jenkins/test/src/test/java/hudson/security/csrf/GlobalCrumbIssuerConfigurationTest.java at 25f33cc7493f59aa0f71d7e108e6343a7afe96cf · jenkinsci/jenkins · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
package hudson.security.csrf;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;

import jakarta.servlet.ServletRequest;
import org.htmlunit.html.HtmlPage;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.TestExtension;
import org.jvnet.hudson.test.junit.jupiter.WithJenkins;

@WithJenkins
class GlobalCrumbIssuerConfigurationTest {

    private JenkinsRule j;

    @BeforeEach
    void setUp(JenkinsRule rule) {
        j = rule;
    }

    @Test
    void csrfSectionShownWhenNonDefaultIssuerConfigured() throws Exception {
        // DefaultCrumbIssuer is default, but other CrumbIssuer descriptors exist in test environment
        // so the CSRF section should be visible
        j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false));

        JenkinsRule.WebClient wc = j.createWebClient();
        HtmlPage page = wc.goTo("configureSecurity");
        String pageContent = page.asNormalizedText();

        // With multiple CrumbIssuer descriptors available (from test extensions),
        // the CSRF Protection section should always be shown
        assertThat(pageContent, containsString("Crumb Issuer"));
    }

    @Test
    void csrfSectionShownWhenCsrfProtectionDisabled() throws Exception {
        boolean original = GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION;
        try {
            GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true;

            JenkinsRule.WebClient wc = j.createWebClient();
            HtmlPage page = wc.goTo("configureSecurity");
            String pageContent = page.asNormalizedText();

            assertThat(pageContent, containsString("This configuration is unavailable because the System property"));
        } finally {
            GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = original;
        }
    }

    @TestExtension("csrfSectionShownWhenNonDefaultIssuerConfigured")
    public static class DummyCrumbIssuer extends CrumbIssuer {

        @Override
        public String getCrumbRequestField() {
            return "dummy";
        }

        @Override
        public String issueCrumb(ServletRequest request, String salt) {
            return "dummy-crumb";
        }

        public static class DescriptorImpl extends CrumbIssuerDescriptor<DummyCrumbIssuer> {

            DescriptorImpl() {
                super(
                    DummyCrumbIssuer.class.getName(),
                    "Dummy Crumb Issuer"
                );
            }

            @Override
            public String getDisplayName() {
                return "Dummy Crumb Issuer";
            }
        }
    }
}