From f6ec375be2dfa7f65949f9dbc3b0b6156151ba66 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 21 Sep 2023 16:49:22 +0200
Subject: [PATCH] Bug 36177: Add Cypress tests

Signed-off-by: David Nind
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
---
 cypress.config.ts                  |   5 +-
 t/cypress/integration/Auth/csrf.ts | 175 +++++++++++++++++++++++++++++
 2 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 t/cypress/integration/Auth/csrf.ts

diff --git a/cypress.config.ts b/cypress.config.ts
index 95d03d37e8..ace1bcb273 100644
--- a/cypress.config.ts
+++ b/cypress.config.ts
@@ -7,8 +7,11 @@ export default defineConfig({
     defaultCommandTimeout: 10000,
     e2e: {
+        setupNodeEvents(on, config) {
+            return require("./t/cypress/plugins/index.js")(on, config);
+        },
         experimentalStudio: true,
-        baseUrl: "http://kohadev-intra.mydnsname.org:8081",
+        baseUrl: "http://localhost:8081",
         specPattern: "t/cypress/integration/**/*.*",
         supportFile: "t/cypress/support/e2e.js",
         env: {
diff --git a/t/cypress/integration/Auth/csrf.ts b/t/cypress/integration/Auth/csrf.ts
new file mode 100644
index 0000000000..704218d3a6
--- /dev/null
+++ b/t/cypress/integration/Auth/csrf.ts
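Review bot: `setupNodeEvents` delegates to `./t/cypress/plugins/index.js`, which is not part of this commit, so the config gives no hint of what node-side tasks it registers; the new spec in t/cypress/integration/Auth/csrf.ts runs raw SQL through `cy.query`, which presumably is backed by a task from that file. A one-line comment above the method would help the next reader, e.g. `// Registers node-side tasks (e.g. the SQL task behind cy.query) from t/cypress/plugins/index.js.` The `require` inside a TypeScript config is the documented Cypress pattern and needs no change.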
@@ -0,0 +1,175 @@
+import { mount } from "@cypress/vue";
+
+const branchcode = "TEST_LIB";
+const branchname = "test_branchname";
+
+function cleanup() {
+    const sql = "DELETE FROM branches WHERE branchcode=?";
+    cy.query(sql, branchcode);
+}
+
+describe("CSRF", () => {
+    beforeEach(() => {
+        cleanup();
+        cy.login();
+        cy.title().should("eq", "Koha staff interface");
+    });
+
+    afterEach(() => {
+        cleanup();
+    });
+
+    it("Add using POST without csrf", () => {
+        cy.visit("/cgi-bin/koha/admin/branches.pl");
+
+        cy.get("#newbranch").click();
+        cy.get("#Aform").find("input[name='csrf_token']").invoke("remove");
+        cy.get("#branchcode").type(branchcode);
+        cy.get("#branchname").type(branchname);
+        cy.get("#Aform").contains("Submit").click();
+
+        cy.get(".main")
+            .find(".alert")
+            .contains(/No CSRF token passed for POST/);
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(0);
+        });
+    });
+
+    it("Add using POST with invalid csrf", () => {
+        cy.visit("/cgi-bin/koha/admin/branches.pl");
+
+        cy.get("#newbranch").click();
+        cy.get("#Aform").find("input[name='csrf_token']").invoke("val", "foo");
+        cy.get("#branchcode").type(branchcode);
+        cy.get("#branchname").type(branchname);
+        cy.get("#Aform").contains("Submit").click();
+
+        cy.get(".main")
+            .find(".alert")
+            .contains(/Wrong CSRF token/);
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(0);
+        });
+    });
+
+    it("Add using GET", () => {
+        // Trying correct op=cud-add_validate
+        cy.visit(
+            "/cgi-bin/koha/admin/branches.pl?op=cud-add_validate&branchcode=" +
+                branchcode +
+                "&branchname=" +
+                branchname,
+            { failOnStatusCode: false }
+        );
+
+        cy.get(".main")
+            .find(".alert")
+            .contains(
+                /Programming error - op 'cud-add_validate' must not start with 'cud-' for GET/
+            );
+
+        // Trying incorrect op=add_validate
+        cy.visit(
+            "/cgi-bin/koha/admin/branches.pl?op=add_validate&branchcode=" +
+                branchcode +
+                "&branchname=" +
+                branchname
+        );
+
+        // We do not display a message
+        // We do not want Wrong CSRF token here
+        cy.get(".message").should("not.exist");
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(0);
+        });
+    });
+
+    it("Add", () => {
+        cy.visit("/cgi-bin/koha/admin/branches.pl");
+
+        cy.get("#newbranch").click();
+        cy.get("#branchcode").type(branchcode);
+        cy.get("#branchname").type(branchname);
+        cy.get("#Aform").contains("Submit").click();
+
+        cy.get(".main")
+            .find(".message")
+            .contains(/Library added successfully/);
+
+        cy.get("select[name='libraries_length']").select("-1");
+        cy.get("td").contains(branchcode);
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(1);
+        });
+    });
+
+    it("Delete without CSRF", () => {
+        cy.query("INSERT INTO branches(branchcode, branchname) VALUES (?, ?)", [
+            branchcode,
+            branchname,
+        ]);
+
+        cy.visit("/cgi-bin/koha/admin/branches.pl");
+        cy.get("select[name='libraries_length']").select("-1");
+        cy.get("#delete_library_" + branchcode).click();
+
+        // Remove CSRF Token
+        cy.get("form[method='post']")
+            .find("input[name='csrf_token']")
+            .invoke("remove");
+
+        cy.contains("Yes, delete").click();
+
+        cy.get(".main")
+            .find(".alert")
+            .contains(/No CSRF token passed for POST/);
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(1);
+        });
+    });
+
+    it("Delete", () => {
+        cy.query("INSERT INTO branches(branchcode, branchname) VALUES (?, ?)", [
+            branchcode,
+            branchname,
+        ]);
+
+        cy.visit("/cgi-bin/koha/admin/branches.pl");
+        cy.get("select[name='libraries_length']").select("-1");
+        cy.get("#delete_library_" + branchcode).click();
+
+        cy.contains("Yes, delete").click();
+
+        cy.get(".main")
+            .find(".message")
+            .contains(/Library deleted successfully/);
+
+        cy.query(
+            "SELECT COUNT(*) as count FROM branches WHERE branchcode=?",
+            branchcode
+        ).then(result => {
+            expect(result[0].count).to.equal(0);
+        });
+    });
+});
-- 
2.39.5
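Review bot: In the "Add using GET" test the comment "We do not want Wrong CSRF token here" is not backed by an assertion: after the second `cy.visit` only `.message` is checked for absence, so a 'Wrong CSRF token' alert rendered in `.alert` would go unnoticed and the test would still pass. Add `cy.get(".main").find(".alert").should("not.exist");` (or, if `.main` can carry unrelated alerts, `cy.contains(/Wrong CSRF token/).should("not.exist");`) next to the existing `.message` check. Separately, `import { mount } from "@cypress/vue";` on the first line is never used in this spec and can be dropped. The query strings in that test are built by string concatenation; with the constant fixtures here that is harmless, but `new URLSearchParams({ op: "add_validate", branchcode, branchname })` would keep the encoding correct if the fixture values ever change.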