CORSMiddlewareTest.php 8.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273
  1. <?php
  2. /**
  3. * ownCloud - App Framework
  4. *
  5. * This file is licensed under the Affero General Public License version 3 or
  6. * later. See the COPYING file.
  7. *
  8. * @author Bernhard Posselt <dev@bernhard-posselt.com>
  9. * @copyright Bernhard Posselt 2014
  10. */
  11. namespace Test\AppFramework\Middleware\Security;
  12. use OC\AppFramework\Http\Request;
  13. use OC\AppFramework\Middleware\Security\CORSMiddleware;
  14. use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
  15. use OC\AppFramework\Utility\ControllerMethodReflector;
  16. use OC\Security\Bruteforce\Throttler;
  17. use OC\User\Session;
  18. use OCP\AppFramework\Controller;
  19. use OCP\AppFramework\Http\JSONResponse;
  20. use OCP\AppFramework\Http\Response;
  21. use OCP\IConfig;
  22. use OCP\Security\ISecureRandom;
  23. class CORSMiddlewareTest extends \Test\TestCase {
  24. /** @var ControllerMethodReflector */
  25. private $reflector;
  26. /** @var Session|\PHPUnit\Framework\MockObject\MockObject */
  27. private $session;
  28. /** @var Throttler */
  29. private $throttler;
  30. /** @var Controller */
  31. private $controller;
  32. protected function setUp(): void {
  33. parent::setUp();
  34. $this->reflector = new ControllerMethodReflector();
  35. $this->session = $this->createMock(Session::class);
  36. $this->throttler = $this->createMock(Throttler::class);
  37. $this->controller = $this->createMock(Controller::class);
  38. }
  39. /**
  40. * @CORS
  41. */
  42. public function testSetCORSAPIHeader() {
  43. $request = new Request(
  44. [
  45. 'server' => [
  46. 'HTTP_ORIGIN' => 'test'
  47. ]
  48. ],
  49. $this->createMock(ISecureRandom::class),
  50. $this->createMock(IConfig::class)
  51. );
  52. $this->reflector->reflect($this, __FUNCTION__);
  53. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  54. $response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
  55. $headers = $response->getHeaders();
  56. $this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
  57. }
  58. public function testNoAnnotationNoCORSHEADER() {
  59. $request = new Request(
  60. [
  61. 'server' => [
  62. 'HTTP_ORIGIN' => 'test'
  63. ]
  64. ],
  65. $this->createMock(ISecureRandom::class),
  66. $this->createMock(IConfig::class)
  67. );
  68. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  69. $response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
  70. $headers = $response->getHeaders();
  71. $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
  72. }
  73. /**
  74. * @CORS
  75. */
  76. public function testNoOriginHeaderNoCORSHEADER() {
  77. $request = new Request(
  78. [],
  79. $this->createMock(ISecureRandom::class),
  80. $this->createMock(IConfig::class)
  81. );
  82. $this->reflector->reflect($this, __FUNCTION__);
  83. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  84. $response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
  85. $headers = $response->getHeaders();
  86. $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
  87. }
  88. /**
  89. * @CORS
  90. */
  91. public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
  92. $this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
  93. $request = new Request(
  94. [
  95. 'server' => [
  96. 'HTTP_ORIGIN' => 'test'
  97. ]
  98. ],
  99. $this->createMock(ISecureRandom::class),
  100. $this->createMock(IConfig::class)
  101. );
  102. $this->reflector->reflect($this, __FUNCTION__);
  103. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  104. $response = new Response();
  105. $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
  106. $middleware->afterController($this->controller, __FUNCTION__, $response);
  107. }
  108. /**
  109. * @CORS
  110. * @PublicPage
  111. */
  112. public function testNoCORSShouldAllowCookieAuth() {
  113. $request = new Request(
  114. [],
  115. $this->createMock(ISecureRandom::class),
  116. $this->createMock(IConfig::class)
  117. );
  118. $this->reflector->reflect($this, __FUNCTION__);
  119. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  120. $this->session->expects($this->never())
  121. ->method('logout');
  122. $this->session->expects($this->never())
  123. ->method('logClientIn')
  124. ->with($this->equalTo('user'), $this->equalTo('pass'))
