Merge pull request #1354 from scireum/feature/mbo/OX-10357-1
JUnit: Migrate CSRFTokenTest to Kotlin
sabieber authored Jan 9, 2024
2 parents 4288965 + 4c4ee98 commit 23c762d
Showing 2 changed files with 181 additions and 153 deletions.
153 changes: 0 additions & 153 deletions src/test/java/sirius/web/http/CSRFTokenSpec.groovy

This file was deleted.

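--- a/src/test/kotlin/sirius/web/http/CSRFTokenTest.kt
+++ b/src/test/kotlin/sirius/web/http/CSRFTokenTest.kt
@@ -0,0 +1,181 @@
+/*
+* Made with all the love in the world
+* by scireum in Remshalden, Germany
+*
+* Copyright by scireum GmbH
+* http://www.scireum.de - info@scireum.de
+*/
+
+package sirius.web.http
+
+import io.netty.handler.codec.http.HttpHeaderNames
+import io.netty.handler.codec.http.HttpResponseStatus
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.extension.ExtendWith
+import sirius.kernel.SiriusExtension
+import sirius.kernel.commons.Streams
+import java.net.HttpURLConnection
+import java.net.URL
+
+import java.nio.charset.StandardCharsets
+import kotlin.test.assertEquals
+
+@ExtendWith(SiriusExtension::class)
+class CSRFTokenTest {
+
+@Test
+fun `safePOST() fails if token is missing via GET`() {
+
+val result = TestRequest.GET("/test/fake-delete-data").execute()
+
+assertEquals(HttpResponseStatus.INTERNAL_SERVER_ERROR, result.status)
+}
+
+@Test
+fun `safePOST() works if the token is present via GET`() {
+
+val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
+connection.setRequestMethod("GET")
+connection.connect()
+val token = String(Streams.toByteArray(connection.inputStream), StandardCharsets.UTF_8)
+
+val result = TestRequest.GET("/test/fake-delete-data?CSRFToken=$token").execute()
+
+assertEquals(HttpResponseStatus.INTERNAL_SERVER_ERROR, result.status)
+}
+
+@Test
+fun `safePOST() fails if token is missing via POST`() {
+
+val result = TestRequest.POST("/test/fake-delete-data").execute()
+
+assertEquals(HttpResponseStatus.INTERNAL_SERVER_ERROR, result.status)
+}
+
+@Test
+fun `safePOST() works on SAFEPOST if correct token is provided`() {
+
+val result = TestRequest.SAFEPOST("/test/fake-delete-data").execute()
+
+assertEquals(HttpResponseStatus.OK, result.status)
+}
+
+@Test
+fun `safePOST() works if correct token is present via POST`() {
+
+val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
+connection.setRequestMethod("GET")
+connection.connect()
+val token = String(Streams.toByteArray(connection.inputStream), StandardCharsets.UTF_8)
+
+
+val connection2 = URL(
+"http://localhost:9999/test/fake-delete-data?CSRFToken=$token"
+).openConnection() as HttpURLConnection
+connection2.setRequestMethod("POST")
+connection2.setRequestProperty(
+HttpHeaderNames.COOKIE.toString(),
+connection.headerFields["set-cookie"]?.get(0)
+)
+connection2.connect()
+
+assertEquals(200, connection2.getResponseCode())
+}
+
+@Test
+fun `safePOST() success on POST if expired token is provided`() {
+
+val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
+connection.setRequestMethod("GET")
+connection.connect()
+val token = String(Streams.toByteArray(connection.inputStream), StandardCharsets.UTF_8)
+TestRequest.GET("/test/expire-security-token").execute()
+
+val connection2 = URL(
+"http://localhost:9999/test/fake-delete-data?CSRFToken=$token"
+).openConnection() as HttpURLConnection
+connection2.setRequestMethod("POST")
+connection2.setRequestProperty(
+HttpHeaderNames.COOKIE.toString(),
+connection.headerFields["set-cookie"]?.get(0)
+)
+connection2.connect()
+
+assertEquals(200,connection2.getResponseCode())
+}
+
+@Test
+fun `safePOST() works if false token is given via POST`() {
+
+val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
+connection.setRequestMethod("GET")
+connection.connect()
+
+val connection2 =
+URL("http://localhost:9999/test/fake-delete-data?CSRFToken=w-r-o-n-g-t-o-k-e-n").openConnection() as HttpURLConnection
+connection2.setRequestMethod("POST")
+connection2.setRequestProperty(
+HttpHeaderNames.COOKIE.toString(),
+connection.headerFields["set-cookie"]?.get(0)
+)
+connection2.connect()
+
+assertEquals(500,connection2.getResponseCode())
+}
+
+@Test
+fun `unsafePOST() if token is missing via POST it works as intended`() {
+
+val result = TestRequest.POST("/test/fake-delete-data-unsafe").execute()
+
+assertEquals(HttpResponseStatus.OK,result.status)
+}
+
+@Test
+fun `unsafePOST() fails on GET if token is not provided`() {
+
+val result = TestRequest.GET("/test/fake-delete-data-unsafe").execute()
+
+assertEquals(HttpResponseStatus.INTERNAL_SERVER_ERROR,result.status)
+}
+
+@Test
+fun `ensureSafePOST() fails if token is missing via GET`() {
+
+val result = TestRequest.GET("/test/fake-delete-data-ensure-safe").execute()
+
+assertEquals(HttpResponseStatus.INTERNAL_SERVER_ERROR, result.status)
+}
+
+@Test
+fun `ensureSafePOST() goes wrong on POST if false token is given`() {
+
+val connection = URL(
+"http://localhost:9999/test/fake-delete-data-ensure-safe?CSRFToken=w-r-o-n-g-t-o-k-e-n"
+).openConnection() as HttpURLConnection
+connection.setRequestMethod("POST")
+connection.connect()
+
+assertEquals(401,connection.responseCode )
+}
+
+@Test
+fun `ensureSafePOST() works as intended if correct token is given via POST`() {
+
+val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
+connection.setRequestMethod("GET")
+connection.connect()
+val token = String(Streams.toByteArray(connection.getInputStream()), StandardCharsets.UTF_8)
+
+val connection2 =
+URL("http://localhost:9999/test/fake-delete-data-ensure-safe?CSRFToken=$token").openConnection() as HttpURLConnection
+connection2.setRequestMethod("POST")
+connection2.setRequestProperty(
+HttpHeaderNames.COOKIE.toString(),
+connection.headerFields["set-cookie"]?.get(0)
+)
+connection2.connect()
+
+assertEquals(200,connection2.getResponseCode())
+}
+}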
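Review bot: The token-fetching prologue at lines 58–61 is repeated verbatim in four more tests (87–90, 109–112, 131–133, 186–189), none of them closes the input stream or disconnects, and `connection.headerFields["set-cookie"]?.get(0)` hands `null` to `setRequestProperty` when the header is absent, so a missing session cookie surfaces as an opaque 500 assertion rather than a clear failure. A private helper that reads the token inside `use`, looks the cookie up case-insensitively via `getHeaderField("Set-Cookie")` and fails early with `checkNotNull` would remove the duplication and make failures attributable; the second connection should likewise `disconnect()` once the status has been read. The file also mixes Java accessor calls (`setRequestMethod("GET")`, `getResponseCode()`, `getInputStream()`) with Kotlin property syntax (`responseCode` at line 180, `inputStream` at line 61) — pick the property form throughout. `safePOST() success on POST if expired token is provided` asserts 200 with a token the test has just expired; a one-line comment stating why the server still accepts it (presumably a grace period or the semantics of `/test/expire-security-token` — to be confirmed) would keep the test from reading as an endorsement of accepting stale tokens.
```kotlin
/** Token and session cookie as handed out by /test/provide-security-token. */
private data class SecurityToken(val token: String, val cookie: String)

/** Fetches a fresh token plus the cookie set alongside it; closes stream and connection afterwards. */
private fun fetchSecurityToken(): SecurityToken {
    val connection = URL("http://localhost:9999/test/provide-security-token").openConnection() as HttpURLConnection
    connection.requestMethod = "GET"
    try {
        connection.connect()
        val token = connection.inputStream.use { String(Streams.toByteArray(it), StandardCharsets.UTF_8) }
        // getHeaderField is case-insensitive; the headerFields map lookup by "set-cookie" may not be
        val cookie = checkNotNull(connection.getHeaderField("Set-Cookie")) { "no session cookie was set" }
        return SecurityToken(token, cookie)
    } finally {
        connection.disconnect()
    }
}

/** POSTs to [url] carrying [cookie] and returns the status code; closes the connection afterwards. */
private fun postWithCookie(url: String, cookie: String): Int {
    val connection = URL(url).openConnection() as HttpURLConnection
    connection.requestMethod = "POST"
    connection.setRequestProperty(HttpHeaderNames.COOKIE.toString(), cookie)
    try {
        connection.connect()
        return connection.responseCode
    } finally {
        connection.disconnect()
    }
}

@Test
fun `safePOST() works if correct token is present via POST`() {
    val (token, cookie) = fetchSecurityToken()
    assertEquals(200, postWithCookie("http://localhost:9999/test/fake-delete-data?CSRFToken=$token", cookie))
}
// … unchanged: the remaining tests, each switched to the two helpers above …
```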
