Implement test for Wrong CSRF-Token in assurance Form.

author Felix Dörre <felix@dogcraft.de>

Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)

committer Felix Dörre <felix@dogcraft.de>

Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)
author Felix Dörre <felix@dogcraft.de>
Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)
committer Felix Dörre <felix@dogcraft.de>
Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)
diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java

index 769767cd76f41b1ff329fb17cf150d429aa0fa1e..cedbcde619f2a14d9b242745b3ce9ad318bcfc08 100644 (file)
--- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java
+++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
@@ -2,6 +2,7 @@ package org.cacert.gigi.pages.wot;
  
  import java.io.IOException;
  import java.io.UnsupportedEncodingException;
  
  import java.io.IOException;
  import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
  import java.net.MalformedURLException;
  import java.net.URL;
  import java.net.URLConnection;
  import java.net.MalformedURLException;
  import java.net.URL;
  import java.net.URLConnection;
@@ -77,9 +78,29 @@ public class TestAssurance extends ManagedTest {
                 assertTrue(error, error.startsWith("</div>"));
         }
  
                 assertTrue(error, error.startsWith("</div>"));
         }
  
+       @Test
+       public void testAssureFormNoCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
+       @Test
+       public void testAssureFormWrongCSRF() throws IOException {
+               // override csrf
+               HttpURLConnection uc = (HttpURLConnection) buildupAssureFormConnection(false);
+               uc.getOutputStream()
+                               .write(("date=2000-01-01&location=testcase&certify=1&rules=1&CCAAgreed=1&assertion=1&points=10&csrf=aragc")
+                                               .getBytes());
+               uc.getOutputStream().flush();
+               assertEquals(500, uc.getResponseCode());
+       }
         @Test
         public void testAssureFormRace() throws IOException, SQLException {
         @Test
         public void testAssureFormRace() throws IOException, SQLException {
-               URLConnection uc = buildupAssureFormConnection();
+               URLConnection uc = buildupAssureFormConnection(true);
                 PreparedStatement ps = DatabaseConnection.getInstance().prepare(
                                 "UPDATE `users` SET email='changed' WHERE id=?");
                 ps.setInt(1, assuree);
                 PreparedStatement ps = DatabaseConnection.getInstance().prepare(
                                 "UPDATE `users` SET email='changed' WHERE id=?");
                 ps.setInt(1, assuree);
@@ -129,13 +150,13 @@ public class TestAssurance extends ManagedTest {
         }
         private String getError(String query) throws MalformedURLException,
                         IOException {
         }
         private String getError(String query) throws MalformedURLException,
                         IOException {
-               URLConnection uc = buildupAssureFormConnection();
+               URLConnection uc = buildupAssureFormConnection(true);
                 uc.getOutputStream().write((query).getBytes());
                 uc.getOutputStream().flush();
                 String error = fetchStartErrorMessage(IOUtils.readURL(uc));
                 return error;
         }
                 uc.getOutputStream().write((query).getBytes());
                 uc.getOutputStream().flush();
                 String error = fetchStartErrorMessage(IOUtils.readURL(uc));
                 return error;
         }
-       private URLConnection buildupAssureFormConnection()
+       private URLConnection buildupAssureFormConnection(boolean doCSRF)
                         throws MalformedURLException, IOException {
                 URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/"
                                 + assuree);
                         throws MalformedURLException, IOException {
                 URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/"
                                 + assuree);
@@ -145,7 +166,9 @@ public class TestAssurance extends ManagedTest {
                 uc = u.openConnection();
                 uc.addRequestProperty("Cookie", cookie);
                 uc.setDoOutput(true);
                 uc = u.openConnection();
                 uc.addRequestProperty("Cookie", cookie);
                 uc.setDoOutput(true);
-               uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());
+               if (doCSRF) {
+                       uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes());
+               }
                 return uc;
         }
  
                 return uc;
         }
author	Felix Dörre <felix@dogcraft.de>
	Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)
committer	Felix Dörre <felix@dogcraft.de>
	Sat, 5 Jul 2014 00:11:15 +0000 (02:11 +0200)