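// TestRefererHttps checks that the CSRF filter answers 403 to a POST against
// an https URL whose Referer header is plain http, even though the form
// carries a token that was freshly issued into the same session.
func TestRefererHttps(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	// Issue a token into the session so the second request can present it.
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Second request: valid token in the form body, but the Referer scheme
	// (http) does not match the https target.
	data := url.Values{}
	data.Set("csrftoken", token)
	encoded := data.Encode()
	formPostRequest, err := http.NewRequest("POST", "https://www.example.com/", bytes.NewBufferString(encoded))
	if err != nil {
		t.Fatalf("building form request: %v", err)
	}
	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(encoded)))
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Swap the new request into the controller that still holds the session.
	c.Request = revel.NewRequest(formPostRequest)

	testFilters[0](c, testFilters)

	if c.Response.Status != 403 {
		t.Fatal("posts to https should have an https referer")
	}
}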
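// ServeHTTP adapts a revel filter chain to net/http: it wraps the incoming
// call in a revel request, response and controller, runs revel.Filters, and
// applies the produced Result to the writer.
//
// Websocket upgrade requests, and chains that set a response status without
// producing a Result, are not supported and panic.
func (rc *RevelController) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Dirty hacks, do NOT copy!
	// NOTE(review): revel.MainRouter is package-level state; writing it on every
	// request is a data race between concurrent requests, and whichever
	// RevelController served last wins for all of them.
	revel.MainRouter = rc.router

	if upgrade := r.Header.Get("Upgrade"); upgrade == "websocket" || upgrade == "Websocket" {
		panic("Not implemented")
	}

	req := revel.NewRequest(r)
	resp := revel.NewResponse(w)
	c := revel.NewController(req, resp)
	req.Websocket = nil

	revel.Filters[0](c, revel.Filters[1:])
	if c.Result != nil {
		c.Result.Apply(req, resp)
	} else if c.Response.Status != 0 {
		panic("Not implemented")
	}

	// Close the writer if it supports it. The close error is deliberately
	// dropped: the response has already been written, so there is nothing
	// left to report it through.
	if closer, ok := resp.Out.(io.Closer); ok {
		_ = closer.Close()
	}
}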
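// TestPostWithoutToken checks that the CSRF filter answers 403 to a POST that
// carries no token at all, even when a session exists.
func TestPostWithoutToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if c.Response.Status != 403 {
		t.Fatal("post without token should be forbidden")
	}
}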
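// TestTokenInSession checks that running the filter chain on a plain GET
// leaves a "csrf_token" entry in the session, i.e. the token is issued on
// first contact rather than only when a form is submitted.
func TestTokenInSession(t *testing.T) {
	resp := httptest.NewRecorder()
	getRequest, err := http.NewRequest("GET", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if _, ok := c.Session["csrf_token"]; !ok {
		t.Fatal("token should be present in session")
	}
}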
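// TestExemptPathCaseInsensitive checks that a path registered with MarkExempt
// is matched without regard to case: the exemption is registered as
// "/Controller/Action" and the POST goes to "/controller/action".
//
// NOTE(review): MarkExempt mutates shared package state, so this exemption
// stays in effect for tests that run after this one in the same process.
func TestExemptPathCaseInsensitive(t *testing.T) {
	MarkExempt("/Controller/Action")

	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/controller/action", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if c.Response.Status == 403 {
		t.Fatal("post to csrf exempt action should pass")
	}
}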
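// TestNoTokenInArgsWhenCORs checks that the filter does not expose the CSRF
// token through RenderArgs when the Referer names a different host than the
// request URL, so a cross-origin page cannot have the token rendered for it.
func TestNoTokenInArgsWhenCORs(t *testing.T) {
	resp := httptest.NewRecorder()

	// Request host and Referer host differ on purpose.
	getRequest, err := http.NewRequest("GET", "http://www.example1.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	getRequest.Header.Add("Referer", "http://www.example2.com/")

	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if _, ok := c.RenderArgs["_csrftoken"]; ok {
		t.Fatal("RenderArgs should not contain token when not same origin")
	}
}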
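// TestHeaderWithToken checks that a POST is accepted when the session token
// is presented in the X-CSRFToken header (rather than a form field) and the
// Referer matches the request origin.
func TestHeaderWithToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	// Issue a token into the session so the second request can present it.
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Second request: same origin, token carried in the header.
	formPostRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building header request: %v", err)
	}
	formPostRequest.Header.Add("X-CSRFToken", token)
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Swap the new request into the controller that still holds the session.
	c.Request = revel.NewRequest(formPostRequest)

	testFilters[0](c, testFilters)

	if c.Response.Status == 403 {
		t.Fatal("post with http header token should be allowed")
	}
}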
// renderError writes err to w through revel's error renderer, using a
// throwaway controller built around r.
func renderError(w http.ResponseWriter, r *http.Request, err error) {
	req := revel.NewRequest(r)
	resp := revel.NewResponse(w)
	revel.NewController(req, resp).RenderError(err).Apply(req, resp)
}
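// FilterForApiDoc is a revel filter that, when the "yaag.record" config flag
// is set, captures the request and response of the call and hands them to
// yaag to generate API documentation; otherwise it only passes the call down
// the filter chain.
//
// NOTE(review): with recording on, the full request body, every request
// header that is not in yaag.CommonHeaders, and the complete response body are
// copied into the documentation output. Anything sensitive carried there
// (credentials, cookies, personal data) ends up in the generated docs, so the
// flag belongs to development environments only.
func FilterForApiDoc(c *revel.Controller, fc []revel.Filter) {
	if record, _ := revel.Config.Bool("yaag.record"); !record {
		fc[0](c, fc[1:])
		return
	}

	// Replace the response with a recorder so the body and headers produced by
	// the rest of the chain can be read back afterwards.
	w := httptest.NewRecorder()
	c.Response = revel.NewResponse(w)
	httpVerb := c.Request.Method

	body := middleware.ReadBody(c.Request.Request)

	hasJson, hasXml := apiDocDecodeParams(c.Request.ContentType, httpVerb, *body, c.Request.URL.RawQuery)
	log.Println(hasJson, hasXml)

	// call remaining filters
	fc[0](c, fc[1:])

	// A chain that produced no Result has nothing to apply; dereferencing it
	// unconditionally would crash the request.
	if c.Result != nil {
		c.Result.Apply(c.Request, c.Response)
	}

	htmlValues := yaag.APICall{}

	// Split request headers into the "common" set yaag tracks separately and
	// everything else.
	htmlValues.CommonRequestHeaders = make(map[string]string)
	headers := make(map[string]string)
	for k, v := range c.Request.Header {
		joined := strings.Join(v, " ")
		if apiDocIsCommonHeader(k) {
			htmlValues.CommonRequestHeaders[k] = joined
		} else {
			headers[k] = joined
		}
	}

	htmlValues.MethodType = httpVerb
	htmlValues.CurrentPath = c.Request.URL.Path
	htmlValues.PostForm = apiDocJoinValues(c.Params.Form)
	htmlValues.RequestBody = *body
	htmlValues.RequestHeader = headers
	htmlValues.RequestUrlParams = apiDocJoinValues(c.Request.URL.Query())
	htmlValues.ResponseHeader = apiDocJoinValues(w.Header())
	htmlValues.ResponseBody = w.Body.String()
	htmlValues.ResponseCode = w.Code

	// NOTE(review): BaseLink appears to be package-level state shared by all
	// requests, and Host comes straight from the client's Host header, so the
	// link written into the docs is whatever the most recent client sent.
	yaag.ApiCallValueInstance.BaseLink = c.Request.Host

	// NOTE(review): fire-and-forget; nothing waits for or cancels this goroutine.
	go yaag.GenerateHtml(&htmlValues)
}

// apiDocDecodeParams tries to decode the request parameters as the declared
// content type, the way the documented API would: body-carrying verbs decode
// the body, all other verbs decode the raw query string. The decoded values
// themselves are discarded; the results only report whether a JSON
// (hasJson) or XML (hasXml) parse succeeded. Decode failures are logged.
func apiDocDecodeParams(contentType, httpVerb, body, rawQuery string) (hasJson, hasXml bool) {
	raw := rawQuery
	if httpVerb == "POST" || httpVerb == "PUT" || httpVerb == "PATCH" {
		raw = body
	}
	customParams := make(map[string]interface{})

	switch contentType {
	case "application/json":
		if err := json.Unmarshal([]byte(raw), &customParams); err != nil {
			log.Println("Json Error ! ", err)
		} else {
			hasJson = true
		}
	case "application/xml":
		// NOTE(review): encoding/xml does not unmarshal into a map, so this
		// branch is expected to log an error for every XML request; kept as
		// the original had it so the recorded output does not change.
		if err := xml.Unmarshal([]byte(raw), &customParams); err != nil {
			log.Println("Xml Error ! ", err)
		} else {
			hasXml = true
		}
	}
	return hasJson, hasXml
}

// apiDocIsCommonHeader reports whether name is one of yaag.CommonHeaders
// (compared exactly, as the original loop did).
func apiDocIsCommonHeader(name string) bool {
	for _, hk := range yaag.CommonHeaders {
		if name == hk {
			return true
		}
	}
	return false
}

// apiDocJoinValues flattens a multi-valued header or query map into the
// single-valued form yaag expects, joining each value list with a space.
func apiDocJoinValues(in map[string][]string) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		out[k] = strings.Join(v, " ")
	}
	return out
}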