summaryrefslogtreecommitdiff
path: root/test/integration
diff options
context:
space:
mode:
authorNavaL <ayoyo@thoughtworks.com>2016-07-14 15:44:07 +0200
committerNavaL <ayoyo@thoughtworks.com>2016-07-14 15:44:07 +0200
commite3c2cb91dfef5c39c608b967e702e9de977d1bd2 (patch)
tree154dc28dd986bd6e0a48e933c5da46994ffaa0cb /test/integration
parente2f19bcfb6dbce77746c2d61715340525b29a592 (diff)
parentf09e6ec1337962ab279f021a6a6d0ff30479ebe0 (diff)
Merge branch 'develop' of https://github.com/leapcode/leap_web into feature/expose_admin_in_api
Diffstat (limited to 'test/integration')
-rw-r--r--test/integration/api/cert_test.rb11
-rw-r--r--test/integration/api/signup_test.rb2
-rw-r--r--test/integration/api/smtp_cert_test.rb14
-rw-r--r--test/integration/api/srp_test.rb18
-rw-r--r--test/integration/api/token_auth_test.rb (renamed from test/integration/api/token_test.rb)4
-rw-r--r--test/integration/api/update_account_test.rb2
-rw-r--r--test/integration/browser/account_livecycle_test.rb114
-rw-r--r--test/integration/browser/account_livecycle_test.rb.orig (renamed from test/integration/browser/account_test.rb)33
-rw-r--r--test/integration/browser/admin_test.rb18
-rw-r--r--test/integration/browser/password_validation_test.rb8
-rw-r--r--test/integration/browser/security_test.rb52
-rw-r--r--test/integration/locale_path_test.rb7
-rw-r--r--test/integration/navigation_test.rb9
13 files changed, 233 insertions, 59 deletions
diff --git a/test/integration/api/cert_test.rb b/test/integration/api/cert_test.rb
index 772901d..289d3c6 100644
--- a/test/integration/api/cert_test.rb
+++ b/test/integration/api/cert_test.rb
@@ -5,7 +5,7 @@ class CertTest < ApiIntegrationTest
test "retrieve eip cert" do
login
- get '/1/cert', {}, RACK_ENV
+ get cert_url, {}, RACK_ENV
assert_text_response
assert_response_includes "BEGIN RSA PRIVATE KEY"
assert_response_includes "END RSA PRIVATE KEY"
@@ -14,13 +14,13 @@ class CertTest < ApiIntegrationTest
end
test "fetching certs requires login by default" do
- get '/1/cert', {}, RACK_ENV
+ get cert_url, {}, RACK_ENV
assert_login_required
end
test "retrieve anonymous eip cert" do
with_config allow_anonymous_certs: true do
- get '/1/cert', {}, RACK_ENV
+ get cert_url, {}, RACK_ENV
assert_text_response
assert_response_includes "BEGIN RSA PRIVATE KEY"
assert_response_includes "END RSA PRIVATE KEY"
@@ -28,4 +28,9 @@ class CertTest < ApiIntegrationTest
assert_response_includes "END CERTIFICATE"
end
end
+
+ def cert_url
+ "/#{api_version}/cert"
+ end
+
end
diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb
index 05a0abe..2e515c1 100644
--- a/test/integration/api/signup_test.rb
+++ b/test/integration/api/signup_test.rb
@@ -1,4 +1,4 @@
-require_relative '../../test_helper'
+require 'test_helper'
require_relative 'srp_test'
class SignupTest < SrpTest
diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb
index 681d509..53382c1 100644
--- a/test/integration/api/smtp_cert_test.rb
+++ b/test/integration/api/smtp_cert_test.rb
@@ -11,7 +11,7 @@ class SmtpCertTest < ApiIntegrationTest
test "retrieve smtp cert" do
@user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code
login
- post '/1/smtp_cert', {}, RACK_ENV
+ post smtp_cert_url, {}, RACK_ENV
assert_text_response
assert_response_includes "BEGIN RSA PRIVATE KEY"
assert_response_includes "END RSA PRIVATE KEY"
@@ -22,7 +22,7 @@ class SmtpCertTest < ApiIntegrationTest
test "cert and key" do
@user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code
login
- post '/1/smtp_cert', {}, RACK_ENV
