03:00
|
|
|
$sec->beforeController($this->controller, $method);
|
2020-04-10 15:19:56 +03:00
|
|
|
} catch (SecurityException $ex) {
|
2013-08-17 13:16:48 +04:00
|
|
|
$this->assertEquals($status, $ex->getCode());
|
|
|
|
}
|
2014-05-28 17:23:57 +04:00
|
|
|
|
|
|
|
// add assertion if everything should work fine otherwise phpunit will
|
|
|
|
// complain
|
|
|
|
if ($status === 0) {
|
2018-01-25 13:23:12 +03:00
|
|
|
$this->addToAssertionCount(1);
|
2014-05-28 17:23:57 +04:00
|
|
|
}
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
public function testAjaxStatusLoggedInCheck() {
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'isLoggedIn',
|
|
|
|
Http::STATUS_UNAUTHORIZED
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
|
|
|
public function testAjaxNotAdminCheck() {
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'isAdminUser',
|
|
|
|
Http::STATUS_FORBIDDEN
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
|
|
|
public function testAjaxStatusCSRFCheck() {
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'passesCSRFCheck',
|
|
|
|
Http::STATUS_PRECONDITION_FAILED
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
|
|
|
public function testAjaxStatusAllGood() {
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'isLoggedIn',
|
|
|
|
0
|
|
|
|
);
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'isAdminUser',
|
|
|
|
0
|
|
|
|
);
|
|
|
|
$this->ajaxExceptionStatus(
|
2014-05-28 17:23:57 +04:00
|
|
|
__FUNCTION__,
|
2013-08-17 13:16:48 +04:00
|
|
|
'passesCSRFCheck',
|
|
|
|
0
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2013-08-20 23:21:21 +04:00
|
|
|
|
2013-08-17 13:16:48 +04:00
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testNoChecks() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->request->expects($this->never())
|
2016-07-20 18:37:30 +03:00
|
|
|
->method('passesCSRFCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2014-05-28 04:12:01 +04:00
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
$sec = $this->getMiddleware(false, false, false);
|
2014-05-28 04:12:01 +04:00
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$sec->beforeController($this->controller, __FUNCTION__);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-02-19 12:31:54 +04:00
|
|
|
/**
|
|
|
|
* @param string $method
|
|
|
|
* @param string $expects
|
|
|
|
*/
|
2020-10-05 16:12:57 +03:00
|
|
|
private function securityCheck($method, $expects, $shouldFail = false) {
|
2013-08-20 23:21:21 +04:00
|
|
|
// admin check requires login
|
|
|
|
if ($expects === 'isAdminUser') {
|
2014-05-28 04:12:01 +04:00
|
|
|
$isLoggedIn = true;
|
|
|
|
$isAdminUser = !$shouldFail;
|
|
|
|
} else {
|
|
|
|
$isLoggedIn = !$shouldFail;
|
|
|
|
$isAdminUser = false;
|
2013-08-20 23:21:21 +04:00
|
|
|
}
|
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser, false);
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2020-04-10 15:19:56 +03:00
|
|
|
if ($shouldFail) {
|
2018-01-24 20:10:16 +03:00
|
|
|
$this->expectException(SecurityException::class);
|
2013-08-20 23:21:21 +04:00
|
|
|
} else {
|
2018-01-25 13:23:12 +03:00
|
|
|
$this->addToAssertionCount(1);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->reader->reflect(__CLASS__, $method);
|
2017-07-26 11:50:39 +03:00
|
|
|
$sec->beforeController($this->controller, $method);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testCsrfCheck() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException::class);
|
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->request->expects($this->once())
|
2013-10-07 13:25:50 +04:00
|
|
|
