summaryrefslogtreecommitdiff
path: root/test/integration/api
diff options
context:
space:
mode:
authorAzul <azul@leap.se>2014-05-16 08:42:36 +0200
committerAzul <azul@leap.se>2014-05-16 08:42:36 +0200
commit8fbbb8717f0578536b97c2dc0883c632f120e976 (patch)
tree17aeb2b48ada703ac916a9a65fbf3c75a5dadb86 /test/integration/api
parent81555ec6244ed76f92e3629880f68104b8705817 (diff)
parenta4f7a410c536d88c91c834cab6ee950c71005ddd (diff)
Merge remote-tracking branch 'origin/develop'
Conflicts: app/assets/javascripts/srp test/nagios/soledad_sync.py test/nagios/webapp_login.py
Diffstat (limited to 'test/integration/api')
-rw-r--r--test/integration/api/Readme.md23
-rw-r--r--test/integration/api/login_test.rb50
-rw-r--r--test/integration/api/pgp_key_test.rb35
-rwxr-xr-xtest/integration/api/python/flow_with_srp.py96
-rwxr-xr-xtest/integration/api/python/login_wrong_username.py19
-rwxr-xr-xtest/integration/api/python/signup.py20
-rwxr-xr-xtest/integration/api/python/signup_and_login.py44
-rwxr-xr-xtest/integration/api/python/signup_and_login_wrong_password.py43
-rwxr-xr-xtest/integration/api/python/umlauts.py79
-rw-r--r--test/integration/api/signup_test.rb20
-rw-r--r--test/integration/api/srp_test.rb105
-rw-r--r--test/integration/api/update_account_test.rb51
12 files changed, 585 insertions, 0 deletions
diff --git a/test/integration/api/Readme.md b/test/integration/api/Readme.md
new file mode 100644
index 0000000..04363bd
--- /dev/null
+++ b/test/integration/api/Readme.md
@@ -0,0 +1,23 @@
+API tests
+==========
+
+
+Testing the restful api from a simple python client as that's what we'll be using.
+
+This test so far mostly demoes the API. We have no SRP calc in there.
+
+TODO: keep track of the cookies during login. The server uses the session to keep track of the random numbers A and B.
+
+The output of signup_and_login_wrong_password pretty well describes the SRP API:
+
+```
+POST: http://localhost:9292/users.json
+ {"user[password_salt]": "54321", "user[password_verifier]": "12345", "user[login]": "SWQ055"}
+ -> {"password_salt":"54321","login":"SWQ055"}
+POST: http://localhost:9292/sessions
+ {"A": "12345", "login": "SWQ055"}
+ -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"}
+PUT: http://localhost:9292/sessions/SWQ055
+ {"M": "123ABC"}
+ -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]}
+```
diff --git a/test/integration/api/login_test.rb b/test/integration/api/login_test.rb
new file mode 100644
index 0000000..92d153f
--- /dev/null
+++ b/test/integration/api/login_test.rb
@@ -0,0 +1,50 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class LoginTest < SrpTest
+
+ setup do
+ register_user
+ end
+
+ test "requires handshake before validation" do
+ validate("bla")
+ assert_json_error login: I18n.t(:all_strategies_failed)
+ end
+
+ test "login with srp" do
+ authenticate
+ assert_equal ["M2", "id", "token"], server_auth.keys
+ assert last_response.successful?
+ assert_nil server_auth["errors"]
+ assert server_auth["M2"]
+ end
+
+ test "wrong password login attempt" do
+ authenticate password: "wrong password"
+ assert_json_error "base" => "Not a valid username/password combination"
+ assert !last_response.successful?
+ assert_nil server_auth["M2"]
+ end
+
+ test "wrong username login attempt" do
+ assert_raises RECORD_NOT_FOUND do
+ authenticate login: "wrong login"
+ end
+ assert_json_error "base" => "Not a valid username/password combination"
+ assert !last_response.successful?
