fix cookie path, if scm-manager runs with context path /

2025-11-17 10:41:06 +01:00 · 2018-08-23 08:24:19 +02:00
parent e17f3bfd79
commit 9e8bd299f0
2 changed files with 132 additions and 11 deletions
--- a/scm-webapp/src/test/java/sonia/scm/security/AccessTokenCookieIssuerTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/AccessTokenCookieIssuerTest.java
@@ -0,0 +1,113 @@
+package sonia.scm.security;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Captor;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import sonia.scm.config.ScmConfiguration;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.util.Date;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class AccessTokenCookieIssuerTest {
+
+  private ScmConfiguration configuration;
+
+  private AccessTokenCookieIssuer issuer;
+
+  @Mock
+  private HttpServletRequest request;
+
+  @Mock
+  private HttpServletResponse response;
+
+  @Mock
+  private AccessToken accessToken;
+
+  @Captor
+  private ArgumentCaptor<Cookie> cookieArgumentCaptor;
+
+  @Before
+  public void setUp() {
+    configuration = new ScmConfiguration();
+    issuer = new AccessTokenCookieIssuer(configuration);
+  }
+
+  @Test
+  public void testContextPath() {
+    assertContextPath("/scm", "/scm");
+    assertContextPath("/", "/");
+    assertContextPath("", "/");
+    assertContextPath(null, "/");
+  }
+
+  @Test
+  public void httpOnlyShouldBeEnabledIfXsrfProtectionIsDisabled() {
+    configuration.setEnabledXsrfProtection(false);
+
+    Cookie cookie = authenticate();
+
+    assertTrue(cookie.isHttpOnly());
+  }
+
+  @Test
+  public void httpOnlyShouldBeDisabled() {
+    Cookie cookie = authenticate();
+
+    assertFalse(cookie.isHttpOnly());
+  }
+
+  @Test
+  public void secureShouldBeSetIfTheRequestIsSecure() {
+    when(request.isSecure()).thenReturn(true);
+
+    Cookie cookie = authenticate();
+
+    assertTrue(cookie.getSecure());
+  }
+
+  @Test
+  public void secureShouldBeDisabledIfTheRequestIsNotSecure() {
+    when(request.isSecure()).thenReturn(false);
+
+    Cookie cookie = authenticate();
+
+    assertFalse(cookie.getSecure());
+  }
+
+  @Test
+  public void testInvalidate() {
+    issuer.invalidate(request, response);
+
+    verify(response).addCookie(cookieArgumentCaptor.capture());
+    Cookie cookie = cookieArgumentCaptor.getValue();
+
+    assertEquals(0, cookie.getMaxAge());
+  }
+
+  private Cookie authenticate() {
+    when(accessToken.getExpiration()).thenReturn(new Date());
+
+    issuer.authenticate(request, response, accessToken);
+
+    verify(response).addCookie(cookieArgumentCaptor.capture());
+    return cookieArgumentCaptor.getValue();
+  }
+
+
+  private void assertContextPath(String contextPath, String expected) {
+    when(request.getContextPath()).thenReturn(contextPath);
+    assertEquals(expected, issuer.contextPath(request));
+  }
+}