+ post smtp_cert_url, {}, RACK_ENV
assert_text_response
cert = OpenSSL::X509::Certificate.new(get_response.body)
key = OpenSSL::PKey::RSA.new(get_response.body)
@@ -34,7 +34,7 @@ class SmtpCertTest < ApiIntegrationTest
test "fingerprint is stored with identity" do
@user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code
login
- post '/1/smtp_cert', {}, RACK_ENV
+ post smtp_cert_url, {}, RACK_ENV
assert_text_response
cert = OpenSSL::X509::Certificate.new(get_response.body)
fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':')
@@ -48,14 +48,18 @@ class SmtpCertTest < ApiIntegrationTest
test "fetching smtp certs requires email account" do
login
- post '/1/smtp_cert', {}, RACK_ENV
+ post smtp_cert_url, {}, RACK_ENV
assert_access_denied
end
test "no anonymous smtp certs" do
with_config allow_anonymous_certs: true do
- post '/1/smtp_cert', {}, RACK_ENV
+ post smtp_cert_url, {}, RACK_ENV
assert_login_required
end
end
+
+ def smtp_cert_url
+ "/#{api_version}/smtp_cert"
+ end
end
diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb
index 463abcd..b9605f9 100644
--- a/test/integration/api/srp_test.rb
+++ b/test/integration/api/srp_test.rb
@@ -14,7 +14,7 @@ class SrpTest < RackTest
# this test wraps the api and implements the interface the ruby-srp client.
def handshake(login, aa)
- post "http://api.lvh.me:3000/1/sessions.json",
+ post api_url("sessions.json"),
:login => login,
'A' => aa,
:format => :json
@@ -27,7 +27,7 @@ class SrpTest < RackTest
end
def validate(m)
- put "http://api.lvh.me:3000/1/sessions/" + @login + '.json',
+ put api_url("sessions/#{@login}.json"),
:client_auth => m,
:format => :json
return JSON.parse(last_response.body)
@@ -39,7 +39,7 @@ class SrpTest < RackTest
def register_user(login = "integration_test", password = 'srp, verify me!', invite_code = @testcode.invite_code)
cleanup_user(login)
- post 'http://api.lvh.me:3000/1/users.json',
+ post api_url('users.json'),
user_params(login: login, password: password, invite_code: invite_code)
assert(@user = User.find_by_login(login), 'user should have been created: %s' % last_response_errors)
@login = login
@@ -47,7 +47,7 @@ class SrpTest < RackTest
end
def update_user(params)
- put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+ put api_url("users/#{@user.id}.json"),
user_params(params),
auth_headers
end
@@ -68,7 +68,7 @@ class SrpTest < RackTest
end
def logout(params=nil, headers=nil)
- delete "http://api.lvh.me:3000/1/logout.json",
+ delete api_url("logout.json"),
params || {format: :json},
headers || auth_headers
end
@@ -112,4 +112,12 @@ class SrpTest < RackTest
rescue
""
end
+
+ def api_url(path)
+ "http://api.lvh.me:3000/#{api_version}/#{path}"
+ end
+
+ def api_version
+ 2
+ end
end
diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_auth_test.rb
index dafbfb7..7b20b00 100644
--- a/test/integration/api/token_test.rb
+++ b/test/integration/api/token_auth_test.rb
@@ -1,7 +1,7 @@
-require_relative '../../test_helper'
+require 'test_helper'
require_relative 'srp_test'
-class TokenTest < SrpTest
+class TokenAuthTest < SrpTest
setup do
register_user
diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb
index 16bbb8c..1492006 100644
--- a/test/integration/api/update_account_test.rb
+++ b/test/integration/api/update_account_test.rb
@@ -14,7 +14,7 @@ class UpdateAccountTest < SrpTest
test "require token" do
authenticate
- put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+ put "http://api.lvh.me:3000/2/users/" + @user.id + '.json',
user_params(password: "No! Verify me instead.")
