From 69208fe0ace3b03ece53b0f059d6c876974631b8 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Mon, 4 Aug 2014 15:18:55 +0100 Subject: [PATCH] Added more fizzfuzz tests --- tests/fuzz/grant-authcode.yml | 9 ++ tests/fuzz/grant-client-credentials.yml | 59 +++++++++++++ tests/fuzz/grant-password.yml | 85 +++++++++++++++++++ tests/fuzz/tokeninfo-no-access-token.yml | 4 +- ...okeninfo-no-invalid-token-query-string.yml | 10 ++- tests/fuzz/tokeninfo-no-invalid-token.yml | 4 +- tests/fuzz/tokeninfo-valid-token-header.yml | 26 ++++++ tests/fuzz/tokeninfo-valid-token.yml | 10 +-- tests/fuzz/users-token-iamalex.yml | 32 +++++++ tests/fuzz/users-token-iamphil.yml | 32 +++++++ 10 files changed, 259 insertions(+), 12 deletions(-) create mode 100644 tests/fuzz/grant-authcode.yml create mode 100644 tests/fuzz/grant-client-credentials.yml create mode 100644 tests/fuzz/grant-password.yml create mode 100644 tests/fuzz/tokeninfo-valid-token-header.yml create mode 100644 tests/fuzz/users-token-iamalex.yml create mode 100644 tests/fuzz/users-token-iamphil.yml diff --git a/tests/fuzz/grant-authcode.yml b/tests/fuzz/grant-authcode.yml new file mode 100644 index 00000000..7c740a9d --- /dev/null +++ b/tests/fuzz/grant-authcode.yml @@ -0,0 +1,9 @@ +url: 'http://localhost:8000/authcode_grant.php/authorize?client_id=testclient&redirect_uri=http%3A%2F%2Fexample.com%2Fredirect&response_type=code&scope=basic' +request: + method: GET +response: + statusCode: 200 + headers: + - + key: Location + valueRegex: /http:\/\/example.com\/redirect\?code=([a-zA-Z0-9]*)/ \ No newline at end of file diff --git a/tests/fuzz/grant-client-credentials.yml b/tests/fuzz/grant-client-credentials.yml new file mode 100644 index 00000000..cc0e8519 --- /dev/null +++ b/tests/fuzz/grant-client-credentials.yml 
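Review bot: The Location check in grant-authcode.yml, `valueRegex: /http:\/\/example.com\/redirect\?code=([a-zA-Z0-9]*)/`, accepts an empty code because of `*` and is unanchored, so a redirect carrying `code=` with nothing after it, or with extra parameters appended, still passes; the unescaped `.` in `example.com` also matches any character. A stricter pattern such as `valueRegex: /^http:\/\/example\.com\/redirect\?code=[a-zA-Z0-9]+$/` pins both the code's presence and the exact redirect target, assuming the harness does not anchor regexes implicitly (not visible here). The authorize request sends no `state` parameter, so the round-trip of `state` into the redirect — the client's CSRF defence in the authorization-code flow — is not exercised; a sibling case adding `&state=...` to the URL and `state=` to the regex would cover it. The expected `statusCode: 200` next to a Location header is also worth a second look, since a redirect is normally a 302, unless the harness records redirects differently.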
@@ -0,0 +1,59 @@ +url: 'http://localhost:8000/other_grants.php/access_token' +request: + method: POST + body: + - + key: client_id + value: testclient + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"client_id\" parameter." + invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: client_secret + value: secret + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"client_secret\" parameter." + invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: grant_type + value: client_credentials + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter." + invalid: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: unsupported_grant_type + #body.message: "The authorization grant type XXX is not supported by the authorization server." +response: + statusCode: 200 + headers: + - + key: Content-type + value: application/json + body: + - + key: expires_in + valueType: integer + - + key: access_token + valueRegex: /([a-zA-Z0-9]*)/ + - + key: token_type + value: Bearer \ No newline at end of file 
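Review bot: The success-case token check, `valueRegex: /([a-zA-Z0-9]*)/` under `access_token`, matches the empty string, so a response whose token is empty (or absent, if the harness treats a missing key as "") still passes; `valueRegex: /^[a-zA-Z0-9]+$/` at least requires a non-empty token, and a length bound would be better if the issuer's token length is fixed. The success response is not checked for `Cache-Control: no-store` and `Pragma: no-cache`, which RFC 6749 §5.1 requires on token responses so intermediaries do not cache access tokens; two more entries under `response.headers` would let this case catch a regression there. The `invalid` expectations for `client_id` and `client_secret` returning the same 401 `invalid_client` body is a good property (no client-enumeration oracle) and deserves a comment saying so, e.g. `# same response for unknown client and wrong secret: no enumeration oracle`. Whether regexes are anchored implicitly by the harness is not visible, so confirm before relying on `^`/`$`.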
diff --git a/tests/fuzz/grant-password.yml b/tests/fuzz/grant-password.yml
new file mode 100644
index 00000000..63b0628b
--- /dev/null
+++ b/tests/fuzz/grant-password.yml
@@ -0,0 +1,85 @@ +url: 'http://localhost:8000/other_grants.php/access_token' +request: + method: POST + body: + - + key: client_id + value: testclient + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"client_id\" parameter." + invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: client_secret + value: secret + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"client_secret\" parameter." + invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: username + value: alex + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"username\" parameter." + invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: password + value: whisky + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"password\" parameter." 
+ invalid: + response.statusCode: 401 + headers.content-type: "application/json" + body.error: invalid_client + body.message: "Client authentication failed." + - + key: grant_type + value: password + missing: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: invalid_request + body.message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter." + invalid: + response.statusCode: 400 + headers.content-type: "application/json" + body.error: unsupported_grant_type + #body.message: "The authorization grant type XXX is not supported by the authorization server." +response: + statusCode: 200 + headers: + - + key: Content-type + value: application/json + body: + - + key: expires_in + valueType: integer + - + key: access_token + valueRegex: /([a-zA-Z0-9]*)/ + - + key: token_type + value: Bearer \ No newline at end of file diff --git a/tests/fuzz/tokeninfo-no-access-token.yml b/tests/fuzz/tokeninfo-no-access-token.yml index 15fbc8fa..3d084cf7 100644 --- a/tests/fuzz/tokeninfo-no-access-token.yml +++ b/tests/fuzz/tokeninfo-no-access-token.yml @@ -4,7 +4,9 @@ request: response: statusCode: 400 headers: - Content-type: application/json + - + key: Content-type + value: application/json body: - key: error diff --git a/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml b/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml index 4d60340b..bfe07737 100644 --- a/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml +++ b/tests/fuzz/tokeninfo-no-invalid-token-query-string.yml 
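Review bot: The `invalid` expectations for `username` and `password` pin `body.error: invalid_client` with "Client authentication failed.", but RFC 6749 §5.2 assigns wrong resource-owner credentials to `invalid_grant` (400), reserving `invalid_client` (401) for failed client authentication. If the server really answers `invalid_client` for a bad user password, this test freezes a spec deviation that makes client-auth and user-auth failures indistinguishable to clients; the expected values should become `response.statusCode: 400` and `body.error: invalid_grant` once the server is corrected, with a comment until then such as `# TODO: server returns invalid_client for bad user credentials; RFC 6749 says invalid_grant`. As in the other grant files, `/([a-zA-Z0-9]*)/` on `access_token` accepts an empty token and the success response is not checked for `Cache-Control: no-store`/`Pragma: no-cache` (RFC 6749 §5.1). The fixture credentials `alex`/`whisky` are fine for a local fuzz target but should not be reused in any shared environment.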
@@ -2,13 +2,15 @@ url: 'http://localhost:8000/api.php/tokeninfo?access_token=foobar' request: method: GET response: - statusCode: 400 + statusCode: 401 headers: - Content-type: application/json + - + key: Content-type + value: application/json body: - key: error - value: "invalid_request" + value: "access_denied" - key: message - value: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter." \ No newline at end of file + value: "The resource owner or authorization server denied the request." \ No newline at end of file diff --git a/tests/fuzz/tokeninfo-no-invalid-token.yml b/tests/fuzz/tokeninfo-no-invalid-token.yml index 30ee8887..8c4535e3 100644 --- a/tests/fuzz/tokeninfo-no-invalid-token.yml +++ b/tests/fuzz/tokeninfo-no-invalid-token.yml @@ -8,7 +8,9 @@ request: response: statusCode: 401 headers: - Content-type: application/json + - + key: Content-type + value: application/json body: - key: error diff --git a/tests/fuzz/tokeninfo-valid-token-header.yml b/tests/fuzz/tokeninfo-valid-token-header.yml new file mode 100644 index 00000000..c30d819e --- /dev/null +++ b/tests/fuzz/tokeninfo-valid-token-header.yml @@ -0,0 +1,26 @@ +url: 'http://localhost:8000/api.php/tokeninfo' +request: + method: GET + headers: + - + key: Authorization + value: "Bearer iamgod" +response: + statusCode: 200 + headers: + - + key: Content-type + value: application/json + body: + - + key: owner_id + value: testclient + - + key: owner_type + value: client + - + key: access_token + value: iamgod + - + key: client_id + value: testclient \ No newline at end of file diff --git a/tests/fuzz/tokeninfo-valid-token.yml b/tests/fuzz/tokeninfo-valid-token.yml index d7ec6b3a..fb160249 100644 --- a/tests/fuzz/tokeninfo-valid-token.yml +++ b/tests/fuzz/tokeninfo-valid-token.yml 
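Review bot: The new expectation for an invalid bearer token — 401 with `access_denied` — does not check for a `WWW-Authenticate` header, which RFC 6750 §3 requires on a 401 from a resource server (`WWW-Authenticate: Bearer realm="...", error="invalid_token"`); if api.php emits it, an entry `- key: WWW-Authenticate` with a `valueRegex` matching `Bearer` would pin it, and if it does not, that is a server-side gap rather than a test one. The `access_denied` wording also reads as the server's generic denial rather than RFC 6750's `invalid_token` error code, so it is worth confirming that this is the intended error. Passing the token as `?access_token=foobar` is the least preferred transport in RFC 6750 §2.3 (it lands in access logs and Referer headers), so a comment noting that this file exists to exercise the query-string path, with the Authorization-header variant as the primary case, would help the next reader.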
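Review bot: tokeninfo-valid-token-header.yml asserts `access_token: iamgod` in the body, so the test documents that the introspection endpoint echoes the raw bearer credential back to the caller; that deserves a comment, e.g. `# NOTE: tokeninfo echoes the bearer token in the body; keep this endpoint out of shared logs`, or a review of whether the field needs to be returned at all. The expectations cover owner and client fields but nothing about expiry or scope, so a token with a wrong or missing expiry would pass; if the endpoint returns such fields, an entry with `valueType: integer` for the expiry would tighten the check. The fixture token `iamgod` presumably works because the fuzz database seeds it; a comment pointing at where it is seeded would save a reader grepping.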
@@ -1,14 +1,12 @@ -url: 'http://localhost:8000/api.php/tokeninfo' +url: 'http://localhost:8000/api.php/tokeninfo?access_token=iamgod' request: method: GET - headers: - - - key: Authorization - value: "Bearer iamgod" response: statusCode: 200 headers: - Content-type: application/json + - + key: Content-type + value: application/json body: - key: owner_id diff --git a/tests/fuzz/users-token-iamalex.yml b/tests/fuzz/users-token-iamalex.yml new file mode 100644 index 00000000..629de493 --- /dev/null +++ b/tests/fuzz/users-token-iamalex.yml @@ -0,0 +1,32 @@ +url: 'http://localhost:8000/api.php/users' +request: + method: GET + headers: + - + key: Authorization + value: Bearer iamalex +response: + statusCode: 200 + headers: + - + key: Content-type + value: application/json + body: + - + key: 0.username + value: alexbilbie + - + key: 0.name + value: Alex Bilbie + - + key: 0.photo + valueType: string + - + key: 1.username + value: philsturgeon + - + key: 1.name + value: Phil Sturgeon + - + key: 1.photo + valueType: string \ No newline at end of file diff --git a/tests/fuzz/users-token-iamphil.yml b/tests/fuzz/users-token-iamphil.yml new file mode 100644 index 00000000..6f1b7b57 --- /dev/null +++ b/tests/fuzz/users-token-iamphil.yml @@ -0,0 +1,32 @@ +url: 'http://localhost:8000/api.php/users' +request: + method: GET + headers: + - + key: Authorization + value: Bearer iamphil +response: + statusCode: 200 + headers: + - + key: Content-type + value: application/json + body: + - + key: 0.username + value: alexbilbie + - + key: 0.name + value: Alex Bilbie + - + key: 0.email + valueType: string + - + key: 1.username + value: philsturgeon + - + key: 1.name + value: Phil Sturgeon + - + key: 1.email + valueType: string \ No newline at end of file
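Review bot: users-token-iamalex.yml only lists the fields expected for this token (`0.photo`, `1.photo`) and never asserts that out-of-scope fields such as `0.email` are absent, so a regression where api.php returns every column regardless of scope would still pass; if the harness supports an absence assertion (a `missing:`-style key as the grant files use), add `0.email` and `1.email` to it, otherwise record the gap with `# TODO: assert email is NOT returned for this token's scope`. The hunk does not show which scope `iamalex` carries, so the photo-with-alex / email-with-phil pairing is inferred from the two files; a one-line comment naming the scope would make the intent explicit.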
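Review bot: users-token-iamphil.yml asserts `0.email`/`1.email` present — the more sensitive field — but nothing asserts that `0.photo` is absent, so scope enforcement is only tested in the positive direction; add an absence check for `photo` if the harness can express one, or a `# TODO: negative scope case uncovered` comment so the gap is visible. Because email is personal data, it is also worth a comment stating that the `iamphil` fixture token is the only thing gating it in this test, so the seeded scope for that token is part of the test's security assumptions.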