gophish/controllers/route_test.go

package controllers

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"

	"github.com/PuerkitoBio/goquery"
)

func (s *ControllersSuite) TestLoginCSRF() {
	resp, err := http.PostForm(fmt.Sprintf("%s/login", s.adminServer.URL),
		url.Values{
			"username": {"admin"},
			"password": {"gophish"},
		})

	s.Equal(resp.StatusCode, http.StatusForbidden)
	fmt.Println(err)
}

func (s *ControllersSuite) TestInvalidCredentials() {
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusOK)

	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Equal(err, nil)
	elem := doc.Find("input[name='csrf_token']").First()
	token, ok := elem.Attr("value")
	s.Equal(ok, true)

	client := &http.Client{}
	req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(url.Values{
		"username":   {"admin"},
		"password":   {"invalid"},
		"csrf_token": {token},
	}.Encode()))
	s.Equal(err, nil)

	req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")

	resp, err = client.Do(req)
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusUnauthorized)
}

func (s *ControllersSuite) TestSuccessfulLogin() {
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusOK)

	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Equal(err, nil)
	elem := doc.Find("input[name='csrf_token']").First()
	token, ok := elem.Attr("value")
	s.Equal(ok, true)

	client := &http.Client{}
	req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(url.Values{
		"username":   {"admin"},
		"password":   {"gophish"},
		"csrf_token": {token},
	}.Encode()))
	s.Equal(err, nil)

	req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")

	resp, err = client.Do(req)
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusOK)
}

func (s *ControllersSuite) TestSuccessfulRedirect() {
	next := "/campaigns"
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusOK)

	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Equal(err, nil)
	elem := doc.Find("input[name='csrf_token']").First()
	token, ok := elem.Attr("value")
	s.Equal(ok, true)

	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequest("POST", fmt.Sprintf("%s/login?next=%s", s.adminServer.URL, next), strings.NewReader(url.Values{
		"username":   {"admin"},
		"password":   {"gophish"},
		"csrf_token": {token},
	}.Encode()))
	s.Equal(err, nil)

	req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")

	resp, err = client.Do(req)
	s.Equal(err, nil)
	s.Equal(resp.StatusCode, http.StatusFound)
	url, err := resp.Location()
	s.Equal(err, nil)
	s.Equal(url.Path, next)
}
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`package controllers`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/url"`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`"strings"`

			`"github.com/PuerkitoBio/goquery"`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`)`

			`func (s *ControllersSuite) TestLoginCSRF() {`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`resp, err := http.PostForm(fmt.Sprintf("%s/login", s.adminServer.URL),`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`url.Values{`
			`"username": {"admin"},`
			`"password": {"gophish"},`
			`})`

Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`s.Equal(resp.StatusCode, http.StatusForbidden)`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`fmt.Println(err)`
			`}`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00
			`func (s *ControllersSuite) TestInvalidCredentials() {`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusOK)`

			`doc, err := goquery.NewDocumentFromResponse(resp)`
			`s.Equal(err, nil)`
			`elem := doc.Find("input[name='csrf_token']").First()`
			`token, ok := elem.Attr("value")`
			`s.Equal(ok, true)`

			`client := &http.Client{}`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(url.Values{`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`"username": {"admin"},`
			`"password": {"invalid"},`
			`"csrf_token": {token},`
			`}.Encode()))`
			`s.Equal(err, nil)`

			`req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))`
			`req.Header.Add("Content-Type", "application/x-www-form-urlencoded")`

			`resp, err = client.Do(req)`
			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusUnauthorized)`
			`}`

			`func (s *ControllersSuite) TestSuccessfulLogin() {`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusOK)`

			`doc, err := goquery.NewDocumentFromResponse(resp)`
			`s.Equal(err, nil)`
			`elem := doc.Find("input[name='csrf_token']").First()`
			`token, ok := elem.Attr("value")`
			`s.Equal(ok, true)`

			`client := &http.Client{}`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(url.Values{`
Change failed login status code to 401. Fixes #833 2017-12-11 00:11:32 +00:00			`"username": {"admin"},`
			`"password": {"gophish"},`
			`"csrf_token": {token},`
			`}.Encode()))`
			`s.Equal(err, nil)`

			`req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))`
			`req.Header.Add("Content-Type", "application/x-www-form-urlencoded")`

			`resp, err = client.Do(req)`
			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusOK)`
			`}`
Adding "next" parameter to support redirecting after successful login. 2017-12-11 03:40:46 +00:00
			`func (s *ControllersSuite) TestSuccessfulRedirect() {`
			`next := "/campaigns"`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))`
Adding "next" parameter to support redirecting after successful login. 2017-12-11 03:40:46 +00:00			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusOK)`

			`doc, err := goquery.NewDocumentFromResponse(resp)`
			`s.Equal(err, nil)`
			`elem := doc.Find("input[name='csrf_token']").First()`
			`token, ok := elem.Attr("value")`
			`s.Equal(ok, true)`

			`client := &http.Client{`
			`CheckRedirect: func(req http.Request, via []http.Request) error {`
			`return http.ErrUseLastResponse`
			`},`
			`}`
Refactor servers (#1321) * Refactoring servers to support custom workers and graceful shutdown. * Refactoring workers to support custom mailers. * Refactoring mailer to be an interface, with proper instances instead of a single global instance * Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition. * Cleaning up API middleware to be simpler * Moving template parameters to separate struct * Changed LoadConfig to return config object * Cleaned up some error handling, removing uninitialized global error in models package * Changed static file serving to use the unindexed package 2018-12-15 21:42:32 +00:00			`req, err := http.NewRequest("POST", fmt.Sprintf("%s/login?next=%s", s.adminServer.URL, next), strings.NewReader(url.Values{`
Adding "next" parameter to support redirecting after successful login. 2017-12-11 03:40:46 +00:00			`"username": {"admin"},`
			`"password": {"gophish"},`
			`"csrf_token": {token},`
			`}.Encode()))`
			`s.Equal(err, nil)`

			`req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))`
			`req.Header.Add("Content-Type", "application/x-www-form-urlencoded")`

			`resp, err = client.Do(req)`
			`s.Equal(err, nil)`
			`s.Equal(resp.StatusCode, http.StatusFound)`
			`url, err := resp.Location()`
			`s.Equal(err, nil)`
			`s.Equal(url.Path, next)`
			`}`