-
Notifications
You must be signed in to change notification settings - Fork 187
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
35d4cb5
commit c59392b
Showing
336 changed files
with
52,903 additions
and
0 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
85 changes: 85 additions & 0 deletions
85
tests/acceptance/features/coreApiAuth/corsOc10Issue34679.feature
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| @api @notToImplementOnOCIS | ||
| Feature: CORS headers current oC10 behavior for issue-34679 | ||
|
|
||
| Background: | ||
| Given user "Alice" has been created with default attributes and without skeleton files | ||
|
|
||
| @issue-34679 | ||
| Scenario Outline: CORS headers should be returned when invalid password is used | ||
| Given using OCS API version "<ocs_api_version>" | ||
| And user "Alice" has added "https://aphno.badal" to the list of personal CORS domains | ||
| When user "Alice" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers using password "invalid" | ||
| | header | value | | ||
| | Origin | https://aphno.badal | | ||
| Then the OCS status code should be "<ocs-code>" | ||
| And the HTTP status code should be "<http-code>" | ||
| And the following headers should not be set | ||
| | header | | ||
| | Access-Control-Allow-Headers | | ||
| | Access-Control-Expose-Headers | | ||
| | Access-Control-Allow-Origin | | ||
| | Access-Control-Allow-Methods | | ||
| #Then the following headers should be set | ||
| # | header | value | | ||
| # | Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With | | ||
| # | Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status | | ||
| # | Access-Control-Allow-Origin | https://aphno.badal | | ||
| # | Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT | | ||
| Examples: | ||
| | ocs_api_version | endpoint | ocs-code | http-code | | ||
| | 1 | /privatedata/getattribute | 997 | 401 | | ||
| | 2 | /privatedata/getattribute | 997 | 401 | | ||
| | 1 | /cloud/apps | 997 | 401 | | ||
| | 2 | /cloud/apps | 997 | 401 | | ||
| | 1 | /cloud/groups | 997 | 401 | | ||
| | 2 | /cloud/groups | 997 | 401 | | ||
| | 1 | /cloud/users | 997 | 401 | | ||
| | 2 | /cloud/users | 997 | 401 | | ||
|
|
||
| @files_external-app-required @notToImplementOnOCIS | ||
| Examples: | ||
| | ocs_api_version | endpoint | ocs-code | http-code | | ||
| | 1 | /apps/files_external/api/v1/mounts | 997 | 401 | | ||
| | 2 | /apps/files_external/api/v1/mounts | 997 | 401 | | ||
|
|
||
| @files_sharing-app-required | ||
| Examples: | ||
| | ocs_api_version | endpoint | ocs-code | http-code | | ||
| | 1 | /apps/files_sharing/api/v1/remote_shares | 997 | 401 | | ||
| | 2 | /apps/files_sharing/api/v1/remote_shares | 997 | 401 | | ||
| | 1 | /apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | | ||
| | 2 | /apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 | | ||
| | 1 | /apps/files_sharing/api/v1/shares | 997 | 401 | | ||
| | 2 | /apps/files_sharing/api/v1/shares | 997 | 401 | | ||
|
|
||
| @issue-34679 | ||
| Scenario Outline: CORS headers should be returned when invalid password is used (admin only endpoints) | ||
| Given using OCS API version "<ocs_api_version>" | ||
| And the administrator has added "https://aphno.badal" to the list of personal CORS domains | ||
| And user "another-admin" has been created with default attributes and without skeleton files | ||
| And user "another-admin" has been added to group "admin" | ||
| When user "another-admin" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers using password "invalid" | ||
| | header | value | | ||
| | Origin | https://aphno.badal | | ||
| Then the OCS status code should be "<ocs-code>" | ||
| And the HTTP status code should be "<http-code>" | ||
| And the following headers should not be set | ||
| | header | | ||
| | Access-Control-Allow-Headers | | ||
| | Access-Control-Expose-Headers | | ||
| | Access-Control-Allow-Origin | | ||
| | Access-Control-Allow-Methods | | ||
| #Then the following headers should be set | ||
| # | header | value | | ||
| # | Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With | | ||
| # | Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status | | ||
| # | Access-Control-Allow-Origin | https://aphno.badal | | ||
| # | Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT | | ||
| Examples: | ||
| | ocs_api_version | endpoint | ocs-code | http-code | | ||
| | 1 | /cloud/apps | 997 | 401 | | ||
| | 2 | /cloud/apps | 997 | 401 | | ||
| | 1 | /cloud/groups | 997 | 401 | | ||
| | 2 | /cloud/groups | 997 | 401 | | ||
| | 1 | /cloud/users | 997 | 401 | | ||
| | 2 | /cloud/users | 997 | 401 | |
40 changes: 40 additions & 0 deletions
40
tests/acceptance/features/coreApiAuth/filesAppAuth.feature
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| @api @notToImplementOnOCIS @issue-ocis-reva-28 | ||
| Feature: auth | ||
|
|
||
| Background: | ||
