1 package org.apache.archiva.web.test;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *   http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.archiva.web.test.parent.AbstractArchivaTest;
23 import org.testng.annotations.Test;
24
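/**
 * Checks that state-changing actions refuse requests that arrive without a valid anti-CSRF token.
 * <p>
 * Each test navigates straight to an action URL whose query string holds only the action's own
 * parameters (no token is supplied) and expects the "invalid token" alert page to be rendered.
 * The class depends on {@code testWithCorrectUsernamePassword}, presumably so that the browser
 * session is already authenticated when these requests are made (confirm against that test).
 * <p>
 * NOTE(review): only the alert text is asserted. A page could show the alert and still have
 * performed the action, so a follow-up assertion that the targeted repository, proxy, pattern or
 * consumer list is unchanged would make these tests a stronger regression guard. Only the
 * missing-token case is exercised here; a request carrying a wrong or stale token is not covered.
 */
@Test( groups = { "csrf" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
public class CSRFSecurityTest
    extends AbstractArchivaTest
{
    /** Heading of the page shown when the token check fails. */
    private static final String INVALID_TOKEN_TITLE = "Security Alert - Invalid Token Found";

    /** Explanatory message shown on the same page. */
    private static final String INVALID_TOKEN_DETAIL =
        "Possible CSRF attack detected! Invalid token found in the request.";

    /** Deleting a managed repository together with its contents must require a token. */
    public void testCSRFDeleteRepository()
    {
        assertRejectedWithoutToken(
            "/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents" );
    }

    /** Deleting an artifact must require a token. */
    public void testCSRFDeleteArtifact()
    {
        assertRejectedWithoutToken(
            "/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots" );
    }

    /** Creating a repository group must require a token. */
    public void testCSRFAddRepositoryGroup()
    {
        assertRejectedWithoutToken( "/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp" );
    }

    /** Deleting a repository group must require a token. */
    public void testCSRFDeleteRepositoryGroup()
    {
        assertRejectedWithoutToken( "/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm" );
    }

    /** Disabling a proxy connector must require a token. */
    public void testCSRFDisableProxyConnector()
    {
        assertRejectedWithoutToken(
            "/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal" );
    }

    /** Deleting a proxy connector must require a token. */
    public void testCSRFDeleteProxyConnector()
    {
        assertRejectedWithoutToken(
            "/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots" );
    }

    /** Deleting a legacy artifact path mapping must require a token. */
    public void testCSRFDeleteLegacyArtifactPath()
    {
        assertRejectedWithoutToken(
            "/admin/deleteLegacyArtifactPath.action?path=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar" );
    }

    /** Saving (adding) a network proxy must require a token. */
    public void testCSRFSaveNetworkProxy()
    {
        assertRejectedWithoutToken( "/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&" +
            "proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=" );
    }

    /** Deleting a network proxy must require a token. */
    public void testCSRFDeleteNetworkProxy()
    {
        assertRejectedWithoutToken( "/admin/deleteNetworkProxy!delete.action?proxyid=myproxy" );
    }

    /** Adding a file type pattern to repository scanning must require a token. */
    public void testCSRFAddFileTypePattern()
    {
        assertRejectedWithoutToken(
            "/admin/repositoryScanning!addFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
    }

    /** Removing a file type pattern from repository scanning must require a token. */
    public void testCSRFRemoveFileTypePattern()
    {
        assertRejectedWithoutToken(
            "/admin/repositoryScanning!removeFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
    }

    /** Changing the set of enabled known-content consumers must require a token. */
    public void testCSRFUpdateKnownConsumers()
    {
        assertRejectedWithoutToken(
            "/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&" +
            "enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&" +
            "enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&" +
            "enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&" +
            "enabledKnownContentConsumers=validate-checksums" );
    }

    /**
     * Requests an action without a token and asserts that the invalid-token alert page is shown.
     * <p>
     * Kept private so that the class-level {@code @Test} annotation, which applies to public
     * methods, does not register this helper as a test of its own.
     *
     * @param actionPathAndQuery path and query string of the action, appended to {@code baseUrl}
     */
    private void assertRejectedWithoutToken( String actionPathAndQuery )
    {
        // Load the application root before the action URL, as every original test did.
        getSelenium().open( baseUrl );
        getSelenium().open( baseUrl + actionPathAndQuery );

        assertTextPresent( INVALID_TOKEN_TITLE );
        assertTextPresent( INVALID_TOKEN_DETAIL );
    }
}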