Implement test for wrong CSRF token in assurance form.
index 350b0a2ce0adfaee9a6970171d55b24a0b5a1a91..cedbcde619f2a14d9b242745b3ce9ad318bcfc08 100644 (file)
@@ -2,14 +2,18 @@ package org.cacert.gigi.pages.wot;
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 
-import org.cacert.gigi.IOUtils;
+import org.cacert.gigi.database.DatabaseConnection;
+import org.cacert.gigi.testUtils.IOUtils;
 import org.cacert.gigi.testUtils.ManagedTest;
 import org.junit.Before;
 import org.junit.Test;
@@ -70,9 +74,44 @@ public class TestAssurance extends ManagedTest {
        }
        @Test
        public void testAssureForm() throws IOException {
-               String error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1");
+               String error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, error.startsWith("</div>"));
        }
+
+       @Test
+       public void testAssureFormNoCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
+       @Test
+       public void testAssureFormWrongCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10&csrf=aragc")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
+       @Test
+       public void testAssureFormRace() throws IOException, SQLException {
+               URLConnection uc = buildupAssureFormConnection(true);
+               PreparedStatement ps = DatabaseConnection.getInstance().prepare(
+                               "UPDATE `users` SET email='changed' WHERE id=?");
+               ps.setInt(1, assuree);
+               ps.execute();
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               String error = fetchStartErrorMessage(IOUtils.readURL(uc));
+               assertTrue(error, !error.startsWith("</div>"));
+       }
        @Test
        public void testAssureFormFuture() throws IOException {
                SimpleDateFormat sdf = new SimpleDateFormat("YYYY");
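Review bot: `assertEquals(500, uc.getResponseCode())` in testAssureFormNoCSRF and testAssureFormWrongCSRF only proves the server failed, not that it rejected the token — any unhandled exception in the form handler yields the same status, so neither test can tell a CSRF rejection from an unrelated crash. Reading `uc.getErrorStream()` and asserting on the CSRF error text (or pinning a 4xx status once the server answers with one) would tie the assertion to the check under test. The `// override csrf` comment above both tests is misleading, since the first sends no token at all; `// no csrf token sent` and `// csrf token present but invalid` describe them. In testAssureFormRace the PreparedStatement `ps` is never closed; close it after `execute()` (finally block or try-with-resources). The bare `getBytes()` calls in these tests, and again in the third hunk, encode the form body with the platform default charset; `getBytes("UTF-8")` makes it explicit and matches the UnsupportedEncodingException the file already imports.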
@@ -80,53 +119,56 @@ public class TestAssurance extends ManagedTest {
                                .currentTimeMillis()))) + 2;
                String error = getError("date="
                                + year
-                               + "-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1");
+                               + "-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
        }
        @Test
        public void testAssureFormNoLoc() throws IOException {
-               String error = getError("date=2000-01-01&location=a&certify=1&rules=1&CCAAgreed=1&assertion=1");
+               String error = getError("date=2000-01-01&location=a&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
-               error = getError("date=2000-01-01&location=&certify=1&rules=1&CCAAgreed=1&assertion=1");
+               error = getError("date=2000-01-01&location=&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
        }
 
        @Test
        public void testAssureFormInvalDate() throws IOException {
-               String error = getError("date=20000101&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1");
+               String error = getError("date=20000101&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
-               error = getError("date=&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1");
+               error = getError("date=&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
        }
        @Test
        public void testAssureFormBoxes() throws IOException {
-               String error = getError("date=2000-01-01&location=testcase&certify=0&rules=1&CCAAgreed=1&assertion=1");
+               String error = getError("date=2000-01-01&location=testcase&certify=0&rules=1&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
-               error = getError("date=2000-01-01&location=testcase&certify=1&rules=&CCAAgreed=1&assertion=1");
+               error = getError("date=2000-01-01&location=testcase&certify=1&rules=&CCAAgreed=1&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
-               error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=a&assertion=1");
+               error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=a&assertion=1&points=10");
                assertTrue(error, !error.startsWith("</div>"));
-               error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=z");
+               error = getError("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=z&points=10");
                assertTrue(error, !error.startsWith("</div>"));
        }
        private String getError(String query) throws MalformedURLException,
                        IOException {
-               URLConnection uc = buildupAssureFormConnection();
+               URLConnection uc = buildupAssureFormConnection(true);
                uc.getOutputStream().write((query).getBytes());
                uc.getOutputStream().flush();
                String error = fetchStartErrorMessage(IOUtils.readURL(uc));
                return error;
        }
-       private URLConnection buildupAssureFormConnection()
+       private URLConnection buildupAssureFormConnection(boolean doCSRF)
                        throws MalformedURLException, IOException {
                URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/"
                                + assuree);
                URLConnection uc = u.openConnection();
                uc.addRequestProperty("Cookie", cookie);
-               uc.getInputStream();// request form
+               String csrf = getCSRF(uc);
                uc = u.openConnection();
                uc.addRequestProperty("Cookie", cookie);
                uc.setDoOutput(true);
+               if (doCSRF) {
+                       uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());
+               }
                return uc;
        }