public void CheckIfRestRequest_Cookie_WhenAjaxCSRFTokenIsValid_ThenGetRequestShouldBeAjax()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.QueryString.Add("xtags-token", validToken);
httpContextInfo.Cookies.Add(new HttpCookie("a"));
httpContextInfo.Cookies["a"].Value = validToken;
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: (context, isAjax) =>
{
Assert.IsTrue(isAjax);
Assert.AreEqual(context.xTag.Id, "a");
}, useCsrfCookies: true), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.IsTrue(responseText.StartsWith("(function(){"));
Assert.IsTrue(responseText.Contains("'a'"));
Assert.IsTrue(responseText.Contains("'" + httpContextInfo.PageUri() + "'"));
Assert.IsTrue(responseText.EndsWith("})();"));
Assert.AreEqual(result.ContentType, "text/plain");
}
internal bool FilterHttpContext (HttpContextInfo ctx)
{
if (ChannelDispatcher == null)
return true; // no mex can be involved.
if (ctx.Request.HttpMethod.ToUpper () != "GET")
return !ChannelDispatcher.IsMex; // non-GET request never matches mex channel dispatcher.
var sme = ChannelDispatcher.Host.Extensions.Find<ServiceMetadataExtension> ();
if (sme == null)
return true; // no mex can be involved.
var listener = ChannelDispatcher.Listener;
var mex = sme.Instance;
// now the request is GET, and we have to return true or false based on the matrix below:
// matches wsdl or help| yes | no |
// mex | yes | no | yes | no |
// --------------------+-----+----+-----+----+
// | T | F | F | T |
bool match =
(mex.WsdlUrl != null && Uri.Compare (ctx.Request.Url, mex.WsdlUrl, cmpflag, fmtflag, StringComparison.Ordinal) == 0) ||
(mex.HelpUrl != null && Uri.Compare (ctx.Request.Url, mex.HelpUrl, cmpflag, fmtflag, StringComparison.Ordinal) == 0);
return !(match ^ ChannelDispatcher.IsMex);
}
HttpChannelListenerEntry SelectChannel (HttpContextInfo ctx)
{
foreach (var e in Entries)
if (e.FilterHttpContext (ctx))
return e;
return null;
}
public void CheckIfRestRequest_Cookies_WhenAjaxCSRFTokenInvalid_ThenTokenShouldBeSentFirst()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.QueryString.Add("xtags-token", "Invalid token");
httpContextInfo.Cookies.Add(new HttpCookie("a"));
httpContextInfo.Cookies["a"].Value = "Invalid";
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: EmptyGetHandler, useCsrfCookies: true), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.IsTrue(responseText.StartsWith("{\"xtags-renew-token\":\""));
Assert.IsTrue(responseText.EndsWith("\"}"));
Assert.AreEqual(result.ContentType, "text/plain");
Assert.AreEqual(result.ResponseCookies["a"].Value, responseText.Replace("{\"xtags-renew-token\":\"", string.Empty).Replace("\"}", string.Empty));
}
public void ProcessNewContext (HttpContextInfo ctxi)
{
var ce = SelectChannel (ctxi);
if (ce == null)
throw new InvalidOperationException ("HttpListenerContext does not match any of the registered channels");
ce.ContextQueue.Enqueue (ctxi);
ce.WaitHandle.Set ();
}
public void SaveTag_Session_WhenTagIsSaved_ThenIsLoadedAgain()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' modetype='session'><data type='text/name-value' name='test'><![CDATA[starting value]]></data></template></r>");
var persistedValue = "New value";
var httpContextInfo = new HttpContextInfo();
var xTagContext = new xContext(httpContextInfo).Do(new LoadLibrary(doc)).Do(new CreateTag("template"));
xTagContext.xTag.Data["test"] = persistedValue;
xTagContext.Do(new SaveTag());
var xTagContext2 = new xContext(httpContextInfo).Do(new LoadLibrary(doc)).Do(new CreateTag("template")).Do(new LoadTag());
Assert.AreEqual(xTagContext2.xTag.Data["test"], persistedValue);
}
public bool TryDequeueRequest (ChannelDispatcher channel, TimeSpan timeout, out HttpContextInfo context)
{
DateTime start = DateTime.Now;
context = null;
var ce = Entries.FirstOrDefault (e => e.ChannelDispatcher == channel);
if (ce == null)
return false;
lock (ce.RetrieverLock) {
var q = ce.ContextQueue;
if (q.Count == 0) {
bool ret = ce.WaitHandle.WaitOne (timeout);
return ret && TryDequeueRequest (channel, timeout - (DateTime.Now - start), out context); // recurse, am lazy :/
}
context = q.Dequeue ();
return true;
}
}
public bool TryDequeueRequest (ChannelDispatcher channel, TimeSpan timeout, out HttpContextInfo context)
{
DateTime start = DateTime.Now;
context = null;
HttpChannelListenerEntry ce = null;
lock (entries_lock) {
ce = Entries.FirstOrDefault (e => e.ChannelDispatcher == channel);
}
if (ce == null)
return false;
lock (ce.RetrieverLock) {
var q = ce.ContextQueue;
if (q.Count == 0) {
if (timeout.TotalMilliseconds < 0) return false;
TimeSpan waitTimeout = timeout;
if (timeout == TimeSpan.MaxValue)
waitTimeout = TimeSpan.FromMilliseconds (int.MaxValue);
bool ret = ce.WaitHandle.WaitOne (waitTimeout);
