From 3b550d83267b884dbfdeaa12453624234ba7601a Mon Sep 17 00:00:00 2001
From: Artur Neumann <artur@jankaritech.com>
Date: Thu, 31 Jan 2019 17:11:15 +0545
Subject: [PATCH] tests to check webdav requests with locktoken in header

---
 .../apiWebdavLocks/requestsWithToken.feature  | 86 ++++++++++++++++
 .../bootstrap/PublicWebDavContext.php         |  5 +-
 .../acceptance/features/bootstrap/WebDav.php  |  2 +-
 .../bootstrap/WebDavLockingContext.php        | 97 +++++++++++++++++++
 4 files changed, 188 insertions(+), 2 deletions(-)
 create mode 100644 tests/acceptance/features/apiWebdavLocks/requestsWithToken.feature

diff --git a/tests/acceptance/features/apiWebdavLocks/requestsWithToken.feature b/tests/acceptance/features/apiWebdavLocks/requestsWithToken.feature
new file mode 100644
index 000000000000..ef1474a47e41
--- /dev/null
+++ b/tests/acceptance/features/apiWebdavLocks/requestsWithToken.feature
@@ -0,0 +1,86 @@
+@api
+Feature: actions on a locked item are possible if the token is sent with the request
+
+  Background:
+    Given user "user0" has been created with default attributes
+
+  Scenario Outline: rename a file in a locked folder
+    Given using <dav-path> DAV path
+    And user "user0" has locked folder "PARENT" setting following properties
+      | lockscope | <lock-scope> |
+    When user "user0" moves file "/PARENT/parent.txt" to "/PARENT/renamed-file.txt" sending the locktoken of folder "PARENT" using the WebDAV API
+    Then the HTTP status code should be "201"
+    And as "user0" file "/PARENT/parent.txt" should not exist
+    But as "user0" file "/PARENT/renamed-file.txt" should exist
+    Examples:
+      | dav-path | lock-scope |
+      | old      | shared     |
+      | old      | exclusive  |
+      | new      | shared     |
+      | new      | exclusive  |
+
+  Scenario Outline: move a file into a locked folder
+    Given using <dav-path> DAV path
+    And user "user0" has locked folder "FOLDER" setting following properties
+      | lockscope | <lock-scope> |
+    When user "user0" moves file "/PARENT/parent.txt" to "/FOLDER/moved-file.txt" sending the locktoken of folder "FOLDER" using the WebDAV API
+    Then the HTTP status code should be "201"
+    And as "user0" file "/PARENT/parent.txt" should not exist
+    But as "user0" file "/FOLDER/moved-file.txt" should exist
+    Examples:
+      | dav-path | lock-scope |
+      | old      | shared     |
+      | old      | exclusive  |
+      | new      | shared     |
+      | new      | exclusive  |
+
+  Scenario Outline: move a file into a locked folder is impossible when using the wrong token
+    Given using <dav-path> DAV path
+    And user "user0" has locked folder "FOLDER" setting following properties
+      | lockscope | <lock-scope> |
+    And user "user0" has locked folder "PARENT/CHILD" setting following properties
+      | lockscope | <lock-scope> |
+    When user "user0" moves file "/PARENT/parent.txt" to "/FOLDER/moved-file.txt" sending the locktoken of folder "PARENT/CHILD" using the WebDAV API
+    Then the HTTP status code should be "423"
+    And as "user0" file "/PARENT/parent.txt" should exist
+    But as "user0" file "/FOLDER/moved-file.txt" should not exist
+    Examples:
+      | dav-path | lock-scope |
+      | old      | shared     |
+      | old      | exclusive  |
+      | new      | shared     |
+      | new      | exclusive  |
+
+  @issue-34338
+  Scenario Outline: share receiver cannot rename a file in a folder locked by the owner even when sending the locktoken
+    Given using <dav-path> DAV path
+    And user "user1" has been created with default attributes
+    And user "user0" has shared folder "PARENT" with user "user1"
