Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-14 09:25:43 +01:00
Code Issues Packages Projects Releases Activity

fix lfs authentication via ssh command and enabled xsrf protection

Browse Source
This commit is contained in:
Sebastian Sdorra
2019-10-22 10:50:49 +02:00
parent e885d130be
commit 52f471b5dd
3 changed files with 125 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java
View File

@@ -1,19 +1,19 @@
/**
* Copyright (c) 2014, Sebastian Sdorra
* All rights reserved.
*
* <p>
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* <p>
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
* <p>
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -24,103 +24,118 @@
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* <p>
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import com.google.inject.OutOfScopeException;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.mockito.junit.jupiter.MockitoExtension;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.util.HttpUtil;
import javax.inject.Provider;
import javax.servlet.http.HttpServletRequest;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.*;
/**
* Unit tests for {@link XsrfAccessTokenEnricher}.
*
*
* @author Sebastian Sdorra
*/
@RunWith(MockitoJUnitRunner.class)
public class XsrfAccessTokenEnricherTest {
@ExtendWith(MockitoExtension.class)
class XsrfAccessTokenEnricherTest {
@Mock
private HttpServletRequest request;
@Mock
private AccessTokenBuilder builder;
private ScmConfiguration configuration;
private XsrfAccessTokenEnricher enricher;
/**
* Prepare object under test.
*/
@Before
public void prepareObjectUnderTest() {
@BeforeEach
void createConfiguration() {
configuration = new ScmConfiguration();
enricher = new XsrfAccessTokenEnricher(configuration, () -> request) {
}
@Test
@SuppressWarnings("unchecked")
void testWithoutRequestScope() {
// prepare
Provider<HttpServletRequest> requestProvider = mock(Provider.class);
when(requestProvider.get()).thenThrow(new OutOfScopeException("request scope is not available"));
configuration.setEnabledXsrfProtection(true);
XsrfAccessTokenEnricher enricher = createEnricher(requestProvider);
// execute
enricher.enrich(builder);
// assert
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
}
private XsrfAccessTokenEnricher createEnricher(Provider<HttpServletRequest> requestProvider) {
return new XsrfAccessTokenEnricher(configuration, requestProvider) {
@Override
String createToken() {
return "42";
}
};
}
/**
* Tests {@link XsrfAccessTokenEnricher#enrich(java.util.Map)}.
*/
@Test
public void testEnrich() {
// prepare
configuration.setEnabledXsrfProtection(true);
when(request.getHeader(HttpUtil.HEADER_SCM_CLIENT)).thenReturn(HttpUtil.SCM_CLIENT_WUI);
// execute
enricher.enrich(builder);
// assert
verify(builder).custom(Xsrf.TOKEN_KEY, "42");
}
/**
* Tests {@link XsrfAccessTokenEnricher#enrich(java.util.Map)} with disabled xsrf protection.
*/
@Test
public void testEnrichWithDisabledXsrf() {
// prepare
configuration.setEnabledXsrfProtection(false);
// execute
enricher.enrich(builder);
// assert
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
}
/**
* Tests {@link XsrfAccessTokenEnricher#enrich(java.util.Map)} with disabled xsrf protection.
*/
@Test
public void testEnrichWithNonWuiClient() {
// prepare
configuration.setEnabledXsrfProtection(true);
// execute
enricher.enrich(builder);
// assert
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
}
@Nested
class WithRequestMock {
@BeforeEach
void setupEnricher() {
enricher = createEnricher(() -> request);
}
@Test
void testEnrich() {
// prepare
configuration.setEnabledXsrfProtection(true);
when(request.getHeader(HttpUtil.HEADER_SCM_CLIENT)).thenReturn(HttpUtil.SCM_CLIENT_WUI);
// execute
enricher.enrich(builder);
// assert
verify(builder).custom(Xsrf.TOKEN_KEY, "42");
}
@Test
void testEnrichWithDisabledXsrf() {
// prepare
configuration.setEnabledXsrfProtection(false);
// execute
enricher.enrich(builder);
// assert
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
}
@Test
void testEnrichWithNonWuiClient() {
// prepare
configuration.setEnabledXsrfProtection(true);
// execute
enricher.enrich(builder);
// assert
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
}
}
}