mirrors
/
nextcloud
espejo de https://github.com/nextcloud/server.git
Seguir 1
Destacar 0
Fork 0
Código Incidencias 0 Lanzamientos 987 Wiki Actividad
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60903 Commits
403 Ramas
Árbol: 6312c0df69
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '6312c0df69'
${ noResults }
nextcloud/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php

SecurityMiddlewareTest.php 18KB
Original Normal View Histórico

initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
Fix namespaces in AppFramework tests
hace 8 años
initial import of appframework
hace 10 años
Fix namespace for OCP\Appframework\Http To avoid having to use OCP\Appframework\Http\Http in the public - and stable - API OCP\Appframework\Http is now both a class and a namespace.
hace 10 años
initial import of appframework
hace 10 años
Fix inconsistent nameing of AppFramework
hace 8 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix namespaces in AppFramework tests
hace 8 años
implement most of the basic stuff that was suggested in #8290
hace 10 años
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
kill superfluent classloader from tests - this approach might be of interest within the apps
hace 10 años
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 4 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Add tests
hace 7 años
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Add tests
hace 7 años
Fix unit tests Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 3 años
initial import of appframework
hace 10 años
Make remaining files extend the test base
hace 9 años
initial import of appframework
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
initial import of appframework
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
initial import of appframework
hace 10 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
initial import of appframework
hace 10 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
initial import of appframework
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
initial import of appframework
hace 10 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
implement most of the basic stuff that was suggested in #8290
hace 10 años
Fix unit tests Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 3 años
fix 8757, get rid of service locator antipattern
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
fix 8757, get rid of service locator antipattern
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
fix 8757, get rid of service locator antipattern
hace 10 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 3 años
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
initial import of appframework
hace 10 años
Make phpunit8 compatible Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 4 años
Make remaining files extend the test base
hace 9 años
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Add tests
hace 7 años
implement most of the basic stuff that was suggested in #8290
hace 10 años
Fix unit tests Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 3 años
Add tests
hace 7 años
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
initial import of appframework
hace 10 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
fix 8757, get rid of service locator antipattern
hace 10 años
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
hace 9 años
fix 8757, get rid of service locator antipattern
hace 10 años
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
hace 8 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
hace 9 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
Scrutinizer Auto-Fixes This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720 Enabled analysis tools: - PHP Analyzer - JSHint - PHP Copy/Paste Detector - PHP PDepend
hace 10 años
initial import of appframework
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
initial import of appframework
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 6 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
fix assertions
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
Scrutinizer Auto-Fixes This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720 Enabled analysis tools: - PHP Analyzer - JSHint - PHP Copy/Paste Detector - PHP PDepend
hace 10 años
Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 3 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
initial import of appframework
hace 10 años
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 6 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 6 años
initial import of appframework
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
fixing all appframework unit tests
hace 10 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
fixing all appframework unit tests
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
fixing all appframework unit tests
hace 10 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fixing all appframework unit tests
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
fixing all appframework unit tests
hace 10 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fixing all appframework unit tests
hace 10 años
fix 8757, get rid of service locator antipattern
hace 10 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
initial import of appframework
hace 10 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Dark hackery to not always disable CSRF for OCS controllers
hace 7 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
initial import of appframework
hace 10 años
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
fix 8757, get rid of service locator antipattern
hace 10 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
initial import of appframework
hace 10 años
Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 6 años
initial import of appframework
hace 10 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
initial import of appframework
hace 10 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 7 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Add tests
hace 7 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 7 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix warnings about logException Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 3 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 7 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 7 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Add tests
hace 7 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Update SecurityMiddleware.php OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /
hace 4 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366
hace 9 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
hace 6 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 7 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Add tests
hace 7 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
Fix warnings about logException Signed-off-by: Joas Schilling <coding@schilljs.com>
hace 3 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
fix 8757, get rid of service locator antipattern
hace 10 años
Do not use file as template parameter Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 5 años
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
hace 8 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
initial import of appframework
hace 10 años
Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 4 años
initial import of appframework
hace 10 años
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
hace 7 años
initial import of appframework
hace 10 años
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
hace 5 años
Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>
hace 2 años
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
hace 6 años
initial import of appframework
hace 10 años
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677 
  1. <?php

  2. /**

  3.  * @author Bernhard Posselt <dev@bernhard-posselt.com>

  4.  * @author Lukas Reschke <lukas@owncloud.com>

  5.  *

  6.  * @copyright Copyright (c) 2015, ownCloud, Inc.

