1   // Copyright 2008-2013 The Apache Software Foundation
2   //
3   // Licensed under the Apache License, Version 2.0 (the "License");
4   // you may not use this file except in compliance with the License.
5   // You may obtain a copy of the License at
6   //
7   // http://www.apache.org/licenses/LICENSE-2.0
8   //
9   // Unless required by applicable law or agreed to in writing, software
10  // distributed under the License is distributed on an "AS IS" BASIS,
11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  // See the License for the specific language governing permissions and
13  // limitations under the License.
14  
15  package org.apache.tapestry5.internal.services;
16  
17  import org.apache.tapestry5.Link;
18  import org.apache.tapestry5.LinkSecurity;
19  import org.apache.tapestry5.MetaDataConstants;
20  import org.apache.tapestry5.internal.EmptyEventContext;
21  import org.apache.tapestry5.internal.test.InternalBaseTestCase;
22  import org.apache.tapestry5.services.*;
23  import org.testng.annotations.DataProvider;
24  import org.testng.annotations.Test;
25  
/**
 * Unit tests for {@link RequestSecurityManagerImpl}, the service that decides whether a request made
 * over an insecure channel must be redirected to the secure form of a page, and which
 * {@link LinkSecurity} applies to links for a page.
 * <p>
 * Every test follows the same mock lifecycle: record expectations, {@code replay()}, exercise the
 * manager, then {@code verify()}. No expectation is recorded for collaborators that a scenario should
 * leave untouched, so (assuming the base class's mocks reject unexpected calls; confirm in
 * InternalBaseTestCase) an unwanted metadata lookup or redirect fails the test.
 * <p>
 * NOTE(review): {@code checkForInsecurePageRenderRequest} is only exercised here with {@code true} as
 * the final constructor argument. A regression in that method's behaviour when the argument is
 * {@code false} would not be caught by this class.
 */
public class RequestSecurityManagerImplTest extends InternalBaseTestCase
{
    private static final String PAGE_NAME = "Whatever";

    /**
     * A request that already arrived over a secure channel never needs a redirect: the check returns
     * false, and no page metadata lookup, link creation or redirect is expected.
     */
    @Test
    public void check_request_is_secure() throws Exception
    {
        ComponentEventLinkEncoder linkEncoder = newMock(ComponentEventLinkEncoder.class);
        MetaDataLocator metaDataLocator = mockMetaDataLocator();
        Response resp = mockResponse();
        Request req = mockRequest();

        train_isSecure(req, true);

        replay();

        PageRenderRequestParameters renderParameters = newPageRenderParameters();

        RequestSecurityManager securityManager =
                new RequestSecurityManagerImpl(req, resp, linkEncoder, metaDataLocator, true);

        boolean redirected = securityManager.checkForInsecurePageRenderRequest(renderParameters);

        assertFalse(redirected);

        verify();
    }

    /**
     * An insecure request for a page whose SECURE_PAGE metadata is false is served as-is: the check
     * returns false and no redirect is expected on the response.
     */
    @Test
    public void check_page_not_secure() throws Exception
    {
        ComponentEventLinkEncoder linkEncoder = newMock(ComponentEventLinkEncoder.class);
        MetaDataLocator metaDataLocator = mockMetaDataLocator();
        Response resp = mockResponse();
        Request req = mockRequest();

        train_isSecure(req, false);

        train_isSecure(metaDataLocator, PAGE_NAME, false);

        replay();

        PageRenderRequestParameters renderParameters = newPageRenderParameters();

        RequestSecurityManager securityManager =
                new RequestSecurityManagerImpl(req, resp, linkEncoder, metaDataLocator, true);

        boolean redirected = securityManager.checkForInsecurePageRenderRequest(renderParameters);

        assertFalse(redirected);

        verify();
    }

    /**
     * An insecure request for a page whose SECURE_PAGE metadata is true must be bounced: the manager
     * asks the encoder for the page render link, sends that link as a redirect, and returns true.
     */
    @Test
    public void check_redirect_needed() throws Exception
    {
        ComponentEventLinkEncoder linkEncoder = newMock(ComponentEventLinkEncoder.class);
        Link redirectTarget = mockLink();
        MetaDataLocator metaDataLocator = mockMetaDataLocator();
        Response resp = mockResponse();
        Request req = mockRequest();

        // The same parameters instance is used for training the encoder and for the call under test.
        PageRenderRequestParameters renderParameters = newPageRenderParameters();

        train_isSecure(req, false);

        train_isSecure(metaDataLocator, PAGE_NAME, true);

        train_createPageRenderLink(linkEncoder, renderParameters, redirectTarget);

