-rw-r--r--test/integration/browser/account_livecycle_test.rb (renamed from test/integration/browser/account_test.rb)64
-rw-r--r--test/integration/browser/admin_test.rb18
-rw-r--r--test/integration/browser/security_test.rb52
3 files changed, 71 insertions, 63 deletions
diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_livecycle_test.rb
index 50adb23..604f456 100644
--- a/test/integration/browser/account_test.rb
+++ b/test/integration/browser/account_livecycle_test.rb
@@ -1,6 +1,6 @@
require 'test_helper'
-class AccountTest < BrowserIntegrationTest
+class AccountLivecycleTest < BrowserIntegrationTest
teardown do
Identity.destroy_all_orphaned
@@ -80,24 +80,6 @@ class AccountTest < BrowserIntegrationTest
assert page.has_content?('has already been taken')
end
- test "default user actions" do
- login
- click_on "Account Settings"
- assert page.has_content? I18n.t('destroy_my_account')
- assert page.has_no_css? '#update_login_and_password'
- assert page.has_no_css? '#update_pgp_key'
- end
-
- test "default admin actions" do
- login
- with_config admins: [@user.login] do
- click_on "Account Settings"
- assert page.has_content? I18n.t('destroy_my_account')
- assert page.has_no_css? '#update_login_and_password'
- assert page.has_css? '#update_pgp_key'
- end
- end
-
test "change pgp key" do
with_config user_actions: ['change_pgp_key'] do
pgp_key = FactoryGirl.build :pgp_key
@@ -116,42 +98,6 @@ class AccountTest < BrowserIntegrationTest
end
end
-
- # trying to seed an invalid A for srp login
- test "detects attempt to circumvent SRP" do
- InviteCodeValidator.any_instance.stubs(:validate)
-
- user = FactoryGirl.create :user
- visit '/login'
- fill_in 'Username', with: user.login
- fill_in 'Password', with: "password"
- inject_malicious_js
- click_on 'Log In'
- assert page.has_content?("Invalid random key")
- assert page.has_no_content?("Welcome")
- user.destroy
- end
-
- test "reports internal server errors" do
- V1::UsersController.any_instance.stubs(:create).raises
- submit_signup
- assert page.has_content?("server failed")
- end
-
- test "does not render signup form without js" do
- Capybara.current_driver = :rack_test # no js
- visit '/signup'
- assert page.has_no_content?("Username")
- assert page.has_no_content?("Password")
- end
-
- test "does not render login form without js" do
- Capybara.current_driver = :rack_test # no js
- visit '/login'
- assert page.has_no_content?("Username")
- assert page.has_no_content?("Password")
- end
-
def attempt_login(username, password)
click_on 'Log In'
fill_in 'Username', with: username
@@ -165,12 +111,4 @@ class AccountTest < BrowserIntegrationTest
assert page.has_no_selector? '.btn-primary.disabled'
end
- def inject_malicious_js
- page.execute_script <<-EOJS
- var calc = new srp.Calculate();
- calc.A = function(_a) {return "00";};
- calc.S = calc.A;
- srp.session = new srp.Session(null, calc);
- EOJS
- end
end
diff --git a/test/integration/browser/admin_test.rb b/test/integration/browser/admin_test.rb
index 902c981..0b43c29 100644
--- a/test/integration/browser/admin_test.rb
+++ b/test/integration/browser/admin_test.rb
@@ -2,6 +2,24 @@ require 'test_helper'
class AdminTest < BrowserIntegrationTest
+ test "default user actions" do
+ login
+ click_on "Account Settings"
+ assert page.has_content? I18n.t('destroy_my_account')
+ assert page.has_no_css? '#update_login_and_password'
+ assert page.has_no_css? '#update_pgp_key'
+ end
+
+ test "default admin actions" do
+ login
+ with_config admins: [@user.login] do
+ click_on "Account Settings"
+ assert page.has_content? I18n.t('destroy_my_account')
+ assert page.has_no_css? '#update_login_and_password'
+ assert page.has_css? '#update_pgp_key'
+ end
+ end
+
test "clear blocked handle" do
id = FactoryGirl.create :identity
submit_signup(id.login)
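Review bot: The moved "default user actions" test (lines after the class header) checks a non-admin account and does not exercise anything admin-specific, so inside AdminTest its role is unclear without a comment; it appears to serve as the baseline that "default admin actions" is contrasted against, where only the `admins:` config flips `#update_pgp_key` from absent to present. I would add `# baseline for "default admin actions": a plain user gets no pgp-key section` above it. Both tests also rely on `login` populating `@user` for the `admins: [@user.login]` config, which is set up outside this hunk and worth a one-line note so the coupling is visible.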
diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb
new file mode 100644
index 0000000..c13acd8
--- /dev/null
+++ b/test/integration/browser/security_test.rb
@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class SecurityTest < BrowserIntegrationTest
+
+ teardown do
+ Identity.destroy_all_orphaned
+ end
+
+ # trying to seed an invalid A for srp login
+ test "detects attempt to circumvent SRP" do
+ InviteCodeValidator.any_instance.stubs(:validate)
+
+ user = FactoryGirl.create :user
+ visit '/login'
+ fill_in 'Username', with: user.login
+ fill_in 'Password', with: "password"
+ inject_malicious_js
+ click_on 'Log In'
+ assert page.has_content?("Invalid random key")
+ assert page.has_no_content?("Welcome")
+ user.destroy
+ end
+
+ test "reports internal server errors" do
+ V1::UsersController.any_instance.stubs(:create).raises
+ submit_signup
+ assert page.has_content?("server failed")
+ end
+
+ test "does not render signup form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/signup'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ test "does not render login form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/login'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ def inject_malicious_js
+ page.execute_script <<-EOJS
+ var calc = new srp.Calculate();
+ calc.A = function(_a) {return "00";};
+ calc.S = calc.A;
+ srp.session = new srp.Session(null, calc);
+ EOJS
+ end
+end
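Review bot: "detects attempt to circumvent SRP" only seeds `A = "00"` via inject_malicious_js, so it proves the server rejects a literal zero but not the general condition SRP requires, A mod N != 0; an attacker sends A = N or any multiple of N to the same effect, and a server that only compares against zero would pass this test and still leak the session. A second injected value that is a multiple of the modulus (using whatever accessor the srp library exposes for N, which this file does not show) would pin the modular check. The `user.destroy` at the end of that test runs only on success; moving it to the teardown next to `Identity.destroy_all_orphaned` or wrapping the body in `ensure` keeps a failed run from leaving the fixture user behind. The two no-js tests set `Capybara.current_driver = :rack_test` and never restore it; unless the harness resets the driver in teardown (not visible here), add `Capybara.use_default_driver` to the teardown so the driver does not leak into later tests.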