  7.  * @license AGPL-3.0

  8.  *

  9.  * This code is free software: you can redistribute it and/or modify

  10.  * it under the terms of the GNU Affero General Public License, version 3,

  11.  * as published by the Free Software Foundation.

  12.  *

  13.  * This program is distributed in the hope that it will be useful,

  14.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  15.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  16.  * GNU Affero General Public License for more details.

  17.  *

  18.  * You should have received a copy of the GNU Affero General Public License, version 3,

  19.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  20.  *

  21.  */

  22. 

  23. namespace Test\AppFramework\Middleware\Security;

  24. 

  25. use OC\AppFramework\Http;

  26. use OC\AppFramework\Http\Request;

  27. use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;

  28. use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;

  29. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;

  30. use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;

  31. use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;

  32. use OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException;

  33. use OC\AppFramework\Middleware\Security\SecurityMiddleware;

  34. use OC\AppFramework\Utility\ControllerMethodReflector;

  35. use OC\Settings\AuthorizedGroupMapper;

  36. use OCP\App\IAppManager;

  37. use OCP\AppFramework\Controller;

  38. use OCP\AppFramework\Http\JSONResponse;

  39. use OCP\AppFramework\Http\RedirectResponse;

  40. use OCP\AppFramework\Http\TemplateResponse;

  41. use OCP\IConfig;

  42. use OCP\IL10N;

  43. use OCP\INavigationManager;

  44. use OCP\IRequest;

  45. use OCP\IURLGenerator;

  46. use OCP\IUserSession;

  47. use OCP\Security\ISecureRandom;

  48. use Psr\Log\LoggerInterface;

  49. 

  50. class SecurityMiddlewareTest extends \Test\TestCase {

  51. 

  52. 	/** @var SecurityMiddleware|\PHPUnit\Framework\MockObject\MockObject */

  53. 	private $middleware;

  54. 	/** @var Controller|\PHPUnit\Framework\MockObject\MockObject */

  55. 	private $controller;

  56. 	/** @var SecurityException */

  57. 	private $secException;

  58. 	/** @var SecurityException */

  59. 	private $secAjaxException;

  60. 	/** @var IRequest|\PHPUnit\Framework\MockObject\MockObject */

  61. 	private $request;

  62. 	/** @var ControllerMethodReflector */

  63. 	private $reader;

  64. 	/** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */

  65. 	private $logger;

  66. 	/** @var INavigationManager|\PHPUnit\Framework\MockObject\MockObject */

  67. 	private $navigationManager;

  68. 	/** @var IURLGenerator|\PHPUnit\Framework\MockObject\MockObject */

  69. 	private $urlGenerator;

  70. 	/** @var IAppManager|\PHPUnit\Framework\MockObject\MockObject */

  71. 	private $appManager;

  72. 	/** @var IL10N|\PHPUnit\Framework\MockObject\MockObject */

  73. 	private $l10n;

  74. 	/** @var IUserSession|\PHPUnit\Framework\MockObject\MockObject */

  75. 	private $userSession;

  76. 	/** @var AuthorizedGroupMapper|\PHPUnit\Framework\MockObject\MockObject */

  77. 	private $authorizedGroupMapper;

  78. 

  79. 	protected function setUp(): void {

  80. 		parent::setUp();

  81. 

  82. 		$this->authorizedGroupMapper = $this->createMock(AuthorizedGroupMapper::class);

  83. 		$this->userSession = $this->createMock(IUserSession::class);

  84. 		$this->controller = $this->createMock(Controller::class);

  85. 		$this->reader = new ControllerMethodReflector();

  86. 		$this->logger = $this->createMock(LoggerInterface::class);

  87. 		$this->navigationManager = $this->createMock(INavigationManager::class);

  88. 		$this->urlGenerator = $this->createMock(IURLGenerator::class);

  89. 		$this->request = $this->createMock(IRequest::class);

  90. 		$this->l10n = $this->createMock(IL10N::class);

  91. 		$this->middleware = $this->getMiddleware(true, true, false);

  92. 		$this->secException = new SecurityException('hey', false);

  93. 		$this->secAjaxException = new SecurityException('hey', true);

  94. 	}

  95. 

