From e05a1b0f5ae40a2aa17976b3009cd563b8e4660a Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 1 May 2016 10:55:33 -0300 Subject: api: allow version bumping - bump to 2 --- app/controllers/api/certs_controller.rb | 31 +++++ app/controllers/api/configs_controller.rb | 37 +++++ app/controllers/api/identities_controller.rb | 16 +++ app/controllers/api/messages_controller.rb | 119 ++++++++++++++++ app/controllers/api/services_controller.rb | 8 ++ app/controllers/api/sessions_controller.rb | 44 ++++++ app/controllers/api/smtp_certs_controller.rb | 42 ++++++ app/controllers/api/users_controller.rb | 83 +++++++++++ app/controllers/v1/certs_controller.rb | 31 ----- app/controllers/v1/configs_controller.rb | 37 ----- app/controllers/v1/identities_controller.rb | 16 --- app/controllers/v1/messages_controller.rb | 119 ---------------- app/controllers/v1/services_controller.rb | 8 -- app/controllers/v1/sessions_controller.rb | 44 ------ app/controllers/v1/smtp_certs_controller.rb | 42 ------ app/controllers/v1/users_controller.rb | 83 ----------- app/views/api/sessions/new.json.erb | 3 + app/views/v1/sessions/new.json.erb | 3 - config/routes.rb | 6 +- test/functional/api/certs_controller_test.rb | 60 ++++++++ test/functional/api/identities_controller_test.rb | 24 ++++ test/functional/api/messages_controller_test.rb | 99 +++++++++++++ test/functional/api/services_controller_test.rb | 28 ++++ test/functional/api/sessions_controller_test.rb | 62 +++++++++ test/functional/api/smtp_certs_controller_test.rb | 43 ++++++ test/functional/api/token_auth_test.rb | 40 ++++++ test/functional/api/users_controller_test.rb | 135 ++++++++++++++++++ .../configs_controller_with_static_tokens_test.rb | 40 ------ test/functional/v1/certs_controller_test.rb | 60 -------- test/functional/v1/identities_controller_test.rb | 24 ---- test/functional/v1/messages_controller_test.rb | 99 ------------- test/functional/v1/services_controller_test.rb | 28 ---- test/functional/v1/sessions_controller_test.rb | 62 --------- test/functional/v1/smtp_certs_controller_test.rb | 43 ------ test/functional/v1/users_controller_test.rb | 135 ------------------ test/integration/api/cert_test.rb | 11 +- test/integration/api/signup_test.rb | 2 +- test/integration/api/smtp_cert_test.rb | 14 +- test/integration/api/srp_test.rb | 18 ++- test/integration/api/token_auth_test.rb | 2 +- test/integration/api/update_account_test.rb | 2 +- .../browser/account_livecycle_test.rb.orig | 153 +++++++++++++++++++++ test/integration/browser/security_test.rb | 2 +- test/support/api_integration_test.rb | 4 + 44 files changed, 1068 insertions(+), 894 deletions(-) create mode 100644 app/controllers/api/certs_controller.rb create mode 100644 app/controllers/api/configs_controller.rb create mode 100644 app/controllers/api/identities_controller.rb create mode 100644 app/controllers/api/messages_controller.rb create mode 100644 app/controllers/api/services_controller.rb create mode 100644 app/controllers/api/sessions_controller.rb create mode 100644 app/controllers/api/smtp_certs_controller.rb create mode 100644 app/controllers/api/users_controller.rb delete mode 100644 app/controllers/v1/certs_controller.rb delete mode 100644 app/controllers/v1/configs_controller.rb delete mode 100644 app/controllers/v1/identities_controller.rb delete mode 100644 app/controllers/v1/messages_controller.rb delete mode 100644 app/controllers/v1/services_controller.rb delete mode 100644 app/controllers/v1/sessions_controller.rb delete mode 100644 app/controllers/v1/smtp_certs_controller.rb delete mode 100644 app/controllers/v1/users_controller.rb create mode 100644 app/views/api/sessions/new.json.erb delete mode 100644 app/views/v1/sessions/new.json.erb create mode 100644 test/functional/api/certs_controller_test.rb create mode 100644 test/functional/api/identities_controller_test.rb create mode 100644 test/functional/api/messages_controller_test.rb create mode 100644 test/functional/api/services_controller_test.rb create mode 100644 test/functional/api/sessions_controller_test.rb create mode 100644 test/functional/api/smtp_certs_controller_test.rb create mode 100644 test/functional/api/token_auth_test.rb create mode 100644 test/functional/api/users_controller_test.rb delete mode 100644 test/functional/configs_controller_with_static_tokens_test.rb delete mode 100644 test/functional/v1/certs_controller_test.rb delete mode 100644 test/functional/v1/identities_controller_test.rb delete mode 100644 test/functional/v1/messages_controller_test.rb delete mode 100644 test/functional/v1/services_controller_test.rb delete mode 100644 test/functional/v1/sessions_controller_test.rb delete mode 100644 test/functional/v1/smtp_certs_controller_test.rb delete mode 100644 test/functional/v1/users_controller_test.rb create mode 100644 test/integration/browser/account_livecycle_test.rb.orig diff --git a/app/controllers/api/certs_controller.rb b/app/controllers/api/certs_controller.rb new file mode 100644 index 0000000..46a84d3 --- /dev/null +++ b/app/controllers/api/certs_controller.rb @@ -0,0 +1,31 @@ +class Api::CertsController < ApiController + + before_filter :require_login, :unless => :anonymous_access_allowed? + before_filter :require_enabled + + # GET /cert + # deprecated - we actually create a new cert and that can + # be reflected in the action. GET /cert will eventually go + # away and be replaced by POST /cert + def show + create + end + + # POST /cert + def create + @cert = ClientCertificate.new(:prefix => service_level.cert_prefix) + render text: @cert.to_s, content_type: 'text/plain' + end + + protected + + def require_enabled + if !current_user.is_anonymous? && !current_user.enabled? + access_denied + end + end + + def service_level + current_user.effective_service_level + end +end diff --git a/app/controllers/api/configs_controller.rb b/app/controllers/api/configs_controller.rb new file mode 100644 index 0000000..55ceb4f --- /dev/null +++ b/app/controllers/api/configs_controller.rb @@ -0,0 +1,37 @@ +class Api::ConfigsController < ApiController + include ControllerExtension::JsonFile + + before_filter :require_login, :unless => :anonymous_access_allowed? + before_filter :sanitize_id, only: :show + + def index + render json: {services: service_paths} + end + + def show + send_file lookup_file + end + + protected + + SERVICE_IDS = { + soledad: "soledad-service", + eip: "eip-service", + smtp: "smtp-service" + } + + def service_paths + Hash[SERVICE_IDS.map{|k,v| [k,"/1/configs/#{v}.json"] } ] + end + + def sanitize_id + @id = params[:id].downcase + access_denied unless SERVICE_IDS.values.include? @id + end + + def lookup_file + path = APP_CONFIG[:config_file_paths][@id] + not_found if path.blank? + Rails.root.join path + end +end diff --git a/app/controllers/api/identities_controller.rb b/app/controllers/api/identities_controller.rb new file mode 100644 index 0000000..ab2ac00 --- /dev/null +++ b/app/controllers/api/identities_controller.rb @@ -0,0 +1,16 @@ +module Api + class IdentitiesController < ApiController + before_filter :token_authenticate + before_filter :require_monitor + + def show + @identity = Identity.find_by_address(params[:id]) + if @identity + respond_with @identity + else + render_not_found + end + end + + end +end diff --git a/app/controllers/api/messages_controller.rb b/app/controllers/api/messages_controller.rb new file mode 100644 index 0000000..a69a40a --- /dev/null +++ b/app/controllers/api/messages_controller.rb @@ -0,0 +1,119 @@ +module Api + class MessagesController < ApiController + + before_filter :require_login + + def index + if Dir.exist?(motd_dir) + if !CommonLanguages::available_code?(params[:locale]) + locale = 'en' + else + locale = params[:locale] + end + render json: motd_files_for_locale(locale) + else + render json: [] + end + end + + # disable per-user messages for now, not supported in the client + #def update + # if message = Message.find(params[:id]) + # message.mark_as_read_by(current_user) + # message.save + # render json: success(:marked_as_read) + # else + # render json: error(:not_found), status: :not_found + # end + #end + + private + + # + # returns list of messages, for example: + # + # [ + # {"id": 1, "locale": "en", "text": ""}, + # {"id": 2, "locale": "en", "text": ""} + # ] + # + # Each message is present only once, using the best choice + # for the locale. The order is determined by the id. + # + def motd_files_for_locale(locale) + files = [] + motd_files.keys.each do |id| + if motd_files[id].key?