package com.opensymphony.xwork2.security;

import com.opensymphony.xwork2.XWorkTestCase;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {

    public void testHardcodedPatterns() throws Exception {
        // given
        List<String> params = new ArrayList<String>() {
            {
                add("%{#application['test']}");
                add("%{#application.test}");
                add("%{#Application['test']}");
                add("%{#Application.test}");
                add("%{#session['test']}");
                add("%{#session.test}");
                add("%{#Session['test']}");
                add("%{#Session.test}");
                add("%{#struts['test']}");
                add("%{#struts.test}");
                add("%{#Struts['test']}");
                add("%{#Struts.test}");
                add("%{#request['test']}");
                add("%{#request.test}");
                add("%{#Request['test']}");
                add("%{#Request.test}");
                add("%{#servletRequest['test']}");
                add("%{#servletRequest.test}");
                add("%{#ServletRequest['test']}");
                add("%{#ServletRequest.test}");
                add("%{#servletResponse['test']}");
                add("%{#servletResponse.test}");
                add("%{#ServletResponse['test']}");
                add("%{#ServletResponse.test}");
                add("%{#servletContext['test']}");
                add("%{#servletContext.test}");
                add("%{#ServletContext['test']}");
                add("%{#ServletContext.test}");
                add("%{#parameters['test']}");
                add("%{#parameters.test}");
                add("%{#Parameters['test']}");
                add("%{#Parameters.test}");
                add("#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')");
                add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
                add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
                add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
                add("form.class.classLoader");
                add("form[\"class\"][\"classLoader\"]");
                add("form['class']['classLoader']");
                add("class['classLoader']");
                add("class[\"classLoader\"]");
                add("class.classLoader.resources.dirContext.docBase=tttt");
                add("Class.classLoader.resources.dirContext.docBase=tttt");
            }
        };

        DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
        checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");

        for (String param : params) {
            // when
            ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(param);

            // then
            assertTrue("Access to " + param + " is possible!", actual.isExcluded());
        }
    }

    public void testDefaultExcludePatterns() throws Exception {
        // given
        List<String> prefixes = Arrays.asList("#[0].%s", "[0].%s", "top.%s", "%{[0].%s}", "%{#[0].%s}", "%{top.%s}", "%{#top.%s}", "%{#%s}", "%{%s}", "#%s");
        List<String> inners = Arrays.asList("servletRequest", "servletResponse", "servletContext", "application", "session", "struts", "request", "response", "dojo", "parameters");
        List<String> suffixes = Arrays.asList("['test']", "[\"test\"]", ".test");

        DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
        checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");

        List<String> params = new ArrayList<String>();
        for (String prefix : prefixes) {
            for (String inner : inners) {
                String innerUp = inner.substring(0, 1).toUpperCase() + inner.substring(1);
                for (String suffix : suffixes) {
                    params.add(prefix.replace("%s", inner + suffix));
                    params.add(prefix.replace("%s", innerUp + suffix));
                }
            }
        }

        for (String param : params) {
            // when
            ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(param);

            // then
            assertTrue("Access to " + param + " is possible!", actual.isExcluded());
        }
    }

    public void testParamWithClassInName() throws Exception {
        // given
        List<String> properParams = new ArrayList<>();
        properParams.add("eventClass");
        properParams.add("form.eventClass");
        properParams.add("form[\"eventClass\"]");
        properParams.add("form['eventClass']");
        properParams.add("class.super@demo.com");
        properParams.add("super.class@demo.com");

        ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();

        for (String properParam : properParams) {
            // when
            ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(properParam);

            // then
            assertFalse("Param '" + properParam + "' is excluded!", actual.isExcluded());
        }
    }

    public void testStrutsTokenIsExcluded() throws Exception {
        // given
        List<String> tokens = new ArrayList<>();
        tokens.add("struts.token.name");
        tokens.add("struts.token");

        ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();

        for (String token : tokens) {
            // when
            ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(token);

            // then
            assertTrue("Param '" + token + "' is not excluded!", actual.isExcluded());
        }
    }

}