Skip to content

Commit

Permalink
Refactored some bug demonstration scenarios in api test
Browse files Browse the repository at this point in the history
  • Loading branch information
Talank authored and phil-davis committed Oct 6, 2020
1 parent fd294d7 commit 818fb6b
Show file tree
Hide file tree
Showing 37 changed files with 1,255 additions and 0 deletions.
23 changes: 23 additions & 0 deletions tests/acceptance/features/apiAuth/corsOc10Issue34664.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
@api @skipOnOcV10 @notToImplementOnOCIS
Feature: CORS headers correct expected behavior for issue 34664

@issue-34664
Scenario Outline: CORS headers should be returned when setting CORS domain sending Origin header
Given user "Alice" has been created with default attributes and skeleton files
And using OCS API version "<ocs_api_version>"
And user "Alice" has added "https://aphno.badal" to the list of personal CORS domains
When user "Alice" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers
| header | value |
| Origin | https://aphno.badal |
Then the OCS status code should be "<ocs-code>"
And the HTTP status code should be "<http-code>"
Then the following headers should be set
| header | value |
| Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With |
| Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status |
| Access-Control-Allow-Origin | https://aphno.badal |
| Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT |
Examples:
| ocs_api_version | endpoint | ocs-code | http-code |
| 1 | /config | 100 | 200 |
| 2 | /config | 200 | 200 |
65 changes: 65 additions & 0 deletions tests/acceptance/features/apiAuth/corsOc10Issue34679.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
@api @skipOnOcV10 @notToImplementOnOCIS
Feature: CORS headers correct expected behavior for issue 34679

Background:
Given user "Alice" has been created with default attributes and skeleton files

@issue-34679 @files_sharing-app-required
Scenario Outline: CORS headers should be returned when invalid password is used
Given using OCS API version "<ocs_api_version>"
And user "Alice" has added "https://aphno.badal" to the list of personal CORS domains
When user "Alice" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers using password "invalid"
| header | value |
| Origin | https://aphno.badal |
Then the OCS status code should be "<ocs-code>"
And the HTTP status code should be "<http-code>"
Then the following headers should be set
| header | value |
| Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With |
| Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status |
| Access-Control-Allow-Origin | https://aphno.badal |
| Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT |
Examples:
| ocs_api_version | endpoint | ocs-code | http-code |
| 1 | /apps/files_external/api/v1/mounts | 997 | 401 |
| 2 | /apps/files_external/api/v1/mounts | 997 | 401 |
| 1 | /apps/files_sharing/api/v1/remote_shares | 997 | 401 |
| 2 | /apps/files_sharing/api/v1/remote_shares | 997 | 401 |
| 1 | /apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
| 2 | /apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
| 1 | /apps/files_sharing/api/v1/shares | 997 | 401 |
| 2 | /apps/files_sharing/api/v1/shares | 997 | 401 |
| 1 | /privatedata/getattribute | 997 | 401 |
| 2 | /privatedata/getattribute | 997 | 401 |
| 1 | /cloud/apps | 997 | 401 |
| 2 | /cloud/apps | 997 | 401 |
| 1 | /cloud/groups | 997 | 401 |
| 2 | /cloud/groups | 997 | 401 |
| 1 | /cloud/users | 997 | 401 |
| 2 | /cloud/users | 997 | 401 |

@issue-34679
Scenario Outline: CORS headers should be returned when invalid password is used (admin only endpoints)
Given using OCS API version "<ocs_api_version>"
And the administrator has added "https://aphno.badal" to the list of personal CORS domains
And user "another-admin" has been created with default attributes and without skeleton files
And user "another-admin" has been added to group "admin"
When user "another-admin" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers using password "invalid"
| header | value |
| Origin | https://aphno.badal |
Then the OCS status code should be "<ocs-code>"
And the HTTP status code should be "<http-code>"
Then the following headers should be set
| header | value |
| Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With |
| Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status |
| Access-Control-Allow-Origin | https://aphno.badal |
| Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT |
Examples:
| ocs_api_version | endpoint | ocs-code | http-code |
| 1 | /cloud/apps | 997 | 401 |
| 2 | /cloud/apps | 997 | 401 |
| 1 | /cloud/groups | 997 | 401 |
| 2 | /cloud/groups | 997 | 401 |
| 1 | /cloud/users | 997 | 401 |
| 2 | /cloud/users | 997 | 401 |
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
@api @files_sharing-app-required
@skipOnOcV10 @notToImplementOnOCIS
Feature: auth

@smokeTest @issue-32068 @issue-ocis-reva-30 @issue-ocis-reva-65
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send DELETE requests to OCS endpoints as admin with wrong password
Given user "another-admin" has been created with default attributes and without skeleton files
And user "another-admin" has been added to group "admin"
When user "another-admin" requests these endpoints with "DELETE" using password "invalid" about user "Alice"
| endpoint |
| /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
| /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
| /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 |
| /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 |
| /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
| /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 |
| /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 |
| /ocs/v1.php/cloud/apps/testing |
| /ocs/v2.php/cloud/apps/testing |
| /ocs/v1.php/cloud/groups/group1 |
| /ocs/v2.php/cloud/groups/group1 |
| /ocs/v1.php/cloud/users/%username% |
| /ocs/v2.php/cloud/users/%username% |
| /ocs/v1.php/cloud/users/%username%/groups |
| /ocs/v2.php/cloud/users/%username%/groups |
| /ocs/v1.php/cloud/users/%username%/subadmins |
| /ocs/v2.php/cloud/users/%username%/subadmins |
Then the HTTP status code of responses on all endpoints should be "401"
And the OCS status code of responses on all endpoints should be "401"
Loading

0 comments on commit 818fb6b

Please sign in to comment.