/**
 * Transactions opened by an anonymous caller are protected from hijacking just like
 * authenticated ones: neither fedoraAdmin nor fedoraUser may write into the anonymous
 * transaction, and the rejected attempts leave it intact and usable anonymously.
 *
 * @throws IOException on HTTP failures
 */
@Test
public void testTransactionHijackingNotPossibleAnoymous() throws IOException {
    // an unauthenticated caller opens the transaction
    final String anonymousTx = createTransaction();

    // an authenticated admin is refused with GONE
    try (final CloseableHttpResponse adminAttempt =
            executeWithBasicAuth(new HttpPut(anonymousTx), "fedoraAdmin", "fedoraAdmin")) {
        assertEquals(
                "Status should be GONE because putting on a transaction of a different user is not permitted",
                GONE.getStatusCode(),
                getStatus(adminAttempt));
    }

    // a regular authenticated user is refused the same way
    try (final CloseableHttpResponse userAttempt =
            executeWithBasicAuth(new HttpPut(anonymousTx), "fedoraUser", "fedoraUser")) {
        assertEquals(
                "Status should be GONE because putting on a transaction of a different user isn't permitted",
                GONE.getStatusCode(),
                getStatus(userAttempt));
    }

    // the rejected attempts did not invalidate the tx: an anonymous caller can still create a child in it.
    // NOTE(review): the denied attempts above PUT to the transaction root, while this positive check
    // PUTs to a child path; denying the same child path for the other users would make both halves
    // of the test exercise the same request shape.
    final String childInTx = anonymousTx + "/" + getRandomUniqueId();
    assertEquals(
            "Status should be CREATED after putting",
            CREATED.getStatusCode(),
            getStatus(new HttpPut(childInTx)));
}
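/**
 * Verifies that a transaction whose timeout has elapsed is reaped and that requests against it
 * afterwards are answered with {@code GONE}.
 *
 * <p>The timeout is shortened through {@code TIMEOUT_SYSTEM_PROPERTY} for the duration of the
 * test. The whole body runs inside a {@code try}/{@code finally} so that the property is restored
 * even when {@link #createTransaction()} or one of the earlier assertions fails; in the original
 * only the last assertion was guarded, which could leak the shortened timeout into later tests.
 *
 * @throws IOException          on HTTP failures
 * @throws InterruptedException if the wait for the reaper is interrupted
 */
@Test
public void testCreateAndTimeoutTransaction() throws IOException, InterruptedException {
    /* short-lived tx: at most 500 ms and never longer than half a reap interval,
       so the wait of two reap intervals below comfortably covers the expiry */
    final long testTimeout = min(500, REAP_INTERVAL / 2);
    System.setProperty(TIMEOUT_SYSTEM_PROPERTY, Long.toString(testTimeout));
    try {
        final String location = createTransaction();

        /* the fresh tx is reachable and advertises the repository root as canonical */
        try (final CloseableHttpResponse resp = execute(new HttpGet(location))) {
            assertEquals(OK.getStatusCode(), getStatus(resp));
            assertTrue(
                    "Expected a canonical Link header pointing at " + serverAddress,
                    stream(resp.getHeaders(LINK))
                            .anyMatch(i -> i.getValue().contains("<" + serverAddress + ">;rel=\"canonical\"")));
            consume(resp.getEntity());
        }

        /* give the reaper two full intervals to notice the expired tx */
        sleep(REAP_INTERVAL * 2);

        assertEquals(
                "Transaction did not expire",
                GONE.getStatusCode(),
                getStatus(new HttpGet(location)));
    } finally {
        /* restore the default regardless of which step above failed */
        System.setProperty(TIMEOUT_SYSTEM_PROPERTY, DEFAULT_TIMEOUT);
        // NOTE(review): if TIMEOUT_SYSTEM_PROPERTY is this same key, the clear below undoes the
        // restore just made and the default then applies implicitly; kept as in the original --
        // confirm which of the two is the intended cleanup.
        System.clearProperty("fcrepo.transactions.timeout");
    }
}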
/**
 * A transaction opened by one user cannot be written to by a different principal -- neither
 * another authenticated user nor an anonymous caller -- and the rejected attempts leave the
 * transaction usable by its owner.
 *
 * @throws IOException on HTTP failures
 */
@Test
public void testTransactionHijackingNotPossible() throws IOException {
    // fedoraAdmin opens the transaction and is therefore its owner
    final String adminTx;
    try (final CloseableHttpResponse created = executeWithBasicAuth(
            new HttpPost(serverAddress + "fcr:tx"), "fedoraAdmin", "fedoraAdmin")) {
        assertEquals(
                "Status should be CREATED after creating a transaction with user fedoraAdmin",
                CREATED.getStatusCode(),
                getStatus(created));
        adminTx = getLocation(created);
    }

    // a different authenticated user is refused with GONE
    try (final CloseableHttpResponse userAttempt =
            executeWithBasicAuth(new HttpPut(adminTx), "fedoraUser", "fedoraUser")) {
        assertEquals(
                "Status should be GONE because putting on a transaction of a different user is not allowed",
                GONE.getStatusCode(),
                getStatus(userAttempt));
    }

    // an unauthenticated caller is refused the same way
    assertEquals(
            "Status should be GONE because putting on a transaction of a different user is not allowed",
            GONE.getStatusCode(),
            getStatus(new HttpPut(adminTx)));

    // the owner can still create a child resource inside the transaction
    final String childInTx = adminTx + "/" + getRandomUniqueId();
    try (final CloseableHttpResponse ownerPut =
            executeWithBasicAuth(new HttpPut(childInTx), "fedoraAdmin", "fedoraAdmin")) {
        assertEquals(
                "Status should be CREATED after putting",
                CREATED.getStatusCode(),
                getStatus(ownerPut));
    }
}
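/**
 * A request routed through a transaction id that was never created is answered with
 * {@code GONE}. That is the same status the hijacking tests in this class assert for a
 * transaction owned by a different user, so -- at least for these requests -- a caller cannot
 * tell an unknown transaction id apart from one it is merely not allowed to use.
 */
@Test
public void testRequestsInTransactionThatDoestExist() {
    // "tx:123" is a made-up id: nothing in this test creates it
    assertEquals(
            "Status should be GONE for a request inside a transaction that was never created",
            GONE.getStatusCode(),
            getStatus(new HttpPost(serverAddress + "tx:123/objects")));
}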