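#!/bin/sh
#
# Copyright (c) 2015-2016 Marcus Rohrmoser http://mro.name/me. All rights reserved.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Black-box test of the login failure paths (bad token, bad user name, bad
# password, ban after repeated failures) against the instance at BASE_URL.
#
# Required environment: USERNAME, PASSWORD, BASE_URL.
#
# Handling of the credential: PASSWORD is a working credential for the target.
# The tests below hand it to curl as a command-line argument (visible to other
# local users in the process list while curl runs) and record every request
# with --trace-ascii, so curl.tmp.trace holds the password in plain text after
# a test that posts it. Run this against a throw-away account and keep the
# tmp directory private.

# All scratch files (curl.cook, curl.tmp.*) live in ../tmp. Stop when that
# directory cannot be entered: the tests run `rm curl.*` and must never do so
# in whatever directory the caller happened to be in.
cd "$(dirname "$0")/../tmp" || {
  echo "cannot cd to $(dirname "$0")/../tmp" 1>&2
  exit 100
}
# Provides assert_fail (not shown here).
. ../scripts/assert.sh

# Check preliminaries
curl --version >/dev/null || assert_fail 101 "I need curl."
xmllint --version 2> /dev/null || assert_fail 102 "I need xmllint (libxml2)."
[ -n "${USERNAME}" ] || assert_fail 1 "How strange, USERNAME is unset."
[ -n "${PASSWORD}" ] || assert_fail 2 "How strange, PASSWORD is unset."
[ -n "${BASE_URL}" ] || assert_fail 3 "How strange, BASE_URL is unset."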
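#######################################
# GET a page and print the login form's hidden token.
# Arguments: $1 - URL to fetch (redirects are followed)
# Outputs:   stdout - value of input[name=token] in form "loginform",
#                     empty when the page has no such field
#            stderr - "GET <url>"
# Files:     curl.cook (cookie jar, read and written), curl.tmp.html (body),
#            curl.tmp.head (response headers), curl.tmp.trace (full trace of
#            request and response, cookies included)
# Note:      callers use TOKEN="$(fetch_token ...)", so this body runs in a
#            subshell: the LOCATION assignment does not reach the caller, and
#            assert_fail here presumably ends only the subshell (confirm
#            against scripts/assert.sh). Callers must check the token.
#######################################
fetch_token() {
  echo "GET $1" 1>&2
  # http://unix.stackexchange.com/a/157219
  LOCATION=$(curl --get --url "$1" \
    --cookie curl.cook --cookie-jar curl.cook \
    --location --output curl.tmp.html \
    --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
    --write-out '%{url_effective}' 2>/dev/null)
  # todo:
  # An error page is a document whose only content is a <script> that starts
  # with alert( - any such text means the GET itself was rejected.
  errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
  [ "${errmsg}" = "" ] || assert_fail 107 "error: '${errmsg}'"
  # string(..) http://stackoverflow.com/a/18390404
  # Print the value exactly as served: the former `echo $(...)` let the shell
  # word-split and glob-expand text that comes from the remote page.
  token_value=$(xmllint --html --nowarning --xpath 'string(/html/body//form[@name="loginform"]//input[@name="token"]/@value)' curl.tmp.html)
  printf '%s\n' "${token_value}"
}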
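# Test 1: valid user name and password, but a token the server never issued.
# Expected: the same generic "Wrong login/password." alert the other failure
# cases in this script expect, so the response does not reveal that the
# credentials were right and only the token was bad.
# Note: this request carries the real PASSWORD; it ends up in curl.tmp.trace.
echo "#### Test wrong token"
# -f: on a first run there is nothing to remove yet. Removing curl.cook also
# drops any session cookie, so the test starts without a session.
rm -f curl.*
LOCATION="${BASE_URL}/?do=login"
TOKEN="just some bogus"

echo "POST ${LOCATION}"
# LOCATION receives the effective URL after redirects; it is not asserted on.
LOCATION=$(curl --url "${LOCATION}" \
  --data-urlencode "login=${USERNAME}" \
  --data-urlencode "password=${PASSWORD}" \
  --data-urlencode "token=${TOKEN}" \
  --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  --cookie curl.cook --cookie-jar curl.cook \
  --location --output curl.tmp.html \
  --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  --write-out '%{url_effective}' 2>/dev/null)
# The failure page is a document holding nothing but the alert script.
errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
[ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 59 "error: '${errmsg}'"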
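# Test 2: fresh token, unknown user name ("f o o"), real password.
# Expected: the alert text is identical to the one for a wrong password, so
# the message does not tell a client whether the account exists. Only the
# response text is compared; response timing is not measured here.
# Note: this request carries the real PASSWORD; it ends up in curl.tmp.trace.
echo "#### Test wrong username"
# Removing curl.cook as well gives the test a fresh session.
rm -f curl.*
LOCATION="${BASE_URL}/?do=login"
TOKEN="$(fetch_token "${LOCATION}")"
# the precise length doesn't matter, it just has to be significantly larger than ''
# (the assertion below nevertheless requires exactly 40 bytes)
# TOKEN is quoted so text taken from the remote page is measured as one string;
# $(( )) strips the padding some wc implementations print.
token_len=$(( $(printf "%s" "${TOKEN}" | wc -c) ))
[ "${token_len}" -eq 40 ] || assert_fail 68 "expected TOKEN of 40 characters, but found ${TOKEN} of ${token_len}"

echo "POST ${LOCATION}"
# LOCATION receives the effective URL after redirects; it is not asserted on.
LOCATION=$(curl --url "${LOCATION}" \
  --data-urlencode "login=f o o" \
  --data-urlencode "password=${PASSWORD}" \
  --data-urlencode "token=${TOKEN}" \
  --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  --cookie curl.cook --cookie-jar curl.cook \
  --location --output curl.tmp.html \
  --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  --write-out '%{url_effective}' 2>/dev/null)
errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
[ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 81 "error: '${errmsg}'"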
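# Test 3: fresh token, real user name, wrong password ("f o o").
# Expected: the generic "Wrong login/password." alert, the same text the
# unknown-user case expects.
echo "#### Test wrong password"
# Removing curl.cook as well gives the test a fresh session.
rm -f curl.*
LOCATION="${BASE_URL}/?do=login"
TOKEN="$(fetch_token "${LOCATION}")"
# the precise length doesn't matter, it just has to be significantly larger than ''
# (the assertion below nevertheless requires exactly 40 bytes)
# TOKEN is quoted so text taken from the remote page is measured as one string;
# $(( )) strips the padding some wc implementations print.
token_len=$(( $(printf "%s" "${TOKEN}" | wc -c) ))
[ "${token_len}" -eq 40 ] || assert_fail 90 "expected TOKEN of 40 characters, but found ${TOKEN} of ${token_len}"

echo "POST ${LOCATION}"
# LOCATION receives the effective URL after redirects; it is not asserted on.
LOCATION=$(curl --url "${LOCATION}" \
  --data-urlencode "login=${USERNAME}" \
  --data-urlencode "password=f o o" \
  --data-urlencode "token=${TOKEN}" \
  --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  --cookie curl.cook --cookie-jar curl.cook \
  --location --output curl.tmp.html \
  --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  --write-out '%{url_effective}' 2>/dev/null)
errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
[ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 103 "error: '${errmsg}'"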
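# Test 4: a second wrong-password attempt with a fresh token and session.
# Expected: still the generic alert. Presumably this is the attempt that
# brings the failure count to the ban threshold checked by the next test,
# which speaks of "4 previous failures" - confirm against the server config.
echo "#### Test wrong password (again)"
# Removing curl.cook as well gives the test a fresh session, so the failure
# count cannot be tied to a session cookie.
rm -f curl.*
LOCATION="${BASE_URL}/?do=login"
TOKEN="$(fetch_token "${LOCATION}")"
# the precise length doesn't matter, it just has to be significantly larger than ''
# (the assertion below nevertheless requires exactly 40 bytes)
# TOKEN is quoted so text taken from the remote page is measured as one string;
# $(( )) strips the padding some wc implementations print.
token_len=$(( $(printf "%s" "${TOKEN}" | wc -c) ))
[ "${token_len}" -eq 40 ] || assert_fail 112 "expected TOKEN of 40 characters, but found ${TOKEN} of ${token_len}"

echo "POST ${LOCATION}"
# LOCATION receives the effective URL after redirects; it is not asserted on.
LOCATION=$(curl --url "${LOCATION}" \
  --data-urlencode "login=${USERNAME}" \
  --data-urlencode "password=f o o" \
  --data-urlencode "token=${TOKEN}" \
  --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  --cookie curl.cook --cookie-jar curl.cook \
  --location --output curl.tmp.html \
  --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  --write-out '%{url_effective}' 2>/dev/null)
errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
[ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 125 "error: '${errmsg}'"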
# Test 5: after the four failed POSTs above, a plain GET of the login page
# must show the ban notice instead of the login form.
# This test depends on the earlier tests having run, in order, in the same
# invocation. It also leaves the client address banned on the target until
# the ban lapses ("Try later."), which can affect whatever runs next from
# this address.
printf '%s\n' "#### Test banned ip (4 previous failures)"
rm curl.*
LOCATION="${BASE_URL}/?do=login"
# Only the page saved to curl.tmp.html is inspected; TOKEN itself is unused
# and is expected to be empty when the form is replaced by the notice.
TOKEN="$(fetch_token "${LOCATION}")"
errmsg=$(xmllint --html --nowarning --xpath 'string(normalize-space(/html/body//*[@id="headerform"]))' curl.tmp.html)
if [ "${errmsg}" != "You have been banned from login after too many failed attempts. Try later." ]; then
  assert_fail 134 "error: '${errmsg}'"
fi