From 1d3e391ad8b9eadefab8eaa8239e6901b8466f01 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 5 Apr 2017 13:14:59 +0200 Subject: [PATCH] Add integration tests for token auth Signed-off-by: Lukas Reschke --- build/integration/features/auth.feature | 59 +++++--- build/integration/features/bootstrap/Auth.php | 135 +++++++++++++++--- 2 files changed, 158 insertions(+), 36 deletions(-) diff --git a/build/integration/features/auth.feature b/build/integration/features/auth.feature index a3af28f25c8..b9f423a9e93 100644 --- a/build/integration/features/auth.feature +++ b/build/integration/features/auth.feature @@ -2,11 +2,11 @@ Feature: auth Background: Given user "user0" exists - Given a new client token is used - + Given a new restricted client token is added + Given a new unrestricted client token is added + Given the cookie jar is reset # FILES APP - Scenario: access files app anonymously When requesting "/index.php/apps/files" with "GET" Then the HTTP status code should be "401" @@ -15,12 +15,20 @@ Feature: auth When requesting "/index.php/apps/files" with "GET" using basic auth Then the HTTP status code should be "200" - Scenario: access files app with basic token auth - When requesting "/index.php/apps/files" with "GET" using basic token auth + Scenario: access files app with unrestricted basic token auth + When requesting "/index.php/apps/files" with "GET" using unrestricted basic token auth + Then the HTTP status code should be "200" + Then requesting "/remote.php/files/welcome.txt" with "GET" using browser session + Then the HTTP status code should be "200" + + Scenario: access files app with restricted basic token auth + When requesting "/index.php/apps/files" with "GET" using restricted basic token auth Then the HTTP status code should be "200" + Then requesting "/remote.php/files/welcome.txt" with "GET" using browser session + Then the HTTP status code should be "404" - Scenario: access files app with a client token - When requesting "/index.php/apps/files" with "GET" using a client token + Scenario: access files app with an unrestricted client token + When requesting "/index.php/apps/files" with "GET" using an unrestricted client token Then the HTTP status code should be "200" Scenario: access files app with browser session @@ -28,9 +36,7 @@ Feature: auth When requesting "/index.php/apps/files" with "GET" using browser session Then the HTTP status code should be "200" - # WebDAV - Scenario: using WebDAV anonymously When requesting "/remote.php/webdav" with "PROPFIND" Then the HTTP status code should be "401" @@ -39,23 +45,20 @@ Feature: auth When requesting "/remote.php/webdav" with "PROPFIND" using basic auth Then the HTTP status code should be "207" - Scenario: using WebDAV with token auth - When requesting "/remote.php/webdav" with "PROPFIND" using basic token auth + Scenario: using WebDAV with unrestricted basic token auth + When requesting "/remote.php/webdav" with "PROPFIND" using unrestricted basic token auth Then the HTTP status code should be "207" - # DAV token auth is not possible yet - #Scenario: using WebDAV with a client token - # When requesting "/remote.php/webdav" with "PROPFIND" using a client token - # Then the HTTP status code should be "207" + Scenario: using WebDAV with restricted basic token auth + When requesting "/remote.php/webdav" with "PROPFIND" using restricted basic token auth + Then the HTTP status code should be "207" Scenario: using WebDAV with browser session Given a new browser session is started When requesting "/remote.php/webdav" with "PROPFIND" using browser session Then the HTTP status code should be "207" - # OCS - Scenario: using OCS anonymously When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" Then the OCS status code should be "997" @@ -65,11 +68,11 @@ Feature: auth Then the OCS status code should be "100" Scenario: using OCS with token auth - When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using basic token auth + When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using unrestricted basic token auth Then the OCS status code should be "100" - Scenario: using OCS with client token - When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using a client token + Scenario: using OCS with an unrestricted client token + When requesting "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using an unrestricted client token Then the OCS status code should be "100" Scenario: using OCS with browser session @@ -84,3 +87,19 @@ Feature: auth And requesting "/index.php/apps/files" with "GET" using browser session Then the HTTP status code should be "200" + # AUTH TOKENS + Scenario: Creating an auth token with regular auth token should not work + When requesting "/index.php/apps/files" with "GET" using restricted basic token auth + Then the HTTP status code should be "200" + When the CSRF token is extracted from the previous response + When a new unrestricted client token is added using restricted basic token auth + Then the HTTP status code should be "503" + + Scenario: Creating a restricted auth token with regular login should work + When a new restricted client token is added + Then the HTTP status code should be "200" + + Scenario: Creating an unrestricted auth token with regular login should work + When a new unrestricted client token is added + Then the HTTP status code should be "200" + diff --git a/build/integration/features/bootstrap/Auth.php b/build/integration/features/bootstrap/Auth.php index 46bb94a2b20..fd1b2e05a80 100644 --- a/build/integration/features/bootstrap/Auth.php +++ b/build/integration/features/bootstrap/Auth.php @@ -1,7 +1,5 @@ * @@ -21,19 +19,28 @@ * along with this program. If not, see . * */ + use GuzzleHttp\Client; use GuzzleHttp\Exception\ClientException; +use GuzzleHttp\Cookie\CookieJar; require __DIR__ . '/../../vendor/autoload.php'; trait Auth { - - private $clientToken; + /** @var string */ + private $unrestrictedClientToken; + /** @var string */ + private $restrictedClientToken; + /** @var Client */ + private $client; + /** @var string */ + private $responseXml; /** @BeforeScenario */ public function setUpScenario() { $this->client = new Client(); $this->responseXml = ''; + $this->cookieJar = new CookieJar(); } /** @@ -65,15 +72,28 @@ trait Auth { } /** - * @Given a new client token is used + * @When the CSRF token is extracted from the previous response + */ + public function theCsrfTokenIsExtractedFromThePreviousResponse() { + $this->requestToken = substr(preg_replace('/(.