For security reasons, we may want to monitor failures of 2FA challenges in order to ban attackers who might try to access compromised accounts but are stopped by the 2FA challenge.
Right now, the only hindrance is rate-limiting, but it's probably not enough.
Added dependency injection.
Signed-off-by: pjft <paulo.j.tavares@gmail.com>
The at() matcher has been deprecated. It will be removed in PHPUnit 10.
Please refactor your test to not rely on the order in which methods are
invoked.
Signed-off-by: François Freitag <mail@franek.fr>
- Drop reliance on deprecated global jQuery object.
- Allow testing user interactions.
- Use newer technology stack.
---
Test user interactions with the groupware dav settings
Add infrastructure to test Vue components:
- Use recommended libraries:
- https://vuejs.org/v2/guide/testing.html#Recommendations
- Use jest-dom for robust assertions on the DOM state
- Use user-event to be more representative of user actions
- Code is transpiled by Jest, with the help of vue-jest.
Ignore test files for no-unpublished-import. Prevent ESLint from
flagging:
```
/home/runner/work/server/server/apps/dav/src/views/CalDavSettings.spec.js
Error: 1:24 error "@testing-library/vue" is not published node/no-unpublished-import
Error: 2:23 error "@testing-library/user-event" is not published node/no-unpublished-import
```
Signed-off-by: François Freitag <mail@franek.fr>
- in fact the API could be done in a nicer way and it might be possible to
work without IAccountPropertyCollection, but only with the
IAccountProperties.
- To keep it simple at first and not overengineer the blunt attempt is
followed
- If necessary helpful in the further cause of development adjustements or
extensions can be done quickly with this base
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
[Jest](https://jestjs.io/) is a test runner that focuses on simplicity.
It instruments babel to transform modules and test them.
Using Jest simplifies the existing configuration and allows dropping a
bunch of workarounds, as well as following the shared Babel
configuration for new code.
Signed-off-by: François Freitag <mail@franek.fr>
- extends IAccountProperty for verificationData getters and setters
- implementation thereof ^
- and of course adaption of UsersController
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2) Test\Support\Subscription\RegistryTest::testDelegateIsHardUserLimitReachedWithoutSupportAppAndUserCount with data set #0 (35, 15, 2, false)
Cannot stub or mock class or interface "Test\Support\Subscription\UserInterface" which does not exist
3) Test\Support\Subscription\RegistryTest::testDelegateIsHardUserLimitReachedWithoutSupportAppAndUserCount with data set #1 (35, 45, 15, false)
Cannot stub or mock class or interface "Test\Support\Subscription\UserInterface" which does not exist
4) Test\Support\Subscription\RegistryTest::testDelegateIsHardUserLimitReachedWithoutSupportAppAndUserCount with data set #2 (35, 45, 5, true)
Cannot stub or mock class or interface "Test\Support\Subscription\UserInterface" which does not exist
5) Test\Support\Subscription\RegistryTest::testDelegateIsHardUserLimitReachedWithoutSupportAppAndUserCount with data set #3 (35, 45, 55, false)
Cannot stub or mock class or interface "Test\Support\Subscription\UserInterface" which does not exist
Had to use the Database user backend, as using multiple interfaces is deprecated:
https://github.com/sebastianbergmann/phpunit/issues/3955
> This functionality should be deprecated as "having to use it" is almost always a symptom of bad design.
> More importantly, though, the support for the creation of test doubles that implement multiple interfaces
> resulted in code that is hard to maintain.
Signed-off-by: Joas Schilling <coding@schilljs.com>
In the WebDriver protocol, when a command fails because it can not
interact with the target element, an "element not interactable" error is
generated. It can be a transitive issue (for example, due to an
animation), so when the error is received the command should be tried
again, just like done, for example, with "ElementNotVisible" exceptions.
However, the last version of the "instaclick/php-webdriver" library
compatible with the Selenium Driver of Mink did not support yet that
WebDriver error. And even if Chrome is run using the old protocol an
unknown "element not interactable" error can be received anyway in some
cases. When an unknown error is received by the
"instaclick/php-webdriver" library it is thrown as a generic Exception
so, until the library can be updated, the message of generic exceptions
is checked and the command is retried if it matched.
For the time being "element not interactable" errors are handled like
"ElementNotVisible" exceptions; this may need to change once the error
is better understood.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The acceptance tests used the last Selenium 2 Docker container
available, which provides a rather old Firefox version (Firefox 47).