(locale) + msg_locale = locale + elsif motd_files[id].key?('en') + msg_locale = 'en' + else + msg_locale = motd_files[id].keys.first + end + files << { + "id" => id, + "locale" => msg_locale, + "text" => motd_files[id][msg_locale] + } + end + files.sort! {|a,b| a["id"].to_i <=> b["id"].to_i } + return files + end + + # + # returns messages of the day as a hash: + # { "1": {"en": "message"}, "2": {"en": "message"} } + # + def motd_files + if motd_changed? || @motd_files.nil? + @motd_files = load_motd_files + else + @motd_files + end + end + + def motd_changed? + newest = Dir.glob(File.join(motd_dir, '*.{html,md}')).collect{|file| File.mtime(file)}.max + if @timestamp.nil? + @timestamp = newest + return true + elsif @timestamp < newest + @timestamp = newest + return true + else + return false + end + end + + def load_motd_files + files = {} + Dir.glob(File.join(motd_dir, '*.{html,md}')).each do |file| + id, locale, msg = parse_motd_file(file) + next unless id + files[id] ||= {} + files[id][locale] = msg + end + files + end + + def parse_motd_file(file) + id, locale, ext = File.basename(file).split('.') + if id.nil? || locale.nil? || ext.nil? || id.to_i.to_s != id || !['md', 'html'].include?(ext) + Rails.logger.error "ERROR: Could not parse MOTD file #{file}" + return nil + end + contents = File.read(file) + if ext == "md" + msg = RDiscount.new(contents, :autolink).to_html + elsif ext == "html" + msg = File.read(file) + end + return id, locale, msg + end + + def motd_dir + File.join(APP_CONFIG['customization_directory'], 'motd') + end + + end +end diff --git a/app/controllers/api/services_controller.rb b/app/controllers/api/services_controller.rb new file mode 100644 index 0000000..da2774b --- /dev/null +++ b/app/controllers/api/services_controller.rb @@ -0,0 +1,8 @@ +class Api::ServicesController < ApiController + + before_filter :require_login, :unless => :anonymous_access_allowed? + + def show + respond_with current_user.effective_service_level + end +end diff --git a/app/controllers/api/sessions_controller.rb b/app/controllers/api/sessions_controller.rb new file mode 100644 index 0000000..c8deb7a --- /dev/null +++ b/app/controllers/api/sessions_controller.rb @@ -0,0 +1,44 @@ +module Api + class SessionsController < ApiController + + before_filter :require_login, only: :destroy + + def new + @session = Session.new + if authentication_errors + @errors = authentication_errors + render :status => 422 + end + end + + def create + logout if logged_in? + if params['A'] + authenticate! + else + @user = User.find_by_login(params['login']) + render :json => {salt: @user.salt} + end + end + + def update + authenticate! + @token = Token.create(:user_id => current_user.id) + session[:token] = @token.id + render :json => login_response + end + + def destroy + logout + head :no_content + end + + protected + + def login_response + handshake = session.delete(:handshake) || {} + handshake.to_hash.merge(:id => current_user.id, :token => @token.to_s) + end + + end +end diff --git a/app/controllers/api/smtp_certs_controller.rb b/app/controllers/api/smtp_certs_controller.rb new file mode 100644 index 0000000..d9eab7d --- /dev/null +++ b/app/controllers/api/smtp_certs_controller.rb @@ -0,0 +1,42 @@ +class Api::SmtpCertsController < ApiController + + before_filter :require_login + before_filter :require_email_account + before_filter :fetch_identity + before_filter :require_enabled + + # POST /1/smtp_cert + def create + @cert = ClientCertificate.new common_name: current_user.email_address + @identity.register_cert(@cert) + @identity.save + render text: @cert.to_s, content_type: 'text/plain' + end + + protected + + # + # Filters + # + + def require_email_account + access_denied unless service_level.provides? 'email' + end + + def require_enabled + access_denied unless current_user.enabled? + end + + def fetch_identity + @identity = current_user.identity + end + + # + # Helper methods + # + + def service_level + current_user.effective_service_level + end + +end diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb new file mode 100644 index 0000000..e64d21f --- /dev/null +++ b/app/controllers/api/users_controller.rb @@ -0,0 +1,83 @@ +module Api + class UsersController < ApiController + include ControllerExtension::FetchUser + + # allow optional access to this controller using API auth tokens: + before_filter :token_authenticate + + before_filter :fetch_user, :only => [:update, :destroy] + before_filter :require_monitor, :only => [:index, :show] + before_filter :require_login, :only => [:index, :update, :destroy] + + respond_to :json + + # used for autocomplete for admins in the web ui + def index + if params[:query] + @users = User.login_starts_with(params[:query]) + respond_with @users.map(&:login).sort + else + render :json => {'error' => 'query required', 'status' => :unprocessable_entity} + end + end + + def show + if params[:login] + @user = User.find_by_login(params[:login]) + elsif params[:id] + @user = User.find(params[:id]) + end + if @user + respond_with @user + else + not_found + end + end + + def create + if current_user.is_monitor? + create_test_account + elsif APP_CONFIG[:allow_registration] + create_account + else + head :forbidden + end + end + + def update + @user.account.update params[:user] + respond_with @user + end + + def destroy + destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" + @user.account.destroy(destroy_identity) + if @user == current_user + logout + end + render :json => {'success' => 'user deleted'} + end + + private + + # tester auth can only create test users. + def create_test_account + if User::is_test?(params[:user][:login]) + @user = Account.create(params[:user], :invite_required => false) + respond_with @user + else + head :forbidden + end + end + + def create_account + if APP_CONFIG[:allow_registration] + @user = Account.create(params[:user]) + respond_with @user # return ID instead? + else + head :forbidden + end + end + + end +end diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb deleted file mode 100644 index ffa6e35..0000000 --- a/app/controllers/v1/certs_controller.rb +++ /dev/null @@ -1,31 +0,0 @@ -class V1::CertsController < ApiController - - before_filter :require_login, :unless => :anonymous_access_allowed? - before_filter :require_enabled - - # GET /cert - # deprecated - we actually create a new cert and that can - # be reflected in the action. GET /cert will eventually go - # away and be replaced by POST /cert - def show - create - end - - # POST /cert - def create - @cert = ClientCertificate.new(:prefix => service_level.cert_prefix) - render text: @cert.to_s, content_type: 'text/plain' - end - - protected - - def require_enabled - if !current_user.is_anonymous? && !current_user.enabled? - access_denied - end - end - - def service_level - current_user.effective_service_level - end -end diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb deleted file mode 100644 index f0b284e..0000000 --- a/app/controllers/v1/configs_controller.rb +++ /dev/null @@ -1,37 +0,0 @@ -class V1::ConfigsController < ApiController - include ControllerExtension::JsonFile - - before_filter :require_login, :unless => :anonymous_access_allowed? - before_filter :sanitize_id, only: :show - - def index - render json: {services: service_paths} - end - - def show - send_file lookup_file - end - - protected - - SERVICE_IDS = { - soledad: "soledad-service", - eip: "eip-service", - smtp: "smtp-service" - } - - def service_paths - Hash[SERVICE_IDS.map{|k,v| [k,"/1/configs/#{v}.json"] } ] - end - - def sanitize_id - @id = params[:id].downcase - access_denied unless SERVICE_IDS.values.include? @id - end - - def lookup_file - path = APP_CONFIG[:config_file_paths][@id] - not_found if path.blank? - Rails.root.join path - end -end diff --git a/app/controllers/v1/identities_controller.rb b/app/controllers/v1/identities_controller.rb deleted file mode 100644 index 4efd1f5..0000000 --- a/app/controllers/v1/identities_controller.rb +++ /dev/null @@ -1,16 +0,0 @@ -module V1 - class IdentitiesController < ApiController - before_filter :token_authenticate - before_filter :require_monitor - - def show - @identity = Identity.find_by_address(params[:id]) - if @identity - respond_with @identity - else - render_not_found - end - end - - end -end diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb deleted file mode 100644 index c0ca0c7..0000000 --- a/app/controllers/v1/messages_controller.rb +++ /dev/null @@ -1,119 +0,0 @@ -module V1 - class MessagesController < ApiController - - before_filter :require_login - - def index - if Dir.exist?