1 package it.com.atlassian.rest.xsrf;
2
3 import com.atlassian.plugins.rest.common.security.jersey.XsrfResourceFilter;
4 import com.atlassian.plugins.rest.json.JsonObject;
5 import com.atlassian.rest.jersey.client.WebResourceFactory;
6 import com.atlassian.sal.core.xsrf.IndependentXsrfTokenAccessor;
7 import com.atlassian.sal.core.xsrf.IndependentXsrfTokenValidator;
8 import com.sun.jersey.api.client.UniformInterfaceException;
9 import com.sun.jersey.api.client.WebResource;
10 import org.junit.Before;
11 import org.junit.Test;
12
13 import javax.ws.rs.core.Cookie;
14 import javax.ws.rs.core.MediaType;
15
16 import static org.junit.Assert.*;
17
18
19
/**
 * Integration tests for the REST plugin's XSRF (cross-site request forgery) filter,
 * driven against the {@code xsrfCheck} test resource over an anonymous client.
 *
 * <p>Each test builds one request and asserts either that the resource answered
 * {@code "Request succeeded"} or that the call was rejected. A rejection is only
 * observable here through the {@link UniformInterfaceException} the Jersey client
 * raises, whose response body is {@code "XSRF check failed"}; the HTTP status of that
 * rejection is not asserted by these tests.
 *
 * <p>Two distinct ways of satisfying the filter are exercised: the opt-out request
 * header ({@link #addXsrf(WebResource.Builder)}) and the cookie/parameter token pair
 * (see {@link #testPostWithValidXsrfTokenSuccess()}).
 */
public class XsrfCheckTest {
    /** Request builder for the {@code xsrfCheck} resource; rebuilt before every test. */
    private WebResource.Builder webResource;

    /** Points {@link #webResource} at the versioned {@code xsrfCheck} resource. */
    @Before
    public void setUp() {
        webResource = WebResourceFactory.anonymous(WebResourceFactory.REST_VERSION, false)
                .path("xsrfCheck")
                .getRequestBuilder();
    }

    /** A plain GET carries no token and is not blocked. */
    @Test
    public void testGetSuccess() {
        assertSuccessful("GET", webResource);
    }

    /** A form-encoded POST without any token is the case the filter exists to stop. */
    @Test
    public void testPostFormBlocked() {
        assertBlocked("POST", asForm(webResource));
    }

    /** The same form-encoded POST passes once the opt-out header is present. */
    @Test
    public void testPostFormSuccess() {
        assertSuccessful("POST", asForm(addXsrf(webResource)));
    }

    /**
     * A JSON-bodied POST is accepted without a token. No Content-Type header is set
     * explicitly here, so the media type comes from the entity itself.
     */
    @Test
    public void testPostJsonSuccess() {
        assertSuccessful("POST", webResource.entity(new JsonObject()));
    }

    /** Form-encoded PUT is not subject to the check, as asserted here. */
    @Test
    public void testPutFormSuccess() {
        assertSuccessful("PUT", asForm(webResource));
    }

    /**
     * Token supplied both as the XSRF cookie and as the matching query parameter; the
     * two values agree, so the request goes through. The literal token is arbitrary —
     * as far as this test shows, only the equality of cookie and parameter matters.
     */
    @Test
    public void testPostWithValidXsrfTokenSuccess() {
        final String token = "abc123";
        webResource = WebResourceFactory.anonymous()
                .path("xsrfCheck")
                .queryParam(IndependentXsrfTokenValidator.XSRF_PARAM_NAME, token)
                .getRequestBuilder();
        webResource = asForm(webResource.cookie(xsrfCookie(token)));
        assertSuccessful("POST", webResource);
    }

    /** Cookie and query parameter disagree, so the request is rejected. */
    @Test
    public void testPostWithInvalidXsrfTokenBlocked() {
        final String token = "abc123";
        webResource = WebResourceFactory.anonymous(WebResourceFactory.REST_VERSION, false)
                .path("xsrfCheck")
                .queryParam(IndependentXsrfTokenValidator.XSRF_PARAM_NAME, "INCORRECT")
                .getRequestBuilder();
        webResource = asForm(webResource.cookie(xsrfCookie(token)));
        assertBlocked("POST", webResource);
    }

    /** A sub-resource annotated as excluded from XSRF protection accepts a bare form POST. */
    @Test
    public void testPostFormSuccessWithoutTokenOnXsrfProtectionExcludedAnnotatedResource() {
        webResource = WebResourceFactory.anonymous()
                .path("xsrfCheck")
                .path("xsrfProtectionExcludedResource")
                .getRequestBuilder();
        assertSuccessful("POST", asForm(webResource));
    }

    /** A sub-resource annotated as requiring the check rejects even a GET. */
    @Test
    public void testGetWithRequiresXsrfCheckBlocked() {
        webResource = WebResourceFactory.anonymous(WebResourceFactory.REST_VERSION, false)
                .path("xsrfCheck")
                .path("requiresXsrfCheckAnnotatedResource")
                .getRequestBuilder();
        assertBlocked("GET", webResource);
    }

    /**
     * Adds the filter's opt-out header, using the header name and value constants the
     * filter itself publishes.
     *
     * @param builder request to decorate
     * @return the same builder, with the header added
     */
    private WebResource.Builder addXsrf(WebResource.Builder builder) {
        return builder.header(XsrfResourceFilter.TOKEN_HEADER, XsrfResourceFilter.NO_CHECK);
    }

    /**
     * Marks the request as a form submission, the content type the filter inspects.
     *
     * @param builder request to decorate
     * @return the same builder, with {@code Content-Type} set
     */
    private static WebResource.Builder asForm(WebResource.Builder builder) {
        return builder.header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED);
    }

    /**
     * Builds the XSRF cookie under the key the token accessor publishes.
     *
     * @param value token value to carry in the cookie
     * @return a cookie pairing the XSRF cookie key with {@code value}
     */
    private static Cookie xsrfCookie(String value) {
        return new Cookie(IndependentXsrfTokenAccessor.XSRF_COOKIE_KEY, value);
    }

    /**
     * Issues the request and expects the resource's success body.
     *
     * @param method  HTTP method to use
     * @param request fully prepared request
     */
    private void assertSuccessful(String method, WebResource.Builder request) {
        final String body = request.method(method, String.class);
        assertEquals("Request succeeded", body);
    }

    /**
     * Issues the request and expects the client to raise a
     * {@link UniformInterfaceException} whose body is the filter's rejection message.
     * Only the body is checked; the response status is not inspected here.
     *
     * @param method  HTTP method to use
     * @param request fully prepared request
     */
    private void assertBlocked(String method, WebResource.Builder request) {
        UniformInterfaceException rejection = null;
        try {
            request.method(method, String.class);
        } catch (UniformInterfaceException e) {
            rejection = e;
        }
        // No exception means the server let the request through — that is the failure.
        assertNotNull("Request succeeded", rejection);
        assertEquals("XSRF check failed", rejection.getResponse().getEntity(String.class));
    }
}