1 package club.wpia.gigi;
3 import static org.junit.Assert.*;
5 import java.io.IOException;
6 import java.net.HttpURLConnection;
7 import java.net.MalformedURLException;
9 import java.net.URLConnection;
10 import java.security.GeneralSecurityException;
11 import java.security.KeyPair;
12 import java.security.PrivateKey;
13 import java.sql.SQLException;
15 import org.junit.Test;
17 import club.wpia.gigi.dbObjects.Certificate;
18 import club.wpia.gigi.dbObjects.Certificate.CSRType;
19 import club.wpia.gigi.dbObjects.Digest;
20 import club.wpia.gigi.dbObjects.User;
21 import club.wpia.gigi.testUtils.IOUtils;
22 import club.wpia.gigi.testUtils.ManagedTest;
23 import club.wpia.gigi.util.ServerConstants;
24 import club.wpia.gigi.util.ServerConstants.Host;
26 public class TestCrossDomainAccess extends ManagedTest {
29 public void testNoOriginHeader() throws MalformedURLException, IOException {
30 URLConnection con = new URL("https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + "/login").openConnection();
31 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
35 public void testCorrectOriginHeaderFromHttpsToHttps() throws MalformedURLException, IOException {
36 URLConnection con = new URL("https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + "/login").openConnection();
37 con.setRequestProperty("Origin", "https://" + ServerConstants.getHostNamePortSecure(Host.WWW));
38 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
42 public void testCorrectOriginHeaderFromHttpToHttps() throws MalformedURLException, IOException {
43 URLConnection con = new URL("https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + "/login").openConnection();
44 con.setRequestProperty("Origin", "http://" + ServerConstants.getHostNamePort(Host.WWW));
45 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
49 public void testCorrectOriginHeaderFromHttpsToSecure() throws MalformedURLException, IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
50 User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
51 KeyPair kp = generateKeypair();
52 String key = generatePEMCSR(kp, "CN=testmail@example.com");
53 Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, getClientProfile());
54 final PrivateKey pk = kp.getPrivate();
55 c.setLoginEnabled(true);
56 await(c.issue(null, "2y", u));
58 URLConnection con = new URL("https://" + ServerConstants.getHostNamePortSecure(Host.SECURE)).openConnection();
59 authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
60 con.setRequestProperty("Origin", "https://" + ServerConstants.getHostNamePortSecure(Host.WWW));
61 String contains = IOUtils.readURL(con);
62 assertTrue( !contains.contains("No cross domain access allowed."));
66 public void testCorrectOriginHeaderFromHttpsToHttp() throws MalformedURLException, IOException {
67 URLConnection con = new URL("http://" + ServerConstants.getHostNamePort(Host.WWW)).openConnection();
68 con.setRequestProperty("Origin", "https://" + ServerConstants.getHostNamePortSecure(Host.WWW));
69 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
73 public void testIncorrectOriginHeader() throws MalformedURLException, IOException {
74 HttpURLConnection con = (HttpURLConnection) new URL("https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + "/login").openConnection();
75 con.setRequestProperty("Origin", "https://evilpageandatleastnotcacert.com");
76 assertTrue(IOUtils.readURL(con).contains("No cross domain access allowed."));