Merge branch 'master' into feature/osgi-settings

# Conflicts:
#	src/main/aem/jcr_root/etc/secureaem/.content.xml
#	src/main/java/com/cognifide/secureaem/AbstractTest.java
#	src/main/resources/test_suite.properties

README.md

@@ -44,15 +44,15 @@ JAR package will be available as `target/secure-aem-VERSION-cli.jar`.
 
 Usage is simple:
 
-    java -jar secure-aem-VERSION.jar [-a AUTHOR_URL] [-p PUBLISH_URL] [-d DISPATCHER_URL]
+    java -jar secure-aem-VERSION.jar [-a AUTHOR_URL] [-aCredentials AUTHOR_LOGIN:AUTHOR_PASSWORD] [-p PUBLISH_URL] [-pCredentials PUBLISH_LOGIN:PUBLISH_PASSWORD] [-d DISPATCHER_URL]
 
 Enter at least one URL to test given instance, eg.:
 
-    java -jar secure-aem-VERSION.jar -a https://localhost:4502
+    java -jar secure-aem-VERSION.jar -a https://localhost:4502 -aCredentials admin:admin
 
 to invoke author tests on the localhost or
 
-    java -jar secure-aem-VERSION.jar -a 192.168.35.105:4502 -p 192.168.35.105:4503 -d 192.168.35.105
+    java -jar secure-aem-VERSION.jar -a 192.168.35.105:4502 -aCredentials admin:admin -p 192.168.35.105:4503  -pCredentials admin:admin-d 192.168.35.105
 
 to invoke author, publish and dispatcher-related tests. You may skip the starting `https://`, *SecureAEM* uses HTTP protocol by default.
 
@@ -62,7 +62,7 @@ By default *SecureAEM* runs full test set defined in:
 
 to override it use maven -suite parameter
 
-    java -jar secure-aem-VERSION.jar -a https://localhost:4502 -suite /home/myComputer/test_suite.properties
+    java -jar secure-aem-VERSION.jar -a https://localhost:4502 -aCredentials admin:admin -suite /home/myComputer/test_suite.properties
 
 ## Writing own tests
 

src/main/aem/jcr_root/apps/cognifide/secureaem/components/crxDevelopmentBundles/dialog.xml

@@ -18,12 +18,6 @@
                     title="Test configuration"
                     xtype="panel">
                     <items jcr:primaryType="cq:WidgetCollection">
-                        <title
-                            jcr:primaryType="cq:Widget"
-                            allowBlank="false"
-                            fieldLabel="Credentials"
-                            name="./testComponent/users"
-                            xtype="textfield"/>
                         <items
                             jcr:primaryType="cq:Widget"
                             fieldDescription="Press + to add more items"

src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingDevelopmentBundle/dialog.xml

@@ -18,12 +18,6 @@
                     title="Test configuration"
                     xtype="panel">
                     <items jcr:primaryType="cq:WidgetCollection">
-                        <title
-                            jcr:primaryType="cq:Widget"
-                            allowBlank="false"
-                            fieldLabel="Credentials"
-                            name="./testComponent/users"
-                            xtype="textfield"/>
                         <items
                             jcr:primaryType="cq:Widget"
                             fieldDescription="Press + to add more items"

src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/.content.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.SlingReferrerFilterTest"/>

src/main/aem/jcr_root/apps/cognifide/secureaem/renderers/mainRenderer/dialog.xml

@@ -25,12 +25,27 @@
                             fieldLabel="Author URL"
                             name="./author"
                             xtype="textfield"/>
+                        <authorCredentials
+                            jcr:primaryType="cq:Widget"
+                            allowBlank="false"
+                            fieldLabel="Author Credentials"
+                            name="./authorCredentials"
+                            defaultValue="admin:admin"
+                            xtype="textfield"/>
                         <publish
                             jcr:primaryType="cq:Widget"
                             allowBlank="true"
                             fieldLabel="Publish URL"
                             name="./publish"
                             xtype="textfield"/>
+                        <publishCredentials
+                            jcr:primaryType="cq:Widget"
+                            allowBlank="false"
+                            fieldLabel="Publish Credentials"
+                            name="./publishCredentials"
+                            defaultValue="admin:admin"
+                            xtype="textfield"/>
+
                     </items>
                 </configuration>
             </items>

src/main/aem/jcr_root/etc/secureaem/.content.xml

@@ -26,4 +26,8 @@
     <html-library-manager/>
     <sling-js-handler/>
     <sling-jsp-script-handler/>
+    <crx-development-bundles/>
+    <replication-transport-users/>
+    <sling-development-bundle/>
+    <sling-referrer-filter/>
 </jcr:root>

