open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48856 Commits
612 Branches
1167 Tags
4.4 GiB
Tag: Branch: Tree: ff629ad158
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff629ad158'
${ noResults }
nextcloud-server/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php

739 lines
21 KiB
Raw Normal View History Unescape

initial import of appframework
13 years ago
<?php
/**
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Lukas Reschke <lukas@owncloud.com>
initial import of appframework
13 years ago
*
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
initial import of appframework
13 years ago
*
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
initial import of appframework
13 years ago
*
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* This program is distributed in the hope that it will be useful,
initial import of appframework
13 years ago
* but WITHOUT ANY WARRANTY; without even the implied warranty of
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
initial import of appframework
13 years ago
*
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
initial import of appframework
13 years ago
*
*/
Fix namespaces in AppFramework tests
10 years ago
namespace Test\AppFramework\Middleware\Security;
initial import of appframework
13 years ago
Fix namespace for OCP\Appframework\Http To avoid having to use OCP\Appframework\Http\Http in the public - and stable - API OCP\Appframework\Http is now both a class and a namespace.
12 years ago
use OC\AppFramework\Http;
initial import of appframework
13 years ago
use OC\AppFramework\Http\Request;
Fix inconsistent nameing of AppFramework
10 years ago
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
use OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException;
Fix namespaces in AppFramework tests
10 years ago
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
implement most of the basic stuff that was suggested in #8290
12 years ago
use OC\AppFramework\Utility\ControllerMethodReflector;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
use OC\Security\CSP\ContentSecurityPolicy;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
use OC\Security\CSP\ContentSecurityPolicyManager;
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
use OCP\App\IAppManager;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
use OCP\AppFramework\Controller;
Add tests
9 years ago
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
make download and redirectresponse public
12 years ago
use OCP\AppFramework\Http\RedirectResponse;
kill superfluent classloader from tests - this approach might be of interest within the apps
13 years ago
use OCP\AppFramework\Http\JSONResponse;
Add tests
9 years ago
use OCP\AppFramework\Http\Response;
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
use OCP\AppFramework\Http\TemplateResponse;
Add tests
9 years ago
use OCP\IConfig;
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
use OCP\IL10N;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
use OCP\ILogger;
use OCP\INavigationManager;
use OCP\IRequest;
use OCP\IURLGenerator;
Add tests
9 years ago
use OCP\Security\ISecureRandom;
initial import of appframework
13 years ago
Make remaining files extend the test base
11 years ago
class SecurityMiddlewareTest extends \Test\TestCase {
initial import of appframework
13 years ago
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var SecurityMiddleware|\PHPUnit_Framework_MockObject_MockObject */
initial import of appframework
13 years ago
private $middleware;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject */
initial import of appframework
13 years ago
private $controller;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var SecurityException */
initial import of appframework
13 years ago
private $secException;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var SecurityException */
initial import of appframework
13 years ago
private $secAjaxException;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
initial import of appframework
13 years ago
private $request;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var ControllerMethodReflector */
implement most of the basic stuff that was suggested in #8290
12 years ago
private $reader;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */
fix 8757, get rid of service locator antipattern
12 years ago
private $logger;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var INavigationManager|\PHPUnit_Framework_MockObject_MockObject */
fix 8757, get rid of service locator antipattern
12 years ago
private $navigationManager;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var IURLGenerator|\PHPUnit_Framework_MockObject_MockObject */
fix 8757, get rid of service locator antipattern
12 years ago
private $urlGenerator;
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
/** @var ContentSecurityPolicyManager|\PHPUnit_Framework_MockObject_MockObject */
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
private $contentSecurityPolicyManager;
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
/** @var CsrfTokenManager|\PHPUnit_Framework_MockObject_MockObject */
private $csrfTokenManager;
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
private $cspNonceManager;
Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
/** @var IAppManager|\PHPUnit_Framework_MockObject_MockObject */
private $appManager;
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
/** @var IL10N|\PHPUnit_Framework_MockObject_MockObject */
private $l10n;
initial import of appframework
13 years ago
Make remaining files extend the test base
11 years ago
protected function setUp() {
parent::setUp();
Add tests
9 years ago
$this->controller = $this->createMock(Controller::class);
implement most of the basic stuff that was suggested in #8290
12 years ago
$this->reader = new ControllerMethodReflector();
Add tests
9 years ago