| Given user "Alice" has been created with default attributes and without skeleton files | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app anonymously | ||
| When a user requests "/index.php/apps/files" with "GET" and no authentication | ||
| Then the HTTP status code should be "401" | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app with basic auth | ||
| When user "Alice" requests "/index.php/apps/files" with "GET" using basic auth | ||
| Then the HTTP status code should be "200" | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app with basic token auth | ||
| Given a new client token for "Alice" has been generated | ||
| When user "Alice" requests "/index.php/apps/files" with "GET" using basic token auth | ||
| Then the HTTP status code should be "200" | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app with a client token | ||
| Given a new client token for "Alice" has been generated | ||
| When the user requests "/index.php/apps/files" with "GET" using the generated client token | ||
| Then the HTTP status code should be "200" | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app with browser session | ||
| Given a new browser session for "Alice" has been started | ||
| When the user requests "/index.php/apps/files" with "GET" using the browser session | ||
| Then the HTTP status code should be "200" | ||
|
|
||
| @smokeTest | ||
| Scenario: access files app with an app password | ||
| Given a new browser session for "Alice" has been started | ||
| And the user has generated a new app password named "my-client" | ||
| When the user requests "/index.php/apps/files" with "GET" using the generated app password | ||
| Then the HTTP status code should be "200" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| @api @notToImplementOnOCIS @issue-ocis-reva-28 @issue-ocis-reva-37 | ||
| Feature: tokenAuth | ||
|
|
||
| Background: | ||
| Given using OCS API version "1" | ||
| And user "Alice" has been created with default attributes and without skeleton files | ||
| And token auth has been enforced | ||
|
|
||
|
|
||
| Scenario: creating a user with basic auth should be blocked when token auth is enforced | ||
| Given user "brand-new-user" has been deleted | ||
| When the administrator sends a user creation request for user "brand-new-user" password "%alt1%" using the provisioning API | ||
| Then the OCS status code should be "997" | ||
| And the HTTP status code should be "401" | ||
|
|
||
|
|
||
| Scenario: moving a file should be blocked when token auth is enforced | ||
| Given using new DAV path | ||
| When user "Alice" moves file "/textfile0.txt" to "/renamed_textfile0.txt" using the WebDAV API | ||
| Then the HTTP status code should be "401" | ||
|
|
||
| @smokeTest | ||
| Scenario: can access files app with an app password when token auth is enforced | ||
| Given a new browser session for "Alice" has been started | ||
| And the user has generated a new app password named "my-client" | ||
| When the user requests "/index.php/apps/files" with "GET" using the generated app password | ||
| Then the HTTP status code should be "200" | ||
|
|
||
|
|
||
| Scenario: cannot access files app with an app password that is deleted when token auth is enforced | ||
| Given a new browser session for "Alice" has been started | ||
| And the user has generated a new app password named "my-client" | ||
| And the user has deleted the app password named "my-client" | ||
| When the user requests "/index.php/apps/files" with "GET" using the generated app password | ||
| Then the HTTP status code should be "401" | ||
|
|
||
|
|
||
| Scenario: Access files app with when there are multiple tokens generated | ||
| Given a new browser session for "Alice" has been started | ||
| And the user has generated a new app password named "my-client" | ||
| And the user has generated a new app password named "my-new-client" | ||
| When the user requests "/index.php/apps/files" with "GET" using app password named "my-client" | ||
| Then the HTTP status code should be "200" | ||
| When the user requests "/index.php/apps/files" with "GET" using app password named "my-new-client" | ||
| Then the HTTP status code should be "200" | ||
|
|
||
| @smokeTest | ||
| Scenario: cannot access files app with basic auth when token auth is enforced | ||
| When user "Alice" requests "/index.php/apps/files" with "GET" using basic auth | ||
| Then the HTTP status code should be "401" | ||
|
|
||
|
|
||
| Scenario: using WebDAV with basic auth should be blocked when token auth is enforced | ||
| When user "Alice" requests "/remote.php/webdav" with "PROPFIND" using basic auth | ||
| Then the HTTP status code should be "401" | ||
|
|
||
| @files_sharing-app-required | ||
| Scenario: using OCS with basic auth should be blocked when token auth is enforced | ||
| When user "Alice" requests "/ocs/v1.php/apps/files_sharing/api/v1/remote_shares" with "GET" using basic auth | ||