+    And user "user0" has locked folder "PARENT" setting following properties
+      | lockscope | <lock-scope> |
+    When user "user1" moves file "PARENT (2)/parent.txt" to "PARENT (2)/renamed-file.txt" sending the locktoken of file "PARENT" of user "user0" using the WebDAV API
+    #When the issue is fixed, remove the following steps and replace with the commented-out steps
+    Then the HTTP status code should be "403"
+    And as "user0" file "/PARENT/parent.txt" should not exist
+    But as "user0" file "/PARENT/renamed-file.txt" should exist
+    #Then the HTTP status code should be "423"
+    #And as "user0" file "/PARENT/parent.txt" should exist
+    #But as "user0" file "/PARENT/renamed-file.txt" should not exist
+    Examples:
+      | dav-path | lock-scope |
+      | old      | shared     |
+      | old      | exclusive  |
+      | new      | shared     |
+      | new      | exclusive  |
+
+  Scenario Outline: public cannot overwrite a file in a folder locked by the owner even when sending the locktoken
+    Given user "user0" has created a public link share of folder "PARENT" with change permission
+    And user "user0" has locked folder "PARENT" setting following properties
+      | lockscope | <lock-scope> |
+    When the public uploads file "parent.txt" with content "test" sending the locktoken of file "PARENT" of user "user0" using the public WebDAV API
+    Then the HTTP status code should be "423"
+    And the content of file "/PARENT/parent.txt" for user "user0" should be "ownCloud test text file parent" plus end-of-line
+    Examples:
+      | lock-scope |
+      | shared     |
+      | exclusive  |
diff --git a/tests/acceptance/features/bootstrap/PublicWebDavContext.php b/tests/acceptance/features/bootstrap/PublicWebDavContext.php
index 32a6a3d18502..e4decb149739 100644
--- a/tests/acceptance/features/bootstrap/PublicWebDavContext.php
+++ b/tests/acceptance/features/bootstrap/PublicWebDavContext.php
@@ -254,6 +254,7 @@ public function publiclyUploadingShouldWork() {
 	 * @param string $password
 	 * @param string $body
 	 * @param bool $autorename
+	 * @param array $additionalHeaders
 	 *
 	 * @return void
 	 */
@@ -261,7 +262,8 @@ public function publicUploadContent(
 		$filename,
 		$password = '',
 		$body = 'test',
-		$autorename = false
+		$autorename = false,
+		$additionalHeaders = []
 	) {
 		$password = $this->featureContext->getActualPassword($password);
 		$url = $this->featureContext->getBaseUrl() . "/public.php/webdav/";
@@ -275,6 +277,7 @@ public function publicUploadContent(
 		if ($autorename) {
 			$headers['OC-Autorename'] = 1;
 		}
+		$headers = \array_merge($headers, $additionalHeaders);
 		$response = HttpRequestHelper::put(
 			$url, $token, $password, $headers, $body
 		);
diff --git a/tests/acceptance/features/bootstrap/WebDav.php b/tests/acceptance/features/bootstrap/WebDav.php
index fa51b35e2998..ada2a0136af8 100644
--- a/tests/acceptance/features/bootstrap/WebDav.php
+++ b/tests/acceptance/features/bootstrap/WebDav.php
@@ -417,7 +417,7 @@ public function slowdownDavRequests($method, $seconds) {
 	 *
 	 * @return string
 	 */
-	private function destinationHeaderValue($user, $fileDestination) {
+	public function destinationHeaderValue($user, $fileDestination) {
 		$fullUrl = $this->getBaseUrl() . '/' . $this->getDavFilesPath($user);
 		return $fullUrl . '/' . \ltrim($fileDestination, '/');
 	}
diff --git a/tests/acceptance/features/bootstrap/WebDavLockingContext.php b/tests/acceptance/features/bootstrap/WebDavLockingContext.php
index 6b4b30f88254..311a1681b6da 100644
--- a/tests/acceptance/features/bootstrap/WebDavLockingContext.php
+++ b/tests/acceptance/features/bootstrap/WebDavLockingContext.php
@@ -23,6 +23,7 @@
 use Behat\Behat\Context\Context;
