mirror of
https://github.com/nextcloud/server.git
synced 2026-02-03 20:41:22 -05:00
809ff5ac95
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.
To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.
To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');
$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```
If you now open the files app the policy should be:
```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
447 lines
11 KiB
PHP
447 lines
11 KiB
PHP
<?php
|
|
/**
|
|
* @author Bernhard Posselt <dev@bernhard-posselt.com>
|
|
* @author Lukas Reschke <lukas@owncloud.com>
|
|
*
|
|
* @copyright Copyright (c) 2015, ownCloud, Inc.
|
|
* @license AGPL-3.0
|
|
*
|
|
* This code is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
*
|
|
*/
|
|
|
|
|
|
|
|
namespace OC\AppFramework\Middleware\Security;
|
|
|
|
use OC\AppFramework\Http;
|
|
use OC\AppFramework\Http\Request;
|
|
use OC\Appframework\Middleware\Security\Exceptions\AppNotEnabledException;
|
|
use OC\Appframework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
|
|
use OC\Appframework\Middleware\Security\Exceptions\NotAdminException;
|
|
use OC\Appframework\Middleware\Security\Exceptions\NotLoggedInException;
|
|
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
|
use OC\Security\CSP\ContentSecurityPolicy;
|
|
use OCP\AppFramework\Http\RedirectResponse;
|
|
use OCP\AppFramework\Http\JSONResponse;
|
|
use OCP\AppFramework\Http\TemplateResponse;
|
|
|
|
|
|
class SecurityMiddlewareTest extends \Test\TestCase {
|
|
|
|
private $middleware;
|
|
private $controller;
|
|
private $secException;
|
|
private $secAjaxException;
|
|
private $request;
|
|
private $reader;
|
|
private $logger;
|
|
private $navigationManager;
|
|
private $urlGenerator;
|
|
private $contentSecurityPolicyManager;
|
|
|
|
protected function setUp() {
|
|
parent::setUp();
|
|
|
|
$this->controller = $this->getMockBuilder('OCP\AppFramework\Controller')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->reader = new ControllerMethodReflector();
|
|
$this->logger = $this->getMockBuilder(
|
|
'OCP\ILogger')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->navigationManager = $this->getMockBuilder(
|
|
'OCP\INavigationManager')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->urlGenerator = $this->getMockBuilder(
|
|
'OCP\IURLGenerator')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->request = $this->getMockBuilder(
|
|
'OCP\IRequest')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->contentSecurityPolicyManager = $this->getMockBuilder(
|
|
'OC\Security\CSP\ContentSecurityPolicyManager')
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
$this->middleware = $this->getMiddleware(true, true);
|
|
$this->secException = new SecurityException('hey', false);
|
|
$this->secAjaxException = new SecurityException('hey', true);
|
|
}
|
|
|
|
/**
|
|
* @param bool $isLoggedIn
|
|
* @param bool $isAdminUser
|
|
* @return SecurityMiddleware
|
|
*/
|
|
private function getMiddleware($isLoggedIn, $isAdminUser) {
|
|
return new SecurityMiddleware(
|
|
$this->request,
|
|
$this->reader,
|
|
$this->navigationManager,
|
|
$this->urlGenerator,
|
|
$this->logger,
|
|
'files',
|
|
$isLoggedIn,
|
|
$isAdminUser,
|
|
$this->contentSecurityPolicyManager
|
|
);
|
|
}
|
|
|
|
|
|
/**
|
|
* @PublicPage
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testSetNavigationEntry(){
|
|
$this->navigationManager->expects($this->once())
|
|
->method('setActiveEntry')
|
|
->with($this->equalTo('files'));
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
|
$this->middleware->beforeController(__CLASS__, __FUNCTION__);
|
|
}
|
|
|
|
|
|
/**
|
|
* @param string $method
|
|
* @param string $test
|
|
*/
|
|
private function ajaxExceptionStatus($method, $test, $status) {
|
|
$isLoggedIn = false;
|
|
$isAdminUser = false;
|
|
|
|
// isAdminUser requires isLoggedIn call to return true
|
|
if ($test === 'isAdminUser') {
|
|
$isLoggedIn = true;
|
|
}
|
|
|
|
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser);
