The Sling Referrer Filter test

wttech · Sep 21, 2016 · ff0fa58 · ff0fa58
1 parent ef83b3c
commit ff0fa58
Show file tree

Hide file tree

Showing 10 changed files with 163 additions and 16 deletions.
diff --git a/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/.content.xml b/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/.content.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Component"
+    sling:resourceSuperType="cognifide/secureaem/components/abstractTest"
+    testClass="com.cognifide.secureaem.tests.SlingReferrerFilterTest"/>
diff --git a/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/dialog.xml b/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/dialog.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0"
+    jcr:primaryType="cq:Dialog"
+    height="400"
+    xtype="dialog">
+    <items jcr:primaryType="cq:WidgetCollection">
+        <tabPanel
+            jcr:primaryType="cq:TabPanel"
+            xtype="tabpanel">
+            <items jcr:primaryType="cq:WidgetCollection">
+                <general
+                    jcr:primaryType="cq:Widget"
+                    path="/apps/cognifide/secureaem/renderers/testRenderer/tab_general.infinity.json"
+                    xtype="cqinclude"/>
+                <configuration
+                    jcr:primaryType="cq:Widget"
+                    anchor="100%"
+                    title="Test configuration"
+                    xtype="panel">
+                    <items jcr:primaryType="cq:WidgetCollection">
+                        <title
+                            jcr:primaryType="cq:Widget"
+                            allowBlank="false"
+                            fieldLabel="Credentials"
+                            name="./testComponent/users"
+                            xtype="textfield"/>
+                    </items>
+                </configuration>
+            </items>
+        </tabPanel>
+    </items>
+</jcr:root>
diff --git a/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/metadata.jsp b/src/main/aem/jcr_root/apps/cognifide/secureaem/components/slingReferrerFilter/metadata.jsp
@@ -0,0 +1,13 @@
+<%@page contentType="text/html"
+            pageEncoding="utf-8"%><%
+%><%@include file="/libs/foundation/global.jsp"%>
+<p>Following credentials will be checked:</p>
+<ul>
+<c:forEach var="item" items="${properties.users}">
+    <li>
+        <div class="li-bullet">
+            ${item}
+        </div>
+    </li>
+</c:forEach>
+</ul>
diff --git a/src/main/aem/jcr_root/etc/secureaem/.content.xml b/src/main/aem/jcr_root/etc/secureaem/.content.xml
@@ -22,4 +22,8 @@
     <geometrixx/>
     <redundant-selectors/>
     <error-handler/>
+    <crx-development-bundles/>
+    <replication-transport-users/>
+    <sling-development-bundle/>
+    <sling-referrer-filter/>
 </jcr:root>
diff --git a/src/main/aem/jcr_root/etc/secureaem/sling-referrer-filter/.content.xml b/src/main/aem/jcr_root/etc/secureaem/sling-referrer-filter/.content.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="https://sling.apache.org/jcr/sling/1.0" xmlns:cq="https://www.day.com/jcr/cq/1.0" xmlns:jcr="https://www.jcp.org/jcr/1.0" xmlns:nt="https://www.jcp.org/jcr/nt/1.0"
+    jcr:primaryType="cq:Page">
+    <jcr:content
+        jcr:description="Protect against Cross-Site Request Forgery"
+        jcr:primaryType="cq:PageContent"
+        jcr:title="Sling Referrer Filter"
+        sling:resourceType="cognifide/secureaem/renderers/testRenderer"
+        severity="CRITICAL"
+        url="https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html#Protect against Cross-Site Request Forgery"
+        urlDesc="docs.adobe.com">
+        <testComponent
+            jcr:primaryType="nt:unstructured"
+            sling:resourceType="cognifide/secureaem/components/slingReferrerFilter"
+            enabled="true"
+            users="[admin:admin]"/>
+    </jcr:content>
+</jcr:root>
diff --git a/src/main/java/com/cognifide/secureaem/AbstractTest.java b/src/main/java/com/cognifide/secureaem/AbstractTest.java
@@ -6,7 +6,9 @@
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.http.auth.UsernamePasswordCredentials;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -118,6 +120,20 @@ protected void addErrorMessage(String message, Object... params) {
 		errorMessages.add(formatted);
 	}
 
+	/**
+	 * Creates {@code UsernamePasswordCredentials} instance from component configuration.
+	 * @return UsernamePasswordCredentials
+	 * @throws IllegalArgumentException if credentials are not configured properly.
+	 */
+	protected UsernamePasswordCredentials getUserNamePasswordCredentials() {
+		String[] users = config.getStringList("users");
+		if (ArrayUtils.isEmpty(users)) {
+			throw new IllegalArgumentException("Invalid configuration");
+		}
+		String[] userInfo = UserHelper.splitUser(users[0]);
+		return new  UsernamePasswordCredentials(userInfo[0], userInfo[1]);
+	}
+
 	public List<String> getInfoMessages() {
 		return infoMessages;
 	}

diff --git a/src/main/java/com/cognifide/secureaem/tests/BundlesTest.java b/src/main/java/com/cognifide/secureaem/tests/BundlesTest.java
@@ -4,11 +4,9 @@
 
 import com.cognifide.secureaem.AbstractTest;
 import com.cognifide.secureaem.Configuration;
-import com.cognifide.secureaem.UserHelper;
 import com.cognifide.secureaem.markers.AuthorTest;
 import com.cognifide.secureaem.markers.PublishTest;
 