  125. ->willReturn(true);
  126. $this->reflector->reflect($this, __FUNCTION__);
  127. $middleware->beforeController($this->controller, __FUNCTION__);
  128. }
  129. /**
  130. * @CORS
  131. */
  132. public function testCORSShouldRelogin() {
  133. $request = new Request(
  134. ['server' => [
  135. 'PHP_AUTH_USER' => 'user',
  136. 'PHP_AUTH_PW' => 'pass'
  137. ]],
  138. $this->createMock(ISecureRandom::class),
  139. $this->createMock(IConfig::class)
  140. );
  141. $this->session->expects($this->once())
  142. ->method('logout');
  143. $this->session->expects($this->once())
  144. ->method('logClientIn')
  145. ->with($this->equalTo('user'), $this->equalTo('pass'))
  146. ->willReturn(true);
  147. $this->reflector->reflect($this, __FUNCTION__);
  148. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  149. $middleware->beforeController($this->controller, __FUNCTION__);
  150. }
  151. /**
  152. * @CORS
  153. */
  154. public function testCORSShouldFailIfPasswordLoginIsForbidden() {
  155. $this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
  156. $request = new Request(
  157. ['server' => [
  158. 'PHP_AUTH_USER' => 'user',
  159. 'PHP_AUTH_PW' => 'pass'
  160. ]],
  161. $this->createMock(ISecureRandom::class),
  162. $this->createMock(IConfig::class)
  163. );
  164. $this->session->expects($this->once())
  165. ->method('logout');
  166. $this->session->expects($this->once())
  167. ->method('logClientIn')
  168. ->with($this->equalTo('user'), $this->equalTo('pass'))
  169. ->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
  170. $this->reflector->reflect($this, __FUNCTION__);
  171. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  172. $middleware->beforeController($this->controller, __FUNCTION__);
  173. }
  174. /**
  175. * @CORS
  176. */
  177. public function testCORSShouldNotAllowCookieAuth() {
  178. $this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\SecurityException::class);
  179. $request = new Request(
  180. ['server' => [
  181. 'PHP_AUTH_USER' => 'user',
  182. 'PHP_AUTH_PW' => 'pass'
  183. ]],
  184. $this->createMock(ISecureRandom::class),
  185. $this->createMock(IConfig::class)
  186. );
  187. $this->session->expects($this->once())
  188. ->method('logout');
  189. $this->session->expects($this->once())
  190. ->method('logClientIn')
  191. ->with($this->equalTo('user'), $this->equalTo('pass'))
  192. ->willReturn(false);
  193. $this->reflector->reflect($this, __FUNCTION__);
  194. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  195. $middleware->beforeController($this->controller, __FUNCTION__);
  196. }
  197. public function testAfterExceptionWithSecurityExceptionNoStatus() {
  198. $request = new Request(
  199. ['server' => [
  200. 'PHP_AUTH_USER' => 'user',
  201. 'PHP_AUTH_PW' => 'pass'
  202. ]],
  203. $this->createMock(ISecureRandom::class),
  204. $this->createMock(IConfig::class)
  205. );
  206. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  207. $response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception'));
  208. $expected = new JSONResponse(['message' => 'A security exception'], 500);
  209. $this->assertEquals($expected, $response);
  210. }
  211. public function testAfterExceptionWithSecurityExceptionWithStatus() {
  212. $request = new Request(
  213. ['server' => [
  214. 'PHP_AUTH_USER' => 'user',
  215. 'PHP_AUTH_PW' => 'pass'
  216. ]],
  217. $this->createMock(ISecureRandom::class),
  218. $this->createMock(IConfig::class)
  219. );
  220. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  221. $response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception', 501));
  222. $expected = new JSONResponse(['message' => 'A security exception'], 501);
  223. $this->assertEquals($expected, $response);
  224. }
  225. public function testAfterExceptionWithRegularException() {
  226. $this->expectException(\Exception::class);
  227. $this->expectExceptionMessage('A regular exception');
  228. $request = new Request(
  229. ['server' => [
  230. 'PHP_AUTH_USER' => 'user',
  231. 'PHP_AUTH_PW' => 'pass'
  232. ]],
  233. $this->createMock(ISecureRandom::class),
  234. $this->createMock(IConfig::class)
  235. );
  236. $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
  237. $middleware->afterException($this->controller, __FUNCTION__, new \Exception('A regular exception'));
  238. }
  239. }