  96. 	private function getMiddleware(bool $isLoggedIn, bool $isAdminUser, bool $isSubAdmin, bool $isAppEnabledForUser = true): SecurityMiddleware {

  97. 		$this->appManager = $this->createMock(IAppManager::class);

  98. 		$this->appManager->expects($this->any())

  99. 			->method('isEnabledForUser')

  100. 			->willReturn($isAppEnabledForUser);

  101. 

  102. 		return new SecurityMiddleware(

  103. 			$this->request,

  104. 			$this->reader,

  105. 			$this->navigationManager,

  106. 			$this->urlGenerator,

  107. 			$this->logger,

  108. 			'files',

  109. 			$isLoggedIn,

  110. 			$isAdminUser,

  111. 			$isSubAdmin,

  112. 			$this->appManager,

  113. 			$this->l10n,

  114. 			$this->authorizedGroupMapper,

  115. 			$this->userSession

  116. 		);

  117. 	}

  118. 

  119. 

  120. 	/**

  121. 	 * @PublicPage

  122. 	 * @NoCSRFRequired

  123. 	 */

  124. 	public function testSetNavigationEntry() {

  125. 		$this->navigationManager->expects($this->once())

  126. 			->method('setActiveEntry')

  127. 			->with($this->equalTo('files'));

  128. 

  129. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  130. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  131. 	}

  132. 

  133. 

  134. 	/**

  135. 	 * @param string $method

  136. 	 * @param string $test

  137. 	 */

  138. 	private function ajaxExceptionStatus($method, $test, $status) {

  139. 		$isLoggedIn = false;

  140. 		$isAdminUser = false;

  141. 

  142. 		// isAdminUser requires isLoggedIn call to return true

  143. 		if ($test === 'isAdminUser') {

  144. 			$isLoggedIn = true;

  145. 		}

  146. 

  147. 		$sec = $this->getMiddleware($isLoggedIn, $isAdminUser, false);

  148. 

  149. 		try {

  150. 			$this->reader->reflect(__CLASS__, $method);

  151. 			$sec->beforeController($this->controller, $method);

  152. 		} catch (SecurityException $ex) {

  153. 			$this->assertEquals($status, $ex->getCode());

  154. 		}

  155. 

  156. 		// add assertion if everything should work fine otherwise phpunit will

  157. 		// complain

  158. 		if ($status === 0) {

  159. 			$this->addToAssertionCount(1);

  160. 		}

  161. 	}

  162. 

  163. 	public function testAjaxStatusLoggedInCheck() {

  164. 		$this->ajaxExceptionStatus(

  165. 			__FUNCTION__,

  166. 			'isLoggedIn',

  167. 			Http::STATUS_UNAUTHORIZED

  168. 		);

  169. 	}

  170. 

  171. 	/**

  172. 	 * @NoCSRFRequired

  173. 	 */

  174. 	public function testAjaxNotAdminCheck() {

  175. 		$this->ajaxExceptionStatus(

  176. 			__FUNCTION__,

  177. 			'isAdminUser',

  178. 			Http::STATUS_FORBIDDEN

  179. 		);

  180. 	}

  181. 

  182. 	/**

  183. 	 * @PublicPage

  184. 	 */

  185. 	public function testAjaxStatusCSRFCheck() {

  186. 		$this->ajaxExceptionStatus(

  187. 			__FUNCTION__,

  188. 			'passesCSRFCheck',

  189. 			Http::STATUS_PRECONDITION_FAILED

  190. 		);

  191. 	}

  192. 

