From eca9c1951249f5026df68c431fad089d18d2fbe1 Mon Sep 17 00:00:00 2001
From: noveens
Date: Wed, 30 Aug 2017 23:41:07 +0530
Subject: [PATCH] Removed beforeController Logic

---
 .../Middleware/Security/CORSMiddleware.php | 29 -----
 .../Security/CORSMiddlewareTest.php | 117 ------------------
 2 files changed, 146 deletions(-)

diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 26368a648992..a0405c6776e4 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -81,35 +81,6 @@ public function __construct(IRequest $request,
 $this->config = $config;
 }
 
- /**
- * This is being run in normal order before the controller is being
- * called which allows several modifications and checks
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @throws SecurityException
- * @since 6.0.0
- */
- public function beforeController($controller, $methodName){
- // ensure that @CORS annotated API routes are not used in conjunction
- // with session authentication since this enables CSRF attack vectors
- if ($this->reflector->hasAnnotation('CORS') &&
- !$this->reflector->hasAnnotation('PublicPage')) {
- $user = $this->request->server['PHP_AUTH_USER'];
- $pass = $this->request->server['PHP_AUTH_PW'];
-
- $this->session->logout();
- try {
- if (!$this->session->logClientIn($user, $pass, $this->request)) {
- throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
- }
- } catch (PasswordLoginForbiddenException $ex) {
- throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
- }
- }
- }
-
 /**
 * This is being run after a successful controllermethod call and allows
 * the manipulation of a Response object. The middleware is run in reverse order
diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
index 1bb9e2b344eb..bad1e474c378 100644
--- a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -153,123 +153,6 @@ public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
 $middleware->afterController($this, __FUNCTION__, $response);
 }
 
- /**
- * @CORS
- * @PublicPage
- */
- public function testNoCORSShouldAllowCookieAuth() {
- $request = new Request(
- [],
- $this->createMock('\OCP\Security\ISecureRandom'),
- $this->createMock('\OCP\IConfig')
- );
- $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware(
- $request,
- $this->reflector,
- $this->fakeSession,
- $this->config
- );
- $this->session->expects($this->never())
- ->method('logout');
- $this->session->expects($this->never())
- ->method('logClientIn')
- ->with($this->equalTo('user'), $this->equalTo('pass'))
- ->will($this->returnValue(true));
- $this->reflector->reflect($this, __FUNCTION__);
-
- $middleware->beforeController($this, __FUNCTION__, new Response());
- }
-
- /**
- * @CORS
- */
- public function testCORSShouldRelogin() {
- $request = new Request(
- ['server' => [
- 'PHP_AUTH_USER' => 'user',
- 'PHP_AUTH_PW' => 'pass'
- ]],
- $this->createMock('\OCP\Security\ISecureRandom'),
- $this->config
- );
- $this->session->expects($this->once())
- ->method('logout');
- $this->session->expects($this->once())
- ->method('logClientIn')
- ->with($this->equalTo('user'), $this->equalTo('pass'))
- ->will($this->returnValue(true));
- $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware(
- $request,
- $this->reflector,
- $this->session,
- $this->config
- );
-
- $middleware->beforeController($this, __FUNCTION__, new Response());
- }
-
- /**
- * @CORS
- * @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
- */
- public function testCORSShouldFailIfPasswordLoginIsForbidden() {
- $request = new Request(
- ['server' => [
- 'PHP_AUTH_USER' => 'user',
- 'PHP_AUTH_PW' => 'pass'
- ]],
- $this->createMock('\OCP\Security\ISecureRandom'),
- $this->createMock('\OCP\IConfig')
- );
- $this->session->expects($this->once())
- ->method('logout');
- $this->session->expects($this->once())
- ->method('logClientIn')
- ->with($this->equalTo('user'), $this->equalTo('pass'))
- ->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
- $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware(
- $request,
- $this->reflector,
- $this->session,
- $this->config
- );
-
- $middleware->beforeController($this, __FUNCTION__, new Response());
- }
-
- /**
- * @CORS
- * @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
- */
- public function testCORSShouldNotAllowCookieAuth() {
- $request = new Request(
- ['server' => [
- 'PHP_AUTH_USER' => 'user',
- 'PHP_AUTH_PW' => 'pass'
- ]],
- $this->createMock('\OCP\Security\ISecureRandom'),
- $this->createMock('\OCP\IConfig')
- );
- $this->session->expects($this->once())
- ->method('logout');
- $this->session->expects($this->once())
- ->method('logClientIn')
- ->with($this->equalTo('user'), $this->equalTo('pass'))
- ->will($this->returnValue(false));
- $this->reflector->reflect($this, __FUNCTION__);
- $middleware = new CORSMiddleware(
- $request,
- $this->reflector,
- $this->session,
- $this->config
- );
-
- $middleware->beforeController($this, __FUNCTION__, new Response());
- }
-
 public function testAfterExceptionWithSecurityExceptionNoStatus() {
 $request = new Request(
 ['server' => [