123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248 |
- /*
- * Copyright 2000-2014 Vaadin Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
- package com.vaadin.tests.server;
-
- import java.util.UUID;
- import java.util.logging.Level;
- import java.util.logging.Logger;
-
- import javax.servlet.http.HttpServletRequest;
-
- import org.easymock.EasyMock;
- import org.junit.Assert;
- import org.junit.Before;
- import org.junit.Test;
-
- import com.vaadin.server.ServiceException;
- import com.vaadin.server.VaadinService;
- import com.vaadin.server.VaadinServlet;
- import com.vaadin.server.VaadinServletRequest;
- import com.vaadin.server.VaadinServletService;
- import com.vaadin.server.VaadinSession;
- import com.vaadin.server.communication.ServerRpcHandler.RpcRequest;
- import com.vaadin.shared.ApplicationConstants;
- import com.vaadin.tests.util.AlwaysLockedVaadinSession;
- import com.vaadin.tests.util.MockDeploymentConfiguration;
- import elemental.json.JsonException;
-
- /**
- * Test the actual csrf token validation by the server.
- *
- * @since
- * @author Vaadin Ltd
- */
- public class CsrfTokenMissingTestServer {
-
- // Dummy fields just to run the test.
- private VaadinServlet mockServlet;
-
- // The mock deployment configuration.
- private MockDeploymentConfiguration mockDeploymentConfiguration;
-
- private VaadinServletService mockService;
-
- // The mock UI session.
- private VaadinSession mockSession;
-
- // The mock vaadin request.
- private VaadinServletRequest vaadinRequest;
-
- /**
- * Initialize the mock servlet and other stuff for our tests.
- */
- @Before
- public void initMockStuff() throws ServiceException {
- mockServlet = new VaadinServlet();
- mockDeploymentConfiguration = new MockDeploymentConfiguration();
-
- mockService = new VaadinServletService(mockServlet,
- mockDeploymentConfiguration);
-
- mockSession = new AlwaysLockedVaadinSession(mockService);
-
- vaadinRequest = new VaadinServletRequest(
- EasyMock.createMock(HttpServletRequest.class), mockService);
-
- }
-
- private enum TokenType {
- MISSING, INVALID, VALID
- }
-
- private TokenType tokenType;
-
- private String invalidToken;
-
- public String getInvalidToken() {
- if (invalidToken == null) {
- // Just making sure this will never be in the same format as a valid
- // token.
- invalidToken = UUID.randomUUID().toString().substring(1);
- }
- return invalidToken;
- }
-
- private String getValidToken() {
- return mockSession.getCsrfToken();
- }
-
- /*
- * Gets the payload with the default token.
- */
- private String getPayload() {
- switch (tokenType) {
- case MISSING:
- return getPayload(null);
-
- case INVALID:
- return getPayload(getInvalidToken());
-
- case VALID:
- return getPayload(getValidToken());
- }
-
- return null;
- }
-
- /*
- * Gets the payload with the specified token.
- */
- private String getPayload(String token) {
- return "{"
- + (token != null ? "\"csrfToken\":" + "\"" + token + "\", "
- : "")
- + "\"rpc\":[[\"0\",\"com.vaadin.shared.ui.ui.UIServerRpc\",\"resize\",[\"449\",\"1155\",\"1155\",\"449\"]],[\"4\",\"com.vaadin.shared.ui.button.ButtonServerRpc\",\"click\",[{\"clientY\":\"53\", \"clientX\":\"79\", \"shiftKey\":false, \"button\":\"LEFT\", \"ctrlKey\":false, \"type\":\"1\", \"metaKey\":false, \"altKey\":false, \"relativeY\":\"17\", \"relativeX\":\"61\"}]]], \"syncId\":1}";
- }
-
- /*
- * Init the test parameters.
- */
- private void initTest(boolean enableSecurity, TokenType tokenType) {
- mockDeploymentConfiguration.setXsrfProtectionEnabled(enableSecurity);
- this.tokenType = tokenType;
- }
-
- /*
- * Create the requets.
- */
- private RpcRequest createRequest() {
- try {
- return new RpcRequest(getPayload(), vaadinRequest);
- } catch (JsonException e) {
- LOGGER.log(Level.SEVERE, "", e);
-
- Assert.assertTrue(false);
- return null;
- }
- }
-
- /*
- * Gets whether the token from the request is the default one.
- */
- private boolean isDefaultToken(RpcRequest rpcRequest) {
- return ApplicationConstants.CSRF_TOKEN_DEFAULT_VALUE.equals(rpcRequest
- .getCsrfToken());
- }
-
- /*
- * Gets whether the token from the request is the invalid one.
- */
- private boolean isInvalidToken(RpcRequest rpcRequest) {
- return getInvalidToken().equals(rpcRequest.getCsrfToken());
- }
-
- /*
- * Gets whether the token from the request is the valid one.
- */
- private boolean isValidToken(RpcRequest rpcRequest) {
- return getValidToken().equals(rpcRequest.getCsrfToken());
- }
-
- /*
- * Gets whether the token from the request is valid.
- */
- private boolean isRequestValid(RpcRequest rpcRequest) {
- return VaadinService.isCsrfTokenValid(mockSession,
- rpcRequest.getCsrfToken());
- }
-
- private static Logger LOGGER = Logger
- .getLogger(CsrfTokenMissingTestServer.class.getName());
- static {
- LOGGER.setLevel(Level.ALL);
- }
-
- @Test
- public void securityOnAndNoToken() {
- initTest(true, TokenType.MISSING);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isDefaultToken(rpcRequest));
- Assert.assertFalse(isRequestValid(rpcRequest));
- }
-
- @Test
- public void securityOffAndNoToken() {
- initTest(false, TokenType.MISSING);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isDefaultToken(rpcRequest));
- Assert.assertTrue(isRequestValid(rpcRequest));
- }
-
- @Test
- public void securityOnAndInvalidToken() {
- initTest(true, TokenType.INVALID);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isInvalidToken(rpcRequest));
- Assert.assertFalse(isRequestValid(rpcRequest));
- }
-
- @Test
- public void securityOffAndInvalidToken() {
- initTest(false, TokenType.INVALID);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isInvalidToken(rpcRequest));
- Assert.assertTrue(isRequestValid(rpcRequest));
- }
-
- @Test
- public void securityOnAndValidToken() {
- initTest(true, TokenType.VALID);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isValidToken(rpcRequest));
- Assert.assertTrue(isRequestValid(rpcRequest));
- }
-
- @Test
- public void securityOffAndValidToken() {
- initTest(false, TokenType.VALID);
-
- RpcRequest rpcRequest = createRequest();
-
- Assert.assertTrue(isValidToken(rpcRequest));
- Assert.assertTrue(isRequestValid(rpcRequest));
- }
-
- }
|