(motd_dir) - if !CommonLanguages::available_code?(params[:locale]) - locale = 'en' - else - locale = params[:locale] - end - render json: motd_files_for_locale(locale) - else - render json: [] - end - end - - # disable per-user messages for now, not supported in the client - #def update - # if message = Message.find(params[:id]) - # message.mark_as_read_by(current_user) - # message.save - # render json: success(:marked_as_read) - # else - # render json: error(:not_found), status: :not_found - # end - #end - - private - - # - # returns list of messages, for example: - # - # [ - # {"id": 1, "locale": "en", "text": ""}, - # {"id": 2, "locale": "en", "text": ""} - # ] - # - # Each message is present only once, using the best choice - # for the locale. The order is determined by the id. - # - def motd_files_for_locale(locale) - files = [] - motd_files.keys.each do |id| - if motd_files[id].key?(locale) - msg_locale = locale - elsif motd_files[id].key?('en') - msg_locale = 'en' - else - msg_locale = motd_files[id].keys.first - end - files << { - "id" => id, - "locale" => msg_locale, - "text" => motd_files[id][msg_locale] - } - end - files.sort! {|a,b| a["id"].to_i <=> b["id"].to_i } - return files - end - - # - # returns messages of the day as a hash: - # { "1": {"en": "message"}, "2": {"en": "message"} } - # - def motd_files - if motd_changed? || @motd_files.nil? - @motd_files = load_motd_files - else - @motd_files - end - end - - def motd_changed? - newest = Dir.glob(File.join(motd_dir, '*.{html,md}')).collect{|file| File.mtime(file)}.max - if @timestamp.nil? - @timestamp = newest - return true - elsif @timestamp < newest - @timestamp = newest - return true - else - return false - end - end - - def load_motd_files - files = {} - Dir.glob(File.join(motd_dir, '*.{html,md}')).each do |file| - id, locale, msg = parse_motd_file(file) - next unless id - files[id] ||= {} - files[id][locale] = msg - end - files - end - - def parse_motd_file(file) - id, locale, ext = File.basename(file).split('.') - if id.nil? || locale.nil? || ext.nil? || id.to_i.to_s != id || !['md', 'html'].include?(ext) - Rails.logger.error "ERROR: Could not parse MOTD file #{file}" - return nil - end - contents = File.read(file) - if ext == "md" - msg = RDiscount.new(contents, :autolink).to_html - elsif ext == "html" - msg = File.read(file) - end - return id, locale, msg - end - - def motd_dir - File.join(APP_CONFIG['customization_directory'], 'motd') - end - - end -end diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb deleted file mode 100644 index 523eb44..0000000 --- a/app/controllers/v1/services_controller.rb +++ /dev/null @@ -1,8 +0,0 @@ -class V1::ServicesController < ApiController - - before_filter :require_login, :unless => :anonymous_access_allowed? - - def show - respond_with current_user.effective_service_level - end -end diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb deleted file mode 100644 index a343d9b..0000000 --- a/app/controllers/v1/sessions_controller.rb +++ /dev/null @@ -1,44 +0,0 @@ -module V1 - class SessionsController < ApiController - - before_filter :require_login, only: :destroy - - def new - @session = Session.new - if authentication_errors - @errors = authentication_errors - render :status => 422 - end - end - - def create - logout if logged_in? - if params['A'] - authenticate! - else - @user = User.find_by_login(params['login']) - render :json => {salt: @user.salt} - end - end - - def update - authenticate! - @token = Token.create(:user_id => current_user.id) - session[:token] = @token.id - render :json => login_response - end - - def destroy - logout - head :no_content - end - - protected - - def login_response - handshake = session.delete(:handshake) || {} - handshake.to_hash.merge(:id => current_user.id, :token => @token.to_s) - end - - end -end diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb deleted file mode 100644 index 5760645..0000000 --- a/app/controllers/v1/smtp_certs_controller.rb +++ /dev/null @@ -1,42 +0,0 @@ -class V1::SmtpCertsController < ApiController - - before_filter :require_login - before_filter :require_email_account - before_filter :fetch_identity - before_filter :require_enabled - - # POST /1/smtp_cert - def create - @cert = ClientCertificate.new common_name: current_user.email_address - @identity.register_cert(@cert) - @identity.save - render text: @cert.to_s, content_type: 'text/plain' - end - - protected - - # - # Filters - # - - def require_email_account - access_denied unless service_level.provides? 'email' - end - - def require_enabled - access_denied unless current_user.enabled? - end - - def fetch_identity - @identity = current_user.identity - end - - # - # Helper methods - # - - def service_level - current_user.effective_service_level - end - -end diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb deleted file mode 100644 index 6640d10..0000000 --- a/app/controllers/v1/users_controller.rb +++ /dev/null @@ -1,83 +0,0 @@ -module V1 - class UsersController < ApiController - include ControllerExtension::FetchUser - - # allow optional access to this controller using API auth tokens: - before_filter :token_authenticate - - before_filter :fetch_user, :only => [:update, :destroy] - before_filter :require_monitor, :only => [:index, :show] - before_filter :require_login, :only => [:index, :update, :destroy] - - respond_to :json - - # used for autocomplete for admins in the web ui - def index - if params[:query] - @users = User.login_starts_with(params[:query]) - respond_with @users.map(&:login).sort - else - render :json => {'error' => 'query required', 'status' => :unprocessable_entity} - end - end - - def show - if params[:login] - @user = User.find_by_login(params[:login]) - elsif params[:id] - @user = User.find(params[:id]) - end - if @user - respond_with @user - else - not_found - end - end - - def create - if current_user.is_monitor? - create_test_account - elsif APP_CONFIG[:allow_registration] - create_account - else - head :forbidden - end - end - - def update - @user.account.update params[:user] - respond_with @user - end - - def destroy - destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" - @user.account.destroy(destroy_identity) - if @user == current_user - logout - end - render :json => {'success' => 'user deleted'} - end - - private - - # tester auth can only create test users. - def create_test_account - if User::is_test?(params[:user][:login]) - @user = Account.create(params[:user], :invite_required => false) - respond_with @user - else - head :forbidden - end - end - - def create_account - if APP_CONFIG[:allow_registration] - @user = Account.create(params[:user]) - respond_with @user # return ID instead? - else - head :forbidden - end - end - - end -end diff --git a/app/views/api/sessions/new.json.erb b/app/views/api/sessions/new.json.erb new file mode 100644 index 0000000..36154b8 --- /dev/null +++ b/app/views/api/sessions/new.json.erb @@ -0,0 +1,3 @@ +{ +"errors": <%= raw @errors.to_json %> +} diff --git a/app/views/v1/sessions/new.json.erb b/app/views/v1/sessions/new.json.erb deleted file mode 100644 index 36154b8..0000000 --- a/app/views/v1/sessions/new.json.erb +++ /dev/null @@ -1,3 +0,0 @@ -{ -"errors": <%= raw @errors.to_json %> -} diff --git a/config/routes.rb b/config/routes.rb index be3b3be..a1a5b3c 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -24,10 +24,10 @@ LeapWeb::Application.routes.draw do get '/provider.json' => 'static_config#provider' - namespace "api", { module: "v1", - path: "/1/", + namespace "api", { module: "api", + path: "/:version/", defaults: {format: 'json'}, - :constraints => { :id => /[^\/]+(?