示例#1
  /**
   * Verifies that a transaction opened by the anonymous user cannot be taken over by an
   * authenticated account.
   *
   * <p>A PUT to the transaction location authenticated as {@code fedoraAdmin} or as
   * {@code fedoraUser} must be answered with GONE. Afterwards an unauthenticated PUT inside
   * the same transaction must still be answered with CREATED, showing that the rejected
   * attempts left the transaction usable.
   *
   * @throws IOException if one of the HTTP exchanges fails
   */
  @Test
  public void testTransactionHijackingNotPossibleAnoymous() throws IOException {

    // Opened by the anonymous user; createTransaction() is defined elsewhere in the class.
    final String anonymousTx = createTransaction();

    // Same request, authenticated as fedoraAdmin: must be refused with GONE.
    try (final CloseableHttpResponse adminReply =
        executeWithBasicAuth(new HttpPut(anonymousTx), "fedoraAdmin", "fedoraAdmin")) {
      final int adminStatus = getStatus(adminReply);
      assertEquals(
          "Status should be GONE because putting on a transaction of a different user is not permitted",
          GONE.getStatusCode(),
          adminStatus);
    }

    // Same request, authenticated as fedoraUser: must be refused with GONE as well.
    try (final CloseableHttpResponse userReply =
        executeWithBasicAuth(new HttpPut(anonymousTx), "fedoraUser", "fedoraUser")) {
      final int userStatus = getStatus(userReply);
      assertEquals(
          "Status should be GONE because putting on a transaction of a different user isn't permitted",
          GONE.getStatusCode(),
          userStatus);
    }

    // The refused attempts must not have damaged the transaction: an unauthenticated PUT
    // to a fresh child path still succeeds.
    // NOTE(review): this also means every unauthenticated caller who knows the transaction
    // location can write into it; the test does not cover how guessable that location is.
    final int expectedCreated = CREATED.getStatusCode();
    final HttpPut anonymousPut = new HttpPut(anonymousTx + "/" + getRandomUniqueId());
    assertEquals("Status should be CREATED after putting", expectedCreated, getStatus(anonymousPut));
  }
示例#2
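  /**
   * Verifies that a transaction is no longer reachable once its timeout has elapsed.
   *
   * <p>The test shortens the transaction timeout through a system property, creates a
   * transaction, checks that it answers OK with a canonical {@code Link} header, waits two
   * reap intervals and then expects GONE for the same location.
   *
   * <p>The timeout is changed through {@link System#setProperty}, which is JVM-wide. The whole
   * test body therefore runs inside one {@code try}/{@code finally}, so a failing request or
   * assertion cannot leave the shortened timeout in place for tests that run later in the
   * same JVM.
   *
   * @throws IOException if one of the HTTP exchanges fails
   * @throws InterruptedException if the wait for the reaper is interrupted
   */
  @Test
  public void testCreateAndTimeoutTransaction() throws IOException, InterruptedException {

    /* create a short-lived tx: the timeout is at most half a reap interval */
    final long testTimeout = min(500, REAP_INTERVAL / 2);
    System.setProperty(TIMEOUT_SYSTEM_PROPERTY, Long.toString(testTimeout));

    try {
      /* create a tx */
      final String location = createTransaction();

      /* while still alive, the tx must answer OK and advertise the canonical server address */
      try (CloseableHttpResponse resp = execute(new HttpGet(location))) {
        assertEquals(OK.getStatusCode(), getStatus(resp));
        assertTrue(
            stream(resp.getHeaders(LINK))
                .anyMatch(i -> i.getValue().contains("<" + serverAddress + ">;rel=\"canonical\"")));
        consume(resp.getEntity());
      }

      /* wait long enough for the timeout to pass and the reaper to run */
      sleep(REAP_INTERVAL * 2);
      assertEquals(
          "Transaction did not expire", GONE.getStatusCode(), getStatus(new HttpGet(location)));
    } finally {
      /* always restore the timeout, including when an earlier step threw */
      System.setProperty(TIMEOUT_SYSTEM_PROPERTY, DEFAULT_TIMEOUT);
      /* NOTE(review): if TIMEOUT_SYSTEM_PROPERTY names this same key, the clear below undoes
         the reset above - confirm which of the two is intended */
      System.clearProperty("fcrepo.transactions.timeout");
    }
  }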
示例#3
  /**
   * Verifies that only the account that opened a transaction can write into it.
   *
   * <p>{@code fedoraAdmin} opens a transaction. A PUT to its location authenticated as
   * {@code fedoraUser}, and a PUT sent through the unauthenticated helper, must both be
   * answered with GONE. A final PUT authenticated as {@code fedoraAdmin} must be answered
   * with CREATED, showing that the refused attempts left the transaction usable for its owner.
   *
   * @throws IOException if one of the HTTP exchanges fails
   */
  @Test
  public void testTransactionHijackingNotPossible() throws IOException {

    // Open the transaction as fedoraAdmin and remember where the server placed it.
    final String ownerTx;
    final HttpPost openTx = new HttpPost(serverAddress + "fcr:tx");
    try (final CloseableHttpResponse openReply =
        executeWithBasicAuth(openTx, "fedoraAdmin", "fedoraAdmin")) {
      final int openStatus = getStatus(openReply);
      assertEquals(
          "Status should be CREATED after creating a transaction with user fedoraAdmin",
          CREATED.getStatusCode(),
          openStatus);
      ownerTx = getLocation(openReply);
    }

    // A different authenticated account must not be able to use the owner's transaction.
    try (final CloseableHttpResponse userReply =
        executeWithBasicAuth(new HttpPut(ownerTx), "fedoraUser", "fedoraUser")) {
      final int userStatus = getStatus(userReply);
      assertEquals(
          "Status should be GONE because putting on a transaction of a different user is not allowed",
          GONE.getStatusCode(),
          userStatus);
    }

    // The same holds for the anonymous user (no credentials passed to the helper).
    final int anonymousStatus = getStatus(new HttpPut(ownerTx));
    assertEquals(
        "Status should be GONE because putting on a transaction of a different user is not allowed",
        GONE.getStatusCode(),
        anonymousStatus);

    // The owner can still write into the transaction after the refused attempts.
    final HttpPut ownerPut = new HttpPut(ownerTx + "/" + getRandomUniqueId());
    try (final CloseableHttpResponse ownerReply =
        executeWithBasicAuth(ownerPut, "fedoraAdmin", "fedoraAdmin")) {
      final int ownerStatus = getStatus(ownerReply);
      assertEquals(
          "Status should be CREATED after putting",
          CREATED.getStatusCode(),
          ownerStatus);
    }
  }
示例#4
 /**
  * Verifies that a request addressed to a transaction id that this test never created is
  * answered with GONE.
  */
 @Test
 public void testRequestsInTransactionThatDoestExist() {
   // No transaction is opened here: "tx:123" is a fixed id used directly in the request path.
   final int expectedStatus = GONE.getStatusCode();
   final HttpPost postToUnknownTx = new HttpPost(serverAddress + "tx:123/objects");
   assertEquals(expectedStatus, getStatus(postToUnknownTx));
 }