assert_login_required
end
diff --git a/test/integration/browser/account_livecycle_test.rb b/test/integration/browser/account_livecycle_test.rb
new file mode 100644
index 0000000..85dbf13
--- /dev/null
+++ b/test/integration/browser/account_livecycle_test.rb
@@ -0,0 +1,114 @@
+require 'test_helper'
+
+class AccountLivecycleTest < BrowserIntegrationTest
+
+ teardown do
+ Identity.destroy_all_orphaned
+ end
+
+ test "signup successfully when invited" do
+ username, password = submit_signup
+ assert page.has_content?("Welcome #{username}")
+ click_on 'Log Out'
+ assert page.has_content?("Log In")
+ assert_equal '/', current_path
+ assert user = User.find_by_login(username)
+ user.account.destroy
+ end
+
+ test "signup successfully without invitation" do
+ with_config invite_required: false do
+
+ username ||= "test_#{SecureRandom.urlsafe_base64}".downcase
+ password ||= SecureRandom.base64
+
+ visit '/signup'
+ fill_in 'Username', with: username
+ fill_in 'Password', with: password
+ fill_in 'Password confirmation', with: password
+ click_on 'Sign Up'
+
+ assert page.has_content?("Welcome #{username}")
+ end
+ end
+
+ test "signup with username ending in dot json" do
+ username = Faker::Internet.user_name + '.json'
+ submit_signup username
+ assert page.has_content?("Welcome #{username}")
+ end
+
+ test "signup with reserved username" do
+ username = 'certmaster'
+ submit_signup username
+ assert page.has_content?("is reserved.")
+ end
+
+ test "successful login" do
+ username, password = submit_signup
+ click_on 'Log Out'
+ attempt_login(username, password)
+ assert page.has_content?("Welcome #{username}")
+ within('.sidenav li.active') do
+ assert page.has_content?("Overview")
+ end
+ User.find_by_login(username).account.destroy
+ end
+
+ test "failed login" do
+ visit '/'
+ attempt_login("username", "wrong password")
+ assert_invalid_login(page)
+ end
+
+ test "account destruction" do
+ username, password = submit_signup
+
+ click_on I18n.t('account_settings')
+ click_on I18n.t('destroy_my_account')
+ assert page.has_content?(I18n.t('account_destroyed'))
+ assert_equal 1, Identity.by_address.key("#{username}@test.me").count
+ attempt_login(username, password)
+ assert_invalid_login(page)
+ end
+
+ test "handle blocked after account destruction" do
+ username, password = submit_signup
+ click_on I18n.t('account_settings')
+ click_on I18n.t('destroy_my_account')
+ submit_signup(username)
+ assert page.has_content?('has already been taken')
+ end
+
+ test "change pgp key" do
+ with_config user_actions: ['change_pgp_key'] do
+ pgp_key = FactoryGirl.build :pgp_key
+ login
+ click_on "Account Settings"
+ within('#update_pgp_key') do
+ fill_in 'Public key', with: pgp_key
+ click_on 'Save'
+ end
+ page.assert_selector 'input[value="Saving..."]'
+ # at some point we're done:
+ page.assert_no_selector 'input[value="Saving..."]'