src/main/aem/jcr_root/etc/secureaem/sling-referrer-filter/.content.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="Protect against Cross-Site Request Forgery"
+        jcr:primaryType="cq:PageContent"
+        jcr:title="Sling Referrer Filter"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="CRITICAL"
+        url="https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html#Protect against Cross-Site Request Forgery"
+        urlDesc="docs.adobe.com">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/slingReferrerFilter"
+            enabled="true"
+            users="[admin:admin]"/>
+    </jcr:content>
+</jcr:root>

src/main/java/com/cognifide/secureaem/AbstractTest.java

@@ -7,6 +7,7 @@
 import java.util.Set;
 
 import org.apache.commons.lang3.StringUtils;
+import org.apache.http.auth.UsernamePasswordCredentials;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -55,12 +56,12 @@ public void test() throws IOException {
 	/**
 	 * Perform test.
 	 *
-	 * @param url URL of the instance to test.
+	 * @param url          URL of the instance to test.
 	 * @param instanceName Name of the instance (eg. author, publish or dispatcher).
 	 * @return true if the test succeeded
 	 * @throws Exception If you throw an exception, test result will be set to "Exception". You may throw
-	 * special {@link AbstractTest.InvalidConfigurationException} with message if the test configuration isn't set
-	 * correctly.
+	 *                   special {@link AbstractTest.InvalidConfigurationException} with message if the test
+	 *                   configuration isn't set correctly.
 	 */
 	protected abstract boolean doTest(String url, String instanceName) throws Exception;
 
@@ -100,7 +101,7 @@ private TestResult doTest() throws Exception {
 	 * Add information message, it'll be shown to the user.
 	 *
 	 * @param message Message can contain standard {@code String.format()} placeholders
-	 * @param params Values to fill the placeholders.
+	 * @param params  Values to fill the placeholders.
 	 */
 	protected void addInfoMessage(String message, Object... params) {
 		String formatted = String.format(message, params);
@@ -111,13 +112,30 @@ protected void addInfoMessage(String message, Object... params) {
 	 * Add error message, it'll be shown to the user.
 	 *
 	 * @param message Message can contain standard {@code String.format()} placeholders
-	 * @param params Values to fill the placeholders.
+	 * @param params  Values to fill the placeholders.
 	 */
 	protected void addErrorMessage(String message, Object... params) {
 		String formatted = String.format(message, params);
 		errorMessages.add(formatted);
 	}
 
+	/**
+	 * Creates {@code UsernamePasswordCredentials} instance from configuration.
+	 * @param instance - instance name
+	 * @return UsernamePasswordCredentials
+	 */
+	protected UsernamePasswordCredentials getUsernamePasswordCredentials(String instance) {
+		UsernamePasswordCredentials credentials = null;
+		if (AuthorTest.ENVIRONMENT_NAME.equals(instance)) {
+			credentials = new UsernamePasswordCredentials(config.getAuthorLogin(),
+					config.getAuthorPassword());
+		} else if (PublishTest.ENVIRONMENT_NAME.equals(instance)) {
+			credentials = new UsernamePasswordCredentials(config.getPublishLogin(),
+					config.getPublishPassword());
+		}
+		return credentials;
+	}
+
 	/**
 	 * Check boolean property. If different than expected error message will be added to error list, if same as expected info message will be added to info list
 	 *

src/main/java/com/cognifide/secureaem/Configuration.java

@@ -9,8 +9,16 @@ public interface Configuration {
 
 	String getAuthor();
 
+	String getAuthorLogin();
+
+	String getAuthorPassword();
+
 	String getPublish();
 
+	String getPublishLogin();
+
+	String getPublishPassword();
+
 	String getStringValue(String name, String defaultValue);
 
 	String[] getStringList(String name);

src/main/java/com/cognifide/secureaem/cli/CliConfiguration.java

@@ -13,42 +13,65 @@
 
 public class CliConfiguration implements Configuration {
 
+	public static final String DEFAULT_USER = "admin";
+
 	private final XmlConfigurationReader xmlConfigReader;
 
 	private final CommandLine cmdLine;
 
-	public CliConfiguration(XmlConfigurationReader xmlConfigReader, CommandLine cmdLine) throws IOException,
-			ParserConfigurationException, SAXException, URISyntaxException {
+	public CliConfiguration(XmlConfigurationReader xmlConfigReader, CommandLine cmdLine)
+			throws IOException, ParserConfigurationException, SAXException, URISyntaxException {
 		this.xmlConfigReader = xmlConfigReader;
 		this.cmdLine = cmdLine;
 	}
 
