From c016e1788afde2d0db1921f4f39583a4526f1a6c Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Thu, 28 Feb 2019 13:23:23 +0545 Subject: [PATCH 1/5] test GET requests on OCS endpoints with invalid password --- .../acceptance/features/apiMain/auth.feature | 50 +++++++++++++++++++ .../features/bootstrap/BasicStructure.php | 22 +++++--- 2 files changed, 66 insertions(+), 6 deletions(-) diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiMain/auth.feature index 433488163607..67d6ca83e6ab 100644 --- a/tests/acceptance/features/apiMain/auth.feature +++ b/tests/acceptance/features/apiMain/auth.feature 
@@ -116,6 +116,33 @@ Feature: auth |/ocs/v1.php/privatedata/getattribute | 100 | 200 | |/ocs/v2.php/privatedata/getattribute | 200 | 200 | + @issue-32068 + Scenario Outline: using OCS as normal user with wrong password + Given using OCS API version "" + When user "user0" sends HTTP method "GET" to OCS API endpoint "" using password "invalid" + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_external/api/v1/mounts | 997 | 401 | + | 2 |/apps/files_external/api/v1/mounts | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 1 |/cloud/apps | 997 | 401 | + | 2 |/cloud/apps | 997 | 401 | + | 1 |/cloud/groups | 997 | 401 | + | 2 |/cloud/groups | 997 | 401 | + | 1 |/cloud/users | 997 | 401 | + | 2 |/cloud/users | 997 | 401 | + | 1 |/config | 100 | 200 | + | 2 |/config | 200 | 200 | + | 1 |/privatedata/getattribute | 997 | 401 | + | 2 |/privatedata/getattribute | 997 | 401 | + Scenario Outline: using OCS with admin basic auth When the administrator requests "" with "GET" using basic auth Then the OCS status code should be "" 
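Review bot: The new `using OCS as normal user with wrong password` outline exercises only the literal password `invalid`; since the step implementation in this patch substitutes the stored password only when none is given and forwards an empty string unchanged, a row sending `using password ""` would be a cheap extra check that empty credentials are rejected too. The `/config` rows expecting 100/200 match the anonymous outline earlier in the file, which is consistent with that endpoint being public. If `@issue-32068` marks rows that currently fail, a short comment next to the tag saying which rows are affected would help whoever removes it later.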
@@ -129,6 +156,29 @@ Feature: auth |/ocs/v1.php/cloud/users | 100 | 200 | |/ocs/v2.php/cloud/users | 200 | 200 | + Scenario Outline: using OCS as admin user with wrong password + Given using OCS API version "" + When the administrator sends HTTP method "GET" to OCS API endpoint "" using password "invalid" + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_external/api/v1/mounts | 997 | 401 | + | 2 |/apps/files_external/api/v1/mounts | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 1 |/cloud/apps | 997 | 401 | + | 2 |/cloud/apps | 997 | 401 | + | 1 |/cloud/groups | 997 | 401 | + | 2 |/cloud/groups | 997 | 401 | + | 1 |/cloud/users | 997 | 401 | + | 2 |/cloud/users | 997 | 401 | + | 1 |/privatedata/getattribute | 997 | 401 | + | 2 |/privatedata/getattribute | 997 | 401 | Scenario Outline: using OCS with token auth of a normal user When user "user0" requests "" with "GET" using basic token auth diff --git a/tests/acceptance/features/bootstrap/BasicStructure.php b/tests/acceptance/features/bootstrap/BasicStructure.php index 5a1bd1d5201f..c2700271a994 100644 --- a/tests/acceptance/features/bootstrap/BasicStructure.php +++ b/tests/acceptance/features/bootstrap/BasicStructure.php 
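Review bot: The `using OCS as admin user with wrong password` outline appears to run straight into the following `Scenario Outline: using OCS with token auth of a normal user` without an added blank line, unlike the normal-user outline in the previous hunk which adds one; add the separating blank line after the last example row. It also lacks the `@issue-32068` tag that the normal-user outline carries — if the tag marks known-failing expectations, confirm whether the admin case is deliberately excluded or just missed.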
@@ -781,34 +781,41 @@ public function theUserSendsToOcsApiEndpoint($verb, $url) { /** * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)"$/ + * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" using password "([^"]*)"$/ * @Given /^user "([^"]*)" has sent HTTP method "([^"]*)" to API endpoint "([^"]*)"$/ * * @param string $user * @param string $verb * @param string $url + * @param string $password * * @return void */ - public function userSendsToOcsApiEndpoint($user, $verb, $url) { + public function userSendsToOcsApiEndpoint($user, $verb, $url, $password = null) { $this->userSendsHTTPMethodToOcsApiEndpointWithBody( $user, $verb, $url, - null + null, + $password ); } /** * @When the administrator sends HTTP method :verb to OCS API endpoint :url + * @When the administrator sends HTTP method :verb to OCS API endpoint :url using password :password * * @param string $verb * @param string $url + * @param string $password * * @return void */ - public function theAdministratorSendsHttpMethodToOcsApiEndpoint($verb, $url) { + public function theAdministratorSendsHttpMethodToOcsApiEndpoint( + $verb, $url, $password = null + ) { $admin = $this->getAdminUsername(); - $this->userSendsToOcsApiEndpoint($admin, $verb, $url); + $this->userSendsToOcsApiEndpoint($admin, $verb, $url, $password); } /** @@ -944,11 +951,12 @@ public function theUserSendsToOcsApiEndpointWithBody($verb, $url, $body) { * @param string $verb * @param string $url * @param TableNode|null $body + * @param string $password * * @return void */ public function userSendsHTTPMethodToOcsApiEndpointWithBody( - $user, $verb, $url, $body + $user, $verb, $url, $body = null, $password = null ) { /** 
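Review bot: The added `@param string $password` lines in all three docblocks of this hunk and the following `@@ -944` hunk describe a parameter that defaults to `null`, so the type should be `string|null` and the docblock should say what null means, e.g. `@param string|null $password password to authenticate with, or null to use the user's stored password`. The same applies to `@param TableNode|null $body` in `userSendsHTTPMethodToOcsApiEndpointWithBody`, whose default is now `null` as well and whose body continues past the end of the hunk. Since the other parameters of these step methods are untyped, a native `?string` hint is optional, but the docblock type should be accurate for static analysis and for readers of the step definitions.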
@@ -964,7 +972,9 @@ public function userSendsHTTPMethodToOcsApiEndpointWithBody( if ($user !== 'UNAUTHORIZED_USER') { $user = $this->getActualUsername($user); - $password = $this->getPasswordForUser($user); + if ($password === null) { + $password = $this->getPasswordForUser($user); + } } else { $user = null; $password = null; From a672e52f875c41ed01aba27971f277659feb58a3 Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Thu, 28 Feb 2019 14:37:00 +0545 Subject: [PATCH 2/5] test POST requests on OCS endpoints with invalid password --- .../acceptance/features/apiMain/auth.feature | 33 +++++++++++++++++++ .../features/bootstrap/BasicStructure.php | 19 +++++++++++ 2 files changed, 52 insertions(+) diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiMain/auth.feature index 67d6ca83e6ab..2e64dd4a91fa 100644 --- a/tests/acceptance/features/apiMain/auth.feature +++ b/tests/acceptance/features/apiMain/auth.feature 
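Review bot: The new `if ($password === null)` branch gives an empty password a different meaning from a missing one — `""` is now sent as-is while null is replaced by the stored password — and nothing in the hunk records that distinction. Add a why-comment above the check: `// null means "use the user's configured password"; an explicit empty string is sent unchanged so scenarios can test empty credentials`. The enclosing `userSendsHTTPMethodToOcsApiEndpointWithBody` starts and ends outside the hunk, so I cannot see whether `$password` is later handled in a way that would drop an empty string anyway.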
@@ -143,6 +143,39 @@ Feature: auth | 1 |/privatedata/getattribute | 997 | 401 | | 2 |/privatedata/getattribute | 997 | 401 | + @issue-32068 + Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password + Given using OCS API version "" + And user "user1" has been created with default attributes + When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid" + | data | doesnotmatter | + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 1 |/cloud/apps/testing | 997 | 401 | + | 2 |/cloud/apps/testing | 997 | 401 | + | 1 |/cloud/groups | 997 | 401 | + | 2 |/cloud/groups | 997 | 401 | + | 1 |/cloud/users | 997 | 401 | + | 2 |/cloud/users | 997 | 401 | + | 1 |/cloud/users/user0/groups | 997 | 401 | + | 2 |/cloud/users/user0/groups | 997 | 401 | + | 1 |/cloud/users/user0/subadmins | 997 | 401 | + | 2 |/cloud/users/user0/subadmins | 997 | 401 | + | 1 |/person/check | 101 | 200 | + | 2 |/person/check | 400 | 400 | + | 1 |/privatedata/deleteattribute/testing/test | 997 | 401 | + | 2 |/privatedata/deleteattribute/testing/test | 997 | 401 | + | 1 |/privatedata/setattribute/testing/test | 997 | 401 | + | 2 |/privatedata/setattribute/testing/test | 997 | 401 | + Scenario Outline: using OCS with admin basic auth When the administrator requests "" with "GET" using basic auth Then the OCS status code should be "" 
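Review bot: Every row of `send POST requests to OCS endpoints as normal user with wrong password` asserts only the status codes, but for state-changing endpoints such as `/cloud/users`, `/cloud/groups`, `/cloud/users/user0/groups` and `/cloud/users/user0/subadmins` a 401 alone does not prove the operation was refused; add Then steps that check the target state is unchanged (the user, group or membership still absent or still present) using whatever existence steps the provisioning context already provides. The same gap exists in the PUT outline of patch 3 and the DELETE outline of patch 4, and in their copies under `apiAuth/` in patch 5. Separately, `And user "user1" has been created with default attributes` appears unused — no example row references user1 — so it only adds setup time per row unless some endpoint implicitly needs a second user.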
diff --git a/tests/acceptance/features/bootstrap/BasicStructure.php b/tests/acceptance/features/bootstrap/BasicStructure.php index c2700271a994..04d3036b577e 100644 --- a/tests/acceptance/features/bootstrap/BasicStructure.php +++ b/tests/acceptance/features/bootstrap/BasicStructure.php @@ -943,6 +943,25 @@ public function theUserSendsToOcsApiEndpointWithBody($verb, $url, $body) { ); } + /** + * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" with body using password "([^"]*)"$/ + * + * @param string $user + * @param string $verb + * @param string $url + * @param string $password + * @param TableNode $body + * + * @return void + */ + public function userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword( + $user, $verb, $url, $password, $body + ) { + $this->userSendsHTTPMethodToOcsApiEndpointWithBody( + $user, $verb, $url, $body, $password + ); + } + /** * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" with body$/ * @Given /^user "([^"]*)" has sent HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" with body$/ From 8ae223ffa615c5c190024daa16920267433c2e43 Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Thu, 28 Feb 2019 14:51:41 +0545 Subject: [PATCH 3/5] test PUT requests on OCS endpoints as admin with invalid password --- .../acceptance/features/apiMain/auth.feature | 18 ++++++++++++++++++ .../features/bootstrap/BasicStructure.php | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiMain/auth.feature index 2e64dd4a91fa..4a8492e54d9c 100644 --- a/tests/acceptance/features/apiMain/auth.feature +++ b/tests/acceptance/features/apiMain/auth.feature 
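Review bot: `userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword` leaves `$body` untyped while its docblock says `TableNode` and the admin counterpart added in patch 3 declares `TableNode $body`; make the two consistent with `$user, $verb, $url, $password, TableNode $body`. Behat presumably binds the step table to the last parameter, which is why `$password` precedes `$body` here while the delegate takes `$body` first — a one-line comment noting that ordering constraint would save the next reader from "fixing" it.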
@@ -213,6 +213,24 @@ Feature: auth | 1 |/privatedata/getattribute | 997 | 401 | | 2 |/privatedata/getattribute | 997 | 401 | + @issue-32068 + Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password + Given using OCS API version "" + When the administrator sends HTTP method "PUT" to OCS API endpoint "" with body using password "invalid" + | data | doesnotmatter | + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 1 |/cloud/users/user0 | 997 | 401 | + | 2 |/cloud/users/user0 | 997 | 401 | + | 1 |/cloud/users/user0/disable | 997 | 401 | + | 2 |/cloud/users/user0/disable | 997 | 401 | + | 1 |/cloud/users/user0/enable | 997 | 401 | + | 2 |/cloud/users/user0/enable | 997 | 401 | + Scenario Outline: using OCS with token auth of a normal user When user "user0" requests "" with "GET" using basic token auth Then the OCS status code should be "" diff --git a/tests/acceptance/features/bootstrap/BasicStructure.php b/tests/acceptance/features/bootstrap/BasicStructure.php index 04d3036b577e..e671ab9d2e18 100644 --- a/tests/acceptance/features/bootstrap/BasicStructure.php +++ b/tests/acceptance/features/bootstrap/BasicStructure.php 
@@ -1024,6 +1024,25 @@ public function theAdministratorSendsHttpMethodToOcsApiEndpointWithBody( ); } + /** + * @When the administrator sends HTTP method :verb to OCS API endpoint :url with body using password :password + * + * @param string $verb + * @param string $url + * @param string $password + * @param TableNode $body + * + * @return void + */ + public function theAdministratorSendsHttpMethodToOcsApiWithBodyAndPassword( + $verb, $url, $password, TableNode $body + ) { + $admin = $this->getAdminUsername(); + $this->userSendsHTTPMethodToOcsApiEndpointWithBody( + $admin, $verb, $url, $body, $password + ); + } + /** * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to URL "([^"]*)"$/ * @Given /^user "([^"]*)" has sent HTTP method "([^"]*)" to URL "([^"]*)"$/ From 6cfdd29754a95ea52158c9b7a7373f1b0b7b7fbe Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Thu, 28 Feb 2019 15:06:12 +0545 Subject: [PATCH 4/5] test DELETE requests on OCS endpoints as admin with invalid password --- .../acceptance/features/apiMain/auth.feature | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiMain/auth.feature index 4a8492e54d9c..8fe6565f5892 100644 --- a/tests/acceptance/features/apiMain/auth.feature +++ b/tests/acceptance/features/apiMain/auth.feature 
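Review bot: `theAdministratorSendsHttpMethodToOcsApiWithBodyAndPassword` repeats the admin lookup and then calls `userSendsHTTPMethodToOcsApiEndpointWithBody` directly, whereas `theAdministratorSendsHttpMethodToOcsApiEndpoint` in patch 1 delegates to the user-level step; for symmetry it could delegate to the wrapper from patch 2: `$this->userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword($admin, $verb, $url, $password, $body);`. The `@param string $password` here is accurate, since the step pattern always supplies the value.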
@@ -231,6 +231,34 @@ Feature: auth | 1 |/cloud/users/user0/enable | 997 | 401 | | 2 |/cloud/users/user0/enable | 997 | 401 | + @issue-32068 + Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password + Given using OCS API version "" + And group "group1" has been created + When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid" + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 1 |/cloud/apps/testing | 997 | 401 | + | 2 |/cloud/apps/testing | 997 | 401 | + | 1 |/cloud/groups/group1 | 997 | 401 | + | 2 |/cloud/groups/group1 | 997 | 401 | + | 1 |/cloud/users/user0 | 997 | 401 | + | 2 |/cloud/users/user0 | 997 | 401 | + | 1 |/cloud/users/user0/groups | 997 | 401 | + | 2 |/cloud/users/user0/groups | 997 | 401 | + | 1 |/cloud/users/user0/subadmins | 997 | 401 | + | 2 |/cloud/users/user0/subadmins | 997 | 401 | + Scenario Outline: using OCS with token auth of a normal user When user "user0" requests "" with "GET" using basic token auth Then the OCS status code should be "" From 3dabf0448871f625c93212068a06f080a9abe8c1 Mon Sep 17 00:00:00 2001 
From: Artur Neumann Date: Thu, 28 Feb 2019 15:34:53 +0545 Subject: [PATCH 5/5] move auth tests into separate behat suite --- .drone.yml | 11 ++++ tests/acceptance/config/behat.yml | 6 ++ .../features/apiAuth/filesAppAuth.feature | 39 ++++++++++++ .../features/apiAuth/ocsDELETEAuth.feature | 34 +++++++++++ .../ocsGETAuth.feature} | 61 ------------------- .../features/apiAuth/ocsPOSTAuth.feature | 40 ++++++++++++ .../features/apiAuth/ocsPUTAuth.feature | 25 ++++++++ .../{apiMain => apiAuth}/tokenAuth.feature | 0 .../features/apiAuth/webDavAuth.feature | 28 +++++++++ 9 files changed, 183 insertions(+), 61 deletions(-) create mode 100644 tests/acceptance/features/apiAuth/filesAppAuth.feature create mode 100644 tests/acceptance/features/apiAuth/ocsDELETEAuth.feature rename tests/acceptance/features/{apiMain/auth.feature => apiAuth/ocsGETAuth.feature} (91%) create mode 100644 tests/acceptance/features/apiAuth/ocsPOSTAuth.feature create mode 100644 tests/acceptance/features/apiAuth/ocsPUTAuth.feature rename tests/acceptance/features/{apiMain => apiAuth}/tokenAuth.feature (100%) create mode 100644 tests/acceptance/features/apiAuth/webDavAuth.feature diff --git a/.drone.yml b/.drone.yml index 5678b94c4869..155074ce570b 100644 --- a/.drone.yml +++ b/.drone.yml @@ -774,6 +774,17 @@ matrix: OWNCLOUD_LOG: true INSTALL_TESTING_APP: true + - PHP_VERSION: 7.1 + TEST_SUITE: api + BEHAT_SUITE: apiAuth + DB_TYPE: mariadb + USE_SERVER: true + SERVER_PROTOCOL: https + INSTALL_SERVER: true + CHOWN_SERVER: true + OWNCLOUD_LOG: true + INSTALL_TESTING_APP: true + - PHP_VERSION: 7.1 TEST_SUITE: api BEHAT_SUITE: apiCapabilities diff --git a/tests/acceptance/config/behat.yml b/tests/acceptance/config/behat.yml index 8e41c0036eea..55c6870b156d 100644 --- a/tests/acceptance/config/behat.yml +++ b/tests/acceptance/config/behat.yml 
@@ -20,6 +20,12 @@ default: - OccContext: - TransferOwnershipContext: + apiAuth: + paths: + - '%paths.base%/../features/apiAuth' + contexts: + - FeatureContext: *common_feature_context_params + apiCapabilities: paths: - '%paths.base%/../features/apiCapabilities' diff --git a/tests/acceptance/features/apiAuth/filesAppAuth.feature b/tests/acceptance/features/apiAuth/filesAppAuth.feature new file mode 100644 index 000000000000..421574c5307a --- /dev/null +++ b/tests/acceptance/features/apiAuth/filesAppAuth.feature 
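Review bot: The new `apiAuth` suite registers only `FeatureContext`, while the suite just above it also lists `OccContext` and `TransferOwnershipContext`; the moved features use user provisioning, client token, browser session, app password and OCS request steps, so confirm all of those are defined in `FeatureContext` (or contexts it pulls in) rather than in one of the omitted contexts, otherwise the suite will fail with undefined steps before any assertion runs.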
@@ -0,0 +1,39 @@ +@api @TestAlsoOnExternalUserBackend +Feature: auth + + Background: + Given user "user0" has been created with default attributes + And a new client token for "user0" has been generated + + @smokeTest + Scenario: access files app anonymously + When a user requests "/index.php/apps/files" with "GET" and no authentication + Then the HTTP status code should be "401" + + @smokeTest + Scenario: access files app with basic auth + When user "user0" requests "/index.php/apps/files" with "GET" using basic auth + Then the HTTP status code should be "200" + + @smokeTest + Scenario: access files app with basic token auth + When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth + Then the HTTP status code should be "200" + + @smokeTest + Scenario: access files app with a client token + When the user requests "/index.php/apps/files" with "GET" using the generated client token + Then the HTTP status code should be "200" + + @smokeTest + Scenario: access files app with browser session + Given a new browser session for "user0" has been started + When the user requests "/index.php/apps/files" with "GET" using the browser session + Then the HTTP status code should be "200" + + @smokeTest + Scenario: access files app with an app password + Given a new browser session for "user0" has been started + And the user has generated a new app password named "my-client" + When the user requests "/index.php/apps/files" with "GET" using the generated app password + Then the HTTP status code should be "200" diff --git a/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature b/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature new file mode 100644 index 000000000000..f1feb2eb5f5b --- /dev/null +++ b/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature 
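Review bot: All six new or renamed feature files under `apiAuth/` keep the title `Feature: auth`, so reports and name-based filters cannot tell them apart; give each a descriptive title, e.g. `Feature: files app auth` here, and similarly for `ocsDELETEAuth`, `ocsGETAuth`, `ocsPOSTAuth`, `ocsPUTAuth` and `webDavAuth`. The scenarios themselves are otherwise a verbatim move from `apiMain/auth.feature`.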
@@ -0,0 +1,34 @@ +@api @TestAlsoOnExternalUserBackend +Feature: auth + + Background: + Given user "user0" has been created with default attributes + And a new client token for "user0" has been generated + + @issue-32068 + Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password + Given using OCS API version "" + And group "group1" has been created + When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid" + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 1 |/cloud/apps/testing | 997 | 401 | + | 2 |/cloud/apps/testing | 997 | 401 | + | 1 |/cloud/groups/group1 | 997 | 401 | + | 2 |/cloud/groups/group1 | 997 | 401 | + | 1 |/cloud/users/user0 | 997 | 401 | + | 2 |/cloud/users/user0 | 997 | 401 | + | 1 |/cloud/users/user0/groups | 997 | 401 | + | 2 |/cloud/users/user0/groups | 997 | 401 | + | 1 |/cloud/users/user0/subadmins | 997 | 401 | + | 2 |/cloud/users/user0/subadmins | 997 | 401 | diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiAuth/ocsGETAuth.feature similarity index 91% rename from tests/acceptance/features/apiMain/auth.feature rename to tests/acceptance/features/apiAuth/ocsGETAuth.feature index 8fe6565f5892..a4e74815c462 100644 --- a/tests/acceptance/features/apiMain/auth.feature 
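Review bot: The Background copied into `ocsDELETEAuth.feature` runs `And a new client token for "user0" has been generated`, but no scenario in this file uses a client token, so it is setup cost per example row with no assertion behind it; drop it here, and likewise in `ocsPOSTAuth.feature` and `ocsPUTAuth.feature` where it is equally unused (confirm which of the remaining files actually need it — `filesAppAuth` clearly does). `ocsPOSTAuth.feature` and `ocsPUTAuth.feature` also end with an added blank line after the last example row.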
+++ b/tests/acceptance/features/apiAuth/ocsGETAuth.feature 
@@ -1,70 +1,9 @@ @api @TestAlsoOnExternalUserBackend Feature: auth - Background: Given user "user0" has been created with default attributes And a new client token for "user0" has been generated - # FILES APP - @smokeTest - Scenario: access files app anonymously - When a user requests "/index.php/apps/files" with "GET" and no authentication - Then the HTTP status code should be "401" - - @smokeTest - Scenario: access files app with basic auth - When user "user0" requests "/index.php/apps/files" with "GET" using basic auth - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with basic token auth - When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with a client token - When the user requests "/index.php/apps/files" with "GET" using the generated client token - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with browser session - Given a new browser session for "user0" has been started - When the user requests "/index.php/apps/files" with "GET" using the browser session - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with an app password - Given a new browser session for "user0" has been started - And the user has generated a new app password named "my-client" - When the user requests "/index.php/apps/files" with "GET" using the generated app password - Then the HTTP status code should be "200" - - # WebDAV - - Scenario: using WebDAV anonymously - When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication - Then the HTTP status code should be "401" - - Scenario: using WebDAV with basic auth - When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth - Then the HTTP status code should be "207" - - Scenario: using WebDAV with token auth - When user "user0" requests "/remote.php/webdav" with 
"PROPFIND" using basic token auth - Then the HTTP status code should be "207" - - # DAV token auth is not possible yet - #Scenario: using WebDAV with a client token - # When requesting "/remote.php/webdav" with "PROPFIND" using a client token - # Then the HTTP status code should be "207" - - Scenario: using WebDAV with browser session - Given a new browser session for "user0" has been started - When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session - Then the HTTP status code should be "207" - - - # OCS @issue-32068 Scenario Outline: using OCS anonymously When a user requests "" with "GET" and no authentication diff --git a/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature b/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature new file mode 100644 index 000000000000..342533f3c26f --- /dev/null +++ b/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature 
@@ -0,0 +1,40 @@ +@api @TestAlsoOnExternalUserBackend +Feature: auth + + Background: + Given user "user0" has been created with default attributes + And a new client token for "user0" has been generated + + @issue-32068 + Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password + Given using OCS API version "" + And user "user1" has been created with default attributes + When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid" + | data | doesnotmatter | + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | + | 1 |/cloud/apps/testing | 997 | 401 | + | 2 |/cloud/apps/testing | 997 | 401 | + | 1 |/cloud/groups | 997 | 401 | + | 2 |/cloud/groups | 997 | 401 | + | 1 |/cloud/users | 997 | 401 | + | 2 |/cloud/users | 997 | 401 | + | 1 |/cloud/users/user0/groups | 997 | 401 | + | 2 |/cloud/users/user0/groups | 997 | 401 | + | 1 |/cloud/users/user0/subadmins | 997 | 401 | + | 2 |/cloud/users/user0/subadmins | 997 | 401 | + | 1 |/person/check | 101 | 200 | + | 2 |/person/check | 400 | 400 | + | 1 |/privatedata/deleteattribute/testing/test | 997 | 401 | + | 2 |/privatedata/deleteattribute/testing/test | 997 | 401 | + | 1 |/privatedata/setattribute/testing/test | 997 | 401 | + | 2 |/privatedata/setattribute/testing/test | 997 | 401 | + diff --git a/tests/acceptance/features/apiAuth/ocsPUTAuth.feature b/tests/acceptance/features/apiAuth/ocsPUTAuth.feature new file mode 100644 index 000000000000..38792496717c --- /dev/null 
+++ b/tests/acceptance/features/apiAuth/ocsPUTAuth.feature @@ -0,0 +1,25 @@ +@api @TestAlsoOnExternalUserBackend +Feature: auth + + Background: + Given user "user0" has been created with default attributes + And a new client token for "user0" has been generated + + @issue-32068 + Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password + Given using OCS API version "" + When the administrator sends HTTP method "PUT" to OCS API endpoint "" with body using password "invalid" + | data | doesnotmatter | + Then the OCS status code should be "" + And the HTTP status code should be "" + Examples: + | ocs_api_version |endpoint | ocs-code | http-code | + | 1 |/cloud/users/user0 | 997 | 401 | + | 2 |/cloud/users/user0 | 997 | 401 | + | 1 |/cloud/users/user0/disable | 997 | 401 | + | 2 |/cloud/users/user0/disable | 997 | 401 | + | 1 |/cloud/users/user0/enable | 997 | 401 | + | 2 |/cloud/users/user0/enable | 997 | 401 | + | 1 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + | 2 |/apps/files_sharing/api/v1/shares/123 | 997 | 401 | + diff --git a/tests/acceptance/features/apiMain/tokenAuth.feature b/tests/acceptance/features/apiAuth/tokenAuth.feature similarity index 100% rename from tests/acceptance/features/apiMain/tokenAuth.feature rename to tests/acceptance/features/apiAuth/tokenAuth.feature diff --git a/tests/acceptance/features/apiAuth/webDavAuth.feature b/tests/acceptance/features/apiAuth/webDavAuth.feature new file mode 100644 index 000000000000..387a5c485082 --- /dev/null +++ b/tests/acceptance/features/apiAuth/webDavAuth.feature 
@@ -0,0 +1,28 @@ +@api @TestAlsoOnExternalUserBackend +Feature: auth + + Background: + Given user "user0" has been created with default attributes + And a new client token for "user0" has been generated + + Scenario: using WebDAV anonymously + When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication + Then the HTTP status code should be "401" + + Scenario: using WebDAV with basic auth + When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth + Then the HTTP status code should be "207" + + Scenario: using WebDAV with token auth + When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic token auth + Then the HTTP status code should be "207" + + # DAV token auth is not possible yet + #Scenario: using WebDAV with a client token + # When requesting "/remote.php/webdav" with "PROPFIND" using a client token + # Then the HTTP status code should be "207" + + Scenario: using WebDAV with browser session + Given a new browser session for "user0" has been started + When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session + Then the HTTP status code should be "207"
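Review bot: The commented-out `using WebDAV with a client token` scenario is carried over as dead text under `# DAV token auth is not possible yet`, where no report will ever show it; tagging a real scenario with the convention used elsewhere in this suite (`@issue-…` with the tracking number) would keep the gap visible instead. If there is no tracking issue, a one-line comment stating what has to change before it can be enabled is preferable to keeping the steps commented out.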