$this->logger = $this->createMock(ILogger::class);
$this->navigationManager = $this->createMock(INavigationManager::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);
$this->request = $this->createMock(IRequest::class);
$this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class);
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
$this->l10n = $this->createMock(IL10N::class);
fix 8757, get rid of service locator antipattern
12 years ago
$this->middleware = $this->getMiddleware(true, true);
initial import of appframework
13 years ago
$this->secException = new SecurityException('hey', false);
$this->secAjaxException = new SecurityException('hey', true);
}
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
private function getMiddleware(bool $isLoggedIn, bool $isAdminUser, bool $isAppEnabledForUser = true): SecurityMiddleware {
$this->appManager = $this->createMock(IAppManager::class);
$this->appManager->expects($this->any())
->method('isEnabledForUser')
->willReturn($isAppEnabledForUser);
fix 8757, get rid of service locator antipattern
12 years ago
return new SecurityMiddleware(
$this->request,
$this->reader,
$this->navigationManager,
$this->urlGenerator,
$this->logger,
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
'files',
fix 8757, get rid of service locator antipattern
12 years ago
$isLoggedIn,
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
$isAdminUser,
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
$this->contentSecurityPolicyManager,
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->csrfTokenManager,
Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
$this->cspNonceManager,
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
$this->appManager,
$this->l10n
fix 8757, get rid of service locator antipattern
12 years ago
);
initial import of appframework
13 years ago
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testSetNavigationEntry(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->navigationManager->expects($this->once())
->method('setActiveEntry')
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
->with($this->equalTo('files'));
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
initial import of appframework
13 years ago
}
Scrutinizer Auto-Fixes This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720 Enabled analysis tools: - PHP Analyzer - JSHint - PHP Copy/Paste Detector - PHP PDepend
12 years ago
/**
* @param string $method
* @param string $test
*/
initial import of appframework
13 years ago
private function ajaxExceptionStatus($method, $test, $status) {
fix 8757, get rid of service locator antipattern
12 years ago
$isLoggedIn = false;
$isAdminUser = false;
initial import of appframework
13 years ago
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
// isAdminUser requires isLoggedIn call to return true
if ($test === 'isAdminUser') {
fix 8757, get rid of service locator antipattern
12 years ago
$isLoggedIn = true;
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
}
fix 8757, get rid of service locator antipattern
12 years ago
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser);
initial import of appframework
13 years ago
try {
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, $method);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$sec->beforeController($this->controller, $method);
initial import of appframework
13 years ago
} catch (SecurityException $ex){
$this->assertEquals($status, $ex->getCode());
}
fix assertions
12 years ago
// add assertion if everything should work fine otherwise phpunit will
// complain
if ($status === 0) {
Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
$this->addToAssertionCount(1);
fix assertions
12 years ago
}
initial import of appframework
13 years ago
}
public function testAjaxStatusLoggedInCheck() {
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'isLoggedIn',
Http::STATUS_UNAUTHORIZED
);
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testAjaxNotAdminCheck() {
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'isAdminUser',
Http::STATUS_FORBIDDEN
);
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
initial import of appframework
13 years ago
*/
public function testAjaxStatusCSRFCheck() {
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'passesCSRFCheck',
Http::STATUS_PRECONDITION_FAILED
);
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testAjaxStatusAllGood() {
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'isLoggedIn',
0
);
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'isAdminUser',
0
);
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'isSubAdminUser',
0
);
$this->ajaxExceptionStatus(
fix assertions
12 years ago
__FUNCTION__,
initial import of appframework
13 years ago
'passesCSRFCheck',
0
);
}
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
initial import of appframework
13 years ago
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testNoChecks(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->request->expects($this->never())
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->method('passesCSRFCheck')
->will($this->returnValue(false));
fix 8757, get rid of service locator antipattern
12 years ago
$sec = $this->getMiddleware(false, false);
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$sec->beforeController($this->controller, __FUNCTION__);
initial import of appframework
13 years ago
}
Scrutinizer Auto-Fixes This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720 Enabled analysis tools: - PHP Analyzer - JSHint - PHP Copy/Paste Detector - PHP PDepend
12 years ago
/**
* @param string $method
* @param string $expects
*/
initial import of appframework
13 years ago
private function securityCheck($method, $expects, $shouldFail=false){
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
// admin check requires login
if ($expects === 'isAdminUser') {
