
Example 96 with AuthToken

Use of com.zimbra.cs.account.AuthToken in the project zm-mailbox by Zimbra.

Source: class TestCookieReuse, method testReuseUserCookieWithoutCsrf.

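/**
 * Verify that we CAN make a GET request by reusing a valid non-csrf-enabled cookie.
 *
 * <p>An auth token is issued for {@code USER_NAME} with CSRF checking switched off, placed into a
 * fresh {@link HttpState} for a second client ("eve"), and a REST GET made with that client is
 * expected to return 200.
 *
 * @throws Exception if the account, mailbox or HTTP request cannot be set up
 */
@Test
public void testReuseUserCookieWithoutCsrf() throws Exception {
    AuthToken at = AuthProvider.getAuthToken(TestUtil.getAccount(USER_NAME));
    ZMailbox mbox = TestUtil.getZMailbox(USER_NAME);
    URI uri = mbox.getRestURI("Inbox?fmt=rss&thief=false");
    // CSRF checking is off for this token, so the bare cookie alone must be accepted for the GET.
    at.setCsrfTokenEnabled(false);
    GetMethod get = new GetMethod(uri.toString());
    HttpClient eve = ZimbraHttpConnectionManager.getInternalHttpConnMgr().newHttpClient();
    // Seed a separate client ("eve") with the same auth cookie for the REST host.
    HttpState state = HttpClientUtil.newHttpState(new ZAuthToken(at.getEncoded()), uri.getHost(), false);
    eve.setState(state);
    eve.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
    try {
        int statusCode = HttpClientUtil.executeMethod(eve, get);
        Assert.assertEquals("This request should succeed. Getting status code " + statusCode
                + " Response: " + get.getResponseBodyAsString(), HttpStatus.SC_OK, statusCode);
    } finally {
        // Always hand the connection back to the shared connection manager, even when the
        // assertion fails, so the leaked connection cannot affect later tests.
        get.releaseConnection();
    }
}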

Example 97 with AuthToken

Use of com.zimbra.cs.account.AuthToken in the project zm-mailbox by Zimbra.

Source: class TestCookieReuse, method testReuseAdminCookieWithCsrf.

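/**
 * Verify that we CAN make an admin GET request by reusing a valid csrf-enabled cookie.
 *
 * <p>An admin auth token with CSRF enabled is encoded into a fresh {@link HttpState} as a cookie
 * for {@code localhost}; a GET against the collectconfig servlet on the admin port, carrying no
 * CSRF header, is expected to return 200.
 *
 * @throws Exception if the admin token or local server cannot be obtained, or the request fails
 */
@Test
public void testReuseAdminCookieWithCsrf() throws Exception {
    AuthToken at = AuthProvider.getAdminAuthToken();
    at.setCsrfTokenEnabled(true);
    Provisioning prov = Provisioning.getInstance();
    // Default to the conventional admin port 7071. The same value is passed as the attribute
    // default so an unset zimbraAdminPort keeps the fallback instead of collapsing to 0.
    int port = 7071;
    try {
        port = prov.getLocalServer().getIntAttr(Provisioning.A_zimbraAdminPort, 7071);
    } catch (ServiceException e) {
        ZimbraLog.test.error("Unable to get admin SOAP port", e);
    }
    String host = prov.getLocalServer().getName();
    String getServerConfigURL = "https://localhost:" + port + "/service/collectconfig/?host=" + host;
    HttpClient eve = ZimbraHttpConnectionManager.getInternalHttpConnMgr().newHttpClient();
    HttpState state = new HttpState();
    // Write the auth cookie into eve's cookie store for the localhost domain
    // (the boolean is presumably the admin-cookie flag — confirm against AuthToken.encode).
    at.encode(state, true, "localhost");
    eve.setState(state);
    GetMethod get = new GetMethod(getServerConfigURL);
    try {
        int statusCode = HttpClientUtil.executeMethod(eve, get);
        Assert.assertEquals("This request should succeed. Getting status code " + statusCode, HttpStatus.SC_OK, statusCode);
    } finally {
        // Release the connection back to the shared manager regardless of the outcome.
        get.releaseConnection();
    }
}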

Example 98 with AuthToken

Use of com.zimbra.cs.account.AuthToken in the project zm-mailbox by Zimbra.

Source: class TestCookieReuse, method testForgedNonCSRFAdminPost.

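/**
 * Verify that we CANNOT make an admin POST request with a non-CSRF-enabled auth token if
 * the auth token has an associated CSRF token.
 *
 * <p>CSRF enforcement is switched off on the admin token, a CSRF token is nevertheless generated
 * for it, and a SOAP {@link CreateAccountRequest} sent with that token is expected to fail with
 * {@link ServiceException#AUTH_REQUIRED}.
 *
 * @throws Exception if the admin token or SOAP transport cannot be obtained
 */
@Test
public void testForgedNonCSRFAdminPost() throws Exception {
    AuthToken at = AuthProvider.getAdminAuthToken();
    at.setCsrfTokenEnabled(false);
    // Associate a CSRF token with the auth token anyway; the server is expected to reject the
    // mismatched (non-CSRF-enabled) token on the POST below.
    CsrfUtil.generateCsrfToken(at.getAccountId(), at.getExpires(), new Random().nextInt() + 1, at);
    SoapTransport transport = TestUtil.getAdminSoapTransport();
    transport.setAuthToken(at.getEncoded());
    Map<String, Object> attrs = null;
    CreateAccountRequest request = new CreateAccountRequest(UNAUTHORIZED_USER, "test123", attrs);
    try {
        transport.invoke(JaxbUtil.jaxbToElement(request));
    } catch (ServiceException e) {
        // The message now names the code that is actually asserted (AUTH_REQUIRED).
        Assert.assertEquals("should be catching AUTH_REQUIRED here", ServiceException.AUTH_REQUIRED, e.getCode());
        return;
    }
    Assert.fail("should have caught an exception");
}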