| Then the OCS status code should be "997" | ||
| And the HTTP status code should be "401" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| @api | ||
| Feature: auth | ||
|
|
||
| Background: | ||
| Given user "Alice" has been created with default attributes and without skeleton files | ||
|
|
||
| @smokeTest | ||
| Scenario: using WebDAV anonymously | ||
| When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication | ||
| Then the HTTP status code should be "401" | ||
|
|
||
| @smokeTest @skipOnOcV10 @personalSpace | ||
| Scenario: using spaces WebDAV anonymously | ||
| When user "Alice" requests "/dav/spaces/%spaceid%" with "PROPFIND" and no authentication | ||
| Then the HTTP status code should be "401" | ||
|
|
||
| @smokeTest | ||
| Scenario Outline: using WebDAV with basic auth | ||
| When user "Alice" requests "<dav_path>" with "PROPFIND" using basic auth | ||
| Then the HTTP status code should be "207" | ||
| Examples: | ||
| | dav_path | | ||
| | /remote.php/webdav | | ||
|
|
||
| @skipOnOcV10 @personalSpace | ||
| Examples: | ||
| | dav_path | | ||
| | /dav/spaces/%spaceid% | | ||
|
|
||
| @smokeTest @notToImplementOnOCIS @issue-ocis-reva-28 | ||
| Scenario: using WebDAV with token auth | ||
| Given a new client token for "Alice" has been generated | ||
| When user "Alice" requests "/remote.php/webdav" with "PROPFIND" using basic token auth | ||
| Then the HTTP status code should be "207" | ||
|
|
||
| @smokeTest @notToImplementOnOCIS | ||
| Scenario: using WebDAV with browser session | ||
| Given a new browser session for "Alice" has been started | ||
| When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session | ||
| Then the HTTP status code should be "207" |
30 changes: 30 additions & 0 deletions
30
tests/acceptance/features/coreApiAuthOcs/ocsDELETEAuth.feature
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| @api @files_sharing-app-required | ||
| Feature: auth | ||
|
|
||
| Background: | ||
| Given user "another-admin" has been created with default attributes and without skeleton files | ||
|
|
||
| @smokeTest @issue-ocis-reva-30 @issue-ocis-reva-65 @skipOnBruteForceProtection @issue-brute_force_protection-112 @skipOnOcV10 @issue-32068 | ||
| Scenario: send DELETE requests to OCS endpoints as admin with wrong password | ||
| Given user "another-admin" has been added to group "admin" | ||
| When user "another-admin" requests these endpoints with "DELETE" using password "invalid" about user "Alice" | ||
| | endpoint | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | | ||
| | /ocs/v1.php/cloud/apps/testing | | ||
| | /ocs/v2.php/cloud/apps/testing | | ||
| | /ocs/v1.php/cloud/groups/group1 | | ||
| | /ocs/v2.php/cloud/groups/group1 | | ||
| | /ocs/v1.php/cloud/users/%username% | | ||
| | /ocs/v2.php/cloud/users/%username% | | ||
| | /ocs/v1.php/cloud/users/%username%/groups | | ||
| | /ocs/v2.php/cloud/users/%username%/groups | | ||
| | /ocs/v1.php/cloud/users/%username%/subadmins | | ||
| | /ocs/v2.php/cloud/users/%username%/subadmins | | ||
| Then the HTTP status code of responses on all endpoints should be "401" | ||
| And the OCS status code of responses on all endpoints should be "401" |
29 changes: 29 additions & 0 deletions
29
tests/acceptance/features/coreApiAuthOcs/ocsDELETEAuthOc10Issue32068.feature
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| @api @files_sharing-app-required @notToImplementOnOCIS | ||
| Feature: current oC10 behavior for issue-32068 | ||
|
|
||
| @smokeTest @issue-32068 @issue-ocis-reva-30 @issue-ocis-reva-65 @skipOnBruteForceProtection @issue-brute_force_protection-112 | ||
| Scenario: send DELETE requests to OCS endpoints as admin with wrong password | ||
| Given user "another-admin" has been created with default attributes and without skeleton files | ||
| And user "another-admin" has been added to group "admin" | ||
| When user "another-admin" requests these endpoints with "DELETE" using password "invalid" about user "Alice" | ||
| | endpoint | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | | ||
| | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | | ||
| | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | | ||
| | /ocs/v1.php/cloud/apps/testing | | ||
| | /ocs/v2.php/cloud/apps/testing | | ||
| | /ocs/v1.php/cloud/groups/group1 | | ||
| | /ocs/v2.php/cloud/groups/group1 | | ||
| | /ocs/v1.php/cloud/users/%username% | | ||
| | /ocs/v2.php/cloud/users/%username% | | ||
| | /ocs/v1.php/cloud/users/%username%/groups | | ||
| | /ocs/v2.php/cloud/users/%username%/groups | | ||
| | /ocs/v1.php/cloud/users/%username%/subadmins | | ||
| | /ocs/v2.php/cloud/users/%username%/subadmins | | ||
| Then the HTTP status code of responses on all endpoints should be "401" | ||
| And the OCS status code of responses on all endpoints should be "997" | ||
| #And the OCS status code of responses on all endpoints should be "401" |
Oops, something went wrong.