fix 8757, get rid of service locator antipattern
12 years ago
$isLoggedIn = true;
$isAdminUser = !$shouldFail;
} else {
$isLoggedIn = !$shouldFail;
$isAdminUser = false;
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
}
fix 8757, get rid of service locator antipattern
12 years ago
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser);
initial import of appframework
13 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
if($shouldFail) {
Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
$this->expectException(SecurityException::class);
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
} else {
Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
$this->addToAssertionCount(1);
initial import of appframework
13 years ago
}
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, $method);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$sec->beforeController($this->controller, $method);
initial import of appframework
13 years ago
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
* @expectedException \OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException
initial import of appframework
13 years ago
*/
public function testCsrfCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->request->expects($this->once())
fixing all appframework unit tests
12 years ago
->method('passesCSRFCheck')
->will($this->returnValue(false));
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
->will($this->returnValue(true));
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
fixing all appframework unit tests
12 years ago
}
/**
* @PublicPage
* @NoCSRFRequired
*/
public function testNoCsrfCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->request->expects($this->never())
fixing all appframework unit tests
12 years ago
->method('passesCSRFCheck')
->will($this->returnValue(false));
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
initial import of appframework
13 years ago
}
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
/**
* @PublicPage
*/
public function testPassesCsrfCheck(){
$this->request->expects($this->once())
->method('passesCSRFCheck')
->will($this->returnValue(true));
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
->will($this->returnValue(true));
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
}
initial import of appframework
13 years ago
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @PublicPage
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
* @expectedException \OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException
initial import of appframework
13 years ago
*/
public function testFailCsrfCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->request->expects($this->once())
fixing all appframework unit tests
12 years ago
->method('passesCSRFCheck')
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->will($this->returnValue(false));
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
fixing all appframework unit tests
12 years ago
->will($this->returnValue(true));
fix 8757, get rid of service locator antipattern
12 years ago
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
initial import of appframework
13 years ago
}
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
/**
* @PublicPage
* @StrictCookieRequired
* @expectedException \OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException
*/
public function testStrictCookieRequiredCheck() {
$this->request->expects($this->never())
->method('passesCSRFCheck');
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
->will($this->returnValue(false));
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
}
/**
* @PublicPage
* @NoCSRFRequired
*/
public function testNoStrictCookieRequiredCheck() {
$this->request->expects($this->never())
->method('passesStrictCookieCheck')
->will($this->returnValue(false));
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
}
/**
* @PublicPage
* @NoCSRFRequired
* @StrictCookieRequired
*/
public function testPassesStrictCookieRequiredCheck() {
$this->request
->expects($this->once())
->method('passesStrictCookieCheck')
->willReturn(true);
$this->reader->reflect(__CLASS__, __FUNCTION__);
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->middleware->beforeController($this->controller, __FUNCTION__);
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
}
initial import of appframework
13 years ago
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
public function dataCsrfOcsController() {
$controller = $this->getMockBuilder('OCP\AppFramework\Controller')
->disableOriginalConstructor()
->getMock();
$ocsController = $this->getMockBuilder('OCP\AppFramework\OCSController')
->disableOriginalConstructor()
->getMock();
return [
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
[$controller, false, false, true],
[$controller, false, true, true],
[$controller, true, false, true],
[$controller, true, true, true],
[$ocsController, false, false, true],
[$ocsController, false, true, false],
[$ocsController, true, false, false],
[$ocsController, true, true, false],
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
];
}
/**
* @dataProvider dataCsrfOcsController
* @param Controller $controller
* @param bool $hasOcsApiHeader
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
* @param bool $hasBearerAuth
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
* @param bool $exception
*/
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
public function testCsrfOcsController(Controller $controller, bool $hasOcsApiHeader, bool $hasBearerAuth, bool $exception) {
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
$this->request
->method('getHeader')
Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
->will(self::returnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {
if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
return 'true';
}
if ($header === 'Authorization' && $hasBearerAuth) {