        // Recorded expectation (the mocks are not yet in replay state): the redirect must be issued
        // with exactly the link the encoder produced.
        resp.sendRedirect(redirectTarget);

        replay();

        RequestSecurityManager securityManager =
                new RequestSecurityManagerImpl(req, resp, linkEncoder, metaDataLocator, true);

        boolean redirected = securityManager.checkForInsecurePageRenderRequest(renderParameters);

        assertTrue(redirected);

        verify();
    }

    /**
     * Builds the page render parameters shared by the render-request tests: the test page name, an
     * empty event context and {@code false} as the third constructor argument.
     */
    private static PageRenderRequestParameters newPageRenderParameters()
    {
        return new PageRenderRequestParameters(PAGE_NAME, new EmptyEventContext(), false);
    }

    /**
     * Records the expectation that the encoder is asked for a page render link for the given
     * parameters and answers with the given link.
     */
    private void train_createPageRenderLink(ComponentEventLinkEncoder encoder, PageRenderRequestParameters parameters,
                                            Link link)
    {
        expect(encoder.createPageRenderLink(parameters)).andReturn(link);
    }

    /**
     * Rows for {@link #check_page_security}: whether the request is secure, whether the page is
     * marked secure, and the {@link LinkSecurity} expected for that combination.
     */
    @DataProvider
    public Object[][] check_page_security_data()
    {
        Object[][] rows = {
                // request and page agree: no scheme change is expected
                {true, true, LinkSecurity.SECURE},
                {false, false, LinkSecurity.INSECURE},
                // request and page disagree: the expected value is one of the FORCE_ constants
                {true, false, LinkSecurity.FORCE_INSECURE},
                {false, true, LinkSecurity.FORCE_SECURE}
        };

        return rows;
    }

    /**
     * Checks the {@link LinkSecurity} reported for a page for each combination of request security
     * and page SECURE_PAGE metadata supplied by {@link #check_page_security_data}.
     */
    @Test(dataProvider = "check_page_security_data")
    public void check_page_security(boolean secureRequest, boolean securePage, LinkSecurity expectedLinkSecurity)
    {
        ComponentEventLinkEncoder linkEncoder = newMock(ComponentEventLinkEncoder.class);
        MetaDataLocator metaDataLocator = mockMetaDataLocator();
        Response resp = mockResponse();
        Request req = mockRequest();

        train_isSecure(req, secureRequest);

        train_isSecure(metaDataLocator, PAGE_NAME, securePage);

        replay();

        RequestSecurityManager securityManager =
                new RequestSecurityManagerImpl(req, resp, linkEncoder, metaDataLocator, true);

        LinkSecurity actualLinkSecurity = securityManager.checkPageSecurity(PAGE_NAME);

        assertEquals(actualLinkSecurity, expectedLinkSecurity);

        verify();
    }

    /**
     * Records the expectation that the locator is asked for the SECURE_PAGE metadata of the named
     * page, as a Boolean, and answers with the given value.
     */
    private static void train_isSecure(MetaDataLocator locator, String pageName, boolean securePage)
    {
        expect(locator.findMeta(MetaDataConstants.SECURE_PAGE, pageName, Boolean.class)).andReturn(securePage);
    }

    /**
     * Rows for {@link #link_security_when_security_is_disabled}: whether the request is secure, and
     * the {@link LinkSecurity} expected for it.
     */
    @DataProvider
    public Object[][] security_disabled_data()
    {
        Object[][] rows = {
                {false, LinkSecurity.INSECURE},
                {true, LinkSecurity.SECURE}
        };

        return rows;
    }

    /**
     * https://issues.apache.org/jira/browse/TAP5-1511
     * <p>
     * With {@code false} as the final constructor argument (presumably the security-enabled flag,
     * going by the test name) the expected link security follows the request alone. No metadata
     * lookup is recorded on the locator and the encoder is {@code null}, so neither may be needed.
     */
    @Test(dataProvider = "security_disabled_data")
    public void link_security_when_security_is_disabled(boolean secureRequest, LinkSecurity expectedLinkSecurity)
    {
        MetaDataLocator metaDataLocator = mockMetaDataLocator();
        Response resp = mockResponse();
        Request req = mockRequest();

        train_isSecure(req, secureRequest);

        replay();

        RequestSecurityManager securityManager =
                new RequestSecurityManagerImpl(req, resp, null, metaDataLocator, false);

        LinkSecurity actualLinkSecurity = securityManager.checkPageSecurity(PAGE_NAME);

        assertEquals(actualLinkSecurity, expectedLinkSecurity);

        verify();
    }

}