X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=tests%2Forg%2Fcacert%2Fgigi%2Fpages%2Fwot%2FTestAssurance.java;h=98248933cd215b710d99fd9a2d22dde3e65a7b77;hb=29a56cb5f3b067880f675ad2bcb3b19120f93410;hp=b072ad604e0ce8c1d7e140cf453c3891b26236c5;hpb=03231e26912b87975dd7180d821d2832c866a7ee;p=gigi.git
diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
index b072ad60..98248933 100644
--- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java
+++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
@@ -2,14 +2,18 @@ package org.cacert.gigi.pages.wot;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
-import org.cacert.gigi.IOUtils;
+import org.cacert.gigi.database.DatabaseConnection;
+import org.cacert.gigi.testUtils.IOUtils;
 import org.cacert.gigi.testUtils.ManagedTest;
 import org.junit.Before;
 import org.junit.Test;
@@ -22,42 +26,40 @@ public class TestAssurance extends ManagedTest {
 private int assurer;
 private int assuree;
 private String cookie;
+
 @Before
 public void setup() throws IOException {
 assurerM = createUniqueName() + "@cacert-test.org";
 assureeM = createUniqueName() + "@cacert-test.org";
- assurer = createAssuranceUser("a", "b", assurerM, "xvXV.1");
- assuree = createAssuranceUser("a", "c", assureeM, "xvXV.1");
- cookie = login(assurerM, "xvXV.1");
+ assurer = createAssuranceUser("a", "b", assurerM, TEST_PASSWORD);
+ assuree = createAssuranceUser("a", "c", assureeM, TEST_PASSWORD);
+ cookie = login(assurerM, TEST_PASSWORD);
 }
+
 @Test
 public void testAssureSearch() throws IOException {
- String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8")
- + "&day=1&month=1&year=1910");
+ String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1910");
 assertTrue(loc, loc.endsWith(AssurePage.PATH + "/" + assuree));
 }
 @Test
 public void testAssureSearchEmail() throws IOException {
- String loc = search("email=1" + URLEncoder.encode(assureeM, "UTF-8")
- + "&day=1&month=1&year=1910");
+ String loc = search("email=1" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1910");
 assertNull(loc);
 }
+
 @Test
 public void testAssureSearchDob() throws IOException {
- String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8")
- + "&day=2&month=1&year=1910");
+ String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=2&month=1&year=1910");
 assertNull(loc);
- loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8")
- + "&day=1&month=2&year=1910");
+ loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=2&year=1910");
 assertNull(loc);
- loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8")
- + "&day=1&month=1&year=1911");
+ loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1911");
 assertNull(loc);
 }
- private String search(String query) throws 
MalformedURLException,
- IOException, UnsupportedEncodingException {
+
+ private String search(String query) throws MalformedURLException, IOException, UnsupportedEncodingException {
 URL u = new URL("https://" + getServerName() + AssurePage.PATH);
 URLConnection uc = u.openConnection();
 uc.setDoOutput(true);
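Review bot: The reformatted signature `private String search(String query) throws MalformedURLException, IOException, UnsupportedEncodingException` still lists two subclasses of IOException next to IOException itself, so the clause can shrink to `throws IOException` with no effect on callers; `getError` and `buildupAssureFormConnection` further down carry the same redundancy. A one-line comment on the method would also help, e.g. `// POSTs the query to the assurance search page and returns the Location header, or null when no match is found`, since the three search tests depend on that null-on-miss contract. The body of search continues past the end of this hunk.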
@@ -68,21 +70,57 @@ public class TestAssurance extends ManagedTest {
 String loc = uc.getHeaderField("Location");
 return loc;
 }
+
 @Test
 public void testAssureForm() throws IOException {
 String error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
 assertTrue(error, error.startsWith(""));
 }
+
+ @Test
+ public void testAssureFormNoCSRF() throws IOException {
+ // override csrf
+ HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+ uc.getOutputStream().write(
+ ("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10").getBytes());
+ uc.getOutputStream().flush();
+ assertEquals(500, uc.getResponseCode());
+ }
+
+ @Test
+ public void testAssureFormWrongCSRF() throws IOException {
+ // override csrf
+ HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+ uc.getOutputStream().write(
+ ("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10&csrf=aragc")
+ .getBytes());
+ uc.getOutputStream().flush();
+ assertEquals(500, uc.getResponseCode());
+ }
+
+ @Test
+ public void testAssureFormRace() throws IOException, SQLException {
+ URLConnection uc = buildupAssureFormConnection(true);
+ PreparedStatement ps = DatabaseConnection.getInstance()
+ .prepare("UPDATE `users` SET email='changed' WHERE id=?");
+ ps.setInt(1, assuree);
+ ps.execute();
+ uc.getOutputStream().write(
+ ("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10").getBytes());
+ uc.getOutputStream().flush();
+ String error = fetchStartErrorMessage(IOUtils.readURL(uc));
+ assertTrue(error, !error.startsWith(""));
+ }
+
 @Test
 public void testAssureFormFuture() throws IOException {
 SimpleDateFormat sdf = new SimpleDateFormat("YYYY");
- int year = Integer.parseInt(sdf.format(new Date(System
- .currentTimeMillis()))) + 2;
- String error = getError("date="
- + year
- + 
"-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
+ int year = Integer.parseInt(sdf.format(new Date(System.currentTimeMillis()))) + 2;
+ String error = getError("date=" + year
+ + "-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
 assertTrue(error, !error.startsWith(""));
 }
+
 @Test
 public void testAssureFormNoLoc() throws IOException {
 String error = getError("date=2000-01-01&location=a&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
@@ -98,6 +136,7 @@ public class TestAssurance extends ManagedTest {
 error = getError("date=&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
 assertTrue(error, !error.startsWith(""));
 }
+
 @Test
 public void testAssureFormBoxes() throws IOException {
 String error = getError("date=2000-01-01&location=testcase&certify=0&rules=1&CCAAgreed=1&assertion=1&points=10");
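Review bot: The final assertion of the new `testAssureFormRace`, `assertTrue(error, !error.startsWith(""))`, cannot pass for any non-null string because `String.startsWith("")` is always true, so as shown the test either fails or throws an NPE when `fetchStartErrorMessage` returns null; unless the literal lost its contents in extraction, it should assert what it means, e.g. `assertNotNull(error)`, or a prefix that the error div actually produces (the pre-existing tests in this hunk use the same idiom, so the mistake is shared rather than introduced here). Separately, `testAssureFormNoCSRF` and `testAssureFormWrongCSRF` pin the CSRF rejection as HTTP 500, which any unrelated exception in the form handler would also satisfy; if the page can answer a missing or wrong token with a deliberate 4xx, asserting that code (or at least the response body) would tie the tests to the CSRF check itself. The race test also leaves the assuree's e-mail set to `changed` for the rest of the run, which is only safe because `setup()` creates fresh users per test, and that dependency deserves a one-line comment above the UPDATE.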
@@ -109,24 +148,26 @@ public class TestAssurance extends ManagedTest {
 error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=z&points=10");
 assertTrue(error, !error.startsWith(""));
 }
- private String getError(String query) throws MalformedURLException,
- IOException {
- URLConnection uc = buildupAssureFormConnection();
+
+ private String getError(String query) throws MalformedURLException, IOException {
+ URLConnection uc = buildupAssureFormConnection(true);
 uc.getOutputStream().write((query).getBytes());
 uc.getOutputStream().flush();
 String error = fetchStartErrorMessage(IOUtils.readURL(uc));
 return error;
 }
- private URLConnection buildupAssureFormConnection()
- throws MalformedURLException, IOException {
- URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/"
- + assuree);
+
+ private URLConnection buildupAssureFormConnection(boolean doCSRF) throws MalformedURLException, IOException {
+ URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/" + assuree);
 URLConnection uc = u.openConnection();
 uc.addRequestProperty("Cookie", cookie);
- uc.getInputStream();// request form
+ String csrf = getCSRF(uc);
 uc = u.openConnection();
 uc.addRequestProperty("Cookie", cookie);
 uc.setDoOutput(true);
+ if (doCSRF) {
+ uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());
+ }
 return uc;
 }
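Review bot: In `buildupAssureFormConnection` the token from `getCSRF` is concatenated raw into the form body, `uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());`; if the token alphabet ever includes `&`, `=`, `+` or `%`, the body would be misparsed and the CSRF-positive tests would fail for the wrong reason, so `uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&").getBytes());` (URLEncoder is already imported) is the safer form. The helper also performs the GET that fetches the token even when `doCSRF` is false and then discards it, which is presumably intentional so the negative tests go through the same session state as the positive ones; a comment such as `// always fetch the form first so the session has a token; only attach it when doCSRF` would stop a reader from removing that call. Where `getCSRF` comes from is not visible in this hunk, so whether the token is bound to the session or to the form instance should be confirmed against ManagedTest before relying on it in further tests.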