tests/test-login-fail.sh

   1 #!/bin/sh
   2 #
   3 #  Copyright (c) 2015-2016 Marcus Rohrmoser http://mro.name/me. All rights reserved.
   4 #
   5 #  This program is free software: you can redistribute it and/or modify
   6 #  it under the terms of the GNU General Public License as published by
   7 #  the Free Software Foundation, either version 3 of the License, or
   8 #  (at your option) any later version.
   9 #
  10 #  This program is distributed in the hope that it will be useful,
  11 #  but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 #  GNU General Public License for more details.
  14 #
  15 #  You should have received a copy of the GNU General Public License
  16 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18 cd "$(dirname "$0")/../tmp"
  19 . ../scripts/assert.sh
  20
  21 # Check preliminaries
  22 curl --version >/dev/null       || assert_fail 101 "I need curl."
  23 xmllint --version 2> /dev/null  || assert_fail 102 "I need xmllint (libxml2)."
  24 [ "${USERNAME}" != "" ]         || assert_fail 1 "How strange, USERNAME is unset."
  25 [ "${PASSWORD}" != "" ]         || assert_fail 2 "How strange, PASSWORD is unset."
  26 [ "${BASE_URL}" != "" ]         || assert_fail 3 "How strange, BASE_URL is unset."
  27
  28 fetch_token() {
  29   echo "GET $1" 1>&2
  30   # http://unix.stackexchange.com/a/157219
  31   LOCATION=$(curl --get --url "$1" \
  32     --cookie curl.cook --cookie-jar curl.cook \
  33     --location --output curl.tmp.html \
  34     --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  35     --write-out '%{url_effective}' 2>/dev/null)
  36   # todo:
  37   errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
  38   [ "${errmsg}" = "" ] || assert_fail 107 "error: '${errmsg}'"
  39   echo $(xmllint --html --nowarning --xpath 'string(/html/body//form[@name="loginform"]//input[@name="token"]/@value)' curl.tmp.html)
  40   # string(..) http://stackoverflow.com/a/18390404
  41 }
  42
  43 echo "#### Test wrong token"
  44 rm curl.*
  45 LOCATION="${BASE_URL}/?do=login"
  46 TOKEN="just some bogus"
  47
  48 echo "POST ${LOCATION}"
  49 LOCATION=$(curl --url "${LOCATION}" \
  50   --data-urlencode "login=${USERNAME}" \
  51   --data-urlencode "password=${PASSWORD}" \
  52   --data-urlencode "token=${TOKEN}" \
  53   --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  54   --cookie curl.cook --cookie-jar curl.cook \
  55   --location --output curl.tmp.html \
  56   --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  57   --write-out '%{url_effective}' 2>/dev/null)
  58 errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
  59 [ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 59 "error: '${errmsg}'"
  60
  61
  62
  63 echo "#### Test wrong username"
  64 rm curl.*
  65 LOCATION="${BASE_URL}/?do=login"
  66 TOKEN="$(fetch_token "${LOCATION}")"
  67 # the precise length doesn't matter, it just has to be significantly larger than ''
  68 [ $(printf "%s" ${TOKEN} | wc -c) -eq 40 ] || assert_fail 68 "expected TOKEN of 40 characters, but found ${TOKEN} of $(printf "%s" ${TOKEN} | wc -c)"
  69
  70 echo "POST ${LOCATION}"
  71 LOCATION=$(curl --url "${LOCATION}" \
  72   --data-urlencode "login=f o o" \
  73   --data-urlencode "password=${PASSWORD}" \
  74   --data-urlencode "token=${TOKEN}" \
  75   --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  76   --cookie curl.cook --cookie-jar curl.cook \
  77   --location --output curl.tmp.html \
  78   --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
  79   --write-out '%{url_effective}' 2>/dev/null)
  80 errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
  81 [ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 81 "error: '${errmsg}'"
  82
  83
  84
  85 echo "#### Test wrong password"
  86 rm curl.*
  87 LOCATION="${BASE_URL}/?do=login"
  88 TOKEN="$(fetch_token "${LOCATION}")"
  89 # the precise length doesn't matter, it just has to be significantly larger than ''
  90 [ $(printf "%s" ${TOKEN} | wc -c) -eq 40 ] || assert_fail 90 "expected TOKEN of 40 characters, but found ${TOKEN} of $(printf "%s" ${TOKEN} | wc -c)"
  91
  92 echo "POST ${LOCATION}"
  93 LOCATION=$(curl --url "${LOCATION}" \
  94   --data-urlencode "login=${USERNAME}" \
  95   --data-urlencode "password=f o o" \
  96   --data-urlencode "token=${TOKEN}" \
  97   --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
  98   --cookie curl.cook --cookie-jar curl.cook \
  99   --location --output curl.tmp.html \
 100   --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
 101   --write-out '%{url_effective}' 2>/dev/null)
 102 errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
 103 [ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 103 "error: '${errmsg}'"
 104
 105
 106
 107 echo "#### Test wrong password (again)"
 108 rm curl.*
 109 LOCATION="${BASE_URL}/?do=login"
 110 TOKEN="$(fetch_token "${LOCATION}")"
 111 # the precise length doesn't matter, it just has to be significantly larger than ''
 112 [ $(printf "%s" ${TOKEN} | wc -c) -eq 40 ] || assert_fail 112 "expected TOKEN of 40 characters, but found ${TOKEN} of $(printf "%s" ${TOKEN} | wc -c)"
 113
 114 echo "POST ${LOCATION}"
 115 LOCATION=$(curl --url "${LOCATION}" \
 116   --data-urlencode "login=${USERNAME}" \
 117   --data-urlencode "password=f o o" \
 118   --data-urlencode "token=${TOKEN}" \
 119   --data-urlencode "returnurl=${BASE_URL}/?do=changepasswd" \
 120   --cookie curl.cook --cookie-jar curl.cook \
 121   --location --output curl.tmp.html \
 122   --trace-ascii curl.tmp.trace --dump-header curl.tmp.head \
 123   --write-out '%{url_effective}' 2>/dev/null)
 124 errmsg=$(xmllint --html --nowarning --xpath 'string(/html[1 = count(*)]/head[1 = count(*)]/script[starts-with(.,"alert(")])' curl.tmp.html)
 125 [ "${errmsg}" = "alert(\"Wrong login/password.\");document.location='?do=login';" ] || assert_fail 125 "error: '${errmsg}'"
 126
 127
 128
 129 echo "#### Test banned ip (4 previous failures)"
 130 rm curl.*
 131 LOCATION="${BASE_URL}/?do=login"
 132 TOKEN="$(fetch_token "${LOCATION}")"
 133 errmsg=$(xmllint --html --nowarning --xpath 'string(normalize-space(/html/body//*[@id="headerform"]))' curl.tmp.html)
 134 [ "${errmsg}" = "You have been banned from login after too many failed attempts. Try later." ] || assert_fail 134 "error: '${errmsg}'"