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
 use Behat\Gherkin\Node\TableNode;
+use GuzzleHttp\Exception\ConnectException;
 use TestHelpers\WebDavHelper;
 
 require_once 'bootstrap.php';
@@ -37,6 +38,13 @@ class WebDavLockingContext implements Context {
 	 * @var FeatureContext
 	 */
 	private $featureContext;
+
+	/**
+	 *
+	 * @var PublicWebDavContext
+	 */
+	private $publicWebDavContext;
+
 	/**
 	 *
 	 * @var string[][]
@@ -275,6 +283,94 @@ public function unlockItemAsPublicUsingWebDavAPI($itemToUnlock) {
 		);
 	}
 
+	/**
+	 * @When /^user "([^"]*)" moves (?:file|folder|entry) "([^"]*)" to "([^"]*)" sending the locktoken of (?:file|folder|entry) "([^"]*)" using the WebDAV API$/
+	 *
+	 * @param string $user
+	 * @param string $fileSource
+	 * @param string $fileDestination
+	 * @param string $itemToUseLockOf
+	 *
+	 * @return void
+	 */
+	public function moveItemSendingLockToken(
+		$user, $fileSource, $fileDestination, $itemToUseLockOf
+	) {
+		$this->moveItemSendingLockTokenOfUser(
+			$user, $fileSource, $fileDestination, $itemToUseLockOf, $user
+		);
+	}
+
+	/**
+	 * @When /^user "([^"]*)" moves (?:file|folder|entry) "([^"]*)" to "([^"]*)" sending the locktoken of (?:file|folder|entry) "([^"]*)" of user "([^"]*)" using the WebDAV API$/
+	 *
+	 * @param string $user
+	 * @param string $fileSource
+	 * @param string $fileDestination
+	 * @param string $itemToUseLockOf
+	 * @param string $lockOwner
+	 *
+	 * @return void
+	 */
+	public function moveItemSendingLockTokenOfUser(
+		$user, $fileSource, $fileDestination, $itemToUseLockOf, $lockOwner
+	) {
+		$destination = $this->featureContext->destinationHeaderValue(
+			$user, $fileDestination
+		);
+		$token = $this->tokenOfLastLock[$lockOwner][$itemToUseLockOf];
+		$headers = [
+			"Destination" => $destination,
+			"If" => "(<$token>)"
+		];
+		try {
+			$response = $this->featureContext->makeDavRequest(
+				$user, "MOVE", $fileSource, $headers
+			);
+			$this->featureContext->setResponse($response);
+		} catch (ConnectException $e) {
+		}
+	}
+
+	/**
+	 * @When the public uploads file :filename with content :content sending the locktoken of file :itemToUseLockOf of user :lockOwner using the public WebDAV API
+	 *
+	 * @param string $filename
+	 * @param string $content
+	 * @param string $itemToUseLockOf
+	 * @param string $lockOwner
+	 *
+	 * @return void
+	 *
+	 */
+	public function publicUploadFileSendingLockTokenOfUser(
+		$filename, $content, $itemToUseLockOf, $lockOwner
+	) {
+		$headers = [
+			"If" => "(<" . $this->tokenOfLastLock[$lockOwner][$itemToUseLockOf] . ">)"
+		];
+		$this->publicWebDavContext->publicUploadContent(
+			$filename, '', $content, false, $headers
+		);
+	}
+
+	/**
+	 * @When the public uploads file :filename with content :content sending the locktoken of :itemToUseLockOf of the public using the public WebDAV API
+	 *
+	 * @param string $filename
+	 * @param string $content
+	 * @param string $itemToUseLockOf
+	 *
+	 * @return void
+	 */
+	public function publicUploadFileSendingLockTokenOfPublic(
+		$filename, $content, $itemToUseLockOf
+	) {
+		$lockOwner = (string)$this->featureContext->getLastShareData()->data->token;
+		$this->publicUploadFileSendingLockTokenOfUser(
+			$filename, $content, $itemToUseLockOf, $lockOwner
+		);
+	}
 	/**
 	 * @Then :count locks should be reported for file/folder :file of user :user by the WebDAV API
 	 *
@@ -320,5 +416,6 @@ public function before(BeforeScenarioScope $scope) {
 		$environment = $scope->getEnvironment();
 		// Get all the contexts you need in this context
 		$this->featureContext = $environment->getContext('FeatureContext');
+		$this->publicWebDavContext = $environment->getContext('PublicWebDavContext');
 	}
 }