1 package com.atlassian.plugins.rest.common.security.jersey;
2
3 import com.atlassian.plugins.rest.common.security.XsrfCheckFailedException;
4 import com.atlassian.sal.api.web.context.HttpContext;
5 import com.atlassian.sal.core.xsrf.IndependentXsrfTokenAccessor;
6 import com.atlassian.sal.core.xsrf.IndependentXsrfTokenValidator;
7 import com.atlassian.sal.core.xsrf.XsrfRequestValidatorImpl;
8 import com.sun.jersey.spi.container.ContainerRequest;
9 import org.junit.Before;
10 import org.junit.Test;
11 import org.junit.runner.RunWith;
12 import org.mockito.Mock;
13 import org.mockito.runners.MockitoJUnitRunner;
14
15 import javax.servlet.http.HttpServletRequest;
16 import javax.ws.rs.core.MediaType;
17 import java.net.URI;
18 import java.util.Arrays;
19
20 import static com.atlassian.plugins.rest.common.security.jersey.TestXsrfResourceFilter.addTokenHeaderToRequest;
21 import static org.mockito.Mockito.when;
22
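@RunWith(MockitoJUnitRunner.class)
public class TestOriginBasedXsrfResourceFilter {
    // Internet Explorer user agents. The tests below pin that a POST carrying the
    // NO_CHECK token header is let through for these, but not for Chrome.
    private static final String IE_8_UA = "Mozilla/4.0 (compatible; MSIE 8.0"
            + "; Windows NT 6.0; Trident/4.0)";
    private static final String IE_10_UA = "Mozilla/5.0 (compatible; "
            + "MSIE 10.0; Windows NT 6.2; Trident/6.0)";
    private static final String IE_11_UA = "Mozilla/5.0 "
            + "(Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
    // Representative non-IE browser user agent.
    private static final String CHROME_32_UA = "Mozilla/5.0 (Windows NT 6.2;"
            + " Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
            + "Chrome/32.0.1667.0 Safari/537.36";

    /** Filter under test, built fresh per test in {@link #setUp()}. */
    private XsrfResourceFilter xsrfResourceFilter;
    /** Jersey request handed to the filter; method, URI, media type and User-Agent are stubbed per test. */
    @Mock
    private ContainerRequest request;
    @Mock
    private HttpContext httpContext;
    /** Servlet request reached through {@code httpContext}; the token header is attached here. */
    @Mock
    private HttpServletRequest httpServletRequest;

    /**
     * Wires an {@link OriginBasedXsrfResourceFilter} with the SAL independent token
     * validator chain and stubs a baseline request: a POST to {@code http://default.com}
     * with no User-Agent, no media type and no token header. Tests that need a browser,
     * a content type or a token layer those stubs on top.
     *
     * NOTE(review): nothing in this class sets an Origin or Referer header even though the
     * filter under test is origin-based; confirm that coverage lives elsewhere.
     */
    @Before
    public void setUp() throws Exception {
        xsrfResourceFilter = new OriginBasedXsrfResourceFilter();
        xsrfResourceFilter.setXsrfRequestValidator(
                new XsrfRequestValidatorImpl(
                        new IndependentXsrfTokenValidator(
                                new IndependentXsrfTokenAccessor())));
        // POST is the state-changing default; the GET tests override it.
        when(request.getMethod()).thenReturn("POST");
        when(request.getRequestUri()).thenReturn(URI.create("http://default.com"));
        when(httpContext.getRequest()).thenReturn(httpServletRequest);
        xsrfResourceFilter.setHttpContext(httpContext);
    }

    /** A safe method is never blocked, even from a browser. */
    @Test
    public void browserGetRequestNotBlocked() throws Exception {
        when(request.getMethod()).thenReturn("GET");
        setBrowserUserAgentInRequest(request);
        xsrfResourceFilter.filter(request);
    }

    /** A safe method without any User-Agent is not blocked. */
    @Test
    public void nonBrowserGetRequestNotBlocked() throws Exception {
        when(request.getMethod()).thenReturn("GET");
        xsrfResourceFilter.filter(request);
    }

    /** A browser POST with a JSON body and no token is the cross-site case the filter must reject. */
    @Test(expected = XsrfCheckFailedException.class)
    public void browserPostJsonRequestBlocked() throws Exception {
        setBrowserUserAgentInRequest(request);
        setJsonContentTypeForRequest(request);
        xsrfResourceFilter.filter(request);
    }

    /**
     * The same JSON POST with no User-Agent header is accepted. This pins the filter's
     * treatment of a missing User-Agent as "not a browser"; the header is client-supplied,
     * so the assumption is documented here rather than hidden.
     */
    @Test
    public void nonBrowserPostJsonRequestNotBlocked() throws Exception {
        setJsonContentTypeForRequest(request);
        xsrfResourceFilter.filter(request);
    }

    /** The NO_CHECK token header does not exempt a non-IE browser (Chrome) from the check. */
    @Test(expected = XsrfCheckFailedException.class)
    public void NonIEBrowserPostJsonRequestWithTokenHeaderBlocked()
            throws Exception {
        addTokenHeaderToRequest(httpServletRequest, XsrfResourceFilter.NO_CHECK);
        setJsonContentTypeForRequest(request);
        setBrowserUserAgentInRequest(request, CHROME_32_UA);
        xsrfResourceFilter.filter(request);
    }

    /**
     * The NO_CHECK token header does exempt each supported Internet Explorer user agent.
     * Each user agent is checked in turn; a failure names the user agent that regressed
     * instead of surfacing only the bare exception.
     */
    @Test
    public void internetExplorerBrowserPostJsonRequestWithTokenHeaderNotBlocked()
            throws Exception {
        addTokenHeaderToRequest(httpServletRequest, XsrfResourceFilter.NO_CHECK);
        setJsonContentTypeForRequest(request);
        for (String userAgent : Arrays.asList(IE_8_UA, IE_10_UA, IE_11_UA)) {
            setBrowserUserAgentInRequest(request, userAgent);
            try {
                xsrfResourceFilter.filter(request);
            } catch (XsrfCheckFailedException e) {
                // initCause rather than the two-arg constructor to stay compatible with older JDKs.
                AssertionError failure = new AssertionError(
                        "XSRF check unexpectedly failed for user agent: " + userAgent);
                failure.initCause(e);
                throw failure;
            }
        }
    }

    /** A browser POST with no Content-Type at all is still rejected. */
    @Test(expected = XsrfCheckFailedException.class)
    public void browserPostNoContentTypeRequestBlocked() throws Exception {
        setBrowserUserAgentInRequest(request);
        setRequestContentType(request, null);
        xsrfResourceFilter.filter(request);
    }

    /** A POST with no Content-Type and no User-Agent is accepted. */
    @Test
    public void nonBrowserPostNoContentTypeRequestNotBlocked() throws Exception {
        setRequestContentType(request, null);
        xsrfResourceFilter.filter(request);
    }

    /** A browser POST with a content type a cross-site form can already produce (text/plain) is not blocked. */
    @Test
    public void browserPostXsrfContentTypeRequestNotBlocked() throws Exception {
        setBrowserUserAgentInRequest(request);
        setXsrfableContentType(request);
        xsrfResourceFilter.filter(request);
    }

    /** The text/plain POST without a User-Agent is likewise not blocked. */
    @Test
    public void nonBrowserPostXsrfContentTypeRequestNotBlocked() throws Exception {
        setXsrfableContentType(request);
        xsrfResourceFilter.filter(request);
    }

    /** Stubs the request media type as text/plain, a type a plain HTML form can submit. */
    private static void setXsrfableContentType(ContainerRequest request) {
        setRequestContentType(request, MediaType.TEXT_PLAIN_TYPE);
    }

    /** Stubs the request media type as application/json. */
    private static void setJsonContentTypeForRequest(ContainerRequest request) {
        setRequestContentType(request, MediaType.APPLICATION_JSON_TYPE);
    }

    /**
     * Stubs the media type the filter sees on the request.
     *
     * @param request   the mocked Jersey request
     * @param mediaType the media type to report; {@code null} models a request with no Content-Type
     */
    private static void setRequestContentType(ContainerRequest request,
                                              MediaType mediaType) {
        when(request.getMediaType()).thenReturn(mediaType);
    }

    /** Stubs the User-Agent header with the default (Chrome) browser user agent. */
    private static void setBrowserUserAgentInRequest(ContainerRequest request) {
        setBrowserUserAgentInRequest(request, CHROME_32_UA);
    }

    /**
     * Stubs the User-Agent header on the mocked request.
     *
     * @param request   the mocked Jersey request
     * @param userAgent the header value the filter will read
     */
    private static void setBrowserUserAgentInRequest(ContainerRequest request, String userAgent) {
        when(request.getHeaderValue("User-Agent")).thenReturn(userAgent);
    }

}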