2.4/user/test/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServletTest.java - gwt - Git at Google

 /*
  * Copyright 2011 Google Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  * License for the specific language governing permissions and limitations under
  * the License.
  */
 package com.google.gwt.user.server.rpc;

 import com.google.gwt.user.client.rpc.RpcToken;
 import com.google.gwt.user.client.rpc.RpcTokenException;
 import com.google.gwt.user.client.rpc.XsrfProtectedService;

 import junit.framework.TestCase;

 import java.lang.reflect.Method;

 /**
  * Tests {@link AbstractXsrfProtectedServiceServlet}'s XSRF enforcement logic.
  */
 public class AbstractXsrfProtectedServiceServletTest extends TestCase {

   private boolean isValidateCalled;

   @Override
   public void setUp() {
     isValidateCalled = false;
   }

   private MockXsrfProtectedServiceServlet mockServlet =
     new MockXsrfProtectedServiceServlet();

   private class MockXsrfProtectedServiceServlet extends
       AbstractXsrfProtectedServiceServlet {

     @Override
     protected void validateXsrfToken(RpcToken token, Method method)
         throws RpcTokenException {
       isValidateCalled = true;
     }
   }

   @XsrfProtect
   private interface RpcWithXsrfProtect {
     void foo();
   }

   @XsrfProtect
   private interface RpcWithXsrfProtectAndMethodOverride {
     @NoXsrfProtect
     void foo();
   }

   @NoXsrfProtect
   private interface RpcWithNoXsrfProtect {
     void foo();
   }

   @NoXsrfProtect
   private interface RpcWithNoXsrfProtectAndMethodOverride {
     @XsrfProtect
     void foo();
   }

   private interface RpcWithoutAnnotationAndMethodXsrfProtect {
     @XsrfProtect
     void foo();
   }

   private interface RpcWithoutAnnotationAndMethodNoXsrfProtect {
     @NoXsrfProtect
     void foo();
   }

   private interface RpcWithoutAnnotationsAndWithRpcTokenMethod {
     void foo();
     RpcToken getToken();
   }

   @NoXsrfProtect
   private interface
       RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride {
     void foo();
     RpcToken getToken();
   }

   @XsrfProtect
   private interface
       RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride {
     void foo();
     RpcToken getToken();
   }

   @SuppressWarnings("rpc-validation")
   private interface XsrfProtectedRpc extends XsrfProtectedService {
     void foo();
   }

   @SuppressWarnings("rpc-validation")
   private interface XsrfProtectedRpcWithOverride extends XsrfProtectedRpc {
     void fooBar();
     @NoXsrfProtect
     void insecure();
   }

   private interface RpcWithoutAnyAnnotations {
     void foo();
   }

   public void testShouldValidatedXsrfToken() throws Exception {
     checkXsrfValidationLogic(RpcWithXsrfProtect.class, "foo", true);
     checkXsrfValidationLogic(RpcWithXsrfProtectAndMethodOverride.class, "foo",
         false);
     checkXsrfValidationLogic(RpcWithNoXsrfProtect.class, "foo", false);
     checkXsrfValidationLogic(RpcWithNoXsrfProtectAndMethodOverride.class, "foo",
         true);
     checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodXsrfProtect.class,
         "foo", true);
     checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodNoXsrfProtect.class,
         "foo", false);
     checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
         "foo", true);
     checkXsrfValidationLogic(
         RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
         "foo", false);
     checkXsrfValidationLogic(
         RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
         "getToken", false);
     checkXsrfValidationLogic(
         RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
         "foo", true);
     checkXsrfValidationLogic(
         RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
         "getToken", true);
     checkXsrfValidationLogic(RpcWithoutAnyAnnotations.class, "foo", false);
     checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
         "getToken", false);
     checkXsrfValidationLogic(XsrfProtectedRpc.class, "foo", true);
     checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "foo", true);
     checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "insecure",
         false);
   }

   private void checkXsrfValidationLogic(Class<?> rpcClass, String methodName,
       boolean mustCallValidate) throws Exception {
     isValidateCalled = false;
     Method method = rpcClass.getMethod(methodName, new Class[] {});
     RPCRequest request = new RPCRequest(method, new Object[] {}, null, 0);
     mockServlet.onAfterRequestDeserialized(request);
     assertEquals(mustCallValidate, isValidateCalled);
   }
 }
	/*
	* Copyright 2011 Google Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License"); you may not
	* use this file except in compliance with the License. You may obtain a copy of
	* the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	* License for the specific language governing permissions and limitations under
	* the License.
	*/
	package com.google.gwt.user.server.rpc;

	import com.google.gwt.user.client.rpc.RpcToken;
	import com.google.gwt.user.client.rpc.RpcTokenException;
	import com.google.gwt.user.client.rpc.XsrfProtectedService;

	import junit.framework.TestCase;

	import java.lang.reflect.Method;