  193. 	/**

  194. 	 * @PublicPage

  195. 	 * @NoCSRFRequired

  196. 	 */

  197. 	public function testAjaxStatusAllGood() {

  198. 		$this->ajaxExceptionStatus(

  199. 			__FUNCTION__,

  200. 			'isLoggedIn',

  201. 			0

  202. 		);

  203. 		$this->ajaxExceptionStatus(

  204. 			__FUNCTION__,

  205. 			'isAdminUser',

  206. 			0

  207. 		);

  208. 		$this->ajaxExceptionStatus(

  209. 			__FUNCTION__,

  210. 			'passesCSRFCheck',

  211. 			0

  212. 		);

  213. 	}

  214. 

  215. 

  216. 	/**

  217. 	 * @PublicPage

  218. 	 * @NoCSRFRequired

  219. 	 */

  220. 	public function testNoChecks() {

  221. 		$this->request->expects($this->never())

  222. 			->method('passesCSRFCheck')

  223. 			->willReturn(false);

  224. 

  225. 		$sec = $this->getMiddleware(false, false, false);

  226. 

  227. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  228. 		$sec->beforeController($this->controller, __FUNCTION__);

  229. 	}

  230. 

  231. 

  232. 	/**

  233. 	 * @param string $method

  234. 	 * @param string $expects

  235. 	 */

  236. 	private function securityCheck($method, $expects, $shouldFail = false) {

  237. 		// admin check requires login

  238. 		if ($expects === 'isAdminUser') {

  239. 			$isLoggedIn = true;

  240. 			$isAdminUser = !$shouldFail;

  241. 		} else {

  242. 			$isLoggedIn = !$shouldFail;

  243. 			$isAdminUser = false;

  244. 		}

  245. 

  246. 		$sec = $this->getMiddleware($isLoggedIn, $isAdminUser, false);

  247. 

  248. 		if ($shouldFail) {

  249. 			$this->expectException(SecurityException::class);

  250. 		} else {

  251. 			$this->addToAssertionCount(1);

  252. 		}

  253. 

  254. 		$this->reader->reflect(__CLASS__, $method);

  255. 		$sec->beforeController($this->controller, $method);

  256. 	}

  257. 

  258. 

  259. 	/**

  260. 	 * @PublicPage

  261. 	 */

  262. 	public function testCsrfCheck() {

  263. 		$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException::class);

  264. 

  265. 		$this->request->expects($this->once())

  266. 			->method('passesCSRFCheck')

  267. 			->willReturn(false);

  268. 		$this->request->expects($this->once())

  269. 			->method('passesStrictCookieCheck')

  270. 			->willReturn(true);

  271. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  272. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  273. 	}

  274. 

  275. 

  276. 	/**

  277. 	 * @PublicPage

  278. 	 * @NoCSRFRequired

  279. 	 */

  280. 	public function testNoCsrfCheck() {

  281. 		$this->request->expects($this->never())

  282. 			->method('passesCSRFCheck')

  283. 			->willReturn(false);

  284. 

  285. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  286. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  287. 	}

  288. 

  289. 	/**

  290. 	 * @PublicPage

  291. 	 */

  292. 	public function testPassesCsrfCheck() {

  293. 		$this->request->expects($this->once())

  294. 			->method('passesCSRFCheck')

  295. 			->willReturn(true);

  296. 		$this->request->expects($this->once())

  297. 			->method('passesStrictCookieCheck')

  298. 			->willReturn(true);

  299. 

  300. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  301. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  302. 	}

  303. 

  304. 	/**

  305. 	 * @PublicPage

  306. 	 */

  307. 	public function testFailCsrfCheck() {

  308. 		$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException::class);

  309. 

  310. 		$this->request->expects($this->once())

  311. 			->method('passesCSRFCheck')

  312. 			->willReturn(false);

  313. 		$this->request->expects($this->once())

  314. 			->method('passesStrictCookieCheck')

  315. 			->willReturn(true);

  316. 

  317. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  318. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  319. 	}

  320. 

  321. 	/**

  322. 	 * @PublicPage

  323. 	 * @StrictCookieRequired

  324. 	 */

  325. 	public function testStrictCookieRequiredCheck() {

  326. 		$this->expectException(\OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException::class);

  327. 