->method('passesCSRFCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2013-10-07 13:25:50 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testNoCsrfCheck() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->request->expects($this->never())
|
2013-10-07 13:25:50 +04:00
|
|
|
->method('passesCSRFCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2013-10-07 13:25:50 +04:00
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
2016-07-20 18:37:30 +03:00
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testPassesCsrfCheck() {
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesCSRFCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2016-07-20 18:37:30 +03:00
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2016-07-20 18:37:30 +03:00
|
|
|
}
|
2013-08-17 13:16:48 +04:00
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @PublicPage
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testFailCsrfCheck() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException::class);
|
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->request->expects($this->once())
|
2013-10-07 13:25:50 +04:00
|
|
|
->method('passesCSRFCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(true);
|
2013-10-07 13:25:50 +04:00
|
|
|
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
2016-07-20 18:37:30 +03:00
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @StrictCookieRequired
|
|
|
|
*/
|
|
|
|
public function testStrictCookieRequiredCheck() {
|
2019-11-27 17:27:18 +03:00
|
|
|
$this->expectException(\OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException::class);
|
|
|
|
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->request->expects($this->never())
|
|
|
|
->method('passesCSRFCheck');
|
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2016-07-20 18:37:30 +03:00
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2016-07-20 18:37:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
|
|
|
*/
|
|
|
|
public function testNoStrictCookieRequiredCheck() {
|
|
|
|
$this->request->expects($this->never())
|
|
|
|
->method('passesStrictCookieCheck')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn(false);
|
2016-07-20 18:37:30 +03:00
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2016-07-20 18:37:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @NoCSRFRequired
|
|
|
|
* @StrictCookieRequired
|
|
|
|
*/
|
|
|
|
public function testPassesStrictCookieRequiredCheck() {
|
|
|
|
$this->request
|
|
|
|
->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
|
|
|
->willReturn(true);
|
|
|
|
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
2017-07-26 11:50:39 +03:00
|
|
|
$this->middleware->beforeController($this->controller, __FUNCTION__);
|
2016-07-20 18:37:30 +03:00
|
|
|
}
|
2013-08-17 13:16:48 +04:00
|
|
|
|
2016-07-29 14:41:30 +03:00
|
|
|
public function dataCsrfOcsController() {
|
|
|
|
$controller = $this->getMockBuilder('OCP\AppFramework\Controller')
|
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
$ocsController = $this->getMockBuilder('OCP\AppFramework\OCSController')
|
|
|
|
->disableOriginalConstructor()
|
|
|
|
->getMock();
|
|
|
|
|
|
|
|
return [
|
2018-01-25 18:10:38 +03:00
|
|
|
[$controller, false, false, true],
|
|
|
|
[$controller, false, true, true],
|
|
|
|
[$controller, true, false, true],
|
|
|
|
[$controller, true, true, true],
|
|
|
|
|
|
|
|
[$ocsController, false, false, true],
|
|
|
|
[$ocsController, false, true, false],
|
|
|
|
[$ocsController, true, false, false],
|
|
|
|
[$ocsController, true, true, false],
|
2016-07-29 14:41:30 +03:00
|
|
|
];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @dataProvider dataCsrfOcsController
|
|
|
|
* @param Controller $controller
|
|
|
|
* @param bool $hasOcsApiHeader
|
2018-01-25 18:10:38 +03:00
|
|