=\.json\z)|[^\/]+/ } + :constraints => { :id => /[^\/]+(?=\.json\z)|[^\/]+/, :version => /[12]/ } } do resources :sessions, :only => [:new, :create, :update] delete "logout" => "sessions#destroy", :as => "logout" diff --git a/test/functional/api/certs_controller_test.rb b/test/functional/api/certs_controller_test.rb new file mode 100644 index 0000000..137ed92 --- /dev/null +++ b/test/functional/api/certs_controller_test.rb @@ -0,0 +1,60 @@ +require_relative '../../test_helper' + +class Api::CertsControllerTest < ActionController::TestCase + + test "create unlimited cert without login" do + with_config allow_anonymous_certs: true do + cert = expect_cert('UNLIMITED') + post :create + assert_response :success + assert_equal cert.to_s, @response.body + end + end + + test "create limited cert" do + with_config allow_limited_certs: true do + login + cert = expect_cert('LIMITED') + post :create + assert_response :success + assert_equal cert.to_s, @response.body + end + end + + test "fail to create cert when disabled" do + login :enabled? => false + post :create + assert_access_denied + end + + test "create unlimited cert" do + login effective_service_level: ServiceLevel.new(id: 2) + cert = expect_cert('UNLIMITED') + post :create + assert_response :success + assert_equal cert.to_s, @response.body + end + + test "GET still works as an alias" do + login effective_service_level: ServiceLevel.new(id: 2) + cert = expect_cert('UNLIMITED') + get :show + assert_response :success + assert_equal cert.to_s, @response.body + end + + test "redirect if no eip service offered" do + post :create + assert_response :redirect + end + + protected + + def expect_cert(prefix) + cert = stub :to_s => "#{prefix.downcase} cert" + ClientCertificate.expects(:new). + with(:prefix => prefix). + returns(cert) + return cert + end +end diff --git a/test/functional/api/identities_controller_test.rb b/test/functional/api/identities_controller_test.rb new file mode 100644 index 0000000..e803ee7 --- /dev/null +++ b/test/functional/api/identities_controller_test.rb @@ -0,0 +1,24 @@ +require_relative '../../test_helper' + +class Api::IdentitiesControllerTest < ActionController::TestCase + + test "api monitor can fetch identity" do + monitor_auth do + identity = FactoryGirl.create :identity + get :show, :id => identity.address, :format => 'json' + assert_response :success + assert_equal identity, assigns(:identity) + + get :show, :id => "blahblahblah", :format => 'json' + assert_response :not_found + end + end + + + test "anonymous cannot fetch identity" do + identity = FactoryGirl.create :identity + get :show, :id => identity.address, :format => 'json' + assert_response :forbidden + end + +end diff --git a/test/functional/api/messages_controller_test.rb b/test/functional/api/messages_controller_test.rb new file mode 100644 index 0000000..01641d4 --- /dev/null +++ b/test/functional/api/messages_controller_test.rb @@ -0,0 +1,99 @@ +require 'test_helper' + +class Api::MessagesControllerTest < ActionController::TestCase + + setup do + @user = FactoryGirl.build(:user) + @user.save + end + + # NOTE: the available languages for test are :en and :de + # so :es will result in english response. + + test "get the motd" do + with_config("customization_directory" => Rails.root+'test/files') do + login @user + get :index, :locale => 'es' + body = JSON.parse(response.body) + message1 = "

\"This\" is a very fine message. https://bitmask.net

\n" + assert_equal 2, body.size, 'there should be two messages' + assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md' + end + end + + test "get localized motd" do + with_config("customization_directory" => Rails.root+'test/files') do + login @user + get :index, :locale => 'de' + body = JSON.parse(response.body) + message1 = "

Dies ist eine sehr feine Nachricht. https://bitmask.net

\n" + assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md' + end + end + + test "get empty motd" do + login @user + get :index + assert_equal "[]", response.body, "motd response should be empty if no motd directory exists" + end + + ## + ## For now, only the static file MOTD is supported, not messages in the db. + ## so, this is disabled: + ## +=begin + setup do + InviteCodeValidator.any_instance.stubs(:validate) + @user = FactoryGirl.build(:user) + @user.save + @message = Message.new(:text => 'a test message') + @message.user_ids_to_show << @user.id + @message.save + end + + teardown do + @message.destroy + @user.destroy + end + + test "get messages for user" do + login @user + get :index + assert response.body.include? @message.text + assert response.body.include? @message.id + end + + test "mark message read for user" do + login @user + assert @message.user_ids_to_show.include?(@user.id) + assert !@message.user_ids_have_shown.include?(@user.id) + put :update, :id => @message.id + @message.reload + assert !@message.user_ids_to_show.include?(@user.id) + assert @message.user_ids_have_shown.include?(@user.id) + assert_success :marked_as_read + end + + test "do not get seen messages" do + login @user + put :update, :id => @message.id + @message.reload + get :index + assert !(response.body.include? @message.text) + assert !(response.body.include? @message.id) + end + + + test "mark read responds even with bad inputs" do + login @user + put :update, :id => 'more nonsense' + assert_not_found + end + + test "fails if not authenticated" do + get :index, :format => :json + assert_login_required + end +=end + +end diff --git a/test/functional/api/services_controller_test.rb b/test/functional/api/services_controller_test.rb new file mode 100644 index 0000000..b1dc9f3 --- /dev/null +++ b/test/functional/api/services_controller_test.rb @@ -0,0 +1,28 @@ +require 'test_helper' + +class Api::ServicesControllerTest < ActionController::TestCase + + test "anonymous user gets login required service info" do + get :show, format: :json + assert_json_response error: 'not_authorized_login', + message: 'Please log in to perform that action.' + end + + test "anonymous user gets vpn service info" do + with_config allow_anonymous_certs: true do + get :show, format: :json + assert_json_response name: 'anonymous', + eip_rate_limit: false, + description: 'anonymous access to the VPN' + end + end + + test "user can see their service info" do + login + get :show, format: :json + default_level = APP_CONFIG[:default_service_level] + assert_json_response APP_CONFIG[:service_levels][default_level] + end + +end + diff --git a/test/functional/api/sessions_controller_test.rb b/test/functional/api/sessions_controller_test.rb new file mode 100644 index 0000000..0633578 --- /dev/null +++ b/test/functional/api/sessions_controller_test.rb @@ -0,0 +1,62 @@ +require 'test_helper' + +# This is a simple controller unit test. +# We're stubbing out both warden and srp. +# There's an integration test testing the full rack stack and srp +class Api::SessionsControllerTest < ActionController::TestCase + + setup do + @request.env['HTTP_HOST'] = 'api.lvh.me' + @user = stub_record :user, {}, true + @client_hex = 'a123' + end + + test "renders json" do + get :new, :format => :json + assert_response :success + assert_json_error nil + end + + test "renders warden errors" do + request.env['warden.options'] = {attempted_path: 'path/to/controller'} + strategy = stub :message => {:field => :translate_me} + request.env['warden'].stubs(:winning_strategy).returns(strategy) + I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") + get :new, :format => :json + assert_response 422 + assert_json_error :field => "translation stub" + end + + # Warden takes care of parsing the params and + # rendering the response. So not much to test here. + test "should perform handshake" do + request.env['warden'].expects(:authenticate!) + # make sure we don't get a template missing error: + @controller.stubs(:render) + post :create, :login => @user.login, 'A' => @client_hex + end + + test "should authenticate" do + request.env['warden'].expects(:authenticate!) + @controller.stubs(:current_user).returns(@user) + handshake = stub(:to_hash => {h: "ash"}) + session[:handshake] = handshake + + post :update, :id => @user.login, :client_auth => @client_hex + + assert_nil session[:handshake] + assert_response :success + assert json_response.keys.include?