Merge pull request #28864 from owncloud/OAuth2_App_enabled_with_CORS_fix

OAuth2 App enabled with CORS fix
owncloud · Aug 31, 2017 · c1df3d4 · c1df3d4
2 parents 0632ed4 + eca9c19
commit c1df3d4
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 146 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -81,35 +81,6 @@ public function __construct(IRequest $request,
 		$this->config = $config;
 	}
 
-	/**
-	 * This is being run in normal order before the controller is being
-	 * called which allows several modifications and checks
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @throws SecurityException
-	 * @since 6.0.0
-	 */
-	public function beforeController($controller, $methodName){
-		// ensure that @CORS annotated API routes are not used in conjunction
-		// with session authentication since this enables CSRF attack vectors
-		if ($this->reflector->hasAnnotation('CORS') &&
-			!$this->reflector->hasAnnotation('PublicPage'))  {
-			$user = $this->request->server['PHP_AUTH_USER'];
-			$pass = $this->request->server['PHP_AUTH_PW'];
-
-			$this->session->logout();
-			try {
-				if (!$this->session->logClientIn($user, $pass, $this->request)) {
-					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
-			}
-		}
-	}
-
 	/**
 	 * This is being run after a successful controllermethod call and allows
 	 * the manipulation of a Response object. The middleware is run in reverse order

diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -153,123 +153,6 @@ public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
 		$middleware->afterController($this, __FUNCTION__, $response);
 	}
 
-	/**
-	 * @CORS
-	 * @PublicPage
-	 */
-	public function testNoCORSShouldAllowCookieAuth() {
-		$request = new Request(
-			[],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
-		);
-		$this->reflector->reflect($this, __FUNCTION__);
-		$middleware = new CORSMiddleware(
-			$request,
-			$this->reflector,
-			$this->fakeSession,
-			$this->config
-		);
-		$this->session->expects($this->never())
-			->method('logout');
-		$this->session->expects($this->never())
-			->method('logClientIn')
-			->with($this->equalTo('user'), $this->equalTo('pass'))
-			->will($this->returnValue(true));
-		$this->reflector->reflect($this, __FUNCTION__);
-
-		$middleware->beforeController($this, __FUNCTION__, new Response());
-	}
-
-	/**
-	 * @CORS
-	 */
-	public function testCORSShouldRelogin() {
-		$request = new Request(
-			['server' => [
-				'PHP_AUTH_USER' => 'user',
-				'PHP_AUTH_PW' => 'pass'
-			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->config
-		);
-		$this->session->expects($this->once())
-			->method('logout');
-		$this->session->expects($this->once())
-			->method('logClientIn')
-			->with($this->equalTo('user'), $this->equalTo('pass'))
-			->will($this->returnValue(true));
-		$this->reflector->reflect($this, __FUNCTION__);
-		$middleware = new CORSMiddleware(
-			$request,
-			$this->reflector,
-			$this->session,
-			$this->config
-		);
-
-		$middleware->beforeController($this, __FUNCTION__, new Response());
-	}
-
-	/**
-	 * @CORS
-	 * @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
-	 */
-	public function testCORSShouldFailIfPasswordLoginIsForbidden() {
-		$request = new Request(
-			['server' => [
-				'PHP_AUTH_USER' => 'user',
-				'PHP_AUTH_PW' => 'pass'
-			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
-		);
-		$this->session->expects($this->once())
-			->method('logout');
-		$this->session->expects($this->once())
-			->method('logClientIn')
-			->with($this->equalTo('user'), $this->equalTo('pass'))
-			->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
-		$this->reflector->reflect($this, __FUNCTION__);
-		$middleware = new CORSMiddleware(
-			$request,
-			$this->reflector,
-			$this->session,
-			$this->config
-		);
-
-		$middleware->beforeController($this, __FUNCTION__, new Response());
-	}
-
-	/**
-	 * @CORS
-	 * @expectedException \OC\AppFramework\Middleware\Security\Exceptions\SecurityException
-	 */
-	public function testCORSShouldNotAllowCookieAuth() {
-		$request = new Request(
-			['server' => [
-				'PHP_AUTH_USER' => 'user',
-				'PHP_AUTH_PW' => 'pass'
-			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
-		);
-		$this->session->expects($this->once())
-			->method('logout');
-		$this->session->expects($this->once())
-			->method('logClientIn')
-			->with($this->equalTo('user'), $this->equalTo('pass'))
-			->will($this->returnValue(false));
-		$this->reflector->reflect($this, __FUNCTION__);
-		$middleware = new CORSMiddleware(
-			$request,
-			$this->reflector,
-			$this->session,
-			$this->config
-		);
-
-		$middleware->beforeController($this, __FUNCTION__, new Response());
-	}
-
 	public function testAfterExceptionWithSecurityExceptionNoStatus() {
 		$request = new Request(
 			['server' => [