diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-07-14 15:44:07 +0200 |
---|---|---|
committer | NavaL <ayoyo@thoughtworks.com> | 2016-07-14 15:44:07 +0200 |
commit | e3c2cb91dfef5c39c608b967e702e9de977d1bd2 (patch) | |
tree | 154dc28dd986bd6e0a48e933c5da46994ffaa0cb /test/integration | |
parent | e2f19bcfb6dbce77746c2d61715340525b29a592 (diff) | |
parent | f09e6ec1337962ab279f021a6a6d0ff30479ebe0 (diff) |
Merge branch 'develop' of https://github.com/leapcode/leap_web into feature/expose_admin_in_api
Diffstat (limited to 'test/integration')
-rw-r--r-- | test/integration/api/cert_test.rb | 11 | ||||
-rw-r--r-- | test/integration/api/signup_test.rb | 2 | ||||
-rw-r--r-- | test/integration/api/smtp_cert_test.rb | 14 | ||||
-rw-r--r-- | test/integration/api/srp_test.rb | 18 | ||||
-rw-r--r-- | test/integration/api/token_auth_test.rb (renamed from test/integration/api/token_test.rb) | 4 | ||||
-rw-r--r-- | test/integration/api/update_account_test.rb | 2 | ||||
-rw-r--r-- | test/integration/browser/account_livecycle_test.rb | 114 | ||||
-rw-r--r-- | test/integration/browser/account_livecycle_test.rb.orig (renamed from test/integration/browser/account_test.rb) | 33 | ||||
-rw-r--r-- | test/integration/browser/admin_test.rb | 18 | ||||
-rw-r--r-- | test/integration/browser/password_validation_test.rb | 8 | ||||
-rw-r--r-- | test/integration/browser/security_test.rb | 52 | ||||
-rw-r--r-- | test/integration/locale_path_test.rb | 7 | ||||
-rw-r--r-- | test/integration/navigation_test.rb | 9 |
13 files changed, 233 insertions, 59 deletions
diff --git a/test/integration/api/cert_test.rb b/test/integration/api/cert_test.rb index 772901d..289d3c6 100644 --- a/test/integration/api/cert_test.rb +++ b/test/integration/api/cert_test.rb @@ -5,7 +5,7 @@ class CertTest < ApiIntegrationTest test "retrieve eip cert" do login - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -14,13 +14,13 @@ class CertTest < ApiIntegrationTest end test "fetching certs requires login by default" do - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_login_required end test "retrieve anonymous eip cert" do with_config allow_anonymous_certs: true do - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -28,4 +28,9 @@ class CertTest < ApiIntegrationTest assert_response_includes "END CERTIFICATE" end end + + def cert_url + "/#{api_version}/cert" + end + end diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb index 05a0abe..2e515c1 100644 --- a/test/integration/api/signup_test.rb +++ b/test/integration/api/signup_test.rb @@ -1,4 +1,4 @@ -require_relative '../../test_helper' +require 'test_helper' require_relative 'srp_test' class SignupTest < SrpTest diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index 681d509..53382c1 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb @@ -11,7 +11,7 @@ class SmtpCertTest < ApiIntegrationTest test "retrieve smtp cert" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -22,7 +22,7 @@ class SmtpCertTest < ApiIntegrationTest test "cert and key" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) key = OpenSSL::PKey::RSA.new(get_response.body) @@ -34,7 +34,7 @@ class SmtpCertTest < ApiIntegrationTest test "fingerprint is stored with identity" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') @@ -48,14 +48,18 @@ class SmtpCertTest < ApiIntegrationTest test "fetching smtp certs requires email account" do login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_access_denied end test "no anonymous smtp certs" do with_config allow_anonymous_certs: true do - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_login_required end end + + def smtp_cert_url + "/#{api_version}/smtp_cert" + end end diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb index 463abcd..b9605f9 100644 --- a/test/integration/api/srp_test.rb +++ b/test/integration/api/srp_test.rb @@ -14,7 +14,7 @@ class SrpTest < RackTest # this test wraps the api and implements the interface the ruby-srp client. def handshake(login, aa) - post "http://api.lvh.me:3000/1/sessions.json", + post api_url("sessions.json"), :login => login, 'A' => aa, :format => :json @@ -27,7 +27,7 @@ class