Nevertheless, despite some rendering issues, most things still worked as
expected due to the JavaScript files being built with support for older
browsers. However, now that support for Internet Explorer 11 and older
browsers will be dropped things could start to fail, so a newer browser
(and thus a newer Selenium version) should be used in the acceptance
tests.
Selenium has been standardized by the W3C, and the protocol to
communicate between the Selenium server and the browser has changed due
to that. Firefox >= 48 only supports the new W3C protocol, but the
Selenium driver for Mink does not support it yet.
The old protocol can still be used in recent Chromium/Chrome versions by
explicitly forcing it, so for the time being the acceptance tests will
need to be run on Chrome instead (although Firefox provides some
interesting features like the fake streams that would be needed to test
calls in Talk, so they should be moved again to Firefox once possible).
Finally, the default shm size of Docker is 64 MiB. This does not seem
enough to run newer Chrome releases and causes the browser to randomly
crash during the tests ("unknown error: session deleted because of page
crash" is shown in the logs). Due to this "disable-dev-shm-usage" needs
to be used so Chrome writes shared memory files into "/tmp" instead of
"/dev/shm" (the default shm size of Docker could have been increased
instead using "docker run --shm-size...", but that seems to be
problematic when the container is run in current Drone releases).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
When the value is set in some input fields a carriage return was sent to
simulate pressing the enter key and thus confirming the input. However,
different browsers use different keys (Firefox uses "\r", but Chrome
uses "\n"), so the carriage return was replaced with the WebDriver
"ENTER" constant which is common to both browsers.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Sending the "enter" key is not needed in those input fields that auto
save while the user is typing or when the focus is lost (which since
version 1.4.0 the Selenium driver for Mink is automatically done after
setting the value).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Whilst we currently state that SSRF is generally outside of our threat model, this is something where we should invest to improve this.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Since version 1.8.0 of Mink "Mink::getSession()" no longer starts the
session automatically (see https://github.com/minkphp/Mink/pull/705), so
it now needs to be explicitly started.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Since version 1.4.0 the Selenium driver for Mink uses again the element
on which the value was set (see
https://github.com/minkphp/MinkSelenium2Driver/pull/286). When creating
a new folder or renaming one sending a new line ("\r") caused the
element on which the value was set to be removed, so the element was no
longer attached to the DOM when the driver tried to use it again, and
thus a "StaleElementReference" exception was thrown.
Due to this now it is needed to explicitly click the confirm button when
creating a new folder. In the case of the renaming, on the other hand,
nothing else besides not sending the new line is needed, as the Selenium
driver now unfocuses the element (that is why it uses again the element
after setting the value) which triggers the renaming.
Besides that, the Selenium driver for Mink uses a library to simulate
certain events, bitovi/syn. In version 1.4.0 that library was updated to
version 0.0.3, which seems to somehow break pressing the "escape" key.
Due to this now the sharing menu has to be closed by pressing "enter" on
the share menu button instead.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The PHPUnit update also required an update of "symfony/yaml", so besides
the changes needed for PHPUnit the "behat.yml" file also had to be
adjusted.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
When avatar scope is private, the PlaceholderAvatar is used to deliver a
placeholder avatar based on the user's initials.
This was implemented as a separate class for now to avoid messing with
the existing UserAvatar implementation and its generated vs
non-generated logic.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Use new scope values in settings page.
Adjust all consumers to use the new constants.
Map old scope values to new ones in account property getter.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Added new v2-private account manager scope that restricts the scope
further by excluding public link access.
Avatars with v2-private account scope are now showing the guest avatar
instead of the real avatar.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Remove "ocs-provider" test folder reference as it doesn't exist any
more.
Added back "Test" test subdir and fixed the tests inside.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
It seems Phpunit < 9 was case insensitive.
Fixed the phpunit config to target the correct name for the "Core" test
directory.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Updating a user or group share now uses the correct method for the
validation of the expiration date. Instead of using the one from links
it uses the one for internal shares.
To avoid future confusion, the method "validateExpirationDate" has been
renamed to "validateExpirationDateLink".
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* Some implementations might check for different things
* IT will not change how the current ones work
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
User "user1" is added when installing and configuring the server, so it
is already added in all tests.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
User "user1" is added when installing and configuring the server, so it
is already added in all tests. As the test verifies that just added
users can be searched in the contacts menu a new user should be actually
added.