|
* @param bool $hasBearerAuth
|
2016-07-29 14:41:30 +03:00
|
|
|
* @param bool $exception
|
|
|
|
*/
|
2018-01-25 18:10:38 +03:00
|
|
|
public function testCsrfOcsController(Controller $controller, bool $hasOcsApiHeader, bool $hasBearerAuth, bool $exception) {
|
2016-07-29 14:41:30 +03:00
|
|
|
$this->request
|
|
|
|
->method('getHeader')
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {
|
2018-01-25 18:10:38 +03:00
|
|
|
if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
|
|
|
|
return 'true';
|
|
|
|
}
|
|
|
|
if ($header === 'Authorization' && $hasBearerAuth) {
|
|
|
|
return 'Bearer TOKEN!';
|
|
|
|
}
|
|
|
|
return '';
|
2020-03-26 00:21:27 +03:00
|
|
|
});
|
2016-07-29 14:41:30 +03:00
|
|
|
$this->request->expects($this->once())
|
|
|
|
->method('passesStrictCookieCheck')
|
|
|
|
->willReturn(true);
|
|
|
|
|
|
|
|
try {
|
|
|
|
$this->middleware->beforeController($controller, 'foo');
|
|
|
|
$this->assertFalse($exception);
|
|
|
|
} catch (CrossSiteRequestForgeryException $e) {
|
|
|
|
$this->assertTrue($exception);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-08-17 13:16:48 +04:00
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @NoCSRFRequired
|
|
|
|
* @NoAdminRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testLoggedInCheck() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->securityCheck(__FUNCTION__, 'isLoggedIn');
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @NoCSRFRequired
|
|
|
|
* @NoAdminRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testFailLoggedInCheck() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->securityCheck(__FUNCTION__, 'isLoggedIn', true);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testIsAdminCheck() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->securityCheck(__FUNCTION__, 'isAdminUser');
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
/**
|
|
|
|
* @NoCSRFRequired
|
|
|
|
* @SubAdminRequired
|
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testIsNotSubAdminCheck() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
$sec = $this->getMiddleware(true, false, false);
|
|
|
|
|
|
|
|
$this->expectException(SecurityException::class);
|
|
|
|
$sec->beforeController($this, __METHOD__);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @NoCSRFRequired
|
|
|
|
* @SubAdminRequired
|
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testIsSubAdminCheck() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
$sec = $this->getMiddleware(true, false, true);
|
|
|
|
|
|
|
|
$sec->beforeController($this, __METHOD__);
|
|
|
|
$this->addToAssertionCount(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @NoCSRFRequired
|
|
|
|
* @SubAdminRequired
|
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testIsSubAdminAndAdminCheck() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
$sec = $this->getMiddleware(true, true, true);
|
|
|
|
|
|
|
|
$sec->beforeController($this, __METHOD__);
|
|
|
|
$this->addToAssertionCount(1);
|
|
|
|
}
|
2013-08-17 13:16:48 +04:00
|
|
|
|
|
|
|
/**
|
2013-08-20 23:21:21 +04:00
|
|
|
* @NoCSRFRequired
|
2013-08-17 13:16:48 +04:00
|
|
|
*/
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testFailIsAdminCheck() {
|
2014-05-28 04:12:01 +04:00
|
|
|
$this->securityCheck(__FUNCTION__, 'isAdminUser', true);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testAfterExceptionNotCaughtThrowsItAgain() {
|
2013-08-17 13:16:48 +04:00
|
|
|
$ex = new \Exception();
|
2018-01-24 20:10:16 +03:00
|
|
|
$this->expectException(\Exception::class);
|
2013-08-17 13:16:48 +04:00
|
|
|
$this->middleware->afterException($this->controller, 'test', $ex);
|
|
|
|
}
|
|
|
|
|
2015-11-28 13:06:46 +03:00
|
|
|