-	@Override
-	public String getDispatcherUrl() {
+	@Override public String getDispatcherUrl() {
 		return makeUrl(cmdLine.getOptionValue("d"));
 	}
 
-	@Override
-	public String getAuthor() {
+	@Override public String getAuthor() {
 		return makeUrl(cmdLine.getOptionValue("a"));
 	}
 
-	@Override
-	public String getPublish() {
+	@Override public String getAuthorLogin() {
+		return getCredentialsParameter("aCredentials", 0);
+	}
+
+	@Override public String getAuthorPassword() {
+		return getCredentialsParameter("aCredentials", 1);
+	}
+
+	@Override public String getPublish() {
 		return makeUrl(cmdLine.getOptionValue("p"));
 	}
 
-	@Override
-	public String getStringValue(String name, String defaultValue) {
+	@Override public String getPublishLogin() {
+		return getCredentialsParameter("pCredentials", 0);
+	}
+
+	@Override public String getPublishPassword() {
+		return getCredentialsParameter("pCredentials", 1);
+	}
+
+	@Override public String getStringValue(String name, String defaultValue) {
 		return StringUtils.defaultIfEmpty(xmlConfigReader.getValue(name), defaultValue);
 	}
 
-	@Override
-	public String[] getStringList(String name) {
+	@Override public String[] getStringList(String name) {
 		return xmlConfigReader.getValueList(name);
 	}
 
-	public static String makeUrl(String url) {
+	private String getCredentialsParameter(String credentialName, int parameterIndex) {
+		if (cmdLine.hasOption(credentialName)) {
+			String[] parameters = cmdLine.getOptionValue(credentialName).split(":");
+			if (parameters.length == 2) {
+				return parameters[parameterIndex];
+			}
+		}
+		return DEFAULT_USER;
+	}
+
+	private static String makeUrl(String url) {
 		if (StringUtils.isBlank(url)) {
 			return url;
 		}

src/main/java/com/cognifide/secureaem/cli/Main.java

@@ -8,6 +8,7 @@
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.BufferedReader;
+import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -39,25 +40,29 @@ public static void main(String[] args) throws Exception {
 	}
 
 	private static List<TestLoader> createTestLoaders(CommandLine cmdLine) throws IOException, ClassNotFoundException {
+		try (BufferedReader reader = getBufferedReader(cmdLine)) {
+			List<TestLoader> testLoaders = new ArrayList<>();
+			String line;
+			while ((line = reader.readLine()) != null) {
+				String[] parameters = line.split(", ");
+				if (parameters.length == 2) {
+					Class clazz = Class.forName(parameters[0]);
+					testLoaders.add(new TestLoader(clazz, parameters[1]));
+				}
+			}
+			return testLoaders;
+		}
+	}
+
+	private static BufferedReader getBufferedReader(CommandLine cmdLine) throws FileNotFoundException {
 		BufferedReader reader;
-		if(cmdLine.hasOption("suite")){
+		if (cmdLine.hasOption("suite")) {
 			reader = new BufferedReader(new FileReader(cmdLine.getOptionValue("suite")));
-		}
-		else {
+		} else {
 			InputStream is = Main.class.getClass().getResourceAsStream(DEFAULT_TEST_SUITE_PATH);
 			reader = new BufferedReader(new InputStreamReader(is));
 		}
-
-		List<TestLoader> testLoaders = new ArrayList<>();
-		String line;
-		while ((line = reader.readLine()) != null) {
-			String[] parameters = line.split(", ");
-			if(parameters.length == 2) {
-				Class clazz = Class.forName(parameters[0]);
-				testLoaders.add(new TestLoader(clazz, parameters[1]));
-			}
-		}
-		return testLoaders;
+		return reader;
 	}
 
 	private static boolean doTest(TestLoader testLoader, CommandLine cmdLine) throws Exception {
@@ -100,6 +105,8 @@ private static CommandLine createOptions(String args[]) throws ParseException {
 		options.addOption("p", true, "publish URL");
 		options.addOption("d", true, "dispatcher URL");
 		options.addOption("suite", true, "test suite");
+		options.addOption("aCredentials", true, "author credentials");
+		options.addOption("pCredentials", true, "publish credentials");
 
 		CommandLineParser parser = new PosixParser();
 		return parser.parse(options, args);