diff --git a/tests/acceptance/features/apiAuthOcs/ocsDELETEAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsDELETEAuth.feature
index a7aa37f89327..628ac752c688 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsDELETEAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsDELETEAuth.feature
@@ -8,45 +8,48 @@ Feature: auth
@smokeTest @issue-32068 @skipOnOcis @issue-ocis-reva-30 @issue-ocis-reva-65
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send DELETE requests to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "DELETE" using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 |
- | /ocs/v1.php/cloud/apps/testing | 997 | 401 |
- | /ocs/v2.php/cloud/apps/testing | 997 | 401 |
- | /ocs/v1.php/cloud/groups/group1 | 997 | 401 |
- | /ocs/v2.php/cloud/groups/group1 | 997 | 401 |
- | /ocs/v1.php/cloud/users/%username% | 997 | 401 |
- | /ocs/v2.php/cloud/users/%username% | 997 | 401 |
- | /ocs/v1.php/cloud/users/%username%/groups | 997 | 401 |
- | /ocs/v2.php/cloud/users/%username%/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users/%username%/subadmins | 997 | 401 |
- | /ocs/v2.php/cloud/users/%username%/subadmins | 997 | 401 |
+ When user "another-admin" requests these endpoints with "DELETE" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v1.php/cloud/apps/testing |
+ | /ocs/v2.php/cloud/apps/testing |
+ | /ocs/v1.php/cloud/groups/group1 |
+ | /ocs/v2.php/cloud/groups/group1 |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/groups |
+ | /ocs/v2.php/cloud/users/%username%/groups |
+ | /ocs/v1.php/cloud/users/%username%/subadmins |
+ | /ocs/v2.php/cloud/users/%username%/subadmins |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
@smokeTest @skipOnOcV10 @issue-ocis-reva-30 @issue-ocis-reva-65
#after fixing all issues delete this Scenario and use the one above
Scenario: send DELETE requests to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "DELETE" using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | 401 |
- | /ocs/v1.php/cloud/apps/testing | 401 |
- | /ocs/v2.php/cloud/apps/testing | 401 |
- | /ocs/v1.php/cloud/groups/group1 | 401 |
- | /ocs/v2.php/cloud/groups/group1 | 401 |
- | /ocs/v1.php/cloud/users/%username% | 401 |
- | /ocs/v2.php/cloud/users/%username% | 401 |
- | /ocs/v1.php/cloud/users/%username%/groups | 401 |
- | /ocs/v2.php/cloud/users/%username%/groups | 401 |
- | /ocs/v1.php/cloud/users/%username%/subadmins | 401 |
- | /ocs/v2.php/cloud/users/%username%/subadmins | 401 |
+ When user "another-admin" requests these endpoints with "DELETE" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v1.php/cloud/apps/testing |
+ | /ocs/v2.php/cloud/apps/testing |
+ | /ocs/v1.php/cloud/groups/group1 |
+ | /ocs/v2.php/cloud/groups/group1 |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/groups |
+ | /ocs/v2.php/cloud/users/%username%/groups |
+ | /ocs/v1.php/cloud/users/%username%/subadmins |
+ | /ocs/v2.php/cloud/users/%username%/subadmins |
+ Then the HTTP status code of responses on all endpoints should be "401"
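Review bot: The second assertion of the first scenario repeats the `Then` keyword (`Then the OCS status code of responses on all endpoints should be "997"`), while later hunks of this commit continue an assertion with `And`. Writing it as `And the OCS status code of responses on all endpoints should be "997"` keeps the steps consistent and makes it clear that both checks apply to the same batch of responses. The same `Then`/`Then` pairs appear in ocsGETAuth.feature, in "using OCS anonymously", in "ocs config end point accessible by unauthorized users" and in the ownCloud 10 variant of "using OCS with non-admin basic auth".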
diff --git a/tests/acceptance/features/apiAuthOcs/ocsGETAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsGETAuth.feature
index e2903d7c078a..2790e74d4feb 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsGETAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsGETAuth.feature
@@ -5,30 +5,42 @@ Feature: auth
Given user "Alice" has been created with default attributes and skeleton files
@issue-32068 @skipOnOcis
- @issue-ocis-reva-29
@issue-ocis-reva-30
@smokeTest
Scenario: using OCS anonymously
- When a user requests these endpoints with "GET" and no authentication then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 997 | 401 |
- | /ocs/v2.php/privatedata/getattribute | 997 | 401 |
+ When a user requests these endpoints with "GET" and no authentication
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
+
+ @issue-ocis-reva-29 @skipOnOcis
+ Scenario: ocs config end point accessible by unauthorized users
+ When a user requests these endpoints with "GET" and no authentication
+ | endpoint |
+ | /ocs/v1.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "100"
+ When a user requests these endpoints with "GET" and no authentication
+ | endpoint |
+ | /ocs/v2.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "200"
@skipOnOcV10
@issue-ocis-reva-29
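Review bot: The new scenario "ocs config end point accessible by unauthorized users" is tagged only `@issue-ocis-reva-29 @skipOnOcis`, so the anonymous checks for `/ocs/v1.php/config` and `/ocs/v2.php/config` lose the `@smokeTest` tag they ran under as rows of "using OCS anonymously". If the expectation that this endpoint answers 200 without credentials should stay in the smoke run, tag the scenario `@smokeTest @issue-ocis-reva-29 @skipOnOcis`. The title would also read more precisely as `Scenario: ocs config endpoint is accessible without authentication`, since the request carries no credentials at all.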
@@ -36,26 +48,27 @@ Feature: auth
@smokeTest
#after fixing all issues delete this Scenario and use the one above
Scenario: using OCS anonymously
- When a user requests these endpoints with "GET" and no authentication then the status codes should be as listed
- | endpoint | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 401 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 401 |
- | /ocs/v1.php/cloud/apps | 401 |
- | /ocs/v2.php/cloud/apps | 401 |
- | /ocs/v1.php/cloud/groups | 401 |
- | /ocs/v2.php/cloud/groups | 401 |
- | /ocs/v1.php/cloud/users | 401 |
- | /ocs/v2.php/cloud/users | 401 |
- | /ocs/v1.php/config | 401 |
- | /ocs/v2.php/config | 401 |
- | /ocs/v1.php/privatedata/getattribute | 401 |
- | /ocs/v2.php/privatedata/getattribute | 401 |
+ When a user requests these endpoints with "GET" and no authentication
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/config |
+ | /ocs/v2.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "401"
@issue-32068 @skipOnOcis
@issue-ocis-reva-11
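Review bot: The single `Then the HTTP status code of responses on all endpoints should be "401"` now stands in for twenty per-row expectations, so its strength depends entirely on the step definition, which this diff section does not show. For an authentication test it is worth confirming that the step fails when the collected response list is empty or shorter than the endpoint table, and that its failure message names the endpoint whose code differs. Otherwise a `When` step that stops recording responses could leave the 401 check passing with nothing verified. The same applies to every aggregate assertion introduced in this file and in ocsDELETEAuth.feature.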
@@ -66,26 +79,36 @@ Feature: auth
@issue-ocis-reva-34
@issue-ocis-reva-35
Scenario: using OCS with non-admin basic auth
- When the user "Alice" requests these endpoints with "GET" with basic auth then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 100 | 200 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 200 | 200 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 100 | 200 |
- | /ocs/v2.php/privatedata/getattribute | 200 | 200 |
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "100"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/config |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "200"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
@skipOnOcV10
@issue-ocis-reva-11
@@ -97,26 +120,49 @@ Feature: auth
@issue-ocis-reva-35
#after fixing all issues delete this Scenario and use the one above
Scenario: using OCS with non-admin basic auth
- When the user "Alice" requests these endpoints with "GET" with basic auth then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 998 | 200 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 998 | 404 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 998 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 998 | 404 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 998 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 998 | 404 |
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v1.php/cloud/apps |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "998"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v1.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
# | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |
# | /ocs/v2.php/apps/files_sharing/api/v1/shares | 100 | 200 |
- | /ocs/v1.php/cloud/apps | 998 | 200 |
- | /ocs/v2.php/cloud/apps | 998 | 404 |
- | /ocs/v1.php/cloud/groups | 998 | 200 |
- | /ocs/v2.php/cloud/groups | 998 | 404 |
- | /ocs/v1.php/cloud/users | 403 | 200 |
- | /ocs/v2.php/cloud/users | 403 | 403 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 998 | 200 |
- | /ocs/v2.php/privatedata/getattribute | 998 | 404 |
+
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "404"
+ And the OCS status code of responses on all endpoints should be "998"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v1.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "403"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "403"
+ And the OCS status code of responses on all endpoints should be "403"
+ When the user "Alice" requests these endpoints with "GET" with basic auth
+ | endpoint |
+ | /ocs/v2.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
@issue-32068 @skipOnOcis
@issue-ocis-reva-29
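Review bot: In the 404/998 group the data table is interrupted by the two carried-over commented rows (`# | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |` and its v2 twin) and by the added blank line before `| /ocs/v2.php/cloud/apps |`. Depending on how the Gherkin parser in use treats comments and empty lines inside a table, the three rows after the gap may not be attached to this `When` step. That would drop or break the checks for `/ocs/v2.php/cloud/apps`, `/ocs/v2.php/cloud/groups` and `/ocs/v2.php/privatedata/getattribute`. The commented rows also still use the old three-column layout, and one of them is a v1 endpoint sitting in a v2 group. I would move both comment lines above the first `When` of the scenario and delete the blank line so that the table is contiguous.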
@@ -124,26 +170,37 @@ Feature: auth
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: using OCS as normal user with wrong password
- When user "Alice" requests these endpoints with "GET" using password "invalid" then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 997 | 401 |
- | /ocs/v2.php/privatedata/getattribute | 997 | 401 |
+ When user "Alice" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ And the OCS status code of responses on all endpoints should be "997"
+ When user "Alice" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v1.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When user "Alice" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v2.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
+
@skipOnOcV10
@issue-ocis-reva-29
@@ -151,38 +208,45 @@ Feature: auth
@smokeTest
#after fixing all issues delete this Scenario and use the one above
Scenario: using OCS as normal user with wrong password
- When user "Alice" requests these endpoints with "GET" using password "invalid" then the status codes should be as listed
- | endpoint | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 401 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 401 |
- | /ocs/v1.php/cloud/apps | 401 |
- | /ocs/v2.php/cloud/apps | 401 |
- | /ocs/v1.php/cloud/groups | 401 |
- | /ocs/v2.php/cloud/groups | 401 |
- | /ocs/v1.php/cloud/users | 401 |
- | /ocs/v2.php/cloud/users | 401 |
- | /ocs/v1.php/config | 401 |
- | /ocs/v2.php/config | 401 |
- | /ocs/v1.php/privatedata/getattribute | 401 |
- | /ocs/v2.php/privatedata/getattribute | 401 |
+ When user "Alice" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/config |
+ | /ocs/v2.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis
@issue-ocis-reva-65
Scenario:using OCS with admin basic auth
- When the administrator requests these endpoint with "GET" then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/cloud/apps | 100 | 200 |
- | /ocs/v2.php/cloud/apps | 200 | 200 |
- | /ocs/v1.php/cloud/groups | 100 | 200 |
- | /ocs/v2.php/cloud/groups | 200 | 200 |
- | /ocs/v1.php/cloud/users | 100 | 200 |
- | /ocs/v2.php/cloud/users | 200 | 200 |
+ When the administrator requests these endpoint with "GET"
+ | endpoint |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When the administrator requests these endpoint with "GET"
+ | endpoint |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
@skipOnOcis
@issue-ocis-reva-65
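Review bot: The rewritten admin step still reads `the administrator requests these endpoint with "GET"`, singular, while every other request step in this file says `these endpoints`. Since the step text changes in this commit anyway, `When the administrator requests these endpoints with "GET"` would be consistent, provided the matching step definition (not shown in this diff section) is renamed with it. The context line `Scenario:using OCS with admin basic auth` is also missing the space after the colon.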
@@ -190,98 +254,141 @@ Feature: auth
Scenario: using OCS as admin user with wrong password
Given user "another-admin" has been created with default attributes and without skeleton files
And user "another-admin" has been added to group "admin"
- When user "another-admin" requests these endpoints with "GET" using password "invalid" then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 997 | 401 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 997 | 401 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 997 | 401 |
- | /ocs/v2.php/privatedata/getattribute | 997 | 401 |
+ When user "another-admin" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/privatedata/getattribute |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ And the OCS status code of responses on all endpoints should be "997"
+ When user "another-admin" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v1.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When user "another-admin" requests these endpoints with "GET" using password "invalid"
+ | endpoint |
+ | /ocs/v2.php/config |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
+
@skipOnOcis
@issue-ocis-reva-28
Scenario: using OCS with token auth of a normal user
Given a new client token for "Alice" has been generated
- When user "Alice" requests these endpoints with "GET" using basic token auth then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 100 | 200 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 200 | 200 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 100 | 200 |
- | /ocs/v2.php/privatedata/getattribute | 200 | 200 |
+ When user "Alice" requests these endpoints with "GET" using basic token auth
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When user "Alice" requests these endpoints with "GET" using basic token auth
+ | endpoint |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/config |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
+ When user "Alice" requests these endpoints with "GET" using basic token auth
+ | endpoint |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ And the OCS status code of responses on all endpoints should be "997"
@skipOnOcis
Scenario: using OCS with browser session of normal user
Given a new browser session for "Alice" has been started
- When the user requests these endpoints with "GET" using a new browser session then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 100 | 200 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 200 | 200 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 100 | 200 |
- | /ocs/v2.php/privatedata/getattribute | 200 | 200 |
+ When the user requests these endpoints with "GET" using a new browser session
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+ When the user requests these endpoints with "GET" using a new browser session
+ | endpoint |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/config |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
+ When the user requests these endpoints with "GET" using a new browser session
+ | endpoint |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ And the OCS status code of responses on all endpoints should be "997"
+
@skipOnOcis
@issue-ocis-reva-60
Scenario: using OCS with an app password of a normal user
Given a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "GET" using the generated app password then the status codes should be as listed
- | endpoint | ocs-code | http-code |
- | /ocs/v1.php/apps/files_external/api/v1/mounts | 100 | 200 |
- | /ocs/v2.php/apps/files_external/api/v1/mounts | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 100 | 200 |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 200 | 200 |
- | /ocs/v1.php/cloud/apps | 997 | 401 |
- | /ocs/v2.php/cloud/apps | 997 | 401 |
- | /ocs/v1.php/cloud/groups | 997 | 401 |
- | /ocs/v2.php/cloud/groups | 997 | 401 |
- | /ocs/v1.php/cloud/users | 997 | 401 |
- | /ocs/v2.php/cloud/users | 997 | 401 |
- | /ocs/v1.php/config | 100 | 200 |
- | /ocs/v2.php/config | 200 | 200 |
- | /ocs/v1.php/privatedata/getattribute | 100 | 200 |
- | /ocs/v2.php/privatedata/getattribute | 200 | 200 |
+ When the user requests these endpoints with "GET" using the generated app password
+ | endpoint |
+ | /ocs/v1.php/apps/files_external/api/v1/mounts |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/config |
+ | /ocs/v1.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "100"
+
+ When the user requests these endpoints with "GET" using the generated app password
+ | endpoint |
+ | /ocs/v2.php/apps/files_external/api/v1/mounts |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/config |
+ | /ocs/v2.php/privatedata/getattribute |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ And the OCS status code of responses on all endpoints should be "200"
+ When the user requests these endpoints with "GET" using the generated app password
+ | endpoint |
+ | /ocs/v1.php/cloud/apps |
+ | /ocs/v2.php/cloud/apps |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ And the OCS status code of responses on all endpoints should be "997"
diff --git a/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
index 10d670fb9cbc..603598f88c7d 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsPOSTAuth.feature
@@ -9,57 +9,69 @@ Feature: auth
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send POST requests to OCS endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "POST" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | ocs-code | http-code | body |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/apps/testing | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/apps/testing | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/groups | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/groups | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/groups | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/groups | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/subadmins | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/subadmins | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/person/check | 101 | 200 | doesnotmatter |
- | /ocs/v2.php/person/check | 400 | 400 | doesnotmatter |
- | /ocs/v1.php/privatedata/deleteattribute/testing/test | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/privatedata/deleteattribute/testing/test | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/privatedata/setattribute/testing/test | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/privatedata/setattribute/testing/test | 997 | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v1.php/cloud/apps/testing |
+ | /ocs/v2.php/cloud/apps/testing |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/cloud/users/%username%/groups |
+ | /ocs/v2.php/cloud/users/%username%/groups |
+ | /ocs/v1.php/cloud/users/%username%/subadmins |
+ | /ocs/v2.php/cloud/users/%username%/subadmins |
+ | /ocs/v1.php/privatedata/deleteattribute/testing/test |
+ | /ocs/v2.php/privatedata/deleteattribute/testing/test |
+ | /ocs/v1.php/privatedata/setattribute/testing/test |
+ | /ocs/v2.php/privatedata/setattribute/testing/test |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/person/check |
+ Then the HTTP status code of responses on all endpoints should be "200"
+ Then the OCS status code of responses on all endpoints should be "101"
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v2.php/person/check |
+ Then the HTTP status code of responses on all endpoints should be "400"
+ Then the OCS status code of responses on all endpoints should be "400"
+
@skipOnOcV10
@issue-ocis-reva-30
@smokeTest
#after fixing all issues delete this Scenario and use the one above
Scenario: send POST requests to OCS endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "POST" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/apps/testing | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/apps/testing | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/groups | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/groups | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/groups | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/groups | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/subadmins | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/subadmins | 401 | doesnotmatter |
- | /ocs/v1.php/person/check | 401 | doesnotmatter |
- | /ocs/v2.php/person/check | 401 | doesnotmatter |
- | /ocs/v1.php/privatedata/deleteattribute/testing/test | 401 | doesnotmatter |
- | /ocs/v2.php/privatedata/deleteattribute/testing/test | 401 | doesnotmatter |
- | /ocs/v1.php/privatedata/setattribute/testing/test | 401 | doesnotmatter |
- | /ocs/v2.php/privatedata/setattribute/testing/test | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending/123 |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/pending/123 |
+ | /ocs/v1.php/cloud/apps/testing |
+ | /ocs/v2.php/cloud/apps/testing |
+ | /ocs/v1.php/cloud/groups |
+ | /ocs/v2.php/cloud/groups |
+ | /ocs/v1.php/cloud/users |
+ | /ocs/v2.php/cloud/users |
+ | /ocs/v1.php/cloud/users/%username%/groups |
+ | /ocs/v2.php/cloud/users/%username%/groups |
+ | /ocs/v1.php/cloud/users/%username%/subadmins |
+ | /ocs/v2.php/cloud/users/%username%/subadmins |
+ | /ocs/v1.php/person/check |
+ | /ocs/v2.php/person/check |
+ | /ocs/v1.php/privatedata/deleteattribute/testing/test |
+ | /ocs/v2.php/privatedata/deleteattribute/testing/test |
+ | /ocs/v1.php/privatedata/setattribute/testing/test |
+ | /ocs/v2.php/privatedata/setattribute/testing/test |
+ Then the HTTP status code of responses on all endpoints should be "401"
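Review bot: The two `person/check` groups at the end of the first scenario expect a wrong password to yield 200/101 on v1 and 400/400 on v2, and nothing in the feature says why these endpoints are exempt from the 401/997 that every other endpoint returns. Now that they sit in their own When/Then groups, a one-line comment above them would stop a later reader from treating the non-401 result as a mistake or copying it to other endpoints: `# person/check answers without a 401 even when the password is wrong; expected codes differ per OCS version`. The second scenario in this hunk expects 401 for the same two endpoints, so the comment should also name the issue that tracks the difference, if one exists. Separately, the second assertion of each group is written `Then the OCS status code …` here and in the ocsPUTAuth.feature hunk, while the GET feature uses `And`; `And the OCS status code of responses on all endpoints should be "997"` reads better.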
diff --git a/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature b/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
index 666d13c54c47..9597de528a84 100644
--- a/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
+++ b/tests/acceptance/features/apiAuthOcs/ocsPUTAuth.feature
@@ -10,29 +10,32 @@ Feature: auth
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PUT request to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "PUT" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | ocs-code | http-code | body |
- | /ocs/v1.php/cloud/users/%username% | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username% | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/disable | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/disable | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/enable | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/enable | 997 | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 | 997 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 997 | 401 | doesnotmatter |
+ When user "another-admin" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/disable |
+ | /ocs/v2.php/cloud/users/%username%/disable |
+ | /ocs/v1.php/cloud/users/%username%/enable |
+ | /ocs/v2.php/cloud/users/%username%/enable |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ Then the HTTP status code of responses on all endpoints should be "401"
+ Then the OCS status code of responses on all endpoints should be "997"
@skipOnOcV10
@issue-ocis-reva-30
@smokeTest
#after fixing all issues delete this Scenario and use the one above
Scenario: send PUT request to OCS endpoints as admin with wrong password
- When user "another-admin" requests these endpoints with "PUT" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /ocs/v1.php/cloud/users/%username% | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username% | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/disable | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/disable | 401 | doesnotmatter |
- | /ocs/v1.php/cloud/users/%username%/enable | 401 | doesnotmatter |
- | /ocs/v2.php/cloud/users/%username%/enable | 401 | doesnotmatter |
- | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 | 401 | doesnotmatter |
- | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 | 401 | doesnotmatter |
+ When user "another-admin" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /ocs/v1.php/cloud/users/%username% |
+ | /ocs/v2.php/cloud/users/%username% |
+ | /ocs/v1.php/cloud/users/%username%/disable |
+ | /ocs/v2.php/cloud/users/%username%/disable |
+ | /ocs/v1.php/cloud/users/%username%/enable |
+ | /ocs/v2.php/cloud/users/%username%/enable |
+ | /ocs/v1.php/apps/files_sharing/api/v1/shares/123 |
+ | /ocs/v2.php/apps/files_sharing/api/v1/shares/123 |
+ Then the HTTP status code of responses on all endpoints should be "401"
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
index e72e2b2c13c8..148290a48d86 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
@@ -13,83 +13,91 @@ Feature: delete file/folder
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send DELETE requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "DELETE" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send DELETE requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "DELETE" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "DELETE" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-13
Scenario: send DELETE requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "DELETE" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 404 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 404 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 404 | doesnotmatter |
+ When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
@smokeTest
Scenario: send DELETE requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "DELETE" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send DELETE requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "DELETE" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "DELETE" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send DELETE requests to webDav endpoints without any authentication
- When a user requests these endpoints with "DELETE" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "DELETE" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-60
Scenario: send DELETE requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "DELETE" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "DELETE" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-60
Scenario: send DELETE requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "DELETE" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 204 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile1.txt | 204 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 204 | doesnotmatter |
- | /remote.php/webdav/PARENT | 204 | doesnotmatter |
- | /remote.php/dav/files/%username%/FOLDER | 204 | doesnotmatter |
+ When the user "Alice" requests these endpoints with "DELETE" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "204"
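Review bot: Every rejected-DELETE scenario in this hunk (wrong password, no password, another user, invalid username, wrong user's password, no authentication, token auth) stops at the status-code assertion, so a server that answers 401 or 404 but still removes the resource would pass. For a destructive method, the check worth adding after each `Then the HTTP status code … "401"` or `"404"` line is that the target is still there for its owner, for example `And as "Alice" file "/textfile0.txt" should exist`, using whatever existence step the suite already defines. The step wording also drifts inside the file: most steps say `including body "doesnotmatter"`, while the no-authentication and basic-auth steps say `with body "doesnotmatter"`; one phrasing would make the step definitions easier to find.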
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
index d570be892d27..3557947a7c8e 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavLOCKAuth.feature
@@ -13,93 +13,105 @@ Feature: LOCK file/folder
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send LOCK requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "LOCK" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "LOCK" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send LOCK requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "LOCK" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "LOCK" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-9
Scenario: send LOCK requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "LOCK" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 403 | |
- | /remote.php/dav/files/%username%/PARENT | 403 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 404 | |
+ When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
@skipOnOcV10 @issue-ocis-reva-9
#after fixing all issues delete this Scenario and use the one above
Scenario: send LOCK requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "LOCK" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 200 | |
- | /remote.php/dav/files/%username%/PARENT | 200 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 200 | |
+ When user "Brian" requests these endpoints with "LOCK" to get property "d:shared" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "200"
Scenario: send LOCK requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "LOCK" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send LOCK requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "LOCK" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "LOCK" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send LOCK requests to webDav endpoints without any authentication
- When a user requests these endpoints with "LOCK" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "LOCK" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send LOCK requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "LOCK" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "LOCK" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send LOCK requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "LOCK" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 200 | |
- | /remote.php/dav/files/%username%/textfile1.txt | 200 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 200 | |
- | /remote.php/webdav/PARENT | 200 | |
- | /remote.php/dav/files/%username%/FOLDER | 200 | |
+ When the user "Alice" requests these endpoints with "LOCK" to get property "d:shared" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "200"
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
index d41b8546225f..f1dff1e4066e 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavMKCOLAuth.feature
@@ -12,85 +12,96 @@ Feature: create folder using MKCOL
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MKCOL requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "MKCOL" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "MKCOL" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MKCOL requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "MKCOL" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "MKCOL" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-9 @issue-ocis-reva-197
Scenario: send MKCOL requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "MKCOL" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 403 | |
- | /remote.php/dav/files/%username%/PARENT | 403 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 409 | |
- | /remote.php/dav/files/%username%/does-not-exist | 403 | |
+ When user "Brian" requests these endpoints with "MKCOL" including body "" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/does-not-exist |
+ Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "MKCOL" including body "" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "409"
Scenario: send MKCOL requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "MKCOL" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send MKCOL requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "MKCOL" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "MKCOL" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MKCOL requests to webDav endpoints without any authentication
- When a user requests these endpoints with "MKCOL" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "MKCOL" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send MKCOL requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "MKCOL" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "MKCOL" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send MKCOL requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "MKCOL" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/newCol | 201 |
- | /remote.php/dav/files/%username%/newCol1 | 201 |
- | /remote.php/dav/files/%username%/PARENT/newCol | 201 |
- | /remote.php/webdav/COL | 201 |
- | /remote.php/dav/files/%username%/FOLDER/newCol | 201 |
+ When the user "Alice" requests these endpoints with "MKCOL" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/newCol |
+ | /remote.php/dav/files/%username%/newCol1 |
+ | /remote.php/dav/files/%username%/PARENT/newCol |
+ | /remote.php/webdav/COL |
+ | /remote.php/dav/files/%username%/FOLDER/newCol |
+ Then the HTTP status code of responses on all endpoints should be "201"
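Review bot: The cross-user scenario ("send MKCOL requests to another user's webDav endpoints as normal user") now chains two When/Then pairs, and the second `Then ... should be "409"` only holds if the response list starts empty on each `When`. The step definitions are not part of this hunk, so that is unverified here; if responses accumulate, the 409 check would also see the three earlier 403 responses. Moving the `PARENT/parent.txt` case into its own scenario removes that dependency. The status check alone also does not show that the rejected MKCOL created nothing: a follow-up such as `And as "Alice" folder "does-not-exist" should not exist` after the 403 assertion would cover it, assuming the suite provides that step.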
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
index 56eb4d6b5808..daf1e07ef8dd 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
@@ -12,94 +12,103 @@ Feature: MOVE file/folder
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MOVE requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "MOVE" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "MOVE" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MOVE requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "MOVE" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "MOVE" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-14
Scenario: send MOVE requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "MOVE" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 403 | doesnotmatter |
+ When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "403"
@skipOnOcV10 @issue-ocis-reva-14
#after fixing all issues delete this Scenario and use the one above
Scenario: send MOVE requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "MOVE" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 400 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 400 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 400 | doesnotmatter |
+ When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "400"
Scenario: send MOVE requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "MOVE" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send MOVE requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "MOVE" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "MOVE" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send MOVE requests to webDav endpoints without any authentication
- When a user requests these endpoints with "MOVE" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "MOVE" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send MOVE requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "MOVE" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "MOVE" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send MOVE requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "MOVE" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
+ When the user "Alice" requests these endpoints with "MOVE" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
# The token was valid and accepted but the body is invalid so it gives 403
- | /remote.php/webdav/textfile0.txt | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile1.txt | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 403 | doesnotmatter |
- | /remote.php/webdav/PARENT | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/FOLDER | 403 | doesnotmatter |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "403"
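Review bot: In the last scenario the comment `# The token was valid and accepted but the body is invalid so it gives 403` is now stranded between the `| endpoint |` header and the first row, while the 403 it explains has moved to the `Then` step after the table. I would move it to the line directly above `Then the HTTP status code of responses on all endpoints should be "403"`. The same applies to `# this method is not available so gives 501` in the webDavPOSTAuth.feature hunk. Separately, 403 is also the status the cross-user scenario in this file expects, so this scenario shows that the app password was accepted only by the absence of a 401. A well-formed MOVE that is expected to succeed would be stronger evidence that basic auth with the app password works.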
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
index cbc5df0ff01d..a92a3cf5ce9e 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPOSTAuth.feature
@@ -13,85 +13,93 @@ Feature: get file info using POST
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send POST requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "POST" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send POST requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "POST" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "POST" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-179
Scenario: send POST requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "POST" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile1.txt | 404 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENTS | 404 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENTS/parent.txt | 404 | doesnotmatter |
+ When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENTS |
+ | /remote.php/dav/files/%username%/PARENTS/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
Scenario: send POST requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "POST" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send POST requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "POST" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "POST" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send POST requests to webDav endpoints without any authentication
- When a user requests these endpoints with "POST" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "POST" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send POST requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "POST" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "POST" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send POST requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "POST" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
+ When the user "Alice" requests these endpoints with "POST" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
# this method is not available so gives 501
- | /remote.php/webdav/textfile0.txt | 501 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile1.txt | 501 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 501 | doesnotmatter |
- | /remote.php/webdav/PARENT | 501 | doesnotmatter |
- | /remote.php/dav/files/%username%/FOLDER | 501 | doesnotmatter |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "501"
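Review bot: The cross-user scenario ("send POST requests to another user's webDav endpoints as normal user") requests `PARENTS` and `PARENTS/parent.txt`, while every other table in this hunk uses `PARENT`. If Alice has no `PARENTS` folder, the owner would get 404 for these paths as well, so the assertion says nothing about isolation between users. The rows are carried over unchanged from the old table, and whether `PARENTS` was intentional is not visible from the diff. I would use `| /remote.php/dav/files/%username%/PARENT |` and `| /remote.php/dav/files/%username%/PARENT/parent.txt |` so the 404 is asserted for the same resources the other scenarios use.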
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
index 87a4a0275566..87604993e635 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPFINDAuth.feature
@@ -12,93 +12,102 @@ Feature: get file info using PROPFIND
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPFIND requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "PROPFIND" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PROPFIND" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPFIND requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "PROPFIND" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PROPFIND" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-9
Scenario: send PROPFIND requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "PROPFIND" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 404 | |
- | /remote.php/dav/files/%username%/PARENT | 404 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 404 | |
+ When user "Brian" requests these endpoints with "PROPFIND" to get property "d:getetag" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
@skipOnOcV10 @issue-ocis-reva-9 @skipOnOcis-EOS-Storage @issue-ocis-reva-303
#after fixing all issues delete this Scenario and use the one above
Scenario: send PROPFIND requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "PROPFIND" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 207 | |
- | /remote.php/dav/files/%username%/PARENT | 207 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 207 | |
+ When user "Brian" requests these endpoints with "PROPFIND" to get property "d:getetag" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "207"
Scenario: send PROPFIND requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "PROPFIND" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send PROPFIND requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "PROPFIND" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "PROPFIND" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPFIND requests to webDav endpoints without any authentication
- When a user requests these endpoints with "PROPFIND" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "PROPFIND" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PROPFIND requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "PROPFIND" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "PROPFIND" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PROPFIND requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "PROPFIND" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 207 | |
- | /remote.php/dav/files/%username%/PARENT | 207 | |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 207 | |
- | /remote.php/webdav/PARENT | 207 | |
- | /remote.php/webdav/textfile0.txt | 207 | |
+ When the user "Alice" requests these endpoints with "PROPFIND" to get property "d:getetag" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/webdav/textfile0.txt |
+ Then the HTTP status code of responses on all endpoints should be "207"
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
index 60a26c0d7c8a..da9fb0cf698d 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPROPPATCHAuth.feature
@@ -13,84 +13,92 @@ Feature: PROPPATCH file/folder
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPPATCH requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "PROPPATCH" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPPATCH requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "PROPPATCH" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-9 @issue-ocis-reva-197
Scenario: send PROPPATCH requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "PROPPATCH" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile0.txt | 404 | 1 |
- | /remote.php/dav/files/%username%/PARENT | 404 | 1 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 404 | 1 |
+ When user "Brian" requests these endpoints with "PROPPATCH" to set property "favorite" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
Scenario: send PROPPATCH requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "PROPPATCH" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send PROPPATCH requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "PROPPATCH" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PROPPATCH requests to webDav endpoints without any authentication
- When a user requests these endpoints with "PROPPATCH" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "PROPPATCH" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PROPPATCH requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "PROPPATCH" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "PROPPATCH" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PROPPATCH requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "PROPPATCH" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 207 | 1 |
- | /remote.php/dav/files/%username%/textfile1.txt | 207 | 1 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 207 | 1 |
- | /remote.php/webdav/PARENT | 207 | 1 |
- | /remote.php/dav/files/%username%/FOLDER | 207 | 1 |
+ When the user "Alice" requests these endpoints with "PROPPATCH" to set property "favorite" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "207"
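Review bot: The app-password scenario at the end of this hunk only shows that the request was accepted, because a WebDAV PROPPATCH answers 207 Multi-Status even when the individual property update is refused inside the response body. The step `to set property "favorite"` followed by `should be "207"` would therefore still pass if the favorite property was rejected in a propstat element. Consider a further Then step that checks the per-property status in the multistatus body, or at least a comment such as `# 207 only confirms the request was authenticated; the per-property result is in the response body`. The Background that prepares these files is outside the hunk.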
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
index 6e47de38444e..43e5882c0609 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavPUTAuth.feature
@@ -13,86 +13,104 @@ Feature: get file info using PUT
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PUT requests to webDav endpoints as normal user with wrong password
- When user "Alice" requests these endpoints with "PUT" including body using password "invalid" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "invalid" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PUT requests to webDav endpoints as normal user with no password
- When user "Alice" requests these endpoints with "PUT" including body using password "" then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Alice" requests these endpoints with "PUT" including body "doesnotmatter" using password "" about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-9 @issue-ocis-reva-197
Scenario: send PUT requests to another user's webDav endpoints as normal user
- When user "Brian" requests these endpoints with "PUT" including body then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/dav/files/%username%/textfile1.txt | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENTS | 403 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENTS/parent.txt | 404 | doesnotmatter |
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENTS |
+ Then the HTTP status code of responses on all endpoints should be "403"
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" about user "Alice"
+ | endpoint |
+ | /remote.php/dav/files/%username%/PARENTS/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "404"
Scenario: send PUT requests to webDav endpoints using invalid username but correct password
- When user "usero" requests these endpoints with "PUT" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "usero" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
Scenario: send PUT requests to webDav endpoints using valid password and username of different user
- When user "Brian" requests these endpoints with "PUT" including body using the password of user "Alice" then the status codes should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When user "Brian" requests these endpoints with "PUT" including body "doesnotmatter" using the password of user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@smokeTest
@skipOnBruteForceProtection @issue-brute_force_protection-112
Scenario: send PUT requests to webDav endpoints without any authentication
- When a user requests these endpoints with "PUT" and no authentication then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 | doesnotmatter |
- | /remote.php/webdav/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT | 401 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 | doesnotmatter |
+ When a user requests these endpoints with "PUT" with body "doesnotmatter" and no authentication about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PUT requests to webDav endpoints using token authentication should not work
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user requests these endpoints with "PUT" using the generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code |
- | /remote.php/webdav/textfile0.txt | 401 |
- | /remote.php/dav/files/%username%/textfile0.txt | 401 |
- | /remote.php/webdav/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT | 401 |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 401 |
+ When the user requests these endpoints with "PUT" using the generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile0.txt |
+ | /remote.php/webdav/PARENT |
+ | /remote.php/dav/files/%username%/PARENT |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "401"
@skipOnOcis @issue-ocis-reva-37
Scenario: send PUT requests to webDav endpoints using app password token as password
Given token auth has been enforced
And a new browser session for "Alice" has been started
And the user has generated a new app password named "my-client"
- When the user "Alice" requests these endpoints with "PUT" using the basic auth and generated app password then the status codes about user "Alice" should be as listed
- | endpoint | http-code | body |
- | /remote.php/webdav/textfile0.txt | 204 | doesnotmatter |
- | /remote.php/dav/files/%username%/textfile1.txt | 204 | doesnotmatter |
- | /remote.php/dav/files/%username%/PARENT/parent.txt | 204 | doesnotmatter |
- | /remote.php/webdav/PARENS | 201 | doesnotmatter |
- | /remote.php/dav/files/%username%/FOLDERS | 201 | doesnotmatter |
+ When the user "Alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ | /remote.php/webdav/textfile0.txt |
+ | /remote.php/dav/files/%username%/textfile1.txt |
+ | /remote.php/dav/files/%username%/PARENT/parent.txt |
+ Then the HTTP status code of responses on all endpoints should be "204"
+ When the user "Alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
+ # this folder is created, so gives 201 - CREATED
+ | /remote.php/webdav/PARENS |
+ | /remote.php/dav/files/%username%/FOLDERS |
+ Then the HTTP status code of responses on all endpoints should be "201"
+ When the user "Alice" requests these endpoints with "PUT" with body "doesnotmatter" using basic auth and generated app password about user "Alice"
+ | endpoint |
# this folder already exists so gives 409 - CONFLICT
- | /remote.php/dav/files/%username%/FOLDER | 409 | doesnotmatter |
+ | /remote.php/dav/files/%username%/FOLDER |
+ Then the HTTP status code of responses on all endpoints should be "409"
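Review bot: The rejected-write scenarios in this hunk (wrong password, no password, another user's files, no authentication, bare app password) assert only the 401/403/404 status code, so they would still pass if the server stored the `doesnotmatter` body before answering with an error. For a write method it is worth following at least one of these Then steps with a check that the content of `textfile0.txt` is unchanged, using whichever content-assertion step the suite already provides. Separately, the added comment `# this folder is created, so gives 201 - CREATED` sits above a PUT with a body, which presumably creates a file rather than a folder; `# these resources do not exist yet, so PUT creates them - 201 CREATED` would read more accurately. The Background that sets up the files is outside the hunk.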
diff --git a/tests/acceptance/features/bootstrap/AuthContext.php b/tests/acceptance/features/bootstrap/AuthContext.php
index 19df2ba62812..9367b2e326cf 100644
--- a/tests/acceptance/features/bootstrap/AuthContext.php
+++ b/tests/acceptance/features/bootstrap/AuthContext.php
@@ -170,31 +170,32 @@ public function verifyStatusCode($ocsCode, $httpCode, $endPoint) {
}
/**
- * @When a user requests these endpoints with :method and no authentication then the status codes about user :user should be as listed
+ * @When a user requests these endpoints with :method with body :body and no authentication about user :user
*
* @param string $method
- * @param string $user
+ * @param string $body
+ * @param string $ofUser
* @param TableNode $table
*
* @return void
* @throws Exception
*/
- public function userRequestsEndpointsWithNoAuthThenStatusCodeAboutUser($method, $user, TableNode $table) {
- $user = \strtolower($this->featureContext->getActualUsername($user));
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code', 'body']);
+ public function userRequestsEndpointsWithBodyAndNoAuthThenStatusCodeAboutUser($method, $body, $ofUser, TableNode $table) {
+ $ofUser = \strtolower($this->featureContext->getActualUsername($ofUser));
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
- $row['endpoint'], $user
+ $row['endpoint'], $ofUser
);
- $body = $row['body'] ?? null;
$this->sendRequest($row['endpoint'], $method, null, false, $body);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
}
}
/**
- * @When a user requests these endpoints with :method and no authentication then the status codes should be as listed
+ * @When a user requests these endpoints with :method and no authentication
*
* @param string $method
* @param TableNode $table
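Review bot: The rewritten `userRequestsEndpointsWithBodyAndNoAuthThenStatusCodeAboutUser` pushes each status code without first clearing the collected codes, while `userRequestsEndpointsWithNoAuthentication` in the next hunk calls `emptyLastOCSStatusCodesArray()` and `emptyLastHTTPStatusCodesArray()` before its loop. If nothing else resets the array between steps (not visible here), a scenario with more than one When/Then pair would have its later Then compare against codes left over from earlier requests. Adding `$this->featureContext->emptyLastHTTPStatusCodesArray();` before the `foreach` would make the two steps consistent. The method name also still ends in `ThenStatusCodeAboutUser` although the method no longer verifies anything.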
@@ -203,17 +204,24 @@ public function userRequestsEndpointsWithNoAuthThenStatusCodeAboutUser($method,
* @throws Exception
*/
public function userRequestsEndpointsWithNoAuthentication($method, TableNode $table) {
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code', 'body']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastOCSStatusCodesArray();
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
foreach ($table->getHash() as $row) {
- $body = $row['body'] ?? null;
- $this->sendRequest($row['endpoint'], $method, null, false, $body);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->sendRequest($row['endpoint'], $method);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
/**
- * @When the user :user requests these endpoints with :method with basic auth then the status codes should be as listed
+ * @When the user :user requests these endpoints with :method with basic auth
*
* @param string $user
* @param string $method
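Review bot: `userRequestsEndpointsWithNoAuthentication` now calls `getOCSResponseStatusCode()` on every response, whereas the removed code passed an OCS code to `verifyStatusCode` only when the table had an `ocs-code` column and presumably skipped the comparison otherwise. How that helper behaves on a response that is not an OCS document is not visible in this hunk, so a feature using this step against a non-OCS endpoint may now fail in the When step instead of in an assertion. The docblock could state the restriction, e.g. `* Only for OCS endpoints: each response is parsed for its OCS status code.` The step also no longer sends a request body, which deserves a line in the docblock as well.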
@@ -228,7 +236,7 @@ public function userRequestsEndpointsWithBasicAuth($user, $method, TableNode $ta
}
/**
- * @When the user :user requests these endpoints with :method using the basic auth and generated app password then the status codes about user :ofUser should be as listed
+ * @When the user :user requests these endpoints with :method using basic auth and generated app password about user :ofUser
*
* @param string $user
* @param string $method
@@ -239,49 +247,85 @@ public function userRequestsEndpointsWithBasicAuth($user, $method, TableNode $ta
* @throws Exception
*/
public function userRequestsEndpointsWithBasicAuthAndGeneratedPassword($user, $method, $ofUser, TableNode $table) {
- $user = $this->featureContext->getActualUsername($user);
- $ofUser = \strtolower($this->featureContext->getActualUsername($ofUser));
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['body', 'ocs-code']);
- foreach ($table->getHash() as $row) {
- $row['endpoint'] = $this->featureContext->substituteInLineCodes(
- $row['endpoint'], $ofUser
- );
- $body = $row['body'] ?? null;
- $this->userRequestsURLWithUsingBasicAuth($user, $row['endpoint'], $method, $this->appToken, $body);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
- }
+ $this->requestEndpointsWithBasicAuthAndGeneratedPassword($user, $method, $ofUser, $table);
}
/**
- * @When user :user requests these endpoints with :method using password :password then the status codes about user :ofUser should be as listed
+ * @When /^the user "([^"]*)" requests these endpoints with "([^"]*)" to (?:get|set) property "([^"]*)" using basic auth and generated app password about user "([^"]*)"$/
*
* @param string $user
* @param string $method
- * @param string $password
+ * @param string $property
* @param string $ofUser
* @param TableNode $table
*
* @return void
* @throws Exception
*/
- public function userRequestsEndpointsWithPasswordThenStatusCodeAboutUser($user, $method, $password, $ofUser, TableNode $table) {
+ public function userRequestsEndpointsWithBasicAuthAndGeneratedPasswordWithProperty(
+ $user, $method, $property, $ofUser, TableNode $table
+ ) {
+ $this->requestEndpointsWithBasicAuthAndGeneratedPassword(
+ $user, $method, $ofUser, $table, null, $property
+ );
+ }
+
+ /**
+ * @When the user :user requests these endpoints with :method with body :body using basic auth and generated app password about user :ofUser
+ *
+ * @param string $user
+ * @param string $method
+ * @param string $body
+ * @param string $ofUser
+ * @param TableNode $table
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function userRequestsEndpointsWithBasicAuthAndGeneratedPasswordWithBody(
+ $user, $method, $body, $ofUser, TableNode $table
+ ) {
+ $this->requestEndpointsWithBasicAuthAndGeneratedPassword(
+ $user, $method, $ofUser, $table, $body
+ );
+ }
+
+ /**
+ * @param string $user requesting user
+ * @param string $method http method
+ * @param string $ofUser resource owner
+ * @param TableNode $table endpoints table
+ * @param string|null $body body for request
+ * @param string|null $property property to get
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function requestEndpointsWithBasicAuthAndGeneratedPassword(
+ $user, $method, $ofUser, TableNode $table, $body = null, $property = null
+ ) {
$user = $this->featureContext->getActualUsername($user);
$ofUser = \strtolower($this->featureContext->getActualUsername($ofUser));
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code', 'body']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ if ($body === null && $property !== null) {
+ $body = $this->featureContext->getBodyForOCSRequest($method, $property);
+ }
+
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
$row['endpoint'], $ofUser
);
- $body = $row['body'] ?? null;
- $ocsCode = $row['ocs-code'] ?? null;
- $this->userRequestsURLWithUsingBasicAuth($user, $row['endpoint'], $method, $password, $body);
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->userRequestsURLWithUsingBasicAuth($user, $row['endpoint'], $method, $this->appToken, $body);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
}
}
/**
- * @When user :user requests these endpoints with :method using password :password then the status codes should be as listed
+ * @When user :user requests these endpoints with :method using password :password
*
* @param string $user
* @param string $method
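Review bot: `requestEndpointsWithBasicAuthAndGeneratedPassword` resets only the HTTP list, so OCS codes recorded by an earlier When step in the same scenario are still in place when a following `the OCS status code of responses on all endpoints should be` step runs, and that step would then be judged on another request's results. Add `$this->featureContext->emptyLastOCSStatusCodesArray();` next to the HTTP reset, even though this helper pushes no OCS codes, so the Then step sees an empty list instead of stale data; the hunk for `userRequestsEndpointsUsingTheGeneratedAppPasswordThenStatusCodeAboutUser` has the same gap. The second `verifyTableNodeColumns($table, ['endpoint'])` call just before the loop repeats the first and can be dropped.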
@@ -293,17 +337,24 @@ public function userRequestsEndpointsWithPasswordThenStatusCodeAboutUser($user,
*/
public function userRequestsEndpointsWithPassword($user, $method, $password, TableNode $table) {
$user = $this->featureContext->getActualUsername($user);
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code', 'body']);
+ $this->featureContext->emptyLastOCSStatusCodesArray();
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
foreach ($table->getHash() as $row) {
- $body = $row['body'] ?? null;
- $ocsCode = $row['ocs-code'] ?? null;
- $this->userRequestsURLWithUsingBasicAuth($user, $row['endpoint'], $method, $password, $body);
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->userRequestsURLWithUsingBasicAuth($user, $row['endpoint'], $method, $password);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
/**
- * @When the administrator requests these endpoint with :method then the status codes should be as listed
+ * @When the administrator requests these endpoint with :method
*
* @param string $method
* @param TableNode $table
@@ -316,7 +367,7 @@ public function adminRequestsEndpoint($method, TableNode $table) {
}
/**
- * @When the administrator requests these endpoints with :method using password :password then the status codes should be as listed
+ * @When the administrator requests these endpoints with :method using password :password
*
* @param string $method
* @param string $password
@@ -330,20 +381,28 @@ public function adminRequestsEndpointsWithPassword(
$password,
TableNode $table
) {
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
foreach ($table->getHash() as $row) {
$this->administratorRequestsURLWithUsingBasicAuth(
$row['endpoint'],
$method,
$password
);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
/**
- * @When user :user requests these endpoints with :method using basic token auth then the status codes should be as listed
+ * @When user :user requests these endpoints with :method using basic token auth
*
* @param string $user
* @param string $method
@@ -354,16 +413,24 @@ public function adminRequestsEndpointsWithPassword(
*/
public function whenUserWithNewClientTokenRequestsForEndpointUsingBasicTokenAuth($user, $method, TableNode $table) {
$user = $this->featureContext->getActualUsername($user);
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
foreach ($table->getHash() as $row) {
- $ocsCode = $row['ocs-code'] ?? null;
$this->userRequestsURLWithUsingBasicTokenAuth($user, $row['endpoint'], $method);
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
/**
- * @When the user requests these endpoints with :method using a new browser session then the status codes should be as listed
+ * @When the user requests these endpoints with :method using a new browser session
*
* @param string $method
* @param TableNode $table
@@ -372,16 +439,24 @@ public function whenUserWithNewClientTokenRequestsForEndpointUsingBasicTokenAuth
* @throws Exception
*/
public function userRequestsTheseEndpointsUsingNewBrowserSession($method, TableNode $table) {
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
foreach ($table->getHash() as $row) {
- $ocsCode = $row['ocs-code'] ?? null;
$this->userRequestsURLWithBrowserSession($row['endpoint'], $method);
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
/**
- * @When the user requests these endpoints with :method using the generated app password then the status codes about user :user should be as listed
+ * @When the user requests these endpoints with :method using the generated app password about user :user
*
* @param string $method
* @param string $user
@@ -392,19 +467,21 @@ public function userRequestsTheseEndpointsUsingNewBrowserSession($method, TableN
*/
public function userRequestsEndpointsUsingTheGeneratedAppPasswordThenStatusCodeAboutUser($method, $user, TableNode $table) {
$user = \strtolower($this->featureContext->getActualUsername($user));
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
$row['endpoint'], $user
);
$this->userRequestsURLWithUsingAppPassword($row['endpoint'], $method);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
}
}
/**
- * @When the user requests these endpoints with :method using the generated app password then the status codes should be as listed
+ * @When the user requests these endpoints with :method using the generated app password
*
* @param string $method
* @param TableNode $table
@@ -413,11 +490,19 @@ public function userRequestsEndpointsUsingTheGeneratedAppPasswordThenStatusCodeA
* @throws Exception
*/
public function userRequestsEndpointsUsingTheGeneratedAppPassword($method, TableNode $table) {
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
foreach ($table->getHash() as $row) {
$this->userRequestsURLWithUsingAppPassword($row['endpoint'], $method);
- $ocsCode = $row['ocs-code'] ?? null;
- $this->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->featureContext->ocsContext->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
}
}
@@ -576,6 +661,7 @@ public function aNewClientTokenForTheAdministratorHasBeenGenerated() {
* @param string $body
*
* @return void
+ * @throws Exception
*/
public function userRequestsURLWithUsingBasicAuth($user, $url, $method, $password = null, $body = null) {
$userRenamed = $this->featureContext->getActualUsername($user);
@@ -602,6 +688,7 @@ public function userRequestsURLWithUsingBasicAuth($user, $url, $method, $passwor
* @param string $body
*
* @return void
+ * @throws Exception
*/
public function userHasRequestedURLWithUsingBasicAuth(
$user, $url, $method, $password = null, $body = null
@@ -620,6 +707,7 @@ public function userHasRequestedURLWithUsingBasicAuth(
* @param string $password
*
* @return void
+ * @throws Exception
*/
public function administratorRequestsURLWithUsingBasicAuth($url, $method, $password = null) {
$this->userRequestsURLWithUsingBasicAuth(
diff --git a/tests/acceptance/features/bootstrap/FeatureContext.php b/tests/acceptance/features/bootstrap/FeatureContext.php
index 2e045595fab6..6f264c342dec 100644
--- a/tests/acceptance/features/bootstrap/FeatureContext.php
+++ b/tests/acceptance/features/bootstrap/FeatureContext.php
@@ -275,6 +275,46 @@ class FeatureContext extends BehatVariablesContext {
* @var string stderr of last command
*/
private $lastStdErr;
+ /**
+ * @var array last http status codes
+ */
+ private $lastHttpStatusCodesArray = [];
+ /**
+ * @var array last ocs status codes
+ */
+ private $lastOCSStatusCodesArray = [];
+
+ /**
+ * @param $httpStatusCode
+ *
+ * @return void
+ */
+ public function pushToLastHttpStatusCodesArray($httpStatusCode) {
+ \array_push($this->lastHttpStatusCodesArray, $httpStatusCode);
+ }
+
+ /**
+ * @return void
+ */
+ public function emptyLastHTTPStatusCodesArray() {
+ $this->lastHttpStatusCodesArray = [];
+ }
+
+ /**
+ * @return void
+ */
+ public function emptyLastOCSStatusCodesArray() {
+ $this->lastOCSStatusCodesArray = [];
+ }
+ /**
+ * @param $ocsStatusCode
+ *
+ * @return void
+ */
+ public function pushToLastOcsCodesArray($ocsStatusCode) {
+ \array_push($this->lastOCSStatusCodesArray, $ocsStatusCode);
+ }
+
/*
* @var Ldap
*/
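Review bot: The four accessors mix casings and word order (`pushToLastHttpStatusCodesArray` / `emptyLastHTTPStatusCodesArray` and `pushToLastOcsCodesArray` / `emptyLastOCSStatusCodesArray`), which makes the pairs hard to find by search and easy to mistype in the step files. Pick one spelling per pair, and give the untyped `@param $httpStatusCode` and `@param $ocsStatusCode` tags a type and description, e.g. `@param int|string $httpStatusCode status code of the last response` (the exact type depends on what the response helpers return, which this hunk does not show). A one-line comment on each property saying that it is filled by the `requests these endpoints` When steps and read by the `on all endpoints should be` Then steps would document the coupling.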
@@ -3533,6 +3573,31 @@ public function getTrustedServers($server = 'LOCAL') {
}
}
+ /**
+ * @param string $method http request method
+ * @param string $property property in form d:getetag
+ * if property is `doesnotmatter` body is also set `doesnotmatter`
+ *
+ * @return string
+ */
+ public function getBodyForOCSRequest($method, $property) {
+ $body = null;
+ if ($method === 'PROPFIND') {
+ $body = '<' . $property . '/>';
+ } elseif ($method === 'LOCK') {
+ $body = " <" . $property . " />";
+ } elseif ($method === 'PROPPATCH') {
+ if ($property === 'favorite') {
+ $property = '1';
+ }
+ $body = '' . $property . '';
+ }
+ if ($property === '') {
+ $body = '';
+ }
+ return $body;
+ }
+
/**
* @BeforeScenario
*
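Review bot: The docblock of `getBodyForOCSRequest` does not match the body in two places. `@return string` should be `@return string|null`, because `$body` starts as `null` and stays `null` for any method other than PROPFIND, LOCK and PROPPATCH. The sentence about `doesnotmatter` describes a case the visible code has no branch for, while the branch that is there (`$property === ''` yields an empty body) is undocumented. Suggested wording: `@param string $property property in form d:getetag; an empty string yields an empty body`.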
diff --git a/tests/acceptance/features/bootstrap/OCSContext.php b/tests/acceptance/features/bootstrap/OCSContext.php
index 035bab57fa5b..9facd6c0a6b9 100644
--- a/tests/acceptance/features/bootstrap/OCSContext.php
+++ b/tests/acceptance/features/bootstrap/OCSContext.php
@@ -431,62 +431,65 @@ public function theAdministratorSendsHttpMethodToOcsApiWithBodyAndPassword(
}
/**
- * @When the administrator requests these endpoints with :method with body using password :password then the status codes should be as listed
+ * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" with body using password "([^"]*)"$/
*
- * @param string $method
+ * @param string $user
+ * @param string $verb
+ * @param string $url
* @param string $password
- * @param TableNode $table
+ * @param TableNode $body
*
* @return void
*/
- public function administratorSendsRequestToTheseEndpointsWithPassword(
- $method,
- $password,
- TableNode $table
+ public function userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword(
+ $user, $verb, $url, $password, $body
) {
- $admin = $this->featureContext->getAdminUsername();
- $this->userSendsRequestToTheseEndpointsWithBodyUsingPassword(
- $admin,
- $method,
- $password,
- $table
+ $this->userSendsHTTPMethodToOcsApiEndpointWithBody(
+ $user, $verb, $url, $body, $password
);
}
/**
- * @When /^user "([^"]*)" sends HTTP method "([^"]*)" to OCS API endpoint "([^"]*)" with body using password "([^"]*)"$/
+ * @When user :user requests these endpoints with :method using password :password about user :ofUser
*
* @param string $user
- * @param string $verb
- * @param string $url
+ * @param string $method
* @param string $password
- * @param TableNode $body
+ * @param string $ofUser
+ * @param TableNode $table
*
* @return void
+ * @throws \Exception
*/
- public function userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword(
- $user, $verb, $url, $password, $body
+ public function userSendsRequestToTheseEndpointsWithOutBodyUsingPassword(
+ $user, $method, $password, $ofUser, TableNode $table
) {
- $this->userSendsHTTPMethodToOcsApiEndpointWithBody(
- $user, $verb, $url, $body, $password
+ $this->userSendsRequestToTheseEndpointsWithBodyUsingPassword(
+ $user, $method, null, $password, $ofUser, $table
);
}
/**
- * @When user :user requests these endpoints with :method including body using password :password then the status codes about user :ofUser should be as listed
+ * @When user :user requests these endpoints with :method including body :body using password :password about user :ofUser
*
* @param string $user
* @param string $method
+ * @param string $body
* @param string $password
* @param string $ofUser
* @param TableNode $table
*
* @return void
+ * @throws \Exception
*/
- public function userSendsRequestToTheseEndpointsWithBodyUsingPassword($user, $method, $password, $ofUser, TableNode $table) {
+ public function userSendsRequestToTheseEndpointsWithBodyUsingPassword(
+ $user, $method, $body, $password, $ofUser, TableNode $table
+ ) {
$user = $this->featureContext->getActualUsername($user);
$ofUser = $this->featureContext->getActualUsername($ofUser);
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code', 'body'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
$row['endpoint'], $ofUser
@@ -496,31 +499,81 @@ public function userSendsRequestToTheseEndpointsWithBodyUsingPassword($user, $me
$row['endpoint'],
$method,
$password,
- $row['body']
+ $body
);
- $ocsCode = null;
- if (\array_key_exists('ocs-code', $row)) {
- $ocsCode = $row['ocs-code'];
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
+ );
+ try {
+ $this->featureContext->pushToLastOcsCodesArray(
+ $this->getOCSResponseStatusCode(
+ $this->featureContext->getResponse()
+ )
+ );
+ } catch (Exception $exception) {
+ // do nothing if ocs code is not found
}
- $this->featureContext->authContext->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
}
}
/**
- * @When user :user requests these endpoints with :method including body then the status codes about user :ofUser should be as listed
+ * @When user :user requests these endpoints with :method including body :body about user :ofUser
*
* @param string $user
* @param string $method
+ * @param string $body
* @param string $ofUser
* @param TableNode $table
*
* @return void
* @throws Exception
*/
- public function userSendsRequestToTheseEndpointsWithBody($user, $method, $ofUser, TableNode $table) {
+ public function userSendsRequestToTheseEndpointsWithBody($user, $method, $body, $ofUser, TableNode $table) {
+ $this->sendRequestToTheseEndpointsAsNormalUser(
+ $user, $method, $ofUser, $table, $body
+ );
+ }
+
+ /**
+ * @When /^user "([^"]*)" requests these endpoints with "([^"]*)" to (?:get|set) property "([^"]*)" about user "([^"]*)"$/
+ *
+ * @param string $user
+ * @param string $method
+ * @param string $property
+ * @param string $ofUser
+ * @param TableNode $table
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function userSendsRequestToTheseEndpointsWithProperty($user, $method, $property, $ofUser, TableNode $table) {
+ $this->sendRequestToTheseEndpointsAsNormalUser(
+ $user, $method, $ofUser, $table, null, $property
+ );
+ }
+
+ /**
+ * @param string $user
+ * @param string $method
+ * @param string $ofUser
+ * @param TableNode $table
+ * @param string|null $body
+ * @param string|null $property
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function sendRequestToTheseEndpointsAsNormalUser(
+ $user, $method, $ofUser, $table, $body = null, $property = null
+ ) {
$user = $this->featureContext->getActualUsername($user);
$ofUser = $this->featureContext->getActualUsername($ofUser);
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code', 'body'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
+ $this->featureContext->emptyLastHTTPStatusCodesArray();
+ $this->featureContext->emptyLastOCSStatusCodesArray();
+ if (!$body && $property) {
+ $body = $this->featureContext->getBodyForOCSRequest($method, $property);
+ }
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
$row['endpoint'], $ofUser
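Review bot: The `try`/`catch` around `pushToLastOcsCodesArray` in the loop of `userSendsRequestToTheseEndpointsWithBodyUsingPassword` (the function starts in the previous hunk) silently skips any endpoint whose response carries no OCS status, so the OCS list can be shorter than the endpoint table. The Then step only checks that the recorded codes are all equal, so a scenario expecting a given OCS code on every endpoint still passes when some endpoints returned no OCS envelope at all. Record a placeholder instead of skipping, for example `$this->featureContext->pushToLastOcsCodesArray(null);` inside the `catch`, so that a missing code shows up as a mismatch. Separately, `if (!$body && $property)` in `sendRequestToTheseEndpointsAsNormalUser` treats `''` and `'0'` as absent, unlike the `=== null` / `!== null` test in the AuthContext helper.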
@@ -530,30 +583,30 @@ public function userSendsRequestToTheseEndpointsWithBody($user, $method, $ofUser
$row['endpoint'],
$method,
$this->featureContext->getPasswordForUser($user),
- $row['body']
+ $body
+ );
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
);
- $ocsCode = null;
- if (\array_key_exists('ocs-code', $row)) {
- $ocsCode = $row['ocs-code'];
- }
- $this->featureContext->authContext->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
}
}
/**
- * @When user :asUser requests these endpoints with :method including body using the password of user :user then the status codes should be as listed
+ * @When user :asUser requests these endpoints with :method including body :body using the password of user :user
*
* @param string $asUser
* @param string $method
+ * @param string $body
* @param string $user
* @param TableNode $table
*
* @return void
+ * @throws Exception
*/
- public function userRequestsTheseEndpointsWithUsingThePasswordOfUser($asUser, $method, $user, TableNode $table) {
+ public function userRequestsTheseEndpointsWithUsingThePasswordOfUser($asUser, $method, $body, $user, TableNode $table) {
$asUser = $this->featureContext->getActualUsername($asUser);
$userRenamed = $this->featureContext->getActualUsername($user);
- $this->featureContext->verifyTableNodeColumns($table, ['endpoint', 'http-code', 'body'], ['ocs-code']);
+ $this->featureContext->verifyTableNodeColumns($table, ['endpoint']);
foreach ($table->getHash() as $row) {
$row['endpoint'] = $this->featureContext->substituteInLineCodes(
$row['endpoint'], $userRenamed
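Review bot: `userRequestsTheseEndpointsWithUsingThePasswordOfUser` now pushes HTTP codes (in the next hunk, where the function ends) but nothing between `verifyTableNodeColumns` and the `foreach` resets the lists, unlike the other steps changed in this file. Codes recorded by an earlier When step in the same scenario therefore stay in the list and are evaluated together with this step's results. Add `$this->featureContext->emptyLastHTTPStatusCodesArray();` and `$this->featureContext->emptyLastOCSStatusCodesArray();` before the loop.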
@@ -563,13 +616,11 @@ public function userRequestsTheseEndpointsWithUsingThePasswordOfUser($asUser, $m
$row['endpoint'],
$method,
$this->featureContext->getPasswordForUser($user),
- $row['body']
+ $body
+ );
+ $this->featureContext->pushToLastHttpStatusCodesArray(
+ $this->featureContext->getResponse()->getStatusCode()
);
- $ocsCode = null;
- if (\array_key_exists('ocs-code', $row)) {
- $ocsCode = $row['ocs-code'];
- }
- $this->featureContext->authContext->verifyStatusCode($ocsCode, $row['http-code'], $row['endpoint']);
}
}
diff --git a/tests/acceptance/features/bootstrap/WebDav.php b/tests/acceptance/features/bootstrap/WebDav.php
index dfef00db9546..2462a0ab6c31 100644
--- a/tests/acceptance/features/bootstrap/WebDav.php
+++ b/tests/acceptance/features/bootstrap/WebDav.php
@@ -1770,6 +1770,54 @@ public function theHTTPStatusCodeOfAllUploadResponsesShouldBe($statusCode) {
}
}
+ /**
+ * @Then the HTTP status code of responses on all endpoints should be :statusCode
+ *
+ * @param $statusCode
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function theHTTPStatusCodeOfResponsesOnAllEndpointsShouldBe($statusCode) {
+ $duplicateRemovedStatusCodes = \array_unique($this->lastHttpStatusCodesArray);
+ if (\count($duplicateRemovedStatusCodes) === 1) {
+ Assert::assertSame(
+ \intval($statusCode),
+ \intval($duplicateRemovedStatusCodes[0]),
+ 'Responses did not return expected http status code'
+ );
+ } else {
+ throw new \Exception(
+ 'Expected same but found different http status codes of last requested responses.' .
+ 'Found status codes: ' . \implode(',', $this->lastHttpStatusCodesArray)
+ );
+ }
+ }
+
+ /**
+ * @Then the OCS status code of responses on all endpoints should be :statusCode
+ *
+ * @param $statusCode
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function theOCSStatusCodeOfResponsesOnAllEndpointsShouldBe($statusCode) {
+ $duplicateRemovedStatusCodes = \array_unique($this->lastOCSStatusCodesArray);
+ if (\count($duplicateRemovedStatusCodes) === 1) {
+ Assert::assertSame(
+ \intval($statusCode),
+ \intval($duplicateRemovedStatusCodes[0]),
+ 'Responses did not return expected ocs status code'
+ );
+ } else {
+ throw new \Exception(
+ 'Expected same but found different ocs status codes of last requested responses.' .
+ 'Found status codes: ' . \implode(',', $this->lastOCSStatusCodesArray)
+ );
+ }
+ }
+
/**
* @Then /^the HTTP reason phrase of all upload responses should be "([^"]*)"$/
*
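Review bot: Both Then steps report every failure of the `count(...) === 1` test as "found different ... status codes", including the case where the list is empty because the preceding When step recorded nothing (several steps in this commit push only HTTP codes), and the message gives no hint which endpoint produced which code. A guard such as `Assert::assertNotEmpty($this->lastHttpStatusCodesArray, 'No HTTP status codes were recorded by the previous step');` ahead of the `array_unique` call would separate the two cases, and recording the endpoint alongside each code would make a mismatch in a long endpoint table traceable. The two concatenated message parts also need a space after `responses.`.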