public function testAfterExceptionReturnsRedirectForNotLoggedInUser() {
|
2013-08-17 13:16:48 +04:00
|
|
|
$this->request = new Request(
|
2016-07-20 18:37:30 +03:00
|
|
|
[
|
|
|
|
'server' =>
|
|
|
|
[
|
|
|
|
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
2016-11-09 18:14:46 +03:00
|
|
|
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'
|
2016-07-20 18:37:30 +03:00
|
|
|
]
|
|
|
|
],
|
2016-09-15 13:12:30 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-11-28 13:06:46 +03:00
|
|
|
);
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->middleware = $this->getMiddleware(false, false, false);
|
2015-11-28 13:06:46 +03:00
|
|
|
$this->urlGenerator
|
2016-07-20 18:37:30 +03:00
|
|
|
->expects($this->once())
|
|
|
|
->method('linkToRoute')
|
|
|
|
->with(
|
|
|
|
'core.login.showLoginForm',
|
|
|
|
[
|
2016-11-09 18:14:46 +03:00
|
|
|
'redirect_url' => 'nextcloud/index.php/apps/specialapp',
|
2016-07-20 18:37:30 +03:00
|
|
|
]
|
|
|
|
)
|
2020-03-26 00:21:27 +03:00
|
|
|
->willReturn('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp');
|
2015-11-28 13:06:46 +03:00
|
|
|
$this->logger
|
2016-07-20 18:37:30 +03:00
|
|
|
->expects($this->once())
|
2018-01-17 17:21:56 +03:00
|
|
|
->method('logException');
|
2015-11-28 13:06:46 +03:00
|
|
|
$response = $this->middleware->afterException(
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->controller,
|
|
|
|
'test',
|
|
|
|
new NotLoggedInException()
|
2015-11-28 13:06:46 +03:00
|
|
|
);
|
2016-11-09 18:14:46 +03:00
|
|
|
$expected = new RedirectResponse('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp');
|
2015-11-28 13:06:46 +03:00
|
|
|
$this->assertEquals($expected , $response);
|
|
|
|
}
|
|
|
|
|
2016-07-20 18:37:30 +03:00
|
|
|
public function testAfterExceptionRedirectsToWebRootAfterStrictCookieFail() {
|
|
|
|
$this->request = new Request(
|
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
2016-11-09 18:14:46 +03:00
|
|
|
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp',
|
2016-07-20 18:37:30 +03:00
|
|
|
],
|
|
|
|
],
|
2016-09-15 13:12:30 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2016-07-20 18:37:30 +03:00
|
|
|
);
|
|
|
|
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->middleware = $this->getMiddleware(false, false, false);
|
2016-07-20 18:37:30 +03:00
|
|
|
$response = $this->middleware->afterException(
|
|
|
|
$this->controller,
|
|
|
|
'test',
|
|
|
|
new StrictCookieMissingException()
|
|
|
|
);
|
|
|
|
|
2020-01-13 19:53:08 +03:00
|
|
|
$expected = new RedirectResponse(\OC::$WEBROOT . '/');
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->assertEquals($expected , $response);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-11-28 13:06:46 +03:00
|
|
|
/**
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function exceptionProvider() {
|
|
|
|
return [
|
|
|
|
[
|
|
|
|
new AppNotEnabledException(),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
new CrossSiteRequestForgeryException(),
|
2015-02-09 13:41:48 +03:00
|
|
|
],
|
2015-11-28 13:06:46 +03:00
|
|
|
[
|
2018-02-26 17:32:17 +03:00
|
|
|
new NotAdminException(''),
|
2015-11-28 13:06:46 +03:00
|
|
|
],
|
|
|
|
];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @dataProvider exceptionProvider
|
|
|
|
* @param SecurityException $exception
|
|
|
|
*/
|
|
|
|
public function testAfterExceptionReturnsTemplateResponse(SecurityException $exception) {
|
|
|
|
$this->request = new Request(
|
2016-07-20 18:37:30 +03:00
|
|
|
[
|
|
|
|
'server' =>
|
|
|
|
[
|
|
|
|
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
2016-11-09 18:14:46 +03:00
|
|
|
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'
|
2016-07-20 18:37:30 +03:00