+ assert_nil server_auth
+ end
+
+ test "logout" do
+ authenticate
+ logout
+ assert_equal 204, last_response.status
+ end
+
+ test "logout requires token" do
+ authenticate
+ logout(nil, {})
+ assert_equal 422, last_response.status
+ end
+end
diff --git a/test/integration/api/pgp_key_test.rb b/test/integration/api/pgp_key_test.rb
new file mode 100644
index 0000000..4c7fb4c
--- /dev/null
+++ b/test/integration/api/pgp_key_test.rb
@@ -0,0 +1,35 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class PgpKeyTest < SrpTest
+
+ setup do
+ # todo: prepare user and login without doing the srp dance
+ register_user
+ authenticate
+ end
+
+ test "upload pgp key" do
+ update_user public_key: key
+ assert_equal key, Identity.for(@user).keys[:pgp]
+ end
+
+ # eventually probably want to remove most of this into a non-integration
+ # functional test
+ test "prevent uploading invalid key" do
+ update_user public_key: "invalid key"
+ assert_nil Identity.for(@user).keys[:pgp]
+ end
+
+ test "prevent emptying public key" do
+ update_user public_key: key
+ update_user public_key: ""
+ assert_equal key, Identity.for(@user).keys[:pgp]
+ end
+
+ protected
+
+ def key
+ @key ||= FactoryGirl.build :pgp_key
+ end
+end
diff --git a/test/integration/api/python/flow_with_srp.py b/test/integration/api/python/flow_with_srp.py
new file mode 100755
index 0000000..9fc168b
--- /dev/null
+++ b/test/integration/api/python/flow_with_srp.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+# under development
+
+import requests
+import json
+import string
+import random
+import srp._pysrp as srp
+import binascii
+
+safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x)
+
+# using globals for now
+# server = 'https://dev.bitmask.net/1'
+server = 'http://api.lvh.me:3000/1'
+
+def run_tests():
+ login = 'test_' + id_generator()
+ password = id_generator() + id_generator()
+ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
+ print_and_parse(signup(login, password))
+
+ auth = print_and_parse(authenticate(usr))
+ verify_or_debug(auth, usr)
+ assert usr.authenticated()
+
+ usr = change_password(auth['id'], login, auth['token'])
+
+ auth = print_and_parse(authenticate(usr))
+ verify_or_debug(auth, usr)
+ # At this point the authentication process is complete.
+ assert usr.authenticated()
+
+# let's have some random name
+def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+# log the server communication
+def print_and_parse(response):
+ request = response.request
+ print request.method + ': ' + response.url
+ if hasattr(request, 'data'):
+ print " " + json.dumps(response.request.data)
+ print " -> " + response.text
+ try:
+ return json.loads(response.text)
+ except ValueError:
+ return None
+
+def signup(login, password):
+ salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+ user_params = {
+ 'user[login]': login,
+ 'user[password_verifier]': binascii.hexlify(vkey),
+ 'user[password_salt]': binascii.hexlify(salt)
+ }
+ return requests.post(server + '/users.json', data = user_params, verify = False)
+
+def change_password(user_id, login, token):
+ password = id_generator() + id_generator()
+ salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+ user_params = {
+ 'user[password_verifier]': binascii.hexlify(vkey),
+ 'user[password_salt]': binascii.hexlify(salt)
+ }
+ auth_headers = { 'Authorization': 'Token token="' + token + '"'}
+ print user_params
+ print_and_parse(requests.put(server + '/users/' + user_id + '.json', data = user_params, verify = False, headers = auth_headers))
+ return srp.User( login, password, srp.SHA256, srp.NG_1024 )
+
+
+def authenticate(usr):
+ session = requests.session()
+ uname, A = usr.start_authentication()
+ params = {
+ 'login': uname,
+ 'A': binascii.hexlify(A)
+ }
+ init = print_and_parse(session.post(server + '/sessions', data = params, verify=False))
+ M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) )
+ return session.put(server + '/sessions/' + uname, verify = False,
+ data = {'client_auth': binascii.hexlify(M)})
+
+def verify_or_debug(auth, usr):
+ if ( 'errors' in auth ):
+ print ' u = "%x"' % usr.u
+ print ' x = "%x"' % usr.x
+ print ' v = "%x"' % usr.v
+ print ' S = "%x"' % usr.S
+ print ' K = "' + binascii.hexlify(usr.K) + '"'
+ print ' M = "' + binascii.hexlify(usr.M) + '"'
+ else:
+ usr.verify_session( safe_unhexlify(auth["M2"]) )
+
+run_tests()
diff --git a/test/integration/api/python/login_wrong_username.py b/test/integration/api/python/login_wrong_username.py
new file mode 100755
index 0000000..390f250
--- /dev/null
+++ b/test/integration/api/python/login_wrong_username.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+params = {
+ 'login': 'python_test_user_'+id_generator(),
+ 'A': '12345',
+ }
+r = requests.post(server + '/sessions', data = params)
+print r.url
+print r.text
diff --git a/test/integration/api/python/signup.py b/test/integration/api/python/signup.py
new file mode 100755
index 0000000..0d3a4e0
--- /dev/null
+++ b/test/integration/api/python/signup.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+user_params = {
+ 'user[login]': 'python_test_user_'+id_generator(),
+ 'user[password_verifier]': '12345',
+ 'user[password_salt]': '54321'
+ }
+r = requests.post(server + '/users.json', data = user_params)
+print r.url
+print r.text
diff --git a/test/integration/api/python/signup_and_login.py b/test/integration/api/python/signup_and_login.py
new file mode 100755
index 0000000..ac611d7
--- /dev/null
+++ b/test/integration/api/python/signup_and_login.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+# FAILS
+#
+# This test is currently failing for me because the session is not kept.
