View Javadoc
1   /**
2    * Copyright 2005-2016 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.krad.service.impl;
17  
18  import org.junit.Before;
19  import org.junit.Test;
20  import org.junit.runner.RunWith;
21  import org.kuali.rice.core.api.config.property.ConfigurationService;
22  import org.kuali.rice.coreservice.framework.parameter.ParameterConstants;
23  import org.kuali.rice.coreservice.framework.parameter.ParameterService;
24  import org.kuali.rice.krad.util.KRADConstants;
25  import org.mockito.InjectMocks;
26  import org.mockito.Mock;
27  import org.mockito.runners.MockitoJUnitRunner;
28  import org.springframework.mock.web.MockHttpServletRequest;
29  import org.springframework.mock.web.MockHttpServletResponse;
30  
31  import static org.junit.Assert.*;
32  import static org.mockito.Mockito.when;
33  
34  @RunWith(MockitoJUnitRunner.class)
35  public class CsrfServiceImplTest {
36  
37      @Mock
38      private ConfigurationService configurationService;
39      @Mock
40      private ParameterService parameterService;
41  
42      @InjectMocks
43      private CsrfServiceImpl csrfService;
44  
45      @Before
46      public void setUp() {
47          setExemptPathsConfig(null);
48          setExemptPathsParam(null);
49          setCsrfEnabledConfig(true);
50          setCsrfEnabledParam(null);
51      }
52  
53      @Test
54      public void testIsExemptPath_NoExemptPaths() {
55          MockHttpServletRequest request = new MockHttpServletRequest();
56          request.setRequestURI("http://localhost/myurl");
57          assertFalse(csrfService.isExemptPath(request));
58      }
59  
60      @Test
61      public void testIsExemptPath_OneExemptPath_Config() {
62          setExemptPathsConfig("myurl");
63  
64          MockHttpServletRequest request = new MockHttpServletRequest();
65          request.setRequestURI("http://localhost/myurl");
66          assertTrue(csrfService.isExemptPath(request));
67  
68          request.setRequestURI("http://localhost/myurl2");
69          assertTrue(csrfService.isExemptPath(request));
70  
71          request.setRequestURI("http://localhost/myotherurl");
72          assertFalse(csrfService.isExemptPath(request));
73      }
74  
75      @Test
76      public void testIsExemptPath_MultipleExemptPaths_Config() {
77          setExemptPathsConfig("one,two,http://localhost/three");
78  
79          MockHttpServletRequest request = new MockHttpServletRequest();
80          request.setRequestURI("http://localhost/one");
81          assertTrue(csrfService.isExemptPath(request));
82  
83          request.setRequestURI("http://localhost/two");
84          assertTrue(csrfService.isExemptPath(request));
85  
86          request.setRequestURI("http://localhost/three");
87          assertTrue(csrfService.isExemptPath(request));
88      }
89  
90      @Test
91      public void testIsExemptPath_OneExemptPath_Param() {
92          setExemptPathsParam("myurl");
93  
94          MockHttpServletRequest request = new MockHttpServletRequest();
95          request.setRequestURI("http://localhost/myurl");
96          assertTrue(csrfService.isExemptPath(request));
97  
98          request.setRequestURI("http://localhost/myurl2");
99          assertTrue(csrfService.isExemptPath(request));
100 
101         request.setRequestURI("http://localhost/myotherurl");
102         assertFalse(csrfService.isExemptPath(request));
103     }
104 
105     @Test
106     public void testIsExemptPath_MultipleExemptPaths_Param() {
107         setExemptPathsParam("one,two,http://localhost/three");
108 
109         MockHttpServletRequest request = new MockHttpServletRequest();
110         request.setRequestURI("http://localhost/one");
111         assertTrue(csrfService.isExemptPath(request));
112 
113         request.setRequestURI("http://localhost/two");
114         assertTrue(csrfService.isExemptPath(request));
115 
116         request.setRequestURI("http://localhost/three");
117         assertTrue(csrfService.isExemptPath(request));
118     }
119 
120     @Test
121     public void testIsExemptPath_Param_Overrides_Config() {
122         setExemptPathsConfig("two");
123         setExemptPathsParam("one,http://localhost/three");
124 
125         MockHttpServletRequest request = new MockHttpServletRequest();
126         request.setRequestURI("http://localhost/one");
127         assertTrue(csrfService.isExemptPath(request));
128 
129         request.setRequestURI("http://localhost/three");
