CheckCsrfTokenValveTests.java example

Explorer
citrus-master
/*
 * Copyright (c) 2002-2012 Alibaba Group Holding Limited.
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.alibaba.citrus.turbine.pipeline.valve;

import static com.alibaba.citrus.test.TestUtil.*;
import static org.junit.Assert.*;

import javax.servlet.http.HttpServletRequest;

import com.alibaba.citrus.service.pipeline.PipelineContext;
import com.alibaba.citrus.service.pipeline.PipelineException;
import com.alibaba.citrus.service.pipeline.Valve;
import com.alibaba.citrus.service.pipeline.impl.PipelineImpl;
import com.alibaba.citrus.turbine.util.CsrfToken;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;

public class CheckCsrfTokenValveTests extends AbstractValveTests {
    @Before
    public void initPipeline() {
        pipeline = (PipelineImpl) factory.getBean("checkCsrfToken_manually");
        assertNotNull(pipeline);
    }

    @Test
    public void checkCsrfToken_checkManually() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm");
        initRequestContext();

        CheckCsrfTokenValve valve = (CheckCsrfTokenValve) pipeline.getValves()[0];

        assertEquals("token", valve.getTokenKey());
        assertEquals("error.vm", valve.getExpiredPage());
        assertEquals(1, valve.getMaxTokens());
        assertEquals("mySecurity", valve.getLogName());

        try {
            pipeline.newInvocation().invoke();
            fail();
        } catch (PipelineException e) {
            assertThat(e, exception(IllegalArgumentException.class));
        }
    }

    @Test
    public void checkCsrfToken_noRequestToken() throws Exception {
        pipeline = (PipelineImpl) factory.getBean("checkCsrfToken");
        assertNotNull(pipeline);

        getInvocationContext("http://localhost/app1/a.vm");
        initRequestContext();

        newRequest.getSession().setAttribute("token", "aaa");
        pipeline.newInvocation().invoke();
        assertEquals("aaa", newRequest.getSession().getAttribute("token"));

        assertEquals(null, rundata.getRedirectTarget()); // no error
    }

    @Test
    public void checkCsrfToken_notMatch() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm?token=notMatch");
        initRequestContext();

        newRequest.getSession().setAttribute("token", "aaa");
        pipeline.newInvocation().invoke();
        assertEquals("aaa", newRequest.getSession().getAttribute("token"));

        assertEquals("error.vm", rundata.getRedirectTarget()); // redirect to error page
    }

    @Test
    public void checkCsrfToken_notMatch_tokens() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm?token=notMatch");
        initRequestContext();

        newRequest.getSession().setAttribute("token", "aaa,bbb,ccc");
        pipeline.newInvocation().invoke();
        assertEquals("aaa,bbb,ccc", newRequest.getSession().getAttribute("token"));

        assertEquals("error.vm", rundata.getRedirectTarget()); // redirect to error page
    }

    @Test
    public void checkCsrfToken_matched_longLiveToken() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm");
        initRequestContext();

        String token = CsrfToken.getLongLiveTokenInSession(newRequest.getSession());

        commitRequestContext();

        getInvocationContext("http://localhost/app1/a.vm?token=" + token);
        initRequestContext();

        pipeline.newInvocation().invoke();

        assertEquals(null, newRequest.getSession().getAttribute("token"));
        assertEquals(null, rundata.getRedirectTarget());
    }

    @Test
    public void checkCsrfToken_matched() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm?token=bbb");
        initRequestContext();

        newRequest.getSession().setAttribute("token", "bbb");
        pipeline.newInvocation().invoke();
        assertEquals(null, newRequest.getSession().getAttribute("token")); // removed last token

        assertEquals(null, rundata.getRedirectTarget()); // redirect to error page
    }

    @Test
    public void checkCsrfToken_matched_tokens() throws Exception {
        getInvocationContext("http://localhost/app1/a.vm?token=bbb");
        initRequestContext();

        newRequest.getSession().setAttribute("token", "aaa/bbb/ccc");
        pipeline.newInvocation().invoke();
        assertEquals("aaa/ccc", newRequest.getSession().getAttribute("token"));

        assertEquals(null, rundata.getRedirectTarget()); // redirect to error page
    }

    public static class CheckCsrfManually implements Valve {
        @Autowired
        private HttpServletRequest request;

        public void invoke(PipelineContext pipelineContext) throws Exception {
            if (!CsrfToken.check(request)) {
                throw new IllegalArgumentException();
            }
        }
    }
}