go vendor

2017-11-30 19:55:33 +08:00
parent 2856da6888
commit 0fb92efbf3
670 changed files with 199010 additions and 0 deletions
--- a/vendor/github.com/revel/modules/csrf/app/csrf_test.go
+++ b/vendor/github.com/revel/modules/csrf/app/csrf_test.go
@ -0,0 +1,183 @@
+package csrf
+
+import (
+	"bytes"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/revel/revel"
+)
+
+func NewTestController(w http.ResponseWriter, r *http.Request) *revel.Controller{
+	context := revel.NewGoContext(nil)
+	context.Request.SetRequest(r)
+	context.Response.SetResponse(w)
+	c := revel.NewController(context)
+	return c
+}
+
+var testFilters = []revel.Filter{
+	revel.ParamsFilter,
+	CsrfFilter,
+	func(c *revel.Controller, fc []revel.Filter) {
+		c.RenderHTML("{{ csrftoken . }}")
+	},
+}
+
+func TestTokenInSession(t *testing.T) {
+	resp := httptest.NewRecorder()
+	getRequest, _ := http.NewRequest("GET", "http://www.example.com/", nil)
+	c := NewTestController(resp,getRequest)
+
+	c.Session = make(revel.Session)
+
+	testFilters[0](c, testFilters)
+
+	if _, ok := c.Session["csrf_token"]; !ok {
+		t.Fatal("token should be present in session")
+	}
+}
+
+func TestPostWithoutToken(t *testing.T) {
+	resp := httptest.NewRecorder()
+	postRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+	c := NewTestController(resp,postRequest)
+	c.Session = make(revel.Session)
+
+	testFilters[0](c, testFilters)
+
+	if c.Response.Status != 403 {
+		t.Fatal("post without token should be forbidden")
+	}
+}
+
+func TestNoReferrer(t *testing.T) {
+	resp := httptest.NewRecorder()
+	postRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+
+	c := NewTestController(resp,postRequest)
+	c.Session = make(revel.Session)
+
+	RefreshToken(c)
+	token := c.Session["csrf_token"]
+
+	// make a new request with the token
+	data := url.Values{}
+	data.Set("csrftoken", token)
+	formPostRequest, _ := http.NewRequest("POST", "http://www.example.com/", bytes.NewBufferString(data.Encode()))
+	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(data.Encode())))
+
+	cnew := NewTestController(resp,formPostRequest)
+	// and replace the old request
+	c.Request = cnew.Request
+
+	testFilters[0](c, testFilters)
+
+	if c.Response.Status != 403 {
+		t.Fatal("post without referer should be forbidden")
+	}
+}
+
+func TestRefererHttps(t *testing.T) {
+	resp := httptest.NewRecorder()
+	postRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+	c := NewTestController(resp,postRequest)
+
+	c.Session = make(revel.Session)
+
+	RefreshToken(c)
+	token := c.Session["csrf_token"]
+
+	// make a new request with the token
+	data := url.Values{}
+	data.Set("csrftoken", token)
+	formPostRequest, _ := http.NewRequest("POST", "https://www.example.com/", bytes.NewBufferString(data.Encode()))
+	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(data.Encode())))
+	formPostRequest.Header.Add("Referer", "http://www.example.com/")
+
+	cnew := NewTestController(resp,formPostRequest)
+	// and replace the old request
+	c.Request = cnew.Request
+
+	testFilters[0](c, testFilters)
+
+	if c.Response.Status != 403 {
+		t.Fatal("posts to https should have an https referer")
+	}
+}
+
+func TestHeaderWithToken(t *testing.T) {
+	resp := httptest.NewRecorder()
+	postRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+	c := NewTestController(resp,postRequest)
+
+	c.Session = make(revel.Session)
+
+	RefreshToken(c)
+	token := c.Session["csrf_token"]
+
+	// make a new request with the token
+	formPostRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+	formPostRequest.Header.Add("X-CSRFToken", token)
+	formPostRequest.Header.Add("Referer", "http://www.example.com/")
+
+	cnew := NewTestController(resp,formPostRequest)
+	// and replace the old request
+	c.Request = cnew.Request
+
+	testFilters[0](c, testFilters)
+
+	if c.Response.Status == 403 {
+		t.Fatal("post with http header token should be allowed")
+	}
+}
+
+func TestFormPostWithToken(t *testing.T) {
+	resp := httptest.NewRecorder()
+	postRequest, _ := http.NewRequest("POST", "http://www.example.com/", nil)
+	c := NewTestController(resp,postRequest)
+
+	c.Session = make(revel.Session)
+
+	RefreshToken(c)
+	token := c.Session["csrf_token"]
+
+	// make a new request with the token
+	data := url.Values{}
+	data.Set("csrftoken", token)
+	formPostRequest, _ := http.NewRequest("POST", "http://www.example.com/", bytes.NewBufferString(data.Encode()))
+	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(data.Encode())))
+	formPostRequest.Header.Add("Referer", "http://www.example.com/")
+
+	cnew := NewTestController(resp,formPostRequest)
+	// and replace the old request
+	c.Request = cnew.Request
+
+	testFilters[0](c, testFilters)
+
+	if c.Response.Status == 403 {
+		t.Fatal("form post with token should be allowed")
+	}
+}
+
+func TestNoTokenInArgsWhenCORs(t *testing.T) {
+	resp := httptest.NewRecorder()
+
+	getRequest, _ := http.NewRequest("GET", "http://www.example1.com/", nil)
+	getRequest.Header.Add("Referer", "http://www.example2.com/")
+
+	c := NewTestController(resp,getRequest)
+	c.Session = make(revel.Session)
+
+	testFilters[0](c, testFilters)
+
+	if _, ok := c.ViewArgs["_csrftoken"]; ok {
+		t.Fatal("ViewArgs should not contain token when not same origin")
+	}
+}