	/**
	* Tests {@link AbstractXsrfProtectedServiceServlet}'s XSRF enforcement logic.
	*/
	public class AbstractXsrfProtectedServiceServletTest extends TestCase {

	private boolean isValidateCalled;

	@Override
	public void setUp() {
	isValidateCalled = false;
	}

	private MockXsrfProtectedServiceServlet mockServlet =
	new MockXsrfProtectedServiceServlet();

	private class MockXsrfProtectedServiceServlet extends
	AbstractXsrfProtectedServiceServlet {

	@Override
	protected void validateXsrfToken(RpcToken token, Method method)
	throws RpcTokenException {
	isValidateCalled = true;
	}
	}

	@XsrfProtect
	private interface RpcWithXsrfProtect {
	void foo();
	}

	@XsrfProtect
	private interface RpcWithXsrfProtectAndMethodOverride {
	@NoXsrfProtect
	void foo();
	}

	@NoXsrfProtect
	private interface RpcWithNoXsrfProtect {
	void foo();
	}

	@NoXsrfProtect
	private interface RpcWithNoXsrfProtectAndMethodOverride {
	@XsrfProtect
	void foo();
	}

	private interface RpcWithoutAnnotationAndMethodXsrfProtect {
	@XsrfProtect
	void foo();
	}

	private interface RpcWithoutAnnotationAndMethodNoXsrfProtect {
	@NoXsrfProtect
	void foo();
	}

	private interface RpcWithoutAnnotationsAndWithRpcTokenMethod {
	void foo();
	RpcToken getToken();
	}

	@NoXsrfProtect
	private interface
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride {
	void foo();
	RpcToken getToken();
	}

	@XsrfProtect
	private interface
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride {
	void foo();
	RpcToken getToken();
	}

	@SuppressWarnings("rpc-validation")
	private interface XsrfProtectedRpc extends XsrfProtectedService {
	void foo();
	}

	@SuppressWarnings("rpc-validation")
	private interface XsrfProtectedRpcWithOverride extends XsrfProtectedRpc {
	void fooBar();
	@NoXsrfProtect
	void insecure();
	}

	private interface RpcWithoutAnyAnnotations {
	void foo();
	}

	public void testShouldValidatedXsrfToken() throws Exception {
	checkXsrfValidationLogic(RpcWithXsrfProtect.class, "foo", true);
	checkXsrfValidationLogic(RpcWithXsrfProtectAndMethodOverride.class, "foo",
	false);
	checkXsrfValidationLogic(RpcWithNoXsrfProtect.class, "foo", false);
	checkXsrfValidationLogic(RpcWithNoXsrfProtectAndMethodOverride.class, "foo",
	true);
	checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodXsrfProtect.class,
	"foo", true);
	checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodNoXsrfProtect.class,
	"foo", false);
	checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
	"foo", true);
	checkXsrfValidationLogic(
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
	"foo", false);
	checkXsrfValidationLogic(
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
	"getToken", false);
	checkXsrfValidationLogic(
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
	"foo", true);
	checkXsrfValidationLogic(
	RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
	"getToken", true);
	checkXsrfValidationLogic(RpcWithoutAnyAnnotations.class, "foo", false);
	checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
	"getToken", false);
	checkXsrfValidationLogic(XsrfProtectedRpc.class, "foo", true);
	checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "foo", true);
	checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "insecure",
	false);
	}

	private void checkXsrfValidationLogic(Class<?> rpcClass, String methodName,
	boolean mustCallValidate) throws Exception {
	isValidateCalled = false;
	Method method = rpcClass.getMethod(methodName, new Class[] {});
	RPCRequest request = new RPCRequest(method, new Object[] {}, null, 0);
	mockServlet.onAfterRequestDeserialized(request);
	assertEquals(mustCallValidate, isValidateCalled);
	}
	}