Merged in task/dspace-cris-2023_02_x/DSC-1766_csrf_fix (pull request D…

…Space#2947) [DSC-1766] Add security csrf endpoint to user-agreement allow list Approved-by: Vincenzo Mecca
4Science · Oct 25, 2024 · 0163d5c · 0163d5c
2 parents 5bf6c6e + b172a17
commit 0163d5c
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/security/UserAgreementFilterIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/security/UserAgreementFilterIT.java
@@ -9,6 +9,8 @@
 
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -236,6 +238,76 @@ public void tryToAccessToItemRestEndpointUserThatCanIgnoreTermsTest() throws Exc
         configurationService.setProperty("user-agreement.enabled", "false");
     }
 
+
+    @Test
+    public void shouldBeAbleToAccessCSRFTokenEndpoint() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+
+        configurationService.setProperty("user-agreement.enabled", "true");
+
+        EPerson user =
+            EPersonBuilder.createEPerson(context)
+                          .withEmail("[email protected]")
+                          .withNameInMetadata("Vins", "1st")
+                          .withCanLogin(true)
+                          .withPassword(password)
+                          .build();
+
+        context.restoreAuthSystemState();
+
+        String userToken = getAuthToken(user.getEmail(), password);
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // ignore user agreement
+        ePersonService.addMetadata(context, user, "dspace", "agreements", "ignore", "en", "true");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // refuse user agreement
+        ePersonService.setMetadataSingleValue(context, user, "dspace", "agreements", "ignore", "en", "false");
+        ePersonService.addMetadata(context, user, "dspace", "agreements", "end-user", "en", "false");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // accept user agreement
+        ePersonService.setMetadataSingleValue(context, user, "dspace", "agreements", "end-user", "en", "true");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+    }
+
+
     private void resetOpenPathConfigurations(String[] values) {
         configurationService.getConfiguration().clearProperty("user-agreement.open-path-patterns");
         if (values != null) {

diff --git a/dspace/config/dspace.cfg b/dspace/config/dspace.cfg
@@ -1787,6 +1787,7 @@ user-agreement.open-path-patterns = /api/core/sites/**
 user-agreement.open-path-patterns = /api/eperson/epersons/**
 user-agreement.open-path-patterns = /api/eperson/groups/**
 user-agreement.open-path-patterns = /api/eperson/registrations/**
+user-agreement.open-path-patterns = /api/security/csrf
 
 ################################################
 context-menu-entry.audit.enabled = true