diff --git a/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
index 5a39c20cab54..e314aec50269 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
@@ -31,15 +31,15 @@ Feature: auth
 | /ocs/v2.php/privatedata/deleteattribute/testing/test |
 | /ocs/v1.php/privatedata/setattribute/testing/test |
 | /ocs/v2.php/privatedata/setattribute/testing/test |
- Then the HTTP status code of responses on all endpoints should be "997"
- Then the OCS status code of responses on all endpoints should be "401"
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
 Scenario: send POST requests to OCS endpoints as normal user with wrong password
 When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
 | endpoint |
 | /ocs/v1.php/person/check |
- Then the HTTP status code of responses on all endpoints should be "101"
- Then the OCS status code of responses on all endpoints should be "200"
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "101"
 Scenario: send POST requests to OCS endpoints as normal user with wrong password
 When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
diff --git a/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
index 666d13c54c47..9597de528a84 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
@@ -10,29 +10,32 @@ Feature: auth
 @smokeTest @skipOnBruteForceProtection @issue-brute_force_protection-112
 Scenario: send PUT request to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "PUT" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | ocs-code | http-code | body |
- | /ocs/v1.php/cloud/users/%username% | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username% | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/disable | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/disable | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/enable | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/enable | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 997 | 401 | doesnotmatter |
+ When user "another-admin" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/disable |
+ | /ocs/v2.php/cloud/users/%username%/disable |
+ | /ocs/v1.php/cloud/users/%username%/enable |
+ | /ocs/v2.php/cloud/users/%username%/enable |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
 @skipOnOcV10 @issue-ocis-reva-30 @smokeTest
 #after fixing all issues delete this Scenario and use the one above
 Scenario: send PUT request to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "PUT" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /ocs/v1.php/cloud/users/%username% | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username% | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/disable | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/disable | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/enable | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/enable | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 401 | doesnotmatter |
+ When user "another-admin" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/disable |
+ | /ocs/v2.php/cloud/users/%username%/disable |
+ | /ocs/v1.php/cloud/users/%username%/enable |
+ | /ocs/v2.php/cloud/users/%username%/enable |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ Then the HTTP status code of responses on all endpoints should be "401"
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
index 133f8f719f72..148290a48d86 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
@@ -93,7 +93,7 @@ Feature: delete file/folder
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "DELETE" with body "doesnotmatter" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "DELETE" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
 | endpoint |
 | /remote.php/webdav/textfile0.txt |
 | /remote.php/dav/files/%username%/textfile1.txt |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
index 1b738aa70aae..8dc5a822da94 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
@@ -104,7 +104,7 @@ Feature: LOCK file/folder
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "LOCK" to get property "d:shared" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "LOCK" to get property "d:shared" using basic auth and generated app password about user "Alice"
 | endpoint |
 | /remote.php/webdav/textfile0.txt |
 | /remote.php/dav/files/%username%/textfile1.txt |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
index a177ff6be9f1..73aed4ef8a33 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
@@ -42,6 +42,10 @@ Feature: create folder using MKCOL
 | /remote.php/dav/files/%username%/PARENT/parent.txt |
 | /remote.php/dav/files/%username%/does-not-exist |
 Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "MKCOL" including body "" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/does-not-exist |
+ Then the HTTP status code of responses on all endpoints should be "409"
 Scenario: send MKCOL requests to webDav endpoints using invalid username but correct password
 When user "usero" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice"
@@ -94,7 +98,7 @@ Feature: create folder using MKCOL
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "MKCOL" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "MKCOL" using basic auth and generated app password about user "Alice"
 | endpoint |
 | /remote.php/webdav/newCol |
 | /remote.php/dav/files/%username%/newCol1 |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
index 38ae4031cc3d..daf1e07ef8dd 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
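Review bot: The added Brian step expects "409" for `/remote.php/dav/files/%username%/does-not-exist`, the same endpoint the table directly above expects "403" for, and nothing in the scenario says which difference in the request produces the other code. Because this checks one user acting on another user's files, a one-line comment above the new table would show that the 409 is the intended answer and not an accidental change in how another user's paths are answered, for example `# empty body: <reason the request is answered with 409 instead of 403>`. The same applies to the Brian step added in the first hunk of webDavPUTAuth.feature, which expects "404" for `PARENTS/parent.txt` right after a table that lists it under "403". The step that owns the table above the added lines starts outside both hunks, so its user and body are assumed here.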
@@ -103,7 +103,7 @@ Feature: MOVE file/folder
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "MOVE" with body "doesnotmatter" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "MOVE" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
 | endpoint |
 # The token was valid and accepted but the body is invalid so it gives 403
 | /remote.php/webdav/textfile0.txt |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
index 7e80578d9e71..a92a3cf5ce9e 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
@@ -94,7 +94,7 @@ Feature: get file info using POST
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "POST" with body "doesnotmatter" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "POST" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
 | endpoint |
 # this method is not available so gives 501
 | /remote.php/webdav/textfile0.txt |
@@ -102,3 +102,4 @@ Feature: get file info using POST
 | /remote.php/dav/files/%username%/PARENT/parent.txt |
 | /remote.php/webdav/PARENT |
 | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "501"
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
index 4c220e373999..87604993e635 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
@@ -103,7 +103,7 @@ Feature: get file info using PROPFIND
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "PROPFIND" to get property "d:getetag" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "PROPFIND" to get property "d:getetag" using basic auth and generated app password about user "Alice"
 | endpoint |
 | /remote.php/dav/files/%username%/textfile0.txt |
 | /remote.php/dav/files/%username%/PARENT |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
index 2d24db2c9669..da9fb0cf698d 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
@@ -94,7 +94,7 @@ Feature: PROPPATCH file/folder
 Given token auth has been enforced
 And a new browser session for "Alice" has been started
 And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "PROPPATCH" to set property "favorite" using the basic auth and generated app password about user "Alice"
+ When the user "Alice" requests these endpoints with "PROPPATCH" to set property "favorite" using basic auth and generated app password about user "Alice"
 | endpoint |
 | /remote.php/webdav/textfile0.txt |
 | /remote.php/dav/files/%username%/textfile1.txt |
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
index 1708ac8b396e..4da1ed16e721 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
@@ -42,6 +42,10 @@ Feature: get file info using PUT
 | /remote.php/dav/files/%username%/PARENTS |
 | /remote.php/dav/files/%username%/PARENTS/parent.txt |
 Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/PARENTS/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
 Scenario: send PUT requests to webDav endpoints using invalid username but correct password
 When user "usero" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice"
@@ -99,8 +103,13 @@ Feature: get file info using PUT
 | /remote.php/webdav/textfile0.txt |
 | /remote.php/dav/files/%username%/textfile1.txt |
 | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "204"
+ When the user "Alice" requests these endpoints with "PUT" with body "doesnotmatter" using the basic auth and generated app password about user "Alice"
+ # this folder is created, so gives 201 - CREATED
 | /remote.php/webdav/PARENS |
 | /remote.php/dav/files/%username%/FOLDERS |
+ Then the HTTP status code of responses on all endpoints should be "201"
+ When the user "Alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
 # this folder already exists so gives 409 - CONFLICT
 | /remote.php/dav/files/%username%/FOLDER |
- Then the HTTP status code of responses on all endpoints should be "204,201,409"
+ Then the HTTP status code of responses on all endpoints should be "409"
diff --git a/tests/acceptance/features/bootstrap/AuthContext.php b/tests/acceptance/features/bootstrap/AuthContext.php
index f17e3b715614..6771272c5fa3 100644
--- a/tests/acceptance/features/bootstrap/AuthContext.php
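Review bot: In the second webDavPUTAuth.feature hunk, the first added `When` of the app-password scenario still uses the old wording `using the basic auth and generated app password`, which this commit removes from the step definitions in AuthContext.php, so unless another definition still matches it the step will be undefined; it should read `... with body "doesnotmatter" using basic auth and generated app password about user "Alice"` like the second added `When`. Both added `When` steps are also followed by path rows with no `| endpoint |` header row, while every other table in this commit starts with that header; if the step reads rows by column name, the first path would be consumed as the header and the 201 and 409 checks would not exercise the endpoints they list. Adding `| endpoint |` under each new `When` keeps the three separate checks equivalent to the old "204,201,409" assertion. The scenario starts above the hunk, so the first `When` and its header row are not visible here.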
+++ b/tests/acceptance/features/bootstrap/AuthContext.php
@@ -229,7 +229,7 @@ public function userRequestsEndpointsWithBasicAuth($user, $method, TableNode $ta
 }
 /**
- * @When the user :user requests these endpoints with :method using the basic auth and generated app password about user :ofUser
+ * @When the user :user requests these endpoints with :method using basic auth and generated app password about user :ofUser
 *
 * @param string $user
 * @param string $method
@@ -244,7 +244,7 @@ public function userRequestsEndpointsWithBasicAuthAndGeneratedPassword($user, $m
 }
 /**
- * @When the user :user requests these endpoints with :method to (get|set) property :property using the basic auth and generated app password about user :ofUser
+ * @When the user :user requests these endpoints with :method to (get|set) property :property using basic auth and generated app password about user :ofUser
 *
 * @param string $user
 * @param string $method
@@ -264,7 +264,7 @@ public function userRequestsEndpointsWithBasicAuthAndGeneratedPasswordWithProper
 }
 /**
- * @When the user :user requests these endpoints with :method with body :body using the basic auth and generated app password about user :ofUser
+ * @When the user :user requests these endpoints with :method with body :body using basic auth and generated app password about user :ofUser
 *
 * @param string $user
 * @param string $method
diff --git a/tests/acceptance/features/bootstrap/WebDav.php b/tests/acceptance/features/bootstrap/WebDav.php
index 607430a7cba4..b4a83fff818a 100644
--- a/tests/acceptance/features/bootstrap/WebDav.php
+++ b/tests/acceptance/features/bootstrap/WebDav.php
@@ -1783,7 +1783,7 @@ public function theHTTPStatusCodeOfResponsesOnAllEndpointsShouldBe($statusCode)
 if (\count($duplicateRemovedStatusCodes) === 1) {
 Assert::assertSame(
 \intval($statusCode),
- $duplicateRemovedStatusCodes[0],
+ \intval($duplicateRemovedStatusCodes[0]),
 'Responses did not return expected http status code'
 );
 } else {
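Review bot: Wrapping the actual value in `\intval()` in the WebDav.php hunk lets the single-code check accept values that are not status codes: `null`, `""` or a non-numeric string become `0`, and a string such as `"401abc"` becomes `401`, so a response whose code could not be read is compared as a number instead of failing loudly. For steps that gate authentication behaviour it is safer to keep the comparison exact, e.g. `Assert::assertSame((string) $statusCode, (string) $duplicateRemovedStatusCodes[0], ...)`, or to assert `\is_numeric($duplicateRemovedStatusCodes[0])` before the cast. The same line is changed in theOCSStatusCodeOfResponsesOnAllEndpointsShouldBe in the next hunk. How `$duplicateRemovedStatusCodes` is built is outside both hunks, so its element type is assumed to be string or int.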
@@ -1804,7 +1804,7 @@ public function theOCSStatusCodeOfResponsesOnAllEndpointsShouldBe($statusCode) {
 if (\count($duplicateRemovedStatusCodes) === 1) {
 Assert::assertSame(
 \intval($statusCode),
- $duplicateRemovedStatusCodes[0],
+ \intval($duplicateRemovedStatusCodes[0]),
 'Responses did not return expected ocs status code'
 );
 } else {