  1. package com.example.microservice.person.tests.controller;
  2.  
import static org.junit.Assert.fail;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.logging.LogLevel;
import org.springframework.boot.logging.LoggingSystem;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import com.example.microservice.person.TestAppConfiguration;
  29.  
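@RunWith(SpringRunner.class)
@Import(value = {TestAppConfiguration.class})
@WebMvcTest
public class UnauthorizedAccessTest {
    // Verifies that every HTTP endpoint registered with the MVC handler mapping answers
    // 403 Forbidden to a principal that only holds a role the application does not grant
    // anything to. The mock user "attacker" / ROLE_DENYME is attached to every request, and
    // each pattern of each mapping is probed with every HTTP method that mapping accepts.
    //
    // Only a 403 counts as "denied"; any other status (200, 401, 404, ...) is reported as an
    // endpoint reachable by the unauthorized role so that misconfigurations fail loudly.

    private static final Logger logger = LoggerFactory.getLogger(UnauthorizedAccessTest.class);

    /**
     * HTTP methods this test knows how to send. A mapping whose methods condition is empty
     * matches every method, so such a mapping is probed with all of these; a mapping that
     * declares methods is probed only with the declared ones that appear here.
     */
    private static final RequestMethod[] PROBED_METHODS = {
        RequestMethod.GET,
        RequestMethod.POST,
        RequestMethod.PUT,
        RequestMethod.DELETE,
        RequestMethod.PATCH
    };

    @Autowired
    private RequestMappingHandlerMapping requestMappingHandlerMapping;

    @Autowired
    private MockMvc mvc;

    /**
     * Switches the root logger off before the Spring context starts, to keep the framework's
     * own output out of the test log.
     * NOTE(review): setting ROOT to OFF also silences this class's report logger; whether the
     * setting survives Spring Boot's own logging initialisation is not established here.
     */
    @BeforeClass
    public static void setErrorLogging() {
        LoggingSystem.get(ClassLoader.getSystemClassLoader())
                .setLogLevel(Logger.ROOT_LOGGER_NAME, LogLevel.OFF);
    }

    /**
     * Probes every registered endpoint as a user with an unrecognised role and fails the test
     * if any of them does not answer 403.
     *
     * @throws Exception if MockMvc cannot dispatch a request at all (for example a pattern
     *                   containing URI-template variables, which are not expanded here)
     */
    @Test
    @WithMockUser(username = "attacker", roles = {"DENYME"})
    public void TestAllEndpointsUnauthorized() throws Exception {
        List<String> unsecureMethods = new ArrayList<String>();
        List<String> secureMethods = new ArrayList<String>();

        for (RequestMappingInfo mapping : requestMappingHandlerMapping.getHandlerMethods().keySet()) {
            if (mapping.getPatternsCondition() == null) {
                // A mapping without a patterns condition (possible on newer Spring versions
                // that register PathPattern-based mappings) cannot be probed by this loop;
                // failing is safer than silently leaving the endpoint unverified.
                fail("Mapping cannot be probed (no patterns condition): " + mapping);
            }
            Set<RequestMethod> declared = mapping.getMethodsCondition().getMethods();

            for (String path : mapping.getPatternsCondition().getPatterns()) {
                for (RequestMethod method : PROBED_METHODS) {
                    // An empty methods condition means "any method"; skipping such mappings
                    // would leave every unrestricted @RequestMapping untested.
                    if (!declared.isEmpty() && !declared.contains(method)) {
                        continue;
                    }
                    String label = method + ": " + path;
                    if (deniesAccess(method, path)) {
                        secureMethods.add(label);
                    } else {
                        unsecureMethods.add(label);
                    }
                }
            }
        }

        report(secureMethods, unsecureMethods);

        // A Java `assert` statement is a no-op unless the JVM runs with -ea, which would let
        // this test pass while listing reachable endpoints; JUnit's fail() always fails.
        if (!unsecureMethods.isEmpty()) {
            fail("Endpoints reachable with an unauthorized role: " + unsecureMethods);
        }
    }

    /**
     * Sends one request under the current (mock) security context and reports whether the
     * application answered 403 Forbidden.
     *
     * @param method HTTP method to send; must be one of {@link #PROBED_METHODS}
     * @param path   literal request path taken from the handler mapping
     * @return {@code true} when the status was 403, {@code false} for any other status
     * @throws Exception if MockMvc fails to dispatch the request
     */
    private boolean deniesAccess(RequestMethod method, String path) throws Exception {
        try {
            mvc.perform(requestFor(method, path)).andExpect(status().isForbidden());
            return true;
        } catch (AssertionError notForbidden) {
            // The expectation failing is the signal we are measuring, not a test error.
            return false;
        }
    }

    /**
     * Maps an HTTP method onto the matching MockMvc request builder for {@code path}.
     *
     * @throws IllegalArgumentException for methods outside {@link #PROBED_METHODS}
     */
    private static MockHttpServletRequestBuilder requestFor(RequestMethod method, String path) {
        switch (method) {
            case GET:
                return get(path);
            case POST:
                return post(path);
            case PUT:
                return put(path);
            case DELETE:
                return delete(path);
            case PATCH:
                return patch(path);
            default:
                throw new IllegalArgumentException("HTTP method not probed by this test: " + method);
        }
    }

    /**
     * Logs the outcome: the reachable endpoints at ERROR level when there are any, otherwise
     * the full list of correctly denied endpoints at INFO level.
     */
    private static void report(List<String> secureMethods, List<String> unsecureMethods) {
        if (!unsecureMethods.isEmpty()) {
            logger.error("Invalid roles were able to access the following rest methods");
            for (String s : unsecureMethods) {
                logger.error("\t" + s);
            }
        } else {
            logger.info("All rest methods denied access to the invalid role");
            for (String s : secureMethods) {
                logger.info("\t" + s);
            }
        }
    }
}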
  115.  
  116. 2019-02-21 08:31:40.959 ERROR 23628 --- [ main] c.e.m.p.t.c.UnauthorizedAccessTest : Invalid roles were able to access the following rest methods
  117. 2019-02-21 08:31:40.959 ERROR 23628 --- [ main] c.e.m.p.t.c.UnauthorizedAccessTest : GET: /cache/clearPersonCache
  118.  
  119. 2019-02-21 08:33:36.035 ERROR 21736 --- [ main] c.e.m.p.t.c.UnauthorizedAccessTest : Invalid roles were able to access the following rest methods
  120. 2019-02-21 08:33:36.035 ERROR 21736 --- [ main] c.e.m.p.t.c.UnauthorizedAccessTest : GET: /cache/clearPersonCache
  121.  
  122. MockHttpServletRequest:
  123. HTTP Method = GET
  124. Request URI = /cache/clearPersonCache
  125. Parameters = {}
  126. Headers = []
  127. Body = <no character encoding set>
  128. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  129.  
  130. Handler:
  131. Type = com.example.microservice.person.controller.CacheController
  132. Method = private java.lang.Boolean com.example.microservice.person.controller.CacheController.clearPersonCache()
  133.  
  134. Async:
  135. Async started = false
  136. Async result = null
  137.  
  138. Resolved Exception:
  139. Type = null
  140.  
  141. ModelAndView:
  142. View name = null
  143. View = null
  144. Model = null
  145.  
  146. FlashMap:
  147. Attributes = null
  148.  
  149. MockHttpServletResponse:
  150. Status = 200
  151. Error message = null
  152. Headers = [Content-Type:"application/json;charset=UTF-8", X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  153. Content type = application/json;charset=UTF-8
  154. Body = true
  155. Forwarded URL = null
  156. Redirected URL = null
  157. Cookies = []
  158.  
  159. MockHttpServletRequest:
  160. HTTP Method = POST
  161. Request URI = /person/updatePerson
  162. Parameters = {}
  163. Headers = []
  164. Body = <no character encoding set>
  165. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  166.  
  167. Handler:
  168. Type = null
  169.  
  170. Async:
  171. Async started = false
  172. Async result = null
  173.  
  174. Resolved Exception:
  175. Type = null
  176.  
  177. ModelAndView:
  178. View name = null
  179. View = null
  180. Model = null
  181.  
  182. FlashMap:
  183. Attributes = null
  184.  
  185. MockHttpServletResponse:
  186. Status = 403
  187. Error message = Forbidden
  188. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  189. Content type = null
  190. Body =
  191. Forwarded URL = null
  192. Redirected URL = null
  193. Cookies = []
  194.  
  195. MockHttpServletRequest:
  196. HTTP Method = POST
  197. Request URI = /person/addPerson
  198. Parameters = {}
  199. Headers = []
  200. Body = <no character encoding set>
  201. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  202.  
  203. Handler:
  204. Type = null
  205.  
  206. Async:
  207. Async started = false
  208. Async result = null
  209.  
  210. Resolved Exception:
  211. Type = null
  212.  
  213. ModelAndView:
  214. View name = null
  215. View = null
  216. Model = null
  217.  
  218. FlashMap:
  219. Attributes = null
  220.  
  221. MockHttpServletResponse:
  222. Status = 403
  223. Error message = Forbidden
  224. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  225. Content type = null
  226. Body =
  227. Forwarded URL = null
  228. Redirected URL = null
  229. Cookies = []
  230.  
  231. MockHttpServletRequest:
  232. HTTP Method = GET
  233. Request URI = /person/fixAgeOfPerson
  234. Parameters = {}
  235. Headers = []
  236. Body = <no character encoding set>
  237. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  238.  
  239. Handler:
  240. Type = null
  241.  
  242. Async:
  243. Async started = false
  244. Async result = null
  245.  
  246. Resolved Exception:
  247. Type = null
  248.  
  249. ModelAndView:
  250. View name = null
  251. View = null
  252. Model = null
  253.  
  254. FlashMap:
  255. Attributes = null
  256.  
  257. MockHttpServletResponse:
  258. Status = 403
  259. Error message = Forbidden
  260. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  261. Content type = null
  262. Body =
  263. Forwarded URL = null
  264. Redirected URL = null
  265. Cookies = []
  266.  
  267. MockHttpServletRequest:
  268. HTTP Method = GET
  269. Request URI = /person/getPersonList
  270. Parameters = {}
  271. Headers = []
  272. Body = <no character encoding set>
  273. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  274.  
  275. Handler:
  276. Type = null
  277.  
  278. Async:
  279. Async started = false
  280. Async result = null
  281.  
  282. Resolved Exception:
  283. Type = null
  284.  
  285. ModelAndView:
  286. View name = null
  287. View = null
  288. Model = null
  289.  
  290. FlashMap:
  291. Attributes = null
  292.  
  293. MockHttpServletResponse:
  294. Status = 403
  295. Error message = Forbidden
  296. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  297. Content type = null
  298. Body =
  299. Forwarded URL = null
  300. Redirected URL = null
  301. Cookies = []
  302.  
  303. MockHttpServletRequest:
  304. HTTP Method = GET
  305. Request URI = /person/getPersonById
  306. Parameters = {}
  307. Headers = []
  308. Body = <no character encoding set>
  309. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  310.  
  311. Handler:
  312. Type = null
  313.  
  314. Async:
  315. Async started = false
  316. Async result = null
  317.  
  318. Resolved Exception:
  319. Type = null
  320.  
  321. ModelAndView:
  322. View name = null
  323. View = null
  324. Model = null
  325.  
  326. FlashMap:
  327. Attributes = null
  328.  
  329. MockHttpServletResponse:
  330. Status = 403
  331. Error message = Forbidden
  332. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  333. Content type = null
  334. Body =
  335. Forwarded URL = null
  336. Redirected URL = null
  337. Cookies = []
  338.  
  339. MockHttpServletRequest:
  340. HTTP Method = GET
  341. Request URI = /person/averageAgeInBirthMonth
  342. Parameters = {}
  343. Headers = []
  344. Body = <no character encoding set>
  345. Session Attrs = {SPRING_SECURITY_CONTEXT=org.springframework.security.core.context.SecurityContextImpl@a63d2d27: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a63d2d27: Principal: org.springframework.security.core.userdetails.User@201c88f5: Username: attacker; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DENYME; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_DENYME}
  346.  
  347. Handler:
  348. Type = null
  349.  
  350. Async:
  351. Async started = false
  352. Async result = null
  353.  
  354. Resolved Exception:
  355. Type = null
  356.  
  357. ModelAndView:
  358. View name = null
  359. View = null
  360. Model = null
  361.  
  362. FlashMap:
  363. Attributes = null
  364.  
  365. MockHttpServletResponse:
  366. Status = 403
  367. Error message = Forbidden
  368. Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
  369. Content type = null
  370. Body =
  371. Forwarded URL = null
  372. Redirected URL = null
  373. Cookies = []