("id") + assert json_response.keys.include?("token") + assert token = Token.find_by_token(json_response['token']) + assert_equal @user.id, token.user_id + end + + test "destroy should logout" do + login + expect_logout + delete :destroy + assert_response 204 + end + +end diff --git a/test/functional/api/smtp_certs_controller_test.rb b/test/functional/api/smtp_certs_controller_test.rb new file mode 100644 index 0000000..2142675 --- /dev/null +++ b/test/functional/api/smtp_certs_controller_test.rb @@ -0,0 +1,43 @@ +require 'test_helper' + +class Api::SmtpCertsControllerTest < ActionController::TestCase + + test "no smtp cert without login" do + with_config allow_anonymous_certs: true do + post :create + assert_login_required + end + end + + test "require service level with email" do + login + post :create + assert_access_denied + end + + test "send cert with username" do + login effective_service_level: ServiceLevel.new(id: 2) + cert = expect_cert(@current_user.email_address) + cert.expects(:fingerprint).returns('fingerprint') + post :create + assert_response :success + assert_equal cert.to_s, @response.body + end + + test "fail to create cert when disabled" do + login :enabled? => false + post :create + assert_access_denied + end + + protected + + def expect_cert(email) + cert = stub to_s: "#{email.downcase} cert", + expiry: 1.month.from_now.utc.at_midnight + ClientCertificate.expects(:new). + with(:common_name => email). + returns(cert) + return cert + end +end diff --git a/test/functional/api/token_auth_test.rb b/test/functional/api/token_auth_test.rb new file mode 100644 index 0000000..17a4775 --- /dev/null +++ b/test/functional/api/token_auth_test.rb @@ -0,0 +1,40 @@ +# +# tests for authenticating an admin or monitor user +# via static configured tokens. +# + +require 'test_helper' + +class Api::TokenAuthTest < ActionController::TestCase + tests Api::ConfigsController + + def test_login_via_api_token + with_config(:allow_anonymous_certs => false) do + monitor_auth do + get :index + assert assigns(:token), 'should have authenticated via api token' + assert assigns(:token).is_a? ApiToken + assert @controller.send(:current_user).is_a? ApiMonitorUser + end + end + end + + def test_fail_api_auth_when_ip_not_allowed + with_config(:allow_anonymous_certs => false) do + allowed = "99.99.99.99" + new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])} + with_config(new_config) do + monitor_auth do + request.env['REMOTE_ADDR'] = "1.1.1.1" + get :index + assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it" + request.env['REMOTE_ADDR'] = allowed + get :index + assert assigns(:token), "should have authenticated via api token" + end + end + end + end + +end + diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb new file mode 100644 index 0000000..bc2e312 --- /dev/null +++ b/test/functional/api/users_controller_test.rb @@ -0,0 +1,135 @@ +require_relative '../../test_helper' + +class Api::UsersControllerTest < ActionController::TestCase + + test "user can change settings" do + user = find_record :user + changed_attribs = record_attributes_for :user_with_settings + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + Account.expects(:new).with(user).returns(account_settings) + + login user + put :update, :user => changed_attribs, :id => user.id, :format => :json + + assert_equal user, assigns[:user] + assert_response 204 + assert @response.body.blank?, "Response should be blank" + end + + test "admin can update user" do + user = find_record :user + changed_attribs = record_attributes_for :user_with_settings + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + Account.expects(:new).with(user).returns(account_settings) + + login :is_admin? => true + put :update, :user => changed_attribs, :id => user.id, :format => :json + + assert_equal user, assigns[:user] + assert_response 204 + end + + test "user cannot update other user" do + user = find_record :user + login + put :update, id: user.id, + user: record_attributes_for(:user_with_settings), + :format => :json + assert_access_denied + end + + test "should create new user" do + user_attribs = record_attributes_for :user + user = User.new(user_attribs) + Account.expects(:create).with(user_attribs).returns(user) + + post :create, :user => user_attribs, :format => :json + + assert_nil session[:user_id] + assert_json_response user + assert_response :success + end + + test "should redirect to signup form on failed attempt" do + user_attribs = record_attributes_for :user + user_attribs.slice!('login') + user = User.new(user_attribs) + assert !user.valid? + Account.expects(:create).with(user_attribs).returns(user) + + post :create, :user => user_attribs, :format => :json + + assert_json_error user.errors.messages + assert_response 422 + end + + test "admin can autocomplete users" do + login :is_admin? => true + get :index, :query => 'a', :format => :json + + assert_response :success + assert assigns(:users) + end + + test "create returns forbidden if registration is closed" do + user_attribs = record_attributes_for :user + with_config(allow_registration: false) do + post :create, :user => user_attribs, :format => :json + assert_response :forbidden + end + end + + test "admin can show user" do + user = FactoryGirl.create :user + login :is_admin? => true + get :show, :id => 0, :login => user.login, :format => :json + assert_response :success + assert_json_response user + get :show, :id => user.id, :format => :json + assert_response :success + assert_json_response user + get :show, :id => "0", :format => :json + assert_response :not_found + end + + test "normal users cannot show user" do + user = find_record :user + login + get :show, :id => 0, :login => user.login, :format => :json + assert_access_denied + end + + test "api monitor auth can create and destroy test users" do + # should work even with registration off and/or invites required + with_config(allow_registration: false, invite_required: true) do + monitor_auth do + user_attribs = record_attributes_for :test_user + post :create, :user => user_attribs, :format => :json + assert_response :success + delete :destroy, :id => assigns(:user).id, :format => :json + assert_response :success + end + end + end + + test "api monitor auth cannot create normal users" do + monitor_auth do + user_attribs = record_attributes_for :user + post :create, :user => user_attribs, :format => :json + assert_response :forbidden + end + end + + test "api monitor auth cannot delete normal users" do + post :create, :user => record_attributes_for(:user), :format => :json + assert_response :success + normal_user_id = assigns(:user).id + monitor_auth do + delete :destroy, :id => normal_user_id, :format => :json + assert_response :forbidden + end + end + +end diff --git a/test/functional/configs_controller_with_static_tokens_test.rb b/test/functional/configs_controller_with_static_tokens_test.rb deleted file mode 100644 index 79739fe..0000000 --- a/test/functional/configs_controller_with_static_tokens_test.rb +++ /dev/null @@ -1,40 +0,0 @@ -# -# tests for authenticating an admin or monitor user -# via static configured tokens. -# - -require 'test_helper' - -class ConfigsControllerWithStaticTokensTest < ActionController::TestCase - tests V1::ConfigsController - - def test_login_via_api_token - with_config(:allow_anonymous_certs => false) do - monitor_auth do - get :index - assert assigns(:token), 'should have authenticated via api token' - assert assigns(:token).is_a? ApiToken - assert @controller.send(:current_user).is_a? ApiMonitorUser - end - end - end - - def test_fail_api_auth_when_ip_not_allowed - with_config(:allow_anonymous_certs => false) do - allowed = "99.99.99.99" - new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])} - with_config(new_config) do - monitor_auth do - request.env['REMOTE_ADDR'] = "1.1.1.1" - get :index - assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it" - request.env['REMOTE_ADDR'] = allowed - get :index - assert assigns(:token), "should have authenticated via api token" - end - end - end - end - -end - diff --git a/test/functional/v1/certs_controller_test.rb b/test/functional/v1/certs_controller_test.rb deleted file mode 100644 index 04c1c86..0000000 --- a/test/functional/v1/certs_controller_test.rb +++ /dev/null @@ -1,60 +0,0 @@ -require_relative '../../test_helper' - -class V1::CertsControllerTest < ActionController::TestCase - - test "create unlimited cert without login" do - with_config allow_anonymous_certs: true do - cert = expect_cert('UNLIMITED') - post :create - assert_response :success - assert_equal cert.to_s, @response.body - end - end - - test "create limited cert" do - with_config allow_limited_certs: true do - login - cert = expect_cert('LIMITED') - post :create - assert_response :success - assert_equal cert.to_s, @response.body - end - end - - test "fail to create cert when disabled" do - login :enabled? => false - post :create - assert_access_denied - end - - test "create unlimited cert" do - login effective_service_level: ServiceLevel.new(id: 2) - cert = expect_cert('UNLIMITED') - post :create - assert_response :success - assert_equal cert.to_s, @response.body - end - - test "GET still works as an alias" do - login effective_service_level: ServiceLevel.new(id: 2) - cert = expect_cert('UNLIMITED') - get :show - assert_response :success - assert_equal cert.to_s, @response.body - end - - test "redirect if no eip service offered" do - post :create - assert_response :redirect - end - - protected - - def expect_cert(prefix) - cert = stub :to_s => "#{prefix.downcase} cert" - ClientCertificate.expects(:new). - with(:prefix => prefix). - returns(cert) - return cert - end -end diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb deleted file mode 100644 index 6410c44..0000000 --- a/test/functional/v1/identities_controller_test.rb +++ /dev/null @@ -1,24 +0,0 @@ -require_relative '../../test_helper' - -class V1::IdentitiesControllerTest < ActionController::TestCase - - test "api monitor can fetch identity" do - monitor_auth do - identity = FactoryGirl.create :identity - get :show, :id => identity.address, :format => 'json' - assert_response :success - assert_equal identity, assigns(:identity) - - get :show, :id => "blahblahblah", :format => 'json' - assert_response :not_found - end - end - - - test "anonymous cannot fetch identity" do - identity = FactoryGirl.create :identity - get :show, :id => identity.address, :format => 'json' - assert_response :forbidden - end - -end diff --git a/test/functional/v1/messages_controller_test.rb b/test/functional/v1/messages_controller_test.rb deleted file mode 100644 index f37cca0..0000000 --- a/test/functional/v1/messages_controller_test.rb +++ /dev/null @@ -1,99 +0,0 @@ -require 'test_helper' - -class V1::MessagesControllerTest < ActionController::TestCase - - setup do - @user = FactoryGirl.build(:user) - @user.save - end - - # NOTE: the available languages for test are :en and :de - # so :es will result in english response. - - test "get the motd" do - with_config("customization_directory" => Rails.root+'test/files') do - login @user - get :index, :locale => 'es' - body = JSON.parse(response.body) - message1 = "

\"This\" is a very fine message. https://bitmask.net

\n" - assert_equal 2, body.size, 'there should be two messages' - assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md' - end - end - - test "get localized motd" do - with_config("customization_directory" => Rails.root+'test/files') do - login @user - get :index, :locale => 'de' - body = JSON.parse(response.body) - message1 = "

Dies ist eine sehr feine Nachricht. https://bitmask.net

\n" - assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md' - end - end - - test "get empty motd" do - login @user - get :index - assert_equal "[]", response.body, "motd response should be empty if no motd directory exists" - end - - ## - ## For now, only the static file MOTD is supported, not messages in the db. - ## so, this is disabled: - ## -=begin - setup do - InviteCodeValidator.any_instance.stubs(:validate) - @user = FactoryGirl.build(:user) - @user.save - @message = Message.new(:text => 'a test message') - @message.user_ids_to_show << @user.id - @message.save - end - - teardown do - @message.destroy - @user.destroy - end - - test "get messages for user" do - login @user - get :index - assert response.body.include? @message.text - assert response.body.include? @message.id - end - - test "mark message read for user" do - login @user - assert @message.user_ids_to_show.include?(@user.id) - assert !@message.user_ids_have_shown.include?(@user.id) - put :update, :id => @message.id - @message.reload - assert !@message.user_ids_to_show.include?(@user.id) - assert @message.user_ids_have_shown.include?(@user.id) - assert_success :marked_as_read - end - - test "do not get seen messages" do - login @user - put :update, :id => @message.id - @message.reload - get :index - assert !(response.body.include? @message.text) - assert !(response.body.include? @message.id) - end - - - test "mark read responds even with bad inputs" do - login @user - put :update, :id => 'more nonsense' - assert_not_found - end - - test "fails if not authenticated" do - get :index, :format => :json - assert_login_required - end -=end - -end diff --git a/test/functional/v1/services_controller_test.rb b/test/functional/v1/services_controller_test.rb deleted file mode 100644 index 039eb27..0000000 --- a/test/functional/v1/services_controller_test.rb +++ /dev/null @@ -1,28 +0,0 @@ -require 'test_helper' - -class V1::ServicesControllerTest < ActionController::TestCase - - test "anonymous user gets login required service info" do - get :show, format: :json - assert_json_response error: 'not_authorized_login', - message: 'Please log in to perform that action.' - end - - test "anonymous user gets vpn service info" do - with_config allow_anonymous_certs: true do - get :show, format: :json - assert_json_response name: 'anonymous', - eip_rate_limit: false, - description: 'anonymous access to the VPN' - end - end - - test "user can see their service info" do - login - get :show, format: :json - default_level = APP_CONFIG[:default_service_level] - assert_json_response APP_CONFIG[:service_levels][default_level] - end - -end - diff --git a/test/functional/v1/sessions_controller_test.rb b/test/functional/v1/sessions_controller_test.rb deleted file mode 100644 index 8bb6acd..0000000 --- a/test/functional/v1/sessions_controller_test.rb +++ /dev/null @@ -1,62 +0,0 @@ -require 'test_helper' - -# This is a simple controller unit test. -# We're stubbing out both warden and srp. -# There's an integration test testing the full rack stack and srp -class V1::SessionsControllerTest < ActionController::TestCase - - setup do - @request.env['HTTP_HOST'] = 'api.lvh.me' - @user = stub_record :user, {}, true - @client_hex = 'a123' - end - - test "renders json" do - get :new, :format => :json - assert_response :success - assert_json_error nil - end - - test "renders warden errors" do - request.env['warden.options'] = {attempted_path: 'path/to/controller'} - strategy = stub :message => {:field => :translate_me} - request.env['warden'].stubs(:winning_strategy).returns(strategy) - I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") - get :new, :format => :json - assert_response 422 - assert_json_error :field => "translation stub" - end - - # Warden takes care of parsing the params and - # rendering the response. So not much to test here. - test "should perform handshake" do - request.env['warden'].expects(:authenticate!) - # make sure we don't get a template missing error: - @controller.stubs(:render) - post :create, :login => @user.login, 'A' => @client_hex - end - - test "should authenticate" do - request.env['warden'].expects(:authenticate!) - @controller.stubs(:current_user).returns(@user) - handshake = stub(:to_hash => {h: "ash"}) - session[:handshake] = handshake - - post :update, :id => @user.login, :client_auth => @client_hex - - assert_nil session[:handshake] - assert_response :success - assert json_response.keys.include?