
1   package com.atlassian.plugins.rest.common.security.jersey;
2   
3   import com.atlassian.plugins.rest.common.security.XsrfCheckFailedException;
4   import com.atlassian.sal.api.web.context.HttpContext;
5   import com.atlassian.sal.core.xsrf.IndependentXsrfTokenAccessor;
6   import com.atlassian.sal.core.xsrf.IndependentXsrfTokenValidator;
7   import com.sun.jersey.spi.container.ContainerRequest;
8   import org.junit.Before;
9   import org.junit.Test;
10  import org.junit.runner.RunWith;
11  import org.mockito.Mock;
12  import org.mockito.runners.MockitoJUnitRunner;
13  
14  import javax.servlet.http.Cookie;
15  import javax.servlet.http.HttpServletRequest;
16  import javax.ws.rs.core.MediaType;
17  import java.util.Arrays;
18  
19  import static org.hamcrest.CoreMatchers.is;
20  import static org.junit.Assert.assertEquals;
21  import static org.junit.Assert.assertThat;
22  import static org.mockito.Mockito.when;
23  
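/**
 * Unit tests for {@link XsrfResourceFilter}.
 * <p>
 * The filter under test is wired with a real {@link IndependentXsrfTokenValidator} backed by an
 * {@link IndependentXsrfTokenAccessor}, so the token cases below exercise the actual
 * cookie-versus-form-parameter comparison rather than a mocked validator. The Jersey request,
 * the SAL {@link HttpContext} and the servlet request are Mockito mocks.
 * <p>
 * Behaviour pinned by these tests:
 * <ul>
 *   <li>a bare GET is rejected; a GET carrying {@code X-Atlassian-Token: nocheck} passes;</li>
 *   <li>a form-encoded POST is rejected unless it carries that header, or the form token matches
 *       the token in the XSRF cookie;</li>
 *   <li>a JSON POST and a form-encoded PUT are passed through without a token.</li>
 * </ul>
 * Rejection is signalled by {@link XsrfCheckFailedException}; acceptance by the filter returning
 * the very {@link ContainerRequest} it was handed.
 */
@RunWith (MockitoJUnitRunner.class)
public class TestXsrfResourceFilter
{
    /** Header the filter inspects for an explicit opt-out of the XSRF check. */
    private static final String XSRF_HEADER = "X-Atlassian-Token";
    /** Header value that the filter accepts as the opt-out. */
    private static final String XSRF_NOCHECK = "nocheck";

    private XsrfResourceFilter xsrfResourceFilter;
    @Mock
    private ContainerRequest request;
    @Mock
    private HttpContext httpContext;
    @Mock
    private HttpServletRequest httpServletRequest;

    /** Builds a fresh filter with a real (non-mocked) token validator before every test. */
    @Before
    public void setUp()
    {
        xsrfResourceFilter = new XsrfResourceFilter();
        xsrfResourceFilter.setXsrfTokenValidator(new IndependentXsrfTokenValidator(new IndependentXsrfTokenAccessor()));
    }

    /** A GET with neither opt-out header nor media type is rejected. */
    @Test(expected = XsrfCheckFailedException.class)
    public void testGetBlocked()
    {
        givenRequest("GET");
        xsrfResourceFilter.filter(request);
    }

    /** The opt-out header lets a GET through, and the filter returns the same request instance. */
    @Test
    public void testGetSuccess()
    {
        givenRequest("GET");
        givenNocheckHeader();
        assertThat(xsrfResourceFilter.filter(request), is(request));
    }

    /** A form-encoded POST with no header and no token is rejected. */
    @Test(expected = XsrfCheckFailedException.class)
    public void testPostBlocked()
    {
        givenRequest("POST", MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        xsrfResourceFilter.filter(request);
    }

    /** The opt-out header lets a form-encoded POST through. */
    @Test
    public void testPostSuccess()
    {
        givenRequest("POST", MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        givenNocheckHeader();
        assertThat(xsrfResourceFilter.filter(request), is(request));
    }

    /** A JSON POST is not subject to the check: it passes without header or token. */
    @Test
    public void testPostJsonSuccess()
    {
        givenRequest("POST", MediaType.APPLICATION_JSON_TYPE);
        assertThat(xsrfResourceFilter.filter(request), is(request));
    }

    /**
     * A form-encoded PUT passes without header or token. This pins the filter's scope as
     * POST-only for form bodies; widening it would have to change this expectation.
     */
    @Test
    public void testPutFormSuccess()
    {
        givenRequest("PUT", MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        assertThat(xsrfResourceFilter.filter(request), is(request));
    }

    /**
     * A form-encoded POST passes when the form token equals the cookie token. Several token
     * shapes are tried, including non-ASCII, because the comparison must not depend on the
     * token's character set.
     */
    @Test
    public void testPostWithValidXsrfTokenSuccess()
    {
        givenRequest("POST", MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        for (String validToken : Arrays.asList("abc123", "ffff", "FFFx3~324", "☃☃☃"))
        {
            givenXsrfTokens(validToken, validToken);
            assertThat(xsrfResourceFilter.filter(request), is(request));
        }
    }

    /** A form-encoded POST whose form token differs from the cookie token is rejected. */
    @Test(expected = XsrfCheckFailedException.class)
    public void testPostWithInvalidXsrfTokenBlocked()
    {
        givenRequest("POST", MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        givenXsrfTokens("abc123", "notabc123");
        xsrfResourceFilter.filter(request);
    }

    /** Stubs only the HTTP method; the media type is left unstubbed (Mockito default). */
    private void givenRequest(String method)
    {
        when(request.getMethod()).thenReturn(method);
    }

    /** Stubs the HTTP method and the request media type. */
    private void givenRequest(String method, MediaType mediaType)
    {
        when(request.getMethod()).thenReturn(method);
        when(request.getMediaType()).thenReturn(mediaType);
    }

    /** Stubs the opt-out header on the Jersey request. */
    private void givenNocheckHeader()
    {
        when(request.getHeaderValue(XSRF_HEADER)).thenReturn(XSRF_NOCHECK);
    }

    /**
     * Stubs the servlet request so its XSRF cookie carries {@code cookieToken} and its form
     * parameter carries {@code formToken}, then exposes it to the filter through the mocked
     * {@link HttpContext}.
     *
     * @param cookieToken value stored under {@link IndependentXsrfTokenAccessor#XSRF_COOKIE_KEY}
     * @param formToken value returned for {@link IndependentXsrfTokenValidator#XSRF_PARAM_NAME}
     */
    private void givenXsrfTokens(String cookieToken, String formToken)
    {
        Cookie[] cookies = {new Cookie(IndependentXsrfTokenAccessor.XSRF_COOKIE_KEY, cookieToken)};
        when(httpServletRequest.getCookies()).thenReturn(cookies);
        when(httpServletRequest.getParameter(IndependentXsrfTokenValidator.XSRF_PARAM_NAME)).thenReturn(formToken);
        when(httpContext.getRequest()).thenReturn(httpServletRequest);
        xsrfResourceFilter.setHttpContext(httpContext);
    }
}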