scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenValidatorTest.java

/*
 * MIT License
 *
 * Copyright (c) 2020-present Cloudogu GmbH and Contributors
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
    
package sonia.scm.security;


import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.CsvSource;
import org.junit.jupiter.params.provider.EnumSource;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import java.util.Optional;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.when;

/**
 * Tests {@link XsrfAccessTokenValidator}.
 *
 * @author Sebastian Sdorra
 */
@ExtendWith(MockitoExtension.class)
class XsrfAccessTokenValidatorTest {

  @Mock
  private HttpServletRequest request;

  @Mock
  private AccessToken accessToken;

  private XsrfAccessTokenValidator validator;

  /**
   * Prepare object under test.
   */
  @BeforeEach
  void prepareObjectUnderTest() {
    validator = new XsrfAccessTokenValidator(() -> request);
  }

  @Nested
  class RequestMethodPost {

    @BeforeEach
    void setRequestMethod() {
      lenient().when(request.getMethod()).thenReturn("POST");
    }

    /**
     * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)}.
     */
    @Test
    void testValidate() {
      // prepare
      when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
      when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("abc");

      // execute and assert
      assertTrue(validator.validate(accessToken));
    }

    /**
     * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} with wrong header.
     */
    @Test
    void testValidateWithWrongHeader() {
      // prepare
      when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
      when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("123");

      // execute and assert
      assertFalse(validator.validate(accessToken));
    }

    /**
     * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without header.
     */
    @Test
    void testValidateWithoutHeader() {
      // prepare
      when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));

      // execute and assert
      assertFalse(validator.validate(accessToken));
    }

    /**
     * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without claims key.
     */
    @Test
    void testValidateWithoutClaimsKey() {
      // prepare
      when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.empty());

      // execute and assert
      assertTrue(validator.validate(accessToken));
    }

  }

  @ParameterizedTest
  @CsvSource({"GET", "HEAD", "OPTIONS"})
  void shouldNotValidateReadRequests(String method) {
    // prepare
    when(request.getMethod()).thenReturn(method);
    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));

    // execute and assert
    assertTrue(validator.validate(accessToken));
  }

  @ParameterizedTest
  @CsvSource({"POST", "PUT", "DELETE", "PATCH"})
  void shouldFailValidationOfWriteRequests(String method) {
    // prepare
    when(request.getMethod()).thenReturn(method);
    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));

    // execute and assert
    assertFalse(validator.validate(accessToken));
  }
}
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`/*`
			`* MIT License`
			`*`
			`* Copyright (c) 2020-present Cloudogu GmbH and Contributors`
			`*`
			`* Permission is hereby granted, free of charge, to any person obtaining a copy`
			`* of this software and associated documentation files (the "Software"), to deal`
			`* in the Software without restriction, including without limitation the rights`
			`* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell`
			`* copies of the Software, and to permit persons to whom the Software is`
			`* furnished to do so, subject to the following conditions:`
			`*`
			`* The above copyright notice and this permission notice shall be included in all`
			`* copies or substantial portions of the Software.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR`
			`* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,`
			`* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE`
			`* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER`
			`* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,`
			`* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
			`* SOFTWARE.`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`*/`
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`package sonia.scm.security;`

enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
			`import org.junit.jupiter.api.BeforeEach;`
			`import org.junit.jupiter.api.Nested;`
			`import org.junit.jupiter.api.Test;`
			`import org.junit.jupiter.api.extension.ExtendWith;`
			`import org.junit.jupiter.params.ParameterizedTest;`
			`import org.junit.jupiter.params.provider.CsvSource;`
			`import org.junit.jupiter.params.provider.EnumSource;`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`import org.mockito.Mock;`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`import org.mockito.junit.jupiter.MockitoExtension;`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`import javax.servlet.http.HttpServletRequest;`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`import javax.ws.rs.GET;`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`import java.util.Optional;`

			`import static org.junit.Assert.assertFalse;`
			`import static org.junit.Assert.assertTrue;`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`import static org.mockito.Mockito.lenient;`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`import static org.mockito.Mockito.when;`

added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`/**`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`* Tests {@link XsrfAccessTokenValidator}.`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`*`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`* @author Sebastian Sdorra`
			`*/`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`@ExtendWith(MockitoExtension.class)`
			`class XsrfAccessTokenValidatorTest {`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00
			`@Mock`
			`private HttpServletRequest request;`

replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`@Mock`
			`private AccessToken accessToken;`

			`private XsrfAccessTokenValidator validator;`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`/**`
			`* Prepare object under test.`
			`*/`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`@BeforeEach`
			`void prepareObjectUnderTest() {`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`validator = new XsrfAccessTokenValidator(() -> request);`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`}`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
			`@Nested`
			`class RequestMethodPost {`

			`@BeforeEach`
			`void setRequestMethod() {`
			`lenient().when(request.getMethod()).thenReturn("POST");`
			`}`

			`/**`
			`* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)}.`
			`*/`
			`@Test`
			`void testValidate() {`
			`// prepare`
			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));`
			`when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("abc");`

			`// execute and assert`
			`assertTrue(validator.validate(accessToken));`
			`}`

			`/**`
			`* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} with wrong header.`
			`*/`
			`@Test`
			`void testValidateWithWrongHeader() {`
			`// prepare`
			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));`
			`when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("123");`

			`// execute and assert`
			`assertFalse(validator.validate(accessToken));`
			`}`

			`/**`
			`* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without header.`
			`*/`
			`@Test`
			`void testValidateWithoutHeader() {`
			`// prepare`
			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));`

			`// execute and assert`
			`assertFalse(validator.validate(accessToken));`
			`}`

			`/**`
			`* Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without claims key.`
			`*/`
			`@Test`
			`void testValidateWithoutClaimsKey() {`
			`// prepare`
			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.empty());`

			`// execute and assert`
			`assertTrue(validator.validate(accessToken));`
			`}`

added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`}`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
			`@ParameterizedTest`
			`@CsvSource({"GET", "HEAD", "OPTIONS"})`
			`void shouldNotValidateReadRequests(String method) {`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`// prepare`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`when(request.getMethod()).thenReturn(method);`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`// execute and assert`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`assertTrue(validator.validate(accessToken));`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`}`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
			`@ParameterizedTest`
			`@CsvSource({"POST", "PUT", "DELETE", "PATCH"})`
			`void shouldFailValidationOfWriteRequests(String method) {`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`// prepare`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00			`when(request.getMethod()).thenReturn(method);`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));`
enable xrfs protection only on write request This change is required in order to fix the image viewer and download of editor plugin 2020-01-14 13:28:17 +01:00
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`// execute and assert`
replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve 2018-12-21 08:35:18 +01:00			`assertFalse(validator.validate(accessToken));`
added missing unit tests for xsrf related classes 2017-01-13 06:59:44 +01:00			`}`
Update to Mockito v2 2018-08-08 09:20:08 +02:00			`}`