mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-14 01:15:44 +01:00
enable xrfs protection only on write request
This change is required in order to fix the image viewer and download of editor plugin
This commit is contained in:
Sebastian Sdorra
@@ -1,19 +1,19 @@
|
||||
/**
|
||||
* Copyright (c) 2014, Sebastian Sdorra
|
||||
* All rights reserved.
|
||||
*
|
||||
* <p>
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* <p>
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
* this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of SCM-Manager; nor the names of its
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
*
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
* <p>
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
@@ -24,33 +24,39 @@
|
||||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* <p>
|
||||
* http://bitbucket.org/sdorra/scm-manager
|
||||
*
|
||||
*/
|
||||
|
||||
package sonia.scm.security;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Nested;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.junit.jupiter.params.ParameterizedTest;
|
||||
import org.junit.jupiter.params.provider.CsvSource;
|
||||
import org.junit.jupiter.params.provider.EnumSource;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.GET;
|
||||
import java.util.Optional;
|
||||
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.mockito.Mockito.lenient;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator}.
|
||||
*
|
||||
*
|
||||
* @author Sebastian Sdorra
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class XsrfAccessTokenValidatorTest {
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
class XsrfAccessTokenValidatorTest {
|
||||
|
||||
@Mock
|
||||
private HttpServletRequest request;
|
||||
@@ -59,62 +65,94 @@ public class XsrfAccessTokenValidatorTest {
|
||||
private AccessToken accessToken;
|
||||
|
||||
private XsrfAccessTokenValidator validator;
|
||||
|
||||
|
||||
/**
|
||||
* Prepare object under test.
|
||||
*/
|
||||
@Before
|
||||
public void prepareObjectUnderTest() {
|
||||
@BeforeEach
|
||||
void prepareObjectUnderTest() {
|
||||
validator = new XsrfAccessTokenValidator(() -> request);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)}.
|
||||
*/
|
||||
@Test
|
||||
public void testValidate() {
|
||||
|
||||
@Nested
|
||||
class RequestMethodPost {
|
||||
|
||||
@BeforeEach
|
||||
void setRequestMethod() {
|
||||
lenient().when(request.getMethod()).thenReturn("POST");
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)}.
|
||||
*/
|
||||
@Test
|
||||
void testValidate() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("abc");
|
||||
|
||||
// execute and assert
|
||||
assertTrue(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} with wrong header.
|
||||
*/
|
||||
@Test
|
||||
void testValidateWithWrongHeader() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("123");
|
||||
|
||||
// execute and assert
|
||||
assertFalse(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without header.
|
||||
*/
|
||||
@Test
|
||||
void testValidateWithoutHeader() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
|
||||
// execute and assert
|
||||
assertFalse(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without claims key.
|
||||
*/
|
||||
@Test
|
||||
void testValidateWithoutClaimsKey() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.empty());
|
||||
|
||||
// execute and assert
|
||||
assertTrue(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@CsvSource({"GET", "HEAD", "OPTIONS"})
|
||||
void shouldNotValidateReadRequests(String method) {
|
||||
// prepare
|
||||
when(request.getMethod()).thenReturn(method);
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("abc");
|
||||
|
||||
|
||||
// execute and assert
|
||||
assertTrue(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} with wrong header.
|
||||
*/
|
||||
@Test
|
||||
public void testValidateWithWrongHeader() {
|
||||
|
||||
@ParameterizedTest
|
||||
@CsvSource({"POST", "PUT", "DELETE", "PATCH"})
|
||||
void shouldFailValidationOfWriteRequests(String method) {
|
||||
// prepare
|
||||
when(request.getMethod()).thenReturn(method);
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("123");
|
||||
|
||||
|
||||
// execute and assert
|
||||
assertFalse(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without header.
|
||||
*/
|
||||
@Test
|
||||
public void testValidateWithoutHeader() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
|
||||
|
||||
// execute and assert
|
||||
assertFalse(validator.validate(accessToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without claims key.
|
||||
*/
|
||||
@Test
|
||||
public void testValidateWithoutClaimsKey() {
|
||||
// prepare
|
||||
when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.empty());
|
||||
|
||||
// execute and assert
|
||||
assertTrue(validator.validate(accessToken));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user