author | Vincent Petry <pvince81@owncloud.com> | 2015-05-26 12:12:04 +0200 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2015-05-26 12:12:04 +0200 |
commit | 39c6a3648848c8098a9c38b818be2ec1169b703d (patch) | |
tree | 3891b49b38866f7dca71188911fe5cd3afbe15ae /tests/lib | |
parent | ab0747113c320552da45cd5c7f56210b3eccb263 (diff) | |
parent | c8e3599cad9c5174260fc1dbe340efac65f1d646 (diff) | |
Merge pull request #16532 from owncloud/cors-no-cookie-auth
Disallow cookie auth for CORS requests
Diffstat (limited to 'tests/lib')
-rw-r--r-- | tests/lib/appframework/middleware/security/CORSMiddlewareTest.php | 75 |
1 files changed, 71 insertions, 4 deletions
diff --git a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
index a4f3137cb11..92ea5450ab9 100644
--- a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
+++ b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
@@ -21,10 +21,12 @@ use OCP\AppFramework\Http\Response;
 class CORSMiddlewareTest extends \Test\TestCase {
 private $reflector;
+ private $session;
 protected function setUp() {
 parent::setUp();
 $this->reflector = new ControllerMethodReflector();
+ $this->session = $this->getMock('\OCP\IUserSession');
 }
 /**
@@ -41,7 +43,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
 $this->getMock('\OCP\IConfig')
 );
 $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware($request, $this->reflector);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
@@ -59,7 +61,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
 $this->getMock('\OCP\Security\ISecureRandom'),
 $this->getMock('\OCP\IConfig')
 );
- $middleware = new CORSMiddleware($request, $this->reflector);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
@@ -77,7 +79,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
 $this->getMock('\OCP\IConfig')
 );
 $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware($request, $this->reflector);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
@@ -100,11 +102,76 @@ class CORSMiddlewareTest extends \Test\TestCase {
 $this->getMock('\OCP\IConfig')
 );
 $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware($request, $this->reflector);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
 $response = new Response();
 $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
 $middleware->afterController($this, __FUNCTION__, $response);
 }
+ /**
+ * @CORS
+ * @PublicPage
+ */
+ public function testNoCORSShouldAllowCookieAuth() {
+ $request = new Request(
+ [],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+
+ $middleware->beforeController($this, __FUNCTION__, new Response());
+ }
+
+ /**
+ * @CORS
+ */
+ public function testCORSShouldRelogin() {
+ $request = new Request(
+ ['server' => [
+ 'PHP_AUTH_USER' => 'user',
+ 'PHP_AUTH_PW' => 'pass'
+ ]],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $this->session->expects($this->once())
+ ->method('logout');
+ $this->session->expects($this->once())
+ ->method('login')
+ ->with($this->equalTo('user'), $this->equalTo('pass'))
+ ->will($this->returnValue(true));
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+
+ $middleware->beforeController($this, __FUNCTION__, new Response());
+ }
+
+ /**
+ * @CORS
+ * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
+ */
+ public function testCORSShouldNotAllowCookieAuth() {
+ $request = new Request(
+ ['server' => [
+ 'PHP_AUTH_USER' => 'user',
+ 'PHP_AUTH_PW' => 'pass'
+ ]],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $this->session->expects($this->once())
+ ->method('logout');
$this->session->expects($this->once())
+ ->method('login')
+ ->with($this->equalTo('user'), $this->equalTo('pass'))
+ ->will($this->returnValue(false));
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+
+ $middleware->beforeController($this, __FUNCTION__, new Response());
+ }
+
 }
|
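Review bot: `testNoCORSShouldAllowCookieAuth` sets no expectations on the `$this->session` mock, so it only proves that `beforeController` does not throw; a regression that called `logout()` on a `@PublicPage` route would still pass because a bare mock accepts any call. Add `$this->session->expects($this->never())->method('logout');` and `$this->session->expects($this->never())->method('login');` before the `beforeController` call, and consider renaming the test, since it is annotated `@CORS` and exercises the `@PublicPage` exemption rather than a non-CORS route. Neither `testCORSShouldRelogin` nor `testCORSShouldNotAllowCookieAuth` sends the request the PR title is about — a `@CORS` route reached with only a session cookie and no `PHP_AUTH_USER`/`PHP_AUTH_PW` — both supply basic-auth credentials, and the latter really pins a failed login, not cookie-only access. A fourth test built with `new Request([], ...)` under `@CORS` alone and expecting `SecurityException` would cover that path directly, using the same `@expectedException` form the last test already relies on.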