Merge pull request #176 from azul/feature/api-authenticated-configs

API: Authenticated access to config settings

9 files changed, 318 insertions, 0 deletions

diff --git a/features/authentication.feature b/features/authentication.feature
new file mode 100644
index 0000000..52b562f
--- /dev/null
+++ b/features/authentication.feature
@@ -0,0 +1,24 @@
+Feature: Authentication
+
+  Authentication is handled with SRP. Once the SRP handshake has been successful a token will be transmitted. This token is used to authenticate further requests.
+
+  In the scenarios MY_AUTH_TOKEN will serve as a placeholder for the actual token received.
+
+  Background:
+    Given I set headers:
+      | Accept        | application/json |
+      | Content-Type  | application/json |
+
+  Scenario: Submitting a valid token
+    Given I authenticated
+    And I set headers:
+      | Authorization | Token token="MY_AUTH_TOKEN" |
+    When I send a GET request to "/1/configs.json"
+    Then the response status should be "200"
+
+  Scenario: Submitting an invalid token
+    Given I authenticated
+    And I set headers:
+      | Authorization | Token token="InvalidToken" |
+    When I send a GET request to "/1/configs.json"
+    Then the response status should be "401"
diff --git a/features/config.feature b/features/config.feature
new file mode 100644
index 0000000..6adaed9
--- /dev/null
+++ b/features/config.feature
@@ -0,0 +1,46 @@
+Feature: Download Provider Configuration
+
+  The LEAP Provider exposes parts of its configuration through the API.
+
+  This can be used to find out about services offered. The big picture can be retrieved from `/provider.json`. Which is available without authentication (see unauthenticated.feature).
+  
+  More detailed settings of the services are available after authentication. You can get a list of the available settings from `/1/configs.json`.
+
+  Background:
+    Given I authenticated
+    Given I set headers:
+      | Accept       | application/json |
+      | Content-Type | application/json |
+      | Authorization | Token token="MY_AUTH_TOKEN" |
+
+  @tempfile
+  Scenario: Fetch provider config
+    Given the provider config is:
+      """
+      {"config": "me"}
+      """
+    When I send a GET request to "/provider.json"
+    Then the response status should be "200"
+    And the response should be:
+      """
+      {"config": "me"}
+      """
+
+  Scenario: Missing provider config
+    When I send a GET request to "/provider.json"
+    Then the response status should be "404"
+    And the response should have "error" with "not_found"
+
+  Scenario: Fetch list of available configs
+    When I send a GET request to "/1/configs.json"
+    Then the response status should be "200"
+    And the response should be:
+      """
+      {
+        "services": {
+          "soledad": "/1/configs/soledad-service.json",
+          "eip": "/1/configs/eip-service.json",
+          "smtp": "/1/configs/smtp-service.json"
+        }
+      }
+      """
diff --git a/features/step_definitions/.gitkeep b/features/step_definitions/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/features/step_definitions/.gitkeep
diff --git a/features/step_definitions/api_steps.rb b/features/step_definitions/api_steps.rb
new file mode 100644
index 0000000..a4f369c
--- /dev/null
+++ b/features/step_definitions/api_steps.rb
@@ -0,0 +1,131 @@
+if defined?(Rack)
+
+  # Monkey patch Rack::MockResponse to work properly with response debugging
+  class Rack::MockResponse
+    def to_str
+      body
+    end
+  end
+
+  World(Rack::Test::Methods)
+
+end
+
+Given /^I set headers:$/ do |headers|
+  headers.rows_hash.each do |key,value|
+    value.sub!('MY_AUTH_TOKEN', @my_auth_token.to_s) if @my_auth_token
+    header key, value
+  end
+end
+
+Given /^I send and accept (XML|JSON)$/ do |type|
+  header 'Accept', "application/#{type.downcase}"
+  header 'Content-Type', "application/#{type.downcase}"
+end
+
+Given /^I send and accept HTML$/ do
+  header 'Accept', "text/html"
+  header 'Content-Type', "application/x-www-form-urlencoded"
+end
+
+When /^I authenticate as the user "([^"]*)" with the password "([^"]*)"$/ do |user, pass|
+  authorize user, pass
+end
+
+When /^I digest\-authenticate as the user "(.*?)" with the password "(.*?)"$/ do |user, pass|
+  digest_authorize user, pass
+end
+
+When /^I send a (GET|POST|PUT|DELETE) request (?:for|to) "([^"]*)"(?: with the following:)?$/ do |*args|
+  request_type = args.shift
+  path = args.shift
+  input = args.shift
+
+  request_opts = {method: request_type.downcase.to_sym}
+
+  unless input.nil?
