| author | Azul <azul@riseup.net> | 2016-03-31 11:40:44 +0200 | 
|---|---|---|
| committer | Azul <azul@riseup.net> | 2016-03-31 11:40:44 +0200 | 
| commit | be5efb57dc9b282a31cf29c9eac27cb5a7e7ac2f (patch) | |
| tree | ce8bee7d2fa4007a1db9815e1af001fe44e329c1 /test | |
| parent | 14c9f2ab7cbf410bcd7fdd75b4a1c11417b30bd7 (diff) | |
| parent | 48acca107b9bd7a59bacb1449b042eb753e63917 (diff) | |
Merge remote-tracking branch 'github/211' into develop
Diffstat (limited to 'test')
| -rw-r--r-- | test/factories.rb | 4 | ||||
| -rw-r--r-- | test/functional/token_auth_test.rb | 40 | ||||
| -rw-r--r-- | test/functional/v1/identities_controller_test.rb | 24 | ||||
| -rw-r--r-- | test/functional/v1/users_controller_test.rb | 52 | ||||
| -rw-r--r-- | test/integration/api/signup_test.rb | 4 | ||||
| -rw-r--r-- | test/integration/api/tmp_user_test.rb | 2 | ||||
| -rw-r--r-- | test/integration/api/token_test.rb | 3 | ||||
| -rw-r--r-- | test/support/auth_test_helper.rb | 15 | ||||
| -rw-r--r-- | test/unit/api_token_test.rb | 28 | ||||
| -rw-r--r-- | test/unit/tmp_user_test.rb | 4 | 
10 files changed, 169 insertions, 7 deletions
| diff --git a/test/factories.rb b/test/factories.rb index b6e1475..5d49729 100644 --- a/test/factories.rb +++ b/test/factories.rb @@ -26,6 +26,10 @@ FactoryGirl.define do        end      end +    factory :test_user do +      login {"test_user_" + Faker::Internet.user_name + '_' + SecureRandom.hex(4)} +    end +      factory :premium_user do        effective_service_level_code 2      end diff --git a/test/functional/token_auth_test.rb b/test/functional/token_auth_test.rb new file mode 100644 index 0000000..53d5fb3 --- /dev/null +++ b/test/functional/token_auth_test.rb @@ -0,0 +1,40 @@ +# +# tests for authenticating an admin or monitor user +# via static configured tokens. +# + +require_relative '../test_helper' + +class TokenAuthTest < ActionController::TestCase +  tests V1::ConfigsController + +  def test_login_via_api_token +    with_config(:allow_anonymous_certs => false) do +      monitor_auth do +        get :index +        assert assigns(:token), 'should have authenticated via api token' +        assert assigns(:token).is_a? ApiToken +        assert @controller.send(:current_user).is_a? ApiMonitorUser +      end +    end +  end + +  def test_fail_api_auth_when_ip_not_allowed +    with_config(:allow_anonymous_certs => false) do +      allowed = "99.99.99.99" +      new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])} +      with_config(new_config) do +        monitor_auth do +          request.env['REMOTE_ADDR'] = "1.1.1.1" +          get :index +          assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it" +          request.env['REMOTE_ADDR'] = allowed +          get :index +          assert assigns(:token), "should have authenticated via api token" +        end +      end +    end +  end + +end + diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb new file mode 100644 index 0000000..6410c44 --- /dev/null 
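Review bot: The `login` block of the new `:test_user` factory mixes double- and single-quoted fragments in one `+` chain; interpolation reads cleaner and is what the rest of the file's factories would suggest: `login { "test_user_#{Faker::Internet.user_name}_#{SecureRandom.hex(4)}" }`. The `test_user_` prefix also looks significant rather than cosmetic — the same commit renames the integration temp users away from that prefix and the users_controller tests let the monitor token create and destroy only `:test_user` records — so a one-line comment such as `# login prefix marks the account as a monitor-manageable test user — TODO confirm against the model` would save the next reader from guessing.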
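Review bot: In `test_fail_api_auth_when_ip_not_allowed` the IP restriction is merged in under a symbol key (`merge(allowed_ips: [allowed])`, wrapped in `{api_tokens: ...}`) while every other access to this config in the commit uses string keys (`APP_CONFIG['api_tokens']['monitor']` in the helper, `{"api_tokens" => {"test" => ""}}` in the unit test); unless APP_CONFIG is indifferent-access the fixture ends up with mixed key types and the test only passes by accident of whichever lookup the code uses. Writing it as `new_config = {'api_tokens' => APP_CONFIG['api_tokens'].merge('allowed_ips' => [allowed])}` keeps the fixture in the same shape as the production lookup. The two `assert x.is_a? Klass` lines in `test_login_via_api_token` would also give a useful failure message as `assert_kind_of ApiToken, assigns(:token)` and `assert_kind_of ApiMonitorUser, @controller.send(:current_user)`.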
+++ b/test/functional/v1/identities_controller_test.rb @@ -0,0 +1,24 @@ +require_relative '../../test_helper' + +class V1::IdentitiesControllerTest < ActionController::TestCase + +  test "api monitor can fetch identity" do +    monitor_auth do +      identity = FactoryGirl.create :identity +      get :show, :id => identity.address, :format => 'json' +      assert_response :success +      assert_equal identity, assigns(:identity) + +      get :show, :id => "blahblahblah", :format => 'json' +      assert_response :not_found +    end +  end + + +  test "anonymous cannot fetch identity" do +    identity = FactoryGirl.create :identity +    get :show, :id => identity.address, :format => 'json' +    assert_response :forbidden +  end + +end diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb index ffe2484..7afbb02 100644 --- a/test/functional/v1/users_controller_test.rb +++ b/test/functional/v1/users_controller_test.rb @@ -1,4 +1,4 @@ -require 'test_helper' +require_relative '../../test_helper'  class V1::UsersControllerTest < ActionController::TestCase 
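Review bot: The new file covers only the two ends of the authorization matrix — the monitor token may read an identity and an anonymous caller gets `:forbidden` — but not an ordinary logged-in user, which is the case most likely to regress access control silently. If regular accounts are not meant to look up other users' identities, a third case along the lines of `test "normal user cannot fetch identity" do` / `login; get :show, :id => FactoryGirl.create(:identity).address, :format => 'json'` / `assert_response :forbidden` closes that gap; if they are meant to, the test should say so with a `:success` assertion instead. Either way the `get :show, :id => "blahblahblah"` not-found check is only exercised under monitor auth, so a comment noting that lookup-by-address is what is being probed would help.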
@@ -81,4 +81,54 @@ class V1::UsersControllerTest < ActionController::TestCase      end    end +  test "admin can show user" do +    user = FactoryGirl.create :user +    login :is_admin? => true +    get :show, :id => 0, :login => user.login, :format => :json +    assert_response :success +    assert_json_response user +    get :show, :id => user.id, :format => :json +    assert_response :success +    assert_json_response user +    get :show, :id => "0", :format => :json +    assert_response :not_found +  end + +  test "normal users cannot show user" do +    user = find_record :user +    login +    get :show, :id => 0, :login => user.login, :format => :json +    assert_access_denied +  end + +  test "api monitor auth can create and destroy test users" do +    with_config(allow_registration: false) do +      monitor_auth do +        user_attribs = record_attributes_for :test_user +        post :create, :user => user_attribs, :format => :json +        assert_response :success +        delete :destroy, :id => assigns(:user).id, :format => :json +        assert_response :success +      end +    end +  end + +  test "api monitor auth cannot create normal users" do +    monitor_auth do +      user_attribs = record_attributes_for :user +      post :create, :user => user_attribs, :format => :json +      assert_response :forbidden +    end +  end + +  test "api monitor auth cannot delete normal users" do +    post :create, :user => record_attributes_for(:user), :format => :json +    assert_response :success +    normal_user_id = assigns(:user).id +    monitor_auth do +      delete :destroy, :id => normal_user_id, :format => :json +      assert_response :forbidden +    end +  end +  end diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb index 236c547..7216496 100644 --- a/test/integration/api/signup_test.rb +++ b/test/integration/api/signup_test.rb 
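Review bot: `test "api monitor auth cannot delete normal users"` creates its target through the public `post :create` as an anonymous caller, so it silently depends on registration being enabled in the test config — the sibling `can create and destroy test users` test shows that setting is toggled with `with_config(allow_registration: false)`, and a config change there would make this test fail on setup rather than on the authorization it is about. Creating the record directly, as `admin can show user` already does, isolates the destroy check: `normal_user = FactoryGirl.create :user` and then `delete :destroy, :id => normal_user.id, :format => :json` inside `monitor_auth`. The enclosing class continues outside the hunk, so any teardown that cleans up these records is not visible here.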
@@ -1,4 +1,4 @@ -require 'test_helper' +require_relative '../../test_helper'  require_relative 'srp_test'  class SignupTest < SrpTest @@ -8,7 +8,7 @@ class SignupTest < SrpTest    end    test "signup response" do -    assert_json_response :login => @login, :ok => true +    assert_json_response :login => @login, :ok => true, :id => @user.id, :enabled => true      assert last_response.successful?    end diff --git a/test/integration/api/tmp_user_test.rb b/test/integration/api/tmp_user_test.rb index 4c1e659..bf5f99d 100644 --- a/test/integration/api/tmp_user_test.rb +++ b/test/integration/api/tmp_user_test.rb @@ -4,7 +4,7 @@ require_relative 'srp_test'  class TmpUserTest < SrpTest    setup do -    register_user('test_user_'+SecureRandom.hex(5)) +    register_user('tmp_user_'+SecureRandom.hex(5))    end    test "login with srp" do diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_test.rb index ad3ac22..dafbfb7 100644 --- a/test/integration/api/token_test.rb +++ b/test/integration/api/token_test.rb @@ -1,4 +1,4 @@ -require 'test_helper' +require_relative '../../test_helper'  require_relative 'srp_test'  class TokenTest < SrpTest @@ -12,4 +12,5 @@ class TokenTest < SrpTest      token = server_auth['token']      assert Token.find(Digest::SHA512.hexdigest(token))    end +  end diff --git a/test/support/auth_test_helper.rb b/test/support/auth_test_helper.rb index 7af3341..acc6076 100644 --- a/test/support/auth_test_helper.rb +++ b/test/support/auth_test_helper.rb 
@@ -29,6 +29,21 @@ module AuthTestHelper      @token.expects(:destroy) if @token    end +  # authenticate as the api monitor +  def monitor_auth(&block) +    token_auth(APP_CONFIG['api_tokens']['monitor'], &block) +  end + +  # authenticate with a token +  def token_auth(token_str) +    original = request.env['HTTP_AUTHORIZATION'] +    request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token_str) +    if block_given? +      yield +      request.env['HTTP_AUTHORIZATION'] = original +    end +  end +    protected    def header_for_token_auth diff --git a/test/unit/api_token_test.rb b/test/unit/api_token_test.rb new file mode 100644 index 0000000..266a370 --- /dev/null +++ b/test/unit/api_token_test.rb @@ -0,0 +1,28 @@ +require_relative '../test_helper' + +class ApiTokenTest < ActiveSupport::TestCase + +  setup do +  end + +  test "api token only authenticates ApiUser" do +    token_string = APP_CONFIG['api_tokens']['monitor'] +    assert !token_string.nil?, 'monitor token should be configured' +    assert !token_string.empty? +    token = ApiToken.find_by_token(token_string) +    user = token.authenticate +    assert user, 'api token should authenticate' +    assert user.is_a?(ApiUser), 'api token should return api user' +    assert user.is_monitor?, 'api monitor token should return monitor user' +    assert !user.is_admin?, 'api monitor token should not return admin user' +  end + +  test "invalid api tokens can't authenticate" do +    assert_nil ApiToken.find_by_token("not a token") +    with_config({"api_tokens" => {"test" => ""}}) do +      assert_equal "", APP_CONFIG['api_tokens']['test'] +      assert_nil ApiToken.find_by_token("") +    end +  end + +end
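Review bot: `token_auth` restores the original `HTTP_AUTHORIZATION` header only when the block returns normally; a failed assertion or any other exception inside the block skips the restore, so the caller's request keeps the monitor credentials for whatever the test does afterwards. The restore belongs in an `ensure` so the helper leaves the request as it found it regardless of how the block exits; the block-less path, which deliberately leaves the header set, can stay as an early `return`. Impact is limited because the request object is per-test, but the `ensure` form is the idiom and costs nothing. `monitor_auth` can keep forwarding with `&block` unchanged; the module continues outside the hunk.
```ruby
  # authenticate with a token
  def token_auth(token_str)
    original = request.env['HTTP_AUTHORIZATION']
    request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token_str)
    return unless block_given?
    begin
      yield
    ensure
      request.env['HTTP_AUTHORIZATION'] = original
    end
  end
```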
\ No newline at end of file diff --git a/test/unit/tmp_user_test.rb b/test/unit/tmp_user_test.rb index 9494377..1dea5f9 100644 --- a/test/unit/tmp_user_test.rb +++ b/test/unit/tmp_user_test.rb @@ -6,7 +6,7 @@ class TmpUserTest < ActiveSupport::TestCase      InviteCodeValidator.any_instance.stubs(:validate)    end -  test "test_user saved to tmp_users" do +  test "tmp_user saved to tmp_users" do      begin        assert User.ancestors.include?(TemporaryUser) @@ -17,7 +17,7 @@ class TmpUserTest < ActiveSupport::TestCase        end        assert_difference('User.tmp_database.info["doc_count"]') do -        tmp_user = User.create!(:login => 'test_user_'+SecureRandom.hex(5).downcase, +        tmp_user = User.create!(:login => 'tmp_user_'+SecureRandom.hex(5).downcase,            :password_verifier => 'ABCDEF0010101', :password_salt => 'ABCDEF')          assert tmp_user.database.to_s.include?('tmp')        end | 
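Review bot: The `setup do` / `end` block at the top of `ApiTokenTest` is empty and should be dropped rather than left as a placeholder. The negated assertions would read better and fail more helpfully as `refute_nil token_string, 'monitor token should be configured'`, `refute token_string.empty?` and `refute user.is_admin?, 'api monitor token should not return admin user'`. The empty-token case in `invalid api tokens can't authenticate` is the important negative check here, so a short comment such as `# an empty configured token must never match an empty Authorization header` would make its purpose explicit; the file also ends without a trailing newline.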