SrpTest < RackTest end def validate(m) - put "http://api.lvh.me:3000/1/sessions/" + @login + '.json', + put api_url("sessions/#{@login}.json"), :client_auth => m, :format => :json return JSON.parse(last_response.body) @@ -39,7 +39,7 @@ class SrpTest < RackTest def register_user(login = "integration_test", password = 'srp, verify me!', invite_code = @testcode.invite_code) cleanup_user(login) - post 'http://api.lvh.me:3000/1/users.json', + post api_url('users.json'), user_params(login: login, password: password, invite_code: invite_code) assert(@user = User.find_by_login(login), 'user should have been created: %s' % last_response_errors) @login = login @@ -47,7 +47,7 @@ class SrpTest < RackTest end def update_user(params) - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + put api_url("users/#{@user.id}.json"), user_params(params), auth_headers end @@ -68,7 +68,7 @@ class SrpTest < RackTest end def logout(params=nil, headers=nil) - delete "http://api.lvh.me:3000/1/logout.json", + delete api_url("logout.json"), params || {format: :json}, headers || auth_headers end @@ -112,4 +112,12 @@ class SrpTest < RackTest rescue "" end + + def api_url(path) + "http://api.lvh.me:3000/#{api_version}/#{path}" + end + + def api_version + 2 + end end diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_auth_test.rb index dafbfb7..7b20b00 100644 --- a/test/integration/api/token_test.rb +++ b/test/integration/api/token_auth_test.rb @@ -1,7 +1,7 @@ -require_relative '../../test_helper' +require 'test_helper' require_relative 'srp_test' -class TokenTest < SrpTest +class TokenAuthTest < SrpTest setup do register_user diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb index 16bbb8c..1492006 100644 --- a/test/integration/api/update_account_test.rb +++ b/test/integration/api/update_account_test.rb @@ -14,7 +14,7 @@ class UpdateAccountTest < SrpTest test "require token" do authenticate - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + put "http://api.lvh.me:3000/2/users/" + @user.id + '.json', user_params(password: "No! Verify me instead.") assert_login_required end diff --git a/test/integration/browser/account_livecycle_test.rb b/test/integration/browser/account_livecycle_test.rb new file mode 100644 index 0000000..85dbf13 --- /dev/null +++ b/test/integration/browser/account_livecycle_test.rb @@ -0,0 +1,114 @@ +require 'test_helper' + +class AccountLivecycleTest < BrowserIntegrationTest + + teardown do + Identity.destroy_all_orphaned + end + + test "signup successfully when invited" do + username, password = submit_signup + assert page.has_content?("Welcome #{username}") + click_on 'Log Out' + assert page.has_content?("Log In") + assert_equal '/', current_path + assert user = User.find_by_login(username) + user.account.destroy + end + + test "signup successfully without invitation" do + with_config invite_required: false do + + username ||= "test_#{SecureRandom.urlsafe_base64}".downcase + password ||= SecureRandom.base64 + + visit '/signup' + fill_in 'Username', with: username + fill_in 'Password', with: password + fill_in 'Password confirmation', with: password + click_on 'Sign Up' + + assert page.has_content?("Welcome #{username}") + end + end + + test "signup with username ending in dot json" do + username = Faker::Internet.user_name + '.json' + submit_signup username + assert page.has_content?("Welcome #{username}") + end + + test "signup with reserved username" do + username = 'certmaster' + submit_signup username + assert page.has_content?("is reserved.") + end + + test "successful login" do + username, password = submit_signup + click_on 'Log Out' + attempt_login(username, password) + assert page.has_content?("Welcome #{username}") + within('.sidenav li.active') do + assert page.has_content?("Overview") + end + User.find_by_login(username).account.destroy + end + + test "failed login" do + visit '/' + attempt_login("username", "wrong password") + assert_invalid_login(page) + end + + test "account destruction" do + username, password = submit_signup + + click_on I18n.t('account_settings') + click_on I18n.t('destroy_my_account') + assert page.has_content?