Add Tests for checking auth through app passwords and token

tests/acceptance/features/apiAuth/tokenAuth.feature

@@ -24,6 +24,22 @@ Feature: tokenAuth
     When the user requests "/index.php/apps/files" with "GET" using the generated app password
     Then the HTTP status code should be "200"
 
+  Scenario: cannot access files app with an app password that is deleted when token auth is enforced
+    Given a new browser session for "user1" has been started
+    And the user has generated a new app password named "my-client"
+    And the user has deleted the app password named "my-client"
+    When the user requests "/index.php/apps/files" with "GET" using the generated app password
+    Then the HTTP status code should be "401"
+
+  Scenario: Access files app with when there are multiple tokens generated
+    Given a new browser session for "user1" has been started
+    And the user has generated a new app password named "my-client"
+    And the user has generated a new app password named "my-new-client"
+    When the user requests "/index.php/apps/files" with "GET" using app password named "my-client"
+    Then the HTTP status code should be "200"
+    When the user requests "/index.php/apps/files" with "GET" using app password named "my-new-client"
+    Then the HTTP status code should be "200"
+
   @smokeTest
   Scenario: cannot access files app with basic auth when token auth is enforced
     When user "user1" requests "/index.php/apps/files" with "GET" using basic auth

tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature

@@ -56,3 +56,27 @@ Feature: delete file/folder
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send DELETE requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "DELETE" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send DELETE requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "DELETE" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 204       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile1.txt     | 204       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 204       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 204       | doesnotmatter |
+      | /remote.php/dav/files/user0/FOLDER            | 204       | doesnotmatter |

tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature

@@ -56,3 +56,27 @@ Feature: LOCK file/folder
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send LOCK requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "LOCK" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send LOCK requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "LOCK" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body                                                                                                                  |
+      | /remote.php/webdav/textfile0.txt              | 200       | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
+      | /remote.php/dav/files/user0/textfile1.txt     | 200       | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 200       | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
+      | /remote.php/webdav/PARENT                     | 200       | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
+      | /remote.php/dav/files/user0/FOLDER            | 200       | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |

tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature

@@ -56,3 +56,27 @@ Feature: get file info using MKCOL
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send MKCOL requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "MKCOL" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send MKCOL requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "MKCOL" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                  | http-code |
+      | /remote.php/webdav/newCol                 | 201       |
+      | /remote.php/dav/files/user0/newCol1       | 201       |
+      | /remote.php/dav/files/user0/PARENT/newCol | 201       |
+      | /remote.php/webdav/COL                    | 201       |
+      | /remote.php/dav/files/user0/FOLDER/newCol | 201       |

tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature

@@ -56,3 +56,28 @@ Feature: MOVE file/folder
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send MOVE requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "MOVE" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send MOVE requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "MOVE" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      # The token was valid and accepted but the body is invalid so it gives 403
+      | /remote.php/webdav/textfile0.txt              | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile1.txt     | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 403       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/FOLDER            | 403       | doesnotmatter |

tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature

@@ -56,3 +56,28 @@ Feature: get file info using POST
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send POST requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "POST" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send POST requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "POST" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      # this method is not available so gives 501
+      | /remote.php/webdav/textfile0.txt              | 501       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile1.txt     | 501       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 501       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 501       | doesnotmatter |
+      | /remote.php/dav/files/user0/FOLDER            | 501       | doesnotmatter |

tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature

@@ -56,3 +56,27 @@ Feature: get file info using PROPFIND
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send PROPFIND requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "PROPFIND" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send PROPFIND requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "PROPFIND" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/dav/files/user0/textfile0.txt     | 207       | <?xml version="1.0"?><d:propfind  xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
+      | /remote.php/dav/files/user0/PARENT            | 207       | <?xml version="1.0"?><d:propfind  xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 207       | <?xml version="1.0"?><d:propfind  xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
+      | /remote.php/webdav/PARENT                     | 207       | <?xml version="1.0"?><d:propfind  xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
+      | /remote.php/webdav/textfile0.txt              | 207       | <?xml version="1.0"?><d:propfind  xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |

tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature

@@ -56,3 +56,27 @@ Feature: PROPPATCH file/folder
       | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
       | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send PROPPATCH requests to webDav endpoints using token authentication should not work
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests these endpoints with "PROPPATCH" using the generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body          |
+      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+
+  Scenario: send PROPPATCH requests to webDav endpoints using app password token as password
+    Given token auth has been enforced
+    And a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user "user0" requests these endpoints with "PROPPATCH" using the basic auth and generated app password then the status codes should be as listed
+      | endpoint                                      | http-code | body                                                                                                                  |
+      | /remote.php/webdav/textfile0.txt              | 207       | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
+      | /remote.php/dav/files/user0/textfile1.txt     | 207       | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 207       | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
+      | /remote.php/webdav/PARENT                     | 207       | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
+      | /remote.php/dav/files/user0/FOLDER            | 207       | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |