Redo try_glassfish_3 specs

jvazquez-r7 · jvazquez-r7 · commit 768b50974fc9 · 2014-09-07T21:04:43.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -111,7 +111,7 @@ def try_glassfish_2(credential)
         # @return (see #try_glassfish_2)
         def try_glassfish_3(credential)
           res = try_login(credential)
-          if res and res.code == 302
+          if res && res.code == 302
             opts = {
               'uri'     => '/common/applications/uploadFrame.jsf',
               'method'  => 'GET',
diff --git a/spec/lib/metasploit/framework/login_scanner/glassfish_spec.rb b/spec/lib/metasploit/framework/login_scanner/glassfish_spec.rb
@@ -22,10 +22,18 @@
     'admin'
   end
 
+  let(:username_disabled) do
+    'admin_disabled'
+  end
+
   let(:password) do
     'password'
   end
 
+  let(:password_disabled) do
+    'password_disabled'
+  end
+
   let(:cred) do
     Metasploit::Framework::Credential.new(
       paired: true,
@@ -42,6 +50,14 @@
     )
   end
 
+  let(:disabled_cred) do
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: username_disabled,
+        private: password_disabled
+    )
+  end
+
   let(:res_code) do
     200
   end
@@ -102,7 +118,6 @@
 
     before :each do
       allow_any_instance_of(Rex::Proto::Http::Client).to receive(:send_recv) do |req|
-        p "#{req.opts['uri']}"
         if req.opts['uri'] && req.opts['uri'].include?('j_security_check') &&
             req.opts['data'] &&
             req.opts['data'].include?("j_username=#{username}") &&
@@ -136,26 +151,52 @@
   end
 
   context '#try_glassfish_3' do
+
+    let(:login_ok_message) do
+      '<title>Deploy Enterprise Applications/Modules</title>'
+    end
+
+    before :each do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:send_recv) do |req|
+        if req.opts['uri'] && req.opts['uri'].include?('j_security_check') &&
+            req.opts['data'] &&
+            req.opts['data'].include?("j_username=#{username}") &&
+            req. opts['data'].include?("j_password=#{password}")
+          res = Rex::Proto::Http::Response.new(302)
+          res.headers['Location'] = '/common/applications/uploadFrame.jsf'
+          res.headers['Set-Cookie'] = 'JSESSIONID=GOODSESSIONID'
+          res
+        elsif req.opts['uri'] && req.opts['uri'].include?('j_security_check') &&
+            req.opts['data'] &&
+            req.opts['data'].include?("j_username=#{username_disabled}") &&
+            req. opts['data'].include?("j_password=#{password_disabled}")
+          res = Rex::Proto::Http::Response.new(200)
+          res.body = 'Secure Admin must be enabled'
+        elsif req.opts['uri'] && req.opts['uri'].include?('j_security_check')
+          res = Rex::Proto::Http::Response.new(200)
+          res.body = 'bad login'
+        elsif req.opts['uri'] &&
+            req.opts['uri'].include?('/common/applications/uploadFrame.jsf')
+          res = Rex::Proto::Http::Response.new(200)
+          res.body = '<title>Deploy Applications or Modules'
+        else
+          res = Rex::Proto::Http::Response.new(404)
+        end
+
+        res
+      end
+    end
+
     it 'returns status Metasploit::Model::Login::Status::SUCCESSFUL for a valid credential' do
-      good_auth_res = Rex::Proto::Http::Response.new(302)
-      good_res = Rex::Proto::Http::Response.new(200)
-      good_res.stub(:body).and_return('<title>Deploy Applications or Modules</title>')
-      http_scanner.should_receive(:try_login).with(cred).and_return(good_auth_res)
-      http_scanner.should_receive(:send_request).with(kind_of(Hash)).and_return(good_res)
       http_scanner.try_glassfish_3(cred)[:status].should eq(Metasploit::Model::Login::Status::SUCCESSFUL)
     end
 
     it 'returns status Metasploit::Model::Login::Status::SUCCESSFUL based on a disabled remote admin message' do
-      good_auth_res = Rex::Proto::Http::Response.new(200)
-      good_auth_res.stub(:body).and_return('Secure Admin must be enabled')
-      http_scanner.should_receive(:try_login).with(cred).and_return(good_auth_res)
-      http_scanner.try_glassfish_3(cred)[:status].should eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+      http_scanner.try_glassfish_3(disabled_cred)[:status].should eq(Metasploit::Model::Login::Status::SUCCESSFUL)
     end
 
     it 'returns status Metasploit::Model::Login::Status::INCORRECT for an invalid credential' do
-      bad_auth_res = Rex::Proto::Http::Response.new(200)
-      http_scanner.should_receive(:try_login).with(cred).and_return(bad_auth_res)
-      http_scanner.try_glassfish_3(cred)[:status].should eq(Metasploit::Model::Login::Status::INCORRECT)
+      http_scanner.try_glassfish_3(bad_cred)[:status].should eq(Metasploit::Model::Login::Status::INCORRECT)
     end
   end
 