return ret && TryDequeueRequest (channel, waitTimeout - (DateTime.Now - start), out context); // recurse, am lazy :/
}
context = q.Dequeue ();
return true;
}
}
public void CheckIfRestRequest_WhenRequestBeenSendForNotAServerTemplate_ThenNormaHtmlShouldBeProcessed()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' /></r>");
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.AreEqual(responseText, "<div id='a'></div>");
}
public void CheckIfRestRequest_WhenAjaxSentWithoutCSRFTokenWhenCSRFIsDisabled_ThenNormalAjaxRequest()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='b' mode='Server' /></r>");
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "b");
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: (context, isAjax) =>
{
Assert.IsTrue(isAjax);
Assert.AreEqual(context.xTag.Id, "b");
}, csrfProtectionEnabled: false), new RenderHtml());
Assert.AreEqual(result.ContentType, "text/plain");
Assert.IsNull(httpContextInfo.Session("b"));
Assert.IsNull(result.ResponseCookies["b"]);
}
public void CheckIfRestRequest_Session_WhenAjaxIsValidValuesOnlyRequest_ThenJsonResponseRendered()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.QueryString.Add("xtags-token", validToken);
httpContextInfo.QueryString.Add("callback", "callbackMethod");
httpContextInfo.QueryString.Add("xtags-values-only", "xtags-values-only");
httpContextInfo.Session("a", validToken);
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: (context, isAjax) =>
{
Assert.IsTrue(isAjax);
Assert.AreEqual(context.xTag.Id, "a");
}), new RenderHtml());
var responseText = result.ResponseText.ToString();
var json = JsonConvert.DeserializeObject(responseText);
Assert.AreEqual(result.ContentType, "text/plain");
}
public void CheckIfRestRequest_Session_WhenAjaxHasCallback_ThenJsonpResponseRendered()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-xajax", "xtags-xajax");
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.QueryString.Add("xtags-token", validToken);
httpContextInfo.QueryString.Add("callback", "callbackMethod");
httpContextInfo.Session("a", validToken);
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: (context, isAjax) =>
{
Assert.IsTrue(isAjax);
Assert.AreEqual(context.xTag.Id, "a");
}), new RenderHtml())
.Do(new RenderJsonpIfRequested());
var responseText = result.ResponseText.ToString();
Assert.IsTrue(responseText.StartsWith("callbackMethod(\"(function(){"));
Assert.IsTrue(responseText.Contains("'a'"));
Assert.IsTrue(responseText.Contains("'" + httpContextInfo.PageUri() + "'"));
Assert.IsTrue(responseText.EndsWith("})();\");"));
Assert.AreEqual(result.ContentType, "text/javascript");
}
public void CheckIfRestRequest_FormPost_WhenCSRFTokenIsValidButValuesAreMixedBetweenFormAndQuerystring_ThenTheHandlerShouldNotBeExecuted()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo(httpMethod: "POST");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.Form.Add("xtags-token", validToken);
httpContextInfo.Session("a", validToken);
var isMethodCalled = false;
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onPost: (tag, isAjax) =>
{
isMethodCalled = true;
}), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.AreEqual(responseText, "<div id='a'></div>");
Assert.AreEqual(result.ContentType, "text/html");
Assert.IsFalse(isMethodCalled);
}
public void CheckIfRestRequest_FormPost_WhenAjaxCSRFTokenIsValid_ThenGetRequestShouldBeAjax()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo(httpMethod: "POST");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.Form.Add("xtags-token", validToken);
httpContextInfo.Session("a", validToken);
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onPost: (context, isAjax) =>
{
Assert.IsFalse(isAjax);
Assert.AreEqual(context.xTag.Id, "a");
}), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.AreEqual(responseText, "<div id='a'></div>");
Assert.AreEqual(result.ContentType, "text/html");
}
public void CheckIfRestRequest_FormGet_WhenAjaxCSRFTokenInvalid_ThenServerGetIsNotRequestedAndJustRenderResponse()
{
var doc = new XmlDocument();
doc.LoadXml("<r><template id='a' mode='Server' /></r>");
var validToken = "valid-token";
var httpContextInfo = new HttpContextInfo();
httpContextInfo.QueryString.Add("xtags-http-method", "GET");
httpContextInfo.QueryString.Add("xtags-id", "a");
httpContextInfo.QueryString.Add("xtags-token", validToken);
httpContextInfo.Session("a", "invalid-token");
var isMethodCalled = false;
var result =
new xContext(httpContextInfo)
.Do(new LoadLibrary(doc))
.Do(new CreateTag("template"))
.DoFirst(x => x != null, new CheckIfRestRequest(onGet: (tag, isAjax) =>
{
isMethodCalled = true;
}), new RenderHtml());
var responseText = result.ResponseText.ToString();
Assert.AreEqual(responseText, "<div id='a'></div>");
Assert.AreEqual(result.ContentType, "text/html");
Assert.IsFalse(isMethodCalled);
}
