From 28b5eef7793a477c1cca064a4731b61da869eb36 Mon Sep 17 00:00:00 2001
From: Grant Burgess <grantrburgess@outlook.com>
Date: Fri, 10 Jan 2020 14:45:14 +1000
Subject: [PATCH] Tests to cover Admin UI access

---
 spec/beef/extensions/adminui_spec.rb | 46 ++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 spec/beef/extensions/adminui_spec.rb

diff --git a/spec/beef/extensions/adminui_spec.rb b/spec/beef/extensions/adminui_spec.rb
new file mode 100644
index 000000000..72ec66057
--- /dev/null
+++ b/spec/beef/extensions/adminui_spec.rb
@@ -0,0 +1,46 @@
+# 
+# Tests for handling access to the Admin UI
+# 
+
+require 'extensions/admin_ui/classes/httpcontroller'
+require 'extensions/admin_ui/controllers/authentication/authentication'
+
+RSpec.describe 'BeEF Extension AdminUI' do
+  before(:all) do
+    @config = BeEF::Core::Configuration.instance
+  end
+
+  it 'loads configuration' do
+    expect(@config.get('beef.restrictions')).to have_key('permitted_ui_subnet')
+  end
+
+  it 'confirms that any ip address is permitted to view the admin ui' do
+    ui = BeEF::Extension::AdminUI::HttpController.new
+    expect(@config.set('beef.restrictions.permitted_ui_subnet',["0.0.0.0/0", "::/0"])).to eq true
+    expect(ui.authenticate_request("8.8.8.8")).to eq true
+  end
+
+  it 'confirms that an ip address is permitted to view the admin ui' do
+    ui = BeEF::Extension::AdminUI::HttpController.new
+    expect(@config.set('beef.restrictions.permitted_ui_subnet',["192.168.10.1"])).to eq true
+    expect(ui.authenticate_request("192.168.10.1")).to eq true
+  end
+
+  it 'confirms that an ip address is not permitted to view the admin ui' do
+    ui = BeEF::Extension::AdminUI::HttpController.new
+    expect(@config.set('beef.restrictions.permitted_ui_subnet',["10.10.10.1"])).to eq true
+    expect(ui.authenticate_request("8.8.8.8")).to eq false
+  end
+
+  it 'confirms that X-Forwarded-For cant be spoofed when reverse proxy is disabled' do
+    ui = BeEF::Extension::AdminUI::HttpController.new
+    expect(@config.set('beef.restrictions.permitted_ui_subnet',["192.168.0.10"])).to eq true
+    expect(@config.set('beef.http.allow_reverse_proxy',false)).to eq true
+    env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/ui/authentication" }
+    request = Rack::Request.new(env) 
+    request.add_header("HTTP_X_FORWARDED_FOR","192.168.0.10")
+    request.add_header("REMOTE_ADDR","192.168.0.20")
+    expect(ui.get_ip(request)).to eq "192.168.0.20"
+  end
+
+end
\ No newline at end of file