return 'Bearer TOKEN!';
}
return '';
}));
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
->willReturn(true);
try {
$this->middleware->beforeController($controller, 'foo');
$this->assertFalse($exception);
} catch (CrossSiteRequestForgeryException $e) {
$this->assertTrue($exception);
}
}
initial import of appframework
13 years ago
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @NoCSRFRequired
* @NoAdminRequired
initial import of appframework
13 years ago
*/
public function testLoggedInCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->securityCheck(__FUNCTION__, 'isLoggedIn');
initial import of appframework
13 years ago
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @NoCSRFRequired
* @NoAdminRequired
initial import of appframework
13 years ago
*/
public function testFailLoggedInCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->securityCheck(__FUNCTION__, 'isLoggedIn', true);
initial import of appframework
13 years ago
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testIsAdminCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->securityCheck(__FUNCTION__, 'isAdminUser');
initial import of appframework
13 years ago
}
/**
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
* @NoCSRFRequired
initial import of appframework
13 years ago
*/
public function testFailIsAdminCheck(){
fix 8757, get rid of service locator antipattern
12 years ago
$this->securityCheck(__FUNCTION__, 'isAdminUser', true);
initial import of appframework
13 years ago
}
public function testAfterExceptionNotCaughtThrowsItAgain(){
$ex = new \Exception();
Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
$this->expectException(\Exception::class);
initial import of appframework
13 years ago
$this->middleware->afterException($this->controller, 'test', $ex);
}
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
public function testAfterExceptionReturnsRedirectForNotLoggedInUser() {
initial import of appframework
13 years ago
$this->request = new Request(
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
[
'server' =>
[
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
]
],
Add tests
9 years ago
$this->createMock(ISecureRandom::class),
$this->createMock(IConfig::class)
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
);
$this->middleware = $this->getMiddleware(false, false);
$this->urlGenerator
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->expects($this->once())
->method('linkToRoute')
->with(
'core.login.showLoginForm',
[
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
'redirect_url' => 'nextcloud/index.php/apps/specialapp',
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
]
)
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
->will($this->returnValue('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp'));
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
$this->logger
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->expects($this->once())
Properly log the full exception instead of only the message Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
->method('logException');
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
$response = $this->middleware->afterException(
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
$this->controller,
'test',
new NotLoggedInException()
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
);
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
$expected = new RedirectResponse('http://localhost/nextcloud/index.php/login?redirect_url=nextcloud/index.php/apps/specialapp');
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
$this->assertEquals($expected , $response);
}
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
public function testAfterExceptionRedirectsToWebRootAfterStrictCookieFail() {
$this->request = new Request(
[
'server' => [
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp',
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
],
],
Add tests
9 years ago
$this->createMock(ISecureRandom::class),
$this->createMock(IConfig::class)
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
);
$this->middleware = $this->getMiddleware(false, false);
$response = $this->middleware->afterException(
$this->controller,
'test',
new StrictCookieMissingException()
);
$expected = new RedirectResponse(\OC::$WEBROOT);
$this->assertEquals($expected , $response);
}
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
/**
* @return array
*/
public function exceptionProvider() {
return [
[
new AppNotEnabledException(),
],
[
new CrossSiteRequestForgeryException(),
Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366
11 years ago
],
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
[
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
new NotAdminException(''),
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
],
];
}
/**
* @dataProvider exceptionProvider
* @param SecurityException $exception
*/
public function testAfterExceptionReturnsTemplateResponse(SecurityException $exception) {
$this->request = new Request(
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
[
'server' =>
[
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
9 years ago
'REQUEST_URI' => 'nextcloud/index.php/apps/specialapp'
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
]
],
Add tests
9 years ago
$this->createMock(ISecureRandom::class),
$this->createMock(IConfig::class)
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
);
$this->middleware = $this->getMiddleware(false, false);
$this->logger
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->expects($this->once())
Properly log the full exception instead of only the message Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
->method('logException');
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
$response = $this->middleware->afterException(
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
$this->controller,