  328. 		$this->request->expects($this->never())

  329. 			->method('passesCSRFCheck');

  330. 		$this->request->expects($this->once())

  331. 			->method('passesStrictCookieCheck')

  332. 			->willReturn(false);

  333. 

  334. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  335. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  336. 	}

  337. 

  338. 

  339. 	/**

  340. 	 * @PublicPage

  341. 	 * @NoCSRFRequired

  342. 	 */

  343. 	public function testNoStrictCookieRequiredCheck() {

  344. 		$this->request->expects($this->never())

  345. 			->method('passesStrictCookieCheck')

  346. 			->willReturn(false);

  347. 

  348. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  349. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  350. 	}

  351. 

  352. 	/**

  353. 	 * @PublicPage

  354. 	 * @NoCSRFRequired

  355. 	 * @StrictCookieRequired

  356. 	 */

  357. 	public function testPassesStrictCookieRequiredCheck() {

  358. 		$this->request

  359. 			->expects($this->once())

  360. 			->method('passesStrictCookieCheck')

  361. 			->willReturn(true);

  362. 

  363. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  364. 		$this->middleware->beforeController($this->controller, __FUNCTION__);

  365. 	}

  366. 

  367. 	public function dataCsrfOcsController() {

  368. 		$controller = $this->getMockBuilder('OCP\AppFramework\Controller')

  369. 			->disableOriginalConstructor()

  370. 			->getMock();

  371. 		$ocsController = $this->getMockBuilder('OCP\AppFramework\OCSController')

  372. 			->disableOriginalConstructor()

  373. 			->getMock();

  374. 

  375. 		return [

  376. 			[$controller, false, false, true],

  377. 			[$controller, false,  true, true],

  378. 			[$controller,  true, false, true],

  379. 			[$controller,  true,  true, true],

  380. 

  381. 			[$ocsController, false, false,  true],

  382. 			[$ocsController, false,  true, false],

  383. 			[$ocsController,  true, false, false],

  384. 			[$ocsController,  true,  true, false],

  385. 		];

  386. 	}

  387. 

  388. 	/**

  389. 	 * @dataProvider dataCsrfOcsController

  390. 	 * @param Controller $controller

  391. 	 * @param bool $hasOcsApiHeader

  392. 	 * @param bool $hasBearerAuth

  393. 	 * @param bool $exception

  394. 	 */

  395. 	public function testCsrfOcsController(Controller $controller, bool $hasOcsApiHeader, bool $hasBearerAuth, bool $exception) {

  396. 		$this->request

  397. 			->method('getHeader')

  398. 			->willReturnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {

  399. 				if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {

  400. 					return 'true';

  401. 				}

  402. 				if ($header === 'Authorization' && $hasBearerAuth) {

  403. 					return 'Bearer TOKEN!';

  404. 				}

  405. 				return '';

  406. 			});

  407. 		$this->request->expects($this->once())

  408. 			->method('passesStrictCookieCheck')

  409. 			->willReturn(true);

  410. 

  411. 		try {

  412. 			$this->middleware->beforeController($controller, 'foo');

  413. 			$this->assertFalse($exception);

  414. 		} catch (CrossSiteRequestForgeryException $e) {

  415. 			$this->assertTrue($exception);

  416. 		}

  417. 	}

  418. 

  419. 	/**

  420. 	 * @NoCSRFRequired

  421. 	 * @NoAdminRequired

  422. 	 */

  423. 	public function testLoggedInCheck() {

  424. 		$this->securityCheck(__FUNCTION__, 'isLoggedIn');

  425. 	}

  426. 

  427. 

  428. 	/**

  429. 	 * @NoCSRFRequired

  430. 	 * @NoAdminRequired

  431. 	 */

  432. 	public function testFailLoggedInCheck() {

  433. 		$this->securityCheck(__FUNCTION__, 'isLoggedIn', true);

  434. 	}

  435. 

  436. 

  437. 	/**

  438. 	 * @NoCSRFRequired

  439. 	 */

  440. 	public function testIsAdminCheck() {

  441. 		$this->securityCheck(__FUNCTION__, 'isAdminUser');

  442. 	}

  443. 

