1 package org.cacert.gigi;
3 import static org.junit.Assert.*;
5 import java.io.IOException;
6 import java.net.HttpURLConnection;
7 import java.net.MalformedURLException;
9 import java.net.URLConnection;
10 import java.security.GeneralSecurityException;
11 import java.security.KeyPair;
12 import java.security.PrivateKey;
13 import java.security.cert.X509Certificate;
14 import java.sql.SQLException;
16 import org.cacert.gigi.dbObjects.Certificate;
17 import org.cacert.gigi.dbObjects.Certificate.CSRType;
18 import org.cacert.gigi.dbObjects.CertificateProfile;
19 import org.cacert.gigi.dbObjects.User;
20 import org.cacert.gigi.testUtils.IOUtils;
21 import org.cacert.gigi.testUtils.ManagedTest;
22 import org.cacert.gigi.util.ServerConstants;
23 import org.junit.Test;
25 public class TestCrossDomainAccess extends ManagedTest {
28 public void testNoOriginHeader() throws MalformedURLException, IOException {
29 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
30 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
34 public void testCorrectOriginHeaderFromHttpsToHttps() throws MalformedURLException, IOException {
35 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
36 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
37 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
41 public void testCorrectOriginHeaderFromHttpToHttps() throws MalformedURLException, IOException {
42 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
43 con.setRequestProperty("Origin", "http://" + ServerConstants.getWwwHostNamePort());
44 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
48 public void testCorrectOriginHeaderFromHttpsToSecure() throws MalformedURLException, IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
49 String email = createUniqueName() + "@b.ce";
50 int id = createVerifiedUser("Kurti", "Hansel", email, TEST_PASSWORD);
51 KeyPair kp = generateKeypair();
52 String key1 = generatePEMCSR(kp, "CN=" + email);
53 Certificate c = new Certificate(User.getById(id), "/CN=" + email, "sha256", key1, CSRType.CSR, CertificateProfile.getById(1));
54 final PrivateKey pk = kp.getPrivate();
55 c.issue(null, "2y").waitFor(60000);
56 final X509Certificate ce = c.cert();
57 String cookie = login(pk, ce);
58 URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
59 con.setRequestProperty("Cookie", cookie);
60 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
61 String contains = IOUtils.readURL(con);
62 assertTrue( !contains.contains("No cross domain access allowed."));
66 public void testCorrectOriginHeaderFromHttpsToHttp() throws MalformedURLException, IOException {
67 URLConnection con = new URL("http://" + ServerConstants.getWwwHostNamePort()).openConnection();
68 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
69 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
73 public void testIncorrectOriginHeader() throws MalformedURLException, IOException {
74 HttpURLConnection con = (HttpURLConnection) new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
75 con.setRequestProperty("Origin", "https://evilpageandatleastnotcacert.com");
76 assertTrue(IOUtils.readURL(con).contains("No cross domain access allowed."));