'test',
$exception
fix 8757, get rid of service locator antipattern
12 years ago
);
Do not use file as template parameter Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
$expected = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
$expected->setStatus($exception->getCode());
$this->assertEquals($expected , $response);
initial import of appframework
13 years ago
}
public function testAfterAjaxExceptionReturnsJSONError(){
$response = $this->middleware->afterException($this->controller, 'test',
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
$this->secAjaxException);
initial import of appframework
13 years ago
$this->assertTrue($response instanceof JSONResponse);
}
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
public function testAfterController() {
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->cspNonceManager
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
->expects($this->once())
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
->method('browserSupportsCspV3')
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
->willReturn(false);
Add tests
9 years ago
$response = $this->createMock(Response::class);
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
$defaultPolicy = new ContentSecurityPolicy();
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
$currentPolicy = new ContentSecurityPolicy();
$currentPolicy->addAllowedConnectDomain('currentPolicy');
$mergedPolicy = new ContentSecurityPolicy();
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
$response
->expects($this->exactly(2))
->method('getContentSecurityPolicy')
->willReturn($currentPolicy);
$this->contentSecurityPolicyManager
->expects($this->once())
->method('getDefaultPolicy')
->willReturn($defaultPolicy);
$this->contentSecurityPolicyManager
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
->expects($this->once())
->method('mergePolicies')
->with($defaultPolicy, $currentPolicy)
->willReturn($mergedPolicy);
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
$response->expects($this->once())
->method('setContentSecurityPolicy')
->with($mergedPolicy);
$this->middleware->afterController($this->controller, 'test', $response);
}
Add tests
9 years ago
public function testAfterControllerEmptyCSP() {
$response = $this->createMock(Response::class);
$emptyPolicy = new EmptyContentSecurityPolicy();
$response->expects($this->any())
->method('getContentSecurityPolicy')
->willReturn($emptyPolicy);
$response->expects($this->never())
->method('setContentSecurityPolicy');
$this->middleware->afterController($this->controller, 'test', $response);
}
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
public function testAfterControllerWithContentSecurityPolicy3Support() {
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
$this->cspNonceManager
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
->expects($this->once())
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
->method('browserSupportsCspV3')
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
->willReturn(true);
$token = $this->createMock(CsrfToken::class);
$token
->expects($this->once())
->method('getEncryptedValue')
->willReturn('MyEncryptedToken');
$this->csrfTokenManager
->expects($this->once())
->method('getToken')
->willReturn($token);
$response = $this->createMock(Response::class);
$defaultPolicy = new ContentSecurityPolicy();
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
$currentPolicy = new ContentSecurityPolicy();
$currentPolicy->addAllowedConnectDomain('currentPolicy');
$mergedPolicy = new ContentSecurityPolicy();
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
$response
->expects($this->exactly(2))
->method('getContentSecurityPolicy')
->willReturn($currentPolicy);
$this->contentSecurityPolicyManager
->expects($this->once())
->method('getDefaultPolicy')
->willReturn($defaultPolicy);
$this->contentSecurityPolicyManager
->expects($this->once())
->method('mergePolicies')
->with($defaultPolicy, $currentPolicy)
->willReturn($mergedPolicy);
$response->expects($this->once())
->method('setContentSecurityPolicy')
->with($mergedPolicy);
$this->assertEquals($response, $this->middleware->afterController($this->controller, 'test', $response));
}
Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
public function dataRestrictedApp() {
return [
[false, false, false,],
[false, false, true,],
[false, true, false,],
[false, true, true,],
[ true, false, false,],
[ true, false, true,],
[ true, true, false,],
[ true, true, true,],
];
}
/**
* @PublicPage
* @NoAdminRequired
* @NoCSRFRequired
*/
public function testRestrictedAppLoggedInPublicPage() {
$middleware = $this->getMiddleware(true, false);
$this->reader->reflect(__CLASS__,__FUNCTION__);
$this->appManager->method('getAppPath')
->with('files')
->willReturn('foo');
$this->appManager->method('isEnabledForUser')
->with('files')
->willReturn(false);
$middleware->beforeController($this->controller, __FUNCTION__);
$this->addToAssertionCount(1);
}
/**
* @PublicPage
* @NoAdminRequired
* @NoCSRFRequired
*/
public function testRestrictedAppNotLoggedInPublicPage() {
$middleware = $this->getMiddleware(false, false);
$this->reader->reflect(__CLASS__,__FUNCTION__);
$this->appManager->method('getAppPath')
->with('files')
->willReturn('foo');
$this->appManager->method('isEnabledForUser')
->with('files')
->willReturn(false);
$middleware->beforeController($this->controller, __FUNCTION__);
$this->addToAssertionCount(1);
}
/**
* @NoAdminRequired
* @NoCSRFRequired
*/
public function testRestrictedAppLoggedIn() {
$middleware = $this->getMiddleware(true, false, false);
$this->reader->reflect(__CLASS__,__FUNCTION__);
$this->appManager->method('getAppPath')
->with('files')
->willReturn('foo');
$this->expectException(AppNotEnabledException::class);
$middleware->beforeController($this->controller, __FUNCTION__);
}
initial import of appframework
13 years ago
}