+    if input.class == Cucumber::Ast::Table
+      request_opts[:params] = input.rows_hash
+    else
+      request_opts[:input] = input
+    end
+  end
+
+  request path, request_opts
+end
+
+Then /^show me the (unparsed)?\s?response$/ do |unparsed|
+  if unparsed == 'unparsed'
+    puts last_response.body
+  elsif last_response.headers['Content-Type'] =~ /json/
+    json_response = JSON.parse(last_response.body)
+    puts JSON.pretty_generate(json_response)
+  else
+    puts last_response.headers
+    puts last_response.body
+  end
+end
+
+Then /^the response status should be "([^"]*)"$/ do |status|
+  if self.respond_to? :should
+    last_response.status.should == status.to_i
+  else
+    assert_equal status.to_i, last_response.status
+  end
+end
+
+Then /^the response should (not)?\s?have "([^"]*)"$/ do |negative, key|
+  json    = JSON.parse(last_response.body)
+  if self.respond_to?(:should)
+    if negative.present?
+      json[key].should be_blank
+    else
+      json[key].should be_present
+    end
+  else
+    if negative.present?
+      assert json[key].blank?
+    else
+      assert json[key].present?
+    end
+  end
+end
+
+
+Then /^the response should (not)?\s?have "([^"]*)" with(?: the text)? "([^"]*)"$/ do |negative, key, text|
+  json    = JSON.parse(last_response.body)
+  if self.respond_to?(:should)
+    if negative.present?
+      json[key].should_not == text
+    else
+      results.should == text
+    end
+  else
+    if negative.present?
+      assert ! json[key] == text
+    else
+      assert_equal text, json[key]
+    end
+  end
+end
+
+Then /^the response should be:$/ do |json|
+  expected = JSON.parse(json)
+  actual = JSON.parse(last_response.body)
+
+  if self.respond_to?(:should)
+    actual.should == expected
+  else
+    assert_equal expected, actual
+  end
+end
+
+Then /^the response should have "([^"]*)" with a length of (\d+)$/ do |json_path, length|
+  json = JSON.parse(last_response.body)
+  results = JsonPath.new(json_path).on(json)
+  if self.respond_to?(:should)
+    results.length.should == length.to_i
+  else
+    assert_equal length.to_i, results.length
+  end
+end
diff --git a/features/step_definitions/auth_steps.rb b/features/step_definitions/auth_steps.rb
new file mode 100644
index 0000000..00d9004
--- /dev/null
+++ b/features/step_definitions/auth_steps.rb
@@ -0,0 +1,6 @@
+
+Given /^I authenticated$/ do
+  @user = FactoryGirl.create(:user)
+  @my_auth_token = Token.create user_id: @user.id
+end
+
diff --git a/features/step_definitions/config_steps.rb b/features/step_definitions/config_steps.rb
new file mode 100644
index 0000000..50ae829
--- /dev/null
+++ b/features/step_definitions/config_steps.rb
@@ -0,0 +1,6 @@
+Given /the provider config is:$/ do |config|
+  @tempfile = Tempfile.new('provider.json')
+  @tempfile.write config
+  @tempfile.close
+  StaticConfigController::PROVIDER_JSON = @tempfile.path
+end
diff --git a/features/support/env.rb b/features/support/env.rb
new file mode 100644
index 0000000..d3067db
--- /dev/null
+++ b/features/support/env.rb
@@ -0,0 +1,58 @@
+# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
+# It is recommended to regenerate this file in the future when you upgrade to a
+# newer version of cucumber-rails. Consider adding your own code to a new file
+# instead of editing this one. Cucumber will automatically load all features/**/*.rb
+# files.
