authorHeiko Bernloehr <Heiko.Bernloehr@FreeIT.de>2012-11-15 17:10:35 +0100
committerHeiko Bernloehr <Heiko.Bernloehr@FreeIT.de>2012-11-15 17:15:27 +0100
commit97c25ae39e3d6a628c65f4cb2ceecd48e410732d (patch)
tree97aea0adea3043e19b50758325d1bb7a646fff71 /test
parent9298117acdf82c9529a12a3ab41baf9d1e86c2f4 (diff)
downloadecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.tar.gz
ecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.zip
Changed security fix for redirects.
When creating an authorization token, the ECS now only checks that exactly one of the realm or url parameters is present.
Diffstat (limited to 'test')
-rw-r--r--test/functional/messages_controller_test.rb16
-rw-r--r--test/unit/message_test.rb13
2 files changed, 8 insertions, 21 deletions
diff --git a/test/functional/messages_controller_test.rb b/test/functional/messages_controller_test.rb
index 2522617..6d7a906 100644
--- a/test/functional/messages_controller_test.rb
+++ b/test/functional/messages_controller_test.rb
@@ -309,22 +309,6 @@ class MessagesControllerTest < ActionController::TestCase
# Auths tests
#
- test "create_auths" do
- @request.env["RAW_POST_DATA"] = <<-'HERE'
- {
- "url":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT",
- "realm":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"
- }
- HERE
- @request.env["CONTENT_TYPE"] = "application/json"
- @request.env["X-EcsAuthId"] = identities(:stgt_id1).name
- @request.env["X-EcsReceiverMemberships"] = memberships(:ulm_wuv).id.to_s
- @request.set_REQUEST_URI("/sys/auths")
- mm_count = MembershipMessage.all.count
- post :create
- assert_response 201
- end
-
test "create_auths_url" do
@request.env["RAW_POST_DATA"] = <<-'HERE'
{
diff --git a/test/unit/message_test.rb b/test/unit/message_test.rb
index fbe0b21..928f3bc 100644
--- a/test/unit/message_test.rb
+++ b/test/unit/message_test.rb
@@ -68,9 +68,9 @@ class MessageTest < ActiveSupport::TestCase
"CONTENT_TYPE" => "application/json"
}
raw_post= Hash.new
- raw_post[:realm]= <<-'HERE'
+ raw_post[:realm]= <<-"HERE"
{
- "realm":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"
+ "realm":"#{Digest::SHA1.hexdigest 'https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT'}"
}
HERE
raw_post[:url]= <<-'HERE'
@@ -91,9 +91,12 @@ class MessageTest < ActiveSupport::TestCase
json= ActiveSupport::JSON.decode(msg.body)
end
assert json.keys.include?(k.to_s)
- assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
- assert json.keys.include?(k.to_s)
- assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
+ if k.to_s == "realm"
+ assert_equal Digest::SHA1.hexdigest("https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"), json[k.to_s]
+ end
+ if k.to_s == "url"
+ assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
+ end
assert json.keys.include?("pid")
assert_equal participants(:ilias_stgt).id, json["pid"]
end
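Review bot: The two `if k.to_s == ...` branches added here duplicate the URL literal and assert nothing at all for any key that is neither realm nor url, so a new key slipping into `raw_post` would pass silently; a single expression such as `expected = k.to_s == "realm" ? Digest::SHA1.hexdigest(url) : url` followed by `assert_equal expected, json[k.to_s]` keeps exactly one assertion per key. More importantly for the fix this commit describes, neither this unit test nor the remaining functional test exercises the rejected shapes: a body carrying both `realm` and `url`, or neither (the functional test that sent both was removed in this commit rather than turned into a negative test). Add a case that builds a message with both keys and asserts it is rejected (and one with neither), so the "exactly one of realm or url" rule is pinned by a test instead of being covered only by the absence of one. The enclosing test method starts before this hunk.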