FalconCSRFFilterTest.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.falcon.security;

import org.apache.falcon.util.StartupProperties;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.HttpMethod;

/**
 * Test for FalconCSRFFilter using mock objects.
 */
public class FalconCSRFFilterTest {
    private static final String FALCON_CSRF_HEADER_DEFAULT = "FALCON-CSRF-FILTER";

    @Mock
    private HttpServletRequest mockRequest;

    @Mock
    private HttpServletResponse mockResponse;

    @Mock
    private FilterChain mockChain;

    @Mock
    private FilterConfig mockConfig;

    @BeforeClass
    public void setUp() throws Exception {
        MockitoAnnotations.initMocks(this);
    }

    @Test
    public void testCSRFEnabledAllowedMethodFromBrowser() throws Exception {
        StartupProperties.get().setProperty("falcon.security.csrf.enabled", "true");
        StartupProperties.get().setProperty("falcon.security.csrf.header", FALCON_CSRF_HEADER_DEFAULT);
        mockHeader("Mozilla/5.0", null);
        mockGetMethod();
        mockRunFilter();
        Mockito.verify(mockResponse, Mockito.never()).sendError(HttpServletResponse.SC_FORBIDDEN,
                RestCsrfPreventionFilter.CSRF_ERROR_MESSAGE);
    }

    @Test
    public void testCSRFEnabledNoCustomHeaderFromBrowser() throws Exception {
        StartupProperties.get().setProperty("falcon.security.csrf.enabled", "true");
        StartupProperties.get().setProperty("falcon.security.csrf.header", FALCON_CSRF_HEADER_DEFAULT);
        mockHeader("Mozilla/5.0", null);
        mockDeleteMethod();
        mockRunFilter();
        Mockito.verify(mockResponse).sendError(HttpServletResponse.SC_FORBIDDEN,
                RestCsrfPreventionFilter.CSRF_ERROR_MESSAGE);
    }

    @Test
    public void testCSRFEnabledIncludeCustomHeaderFromBrowser() throws Exception {
        StartupProperties.get().setProperty("falcon.security.csrf.enabled", "true");
        StartupProperties.get().setProperty("falcon.security.csrf.header", FALCON_CSRF_HEADER_DEFAULT);
        mockHeader("Mozilla/5.0", "");
        mockDeleteMethod();
        mockRunFilter();
        Mockito.verify(mockResponse, Mockito.never()).sendError(HttpServletResponse.SC_FORBIDDEN,
                RestCsrfPreventionFilter.CSRF_ERROR_MESSAGE);
    }

    @Test
    public void testCSRFEnabledAllowNonBrowserInteractionWithoutHeader() throws Exception {
        StartupProperties.get().setProperty("falcon.security.csrf.enabled", "true");
        StartupProperties.get().setProperty("falcon.security.csrf.header", FALCON_CSRF_HEADER_DEFAULT);
        mockHeader(null, null);
        mockDeleteMethod();
        mockRunFilter();
        Mockito.verify(mockResponse, Mockito.never()).sendError(HttpServletResponse.SC_FORBIDDEN,
                RestCsrfPreventionFilter.CSRF_ERROR_MESSAGE);
    }

    @Test
    public void testCSRFDisabledAllowAnyMethodFromBrowser() throws Exception {
        StartupProperties.get().setProperty("falcon.security.csrf.enabled", "false");
        StartupProperties.get().setProperty("falcon.security.csrf.header", FALCON_CSRF_HEADER_DEFAULT);
        mockHeader("Mozilla/5.0", null);
        mockDeleteMethod();
        mockRunFilter();
        Mockito.verify(mockResponse, Mockito.never()).sendError(HttpServletResponse.SC_FORBIDDEN,
                RestCsrfPreventionFilter.CSRF_ERROR_MESSAGE);
    }

    private void mockGetMethod() {
        mockMethod(HttpMethod.GET, "/entities/list");
    }

    private void mockDeleteMethod() {
        mockMethod(HttpMethod.DELETE, "/entities/delete/cluster/primaryCluster");
    }

    private void mockMethod(String method, String resource) {
        StringBuffer requestUrl = new StringBuffer("http://localhost" + resource);
        Mockito.when(mockRequest.getRequestURL()).thenReturn(requestUrl);
        Mockito.when(mockRequest.getRequestURI()).thenReturn("/api" + resource);
        Mockito.when(mockRequest.getPathInfo()).thenReturn(resource);
        Mockito.when(mockRequest.getMethod()).thenReturn(method);
    }

    private void mockHeader(String userAgent, String customHeader) {
        Mockito.when(mockRequest.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
        Mockito.when(mockRequest.getHeader(FALCON_CSRF_HEADER_DEFAULT)).thenReturn(customHeader);
    }

    private void mockRunFilter() throws Exception {
        Mockito.when(mockConfig.getInitParameter("methods-to-ignore")).thenReturn("GET");
        FalconCSRFFilter filter = new FalconCSRFFilter();
        filter.init(mockConfig);
        try {
            filter.doFilter(mockRequest, mockResponse, mockChain);
        } finally {
            filter.destroy();
        }
    }
}