Implement test for Wrong CSRF-Token in assurance Form.
index b81a433390d431c6914ae86b796a513573795d1b..cedbcde619f2a14d9b242745b3ce9ad318bcfc08 100644 (file)
@@ -2,6 +2,7 @@ package org.cacert.gigi.pages.wot;
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
@@ -11,8 +12,8 @@ import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 
-import org.cacert.gigi.IOUtils;
 import org.cacert.gigi.database.DatabaseConnection;
+import org.cacert.gigi.testUtils.IOUtils;
 import org.cacert.gigi.testUtils.ManagedTest;
 import org.junit.Before;
 import org.junit.Test;
@@ -77,9 +78,29 @@ public class TestAssurance extends ManagedTest {
                assertTrue(error, error.startsWith("</div>"));
        }
 
+       @Test
+       public void testAssureFormNoCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
+       @Test
+       public void testAssureFormWrongCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10&csrf=aragc")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
        @Test
        public void testAssureFormRace() throws IOException, SQLException {
-               URLConnection uc = buildupAssureFormConnection();
+               URLConnection uc = buildupAssureFormConnection(true);
                PreparedStatement ps = DatabaseConnection.getInstance().prepare(
                                "UPDATE `users` SET email='changed' WHERE id=?");
                ps.setInt(1, assuree);
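Review bot: Both new tests treat HTTP 500 as proof that the CSRF check rejected the request, but 500 is also what any uncaught exception in the form handler produces, so a crash before the token is ever examined would pass them as well (whether the server's rejection is a deliberate 500 or an unhandled exception is not visible in this hunk). Pin a signal only the token check can produce — a 4xx if the filter sends one, or the form's error text as `getError` already does for other failures — and, since the class already has `DatabaseConnection`, assert that no assurance for `assuree` was stored, because the property a CSRF check must guarantee is that the state change was not applied. The `// override csrf` comment on testAssureFormNoCSRF is inaccurate, since that test sends no token at all; say `// no csrf token at all`. The two method bodies differ only in the trailing `&csrf=aragc`, so a small helper removes the duplication and gives one place to strengthen the assertion.
```java
	private void assertCSRFRejected(String form) throws IOException {
		HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
		uc.getOutputStream().write(form.getBytes());
		uc.getOutputStream().flush();
		// TODO: assert the specific CSRF rejection signal (4xx or the form's error text)
		// and that no assurance for `assuree` was stored, not just "some server error"
		assertEquals(500, uc.getResponseCode());
	}

	@Test
	public void testAssureFormNoCSRF() throws IOException {
		// no csrf token at all
		assertCSRFRejected("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10");
	}

	@Test
	public void testAssureFormWrongCSRF() throws IOException {
		// wrong csrf token
		assertCSRFRejected("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10&csrf=aragc");
	}
	// … unchanged: testAssureFormRace …
```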
@@ -129,22 +150,25 @@ public class TestAssurance extends ManagedTest {
        }
        private String getError(String query) throws MalformedURLException,
                        IOException {
-               URLConnection uc = buildupAssureFormConnection();
+               URLConnection uc = buildupAssureFormConnection(true);
                uc.getOutputStream().write((query).getBytes());
                uc.getOutputStream().flush();
                String error = fetchStartErrorMessage(IOUtils.readURL(uc));
                return error;
        }
-       private URLConnection buildupAssureFormConnection()
+       private URLConnection buildupAssureFormConnection(boolean doCSRF)
                        throws MalformedURLException, IOException {
                URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/"
                                + assuree);
                URLConnection uc = u.openConnection();
                uc.addRequestProperty("Cookie", cookie);
-               uc.getInputStream();// request form
+               String csrf = getCSRF(uc);
                uc = u.openConnection();
                uc.addRequestProperty("Cookie", cookie);
                uc.setDoOutput(true);
+               if (doCSRF) {
+                       uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());
+               }
                return uc;
        }