|
|
|
]
|
|
|
|
],
|
2016-09-15 13:12:30 +03:00
|
|
|
$this->createMock(ISecureRandom::class),
|
|
|
|
$this->createMock(IConfig::class)
|
2015-11-28 13:06:46 +03:00
|
|
|
);
|
2019-05-22 11:48:51 +03:00
|
|
|
$this->middleware = $this->getMiddleware(false, false, false);
|
2015-11-28 13:06:46 +03:00
|
|
|
$this->logger
|
2016-07-20 18:37:30 +03:00
|
|
|
->expects($this->once())
|
2018-01-17 17:21:56 +03:00
|
|
|
->method('logException');
|
2015-11-28 13:06:46 +03:00
|
|
|
$response = $this->middleware->afterException(
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->controller,
|
|
|
|
'test',
|
|
|
|
$exception
|
2014-05-28 04:12:01 +04:00
|
|
|
);
|
2018-08-09 15:27:20 +03:00
|
|
|
$expected = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
|
2015-11-28 13:06:46 +03:00
|
|
|
$expected->setStatus($exception->getCode());
|
|
|
|
$this->assertEquals($expected , $response);
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|
|
|
|
|
2020-04-09 14:53:40 +03:00
|
|
|
public function testAfterAjaxExceptionReturnsJSONError() {
|
2013-08-17 13:16:48 +04:00
|
|
|
$response = $this->middleware->afterException($this->controller, 'test',
|
2016-07-20 18:37:30 +03:00
|
|
|
$this->secAjaxException);
|
2013-08-17 13:16:48 +04:00
|
|
|
|
|
|
|
$this->assertTrue($response instanceof JSONResponse);
|
|
|
|
}
|
|
|
|
|
2018-03-08 13:05:18 +03:00
|
|
|
public function dataRestrictedApp() {
|
|
|
|
return [
|
|
|
|
[false, false, false,],
|
|
|
|
[false, false, true,],
|
|
|
|
[false, true, false,],
|
|
|
|
[false, true, true,],
|
|
|
|
[ true, false, false,],
|
|
|
|
[ true, false, true,],
|
|
|
|
[ true, true, false,],
|
|
|
|
[ true, true, true,],
|
|
|
|
];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @NoAdminRequired
|
|
|
|
* @NoCSRFRequired
|
|
|
|
*/
|
|
|
|
public function testRestrictedAppLoggedInPublicPage() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$middleware = $this->getMiddleware(true, false, false);
|
2018-03-08 13:05:18 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
|
|
|
|
$this->appManager->method('getAppPath')
|
|
|
|
->with('files')
|
|
|
|
->willReturn('foo');
|
|
|
|
|
|
|
|
$this->appManager->method('isEnabledForUser')
|
|
|
|
->with('files')
|
|
|
|
->willReturn(false);
|
|
|
|
|
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
|
|
|
$this->addToAssertionCount(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @PublicPage
|
|
|
|
* @NoAdminRequired
|
|
|
|
* @NoCSRFRequired
|
|
|
|
*/
|
|
|
|
public function testRestrictedAppNotLoggedInPublicPage() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$middleware = $this->getMiddleware(false, false, false);
|
2018-03-08 13:05:18 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
|
|
|
|
$this->appManager->method('getAppPath')
|
|
|
|
->with('files')
|
|
|
|
->willReturn('foo');
|
|
|
|
|
|
|
|
$this->appManager->method('isEnabledForUser')
|
|
|
|
->with('files')
|
|
|
|
->willReturn(false);
|
|
|
|
|
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
|
|
|
$this->addToAssertionCount(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @NoAdminRequired
|
|
|
|
* @NoCSRFRequired
|
|
|
|
*/
|
|
|
|
public function testRestrictedAppLoggedIn() {
|
2019-05-22 11:48:51 +03:00
|
|
|
$middleware = $this->getMiddleware(true, false, false, false);
|
2018-03-08 13:05:18 +03:00
|
|
|
$this->reader->reflect(__CLASS__,__FUNCTION__);
|
|
|
|
|
|
|
|
$this->appManager->method('getAppPath')
|
|
|
|
->with('files')
|
|
|
|
->willReturn('foo');
|
|
|
|
|
|
|
|
$this->expectException(AppNotEnabledException::class);
|
|
|
|
$middleware->beforeController($this->controller, __FUNCTION__);
|
|
|
|
}
|
2013-08-17 13:16:48 +04:00
|
|
|
}
|