1 package org.cacert.gigi;
3 import static org.junit.Assert.*;
5 import java.io.IOException;
6 import java.net.HttpURLConnection;
7 import java.net.MalformedURLException;
9 import java.net.URLConnection;
10 import java.security.GeneralSecurityException;
11 import java.security.KeyPair;
12 import java.security.PrivateKey;
13 import java.sql.SQLException;
15 import org.cacert.gigi.dbObjects.Certificate;
16 import org.cacert.gigi.dbObjects.Certificate.CSRType;
17 import org.cacert.gigi.dbObjects.CertificateProfile;
18 import org.cacert.gigi.dbObjects.User;
19 import org.cacert.gigi.testUtils.IOUtils;
20 import org.cacert.gigi.testUtils.ManagedTest;
21 import org.cacert.gigi.util.ServerConstants;
22 import org.junit.Test;
24 public class TestCrossDomainAccess extends ManagedTest {
27 public void testNoOriginHeader() throws MalformedURLException, IOException {
28 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
29 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
33 public void testCorrectOriginHeaderFromHttpsToHttps() throws MalformedURLException, IOException {
34 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
35 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
36 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
40 public void testCorrectOriginHeaderFromHttpToHttps() throws MalformedURLException, IOException {
41 URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
42 con.setRequestProperty("Origin", "http://" + ServerConstants.getWwwHostNamePort());
43 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
47 public void testCorrectOriginHeaderFromHttpsToSecure() throws MalformedURLException, IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
48 User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
49 KeyPair kp = generateKeypair();
50 String key = generatePEMCSR(kp, "CN=testmail@example.com");
51 Certificate c = new Certificate(u, Certificate.buildDN("CN", "testmail@example.com"), "sha256", key, CSRType.CSR, CertificateProfile.getById(1));
52 final PrivateKey pk = kp.getPrivate();
53 c.issue(null, "2y").waitFor(60000);
55 URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
56 authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
57 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
58 String contains = IOUtils.readURL(con);
59 assertTrue( !contains.contains("No cross domain access allowed."));
63 public void testCorrectOriginHeaderFromHttpsToHttp() throws MalformedURLException, IOException {
64 URLConnection con = new URL("http://" + ServerConstants.getWwwHostNamePort()).openConnection();
65 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
66 assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
70 public void testIncorrectOriginHeader() throws MalformedURLException, IOException {
71 HttpURLConnection con = (HttpURLConnection) new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
72 con.setRequestProperty("Origin", "https://evilpageandatleastnotcacert.com");
73 assertTrue(IOUtils.readURL(con).contains("No cross domain access allowed."));