Diffstat (limited to 'tests/lib/Security/CSRF')
-rw-r--r--tests/lib/Security/CSRF/CsrfTokenManagerTest.php12
-rw-r--r--tests/lib/Security/CSRF/CsrfValidatorTest.php96
2 files changed, 102 insertions, 6 deletions
diff --git a/tests/lib/Security/CSRF/CsrfTokenManagerTest.php b/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
index c4fd480654d..8c19bc6e82d 100644
--- a/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
+++ b/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
@@ -131,14 +131,14 @@ class CsrfTokenManagerTest extends \Test\TestCase {
$xorB64 = 'BQcF';
$tokenVal = sprintf('%s:%s', $xorB64, base64_encode($a));
$this->storageInterface
- ->expects($this->once())
- ->method('hasToken')
- ->willReturn(true);
+ ->expects($this->once())
+ ->method('hasToken')
+ ->willReturn(true);
$token = new \OC\Security\CSRF\CsrfToken($tokenVal);
$this->storageInterface
- ->expects($this->once())
- ->method('getToken')
- ->willReturn($b);
+ ->expects($this->once())
+ ->method('getToken')
+ ->willReturn($b);
$this->assertSame(true, $this->csrfTokenManager->isTokenValid($token));
}
diff --git a/tests/lib/Security/CSRF/CsrfValidatorTest.php b/tests/lib/Security/CSRF/CsrfValidatorTest.php
new file mode 100644
index 00000000000..30aac3c7039
--- /dev/null
+++ b/tests/lib/Security/CSRF/CsrfValidatorTest.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace Test\Security\CSRF;
+
+use OC\Security\CSRF\CsrfTokenManager;
+use OC\Security\CSRF\CsrfValidator;
+use OCP\IRequest;
+use Test\TestCase;
+
+class CsrfValidatorTest extends TestCase {
+ private CsrfTokenManager $csrfTokenManager;
+ private CsrfValidator $csrfValidator;
+
+ protected function setUp(): void {
+ parent::setUp();
+
+ $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
+ $this->csrfValidator = new CsrfValidator($this->csrfTokenManager);
+ }
+
+ public function testFailStrictCookieCheck(): void {
+ $request = $this->createMock(IRequest::class);
+ $request->method('passesStrictCookieCheck')
+ ->willReturn(false);
+
+ $this->assertFalse($this->csrfValidator->validate($request));
+ }
+
+ public function testFailMissingToken(): void {
+ $request = $this->createMock(IRequest::class);
+ $request->method('passesStrictCookieCheck')
+ ->willReturn(true);
+ $request->method('getParam')
+ ->with('requesttoken', '')
+ ->willReturn('');
+ $request->method('getHeader')
+ ->with('REQUESTTOKEN')
+ ->willReturn('');
+
+ $this->assertFalse($this->csrfValidator->validate($request));
+ }
+
+ public function testFailInvalidToken(): void {
+ $request = $this->createMock(IRequest::class);
+ $request->method('passesStrictCookieCheck')
+ ->willReturn(true);
+ $request->method('getParam')
+ ->with('requesttoken', '')
+ ->willReturn('token123');
+ $request->method('getHeader')
+ ->with('REQUESTTOKEN')
+ ->willReturn('');
+
+ $this->csrfTokenManager
+ ->method('isTokenValid')
+ ->willReturn(false);
+
+ $this->assertFalse($this->csrfValidator->validate($request));
+ }
+
+ public function testPass(): void {
+ $request = $this->createMock(IRequest::class);
+ $request->method('passesStrictCookieCheck')
+ ->willReturn(true);
+ $request->method('getParam')
+ ->with('requesttoken', '')
+ ->willReturn('token123');
+ $request->method('getHeader')
+ ->with('REQUESTTOKEN')
+ ->willReturn('');
+
+ $this->csrfTokenManager
+ ->method('isTokenValid')
+ ->willReturn(true);
+
+ $this->assertTrue($this->csrfValidator->validate($request));
+ }
+
+ public function testPassWithOCSAPIRequestHeader(): void {
+ $request = $this->createMock(IRequest::class);
+ $request->method('passesStrictCookieCheck')
+ ->willReturn(true);
+ $request->method('getHeader')
+ ->with('OCS-APIRequest', '')
+ ->willReturn('yes');
+
+ $this->assertTrue($this->csrfValidator->validate($request));
+ }
+}
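Review bot: testPassWithOCSAPIRequestHeader asserts that validate() returns true when the `OCS-APIRequest` header is `yes`, but it never pins that the token manager is bypassed, so a regression that makes the header path still consult (or skip) token validation would go unnoticed; add `$this->csrfTokenManager->expects($this->never())->method('isTokenValid');` before the assertion so the CSRF bypass is explicit in the test. The same applies in reverse to testPass, where `->expects($this->once())` on `isTokenValid` (as the first hunk's CsrfTokenManagerTest already does) would show that the token is actually checked rather than merely stubbed. It also looks like the `getHeader` stubs differ between tests (`->with('REQUESTTOKEN')` versus `->with('OCS-APIRequest', '')`); if the validator calls getHeader for both headers in one request, those `with` constraints would conflict, which I cannot confirm from the test file alone — a short comment on testPassWithOCSAPIRequestHeader stating which header value counts as an OCS request would help the next reader.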