*)data-requesttoken="(.*)">(.*)/sm', '\2', $this->response->getBody()->getContents()), 0, 89); + } + + /** + * @param bool $loginViaWeb + * @return object */ - public function aNewClientTokenIsUsed() { - $this->loggingInUsingWebAs('user0'); + private function createClientToken($loginViaWeb = true) { + if($loginViaWeb) { + $this->loggingInUsingWebAs('user0'); + } $fullUrl = substr($this->baseUrl, 0, -5) . '/index.php/settings/personal/authtokens'; $client = new Client(); $options = [ - 'auth' => ['user0', '123456'], + 'auth' => [ + 'user0', + $loginViaWeb ? '123456' : $this->restrictedClientToken, + ], 'body' => [ 'requesttoken' => $this->requestToken, 'name' => md5(microtime()), @@ -81,34 +101,107 @@ trait Auth { 'cookies' => $this->cookieJar, ]; - $resp = $client->send($client->createRequest('POST', $fullUrl, $options)); + try { + $this->response = $client->send($client->createRequest('POST', $fullUrl, $options)); + } catch (\GuzzleHttp\Exception\ServerException $e) { + $this->response = $e->getResponse(); + } + return json_decode($this->response->getBody()->getContents()); + } - $this->clientToken = json_decode($resp->getBody()->getContents())->token; + /** + * @Given a new restricted client token is added + */ + public function aNewRestrictedClientTokenIsAdded() { + $tokenObj = $this->createClientToken(); + $newCreatedTokenId = $tokenObj->deviceToken->id; + $fullUrl = substr($this->baseUrl, 0, -5) . '/index.php/settings/personal/authtokens/' . $newCreatedTokenId; + $client = new Client(); + $options = [ + 'auth' => ['user0', '123456'], + 'headers' => [ + 'requesttoken' => $this->requestToken, + ], + 'json' => [ + 'scope' => [ + 'filesystem' => false, + ], + ], + 'cookies' => $this->cookieJar, + ]; + $this->response = $client->send($client->createRequest('PUT', $fullUrl, $options)); + $this->restrictedClientToken = $tokenObj->token; + } + + /** + * @Given a new unrestricted client token is added + */ + public function aNewUnrestrictedClientTokenIsAdded() { + $this->unrestrictedClientToken = $this->createClientToken()->token; + } + + /** + * @When a new unrestricted client token is added using restricted basic token auth + */ + public function aNewUnrestrictedClientTokenIsAddedUsingRestrictedBasicTokenAuth() { + $this->createClientToken(false); } /** * @When requesting :url with :method using basic auth + * + * @param string $url + * @param string $method */ public function requestingWithBasicAuth($url, $method) { $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:123456')); } /** - * @When requesting :url with :method using basic token auth + * @When requesting :url with :method using unrestricted basic token auth + * + * @param string $url + * @param string $method + */ + public function requestingWithUnrestrictedBasicTokenAuth($url, $method) { + $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->unrestrictedClientToken), true); + } + + /** + * @When requesting :url with :method using restricted basic token auth + * + * @param string $url + * @param string $method + */ + public function requestingWithRestrictedBasicTokenAuth($url, $method) { + $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->restrictedClientToken), true); + } + + /** + * @When requesting :url with :method using an unrestricted client token + * + * @param string $url + * @param string $method */ - public function requestingWithBasicTokenAuth($url, $method) { - $this->sendRequest($url, $method, 'basic ' . base64_encode('user0:' . $this->clientToken)); + public function requestingWithUsingAnUnrestrictedClientToken($url, $method) { + $this->sendRequest($url, $method, 'token ' . $this->unrestrictedClientToken); } /** - * @When requesting :url with :method using a client token + * @When requesting :url with :method using a restricted client token + * + * @param string $url + * @param string $method */ - public function requestingWithUsingAClientToken($url, $method) { - $this->sendRequest($url, $method, 'token ' . $this->clientToken); + public function requestingWithUsingARestrictedClientToken($url, $method) { + $this->sendRequest($url, $method, 'token ' . $this->restrictedClientToken); } /** * @When requesting :url with :method using browser session + * + * @param string $url + * @param string $method */ public function requestingWithBrowserSession($url, $method) { $this->sendRequest($url, $method, null, true); @@ -116,6 +209,8 @@ trait Auth { /** * @Given a new browser session is started + * + * @param bool $remember */ public function aNewBrowserSessionIsStarted($remember = false) { $loginUrl = substr($this->baseUrl, 0, -5) . '/login'; @@ -149,6 +244,14 @@ trait Auth { $this->aNewBrowserSessionIsStarted(true); } + + /** + * @Given the cookie jar is reset + */ + public function theCookieJarIsReset() { + $this->cookieJar = new CookieJar(); + } + /** * @When the session cookie expires */ -- 2.39.5