From 5bb286029709a4ca2b12653b4ded764acba14f78 Mon Sep 17 00:00:00 2001
From: amrita
Date: Tue, 25 Jan 2022 12:38:42 +0545
Subject: [PATCH] Add spaces tests on webdav api auth
---
.../apiAuthWebDav/webDavDELETEAuth.feature | 80 ++++++++++++++
.../apiAuthWebDav/webDavLOCKAuth.feature | 57 ++++++++++
.../apiAuthWebDav/webDavMKCOLAuth.feature | 60 +++++++++++
.../apiAuthWebDav/webDavMOVEAuth.feature | 54 ++++++++++
.../apiAuthWebDav/webDavPOSTAuth.feature | 54 ++++++++++
.../apiAuthWebDav/webDavPROPFINDAuth.feature | 54 ++++++++++
.../apiAuthWebDav/webDavPROPPATCHAuth.feature | 54 ++++++++++
.../apiAuthWebDav/webDavPUTAuth.feature | 59 +++++++++-
.../apiAuthWebDav/webDavSpecialURLs.feature | 101 +++++++++++++++++-
9 files changed, 568 insertions(+), 5 deletions(-)
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
index 457a910fe983..644b6366b5c8 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
@@ -21,9 +21,19 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/textfile0.txt | | /remote.php/webdav/PARENT | | /remote.php/dav/files/%username%/PARENT | + | /remote.php/webdav/PARENT/parent.txt | | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send DELETE requests to webDav endpoints as normal user with no password When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "" about user "Alice" | endpoint | 
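Review bot: The 401 asserted by the new wrong-password spaces scenario would hold whether or not `%spaceid%` was replaced with a real space id, because a request with bad credentials is normally rejected regardless of the path. Nothing in the hunk shows how the placeholder is resolved for `about user "Alice"`, so a broken substitution would leave this scenario green without exercising the spaces API. The same applies to the other 401 spaces scenarios in this file and to those added in the LOCK, MKCOL, MOVE, POST and PROPFIND files. Consider a control scenario per file that sends the same endpoint table with Alice's valid credentials and expects a non-401 status, plus a comment above the table stating where `%spaceid%` comes from.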
@@ -31,9 +41,19 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/textfile0.txt | | /remote.php/webdav/PARENT | | /remote.php/dav/files/%username%/PARENT | + | /remote.php/webdav/PARENT/parent.txt | | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-13 Scenario: send DELETE requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" about user "Alice" @@ -43,6 +63,15 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "404" + @issue-ocis-reva-13 @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "404" + @smokeTest Scenario: send DELETE requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice" 
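Review bot: The new no-password spaces scenario is tagged only `@skipOnOcV10 @personalSpace`, while the wrong-password spaces scenario added in the previous hunk also carries `@skipOnBruteForceProtection @issue-brute_force_protection-112`. So do the no-password spaces scenarios added to the LOCK, MKCOL, MOVE, POST and PROPFIND files. An empty password is still a failed authentication attempt, so the scenario looks equally exposed to lock-out side effects wherever brute-force protection is active. If the omission is deliberate (it appears to mirror the untagged non-spaces DELETE scenario), a one-line comment would make that clear; otherwise use `@skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace`.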
@@ -54,6 +83,15 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send DELETE requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -64,6 +102,15 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send DELETE requests to webDav endpoints without any authentication 
@@ -76,6 +123,15 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "DELETE" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-60 Scenario: send DELETE requests to webDav endpoints using token authentication should not work Given token auth has been enforced @@ -90,6 +146,18 @@ Feature: delete file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-60 @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints using token authentication should not work using the spaces WebDAV API + Given token auth has been enforced + And a new browser session for "Alice" has been started + And the user has generated a new app password named "my-client" + When the user requests these endpoints with "DELETE" using the generated app password about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-60 Scenario: send DELETE requests to webDav endpoints using app password token as password Given token auth has been enforced 
@@ -103,3 +171,15 @@ Feature: delete file/folder | /remote.php/webdav/PARENT | | /remote.php/dav/files/%username%/FOLDER | Then the HTTP status code of responses on all endpoints should be "204" + + @issue-ocis-reva-60 @skipOnOcV10 @personalSpace + Scenario: send DELETE requests to webDav endpoints using app password token as password using the spaces WebDAV API + Given token auth has been enforced + And a new browser session for "Alice" has been started + And the user has generated a new app password named "my-client" + When the user "Alice" requests these endpoints with "DELETE" with body "doesnotmatter" using basic auth and generated app password about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "204" \ No newline at end of file diff --git a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature index a53b02069262..c37d6f710c77 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature 
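Review bot: The app-password scenario added at the end of the file deletes `/remote.php/dav/spaces/%spaceid%/PARENT` and then `/remote.php/dav/spaces/%spaceid%/PARENT/parent.txt`, yet expects "204" on all endpoints. Unless the step restores fixtures between requests, the third DELETE targets a resource already removed with its parent and would not return 204. The existing non-spaces scenario just above avoids this by using distinct resources (`PARENT` and `FOLDER`). Either list `PARENT/parent.txt` before `PARENT` or replace the last row with an independent resource. The file also now ends without a trailing newline (`\ No newline at end of file`).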
@@ -24,6 +24,15 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "LOCK" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send LOCK requests to webDav endpoints as normal user with no password @@ -36,6 +45,15 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "LOCK" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-9 @skipOnOcV10.3 @skipOnOcV10.4 @skipOnOcV10.5 Scenario: send LOCK requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice" 
@@ -48,6 +66,18 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "409" + @issue-ocis-reva-9 @skipOnOcV10.3 @skipOnOcV10.4 @skipOnOcV10.5 @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + Then the HTTP status code of responses on all endpoints should be "403" + When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "409" + Scenario: send LOCK requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
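Review bot: The cross-user LOCK spaces scenario expects 403 for `textfile0.txt` and `PARENT` but 409 for `PARENT/parent.txt`, and its tables have no row for a path that does not exist. It therefore cannot show whether Brian can tell existing from missing resources in Alice's space by status code. The MKCOL counterpart in this patch includes `/remote.php/dav/spaces/%spaceid%/does-not-exist` in its 403 table; adding that row here and to the cross-user DELETE, MOVE and POST spaces scenarios would pin the behaviour. A short comment explaining why the nested path yields 409, with a pointer to `@issue-ocis-reva-9`, would help readers judge whether the difference is intended. The tag list also looks redundant, since `@skipOnOcV10` presumably already covers `@skipOnOcV10.3 @skipOnOcV10.4 @skipOnOcV10.5`.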
@@ -58,6 +88,15 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send LOCK requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -68,6 +107,15 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send LOCK requests to webDav endpoints without any authentication 
@@ -80,6 +128,15 @@ Feature: LOCK file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send LOCK requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "LOCK" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send LOCK requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature index ae93ff26edc0..b61d602c496a 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature 
@@ -20,6 +20,15 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send MKCOL requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "MKCOL" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send MKCOL requests to webDav endpoints as normal user with no password @@ -32,6 +41,15 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnOcV10 @personalSpace @skipOnBruteForceProtection @issue-brute_force_protection-112 + Scenario: send MKCOL requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "MKCOL" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-9 @issue-ocis-reva-197 Scenario: send MKCOL requests to another user's webDav endpoints as normal user Given user "Brian" has been created with default attributes and without skeleton files 
@@ -46,6 +64,20 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "409" + @skipOnOcV10 @personalSpace @issue-ocis-reva-9 @issue-ocis-reva-197 + Scenario: send MKCOL requests to another user's webDav endpoints as normal user using the spaces WebDAV API + Given user "Brian" has been created with default attributes and without skeleton files + When user "Brian" requests these endpoints with "MKCOL" including body "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/does-not-exist | + Then the HTTP status code of responses on all endpoints should be "403" + When user "Brian" requests these endpoints with "MKCOL" including body "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "409" + Scenario: send MKCOL requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
@@ -56,6 +88,15 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send MKCOL requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send MKCOL requests to webDav endpoints using valid password and username of different user Given user "Brian" has been created with default attributes and without skeleton files When user "Brian" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice" @@ -67,6 +108,16 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send MKCOL requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + Given user "Brian" has been created with default attributes and without skeleton files + When user "Brian" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send MKCOL requests to webDav endpoints without any authentication 
@@ -79,6 +130,15 @@ Feature: create folder using MKCOL | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send MKCOL requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "MKCOL" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send MKCOL requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature index f2aca5ff1dba..defe13235df7 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature 
@@ -23,6 +23,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send MOVE requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "MOVE" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send MOVE requests to webDav endpoints as normal user with no password @@ -35,6 +44,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send MOVE requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "MOVE" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-14 Scenario: send MOVE requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" about user "Alice" 
@@ -44,6 +62,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "403" + @skipOnOcV10 @personalSpace @issue-ocis-reva-14 + Scenario: send MOVE requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "403" + Scenario: send MOVE requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -54,6 +81,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send MOVE requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send MOVE requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
@@ -64,6 +100,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send MOVE requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send MOVE requests to webDav endpoints without any authentication @@ -76,6 +121,15 @@ Feature: MOVE file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send MOVE requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "MOVE" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send MOVE requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature index b19212a66ae1..8cc9493a9a11 100644 
--- a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature @@ -24,6 +24,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send POST requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send POST requests to webDav endpoints as normal user with no password 
@@ -36,6 +45,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send POST requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-179 Scenario: send POST requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" about user "Alice" @@ -45,6 +63,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "404" + @skipOnOcV10 @personalSpace @issue-ocis-reva-179 + Scenario: send POST requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "404" + Scenario: send POST requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
@@ -55,6 +82,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send POST requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send POST requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -65,6 +101,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send POST requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send POST requests to webDav endpoints without any authentication 
@@ -77,6 +122,15 @@ Feature: get file info using POST | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send POST requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "POST" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send POST requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature index fa038bb16ecb..c619aae69ea1 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature 
@@ -23,6 +23,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPFIND requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PROPFIND" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PROPFIND requests to webDav endpoints as normal user with no password @@ -35,6 +44,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPFIND requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PROPFIND" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-9 Scenario: send PROPFIND requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "PROPFIND" to get property "d:getetag" about user "Alice" 
@@ -44,6 +62,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "404" + @skipOnOcV10 @personalSpace @issue-ocis-reva-9 + Scenario: send PROPFIND requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PROPFIND" to get property "d:getetag" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "404" + Scenario: send PROPFIND requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -54,6 +81,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send PROPFIND requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send PROPFIND requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
@@ -64,6 +100,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send PROPFIND requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PROPFIND requests to webDav endpoints without any authentication @@ -76,6 +121,15 @@ Feature: get file info using PROPFIND | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPFIND requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "PROPFIND" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send PROPFIND requests to webDav endpoints using token authentication should not work Given token auth has been enforced 
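Review bot: The PROPFIND scenario without any authentication on the spaces API only lists paths that appear to be fixture resources in Alice's space, so it does not show that a missing resource also answers "401" rather than "404". If the two cases differ, an anonymous caller can tell which paths exist inside a space. Consider adding a row such as `| /remote.php/dav/spaces/%spaceid%/does-not-exist.txt |` (constructed name) to this table. The same gap applies to the no-authentication spaces scenarios added for POST, PROPPATCH and PUT in this commit.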
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature index dc7c6022c12b..5e5b829c10c5 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature @@ -24,6 +24,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PROPPATCH requests to webDav endpoints as normal user with no password 
@@ -36,6 +45,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @issue-ocis-reva-9 @issue-ocis-reva-197 Scenario: send PROPPATCH requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "PROPPATCH" to set property "favorite" about user "Alice" @@ -45,6 +63,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "404" + @issue-ocis-reva-9 @issue-ocis-reva-197 @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PROPPATCH" to set property "favorite" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "404" + Scenario: send PROPPATCH requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice" | endpoint | 
@@ -55,6 +82,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + Scenario: send PROPPATCH requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -65,6 +101,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PROPPATCH requests to webDav endpoints without any authentication 
@@ -77,6 +122,15 @@ Feature: PROPPATCH file/folder | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "PROPPATCH" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send PROPPATCH requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature index eafe63f5c345..3dbc0558a530 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature 
@@ -24,6 +24,15 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PUT requests to webDav endpoints as normal user with wrong password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PUT requests to webDav endpoints as normal user with no password @@ -36,6 +45,15 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PUT requests to webDav endpoints as normal user with no password using the spaces WebDAV API + When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 Scenario: send PUT requests to another user's webDav endpoints as normal user When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice" 
@@ -48,6 +66,18 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "403" + @skipOnOcV10 @personalSpace + Scenario: send PUT requests to another user's webDav endpoints as normal user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + Then the HTTP status code of responses on all endpoints should be "403" + When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "403" + Scenario: send PUT requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice" 
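Review bot: The spaces scenario for PUT against another user's space expects "403", while the matching POST, PROPFIND and PROPPATCH spaces scenarios in this commit expect "404" for the same three paths. A 403 confirms to Brian that Alice's space and its resources exist, which the 404 responses avoid; the legacy scenario just above also asserts "403", so this may be intentional. If it is, record that with a comment such as `# PUT answers 403, not 404, on a foreign space; see <tracker issue>`, otherwise align the expectation. The two When/Then pairs send the same request and expect the same code, so the three rows could share one table like the other spaces scenarios.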
@@ -59,7 +89,16 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" - + @skipOnOcV10 @personalSpace + Scenario: send PUT requests to webDav endpoints using invalid username but correct password using the spaces WebDAV API + When user "usero" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + + Scenario: send PUT requests to webDav endpoints using valid password and username of different user When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice" | endpoint | @@ -70,6 +109,15 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @skipOnOcV10 @personalSpace + Scenario: send PUT requests to webDav endpoints using valid password and username of different user using the spaces WebDAV API + When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 Scenario: send PUT requests to webDav endpoints without any authentication 
@@ -82,6 +130,15 @@ Feature: get file info using PUT | /remote.php/dav/files/%username%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" + @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @personalSpace + Scenario: send PUT requests to webDav endpoints without any authentication using the spaces WebDAV API + When a user requests these endpoints with "PUT" with body "doesnotmatter" and no authentication about user "Alice" + | endpoint | + | /remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php/dav/spaces/%spaceid%/PARENT | + | /remote.php/dav/spaces/%spaceid%/PARENT/parent.txt | + Then the HTTP status code of responses on all endpoints should be "401" + @notToImplementOnOCIS @issue-ocis-reva-37 Scenario: send PUT requests to webDav endpoints using token authentication should not work Given token auth has been enforced diff --git a/tests/acceptance/features/apiAuthWebDav/webDavSpecialURLs.feature b/tests/acceptance/features/apiAuthWebDav/webDavSpecialURLs.feature index f4ad5a1dcc84..5570139ef80c 100644 --- a/tests/acceptance/features/apiAuthWebDav/webDavSpecialURLs.feature +++ b/tests/acceptance/features/apiAuthWebDav/webDavSpecialURLs.feature 
@@ -17,7 +17,17 @@ Feature: make webdav request with special urls | //remote.php//dav/files/%username%/textfile1.txt | | /remote.php//dav/files/%username%/PARENT/parent.txt | | /remote.php//webdav/PARENT | - | //remote.php/dav//files/%username%//FOLDER | + | //remote.php/dav//files/%username%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "204" + + @personalSpace + Scenario: send DELETE requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "%regular%" about user "Alice" + | endpoint | + | //remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | + | //remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "204" @@ -28,7 +38,17 @@ Feature: make webdav request with special urls | //remote.php//dav/files/%username%/textfile1.txt | | /remote.php//dav/files/%username%/PARENT/parent.txt | | /remote.php//webdav/PARENT | - | //remote.php/dav//files/%username%//FOLDER | + | //remote.php/dav//files/%username%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "200" + + @personalSpace + Scenario: send GET requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "GET" using password "%regular%" about user "Alice" + | endpoint | + | //remote.php/dav/spaces/%spaceid%/textfile0.txt | + | //remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | Then the HTTP status code of responses on all endpoints should be "200" 
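Review bot: In the spaces DELETE scenario the table deletes `/remote.php//dav/spaces/%spaceid%/PARENT` two rows before `//remote.php//dav/spaces/%spaceid%/PARENT/parent.txt`, so the last request targets a file whose parent folder has already been removed. Unless the step restores fixtures between rows, that request cannot return "204". The legacy table above lists `PARENT/parent.txt` before `PARENT`; moving the `parent.txt` row ahead of the `PARENT` row gives the same order here.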
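Review bot: The spaces GET scenario is tagged only `@personalSpace`, whereas every spaces scenario added to the auth feature files in this commit carries `@skipOnOcV10 @personalSpace`. If the feature-level tags, which are outside this hunk, do not already exclude oC10, these requests to `/remote.php/dav/spaces/...` will run against a server that the other files treat as not offering that endpoint. Use `@skipOnOcV10 @personalSpace` here and on the DELETE, LOCK, MKCOL, MOVE, POST, PROPFIND, PROPPATCH and PUT spaces scenarios in this file.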
@@ -39,7 +59,17 @@ Feature: make webdav request with special urls | //remote.php//dav/files/%username%/textfile1.txt | | /remote.php//dav/files/%username%/PARENT/parent.txt | | /remote.php//webdav/PARENT | - | //remote.php/dav//files/%username%//FOLDER | + | //remote.php/dav//files/%username%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "200" + + @personalSpace + Scenario: send LOCK requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When the user "Alice" requests these endpoints with "LOCK" to get property "d:shared" with password "%regular%" about user "Alice" + | endpoint | + | //remote.php/dav/spaces/%spaceid%/textfile0.txt | + | //remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | Then the HTTP status code of responses on all endpoints should be "200" @@ -54,6 +84,18 @@ Feature: make webdav request with special urls | /remote.php/dav//files/%username%/PARENT6 | Then the HTTP status code of responses on all endpoints should be "201" + @personalSpace + Scenario: send MKCOL requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "MKCOL" using password "%regular%" about user "Alice" + | endpoint | + | //remote.php/dav/spaces/%spaceid%/PARENT1 | + | /remote.php//dav/spaces/%spaceid%/PARENT2 | + | //remote.php//dav/spaces/%spaceid%/PARENT3 | + | //remote.php/dav//spaces/%spaceid%/PARENT4 | + | /remote.php/dav/spaces/%spaceid%//PARENT5 | + | /remote.php/dav//spaces/%spaceid%/PARENT6 | + Then the HTTP status code of responses on all endpoints should be "201" + Scenario: send MOVE requests to webDav endpoints with 2 slashes When user "Alice" requests these endpoints with "MOVE" using password "%regular%" about user "Alice" 
@@ -65,6 +107,16 @@ Feature: make webdav request with special urls | /remote.php/dav//files/%username%/PARENT2/parent.txt | /remote.php/dav/files/%username%/PARENT2/parent1.txt | Then the HTTP status code of responses on all endpoints should be "201" + @personalSpace + Scenario: send MOVE requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "MOVE" using password "%regular%" about user "Alice" + | endpoint | destination | + | /remote.php//dav/spaces/%spaceid%/textfile1.txt | /remote.php/dav/spaces/%spaceid%/textfileOne.txt | + | /remote.php/dav//spaces/%spaceid%/PARENT | /remote.php/dav/spaces/%spaceid%/PARENT1 | + | //remote.php/dav/spaces/%spaceid%//PARENT1 | /remote.php/dav/spaces/%spaceid%/PARENT2 | + | //remote.php/dav/spaces/%spaceid%/PARENT2/parent.txt | /remote.php/dav/spaces/%spaceid%/PARENT2/parent1.txt | + Then the HTTP status code of responses on all endpoints should be "201" + Scenario: send POST requests to webDav endpoints with 2 slashes When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "%regular%" about user "Alice" 
@@ -73,7 +125,17 @@ Feature: make webdav request with special urls | //remote.php//dav/files/%username%/textfile1.txt | | /remote.php//dav/files/%username%/PARENT/parent.txt | | /remote.php//webdav/PARENT | - | //remote.php/dav//files/%username%//FOLDER | + | //remote.php/dav//files/%username%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "500" or "501" + + @personalSpace + Scenario: send POST requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "%regular%" about user "Alice" + | endpoint | + | //remote.php//dav/spaces/%spaceid%/textfile1.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | Then the HTTP status code of responses on all endpoints should be "500" or "501" @@ -87,6 +149,16 @@ Feature: make webdav request with special urls | //remote.php/dav//files/%username%//FOLDER | Then the HTTP status code of responses on all endpoints should be "207" + @personalSpace + Scenario: send PROPFIND requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When the user "Alice" requests these endpoints with "PROPFIND" to get property "d:href" with password "%regular%" about user "Alice" + | endpoint | + | //remote.php//dav/spaces/%spaceid%/textfile1.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "207" + Scenario: send PROPPATCH requests to webDav endpoints with 2 slashes When the user "Alice" requests these endpoints with "PROPPATCH" to set property "d:getlastmodified" with password "%regular%" about user "Alice" 
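Review bot: The spaces POST scenario accepts "500" as a passing status, so an unhandled server error on an authenticated request with doubled slashes is recorded as expected behaviour for the new endpoint. That expectation is copied from the legacy scenario above, and it would hide a later regression that starts returning 500 for a different reason. If the spaces endpoint is meant to reject POST cleanly, narrow the step to `should be "501"`; otherwise add a comment above the Then step such as `# 500 accepted only to match the legacy endpoint; see <tracker issue>`.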
@@ -98,6 +170,16 @@ Feature: make webdav request with special urls | //remote.php/dav//files/%username%//FOLDER | Then the HTTP status code of responses on all endpoints should be "207" + @personalSpace + Scenario: send PROPPATCH requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When the user "Alice" requests these endpoints with "PROPPATCH" to set property "d:getlastmodified" with password "%regular%" about user "Alice" + | endpoint | + | //remote.php//dav/spaces/%spaceid%/textfile1.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT/parent.txt | + | /remote.php//dav/spaces/%spaceid%/PARENT | + | //remote.php/dav//spaces/%spaceid%//FOLDER | + Then the HTTP status code of responses on all endpoints should be "207" + Scenario: send PUT requests to webDav endpoints with 2 slashes When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "%regular%" about user "Alice" @@ -108,3 +190,14 @@ Feature: make webdav request with special urls | /remote.php/dav/files/%username%/textfile7.txt | | //remote.php/dav/files/%username%/PARENT//parent.txt | Then the HTTP status code of responses on all endpoints should be "204" or "201" + + @personalSpace + Scenario: send PUT requests to webDav endpoints with 2 slashes using the spaces WebDAV API + When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "%regular%" about user "Alice" + | endpoint | + | //remote.php/dav/spaces/%spaceid%/textfile0.txt | + | /remote.php//dav/spaces/%spaceid%/textfile1.txt | + | //remote.php//dav/spaces/%spaceid%/textfile1.txt | + | /remote.php/dav/spaces/%spaceid%/textfile7.txt | + | //remote.php/dav/spaces/%spaceid%/PARENT//parent.txt | + Then the HTTP status code of responses on all endpoints should be "204" or "201"