+# Played with it a bunch - is probably messed up right now as well.
+
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+def print_and_parse(response):
+ print response.request.method + ': ' + response.url
+ print " " + json.dumps(response.request.data)
+ print " -> " + response.text
+ return json.loads(response.text)
+
+def signup(session):
+ user_params = {
+ 'user[login]': id_generator(),
+ 'user[password_verifier]': '12345',
+ 'user[password_salt]': 'AB54321'
+ }
+ return session.post(server + '/users.json', data = user_params)
+
+def authenticate(session, login):
+ params = {
+ 'login': login,
+ 'A': '12345',
+ }
+ init = print_and_parse(session.post(server + '/sessions', data = params))
+ return session.put(server + '/sessions/' + login, data = {'client_auth': '123'})
+
+session = requests.session()
+user = print_and_parse(signup(session))
+# SRP signup would happen here and calculate M hex
+auth = print_and_parse(authenticate(session, user['login']))
diff --git a/test/integration/api/python/signup_and_login_wrong_password.py b/test/integration/api/python/signup_and_login_wrong_password.py
new file mode 100755
index 0000000..9efffa1
--- /dev/null
+++ b/test/integration/api/python/signup_and_login_wrong_password.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:9292'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+def print_and_parse(response):
+ print response.request.method + ': ' + response.url
+ print " " + json.dumps(response.request.data)
+ print " -> " + response.text
+# print " () " + json.dumps(requests.utils.dict_from_cookiejar(response.cookies))
+ return json.loads(response.text)
+
+def signup():
+ user_params = {
+ 'user[login]': id_generator(),
+ 'user[password_verifier]': '12345',
+ 'user[password_salt]': '54321'
+ }
+ return requests.post(server + '/users.json', data = user_params)
+
+def handshake(login):
+ params = {
+ 'login': login,
+ 'A': '12345',
+ }
+ return requests.post(server + '/sessions', data = params)
+
+def authenticate(login, M):
+ return requests.put(server + '/sessions/' + login, data = {'M': M})
+
+
+user = print_and_parse(signup())
+handshake = print_and_parse(handshake(user['login']))
+# SRP signup would happen here and calculate M hex
+M = '123ABC'
+auth = print_and_parse(authenticate(user['login'], M))
diff --git a/test/integration/api/python/umlauts.py b/test/integration/api/python/umlauts.py
new file mode 100755
index 0000000..96fecbf
--- /dev/null
+++ b/test/integration/api/python/umlauts.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+# under development
+
+import requests
+import json
+import string
+import random
+import srp._pysrp as srp
+import binascii
+
+safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x)
+
+# using globals for now
+# server = 'https://dev.bitmask.net/1'
+server = 'http://api.lvh.me:3000/1'
+
+def run_tests():
+ login = 'test_' + id_generator()
+ password = id_generator() + "äöì" + id_generator()
+ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
+ print_and_parse(signup(login, password))
+
+ auth = print_and_parse(authenticate(usr))
+ verify_or_debug(auth, usr)
+ assert usr.authenticated()
+
+
+# let's have some random name
+def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+# log the server communication
+def print_and_parse(response):
+ request = response.request
+ print request.method + ': ' + response.url
+ if hasattr(request, 'data'):
+ print " " + json.dumps(response.request.data)
+ print " -> " + response.text
+ try:
+ return json.loads(response.text)
+ except ValueError:
+ return None
+
+def signup(login, password):
+ salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+ user_params = {
+ 'user[login]': login,
+ 'user[password_verifier]': binascii.hexlify(vkey),
+ 'user[password_salt]': binascii.hexlify(salt)
+ }
+ print json.dumps(user_params)
+ return requests.post(server + '/users.json', data = user_params, verify = False)
+
+def authenticate(usr):
+ session = requests.session()
+ uname, A = usr.start_authentication()
+ params = {
+ 'login': uname,
+ 'A': binascii.hexlify(A)
+ }
+ init = print_and_parse(session.post(server + '/sessions', data = params, verify=False))
+ M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) )
+ return session.put(server + '/sessions/' + uname, verify = False,
+ data = {'client_auth': binascii.hexlify(M)})
+
+def verify_or_debug(auth, usr):
+ if ( 'errors' in auth ):
+ print ' u = "%x"' % usr.u
+ print ' x = "%x"' % usr.x
+ print ' v = "%x"' % usr.v
+ print ' S = "%x"' % usr.S
+ print ' K = "' + binascii.hexlify(usr.K) + '"'
+ print ' M = "' + binascii.hexlify(usr.M) + '"'
+ else:
+ usr.verify_session( safe_unhexlify(auth["M2"]) )
+
+run_tests()
diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb
new file mode 100644
index 0000000..236c547
--- /dev/null
+++ b/test/integration/api/signup_test.rb
@@ -0,0 +1,20 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class SignupTest < SrpTest
+
+ setup do
+ register_user
+ end
+
+ test "signup response" do
+ assert_json_response :login => @login, :ok => true
+ assert last_response.successful?