+ assert page.has_field? 'Public key', with: pgp_key.to_s
+ @user.reload
+ assert_equal pgp_key, @user.public_key
+ end
+ end
+
+ def attempt_login(username, password)
+ click_on 'Log In'
+ fill_in 'Username', with: username
+ fill_in 'Password', with: password
+ click_on 'Log In'
+ end
+
+ def assert_invalid_login(page)
+ assert page.has_selector? '.btn-primary.disabled'
+ assert page.has_content? I18n.t(:invalid_user_pass)
+ assert page.has_no_selector? '.btn-primary.disabled'
+ end
+
+end
diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_livecycle_test.rb.orig
index 50adb23..d1f800b 100644
--- a/test/integration/browser/account_test.rb
+++ b/test/integration/browser/account_livecycle_test.rb.orig
@@ -1,6 +1,6 @@
require 'test_helper'
-class AccountTest < BrowserIntegrationTest
+class AccountLivecycleTest < BrowserIntegrationTest
teardown do
Identity.destroy_all_orphaned
@@ -80,24 +80,6 @@ class AccountTest < BrowserIntegrationTest
assert page.has_content?('has already been taken')
end
- test "default user actions" do
- login
- click_on "Account Settings"
- assert page.has_content? I18n.t('destroy_my_account')
- assert page.has_no_css? '#update_login_and_password'
- assert page.has_no_css? '#update_pgp_key'
- end
-
- test "default admin actions" do
- login
- with_config admins: [@user.login] do
- click_on "Account Settings"
- assert page.has_content? I18n.t('destroy_my_account')
- assert page.has_no_css? '#update_login_and_password'
- assert page.has_css? '#update_pgp_key'
- end
- end
-
test "change pgp key" do
with_config user_actions: ['change_pgp_key'] do
pgp_key = FactoryGirl.build :pgp_key
@@ -116,6 +98,8 @@ class AccountTest < BrowserIntegrationTest
end
end
+<<<<<<< HEAD:test/integration/browser/account_livecycle_test.rb
+=======
# trying to seed an invalid A for srp login
test "detects attempt to circumvent SRP" do
@@ -133,7 +117,7 @@ class AccountTest < BrowserIntegrationTest
end
test "reports internal server errors" do
- V1::UsersController.any_instance.stubs(:create).raises
+ Api::UsersController.any_instance.stubs(:create).raises
submit_signup
assert page.has_content?("server failed")
end
@@ -152,6 +136,7 @@ class AccountTest < BrowserIntegrationTest
assert page.has_no_content?("Password")
end
+>>>>>>> api: allow version bumping - bump to 2:test/integration/browser/account_test.rb
def attempt_login(username, password)
click_on 'Log In'
fill_in 'Username', with: username
@@ -165,12 +150,4 @@ class AccountTest < BrowserIntegrationTest
assert page.has_no_selector? '.btn-primary.disabled'
end
- def inject_malicious_js
- page.execute_script <<-EOJS
- var calc = new srp.Calculate();
- calc.A = function(_a) {return "00";};
- calc.S = calc.A;
- srp.session = new srp.Session(null, calc);
- EOJS
- end
end
diff --git a/test/integration/browser/admin_test.rb b/test/integration/browser/admin_test.rb
index 902c981..0b43c29 100644
--- a/test/integration/browser/admin_test.rb
+++ b/test/integration/browser/admin_test.rb
@@ -2,6 +2,24 @@ require 'test_helper'
class AdminTest < BrowserIntegrationTest
+ test "default user actions" do
+ login
+ click_on "Account Settings"
+ assert page.has_content? I18n.t('destroy_my_account')
+ assert page.has_no_css? '#update_login_and_password'
+ assert page.has_no_css? '#update_pgp_key'
+ end
+
+ test "default admin actions" do
+ login
+ with_config admins: [@user.login] do
+ click_on "Account Settings"
+ assert page.has_content? I18n.t('destroy_my_account')
+ assert page.has_no_css? '#update_login_and_password'
+ assert page.has_css? '#update_pgp_key'
+ end
+ end
+
test "clear blocked handle" do
id = FactoryGirl.create :identity
submit_signup(id.login)
diff --git a/test/integration/browser/password_validation_test.rb b/test/integration/browser/password_validation_test.rb
index 45eb0bf..51fcc5d 100644
--- a/test/integration/browser/password_validation_test.rb
+++ b/test/integration/browser/password_validation_test.rb
@@ -5,26 +5,26 @@ class PasswordValidationTest < BrowserIntegrationTest
test "password confirmation is validated" do
username ||= "test_#{SecureRandom.urlsafe_base64}".downcase
password ||= SecureRandom.base64
- visit '/users/new'
+ visit '/signup'
fill_in 'Username', with: username
fill_in 'Password', with: password
fill_in 'Password confirmation', with: password + "-typo"
click_on 'Sign Up'
assert page.has_content? "does not match."
