[DSC-1766] Creates an IT to verify the CSRF token endpoint accessibil…

…ity in UserAgreementFilterIT
4Science · Oct 25, 2024 · b172a17 · b172a17
1 parent f28faf9
commit b172a17
Showing 1 changed file with 72 additions and 0 deletions.
diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/security/UserAgreementFilterIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/security/UserAgreementFilterIT.java
@@ -9,6 +9,8 @@
 
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -236,6 +238,76 @@ public void tryToAccessToItemRestEndpointUserThatCanIgnoreTermsTest() throws Exc
         configurationService.setProperty("user-agreement.enabled", "false");
     }
 
+
+    @Test
+    public void shouldBeAbleToAccessCSRFTokenEndpoint() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+
+        configurationService.setProperty("user-agreement.enabled", "true");
+
+        EPerson user =
+            EPersonBuilder.createEPerson(context)
+                          .withEmail("user@4science.com")
+                          .withNameInMetadata("Vins", "1st")
+                          .withCanLogin(true)
+                          .withPassword(password)
+                          .build();
+
+        context.restoreAuthSystemState();
+
+        String userToken = getAuthToken(user.getEmail(), password);
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // ignore user agreement
+        ePersonService.addMetadata(context, user, "dspace", "agreements", "ignore", "en", "true");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // refuse user agreement
+        ePersonService.setMetadataSingleValue(context, user, "dspace", "agreements", "ignore", "en", "false");
+        ePersonService.addMetadata(context, user, "dspace", "agreements", "end-user", "en", "false");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+        context.turnOffAuthorisationSystem();
+
+        user = context.reloadEntity(user);
+        // accept user agreement
+        ePersonService.setMetadataSingleValue(context, user, "dspace", "agreements", "end-user", "en", "true");
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        getClient(userToken).perform(get("/api/security/csrf"))
+                            .andExpect(status().isNoContent())
+                            .andExpect(cookie().exists(DSpaceCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME))
+                            .andExpect(header().exists(DSpaceCsrfTokenRepository.DSPACE_CSRF_HEADER_NAME));
+
+    }
+
+
     private void resetOpenPathConfigurations(String[] values) {
         configurationService.getConfiguration().clearProperty("user-agreement.open-path-patterns");
         if (values != null) {