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.UsernamePasswordCredentials;
@@ -37,12 +35,7 @@ public BundlesTest(Configuration config) {
 	}
 
 	@Override public boolean doTest(String url, String instanceName) throws Exception {
-		String[] users = config.getStringList("users");
-		if (ArrayUtils.isEmpty(users)) {
-			throw new IllegalArgumentException("Invalid configuration");
-		}
-		String[] userInfo = UserHelper.splitUser(users[0]);
-		UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(userInfo[0], userInfo[1]);
+		UsernamePasswordCredentials credentials = getUserNamePasswordCredentials();
 
 		String agentUrl = url + "/system/console/bundles.json";
 		HttpUriRequest request = new HttpGet(agentUrl);

diff --git a/src/main/java/com/cognifide/secureaem/tests/ReplicationTransportUsersTest.java b/src/main/java/com/cognifide/secureaem/tests/ReplicationTransportUsersTest.java
@@ -4,11 +4,9 @@
 
 import com.cognifide.secureaem.AbstractTest;
 import com.cognifide.secureaem.Configuration;
-import com.cognifide.secureaem.UserHelper;
 import com.cognifide.secureaem.markers.AuthorTest;
 import com.cognifide.secureaem.markers.PublishTest;
 
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.UsernamePasswordCredentials;
@@ -37,12 +35,7 @@ public ReplicationTransportUsersTest(Configuration config) {
 	}
 
 	@Override public boolean doTest(String url, String instanceName) throws Exception {
-		String[] users = config.getStringList("users");
-		if (ArrayUtils.isEmpty(users)) {
-			throw new IllegalArgumentException("Invalid configuration");
-		}
-		String[] userInfo = UserHelper.splitUser(users[0]);
-		UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(userInfo[0], userInfo[1]);
+		UsernamePasswordCredentials credentials = getUserNamePasswordCredentials();
 
 		boolean result = testReplicationUser(credentials, instanceName, url);
 		return testReversReplicationUser(credentials, instanceName, url) && result;

diff --git a/src/main/java/com/cognifide/secureaem/tests/SlingReferrerFilterTest.java b/src/main/java/com/cognifide/secureaem/tests/SlingReferrerFilterTest.java
@@ -0,0 +1,72 @@
+package com.cognifide.secureaem.tests;
+
+import com.google.gson.Gson;
+
+import com.cognifide.secureaem.AbstractTest;
+import com.cognifide.secureaem.Configuration;
+import com.cognifide.secureaem.markers.AuthorTest;
+import com.cognifide.secureaem.markers.PublishTest;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpResponse;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.impl.auth.BasicScheme;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.util.EntityUtils;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Check if Sling Referrer Filter is configured.
+ *
+ * Created by Mariusz Kubiś on 20.09.16
+ */
+public class SlingReferrerFilterTest extends AbstractTest implements AuthorTest, PublishTest {
+
+	private static final Gson GSON = new Gson();
+
+	private static final DefaultHttpClient client = new DefaultHttpClient();
+
+	public SlingReferrerFilterTest(Configuration config) {
+		super(config);
+	}
+
+	@Override public boolean doTest(String url, String instanceName) throws Exception {
+		UsernamePasswordCredentials credentials = getUserNamePasswordCredentials();
+		String testedUrl =
+				url + "/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter.json";
+		HttpUriRequest request = new HttpGet(testedUrl);
+		request.addHeader(new BasicScheme().authenticate(credentials, request, null));
+		HttpResponse response = client.execute(request);
+		String body = EntityUtils.toString(response.getEntity());
+		if (response.getStatusLine().getStatusCode() == 200) {
+			String hostsString = StringUtils
+					.substringBetween(body, "\"allow.hosts\":", ",\"allow.hosts.regexp\"");
+			@SuppressWarnings("unchecked") Map<String, ArrayList<String>> hostsMap = GSON
+					.fromJson(hostsString, Map.class);
+			String regexpString = StringUtils
+					.substringBetween(body, "\"allow.hosts.regexp\":", ",\"filter.methods\"");
+			@SuppressWarnings("unchecked") Map<String, ArrayList<String>> regexpMap = GSON
+					.fromJson(regexpString, Map.class);
+			List<String> hosts = hostsMap.get("values");
+			List<String> regexps = regexpMap.get("values");
+			hosts.removeAll(Collections.singletonList(""));
+			regexps.removeAll(Collections.singletonList(""));
+			if (hosts.isEmpty() && regexps.isEmpty()) {
+				addErrorMessage("Sling Referrer Filter is not configured on [%s]", instanceName);
+				return false;
+			} else {
+				addInfoMessage("Sling Referrer Filter is configured on [%s]", instanceName);
+				return true;
+			}
+		} else {
+			addErrorMessage("Cannot get Sling Referrer Filter configuration from [%s]", instanceName);
+			return false;
+		}
+	}
+}
diff --git a/src/main/resources/test_suite.properties b/src/main/resources/test_suite.properties
@@ -17,3 +17,4 @@ com.cognifide.secureaem.tests.ReplicationTransportUsersTest, replication-transpo
 com.cognifide.secureaem.tests.BundlesTest, crx-development-bundles
 com.cognifide.secureaem.tests.BundlesTest, sling-development-bundle
 com.cognifide.secureaem.tests.ErrorHandlerTest, error-handler
+com.cognifide.secureaem.tests.SlingReferrerFilterTest, sling-referrer-filter