X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=tests%2Fclub%2Fwpia%2Fgigi%2FTestCrossDomainAccess.java;fp=tests%2Fclub%2Fwpia%2Fgigi%2FTestCrossDomainAccess.java;h=fbcc3009b2473de30ee6570e7ced38d8d502ed30;hb=bccd4cc0dba0f89aa045b113bac46eb8cc1dab4e;hp=0000000000000000000000000000000000000000;hpb=c9ed09f0007fc2c813815be927a5a24b23dab83c;p=gigi.git
diff --git a/tests/club/wpia/gigi/TestCrossDomainAccess.java b/tests/club/wpia/gigi/TestCrossDomainAccess.java
new file mode 100644
index 00000000..fbcc3009
--- /dev/null
+++ b/tests/club/wpia/gigi/TestCrossDomainAccess.java
@@ -0,0 +1,78 @@
+package club.wpia.gigi;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.sql.SQLException;
+
+import org.junit.Test;
+
+import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Digest;
+import club.wpia.gigi.dbObjects.User;
+import club.wpia.gigi.testUtils.IOUtils;
+import club.wpia.gigi.testUtils.ManagedTest;
+import club.wpia.gigi.util.ServerConstants;
+
+public class TestCrossDomainAccess extends ManagedTest {
+
+ @Test
+ public void testNoOriginHeader() throws MalformedURLException, IOException {
+ URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
+ assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
+ }
+
+ @Test
+ public void testCorrectOriginHeaderFromHttpsToHttps() throws MalformedURLException, IOException {
+ URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
+ con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
+ assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
+ }
+
+ @Test
+ public void testCorrectOriginHeaderFromHttpToHttps() throws MalformedURLException, IOException {
+ URLConnection con = new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
+ con.setRequestProperty("Origin", "http://" + ServerConstants.getWwwHostNamePort());
+ assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
+ }
+
+ @Test
+ public void testCorrectOriginHeaderFromHttpsToSecure() throws MalformedURLException, IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
+ User u = User.getById(createVerifiedUser("fn", "ln", "testmail@example.com", TEST_PASSWORD));
+ KeyPair kp = generateKeypair();
+ String key = generatePEMCSR(kp, "CN=testmail@example.com");
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, getClientProfile());
+ final PrivateKey pk = kp.getPrivate();
+ c.setLoginEnabled(true);
+ await(c.issue(null, "2y", u));
+
+ URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePortSecure()).openConnection();
+ authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
+ con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
+ String contains = IOUtils.readURL(con);
+ assertTrue( !contains.contains("No cross domain access allowed."));
+ }
+
+ @Test
+ public void testCorrectOriginHeaderFromHttpsToHttp() throws MalformedURLException, IOException {
+ URLConnection con = new URL("http://" + ServerConstants.getWwwHostNamePort()).openConnection();
+ con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
+ assertTrue( !IOUtils.readURL(con).contains("No cross domain access allowed."));
+ }
+
+ @Test
+ public void testIncorrectOriginHeader() throws MalformedURLException, IOException {
+ HttpURLConnection con = (HttpURLConnection) new URL("https://" + ServerConstants.getWwwHostNamePortSecure() + "/login").openConnection();
+ con.setRequestProperty("Origin", "https://evilpageandatleastnotcacert.com");
+ assertTrue(IOUtils.readURL(con).contains("No cross domain access allowed."));
+ }
+
+}
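Review bot: The five "correct origin" tests only assert that the body does not contain the string "No cross domain access allowed.", so they also pass when the server rejects the request in any other way (a different error page, a reworded message, or a non-2xx status with an unrelated body), which would hide a regression in the Origin check without failing the build; pin the positive outcome instead, e.g. cast to HttpURLConnection and add `assertEquals(200, con.getResponseCode());` before reading the body, and write the negative body check as `assertFalse(IOUtils.readURL(con).contains("No cross domain access allowed."));` rather than `assertTrue( !...)`. The rejection message is repeated seven times as a literal; a `private static final String CROSS_DOMAIN_REJECTED = "No cross domain access allowed.";` keeps the tests in step if the server wording changes. testCorrectOriginHeaderFromHttpToHttps encodes the policy that a plain-http Origin is accepted by the https endpoint; if that is intended it deserves a one-line comment on the test, because it means the Origin check's protection rests on the integrity of the plaintext site. How IOUtils.readURL surfaces a non-2xx response is not visible here; if it throws an IOException, the negative tests would fail for that reason rather than for a wrong rejection, so it is worth confirming against testUtils.IOUtils.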