Enforce POST requests to only contain POST data.

[gigi.git] / tests / org / cacert / gigi / pages / account / TestChangePassword.java

package org.cacert.gigi.pages.account;

import static org.junit.Assert.*;

import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

import org.cacert.gigi.GigiApiException;
import org.cacert.gigi.User;
import org.cacert.gigi.testUtils.IOUtils;
import org.cacert.gigi.testUtils.ManagedTest;
import org.junit.Test;

public class TestChangePassword extends ManagedTest {
        User u = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "uni@example.org", TEST_PASSWORD));
        String cookie;

        public TestChangePassword() throws IOException {
                cookie = login(u.getEmail(), TEST_PASSWORD);
                assertTrue(isLoggedin(cookie));
        }

        @Test
        public void testChangePasswordInternal() throws IOException, GigiApiException {
                try {
                        u.changePassword(TEST_PASSWORD + "wrong", TEST_PASSWORD + "v2");
                        fail("Password change must not succeed if old password is wrong.");
                } catch (GigiApiException e) {
                        // expected
                }
                ;
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));
                u.changePassword(TEST_PASSWORD, TEST_PASSWORD + "v2");
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
        }

        @Test
        public void testChangePasswordWeb() throws IOException {
                String error = executeChangePassword("oldpassword=" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword1=" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8")//
                        + "&pword2=" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8"));
                assertNull(error);
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

        }

        @Test
        public void testChangePasswordWebOldWrong() throws IOException {
                String error = executeChangePassword("oldpassword=a" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword1=" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8")//
                        + "&pword2=" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8"));
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

        }

        @Test
        public void testChangePasswordWebNewWrong() throws IOException {
                String error = executeChangePassword("oldpassword=" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword1=" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8")//
                        + "&pword2=a" + URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8"));
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

        }

        @Test
        public void testChangePasswordWebNewEasy() throws IOException {
                String error = executeChangePassword("oldpassword=" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword1=a&pword2=a");
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

        }

        @Test
        public void testChangePasswordWebMissingFields() throws IOException {
                String np = URLEncoder.encode(TEST_PASSWORD + "v2", "UTF-8");
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));
                String error = executeChangePassword("oldpassword=" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword1=" + np);
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

                error = executeChangePassword("oldpassword=" + URLEncoder.encode(TEST_PASSWORD, "UTF-8") //
                        + "&pword2=" + np);
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

                error = executeChangePassword("pword1=" + np + "&pword2=" + np);
                assertNotNull(error);
                assertFalse(isLoggedin(login(u.getEmail(), TEST_PASSWORD + "v2")));
                assertTrue(isLoggedin(login(u.getEmail(), TEST_PASSWORD)));

        }

        private String executeChangePassword(String query) throws IOException, MalformedURLException,
                UnsupportedEncodingException {
                URLConnection uc = new URL("https://" + getServerName() + ChangePasswordPage.PATH).openConnection();
                uc.addRequestProperty("Cookie", cookie);
                String csrf = getCSRF(uc);

                uc = new URL("https://" + getServerName() + ChangePasswordPage.PATH).openConnection();
                uc.addRequestProperty("Cookie", cookie);
                uc.setDoOutput(true);
                OutputStream os = uc.getOutputStream();
                os.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" //
                + query//
                ).getBytes());
                os.flush();
                String error = fetchStartErrorMessage(IOUtils.readURL(uc));
                return error;
        }

}