130         assertTrue(csrfService.isExemptPath(request));
131 
132         request.setRequestURI("four");
133         assertFalse(csrfService.isExemptPath(request));
134 
135         // parameter should override config
136         request.setRequestURI("http://localhost/two");
137         assertFalse(csrfService.isExemptPath(request));
138 
139     }
140 
141     @Test
142     public void testIsEnabled_Default() {
143         assertTrue(csrfService.isEnabled());
144     }
145 
146     @Test
147     public void testIsEnabled_Config() {
148         setCsrfEnabledConfig(false);
149         assertFalse(csrfService.isEnabled());
150 
151         setCsrfEnabledConfig(true);
152         assertTrue(csrfService.isEnabled());
153     }
154 
155     @Test
156     public void testIsEnabled_Param() {
157         setCsrfEnabledParam(false);
158         assertFalse(csrfService.isEnabled());
159 
160         setCsrfEnabledParam(true);
161         assertTrue(csrfService.isEnabled());
162     }
163 
164     @Test
165     public void testIsEnabled_Param_Overrides_Config() {
166         setCsrfEnabledConfig(true);
167         setCsrfEnabledParam(false);
168         assertFalse(csrfService.isEnabled());
169     }
170 
171     @Test(expected = IllegalArgumentException.class)
172     public void testValidateCsrfIfNecessary_NullRequest() {
173         csrfService.validateCsrfIfNecessary(null, new MockHttpServletResponse());
174     }
175 
176     @Test(expected = IllegalArgumentException.class)
177     public void testValidateCsrfIfNecessary_NullResponse() {
178         csrfService.validateCsrfIfNecessary(new MockHttpServletRequest(), null);
179     }
180 
181     @Test
182     public void testValidateCsrfIfNecessary() {
183         setCsrfEnabledConfig(false);
184 
185         MockHttpServletRequest request = new MockHttpServletRequest();
186         MockHttpServletResponse response = new MockHttpServletResponse();
187 
188         assertTrue(csrfService.validateCsrfIfNecessary(request, response));
189 
190         // enable csrf protection
191 
192         setCsrfEnabledConfig(true);
193         assertFalse(csrfService.validateCsrfIfNecessary(request, response));
194 
195         // now set an exempt path
196 
197         request = new MockHttpServletRequest();
198         response = new MockHttpServletResponse();
199 
200         setExemptPathsConfig("a");
201         request.setRequestURI("http://a");
202         assertTrue(csrfService.validateCsrfIfNecessary(request, response));
203 
204         request = new MockHttpServletRequest();
205         response = new MockHttpServletResponse();
206 
207         request.setRequestURI("http://b");
208         assertFalse(csrfService.validateCsrfIfNecessary(request, response));
209         assertEquals(403, response.getStatus());
210 
211     }
212 
213     @Test
214     public void testGetSessionToken() {
215         setCsrfEnabledConfig(true);
216 
217         MockHttpServletRequest request = new MockHttpServletRequest();
218         request.setMethod("GET");
219         MockHttpServletResponse response = new MockHttpServletResponse();
220         csrfService.validateCsrfIfNecessary(request, response);
221         assertNotNull(csrfService.getSessionToken(request));
222     }
223 
224     private void setCsrfEnabledParam(Boolean value) {
225         when(parameterService.getParameterValueAsBoolean(
226                 KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE,
227                 ParameterConstants.ALL_COMPONENT,
228                 KRADConstants.ParameterNames.CSRF_ENABLED_IND)).thenReturn(value);
229     }
230 
231     private void setCsrfEnabledConfig(boolean value) {
232         when(configurationService.getPropertyValueAsBoolean(KRADConstants.Config.CSRF_ENABLED, true)).thenReturn(value);
233     }
234 
235     private void setExemptPathsParam(String exemptPaths) {
236         when(parameterService.getParameterValueAsFilteredString(
237                 KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE,
238                 ParameterConstants.ALL_COMPONENT,
239                 KRADConstants.ParameterNames.CSRF_EXEMPT_PATHS)).thenReturn(exemptPaths);
240     }
241 
242     private void setExemptPathsConfig(String exemptPaths) {
243         when(configurationService.getPropertyValueAsString(KRADConstants.Config.CSRF_EXEMPT_PATHS)).thenReturn(exemptPaths);
244     }
245 
246 
247 
248 }
249