|
|
|
|
try {
|
|
$this->reader->reflect(__CLASS__, $method);
|
|
$sec->beforeController(__CLASS__, $method);
|
|
} catch (SecurityException $ex){
|
|
$this->assertEquals($status, $ex->getCode());
|
|
}
|
|
|
|
// add assertion if everything should work fine otherwise phpunit will
|
|
// complain
|
|
if ($status === 0) {
|
|
$this->assertTrue(true);
|
|
}
|
|
}
|
|
|
|
public function testAjaxStatusLoggedInCheck() {
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'isLoggedIn',
|
|
Http::STATUS_UNAUTHORIZED
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testAjaxNotAdminCheck() {
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'isAdminUser',
|
|
Http::STATUS_FORBIDDEN
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @PublicPage
|
|
*/
|
|
public function testAjaxStatusCSRFCheck() {
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'passesCSRFCheck',
|
|
Http::STATUS_PRECONDITION_FAILED
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @PublicPage
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testAjaxStatusAllGood() {
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'isLoggedIn',
|
|
0
|
|
);
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'isAdminUser',
|
|
0
|
|
);
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'isSubAdminUser',
|
|
0
|
|
);
|
|
$this->ajaxExceptionStatus(
|
|
__FUNCTION__,
|
|
'passesCSRFCheck',
|
|
0
|
|
);
|
|
}
|
|
|
|
|
|
/**
|
|
* @PublicPage
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testNoChecks(){
|
|
$this->request->expects($this->never())
|
|
->method('passesCSRFCheck')
|
|
->will($this->returnValue(false));
|
|
|
|
$sec = $this->getMiddleware(false, false);
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
|
$sec->beforeController(__CLASS__, __FUNCTION__);
|
|
}
|
|
|
|
|
|
/**
|
|
* @param string $method
|
|
* @param string $expects
|
|
*/
|
|
private function securityCheck($method, $expects, $shouldFail=false){
|
|
// admin check requires login
|
|
if ($expects === 'isAdminUser') {
|
|
$isLoggedIn = true;
|
|
$isAdminUser = !$shouldFail;
|
|
} else {
|
|
$isLoggedIn = !$shouldFail;
|
|
$isAdminUser = false;
|
|
}
|
|
|
|
$sec = $this->getMiddleware($isLoggedIn, $isAdminUser);
|
|
|
|
if($shouldFail) {
|
|
$this->setExpectedException('\OC\AppFramework\Middleware\Security\Exceptions\SecurityException');
|
|
} else {
|
|
$this->assertTrue(true);
|
|
}
|
|
|
|
$this->reader->reflect(__CLASS__, $method);
|
|
$sec->beforeController(__CLASS__, $method);
|
|
}
|
|
|
|
|
|
/**
|
|
* @PublicPage
|
|
* @expectedException \OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException
|
|
*/
|
|
public function testCsrfCheck(){
|
|
$this->request->expects($this->once())
|
|
->method('passesCSRFCheck')
|
|
->will($this->returnValue(false));
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
|
$this->middleware->beforeController(__CLASS__, __FUNCTION__);
|
|
}
|
|
|
|
|
|
/**
|
|
* @PublicPage
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testNoCsrfCheck(){
|
|
$this->request->expects($this->never())
|
|
->method('passesCSRFCheck')
|
|
->will($this->returnValue(false));
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
|
$this->middleware->beforeController(__CLASS__, __FUNCTION__);
|
|
}
|
|
|
|
|
|
/**
|
|
* @PublicPage
|
|
*/
|
|
public function testFailCsrfCheck(){
|
|
$this->request->expects($this->once())
|
|
->method('passesCSRFCheck')
|
|
->will($this->returnValue(true));
|
|
|
|
$this->reader->reflect(__CLASS__, __FUNCTION__);
|
|
$this->middleware->beforeController(__CLASS__, __FUNCTION__);
|
|
}
|
|
|
|
|
|
/**
|
|
* @NoCSRFRequired
|
|
* @NoAdminRequired
|
|
*/
|
|
public function testLoggedInCheck(){
|
|
$this->securityCheck(__FUNCTION__, 'isLoggedIn');
|
|
}
|
|
|
|
|
|
/**
|
|
* @NoCSRFRequired
|
|
* @NoAdminRequired
|
|
*/
|
|
public function testFailLoggedInCheck(){
|
|
$this->securityCheck(__FUNCTION__, 'isLoggedIn', true);
|
|
}
|
|
|
|
|
|
/**
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testIsAdminCheck(){
