Add Tests for checking auth through app passwords and token #36616

Merged
merged 1 commit into from
Dec 19, 2019
16 changes: 16 additions & 0 deletions tests/acceptance/features/apiAuth/tokenAuth.feature
Expand Up @@ -24,6 +24,22 @@ Feature: tokenAuth
When the user requests "/index.php/apps/files" with "GET" using the generated app password
Then the HTTP status code should be "200"

Scenario: cannot access files app with an app password that is deleted when token auth is enforced
Given a new browser session for "user1" has been started
And the user has generated a new app password named "my-client"
And the user has deleted the app password named "my-client"
When the user requests "/index.php/apps/files" with "GET" using the generated app password
Then the HTTP status code should be "401"

Scenario: Access files app with when there are multiple tokens generated
Given a new browser session for "user1" has been started
And the user has generated a new app password named "my-client"
And the user has generated a new app password named "my-new-client"
When the user requests "/index.php/apps/files" with "GET" using app password named "my-client"
Then the HTTP status code should be "200"
When the user requests "/index.php/apps/files" with "GET" using app password named "my-new-client"
Then the HTTP status code should be "200"

@smokeTest
Scenario: cannot access files app with basic auth when token auth is enforced
When user "user1" requests "/index.php/apps/files" with "GET" using basic auth
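Review bot: The second added scenario's title, "Access files app with when there are multiple tokens generated", has a stray "with" and, unlike its neighbours, does not state the expected outcome; something like "can access files app with each app password when multiple are generated" would read better. It also chains two When/Then pairs, so a failure on the first request hides the result of the second. The deleted-password scenario above it covers revocation of a single token only; consider one more case that generates "my-client" and "my-new-client", deletes only "my-client", and expects 401 for it and 200 for "my-new-client", so that revoking one app password is shown to leave the other usable.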
24 changes: 24 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
Expand Up @@ -56,3 +56,27 @@ Feature: delete file/folder
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send DELETE requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "DELETE" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send DELETE requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "DELETE" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 204 | doesnotmatter |
| /remote.php/dav/files/user0/textfile1.txt | 204 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 204 | doesnotmatter |
| /remote.php/webdav/PARENT | 204 | doesnotmatter |
| /remote.php/dav/files/user0/FOLDER | 204 | doesnotmatter |
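Review bot: The rejected-DELETE scenario asserts only the 401 status for each endpoint, which does not show that nothing was removed; a closing step that checks textfile0.txt and PARENT/parent.txt still exist for user0 would cover a handler that acts before the auth failure is returned. In the 204 table the rows depend on order (PARENT/parent.txt has to be deleted before /remote.php/webdav/PARENT), and the second endpoint switches to textfile1.txt and FOLDER with no explanation; a short comment above the table stating why would save the next reader from working it out.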
24 changes: 24 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
Expand Up @@ -56,3 +56,27 @@ Feature: LOCK file/folder
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send LOCK requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "LOCK" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send LOCK requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "LOCK" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 200 | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
| /remote.php/dav/files/user0/textfile1.txt | 200 | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
| /remote.php/dav/files/user0/PARENT/parent.txt | 200 | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
| /remote.php/webdav/PARENT | 200 | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
| /remote.php/dav/files/user0/FOLDER | 200 | <?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo> |
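Review bot: The lockinfo XML in the body column of the 200 table is the same literal on all five rows; holding it once (a scenario-level variable or a step that supplies a default LOCK body) would keep the table readable and leave one place to change it. The scenario also takes shared locks on five resources and no unlock or cleanup step is visible in the hunk, so it is worth confirming that the suite's teardown removes them before later scenarios touch the same files.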
24 changes: 24 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
Expand Up @@ -56,3 +56,27 @@ Feature: get file info using MKCOL
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send MKCOL requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "MKCOL" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send MKCOL requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "MKCOL" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code |
| /remote.php/webdav/newCol | 201 |
| /remote.php/dav/files/user0/newCol1 | 201 |
| /remote.php/dav/files/user0/PARENT/newCol | 201 |
| /remote.php/webdav/COL | 201 |
| /remote.php/dav/files/user0/FOLDER/newCol | 201 |
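Review bot: The table in the basic-auth MKCOL scenario has only endpoint and http-code columns, while the 401 table just above it and every other table in this change carry a body column; confirm that the shared "requests these endpoints" step accepts a table without body, or add the column for consistency. The 401 rows also target paths that look like existing resources (textfile0.txt, PARENT), whereas the 201 rows use new names; using the same new collection paths in both tables would show that the only variable between the 401 and 201 outcomes is how the credential is sent.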
25 changes: 25 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
Expand Up @@ -56,3 +56,28 @@ Feature: MOVE file/folder
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send MOVE requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "MOVE" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send MOVE requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "MOVE" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
# The token was valid and accepted but the body is invalid so it gives 403
| /remote.php/webdav/textfile0.txt | 403 | doesnotmatter |
| /remote.php/dav/files/user0/textfile1.txt | 403 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 403 | doesnotmatter |
| /remote.php/webdav/PARENT | 403 | doesnotmatter |
| /remote.php/dav/files/user0/FOLDER | 403 | doesnotmatter |
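Review bot: In the basic-auth MOVE scenario, the expected 403 is taken as proof that the token was accepted (per the inline comment), but 403 is also the generic status for a request the server refuses to authorize, so the rows would still pass if the request were rejected for a different reason. A MOVE that supplies a valid destination and expects a success code would demonstrate acceptance directly. The comment would also be easier to find above the When step than between the table header and its first row.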
25 changes: 25 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
Expand Up @@ -56,3 +56,28 @@ Feature: get file info using POST
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send POST requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "POST" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send POST requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "POST" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
# this method is not available so gives 501
| /remote.php/webdav/textfile0.txt | 501 | doesnotmatter |
| /remote.php/dav/files/user0/textfile1.txt | 501 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 501 | doesnotmatter |
| /remote.php/webdav/PARENT | 501 | doesnotmatter |
| /remote.php/dav/files/user0/FOLDER | 501 | doesnotmatter |
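Review bot: The title of the basic-auth POST scenario says only "using app password token as password", while the expected result on every row is 501 and the reason sits in a comment inside the table. Put the outcome in the title (for example, that POST is answered with 501 once authentication succeeds) and move the comment above the When step, so the contrast with the 401 scenario before it is clear from the scenario names alone.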
24 changes: 24 additions & 0 deletions tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
Expand Up @@ -56,3 +56,27 @@ Feature: get file info using PROPFIND
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send PROPFIND requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "PROPFIND" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send PROPFIND requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "PROPFIND" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/dav/files/user0/textfile0.txt | 207 | <?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
| /remote.php/dav/files/user0/PARENT | 207 | <?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
| /remote.php/dav/files/user0/PARENT/parent.txt | 207 | <?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
| /remote.php/webdav/PARENT | 207 | <?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
| /remote.php/webdav/textfile0.txt | 207 | <?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:prop><d:getetag /></d:prop></d:propfind> |
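Review bot: The basic-auth PROPFIND scenario checks only for 207, and a Multi-Status response carries a separate status for each requested property, so the table passes even if d:getetag comes back as not found or forbidden inside the response body. Asserting that the response contains a getetag value for at least one row would tie the test to data actually being returned under the app password.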
Expand Up @@ -56,3 +56,27 @@ Feature: PROPPATCH file/folder
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send PROPPATCH requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user requests these endpoints with "PROPPATCH" using the generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
| /remote.php/dav/files/user0/textfile0.txt | 401 | doesnotmatter |
| /remote.php/webdav/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT | 401 | doesnotmatter |
| /remote.php/dav/files/user0/PARENT/parent.txt | 401 | doesnotmatter |

Scenario: send PROPPATCH requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "user0" has been started
And the user has generated a new app password named "my-client"
When the user "user0" requests these endpoints with "PROPPATCH" using the basic auth and generated app password then the status codes should be as listed
| endpoint | http-code | body |
| /remote.php/webdav/textfile0.txt | 207 | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
| /remote.php/dav/files/user0/textfile1.txt | 207 | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
| /remote.php/dav/files/user0/PARENT/parent.txt | 207 | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
| /remote.php/webdav/PARENT | 207 | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
| /remote.php/dav/files/user0/FOLDER | 207 | <?xml version="1.0"?><d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:set><d:prop><oc:favorite xmlns:oc="http://owncloud.org/ns">1</oc:favorite></d:prop></d:set></d:propertyupdate> |
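Review bot: The propertyupdate bodies in the 207 table declare xmlns:oc="http://owncloud.org/ns" on the root element and again on oc:favorite; the inner declaration is redundant and makes the already long rows longer. As the request sets oc:favorite to 1 on five resources, a follow-up step that reads the property back would confirm the write took effect rather than relying on the outer 207 status.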