  444. 	/**

  445. 	 * @NoCSRFRequired

  446. 	 * @SubAdminRequired

  447. 	 */

  448. 	public function testIsNotSubAdminCheck() {

  449. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  450. 		$sec = $this->getMiddleware(true, false, false);

  451. 

  452. 		$this->expectException(SecurityException::class);

  453. 		$sec->beforeController($this, __METHOD__);

  454. 	}

  455. 

  456. 	/**

  457. 	 * @NoCSRFRequired

  458. 	 * @SubAdminRequired

  459. 	 */

  460. 	public function testIsSubAdminCheck() {

  461. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  462. 		$sec = $this->getMiddleware(true, false, true);

  463. 

  464. 		$sec->beforeController($this, __METHOD__);

  465. 		$this->addToAssertionCount(1);

  466. 	}

  467. 

  468. 	/**

  469. 	 * @NoCSRFRequired

  470. 	 * @SubAdminRequired

  471. 	 */

  472. 	public function testIsSubAdminAndAdminCheck() {

  473. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  474. 		$sec = $this->getMiddleware(true, true, true);

  475. 

  476. 		$sec->beforeController($this, __METHOD__);

  477. 		$this->addToAssertionCount(1);

  478. 	}

  479. 

  480. 	/**

  481. 	 * @NoCSRFRequired

  482. 	 */

  483. 	public function testFailIsAdminCheck() {

  484. 		$this->securityCheck(__FUNCTION__, 'isAdminUser', true);

  485. 	}

  486. 

  487. 

  488. 	public function testAfterExceptionNotCaughtThrowsItAgain() {

  489. 		$ex = new \Exception();

  490. 		$this->expectException(\Exception::class);

  491. 		$this->middleware->afterException($this->controller, 'test', $ex);

  492. 	}

  493. 

  494. 	public function testAfterExceptionReturnsRedirectForNotLoggedInUser() {

  495. 		$this->request = new Request(

  496. 			[

  497. 				'server' =>

  498. 					[

  499. 						'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

  500. 						'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'

  501. 					]

  502. 			],

  503. 			$this->createMock(ISecureRandom::class),

  504. 			$this->createMock(IConfig::class)

  505. 		);

  506. 		$this->middleware = $this->getMiddleware(false, false, false);

  507. 		$this->urlGenerator

  508. 			->expects($this->once())

  509. 			->method('linkToRoute')

  510. 			->with(

  511. 				'core.login.showLoginForm',

  512. 				[

  513. 					'redirect_url' => 'nextcloud/index.php/apps/specialapp',

  514. 				]

  515. 			)

  516. 			->willReturn('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp');

  517. 		$this->logger

  518. 			->expects($this->once())

  519. 			->method('debug');

  520. 		$response = $this->middleware->afterException(

  521. 			$this->controller,

  522. 			'test',

  523. 			new NotLoggedInException()

  524. 		);

  525. 		$expected = new RedirectResponse('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp');

  526. 		$this->assertEquals($expected, $response);

  527. 	}

  528. 

  529. 	public function testAfterExceptionRedirectsToWebRootAfterStrictCookieFail() {

  530. 		$this->request = new Request(

  531. 			[

  532. 				'server' => [

  533. 					'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

  534. 					'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp',

  535. 				],

  536. 			],

  537. 			$this->createMock(ISecureRandom::class),

  538. 			$this->createMock(IConfig::class)

  539. 		);

  540. 

  541. 		$this->middleware = $this->getMiddleware(false, false, false);

  542. 		$response = $this->middleware->afterException(

  543. 			$this->controller,

  544. 			'test',

  545. 			new StrictCookieMissingException()

  546. 		);

  547. 

  548. 		$expected = new RedirectResponse(\OC::$WEBROOT . '/');

  549. 		$this->assertEquals($expected, $response);

  550. 	}

  551. 

  552. 

  553. 	/**

  554. 	 * @return array

  555. 	 */

  556. 	public function exceptionProvider() {

  557. 		return [

  558. 			[

  559. 				new AppNotEnabledException(),

  560. 			],

  561. 			[

  562. 				new CrossSiteRequestForgeryException(),

  563. 			],

  564. 			[

  565. 				new NotAdminException(''),

  566. 			],

  567. 		];

  568. 	}

  569. 

  570. 	/**

  571. 	 * @dataProvider exceptionProvider

  572. 	 * @param SecurityException $exception

  573. 	 */

  574. 	public function testAfterExceptionReturnsTemplateResponse(SecurityException $exception) {

  575. 		$this->request = new Request(

  576. 			[

  577. 				'server' =>

  578. 					[

  579. 						'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

  580. 						'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'

  581. 					]

  582. 			],

  583. 			$this->createMock(ISecureRandom::class),

  584. 			$this->createMock(IConfig::class)

  585. 		);

  586. 		$this->middleware = $this->getMiddleware(false, false, false);

  587. 		$this->logger

  588. 			->expects($this->once())

  589. 			->method('debug');

  590. 		$response = $this->middleware->afterException(

  591. 			$this->controller,

  592. 			'test',

  593. 			$exception

  594. 		);

  595. 		$expected = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');

  596. 		$expected->setStatus($exception->getCode());

  597. 		$this->assertEquals($expected, $response);

  598. 	}

  599. 

  600. 	public function testAfterAjaxExceptionReturnsJSONError() {

  601. 		$response = $this->middleware->afterException($this->controller, 'test',

  602. 			$this->secAjaxException);

  603. 

  604. 		$this->assertTrue($response instanceof JSONResponse);

  605. 	}

  606. 

  607. 	public function dataRestrictedApp() {

  608. 		return [

  609. 			[false, false, false,],

  610. 			[false, false,  true,],

  611. 			[false,  true, false,],

  612. 			[false,  true,  true,],

  613. 			[ true, false, false,],

  614. 			[ true, false,  true,],

  615. 			[ true,  true, false,],

  616. 			[ true,  true,  true,],

  617. 		];

  618. 	}

  619. 

  620. 	/**

  621. 	 * @PublicPage

  622. 	 * @NoAdminRequired

  623. 	 * @NoCSRFRequired

  624. 	 */

  625. 	public function testRestrictedAppLoggedInPublicPage() {

  626. 		$middleware = $this->getMiddleware(true, false, false);

  627. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  628. 

  629. 		$this->appManager->method('getAppPath')

  630. 			->with('files')

  631. 			->willReturn('foo');

  632. 

  633. 		$this->appManager->method('isEnabledForUser')

  634. 			->with('files')

  635. 			->willReturn(false);

  636. 

  637. 		$middleware->beforeController($this->controller, __FUNCTION__);

  638. 		$this->addToAssertionCount(1);

  639. 	}

  640. 

  641. 	/**

  642. 	 * @PublicPage

  643. 	 * @NoAdminRequired

  644. 	 * @NoCSRFRequired

  645. 	 */

  646. 	public function testRestrictedAppNotLoggedInPublicPage() {

  647. 		$middleware = $this->getMiddleware(false, false, false);

  648. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  649. 

  650. 		$this->appManager->method('getAppPath')

  651. 			->with('files')

  652. 			->willReturn('foo');

  653. 

  654. 		$this->appManager->method('isEnabledForUser')

  655. 			->with('files')

  656. 			->willReturn(false);

  657. 

  658. 		$middleware->beforeController($this->controller, __FUNCTION__);

  659. 		$this->addToAssertionCount(1);

  660. 	}

  661. 

  662. 	/**

  663. 	 * @NoAdminRequired

  664. 	 * @NoCSRFRequired

  665. 	 */

  666. 	public function testRestrictedAppLoggedIn() {

  667. 		$middleware = $this->getMiddleware(true, false, false, false);

  668. 		$this->reader->reflect(__CLASS__, __FUNCTION__);

  669. 

  670. 		$this->appManager->method('getAppPath')

  671. 			->with('files')

  672. 			->willReturn('foo');

  673. 

  674. 		$this->expectException(AppNotEnabledException::class);

  675. 		$middleware->beforeController($this->controller, __FUNCTION__);

  676. 	}

  677. }