summaryrefslogtreecommitdiff
path: root/test/functional
diff options
context:
space:
mode:
Diffstat (limited to 'test/functional')
-rw-r--r--test/functional/token_auth_test.rb40
-rw-r--r--test/functional/v1/identities_controller_test.rb24
-rw-r--r--test/functional/v1/users_controller_test.rb52
3 files changed, 115 insertions, 1 deletions
diff --git a/test/functional/token_auth_test.rb b/test/functional/token_auth_test.rb
new file mode 100644
index 0000000..53d5fb3
--- /dev/null
+++ b/test/functional/token_auth_test.rb
@@ -0,0 +1,40 @@
+#
+# tests for authenticating an admin or monitor user
+# via static configured tokens.
+#
+
+require_relative '../test_helper'
+
+class TokenAuthTest < ActionController::TestCase
+ tests V1::ConfigsController
+
+ def test_login_via_api_token
+ with_config(:allow_anonymous_certs => false) do
+ monitor_auth do
+ get :index
+ assert assigns(:token), 'should have authenticated via api token'
+ assert assigns(:token).is_a? ApiToken
+ assert @controller.send(:current_user).is_a? ApiMonitorUser
+ end
+ end
+ end
+
+ def test_fail_api_auth_when_ip_not_allowed
+ with_config(:allow_anonymous_certs => false) do
+ allowed = "99.99.99.99"
+ new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
+ with_config(new_config) do
+ monitor_auth do
+ request.env['REMOTE_ADDR'] = "1.1.1.1"
+ get :index
+ assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
+ request.env['REMOTE_ADDR'] = allowed
+ get :index
+ assert assigns(:token), "should have authenticated via api token"
+ end
+ end
+ end
+ end
+
+end
+
diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb
new file mode 100644
index 0000000..6410c44
--- /dev/null
+++ b/test/functional/v1/identities_controller_test.rb
@@ -0,0 +1,24 @@
+require_relative '../../test_helper'
+
+class V1::IdentitiesControllerTest < ActionController::TestCase
+
+ test "api monitor can fetch identity" do
+ monitor_auth do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :success
+ assert_equal identity, assigns(:identity)
+
+ get :show, :id => "blahblahblah", :format => 'json'
+ assert_response :not_found
+ end
+ end
+
+
+ test "anonymous cannot fetch identity" do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :forbidden
+ end
+
+end
diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb
index ffe2484..7afbb02 100644
--- a/test/functional/v1/users_controller_test.rb
+++ b/test/functional/v1/users_controller_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../../test_helper'
class V1::UsersControllerTest < ActionController::TestCase
@@ -81,4 +81,54 @@ class V1::UsersControllerTest < ActionController::TestCase
end
end
+ test "admin can show user" do
+ user = FactoryGirl.create :user
+ login :is_admin? => true
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => "0", :format => :json
+ assert_response :not_found
+ end
+
+ test "normal users cannot show user" do
+ user = find_record :user
+ login
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_access_denied
+ end
+
+ test "api monitor auth can create and destroy test users" do
+ with_config(allow_registration: false) do
+ monitor_auth do
+ user_attribs = record_attributes_for :test_user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :success
+ delete :destroy, :id => assigns(:user).id, :format => :json
+ assert_response :success
+ end
+ end
+ end
+
+ test "api monitor auth cannot create normal users" do
+ monitor_auth do
+ user_attribs = record_attributes_for :user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "api monitor auth cannot delete normal users" do
+ post :create, :user => record_attributes_for(:user), :format => :json
+ assert_response :success
+ normal_user_id = assigns(:user).id
+ monitor_auth do
+ delete :destroy, :id => normal_user_id, :format => :json
+ assert_response :forbidden
+ end
+ end
+
end