|
|
$this->securityCheck(__FUNCTION__, 'isAdminUser');
|
|
}
|
|
|
|
|
|
/**
|
|
* @NoCSRFRequired
|
|
*/
|
|
public function testFailIsAdminCheck(){
|
|
$this->securityCheck(__FUNCTION__, 'isAdminUser', true);
|
|
}
|
|
|
|
|
|
public function testAfterExceptionNotCaughtThrowsItAgain(){
|
|
$ex = new \Exception();
|
|
$this->setExpectedException('\Exception');
|
|
$this->middleware->afterException($this->controller, 'test', $ex);
|
|
}
|
|
|
|
public function testAfterExceptionReturnsRedirectForNotLoggedInUser() {
|
|
$this->request = new Request(
|
|
[
|
|
'server' =>
|
|
[
|
|
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
|
'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
|
|
]
|
|
],
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
$this->getMock('\OCP\IConfig')
|
|
);
|
|
$this->middleware = $this->getMiddleware(false, false);
|
|
$this->urlGenerator
|
|
->expects($this->once())
|
|
->method('getAbsoluteURL')
|
|
->with('index.php')
|
|
->will($this->returnValue('http://localhost/index.php'));
|
|
$this->logger
|
|
->expects($this->once())
|
|
->method('debug')
|
|
->with('Current user is not logged in');
|
|
$response = $this->middleware->afterException(
|
|
$this->controller,
|
|
'test',
|
|
new NotLoggedInException()
|
|
);
|
|
|
|
$expected = new RedirectResponse('http://localhost/index.php?redirect_url=owncloud%2Findex.php%2Fapps%2Fspecialapp');
|
|
$this->assertEquals($expected , $response);
|
|
}
|
|
|
|
/**
|
|
* @return array
|
|
*/
|
|
public function exceptionProvider() {
|
|
return [
|
|
[
|
|
new AppNotEnabledException(),
|
|
],
|
|
[
|
|
new CrossSiteRequestForgeryException(),
|
|
],
|
|
[
|
|
new NotAdminException(),
|
|
],
|
|
];
|
|
}
|
|
|
|
/**
|
|
* @dataProvider exceptionProvider
|
|
* @param SecurityException $exception
|
|
*/
|
|
public function testAfterExceptionReturnsTemplateResponse(SecurityException $exception) {
|
|
$this->request = new Request(
|
|
[
|
|
'server' =>
|
|
[
|
|
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
|
'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
|
|
]
|
|
],
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
$this->getMock('\OCP\IConfig')
|
|
);
|
|
$this->middleware = $this->getMiddleware(false, false);
|
|
$this->logger
|
|
->expects($this->once())
|
|
->method('debug')
|
|
->with($exception->getMessage());
|
|
$response = $this->middleware->afterException(
|
|
$this->controller,
|
|
'test',
|
|
$exception
|
|
);
|
|
|
|
$expected = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest');
|
|
$expected->setStatus($exception->getCode());
|
|
$this->assertEquals($expected , $response);
|
|
}
|
|
|
|
|
|
public function testAfterAjaxExceptionReturnsJSONError(){
|
|
$response = $this->middleware->afterException($this->controller, 'test',
|
|
$this->secAjaxException);
|
|
|
|
$this->assertTrue($response instanceof JSONResponse);
|
|
}
|
|
|
|
public function testAfterController() {
|
|
$response = $this->getMockBuilder('\OCP\AppFramework\Http\Response')->disableOriginalConstructor()->getMock();
|
|
$defaultPolicy = new ContentSecurityPolicy();
|
|
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
|
|
$currentPolicy = new ContentSecurityPolicy();
|
|
$currentPolicy->addAllowedConnectDomain('currentPolicy');
|
|
$mergedPolicy = new ContentSecurityPolicy();
|
|
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
|
|
$response
|
|
->expects($this->exactly(2))
|
|
->method('getContentSecurityPolicy')
|
|
->willReturn($currentPolicy);
|
|
$this->contentSecurityPolicyManager
|
|
->expects($this->once())
|
|
->method('getDefaultPolicy')
|
|
->willReturn($defaultPolicy);
|
|
$this->contentSecurityPolicyManager
|
|
->expects($this->once())
|
|
->method('mergePolicies')
|
|
->with($defaultPolicy, $currentPolicy)
|
|
->willReturn($mergedPolicy);
|
|
$response->expects($this->once())
|
|
->method('setContentSecurityPolicy')
|
|
->with($mergedPolicy);
|
|
|
|
$this->middleware->afterController($this->controller, 'test', $response);
|
|
}
|
|
}
|