(I18n.t('account_destroyed')) + assert_equal 1, Identity.by_address.key("#{username}@test.me").count + attempt_login(username, password) + assert_invalid_login(page) + end + + test "handle blocked after account destruction" do + username, password = submit_signup + click_on I18n.t('account_settings') + click_on I18n.t('destroy_my_account') + submit_signup(username) + assert page.has_content?('has already been taken') + end + + test "change pgp key" do + with_config user_actions: ['change_pgp_key'] do + pgp_key = FactoryGirl.build :pgp_key + login + click_on "Account Settings" + within('#update_pgp_key') do + fill_in 'Public key', with: pgp_key + click_on 'Save' + end + page.assert_selector 'input[value="Saving..."]' + # at some point we're done: + page.assert_no_selector 'input[value="Saving..."]' + assert page.has_field? 'Public key', with: pgp_key.to_s + @user.reload + assert_equal pgp_key, @user.public_key + end + end + + def attempt_login(username, password) + click_on 'Log In' + fill_in 'Username', with: username + fill_in 'Password', with: password + click_on 'Log In' + end + + def assert_invalid_login(page) + assert page.has_selector? '.btn-primary.disabled' + assert page.has_content? I18n.t(:invalid_user_pass) + assert page.has_no_selector? '.btn-primary.disabled' + end + +end diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_livecycle_test.rb.orig index 50adb23..d1f800b 100644 --- a/test/integration/browser/account_test.rb +++ b/test/integration/browser/account_livecycle_test.rb.orig @@ -1,6 +1,6 @@ require 'test_helper' -class AccountTest < BrowserIntegrationTest +class AccountLivecycleTest < BrowserIntegrationTest teardown do Identity.destroy_all_orphaned @@ -80,24 +80,6 @@ class AccountTest < BrowserIntegrationTest assert page.has_content?('has already been taken') end - test "default user actions" do - login - click_on "Account Settings" - assert page.has_content? I18n.t('destroy_my_account') - assert page.has_no_css? '#update_login_and_password' - assert page.has_no_css? '#update_pgp_key' - end - - test "default admin actions" do - login - with_config admins: [@user.login] do - click_on "Account Settings" - assert page.has_content? I18n.t('destroy_my_account') - assert page.has_no_css? '#update_login_and_password' - assert page.has_css? '#update_pgp_key' - end - end - test "change pgp key" do with_config user_actions: ['change_pgp_key'] do pgp_key = FactoryGirl.build :pgp_key @@ -116,6 +98,8 @@ class AccountTest < BrowserIntegrationTest end end +<<<<<<< HEAD:test/integration/browser/account_livecycle_test.rb +======= # trying to seed an invalid A for srp login test "detects attempt to circumvent SRP" do @@ -133,7 +117,7 @@ class AccountTest < BrowserIntegrationTest end test "reports internal server errors" do - V1::UsersController.any_instance.stubs(:create).raises + Api::UsersController.any_instance.stubs(:create).raises submit_signup assert page.has_content?("server failed") end @@ -152,6 +136,7 @@ class AccountTest < BrowserIntegrationTest assert page.has_no_content?("Password") end +>>>>>>> api: allow version bumping - bump to 2:test/integration/browser/account_test.rb def attempt_login(username, password) click_on 'Log In' fill_in 'Username', with: username @@ -165,12 +150,4 @@ class AccountTest < BrowserIntegrationTest assert page.has_no_selector? '.btn-primary.disabled' end - def inject_malicious_js - page.execute_script <<-EOJS - var calc = new srp.Calculate(); - calc.A = function(_a) {return "00";}; - calc.S = calc.A; - srp.session = new srp.Session(null, calc); - EOJS - end end diff --git a/test/integration/browser/admin_test.rb b/test/integration/browser/admin_test.rb index 902c981..0b43c29 100644 --- a/test/integration/browser/admin_test.rb +++ b/test/integration/browser/admin_test.rb @@ -2,6 +2,24 @@ require 'test_helper' class AdminTest < BrowserIntegrationTest + test "default user actions" do + login + click_on "Account Settings" + assert page.has_content? I18n.t('destroy_my_account') + assert page.has_no_css? '#update_login_and_password' + assert page.has_no_css? '#update_pgp_key' + end + + test "default admin actions" do + login + with_config admins: [@user.login] do + click_on "Account Settings" + assert page.has_content? I18n.t('destroy_my_account') + assert page.has_no_css? '#update_login_and_password' + assert page.has_css? '#update_pgp_key' + end + end + test "clear blocked handle" do id = FactoryGirl.create :identity submit_signup(id.login) diff --git a/test/integration/browser/password_validation_test.rb b/test/integration/browser/password_validation_test.rb index 45eb0bf..51fcc5d 100644 --- a/test/integration/browser/password_validation_test.rb +++ b/test/integration/browser/password_validation_test.rb @@ -5,26 +5,26 @@ class PasswordValidationTest < BrowserIntegrationTest test "password confirmation is validated" do username ||= "test_#{SecureRandom.urlsafe_base64}".downcase password ||= SecureRandom.base64 - visit '/users/new' + visit '/signup' fill_in 'Username', with: username fill_in 'Password', with: password fill_in 'Password confirmation', with: password + "-typo" click_on 'Sign Up' assert page.has_content? "does not match." - assert_equal '/users/new', current_path + assert_equal '/signup', current_path assert page.has_selector? ".error #srp_password_confirmation" end test "password needs to be at least 8 chars long" do username ||= "test_#{SecureRandom.urlsafe_base64}".downcase password ||= SecureRandom.base64[0,7] - visit '/users/new' + visit '/signup' fill_in 'Username', with: username fill_in 'Password', with: password fill_in 'Password confirmation', with: password click_on 'Sign Up' assert page.has_content? "needs to be at least 8 characters long" - assert_equal '/users/new', current_path + assert_equal '/signup', current_path assert page.has_selector? ".error #srp_password" end end diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb new file mode 100644 index 0000000..825d50b --- /dev/null +++ b/test/integration/browser/security_test.rb @@ -0,0 +1,52 @@ +require 'test_helper' + +class SecurityTest < BrowserIntegrationTest + + teardown do + Identity.destroy_all_orphaned + end + + # trying to seed an invalid A for srp login + test "detects attempt to circumvent SRP" do + InviteCodeValidator.any_instance.stubs(:validate) + + user = FactoryGirl.create :user + visit '/login' + fill_in 'Username', with: user.login + fill_in 'Password', with: "password" + inject_malicious_js + click_on 'Log In' + assert page.has_content?("Invalid random key") + assert page.has_no_content?("Welcome") + user.destroy + end + + test "reports internal server errors" do + Api::UsersController.any_instance.stubs(:create).raises + submit_signup + assert page.has_content?("server failed") + end + + test "does not render signup form without js" do + Capybara.current_driver = :rack_test # no js + visit '/signup' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + + test "does not render login form without js" do + Capybara.current_driver = :rack_test # no js + visit '/login' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + + def inject_malicious_js + page.execute_script <<-EOJS + var calc = new srp.Calculate(); + calc.A = function(_a) {return "00";}; + calc.S = calc.A; + srp.session = new srp.Session(null, calc); + EOJS + end +end diff --git a/test/integration/locale_path_test.rb b/test/integration/locale_path_test.rb index 738e7f5..22293dc 100644 --- a/test/integration/locale_path_test.rb +++ b/test/integration/locale_path_test.rb @@ -21,6 +21,11 @@ require 'test_helper' # class LocalePathTest < ActionDispatch::IntegrationTest + + teardown do + I18n.locale = 'en' + end + test "redirect if accept-language is not default locale" do get_via_redirect '/', {}, 'HTTP_ACCEPT_LANGUAGE' => 'de' assert_equal '/de', path @@ -55,4 +60,4 @@ class LocalePathTest < ActionDispatch::IntegrationTest @controller.send(:default_url_options) end -end
\ No newline at end of file +end diff --git a/test/integration/navigation_test.rb b/test/integration/navigation_test.rb deleted file mode 100644 index eec8c0e..0000000 --- a/test/integration/navigation_test.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'test_helper' - -class NavigationTest < ActionDispatch::IntegrationTest - - # test "the truth" do - # assert true - # end -end - |