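// Copyright 2012 Google Inc. All Rights Reserved.
// Copyright 2014 The Macaron Authors
// Copyright 2020 The Gitea Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// SPDX-License-Identifier: Apache-2.0

package context

import (
	"encoding/base64"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
)

// Fixed inputs shared by the tests below. The values themselves are
// arbitrary; only whether a test reuses them or substitutes a different
// value matters.
const (
	key      = "quay"
	userID   = "12345678"
	actionID = "POST /form"
)

// now is captured once at package init so every token in this file is
// issued at the same instant and the window boundaries asserted below are
// exact rather than drifting between statements.
var (
	now              = time.Now()
	oneMinuteFromNow = now.Add(1 * time.Minute)
)

// Test_ValidToken checks the acceptance window of a correctly generated
// token: it stays valid up to (but excluding) CsrfTokenTimeout after issue,
// and is still accepted when the validating clock runs up to one minute
// behind the issuing clock (see the matching rejection in Test_InvalidToken).
func Test_ValidToken(t *testing.T) {
	t.Run("Validate token", func(t *testing.T) {
		tok := GenerateCsrfToken(key, userID, actionID, now)
		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, oneMinuteFromNow), "one minute after issue")
		// Last nanosecond before the timeout boundary must still be accepted;
		// Test_InvalidToken asserts that the boundary itself is rejected.
		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(CsrfTokenTimeout-1*time.Nanosecond)), "just before timeout")
		// Validating clock one minute behind the issuing clock.
		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(-1*time.Minute)), "one minute of clock skew")
	})
}

// Test_SeparatorReplacement tests that separators are being correctly
// substituted: a ":" inside one field must not let ("foo:bar", "baz") and
// ("foo", "bar:baz") collapse to the same token, otherwise two different
// (key, userID) pairs would share a CSRF token.
func Test_SeparatorReplacement(t *testing.T) {
	t.Run("Test two separator replacements", func(t *testing.T) {
		assert.NotEqual(t, GenerateCsrfToken("foo:bar", "baz", "wah", now),
			GenerateCsrfToken("foo", "bar:baz", "wah", now))
	})
}

// Test_InvalidToken checks that a token is rejected when any bound input
// (key, userID, actionID) differs, when it has reached CsrfTokenTimeout, or
// when it claims to be issued more than one minute in the future.
// Each table row runs as its own subtest so a failure names the case.
func Test_InvalidToken(t *testing.T) {
	t.Run("Test invalid tokens", func(t *testing.T) {
		invalidTokenTests := []struct {
			name, key, userID, actionID string
			t                           time.Time
		}{
			{"Bad key", "foobar", userID, actionID, oneMinuteFromNow},
			{"Bad userID", key, "foobar", actionID, oneMinuteFromNow},
			{"Bad actionID", key, userID, "foobar", oneMinuteFromNow},
			// Exactly CsrfTokenTimeout after issue is already expired;
			// Test_ValidToken accepts one nanosecond less than this.
			{"Expired", key, userID, actionID, now.Add(CsrfTokenTimeout)},
			// One minute of skew is tolerated (Test_ValidToken); one
			// nanosecond more is not.
			{"More than 1 minute from the future", key, userID, actionID, now.Add(-1*time.Nanosecond - 1*time.Minute)},
		}

		tok := GenerateCsrfToken(key, userID, actionID, now)
		for _, itt := range invalidTokenTests {
			t.Run(itt.name, func(t *testing.T) {
				assert.False(t, ValidCsrfToken(tok, itt.key, itt.userID, itt.actionID, itt.t))
			})
		}
	})
}

// Test_ValidateBadData primarily tests that no unexpected panics are
// triggered during parsing of malformed tokens, and that every such token
// is rejected. Each table row runs as its own subtest so a failure names
// the case.
func Test_ValidateBadData(t *testing.T) {
	t.Run("Validate bad data", func(t *testing.T) {
		badDataTests := []struct {
			name, tok string
		}{
			{"Empty token", ""},
			{"Invalid Base64", "ASDab24(@)$*=="},
			{"No delimiter", base64.URLEncoding.EncodeToString([]byte("foobar12345678"))},
			{"Invalid time", base64.URLEncoding.EncodeToString([]byte("foobar:foobar"))},
		}

		for _, bdt := range badDataTests {
			t.Run(bdt.name, func(t *testing.T) {
				assert.False(t, ValidCsrfToken(bdt.tok, key, userID, actionID, oneMinuteFromNow))
			})
		}
	})
}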