("id") - assert json_response.keys.include?("token") - assert token = Token.find_by_token(json_response['token']) - assert_equal @user.id, token.user_id - end - - test "destroy should logout" do - login - expect_logout - delete :destroy - assert_response 204 - end - -end diff --git a/test/functional/v1/smtp_certs_controller_test.rb b/test/functional/v1/smtp_certs_controller_test.rb deleted file mode 100644 index 1b03995..0000000 --- a/test/functional/v1/smtp_certs_controller_test.rb +++ /dev/null @@ -1,43 +0,0 @@ -require 'test_helper' - -class V1::SmtpCertsControllerTest < ActionController::TestCase - - test "no smtp cert without login" do - with_config allow_anonymous_certs: true do - post :create - assert_login_required - end - end - - test "require service level with email" do - login - post :create - assert_access_denied - end - - test "send cert with username" do - login effective_service_level: ServiceLevel.new(id: 2) - cert = expect_cert(@current_user.email_address) - cert.expects(:fingerprint).returns('fingerprint') - post :create - assert_response :success - assert_equal cert.to_s, @response.body - end - - test "fail to create cert when disabled" do - login :enabled? => false - post :create - assert_access_denied - end - - protected - - def expect_cert(email) - cert = stub to_s: "#{email.downcase} cert", - expiry: 1.month.from_now.utc.at_midnight - ClientCertificate.expects(:new). - with(:common_name => email). - returns(cert) - return cert - end -end diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb deleted file mode 100644 index 3f7bad3..0000000 --- a/test/functional/v1/users_controller_test.rb +++ /dev/null @@ -1,135 +0,0 @@ -require_relative '../../test_helper' - -class V1::UsersControllerTest < ActionController::TestCase - - test "user can change settings" do - user = find_record :user - changed_attribs = record_attributes_for :user_with_settings - account_settings = stub - account_settings.expects(:update).with(changed_attribs) - Account.expects(:new).with(user).returns(account_settings) - - login user - put :update, :user => changed_attribs, :id => user.id, :format => :json - - assert_equal user, assigns[:user] - assert_response 204 - assert @response.body.blank?, "Response should be blank" - end - - test "admin can update user" do - user = find_record :user - changed_attribs = record_attributes_for :user_with_settings - account_settings = stub - account_settings.expects(:update).with(changed_attribs) - Account.expects(:new).with(user).returns(account_settings) - - login :is_admin? => true - put :update, :user => changed_attribs, :id => user.id, :format => :json - - assert_equal user, assigns[:user] - assert_response 204 - end - - test "user cannot update other user" do - user = find_record :user - login - put :update, id: user.id, - user: record_attributes_for(:user_with_settings), - :format => :json - assert_access_denied - end - - test "should create new user" do - user_attribs = record_attributes_for :user - user = User.new(user_attribs) - Account.expects(:create).with(user_attribs).returns(user) - - post :create, :user => user_attribs, :format => :json - - assert_nil session[:user_id] - assert_json_response user - assert_response :success - end - - test "should redirect to signup form on failed attempt" do - user_attribs = record_attributes_for :user - user_attribs.slice!('login') - user = User.new(user_attribs) - assert !user.valid? - Account.expects(:create).with(user_attribs).returns(user) - - post :create, :user => user_attribs, :format => :json - - assert_json_error user.errors.messages - assert_response 422 - end - - test "admin can autocomplete users" do - login :is_admin? => true - get :index, :query => 'a', :format => :json - - assert_response :success - assert assigns(:users) - end - - test "create returns forbidden if registration is closed" do - user_attribs = record_attributes_for :user - with_config(allow_registration: false) do - post :create, :user => user_attribs, :format => :json - assert_response :forbidden - end - end - - test "admin can show user" do - user = FactoryGirl.create :user - login :is_admin? => true - get :show, :id => 0, :login => user.login, :format => :json - assert_response :success - assert_json_response user - get :show, :id => user.id, :format => :json - assert_response :success - assert_json_response user - get :show, :id => "0", :format => :json - assert_response :not_found - end - - test "normal users cannot show user" do - user = find_record :user - login - get :show, :id => 0, :login => user.login, :format => :json - assert_access_denied - end - - test "api monitor auth can create and destroy test users" do - # should work even with registration off and/or invites required - with_config(allow_registration: false, invite_required: true) do - monitor_auth do - user_attribs = record_attributes_for :test_user - post :create, :user => user_attribs, :format => :json - assert_response :success - delete :destroy, :id => assigns(:user).id, :format => :json - assert_response :success - end - end - end - - test "api monitor auth cannot create normal users" do - monitor_auth do - user_attribs = record_attributes_for :user - post :create, :user => user_attribs, :format => :json - assert_response :forbidden - end - end - - test "api monitor auth cannot delete normal users" do - post :create, :user => record_attributes_for(:user), :format => :json - assert_response :success - normal_user_id = assigns(:user).id - monitor_auth do - delete :destroy, :id => normal_user_id, :format => :json - assert_response :forbidden - end - end - -end diff --git a/test/integration/api/cert_test.rb b/test/integration/api/cert_test.rb index 772901d..289d3c6 100644 --- a/test/integration/api/cert_test.rb +++ b/test/integration/api/cert_test.rb @@ -5,7 +5,7 @@ class CertTest < ApiIntegrationTest test "retrieve eip cert" do login - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -14,13 +14,13 @@ class CertTest < ApiIntegrationTest end test "fetching certs requires login by default" do - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_login_required end test "retrieve anonymous eip cert" do with_config allow_anonymous_certs: true do - get '/1/cert', {}, RACK_ENV + get cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -28,4 +28,9 @@ class CertTest < ApiIntegrationTest assert_response_includes "END CERTIFICATE" end end + + def cert_url + "/#{api_version}/cert" + end + end diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb index 7216496..dc24420 100644 --- a/test/integration/api/signup_test.rb +++ b/test/integration/api/signup_test.rb @@ -1,4 +1,4 @@ -require_relative '../../test_helper' +require 'test_helper' require_relative 'srp_test' class SignupTest < SrpTest diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index 681d509..53382c1 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb @@ -11,7 +11,7 @@ class SmtpCertTest < ApiIntegrationTest test "retrieve smtp cert" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -22,7 +22,7 @@ class SmtpCertTest < ApiIntegrationTest test "cert and key" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) key = OpenSSL::PKey::RSA.new(get_response.body) @@ -34,7 +34,7 @@ class SmtpCertTest < ApiIntegrationTest test "fingerprint is stored with identity" do @user = FactoryGirl.create :user, effective_service_level_code: 2, :invite_code => @testcode.invite_code login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') @@ -48,14 +48,18 @@ class SmtpCertTest < ApiIntegrationTest test "fetching smtp certs requires email account" do login - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_access_denied end test "no anonymous smtp certs" do with_config