1   package com.atlassian.seraph.config;
2   
3   import com.atlassian.seraph.util.LocalMockHttpServletRequest;
4   
5   import java.util.HashMap;
6   import java.util.Map;
7   
8   import junit.framework.TestCase;
9   
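/**
 * Unit tests for {@link DefaultRedirectPolicy}, which decides whether a redirect destination
 * may be followed for a given incoming request.
 *
 * <p>The assertions below pin the following behaviour:
 * <ul>
 * <li>{@code init} rejects a null parameter map with {@link IllegalArgumentException};</li>
 * <li>with no {@code allow.any.redirect.url} parameter, or with it set to {@code "false"},
 * relative destinations are accepted and absolute destinations are accepted only when they
 * point at the same host and context path as the request (an open-redirect guard);</li>
 * <li>destinations containing a space, tab, CR or LF are rejected, which covers the
 * header-injection inputs listed in {@link #testAllowAnyFalse()};</li>
 * <li>with {@code allow.any.redirect.url=true} every destination is accepted, so that setting
 * switches the guard off entirely.</li>
 * </ul>
 *
 * <p>NOTE(review): not exercised here - scheme-relative destinations, a different scheme or
 * port on the same host, and userinfo in the authority. Worth adding once the expected results
 * are confirmed against DefaultRedirectPolicy.
 */
public class TestDefaultRedirectPolicy extends TestCase
{
    /** Name of the init parameter that disables the same-context restriction. */
    private static final String ALLOW_ANY_PARAM = "allow.any.redirect.url";

    private LocalMockHttpServletRequest mockJirarequest;

    @Override
    protected void setUp() throws Exception
    {
        // Set up the mock "incoming" request to look like: http://example.com/jira/login.jsp
        mockJirarequest = new LocalMockHttpServletRequest();
        mockJirarequest.setupScheme("http");
        mockJirarequest.setupServerName("example.com");
        mockJirarequest.setupPort(80);
        mockJirarequest.setupGetContextPath("/jira");
    }

    /** A null parameter map must be refused rather than silently treated as "no restrictions". */
    public void testNullParams()
    {
        try
        {
            new DefaultRedirectPolicy().init(null, null);
            fail("init(null, null) should throw IllegalArgumentException");
        }
        catch (final IllegalArgumentException ex)
        {
            // expected
        }
    }

    /** An empty parameter map must default to the restrictive (same-context only) behaviour. */
    public void testNullParameter() throws Exception
    {
        // initialise with an empty param map:
        final DefaultRedirectPolicy redirectPolicy = new DefaultRedirectPolicy();
        redirectPolicy.init(new HashMap<String, String>(), null);
        // Should not blow up, and should set isAllowAnyUrl=false.
        assertFalse(redirectPolicy.isAllowAnyUrl());
        // And act accordingly:
        assertOnlySameContextAllowed(redirectPolicy);
    }

    /** Explicit "false" behaves like the default and also rejects whitespace/CRLF in the target. */
    public void testAllowAnyFalse() throws Exception
    {
        // initialise with "allow.any.redirect.url=false"
        final DefaultRedirectPolicy redirectPolicy = new DefaultRedirectPolicy();
        final Map<String, String> params = new HashMap<String, String>();
        params.put(ALLOW_ANY_PARAM, "false");
        redirectPolicy.init(params, null);
        // Should not blow up, and should just disallow any URLs to a different context.
        assertFalse(redirectPolicy.isAllowAnyUrl());
        // And act accordingly:
        assertOnlySameContextAllowed(redirectPolicy);

        // Some testing for invalid URIs, including header injection: a destination that carries
        // whitespace or a line break must never be accepted, even when it starts with a valid
        // relative path.
        // NOTE(review): this listing repeated the space-separated case three times with identical
        // text; if the original used distinct whitespace characters they were lost - confirm.
        final String[] malformedDestinations = {
            "jira/admin/Stuff http://elsewhere",
            "jira/admin/Stuff\r\nhttp://elsewhere",
            "jira/admin/Stuff\rhttp://elsewhere",
            "jira/admin/Stuff\nhttp://elsewhere",
            "jira/admin/Stuff\thttp://elsewhere",
            "jira/admin/Stuff ",
        };
        for (final String destination : malformedDestinations)
        {
            assertRejected(redirectPolicy, destination);
        }
    }

    /**
     * With "allow.any.redirect.url=true" the policy accepts everything, including an absolute URL
     * and an empty string, and does not need the request at all (null is passed here).
     */
    public void testAllowAnyTrue() throws Exception
    {
        // initialise with "allow.any.redirect.url=true"
        final DefaultRedirectPolicy redirectPolicy = new DefaultRedirectPolicy();
        final Map<String, String> params = new HashMap<String, String>();
        params.put(ALLOW_ANY_PARAM, "true");
        redirectPolicy.init(params, null);
        // Should not blow up, and should just allow any.
        assertTrue(redirectPolicy.isAllowAnyUrl());
        assertTrue(redirectPolicy.allowedRedirectDestination("", null));
        assertTrue(redirectPolicy.allowedRedirectDestination("/jira/admin/Stuff", null));
        assertTrue(redirectPolicy.allowedRedirectDestination("http://example.com", null));
    }

    /**
     * Shared expectations for the restrictive mode, checked against the request built in
     * {@link #setUp()} (http://example.com/jira).
     */
    private void assertOnlySameContextAllowed(final DefaultRedirectPolicy redirectPolicy) throws Exception
    {
        // relative paths allowed
        assertAllowed(redirectPolicy, "jira/admin/Stuff");
        assertAllowed(redirectPolicy, "/jira/admin/Stuff");
        // absolute paths must stay in the same context: (http://example.com/jira/)
        assertRejected(redirectPolicy, "http://evil.com/jira/Stuff");
        assertAllowed(redirectPolicy, "http://example.com/jira/Stuff");
        assertRejected(redirectPolicy, "http://example.com/crowd/Stuff");
        // "/jiranot" merely shares a prefix with the context path; it is a different context.
        assertRejected(redirectPolicy, "http://example.com/jiranot");
        assertAllowed(redirectPolicy, "http://example.com/jira");
    }

    /** Asserts that the destination is accepted for the mock request, naming it on failure. */
    private void assertAllowed(final DefaultRedirectPolicy redirectPolicy, final String destination) throws Exception
    {
        assertTrue("expected redirect to be allowed: " + destination,
            redirectPolicy.allowedRedirectDestination(destination, mockJirarequest));
    }

    /** Asserts that the destination is refused for the mock request, naming it on failure. */
    private void assertRejected(final DefaultRedirectPolicy redirectPolicy, final String destination) throws Exception
    {
        assertFalse("expected redirect to be rejected: " + destination,
            redirectPolicy.allowedRedirectDestination(destination, mockJirarequest));
    }

}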