- assert_equal '/users/new', current_path
+ assert_equal '/signup', current_path
assert page.has_selector? ".error #srp_password_confirmation"
end
test "password needs to be at least 8 chars long" do
username ||= "test_#{SecureRandom.urlsafe_base64}".downcase
password ||= SecureRandom.base64[0,7]
- visit '/users/new'
+ visit '/signup'
fill_in 'Username', with: username
fill_in 'Password', with: password
fill_in 'Password confirmation', with: password
click_on 'Sign Up'
assert page.has_content? "needs to be at least 8 characters long"
- assert_equal '/users/new', current_path
+ assert_equal '/signup', current_path
assert page.has_selector? ".error #srp_password"
end
end
diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb
new file mode 100644
index 0000000..825d50b
--- /dev/null
+++ b/test/integration/browser/security_test.rb
@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class SecurityTest < BrowserIntegrationTest
+
+ teardown do
+ Identity.destroy_all_orphaned
+ end
+
+ # trying to seed an invalid A for srp login
+ test "detects attempt to circumvent SRP" do
+ InviteCodeValidator.any_instance.stubs(:validate)
+
+ user = FactoryGirl.create :user
+ visit '/login'
+ fill_in 'Username', with: user.login
+ fill_in 'Password', with: "password"
+ inject_malicious_js
+ click_on 'Log In'
+ assert page.has_content?("Invalid random key")
+ assert page.has_no_content?("Welcome")
+ user.destroy
+ end
+
+ test "reports internal server errors" do
+ Api::UsersController.any_instance.stubs(:create).raises
+ submit_signup
+ assert page.has_content?("server failed")
+ end
+
+ test "does not render signup form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/signup'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ test "does not render login form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/login'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ def inject_malicious_js
+ page.execute_script <<-EOJS
+ var calc = new srp.Calculate();
+ calc.A = function(_a) {return "00";};
+ calc.S = calc.A;
+ srp.session = new srp.Session(null, calc);
+ EOJS
+ end
+end
diff --git a/test/integration/locale_path_test.rb b/test/integration/locale_path_test.rb
index 738e7f5..22293dc 100644
--- a/test/integration/locale_path_test.rb
+++ b/test/integration/locale_path_test.rb
@@ -21,6 +21,11 @@ require 'test_helper'
#
class LocalePathTest < ActionDispatch::IntegrationTest
+
+ teardown do
+ I18n.locale = 'en'
+ end
+
test "redirect if accept-language is not default locale" do
get_via_redirect '/', {}, 'HTTP_ACCEPT_LANGUAGE' => 'de'
assert_equal '/de', path
@@ -55,4 +60,4 @@ class LocalePathTest < ActionDispatch::IntegrationTest
@controller.send(:default_url_options)
end
-end \ No newline at end of file
+end
diff --git a/test/integration/navigation_test.rb b/test/integration/navigation_test.rb
deleted file mode 100644
index eec8c0e..0000000
--- a/test/integration/navigation_test.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'test_helper'
-
-class NavigationTest < ActionDispatch::IntegrationTest
-
- # test "the truth" do
- # assert true
- # end
-end
-