+
+require 'cucumber/rails'
+
+# Capybara defaults to CSS3 selectors rather than XPath.
+# If you'd prefer to use XPath, just uncomment this line and adjust any
+# selectors in your step definitions to use the XPath syntax.
+# Capybara.default_selector = :xpath
+
+# By default, any exception happening in your Rails application will bubble up
+# to Cucumber so that your scenario will fail. This is a different from how
+# your application behaves in the production environment, where an error page will
+# be rendered instead.
+#
+# Sometimes we want to override this default behaviour and allow Rails to rescue
+# exceptions and display an error page (just like when the app is running in production).
+# Typical scenarios where you want to do this is when you test your error pages.
+# There are two ways to allow Rails to rescue exceptions:
+#
+# 1) Tag your scenario (or feature) with @allow-rescue
+#
+# 2) Set the value below to true. Beware that doing this globally is not
+# recommended as it will mask a lot of errors for you!
+#
+ActionController::Base.allow_rescue = false
+
+# Remove/comment out the lines below if your app doesn't have a database.
+# For some databases (like MongoDB and CouchDB) you may need to use :truncation instead.
+begin
+  #DatabaseCleaner.strategy = :truncation
+rescue NameError
+  raise "You need to add database_cleaner to your Gemfile (in the :test group) if you wish to use it."
+end
+
+# You may also want to configure DatabaseCleaner to use different strategies for certain features and scenarios.
+# See the DatabaseCleaner documentation for details. Example:
+#
+#   Before('@no-txn,@selenium,@culerity,@celerity,@javascript') do
+#     # { :except => [:widgets] } may not do what you expect here
+#     # as Cucumber::Rails::Database.javascript_strategy overrides
+#     # this setting.
+#     DatabaseCleaner.strategy = :truncation
+#   end
+#
+#   Before('~@no-txn', '~@selenium', '~@culerity', '~@celerity', '~@javascript') do
+#     DatabaseCleaner.strategy = :transaction
+#   end
+#
+
+# Possible values are :truncation and :transaction
+# The :transaction strategy is faster, but might give you threading problems.
+# See https://github.com/cucumber/cucumber-rails/blob/master/features/choose_javascript_database_strategy.feature
+Cucumber::Rails::Database.javascript_strategy = :truncation
+
diff --git a/features/support/hooks.rb b/features/support/hooks.rb
new file mode 100644
index 0000000..19928d8
--- /dev/null
+++ b/features/support/hooks.rb
@@ -0,0 +1,18 @@
+After '@tempfile' do
+  if @tempfile
+    @tempfile.close
+    @tempfile.unlink
+  end
+end
+
+After do |scenario|
+  if scenario.failed?
+    logfile_path = Rails.root + 'tmp'
+    logfile_path += "#{scenario.title.gsub(/\s/, '_')}.log"
+    File.open(logfile_path, 'w') do |test_log|
+      test_log.puts scenario.title
+      test_log.puts "========================="
+      test_log.puts `tail log/test.log -n 200`
+    end
+  end
+end
diff --git a/features/unauthenticated.feature b/features/unauthenticated.feature
new file mode 100644
index 0000000..120274b
--- /dev/null
+++ b/features/unauthenticated.feature
@@ -0,0 +1,29 @@
+Feature: Unauthenticated API endpoints
+
+  Most of the LEAP Provider API requires authentication.
+  However there are a few exceptions - mostly prerequisits of authenticating. This feature and the authentication feature document these.
+
+  Background:
+    Given I set headers:
+      | Accept       | application/json |
+      | Content-Type | application/json |
+
+  @tempfile
+  Scenario: Fetch provider config
+    Given the provider config is:
+      """
+      {"config": "me"}
+      """
+    When I send a GET request to "/provider.json"
+    Then the response status should be "200"
+    And the response should be:
+      """
+      {"config": "me"}
+      """
+
+  Scenario: Authentication required for all other API endpoints
+    When I send a GET request to "/1/configs"
+    Then the response status should be "401"
+    And the response should have "error" with "not_authorized_login"
+    And the response should have "message"
+