The test did not fail because it assumed that "user1" did not exist and
just checked that it existed after "adding" it, but not whether adding
it failed.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The input element is always hidden, so the check always ended falling
back to the label. Moreover, the label is the element that the user
interacts with, so it must be the one used.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Although if the element could not be found an exception would be thrown
and the test aborted if an element is in the DOM but hidden it would be
found and the test would pass.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Instead of looking for the bundle button and then checking its value now
the expected value is included in the locator and the button is checked
similarly to other elements.
No "Disable all" locator was added as it was not currently needed
anywhere.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
"Actor::find" is a more robust way to look for elements, as it handles
some exceptions that may be thrown. Therefore, even if the elements are
not actually used and it is only checked whether they exist or not using
the actor is the preferred way when possible (and it also makes it
consistent with the rest of the acceptance tests).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Adding some missing asserts showed that the "delete user" acceptance
test was silently failing, as the deletion was not being confirmed in
the dialog and thus the user was not being deleted.
The dialog button contains a single quote ("user0's"), so the XPath
expression had to be adjusted (it seems that it is not possible to
escape a single quote in a string enclosed in single quotes in XPath
1.0).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
WaitFor::element... calls only perform the waiting and return whether
the condition succeeded or not, but that result needs to be explicitly
checked to prevent further steps from being executed if the wait failed.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
As no timeout was specified the elements were tried to be found just
once. This caused the steps to fail if the elements did not appear yet
in the page when they were tried to be found.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Psalm found an issue. However the issue found was because of lying
docblocks. Fixed those and did some typing to make it all better.
For #25839
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Generated avatars as well as text file previews are rendered using the
"core/fonts/NotoSans-Regular.ttf" font. The file was the standard hinted
"NotoSans-Regular.ttf" file from https://www.google.com/get/noto/.
However that file does not cover some non LGC (Latin, Greek, Cyrillic)
scripts, like Arabic, Devanagari or Hebrew, to name a few.
Markdown file previews also use "core/fonts/NotoSans-Bold.ttf", which is
in the same situation as the regular one.
Due to limitations in the TTF format it is not possible to provide a
single file for each style that includes all Noto fonts. However, it is
possible to add more scripts to the standard "NotoSans-Regular.ttf" and
"NotoSans-Bold.ttf" files (although no CJK (Chinese, Japanese, Korean)
glyph can be included due to the aforementioned limitations).
This commit replaces the standard files with an extended version created
using the Noto Tools. The build script (as well as a patch for the Noto
Tools) is also included for reference and to be able to update the font
files in the future if needed.
Due to the additional scripts added the font files are now much larger,
although this does not seem to increase the time spent rendering LGC
scripts.
Note that the file for the bold style still contains less scripts than
the regular one, as not all scripts supported by Noto have a bold
weight.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Else you can end up that you renewed your password (LDAP for example).
But they still don't work because you did not use them before you logged
in.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
When app app specifies php 7.4 as upper limit we have to allow the
installation on php>7.4.0. The previous version check didn't do that.
This adjusts the regexes to discard any irrelevant suffix after the
three version numbers so that we can use more fine granular checks than
php's version_compare can do out of the box, like for php 7.4 we only
compare the major and minor version numbers and ignore the patch level.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
The IConfig service is documented to handle its data as strings, hence
this changes the code a bit to ensure we store keys as string and
convert them back when reading.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Reduces calls to DI container by reusing already fetched dependencies.
For status.php it went from 355 to 344.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
As "composer.lock" was not versioned the dependencies had to be resolved
everytime that the acceptance tests run, which took some precious time.
Besides that the dependency versions were also tightened for better
control.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This shows in a clearer way that the expected expiration date is the
original one, but without time.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This adds back what was being actually tested in the unit test fixed in
the previous commit.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The expiration date was explicitly given, so it was not testing what it
should. Moreover, "link_defaultExpDays" needs to be mapped when testing
the default value (even if it will just fallback to the value of
"shareapi_expire_after_n_days").
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The enforced expiration date was not actually enabled, as for that
"shareapi_default_expire_date" needs to be explicitly set to "yes".
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The test should fail if no exception was thrown, and no exception was
thrown due to a missing configuration parameter. However, the use of
"addToAssertionCount(1)" made the test pass even if no exception was
thrown and, therefore, to silently fail.
Now the missing configuration parameter was added and the test will fail
if the expected exception is not thrown.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* removes the ability for users to import their own certificates (for external storage)
* reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions)
The user specific certificates were broken in some cases anyways, as they are only loaded if the specific user is logged in and thus causing unexpected behavior for background jobs and other non-user triggered code paths.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
On some systems with a lot of users this creates a lot of extra DB
writes.
Being able to increase this interval helps there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>