+ end
+
+ test "signup creates user" do
+ assert @user
+ assert_equal @login, @user.login
+ end
+end
+
diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb
new file mode 100644
index 0000000..26adc8c
--- /dev/null
+++ b/test/integration/api/srp_test.rb
@@ -0,0 +1,105 @@
+class SrpTest < RackTest
+ include AssertResponses
+
+ teardown do
+ if @user
+ cleanup_user
+ end
+ Warden.test_reset!
+ end
+
+ # this test wraps the api and implements the interface the ruby-srp client.
+ def handshake(login, aa)
+ post "http://api.lvh.me:3000/1/sessions.json",
+ :login => login,
+ 'A' => aa,
+ :format => :json
+ response = JSON.parse(last_response.body)
+ if response['errors']
+ raise RECORD_NOT_FOUND.new(response['errors'])
+ else
+ return response['B']
+ end
+ end
+
+ def validate(m)
+ put "http://api.lvh.me:3000/1/sessions/" + @login + '.json',
+ :client_auth => m,
+ :format => :json
+ return JSON.parse(last_response.body)
+ end
+
+ protected
+
+ attr_reader :server_auth
+
+ def register_user(login = "integration_test_user", password = 'srp, verify me!')
+ cleanup_user(login)
+ post 'http://api.lvh.me:3000/1/users.json',
+ user_params(login: login, password: password)
+ @user = User.find_by_login(login)
+ @login = login
+ @password = password
+ end
+
+ def update_user(params)
+ put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+ user_params(params),
+ auth_headers
+ end
+
+ def authenticate(params = nil)
+ @server_auth = srp(params).authenticate(self)
+ end
+
+ def auth_headers
+ return {} if @server_auth.nil?
+ {
+ "HTTP_AUTHORIZATION" => encoded_token
+ }
+ end
+
+ def encoded_token
+ ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"])
+ end
+
+ def logout(params=nil, headers=nil)
+ delete "http://api.lvh.me:3000/1/logout.json",
+ params || {format: :json},
+ headers || auth_headers
+ end
+
+ def cleanup_user(login = nil)
+ login ||= @user.login
+ Identity.by_address.key(login + '@' + APP_CONFIG[:domain]).each do |identity|
+ identity.destroy
+ end
+ if user = User.find_by_login(login)
+ user.destroy
+ end
+ end
+
+ def user_params(params)
+ if params.keys.include?(:password)
+ srp_process_password(params)
+ end
+ return { user: params, format: :json }
+ end
+
+ def srp_process_password(params)
+ params.reverse_merge! login: @login, salt: @salt
+ @srp = SRP::Client.new params[:login], password: params.delete(:password)
+ @salt = srp.salt.to_s(16)
+ params.merge! :password_verifier => srp.verifier.to_s(16),
+ :password_salt => @salt
+ end
+
+ def srp(params = nil)
+ if params.nil?
+ @srp
+ else
+ params.reverse_merge! password: @password
+ SRP::Client.new(params.delete(:login) || @login, params)
+ end
+ end
+end
diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb
new file mode 100644
index 0000000..63429e7
--- /dev/null
+++ b/test/integration/api/update_account_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class UpdateAccountTest < SrpTest
+
+ setup do
+ register_user
+ end
+
+ test "require authentication" do
+ update_user password: "No! Verify me instead."
+ assert_access_denied
+ end
+
+ test "require token" do
+ authenticate
+ put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+ user_params(password: "No! Verify me instead.")
+ assert_access_denied
+ end
+
+ test "update password via api" do
+ authenticate
+ update_user password: "No! Verify me instead."
+ authenticate
+ assert last_response.successful?
+ assert_nil server_auth["errors"]
+ assert server_auth["M2"]
+ end
+
+ test "change login with password_verifier" do
+ authenticate
+ new_login = 'zaph'
+ cleanup_user new_login
+ update_user login: new_login, password: @password
+ authenticate
+ assert last_response.successful?
+ assert_equal new_login, @user.reload.login
+ end
+
+ test "prevent changing login without changing password_verifier" do
+ authenticate
+ original_login = @user.login
+ new_login = 'zaph'
+ cleanup_user new_login
+ update_user login: new_login
+ assert last_response.successful?
+ # does not change login if no password_verifier is present
+ assert_equal original_login, @user.reload.login
+ end
+end