HADOOP-12691. Move files to correct location.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/da77f423
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/da77f423
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/da77f423
Branch: refs/heads/HDFS-1312
Commit: da77f423d142c4dda8810d4668edde3c7d2999e8
Parents: 995f06f
Author: cnauroth <[email protected]>
Authored: Sat Jan 16 07:47:37 2016 -0800
Committer: cnauroth <[email protected]>
Committed: Sat Jan 16 07:47:43 2016 -0800
----------------------------------------------------------------------
.../security/http/RestCsrfPreventionFilter.java | 89 ++++++
.../http/TestRestCsrfPreventionFilter.java | 276 +++++++++++++++++++
.../security/http/RestCsrfPreventionFilter.java | 89 ------
.../http/TestRestCsrfPreventionFilter.java | 276 -------------------
4 files changed, 365 insertions(+), 365 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/da77f423/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
new file mode 100644
index 0000000..50f95ad
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.http;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * This filter provides protection against cross site request forgery (CSRF)
+ * attacks for REST APIs. Enabling this filter on an endpoint results in the
+ * requirement of all client to send a particular (configurable) HTTP header
+ * with every request. In the absense of this header the filter will reject the
+ * attempt as a bad request.
+ */
+public class RestCsrfPreventionFilter implements Filter {
+ public static final String CUSTOM_HEADER_PARAM = "custom-header";
+ public static final String CUSTOM_METHODS_TO_IGNORE_PARAM =
+ "methods-to-ignore";
+ static final String HEADER_DEFAULT = "X-XSRF-HEADER";
+ static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
+ private String headerName = HEADER_DEFAULT;
+ private Set<String> methodsToIgnore = null;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+ if (customHeader != null) {
+ headerName = customHeader;
+ }
+ String customMethodsToIgnore =
+ filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
+ if (customMethodsToIgnore != null) {
+ parseMethodsToIgnore(customMethodsToIgnore);
+ } else {
+ parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
+ }
+ }
+
+ void parseMethodsToIgnore(String mti) {
+ String[] methods = mti.split(",");
+ methodsToIgnore = new HashSet<String>();
+ for (int i = 0; i < methods.length; i++) {
+ methodsToIgnore.add(methods[i]);
+ }
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ if (methodsToIgnore.contains(httpRequest.getMethod()) ||
+ httpRequest.getHeader(headerName) != null) {
+ chain.doFilter(request, response);
+ } else {
+ ((HttpServletResponse)response).sendError(
+ HttpServletResponse.SC_BAD_REQUEST,
+ "Missing Required Header for Vulnerability Protection");
+ }
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/da77f423/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
----------------------------------------------------------------------
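Review bot: `parseMethodsToIgnore` at the end of the hunk stores each comma-separated token verbatim, so a configured value such as `GET, OPTIONS` registers `" OPTIONS"` and the exact `contains` check in `doFilter` then silently stops ignoring that method; `methodsToIgnore.add(methods[i].trim());` would make the setting behave as written. The class Javadoc should also state what the protection rests on, since `doFilter` only tests `getHeader(headerName) != null`: e.g. `Any header value is accepted; the defence relies on browsers not attaching a custom header to a cross-origin request without a CORS preflight, so this header must not be allow-listed by a permissive CORS policy.` While there, `absense` should read `absence` and `all client` should read `all clients`. `methodsToIgnore` stays null until `init` runs, so `doFilter` on an uninitialised filter fails with a NullPointerException rather than a clear error; initialising the field from `METHODS_TO_IGNORE_DEFAULT` at declaration would close that edge.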
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
new file mode 100644
index 0000000..adf89f5
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
@@ -0,0 +1,276 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.http;
+
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.verify;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.mockito.Mockito;
+
+public class TestRestCsrfPreventionFilter {
+
+ private static final String EXPECTED_MESSAGE =
+ "Missing Required Header for Vulnerability Protection";
+ private static final String X_CUSTOM_HEADER = "X-CUSTOM_HEADER";
+
+ @Test
+ public void testNoHeaderDefaultConfig_badRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn(null);
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ verify(mockRes, atLeastOnce()).sendError(
+ HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+
+ @Test
+ public void testHeaderPresentDefaultConfig_goodRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn(null);
+
+ // CSRF HAS been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn("valueUnimportant");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testHeaderPresentCustomHeaderConfig_goodRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
+ thenReturn(X_CUSTOM_HEADER);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn(null);
+
+ // CSRF HAS been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).
+ thenReturn("valueUnimportant");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testMissingHeaderWithCustomHeaderConfig_badRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
+ thenReturn(X_CUSTOM_HEADER);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn(null);
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+
+ @Test
+ public void testMissingHeaderNoMethodsToIgnoreConfig_badRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn("");
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+ Mockito.when(mockReq.getMethod()).
+ thenReturn("GET");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+
+ @Test
+ public void testMissingHeaderIgnoreGETMethodConfig_goodRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn("GET");
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+ Mockito.when(mockReq.getMethod()).
+ thenReturn("GET");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testMissingHeaderMultipleIgnoreMethodsConfig_goodRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn("GET,OPTIONS");
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+ Mockito.when(mockReq.getMethod()).
+ thenReturn("OPTIONS");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testMissingHeaderMultipleIgnoreMethodsConfig_badRequest()
+ throws ServletException, IOException {
+ // Setup the configuration settings of the server
+ FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
+ Mockito.when(filterConfig.getInitParameter(
+ RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
+ thenReturn("GET,OPTIONS");
+
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
+ thenReturn(null);
+ Mockito.when(mockReq.getMethod()).
+ thenReturn("PUT");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
+ filter.init(filterConfig);
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/da77f423/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
----------------------------------------------------------------------
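Review bot: Of the four `_badRequest` tests only `testNoHeaderDefaultConfig_badRequest` verifies the rejection itself; `testMissingHeaderWithCustomHeaderConfig_badRequest`, `testMissingHeaderNoMethodsToIgnoreConfig_badRequest` and `testMissingHeaderMultipleIgnoreMethodsConfig_badRequest` assert only `Mockito.verifyZeroInteractions(mockChain)`, which would also pass if the filter dropped the request without sending any response. Adding `verify(mockRes).sendError(HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);` to each of them pins the 400 that the filter is meant to produce. The first four tests also leave `mockReq.getMethod()` unstubbed, so they exercise the default ignore list with a null method; stubbing a non-ignored method such as `"POST"` there would make the intent of those cases explicit.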
diff --git a/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java b/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
deleted file mode 100644
index 50f95ad..0000000
--- a/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security.http;
-
-import java.io.IOException;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * This filter provides protection against cross site request forgery (CSRF)
- * attacks for REST APIs. Enabling this filter on an endpoint results in the
- * requirement of all client to send a particular (configurable) HTTP header
- * with every request. In the absense of this header the filter will reject the
- * attempt as a bad request.
- */
-public class RestCsrfPreventionFilter implements Filter {
- public static final String CUSTOM_HEADER_PARAM = "custom-header";
- public static final String CUSTOM_METHODS_TO_IGNORE_PARAM =
- "methods-to-ignore";
- static final String HEADER_DEFAULT = "X-XSRF-HEADER";
- static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
- private String headerName = HEADER_DEFAULT;
- private Set<String> methodsToIgnore = null;
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
- if (customHeader != null) {
- headerName = customHeader;
- }
- String customMethodsToIgnore =
- filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
- if (customMethodsToIgnore != null) {
- parseMethodsToIgnore(customMethodsToIgnore);
- } else {
- parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
- }
- }
-
- void parseMethodsToIgnore(String mti) {
- String[] methods = mti.split(",");
- methodsToIgnore = new HashSet<String>();
- for (int i = 0; i < methods.length; i++) {
- methodsToIgnore.add(methods[i]);
- }
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- HttpServletRequest httpRequest = (HttpServletRequest)request;
- if (methodsToIgnore.contains(httpRequest.getMethod()) ||
- httpRequest.getHeader(headerName) != null) {
- chain.doFilter(request, response);
- } else {
- ((HttpServletResponse)response).sendError(
- HttpServletResponse.SC_BAD_REQUEST,
- "Missing Required Header for Vulnerability Protection");
- }
- }
-
- @Override
- public void destroy() {
- }
-}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/da77f423/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
----------------------------------------------------------------------
diff --git a/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java b/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
deleted file mode 100644
index adf89f5..0000000
--- a/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java
+++ /dev/null
@@ -1,276 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.security.http;
-
-import static org.mockito.Mockito.atLeastOnce;
-import static org.mockito.Mockito.verify;
-
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.junit.Test;
-import org.mockito.Mockito;
-
-public class TestRestCsrfPreventionFilter {
-
- private static final String EXPECTED_MESSAGE =
- "Missing Required Header for Vulnerability Protection";
- private static final String X_CUSTOM_HEADER = "X-CUSTOM_HEADER";
-
- @Test
- public void testNoHeaderDefaultConfig_badRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn(null);
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- verify(mockRes, atLeastOnce()).sendError(
- HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
- Mockito.verifyZeroInteractions(mockChain);
- }
-
- @Test
- public void testHeaderPresentDefaultConfig_goodRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn(null);
-
- // CSRF HAS been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn("valueUnimportant");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verify(mockChain).doFilter(mockReq, mockRes);
- }
-
- @Test
- public void testHeaderPresentCustomHeaderConfig_goodRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
- thenReturn(X_CUSTOM_HEADER);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn(null);
-
- // CSRF HAS been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).
- thenReturn("valueUnimportant");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verify(mockChain).doFilter(mockReq, mockRes);
- }
-
- @Test
- public void testMissingHeaderWithCustomHeaderConfig_badRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
- thenReturn(X_CUSTOM_HEADER);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn(null);
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verifyZeroInteractions(mockChain);
- }
-
- @Test
- public void testMissingHeaderNoMethodsToIgnoreConfig_badRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn("");
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
- Mockito.when(mockReq.getMethod()).
- thenReturn("GET");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verifyZeroInteractions(mockChain);
- }
-
- @Test
- public void testMissingHeaderIgnoreGETMethodConfig_goodRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn("GET");
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
- Mockito.when(mockReq.getMethod()).
- thenReturn("GET");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verify(mockChain).doFilter(mockReq, mockRes);
- }
-
- @Test
- public void testMissingHeaderMultipleIgnoreMethodsConfig_goodRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn("GET,OPTIONS");
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
- Mockito.when(mockReq.getMethod()).
- thenReturn("OPTIONS");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verify(mockChain).doFilter(mockReq, mockRes);
- }
-
- @Test
- public void testMissingHeaderMultipleIgnoreMethodsConfig_badRequest()
- throws ServletException, IOException {
- // Setup the configuration settings of the server
- FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
- Mockito.when(filterConfig.getInitParameter(
- RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
- thenReturn("GET,OPTIONS");
-
- // CSRF has not been sent
- HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
- Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
- thenReturn(null);
- Mockito.when(mockReq.getMethod()).
- thenReturn("PUT");
-
- // Objects to verify interactions based on request
- HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
- FilterChain mockChain = Mockito.mock(FilterChain.class);
-
- // Object under test
- RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
- filter.init(filterConfig);
- filter.doFilter(mockReq, mockRes, mockChain);
-
- Mockito.verifyZeroInteractions(mockChain);
- }
-}