allow_anonymous_certs: true do - post '/1/smtp_cert', {}, RACK_ENV + post smtp_cert_url, {}, RACK_ENV assert_login_required end end + + def smtp_cert_url + "/#{api_version}/smtp_cert" + end end diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb index 463abcd..b9605f9 100644 --- a/test/integration/api/srp_test.rb +++ b/test/integration/api/srp_test.rb @@ -14,7 +14,7 @@ class SrpTest < RackTest # this test wraps the api and implements the interface the ruby-srp client. def handshake(login, aa) - post "http://api.lvh.me:3000/1/sessions.json", + post api_url("sessions.json"), :login => login, 'A' => aa, :format => :json @@ -27,7 +27,7 @@ class SrpTest < RackTest end def validate(m) - put "http://api.lvh.me:3000/1/sessions/" + @login + '.json', + put api_url("sessions/#{@login}.json"), :client_auth => m, :format => :json return JSON.parse(last_response.body) @@ -39,7 +39,7 @@ class SrpTest < RackTest def register_user(login = "integration_test", password = 'srp, verify me!', invite_code = @testcode.invite_code) cleanup_user(login) - post 'http://api.lvh.me:3000/1/users.json', + post api_url('users.json'), user_params(login: login, password: password, invite_code: invite_code) assert(@user = User.find_by_login(login), 'user should have been created: %s' % last_response_errors) @login = login @@ -47,7 +47,7 @@ class SrpTest < RackTest end def update_user(params) - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + put api_url("users/#{@user.id}.json"), user_params(params), auth_headers end @@ -68,7 +68,7 @@ class SrpTest < RackTest end def logout(params=nil, headers=nil) - delete "http://api.lvh.me:3000/1/logout.json", + delete api_url("logout.json"), params || {format: :json}, headers || auth_headers end @@ -112,4 +112,12 @@ class SrpTest < RackTest rescue "" end + + def api_url(path) + "http://api.lvh.me:3000/#{api_version}/#{path}" + end + + def api_version + 2 + end end diff --git a/test/integration/api/token_auth_test.rb b/test/integration/api/token_auth_test.rb index 3b83f23..7b20b00 100644 --- a/test/integration/api/token_auth_test.rb +++ b/test/integration/api/token_auth_test.rb @@ -1,4 +1,4 @@ -require_relative '../../test_helper' +require 'test_helper' require_relative 'srp_test' class TokenAuthTest < SrpTest diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb index 16bbb8c..1492006 100644 --- a/test/integration/api/update_account_test.rb +++ b/test/integration/api/update_account_test.rb @@ -14,7 +14,7 @@ class UpdateAccountTest < SrpTest test "require token" do authenticate - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + put "http://api.lvh.me:3000/2/users/" + @user.id + '.json', user_params(password: "No! Verify me instead.") assert_login_required end diff --git a/test/integration/browser/account_livecycle_test.rb.orig b/test/integration/browser/account_livecycle_test.rb.orig new file mode 100644 index 0000000..d1f800b --- /dev/null +++ b/test/integration/browser/account_livecycle_test.rb.orig @@ -0,0 +1,153 @@ +require 'test_helper' + +class AccountLivecycleTest < BrowserIntegrationTest + + teardown do + Identity.destroy_all_orphaned + end + + test "signup successfully when invited" do + username, password = submit_signup + assert page.has_content?("Welcome #{username}") + click_on 'Log Out' + assert page.has_content?("Log In") + assert_equal '/', current_path + assert user = User.find_by_login(username) + user.account.destroy + end + + test "signup successfully without invitation" do + with_config invite_required: false do + + username ||= "test_#{SecureRandom.urlsafe_base64}".downcase + password ||= SecureRandom.base64 + + visit '/users/new' + fill_in 'Username', with: username + fill_in 'Password', with: password + fill_in 'Password confirmation', with: password + click_on 'Sign Up' + + assert page.has_content?("Welcome #{username}") + end + end + + test "signup with username ending in dot json" do + username = Faker::Internet.user_name + '.json' + submit_signup username + assert page.has_content?("Welcome #{username}") + end + + test "signup with reserved username" do + username = 'certmaster' + submit_signup username + assert page.has_content?("is reserved.") + end + + test "successful login" do + username, password = submit_signup + click_on 'Log Out' + attempt_login(username, password) + assert page.has_content?("Welcome #{username}") + within('.sidenav li.active') do + assert page.has_content?("Overview") + end + User.find_by_login(username).account.destroy + end + + test "failed login" do + visit '/' + attempt_login("username", "wrong password") + assert_invalid_login(page) + end + + test "account destruction" do + username, password = submit_signup + + click_on I18n.t('account_settings') + click_on I18n.t('destroy_my_account') + assert page.has_content?(I18n.t('account_destroyed')) + assert_equal 1, Identity.by_address.key("#{username}@test.me").count + attempt_login(username, password) + assert_invalid_login(page) + end + + test "handle blocked after account destruction" do + username, password = submit_signup + click_on I18n.t('account_settings') + click_on I18n.t('destroy_my_account') + submit_signup(username) + assert page.has_content?('has already been taken') + end + + test "change pgp key" do + with_config user_actions: ['change_pgp_key'] do + pgp_key = FactoryGirl.build :pgp_key + login + click_on "Account Settings" + within('#update_pgp_key') do + fill_in 'Public key', with: pgp_key + click_on 'Save' + end + page.assert_selector 'input[value="Saving..."]' + # at some point we're done: + page.assert_no_selector 'input[value="Saving..."]' + assert page.has_field? 'Public key', with: pgp_key.to_s + @user.reload + assert_equal pgp_key, @user.public_key + end + end + +<<<<<<< HEAD:test/integration/browser/account_livecycle_test.rb +======= + + # trying to seed an invalid A for srp login + test "detects attempt to circumvent SRP" do + InviteCodeValidator.any_instance.stubs(:validate) + + user = FactoryGirl.create :user + visit '/login' + fill_in 'Username', with: user.login + fill_in 'Password', with: "password" + inject_malicious_js + click_on 'Log In' + assert page.has_content?("Invalid random key") + assert page.has_no_content?("Welcome") + user.destroy + end + + test "reports internal server errors" do + Api::UsersController.any_instance.stubs(:create).raises + submit_signup + assert page.has_content?("server failed") + end + + test "does not render signup form without js" do + Capybara.current_driver = :rack_test # no js + visit '/signup' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + + test "does not render login form without js" do + Capybara.current_driver = :rack_test # no js + visit '/login' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + +>>>>>>> api: allow version bumping - bump to 2:test/integration/browser/account_test.rb + def attempt_login(username, password) + click_on 'Log In' + fill_in 'Username', with: username + fill_in 'Password', with: password + click_on 'Log In' + end + + def assert_invalid_login(page) + assert page.has_selector? '.btn-primary.disabled' + assert page.has_content? I18n.t(:invalid_user_pass) + assert page.has_no_selector? '.btn-primary.disabled' + end + +end diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb index c13acd8..825d50b 100644 --- a/test/integration/browser/security_test.rb +++ b/test/integration/browser/security_test.rb @@ -22,7 +22,7 @@ class SecurityTest < BrowserIntegrationTest end test "reports internal server errors" do - V1::UsersController.any_instance.stubs(:create).raises + Api::UsersController.any_instance.stubs(:create).raises submit_signup assert page.has_content?("server failed") end diff --git a/test/support/api_integration_test.rb b/test/support/api_integration_test.rb index 3b3481b..cea480c 100644 --- a/test/support/api_integration_test.rb +++ b/test/support/api_integration_test.rb @@ -3,6 +3,10 @@ class ApiIntegrationTest < ActionDispatch::IntegrationTest DUMMY_TOKEN = Token.new RACK_ENV = {'HTTP_AUTHORIZATION' => %Q(Token token="#{DUMMY_TOKEN.to_s}")} + def api_version + 2 + end + setup do @testcode = InviteCode.new @testcode.save! -- cgit v1.2.3