| author | azul <azul@leap.se> | 2014-07-21 10:36:22 +0200 | 
|---|---|---|
| committer | azul <azul@leap.se> | 2014-07-21 10:36:22 +0200 | 
| commit | 791033d4a3021cc0a476a514667b17a6d519aa89 (patch) | |
| tree | 650d0dff3c8f4ee77efdd237087df7c10b60cf8c | |
| parent | bbd41c9bfd2cb88a88d7436dd58a8b46a5d10cf1 (diff) | |
| parent | 11d1efaef622335fe6d45917ce0b50a02e4a24a1 (diff) | |
Merge pull request #181 from azul/feature/allow_anonymous_config_access
Allow fetching configs if anonymous EIP access is allowed
| -rw-r--r-- | app/controllers/v1/configs_controller.rb | 6 | ||||
| -rw-r--r-- | features/step_definitions/auth_steps.rb | 17 | ||||
| -rw-r--r-- | features/step_definitions/config_steps.rb | 10 | ||||
| -rw-r--r-- | features/support/hooks.rb | 6 | ||||
| -rw-r--r-- | features/unauthenticated.feature | 15 | 
5 files changed, 51 insertions, 3 deletions
diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb
index accdf5a..9c01605 100644
--- a/app/controllers/v1/configs_controller.rb
+++ b/app/controllers/v1/configs_controller.rb
@@ -1,7 +1,7 @@
 class V1::ConfigsController < ApiController
   include ControllerExtension::JsonFile
-  before_filter :require_login
+  before_filter :require_login, :unless => :anonymous_certs_allowed?
   before_filter :sanitize_filename, only: :show
   before_filter :fetch_file, only: :show
@@ -21,6 +21,10 @@ class V1::ConfigsController < ApiController
   protected
+  def anonymous_certs_allowed?
+    APP_CONFIG[:allow_anonymous_certs]
+  end
+
   def service_paths
     Hash[SERVICES.map{|k,v| [k,"/1/configs/#{v}"] } ]
   end
diff --git a/features/step_definitions/auth_steps.rb b/features/step_definitions/auth_steps.rb
index 00d9004..e75455a 100644
--- a/features/step_definitions/auth_steps.rb
+++ b/features/step_definitions/auth_steps.rb
@@ -1,6 +1,21 @@
-
 Given /^I authenticated$/ do
   @user = FactoryGirl.create(:user)
   @my_auth_token = Token.create user_id: @user.id
 end
+Given /^I am not logged in$/ do
+  @my_auth_token = nil
+end
+
+When /^I send requests to these endpoints:$/ do |endpoints|
+  @endpoints = endpoints.rows_hash
+end
+
+Then /^they should require authentication$/ do
+  @endpoints.each do |type, path|
+    opts = {method: type.downcase.to_sym}
+    request path, opts
+    assert_equal 401, last_response.status,
+      "Expected #{type} #{path} to require authentication."
+  end
+end
diff --git a/features/step_definitions/config_steps.rb b/features/step_definitions/config_steps.rb
index 50ae829..70ff1aa 100644
--- a/features/step_definitions/config_steps.rb
+++ b/features/step_definitions/config_steps.rb
@@ -4,3 +4,13 @@ Given /the provider config is:$/ do |config|
   @tempfile.close
   StaticConfigController::PROVIDER_JSON = @tempfile.path
 end
+
+# use with @config tag so the config changes are reverted after the scenario
+Given /^"([^"]*)" is (enabled|disabled|"[^"]") in the config$/ do |key, value|
+  value = case value
+          when 'disabled' then false
+          when 'enabled' then true
+          else value.gsub('"', '')
+          end
+  APP_CONFIG.merge! key => value
+end
diff --git a/features/support/hooks.rb b/features/support/hooks.rb
index f11e602..f2e3b41 100644
--- a/features/support/hooks.rb
+++ b/features/support/hooks.rb
@@ -5,6 +5,12 @@ After '@tempfile' do
   end
 end
+Around '@config' do |scenario, block|
+  old_config = APP_CONFIG.dup
+  block.call
+  APP_CONFIG.replace old_config
+end
+
 # store end of server log for failing scenarios
 After do |scenario|
   if scenario.failed?
diff --git a/features/unauthenticated.feature b/features/unauthenticated.feature
index 120274b..870adb1 100644
--- a/features/unauthenticated.feature
+++ b/features/unauthenticated.feature
@@ -21,9 +21,22 @@ Feature: Unauthenticated API endpoints
       {"config": "me"}
       """
-  Scenario: Authentication required for all other API endpoints
+  @config
+  Scenario: Fetch configs when anonymous certs are allowed
+    Given "allow_anonymous_certs" is enabled in the config
+    When I send a GET request to "/1/configs.json"
+    Then the response status should be "200"
+
+  Scenario: Authentication required response
     When I send a GET request to "/1/configs"
     Then the response status should be "401"
     And the response should have "error" with "not_authorized_login"
     And the response should have "message"
+  Scenario: Authentication required for all other API endpoints (incomplete)
+    Given I am not logged in
+    When I send requests to these endpoints:
+      |  GET   | /1/configs                |
+      |  GET   | /1/configs/config_id.json |
+      | DELETE | /1/logout                 |
+    Then they should require authentication
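Review bot: `anonymous_certs_allowed?` in the second hunk of configs_controller.rb returns the raw `APP_CONFIG[:allow_anonymous_certs]` value, so any non-nil, non-false value — including a string such as `"false"` if the config is loaded from YAML or the environment as text — would skip `require_login` on every action of this controller. Because this predicate alone decides whether the configs endpoints are served without authentication, compare against an explicit boolean: `APP_CONFIG[:allow_anonymous_certs] == true`. A one-line comment above the method, `# Configs are served without login only when the deployment opts into anonymous EIP access`, would also record why the first hunk's filter is conditional. How APP_CONFIG is populated is outside this diff, so the string-value concern is inferred rather than observed.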
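Review bot: `endpoints.rows_hash` in the `I send requests to these endpoints:` step keys the table by its first column, so rows sharing an HTTP method collapse into one and only the last is checked; the table in features/unauthenticated.feature has two GET rows, so `/1/configs` is silently dropped by `they should require authentication`. Keep the rows as a list instead: `@endpoints = endpoints.raw` — the `each do |type, path|` destructuring still works on two-column rows. The `I am not logged in` step only clears `@my_auth_token`; if the `request` helper also carries a session or cookie, that alone may not represent an anonymous client, but the helper is outside the diff.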
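Review bot: the alternation `"[^"]"` in the new step regex matches only a single quoted character, so a value like `"some value"` does not match and the step is undefined for any multi-character quoted value; the `else value.gsub('"', '')` branch only ever sees one-character strings. Change the pattern to `(enabled|disabled|"[^"]*")`. Separately, `APP_CONFIG.merge! key => value` stores a String key while configs_controller.rb reads `APP_CONFIG[:allow_anonymous_certs]` with a Symbol; that lines up only if APP_CONFIG is indifferent-access, which is not visible here, and otherwise the `@config` scenario would get a 401 — worth confirming, though it would not fail silently.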
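Review bot: the `Around '@config'` hook restores APP_CONFIG only when `block.call` returns normally; wrap it as `begin; block.call; ensure; APP_CONFIG.replace old_config; end` so an exception cannot leak a modified config — such as `allow_anonymous_certs` left enabled — into later scenarios, where it would mask authentication failures. `APP_CONFIG.dup` is a shallow copy, which is enough for `merge!` replacing top-level keys as config_steps.rb does, but nested values mutated in place would not be reverted; a comment `# shallow copy: only top-level keys are restored` would make that limit explicit. The unused `scenario` block parameter can be written `_scenario`.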
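Review bot: the new `@config` scenario shows the flag opens `/1/configs.json`, but nothing in the feature asserts that `disabled` closes it again or that the flag is off by default; `Authentication required response` relies on whatever APP_CONFIG the test environment ships with. A tagged counterpart scenario that sets `"allow_anonymous_certs" is disabled in the config`, requests `/1/configs.json` and expects status `"401"` would pin the authorization decision to the flag rather than to ambient configuration. The `(incomplete)` suffix on the last scenario title should either list what is missing in a comment or be dropped once the endpoint table is considered final.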
