From b11f61b922748949ff0b762ec2aed0558de3c28b Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 24 Mar 2016 11:36:04 +0100
Subject: test: response is blank - not = ' '
---
test/functional/v1/users_controller_test.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test/functional')
diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb
index df59c4d..3f7bad3 100644
--- a/test/functional/v1/users_controller_test.rb
+++ b/test/functional/v1/users_controller_test.rb
@@ -14,7 +14,7 @@ class V1::UsersControllerTest < ActionController::TestCase assert_equal user, assigns[:user] assert_response 204
- assert_equal " ", @response.body
+ assert @response.body.blank?, "Response should be blank" end
-- cgit v1.2.3
From bef4c747e8a6adbf485dc0f466dbee1d03eab9c0 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 24 Mar 2016 21:44:25 +0100
Subject: test: use assert_error_response in functional test
This way the changed flash hash still is recognized. Also changed the generic 'no_such_thing' i18n key to more specific 'no_such_user'. The former is very hard to translate as the gender of thing may affect the translation of the 'no such' part.
---
test/functional/users_controller_test.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test/functional')
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 7b24098..6029c83 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -67,8 +67,8 @@ class UsersControllerTest < ActionController::TestCase nonid = 'thisisnotanexistinguserid' login :is_admin? => true get :show, :id => nonid
+ assert_error_response :no_such_user assert_response :redirect
- assert_equal({:alert => "No such user."}, flash.to_hash) assert_redirected_to users_path end
-- cgit v1.2.3
From a7718c19ab96648e37063c05bffe21bc2c315325 Mon Sep 17 00:00:00 2001
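Review bot: `assert @response.body.blank?, "Response should be blank"` drops the actual body from the failure output, so when it breaks the reader only sees the hand-written message; `assert_predicate @response.body, :blank?` performs the same check and reports the offending value itself. The enclosing test block starts before this hunk.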
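Review bot: Replacing the exact `flash.to_hash` comparison with `assert_error_response :no_such_user` makes this test depend on a helper defined outside the hunk and on an i18n key whose rename the commit message describes but this diff, limited to test/functional, does not contain. Worth confirming that the helper still asserts on `flash[:alert]` rather than only on the response body, since otherwise this hunk no longer checks that an alert is set on the redirect path. The enclosing test block begins outside the hunk.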
From: Azul
Date: Tue, 3 May 2016 09:01:18 -0300
Subject: fix type mismatch TokenAuthTest
rails 4 mixes model, controller and integration tests. So lets give this one a better name
---
.../configs_controller_with_static_tokens_test.rb | 40 ++++++++++++++++++++++
test/functional/token_auth_test.rb | 40 ----------------------
2 files changed, 40 insertions(+), 40 deletions(-)
create mode 100644 test/functional/configs_controller_with_static_tokens_test.rb
delete mode 100644 test/functional/token_auth_test.rb
(limited to 'test/functional')
diff --git a/test/functional/configs_controller_with_static_tokens_test.rb b/test/functional/configs_controller_with_static_tokens_test.rb
new file mode 100644
index 0000000..79739fe
--- /dev/null
+++ b/test/functional/configs_controller_with_static_tokens_test.rb
@@ -0,0 +1,40 @@
+#
+# tests for authenticating an admin or monitor user
+# via static configured tokens.
+#
+
+require 'test_helper'
+
+class ConfigsControllerWithStaticTokensTest < ActionController::TestCase
+ tests V1::ConfigsController
+
+ def test_login_via_api_token
+ with_config(:allow_anonymous_certs => false) do
+ monitor_auth do
+ get :index
+ assert assigns(:token), 'should have authenticated via api token'
+ assert assigns(:token).is_a? ApiToken
+ assert @controller.send(:current_user).is_a? ApiMonitorUser
+ end
+ end
+ end
+
+ def test_fail_api_auth_when_ip_not_allowed
+ with_config(:allow_anonymous_certs => false) do
+ allowed = "99.99.99.99"
+ new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
+ with_config(new_config) do
+ monitor_auth do
+ request.env['REMOTE_ADDR'] = "1.1.1.1"
+ get :index
+ assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
+ request.env['REMOTE_ADDR'] = allowed
+ get :index
+ assert assigns(:token), "should have authenticated via api token"
+ end
+ end
+ end
+ end
+
+end
+
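Review bot: The disallowed-IP branch of `test_fail_api_auth_when_ip_not_allowed` only asserts that `assigns(:token)` is nil after the first `get :index`; it never checks the HTTP outcome, so a controller that silently fell through to anonymous handling would still pass. Add a status assertion right after that request — with `allow_anonymous_certs` false this should be the suite's `assert_access_denied` (used in the other functional tests in this series), or whichever status the controller returns for an unauthenticated client. Both requests also run through the same `@controller` instance and `assigns` reads its instance variables, so a `@token` set by the first request would still be visible after the second; the denied-then-allowed ordering happens to mask that, and splitting the two cases into separate tests would make each stand on its own. Since the allow-list check is driven only through `request.env['REMOTE_ADDR']`, one more case that sets a forwarded-for header to the allowed address while `REMOTE_ADDR` stays disallowed would document whether the controller trusts proxy headers (this depends on whether it reads `remote_ip`, which is not visible here). The same test body reappears unchanged as test/functional/api/token_auth_test.rb in the later commit e05a1b0f5ae40a2aa17976b3009cd563b8e4660a, so these points apply there too.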
diff --git a/test/functional/token_auth_test.rb b/test/functional/token_auth_test.rb
deleted file mode 100644
index 53d5fb3..0000000
--- a/test/functional/token_auth_test.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# tests for authenticating an admin or monitor user
-# via static configured tokens.
-#
-
-require_relative '../test_helper'
-
-class TokenAuthTest < ActionController::TestCase
- tests V1::ConfigsController
-
- def test_login_via_api_token
- with_config(:allow_anonymous_certs => false) do
- monitor_auth do
- get :index
- assert assigns(:token), 'should have authenticated via api token'
- assert assigns(:token).is_a? ApiToken
- assert @controller.send(:current_user).is_a? ApiMonitorUser
- end
- end
- end
-
- def test_fail_api_auth_when_ip_not_allowed
- with_config(:allow_anonymous_certs => false) do
- allowed = "99.99.99.99"
- new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
- with_config(new_config) do
- monitor_auth do
- request.env['REMOTE_ADDR'] = "1.1.1.1"
- get :index
- assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
- request.env['REMOTE_ADDR'] = allowed
- get :index
- assert assigns(:token), "should have authenticated via api token"
- end
- end
- end
- end
-
-end
-
-- cgit v1.2.3
From 33e2a52f683697ca8489d856df90b39bfbbe7373 Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 3 May 2016 11:29:45 -0300
Subject: use APP_CONFIG[config_file_paths] for provider.json
This avoids overwriting the PROVIDER_JSON constant in the StaticConfigController and thus fixes test warnings. Also moved away from using instance variables in the ControllerExtension::JsonFile - instead querying the corresponding functions now - less sideeffects and easier stubbing.
---
test/functional/static_config_controller_test.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'test/functional')
diff --git a/test/functional/static_config_controller_test.rb b/test/functional/static_config_controller_test.rb
index 9c2cfef..7027bf8 100644
--- a/test/functional/static_config_controller_test.rb
+++ b/test/functional/static_config_controller_test.rb
@@ -1,7 +1,7 @@
require 'test_helper' # use minitest for stubbing, rather than bloated mocha
-require 'minitest/stub_const'
+require 'minitest/mock' class StaticConfigControllerTest < ActionController::TestCase
@@ -9,7 +9,7 @@ class StaticConfigControllerTest < ActionController::TestCase end def test_provider_success
- StaticConfigController.stub_const(:PROVIDER_JSON, file_path('provider.json')) do
+ @controller.stub(:provider_json, file_path('provider.json')) do get :provider, format: :json assert_equal 'application/json', @response.content_type assert_response :success
@@ -17,7 +17,7 @@ class StaticConfigControllerTest < ActionController::TestCase end def test_provider_not_modified
- StaticConfigController.stub_const(:PROVIDER_JSON, file_path('provider.json')) do
+ @controller.stub(:provider_json, file_path('provider.json')) do request.env["HTTP_IF_MODIFIED_SINCE"] = File.mtime(file_path('provider.json')).rfc2822() get :provider, format: :json assert_response 304
-- cgit v1.2.3
From 0ab4b26752c7949840f9168a7e8dc94226debd51 Mon Sep 17 00:00:00 2001
From: Azul
Date: Mon, 9 May 2016 08:34:50 +0200
Subject: minor: cleanup debug message in test
---
test/functional/v1/messages_controller_test.rb | 1 -
1 file changed, 1 deletion(-)
(limited to 'test/functional')
diff --git a/test/functional/v1/messages_controller_test.rb b/test/functional/v1/messages_controller_test.rb
index 67f34a1..f37cca0 100644
--- a/test/functional/v1/messages_controller_test.rb
+++ b/test/functional/v1/messages_controller_test.rb
@@ -15,7 +15,6 @@ class V1::MessagesControllerTest < ActionController::TestCase login @user get :index, :locale => 'es' body = JSON.parse(response.body)
- p body message1 = "

\"This\" is a very fine message. https://bitmask.net

\n" assert_equal 2, body.size, 'there should be two messages' assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md'
-- cgit v1.2.3
From e05a1b0f5ae40a2aa17976b3009cd563b8e4660a Mon Sep 17 00:00:00 2001
From: Azul Date: Sun, 1 May 2016 10:55:33 -0300 Subject: api: allow version bumping - bump to 2 --- test/functional/api/certs_controller_test.rb | 60 +++++++++ test/functional/api/identities_controller_test.rb | 24 ++++ test/functional/api/messages_controller_test.rb | 99 +++++++++++++++ test/functional/api/services_controller_test.rb | 28 +++++ test/functional/api/sessions_controller_test.rb | 62 ++++++++++ test/functional/api/smtp_certs_controller_test.rb | 43 +++++++ test/functional/api/token_auth_test.rb | 40 ++++++ test/functional/api/users_controller_test.rb | 135 +++++++++++++++++++++ .../configs_controller_with_static_tokens_test.rb | 40 ------ test/functional/v1/certs_controller_test.rb | 60 --------- test/functional/v1/identities_controller_test.rb | 24 ---- test/functional/v1/messages_controller_test.rb | 99 --------------- test/functional/v1/services_controller_test.rb | 28 ----- test/functional/v1/sessions_controller_test.rb | 62 ---------- test/functional/v1/smtp_certs_controller_test.rb | 43 ------- test/functional/v1/users_controller_test.rb | 135 --------------------- 16 files changed, 491 insertions(+), 491 deletions(-) create mode 100644 test/functional/api/certs_controller_test.rb create mode 100644 test/functional/api/identities_controller_test.rb create mode 100644 test/functional/api/messages_controller_test.rb create mode 100644 test/functional/api/services_controller_test.rb create mode 100644 test/functional/api/sessions_controller_test.rb create mode 100644 test/functional/api/smtp_certs_controller_test.rb create mode 100644 test/functional/api/token_auth_test.rb create mode 100644 test/functional/api/users_controller_test.rb delete mode 100644 test/functional/configs_controller_with_static_tokens_test.rb delete mode 100644 test/functional/v1/certs_controller_test.rb delete mode 100644 test/functional/v1/identities_controller_test.rb delete mode 100644 test/functional/v1/messages_controller_test.rb delete mode 100644 
test/functional/v1/services_controller_test.rb
delete mode 100644 test/functional/v1/sessions_controller_test.rb
delete mode 100644 test/functional/v1/smtp_certs_controller_test.rb
delete mode 100644 test/functional/v1/users_controller_test.rb
(limited to 'test/functional')
diff --git a/test/functional/api/certs_controller_test.rb b/test/functional/api/certs_controller_test.rb
new file mode 100644
index 0000000..137ed92
--- /dev/null
+++ b/test/functional/api/certs_controller_test.rb
@@ -0,0 +1,60 @@
+require_relative '../../test_helper'
+
+class Api::CertsControllerTest < ActionController::TestCase
+
+ test "create unlimited cert without login" do
+ with_config allow_anonymous_certs: true do
+ cert = expect_cert('UNLIMITED')
+ post :create
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+ end
+
+ test "create limited cert" do
+ with_config allow_limited_certs: true do
+ login
+ cert = expect_cert('LIMITED')
+ post :create
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+ end
+
+ test "fail to create cert when disabled" do
+ login :enabled? => false
+ post :create
+ assert_access_denied
+ end
+
+ test "create unlimited cert" do
+ login effective_service_level: ServiceLevel.new(id: 2)
+ cert = expect_cert('UNLIMITED')
+ post :create
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+
+ test "GET still works as an alias" do
+ login effective_service_level: ServiceLevel.new(id: 2)
+ cert = expect_cert('UNLIMITED')
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+
+ test "redirect if no eip service offered" do
+ post :create
+ assert_response :redirect
+ end
+
+ protected
+
+ def expect_cert(prefix)
+ cert = stub :to_s => "#{prefix.downcase} cert"
+ ClientCertificate.expects(:new).
+ with(:prefix => prefix).
+ returns(cert)
+ return cert
+ end
+end
diff --git a/test/functional/api/identities_controller_test.rb b/test/functional/api/identities_controller_test.rb
new file mode 100644
index 0000000..e803ee7
--- /dev/null
+++ b/test/functional/api/identities_controller_test.rb
@@ -0,0 +1,24 @@
+require_relative '../../test_helper'
+
+class Api::IdentitiesControllerTest < ActionController::TestCase
+
+ test "api monitor can fetch identity" do
+ monitor_auth do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :success
+ assert_equal identity, assigns(:identity)
+
+ get :show, :id => "blahblahblah", :format => 'json'
+ assert_response :not_found
+ end
+ end
+
+
+ test "anonymous cannot fetch identity" do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :forbidden
+ end
+
+end
diff --git a/test/functional/api/messages_controller_test.rb b/test/functional/api/messages_controller_test.rb
new file mode 100644
index 0000000..01641d4
--- /dev/null
+++ b/test/functional/api/messages_controller_test.rb
@@ -0,0 +1,99 @@
+require 'test_helper'
+
+class Api::MessagesControllerTest < ActionController::TestCase
+
+ setup do
+ @user = FactoryGirl.build(:user)
+ @user.save
+ end
+
+ # NOTE: the available languages for test are :en and :de
+ # so :es will result in english response.
+
+ test "get the motd" do
+ with_config("customization_directory" => Rails.root+'test/files') do
+ login @user
+ get :index, :locale => 'es'
+ body = JSON.parse(response.body)
+ message1 = "

\"This\" is a very fine message. https://bitmask.net

\n"
+ assert_equal 2, body.size, 'there should be two messages'
+ assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md'
+ end
+ end
+
+ test "get localized motd" do
+ with_config("customization_directory" => Rails.root+'test/files') do
+ login @user
+ get :index, :locale => 'de'
+ body = JSON.parse(response.body)
+ message1 = "

Dies ist eine sehr feine Nachricht. https://bitmask.net

\n"
+ assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md'
+ end
+ end
+
+ test "get empty motd" do
+ login @user
+ get :index
+ assert_equal "[]", response.body, "motd response should be empty if no motd directory exists"
+ end
+
+ ##
+ ## For now, only the static file MOTD is supported, not messages in the db.
+ ## so, this is disabled:
+ ##
+=begin
+ setup do
+ InviteCodeValidator.any_instance.stubs(:validate)
+ @user = FactoryGirl.build(:user)
+ @user.save
+ @message = Message.new(:text => 'a test message')
+ @message.user_ids_to_show << @user.id
+ @message.save
+ end
+
+ teardown do
+ @message.destroy
+ @user.destroy
+ end
+
+ test "get messages for user" do
+ login @user
+ get :index
+ assert response.body.include? @message.text
+ assert response.body.include? @message.id
+ end
+
+ test "mark message read for user" do
+ login @user
+ assert @message.user_ids_to_show.include?(@user.id)
+ assert !@message.user_ids_have_shown.include?(@user.id)
+ put :update, :id => @message.id
+ @message.reload
+ assert !@message.user_ids_to_show.include?(@user.id)
+ assert @message.user_ids_have_shown.include?(@user.id)
+ assert_success :marked_as_read
+ end
+
+ test "do not get seen messages" do
+ login @user
+ put :update, :id => @message.id
+ @message.reload
+ get :index
+ assert !(response.body.include? @message.text)
+ assert !(response.body.include? @message.id)
+ end
+
+
+ test "mark read responds even with bad inputs" do
+ login @user
+ put :update, :id => 'more nonsense'
+ assert_not_found
+ end
+
+ test "fails if not authenticated" do
+ get :index, :format => :json
+ assert_login_required
+ end
+=end
+
+end
diff --git a/test/functional/api/services_controller_test.rb b/test/functional/api/services_controller_test.rb
new file mode 100644
index 0000000..b1dc9f3
--- /dev/null
+++ b/test/functional/api/services_controller_test.rb
@@ -0,0 +1,28 @@
+require 'test_helper'
+
+class Api::ServicesControllerTest < ActionController::TestCase
+
+ test "anonymous user gets login required service info" do
+ get :show, format: :json
+ assert_json_response error: 'not_authorized_login',
+ message: 'Please log in to perform that action.'
+ end
+
+ test "anonymous user gets vpn service info" do
+ with_config allow_anonymous_certs: true do
+ get :show, format: :json
+ assert_json_response name: 'anonymous',
+ eip_rate_limit: false,
+ description: 'anonymous access to the VPN'
+ end
+ end
+
+ test "user can see their service info" do
+ login
+ get :show, format: :json
+ default_level = APP_CONFIG[:default_service_level]
+ assert_json_response APP_CONFIG[:service_levels][default_level]
+ end
+
+end
+
diff --git a/test/functional/api/sessions_controller_test.rb b/test/functional/api/sessions_controller_test.rb
new file mode 100644
index 0000000..0633578
--- /dev/null
+++ b/test/functional/api/sessions_controller_test.rb
@@ -0,0 +1,62 @@
+require 'test_helper'
+
+# This is a simple controller unit test.
+# We're stubbing out both warden and srp.
+# There's an integration test testing the full rack stack and srp
+class Api::SessionsControllerTest < ActionController::TestCase
+
+ setup do
+ @request.env['HTTP_HOST'] = 'api.lvh.me'
+ @user = stub_record :user, {}, true
+ @client_hex = 'a123'
+ end
+
+ test "renders json" do
+ get :new, :format => :json
+ assert_response :success
+ assert_json_error nil
+ end
+
+ test "renders warden errors" do
+ request.env['warden.options'] = {attempted_path: 'path/to/controller'}
+ strategy = stub :message => {:field => :translate_me}
+ request.env['warden'].stubs(:winning_strategy).returns(strategy)
+ I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub")
+ get :new, :format => :json
+ assert_response 422
+ assert_json_error :field => "translation stub"
+ end
+
+ # Warden takes care of parsing the params and
+ # rendering the response. So not much to test here.
+ test "should perform handshake" do
+ request.env['warden'].expects(:authenticate!)
+ # make sure we don't get a template missing error:
+ @controller.stubs(:render)
+ post :create, :login => @user.login, 'A' => @client_hex
+ end
+
+ test "should authenticate" do
+ request.env['warden'].expects(:authenticate!)
+ @controller.stubs(:current_user).returns(@user)
+ handshake = stub(:to_hash => {h: "ash"})
+ session[:handshake] = handshake
+
+ post :update, :id => @user.login, :client_auth => @client_hex
+
+ assert_nil session[:handshake]
+ assert_response :success
+ assert json_response.keys.include?("id")
+ assert json_response.keys.include?("token")
+ assert token = Token.find_by_token(json_response['token'])
+ assert_equal @user.id, token.user_id
+ end
+
+ test "destroy should logout" do
+ login
+ expect_logout
+ delete :destroy
+ assert_response 204
+ end
+
+end
diff --git a/test/functional/api/smtp_certs_controller_test.rb b/test/functional/api/smtp_certs_controller_test.rb
new file mode 100644
index 0000000..2142675
--- /dev/null
+++ b/test/functional/api/smtp_certs_controller_test.rb
@@ -0,0 +1,43 @@
+require 'test_helper'
+
+class Api::SmtpCertsControllerTest < ActionController::TestCase
+
+ test "no smtp cert without login" do
+ with_config allow_anonymous_certs: true do
+ post :create
+ assert_login_required
+ end
+ end
+
+ test "require service level with email" do
+ login
+ post :create
+ assert_access_denied
+ end
+
+ test "send cert with username" do
+ login effective_service_level: ServiceLevel.new(id: 2)
+ cert = expect_cert(@current_user.email_address)
+ cert.expects(:fingerprint).returns('fingerprint')
+ post :create
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+
+ test "fail to create cert when disabled" do
+ login :enabled? => false
+ post :create
+ assert_access_denied
+ end
+
+ protected
+
+ def expect_cert(email)
+ cert = stub to_s: "#{email.downcase} cert",
+ expiry: 1.month.from_now.utc.at_midnight
+ ClientCertificate.expects(:new).
+ with(:common_name => email).
+ returns(cert)
+ return cert
+ end
+end
diff --git a/test/functional/api/token_auth_test.rb b/test/functional/api/token_auth_test.rb
new file mode 100644
index 0000000..17a4775
--- /dev/null
+++ b/test/functional/api/token_auth_test.rb
@@ -0,0 +1,40 @@
+#
+# tests for authenticating an admin or monitor user
+# via static configured tokens.
+#
+
+require 'test_helper'
+
+class Api::TokenAuthTest < ActionController::TestCase
+ tests Api::ConfigsController
+
+ def test_login_via_api_token
+ with_config(:allow_anonymous_certs => false) do
+ monitor_auth do
+ get :index
+ assert assigns(:token), 'should have authenticated via api token'
+ assert assigns(:token).is_a? ApiToken
+ assert @controller.send(:current_user).is_a? ApiMonitorUser
+ end
+ end
+ end
+
+ def test_fail_api_auth_when_ip_not_allowed
+ with_config(:allow_anonymous_certs => false) do
+ allowed = "99.99.99.99"
+ new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
+ with_config(new_config) do
+ monitor_auth do
+ request.env['REMOTE_ADDR'] = "1.1.1.1"
+ get :index
+ assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
+ request.env['REMOTE_ADDR'] = allowed
+ get :index
+ assert assigns(:token), "should have authenticated via api token"
+ end
+ end
+ end
+ end
+
+end
+
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
new file mode 100644
index 0000000..bc2e312
--- /dev/null
+++ b/test/functional/api/users_controller_test.rb
@@ -0,0 +1,135 @@
+require_relative '../../test_helper'
+
+class Api::UsersControllerTest < ActionController::TestCase
+
+ test "user can change settings" do
+ user = find_record :user
+ changed_attribs = record_attributes_for :user_with_settings
+ account_settings = stub
+ account_settings.expects(:update).with(changed_attribs)
+ Account.expects(:new).with(user).returns(account_settings)
+
+ login user
+ put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+ assert_equal user, assigns[:user]
+ assert_response 204
+ assert @response.body.blank?, "Response should be blank"
+ end
+
+ test "admin can update user" do
+ user = find_record :user
+ changed_attribs = record_attributes_for :user_with_settings
+ account_settings = stub
+ account_settings.expects(:update).with(changed_attribs)
+ Account.expects(:new).with(user).returns(account_settings)
+
+ login :is_admin? => true
+ put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+ assert_equal user, assigns[:user]
+ assert_response 204
+ end
+
+ test "user cannot update other user" do
+ user = find_record :user
+ login
+ put :update, id: user.id,
+ user: record_attributes_for(:user_with_settings),
+ :format => :json
+ assert_access_denied
+ end
+
+ test "should create new user" do
+ user_attribs = record_attributes_for :user
+ user = User.new(user_attribs)
+ Account.expects(:create).with(user_attribs).returns(user)
+
+ post :create, :user => user_attribs, :format => :json
+
+ assert_nil session[:user_id]
+ assert_json_response user
+ assert_response :success
+ end
+
+ test "should redirect to signup form on failed attempt" do
+ user_attribs = record_attributes_for :user
+ user_attribs.slice!('login')
+ user = User.new(user_attribs)
+ assert !user.valid?
+ Account.expects(:create).with(user_attribs).returns(user)
+
+ post :create, :user => user_attribs, :format => :json
+
+ assert_json_error user.errors.messages
+ assert_response 422
+ end
+
+ test "admin can autocomplete users" do
+ login :is_admin? => true
+ get :index, :query => 'a', :format => :json
+
+ assert_response :success
+ assert assigns(:users)
+ end
+
+ test "create returns forbidden if registration is closed" do
+ user_attribs = record_attributes_for :user
+ with_config(allow_registration: false) do
+ post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "admin can show user" do
+ user = FactoryGirl.create :user
+ login :is_admin? => true
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => "0", :format => :json
+ assert_response :not_found
+ end
+
+ test "normal users cannot show user" do
+ user = find_record :user
+ login
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_access_denied
+ end
+
+ test "api monitor auth can create and destroy test users" do
+ # should work even with registration off and/or invites required
+ with_config(allow_registration: false, invite_required: true) do
+ monitor_auth do
+ user_attribs = record_attributes_for :test_user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :success
+ delete :destroy, :id => assigns(:user).id, :format => :json
+ assert_response :success
+ end
+ end
+ end
+
+ test "api monitor auth cannot create normal users" do
+ monitor_auth do
+ user_attribs = record_attributes_for :user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "api monitor auth cannot delete normal users" do
+ post :create, :user => record_attributes_for(:user), :format => :json
+ assert_response
:success
+ normal_user_id = assigns(:user).id
+ monitor_auth do
+ delete :destroy, :id => normal_user_id, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+end
diff --git a/test/functional/configs_controller_with_static_tokens_test.rb b/test/functional/configs_controller_with_static_tokens_test.rb
deleted file mode 100644
index 79739fe..0000000
--- a/test/functional/configs_controller_with_static_tokens_test.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# tests for authenticating an admin or monitor user
-# via static configured tokens.
-#
-
-require 'test_helper'
-
-class ConfigsControllerWithStaticTokensTest < ActionController::TestCase
- tests V1::ConfigsController
-
- def test_login_via_api_token
- with_config(:allow_anonymous_certs => false) do
- monitor_auth do
- get :index
- assert assigns(:token), 'should have authenticated via api token'
- assert assigns(:token).is_a? ApiToken
- assert @controller.send(:current_user).is_a? ApiMonitorUser
- end
- end
- end
-
- def test_fail_api_auth_when_ip_not_allowed
- with_config(:allow_anonymous_certs => false) do
- allowed = "99.99.99.99"
- new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
- with_config(new_config) do
- monitor_auth do
- request.env['REMOTE_ADDR'] = "1.1.1.1"
- get :index
- assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
- request.env['REMOTE_ADDR'] = allowed
- get :index
- assert assigns(:token), "should have authenticated via api token"
- end
- end
- end
- end
-
-end
-
diff --git a/test/functional/v1/certs_controller_test.rb b/test/functional/v1/certs_controller_test.rb
deleted file mode 100644
index 04c1c86..0000000
--- a/test/functional/v1/certs_controller_test.rb
+++ /dev/null
@@ -1,60 +0,0 @@
-require_relative '../../test_helper'
-
-class V1::CertsControllerTest < ActionController::TestCase
-
- test "create unlimited cert without login" do
- with_config allow_anonymous_certs: true do
- cert = expect_cert('UNLIMITED')
- post :create
- assert_response :success
- assert_equal cert.to_s, @response.body
- end
- end
-
- test "create limited cert" do
- with_config allow_limited_certs: true do
- login
- cert = expect_cert('LIMITED')
- post :create
- assert_response :success
- assert_equal cert.to_s, @response.body
- end
- end
-
- test "fail to create cert when disabled" do
- login :enabled? => false
- post :create
- assert_access_denied
- end
-
- test "create unlimited cert" do
- login effective_service_level: ServiceLevel.new(id: 2)
- cert = expect_cert('UNLIMITED')
- post :create
- assert_response :success
- assert_equal cert.to_s, @response.body
- end
-
- test "GET still works as an alias" do
- login effective_service_level: ServiceLevel.new(id: 2)
- cert = expect_cert('UNLIMITED')
- get :show
- assert_response :success
- assert_equal cert.to_s, @response.body
- end
-
- test "redirect if no eip service offered" do
- post :create
- assert_response :redirect
- end
-
- protected
-
- def expect_cert(prefix)
- cert = stub :to_s => "#{prefix.downcase} cert"
- ClientCertificate.expects(:new).
- with(:prefix => prefix).
- returns(cert)
- return cert
- end
-end
diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb
deleted file mode 100644
index 6410c44..0000000
--- a/test/functional/v1/identities_controller_test.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-require_relative '../../test_helper'
-
-class V1::IdentitiesControllerTest < ActionController::TestCase
-
- test "api monitor can fetch identity" do
- monitor_auth do
- identity = FactoryGirl.create :identity
- get :show, :id => identity.address, :format => 'json'
- assert_response :success
- assert_equal identity, assigns(:identity)
-
- get :show, :id => "blahblahblah", :format => 'json'
- assert_response :not_found
- end
- end
-
-
- test "anonymous cannot fetch identity" do
- identity = FactoryGirl.create :identity
- get :show, :id => identity.address, :format => 'json'
- assert_response :forbidden
- end
-
-end
diff --git a/test/functional/v1/messages_controller_test.rb b/test/functional/v1/messages_controller_test.rb
deleted file mode 100644
index f37cca0..0000000
--- a/test/functional/v1/messages_controller_test.rb
+++ /dev/null
@@ -1,99 +0,0 @@
-require 'test_helper'
-
-class V1::MessagesControllerTest < ActionController::TestCase
-
- setup do
- @user = FactoryGirl.build(:user)
- @user.save
- end
-
- # NOTE: the available languages for test are :en and :de
- # so :es will result in english response.
-
- test "get the motd" do
- with_config("customization_directory" => Rails.root+'test/files') do
- login @user
- get :index, :locale => 'es'
- body = JSON.parse(response.body)
- message1 = "

\"This\" is a very fine message. https://bitmask.net

\n"
- assert_equal 2, body.size, 'there should be two messages'
- assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md'
- end
- end
-
- test "get localized motd" do
- with_config("customization_directory" => Rails.root+'test/files') do
- login @user
- get :index, :locale => 'de'
- body = JSON.parse(response.body)
- message1 = "

Dies ist eine sehr feine Nachricht. https://bitmask.net

\n"
- assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md'
- end
- end
-
- test "get empty motd" do
- login @user
- get :index
- assert_equal "[]", response.body, "motd response should be empty if no motd directory exists"
- end
-
- ##
- ## For now, only the static file MOTD is supported, not messages in the db.
- ## so, this is disabled:
- ##
-=begin
- setup do
- InviteCodeValidator.any_instance.stubs(:validate)
- @user = FactoryGirl.build(:user)
- @user.save
- @message = Message.new(:text => 'a test message')
- @message.user_ids_to_show << @user.id
- @message.save
- end
-
- teardown do
- @message.destroy
- @user.destroy
- end
-
- test "get messages for user" do
- login @user
- get :index
- assert response.body.include? @message.text
- assert response.body.include? @message.id
- end
-
- test "mark message read for user" do
- login @user
- assert @message.user_ids_to_show.include?(@user.id)
- assert !@message.user_ids_have_shown.include?(@user.id)
- put :update, :id => @message.id
- @message.reload
- assert !@message.user_ids_to_show.include?(@user.id)
- assert @message.user_ids_have_shown.include?(@user.id)
- assert_success :marked_as_read
- end
-
- test "do not get seen messages" do
- login @user
- put :update, :id => @message.id
- @message.reload
- get :index
- assert !(response.body.include? @message.text)
- assert !(response.body.include? @message.id)
- end
-
-
- test "mark read responds even with bad inputs" do
- login @user
- put :update, :id => 'more nonsense'
- assert_not_found
- end
-
- test "fails if not authenticated" do
- get :index, :format => :json
- assert_login_required
- end
-=end
-
-end
diff --git a/test/functional/v1/services_controller_test.rb b/test/functional/v1/services_controller_test.rb
deleted file mode 100644
index 039eb27..0000000
--- a/test/functional/v1/services_controller_test.rb
+++ /dev/null
@@ -1,28 +0,0 @@ -require 'test_helper' - -class V1::ServicesControllerTest < ActionController::TestCase - - test "anonymous user gets login required service info" do - get :show, format: :json - assert_json_response error: 'not_authorized_login', - message: 'Please log in to perform that action.' - end - - test "anonymous user gets vpn service info" do - with_config allow_anonymous_certs: true do - get :show, format: :json - assert_json_response name: 'anonymous', - eip_rate_limit: false, - description: 'anonymous access to the VPN' - end - end - - test "user can see their service info" do - login - get :show, format: :json - default_level = APP_CONFIG[:default_service_level] - assert_json_response APP_CONFIG[:service_levels][default_level] - end - -end - diff --git a/test/functional/v1/sessions_controller_test.rb b/test/functional/v1/sessions_controller_test.rb deleted file mode 100644 index 8bb6acd..0000000 --- a/test/functional/v1/sessions_controller_test.rb +++ /dev/null 
@@ -1,62 +0,0 @@ -require 'test_helper' - -# This is a simple controller unit test. -# We're stubbing out both warden and srp. -# There's an integration test testing the full rack stack and srp -class V1::SessionsControllerTest < ActionController::TestCase - - setup do - @request.env['HTTP_HOST'] = 'api.lvh.me' - @user = stub_record :user, {}, true - @client_hex = 'a123' - end - - test "renders json" do - get :new, :format => :json - assert_response :success - assert_json_error nil - end - - test "renders warden errors" do - request.env['warden.options'] = {attempted_path: 'path/to/controller'} - strategy = stub :message => {:field => :translate_me} - request.env['warden'].stubs(:winning_strategy).returns(strategy) - I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") - get :new, :format => :json - assert_response 422 - assert_json_error :field => "translation stub" - end - - # Warden takes care of parsing the params and - # rendering the response. So not much to test here. - test "should perform handshake" do - request.env['warden'].expects(:authenticate!) - # make sure we don't get a template missing error: - @controller.stubs(:render) - post :create, :login => @user.login, 'A' => @client_hex - end - - test "should authenticate" do - request.env['warden'].expects(:authenticate!) - @controller.stubs(:current_user).returns(@user) - handshake = stub(:to_hash => {h: "ash"}) - session[:handshake] = handshake - - post :update, :id => @user.login, :client_auth => @client_hex - - assert_nil session[:handshake] - assert_response :success - assert json_response.keys.include?("id") - assert json_response.keys.include?("token") - assert token = Token.find_by_token(json_response['token']) - assert_equal @user.id, token.user_id - end - - test "destroy should logout" do - login - expect_logout - delete :destroy - assert_response 204 - end - -end 
diff --git a/test/functional/v1/smtp_certs_controller_test.rb b/test/functional/v1/smtp_certs_controller_test.rb deleted file mode 100644 index 1b03995..0000000 --- a/test/functional/v1/smtp_certs_controller_test.rb +++ /dev/null @@ -1,43 +0,0 @@ -require 'test_helper' - -class V1::SmtpCertsControllerTest < ActionController::TestCase - - test "no smtp cert without login" do - with_config allow_anonymous_certs: true do - post :create - assert_login_required - end - end - - test "require service level with email" do - login - post :create - assert_access_denied - end - - test "send cert with username" do - login effective_service_level: ServiceLevel.new(id: 2) - cert = expect_cert(@current_user.email_address) - cert.expects(:fingerprint).returns('fingerprint') - post :create - assert_response :success - assert_equal cert.to_s, @response.body - end - - test "fail to create cert when disabled" do - login :enabled? => false - post :create - assert_access_denied - end - - protected - - def expect_cert(email) - cert = stub to_s: "#{email.downcase} cert", - expiry: 1.month.from_now.utc.at_midnight - ClientCertificate.expects(:new). - with(:common_name => email). - returns(cert) - return cert - end -end diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb deleted file mode 100644 index 3f7bad3..0000000 --- a/test/functional/v1/users_controller_test.rb +++ /dev/null 
@@ -1,135 +0,0 @@ -require_relative '../../test_helper' - -class V1::UsersControllerTest < ActionController::TestCase - - test "user can change settings" do - user = find_record :user - changed_attribs = record_attributes_for :user_with_settings - account_settings = stub - account_settings.expects(:update).with(changed_attribs) - Account.expects(:new).with(user).returns(account_settings) - - login user - put :update, :user => changed_attribs, :id => user.id, :format => :json - - assert_equal user, assigns[:user] - assert_response 204 - assert @response.body.blank?, "Response should be blank" - end - - test "admin can update user" do - user = find_record :user - changed_attribs = record_attributes_for :user_with_settings - account_settings = stub - account_settings.expects(:update).with(changed_attribs) - Account.expects(:new).with(user).returns(account_settings) - - login :is_admin? => true - put :update, :user => changed_attribs, :id => user.id, :format => :json - - assert_equal user, assigns[:user] - assert_response 204 - end - - test "user cannot update other user" do - user = find_record :user - login - put :update, id: user.id, - user: record_attributes_for(:user_with_settings), - :format => :json - assert_access_denied - end - - test "should create new user" do - user_attribs = record_attributes_for :user - user = User.new(user_attribs) - Account.expects(:create).with(user_attribs).returns(user) - - post :create, :user => user_attribs, :format => :json - - assert_nil session[:user_id] - assert_json_response user - assert_response :success - end - - test "should redirect to signup form on failed attempt" do - user_attribs = record_attributes_for :user - user_attribs.slice!('login') - user = User.new(user_attribs) - assert !user.valid? 
- Account.expects(:create).with(user_attribs).returns(user) - - post :create, :user => user_attribs, :format => :json - - assert_json_error user.errors.messages - assert_response 422 - end - - test "admin can autocomplete users" do - login :is_admin? => true - get :index, :query => 'a', :format => :json - - assert_response :success - assert assigns(:users) - end - - test "create returns forbidden if registration is closed" do - user_attribs = record_attributes_for :user - with_config(allow_registration: false) do - post :create, :user => user_attribs, :format => :json - assert_response :forbidden - end - end - - test "admin can show user" do - user = FactoryGirl.create :user - login :is_admin? => true - get :show, :id => 0, :login => user.login, :format => :json - assert_response :success - assert_json_response user - get :show, :id => user.id, :format => :json - assert_response :success - assert_json_response user - get :show, :id => "0", :format => :json - assert_response :not_found - end - - test "normal users cannot show user" do - user = find_record :user - login - get :show, :id => 0, :login => user.login, :format => :json - assert_access_denied - end - - test "api monitor auth can create and destroy test users" do - # should work even with registration off and/or invites required - with_config(allow_registration: false, invite_required: true) do - monitor_auth do - user_attribs = record_attributes_for :test_user - post :create, :user => user_attribs, :format => :json - assert_response :success - delete :destroy, :id => assigns(:user).id, :format => :json - assert_response :success - end - end - end - - test "api monitor auth cannot create normal users" do - monitor_auth do - user_attribs = record_attributes_for :user - post :create, :user => user_attribs, :format => :json - assert_response :forbidden - end - end - - test "api monitor auth cannot delete normal users" do - post :create, :user => record_attributes_for(:user), :format => :json - assert_response 
:success - normal_user_id = assigns(:user).id - monitor_auth do - delete :destroy, :id => normal_user_id, :format => :json - assert_response :forbidden - end - end - -end -- cgit v1.2.3 From e542a3056c27fd662ef767b6720861035f6dbb1c Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 18 May 2016 21:00:42 +0200 Subject: api: set defaults for version in routes This way we do not need to specify it all the times. In the functional tests defaults do not get added automatically. Introduced api_{get,put,post,delete} to add format and version default. One to two functional tests failing, everything else passes. --- test/functional/api/certs_controller_test.rb | 16 +++++----- test/functional/api/identities_controller_test.rb | 8 ++--- test/functional/api/messages_controller_test.rb | 14 ++++----- test/functional/api/services_controller_test.rb | 8 ++--- test/functional/api/sessions_controller_test.rb | 12 +++---- test/functional/api/smtp_certs_controller_test.rb | 10 +++--- test/functional/api/token_auth_test.rb | 8 ++--- test/functional/api/users_controller_test.rb | 38 +++++++++++------------ 8 files changed, 57 insertions(+), 57 deletions(-) (limited to 'test/functional') diff --git a/test/functional/api/certs_controller_test.rb b/test/functional/api/certs_controller_test.rb index 137ed92..f23b4c8 100644 --- a/test/functional/api/certs_controller_test.rb +++ b/test/functional/api/certs_controller_test.rb @@ -1,11 +1,11 @@ -require_relative '../../test_helper' +require 'test_helper' -class Api::CertsControllerTest < ActionController::TestCase +class Api::CertsControllerTest < ApiControllerTest test "create unlimited cert without login" do with_config allow_anonymous_certs: true do cert = expect_cert('UNLIMITED') - post :create + api_post :create assert_response :success assert_equal cert.to_s, @response.body end 
@@ -15,7 +15,7 @@ class Api::CertsControllerTest < ActionController::TestCase with_config allow_limited_certs: true do login cert = expect_cert('LIMITED') - post :create + api_post :create assert_response :success assert_equal cert.to_s, @response.body end @@ -23,14 +23,14 @@ class Api::CertsControllerTest < ActionController::TestCase test "fail to create cert when disabled" do login :enabled? => false - post :create + api_post :create assert_access_denied end test "create unlimited cert" do login effective_service_level: ServiceLevel.new(id: 2) cert = expect_cert('UNLIMITED') - post :create + api_post :create assert_response :success assert_equal cert.to_s, @response.body end @@ -38,13 +38,13 @@ class Api::CertsControllerTest < ActionController::TestCase test "GET still works as an alias" do login effective_service_level: ServiceLevel.new(id: 2) cert = expect_cert('UNLIMITED') - get :show + api_get :show assert_response :success assert_equal cert.to_s, @response.body end test "redirect if no eip service offered" do - post :create + api_post :create assert_response :redirect end diff --git a/test/functional/api/identities_controller_test.rb b/test/functional/api/identities_controller_test.rb index e803ee7..57345c8 100644 --- a/test/functional/api/identities_controller_test.rb +++ b/test/functional/api/identities_controller_test.rb @@ -1,15 +1,15 @@ require_relative '../../test_helper' -class Api::IdentitiesControllerTest < ActionController::TestCase +class Api::IdentitiesControllerTest < ApiControllerTest test "api monitor can fetch identity" do monitor_auth do identity = FactoryGirl.create :identity - get :show, :id => identity.address, :format => 'json' + api_get :show, :id => identity.address, :format => 'json' assert_response :success assert_equal identity, assigns(:identity) - get :show, :id => "blahblahblah", :format => 'json' + api_get :show, :id => "blahblahblah", :format => 'json' assert_response :not_found end end 
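Review bot: Both `api_get :show` calls in the identities hunk still pass `:format => 'json'`, which the commit message says `api_get` now supplies as a default, so the argument is redundant and leaves the default itself untested; `api_get :show, :id => identity.address` is enough if the helper merges defaults under explicit params (the helper is not visible here). The same leftover `:format` argument survives in the messages, services, sessions and users hunks below. The identities file also keeps `require_relative '../../test_helper'` while the certs hunk in the same commit switched to `require 'test_helper'`.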
@@ -17,7 +17,7 @@ class Api::IdentitiesControllerTest < ActionController::TestCase test "anonymous cannot fetch identity" do identity = FactoryGirl.create :identity - get :show, :id => identity.address, :format => 'json' + api_get :show, :id => identity.address, :format => 'json' assert_response :forbidden end diff --git a/test/functional/api/messages_controller_test.rb b/test/functional/api/messages_controller_test.rb index 01641d4..e586980 100644 --- a/test/functional/api/messages_controller_test.rb +++ b/test/functional/api/messages_controller_test.rb @@ -1,6 +1,6 @@ require 'test_helper' -class Api::MessagesControllerTest < ActionController::TestCase +class Api::MessagesControllerTest < ApiControllerTest setup do @user = FactoryGirl.build(:user) @@ -13,7 +13,7 @@ class Api::MessagesControllerTest < ActionController::TestCase test "get the motd" do with_config("customization_directory" => Rails.root+'test/files') do login @user - get :index, :locale => 'es' + api_get :index, :locale => 'es' body = JSON.parse(response.body) message1 = "

\"This\" is a very fine message. https://bitmask.net

\n" assert_equal 2, body.size, 'there should be two messages' @@ -24,7 +24,7 @@ class Api::MessagesControllerTest < ActionController::TestCase test "get localized motd" do with_config("customization_directory" => Rails.root+'test/files') do login @user - get :index, :locale => 'de' + api_get :index, :locale => 'de' body = JSON.parse(response.body) message1 = "

Dies ist eine sehr feine Nachricht. https://bitmask.net

\n" assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md' @@ -33,7 +33,7 @@ class Api::MessagesControllerTest < ActionController::TestCase test "get empty motd" do login @user - get :index + api_get :index assert_equal "[]", response.body, "motd response should be empty if no motd directory exists" end @@ -58,7 +58,7 @@ class Api::MessagesControllerTest < ActionController::TestCase test "get messages for user" do login @user - get :index + api_get :index assert response.body.include? @message.text assert response.body.include? @message.id end @@ -78,7 +78,7 @@ class Api::MessagesControllerTest < ActionController::TestCase login @user put :update, :id => @message.id @message.reload - get :index + api_get :index assert !(response.body.include? @message.text) assert !(response.body.include? @message.id) end @@ -91,7 +91,7 @@ class Api::MessagesControllerTest < ActionController::TestCase end test "fails if not authenticated" do - get :index, :format => :json + api_get :index, :format => :json assert_login_required end =end diff --git a/test/functional/api/services_controller_test.rb b/test/functional/api/services_controller_test.rb index b1dc9f3..cb85edf 100644 --- a/test/functional/api/services_controller_test.rb +++ b/test/functional/api/services_controller_test.rb @@ -1,16 +1,16 @@ require 'test_helper' -class Api::ServicesControllerTest < ActionController::TestCase +class Api::ServicesControllerTest < ApiControllerTest test "anonymous user gets login required service info" do - get :show, format: :json + api_get :show, format: :json assert_json_response error: 'not_authorized_login', message: 'Please log in to perform that action.' end test "anonymous user gets vpn service info" do with_config allow_anonymous_certs: true do - get :show, format: :json + api_get :show, format: :json assert_json_response name: 'anonymous', eip_rate_limit: false, description: 'anonymous access to the VPN' 
@@ -19,7 +19,7 @@ class Api::ServicesControllerTest < ActionController::TestCase test "user can see their service info" do login - get :show, format: :json + api_get :show, format: :json default_level = APP_CONFIG[:default_service_level] assert_json_response APP_CONFIG[:service_levels][default_level] end diff --git a/test/functional/api/sessions_controller_test.rb b/test/functional/api/sessions_controller_test.rb index 0633578..03a1ef9 100644 --- a/test/functional/api/sessions_controller_test.rb +++ b/test/functional/api/sessions_controller_test.rb @@ -3,7 +3,7 @@ require 'test_helper' # This is a simple controller unit test. # We're stubbing out both warden and srp. # There's an integration test testing the full rack stack and srp -class Api::SessionsControllerTest < ActionController::TestCase +class Api::SessionsControllerTest < ApiControllerTest setup do @request.env['HTTP_HOST'] = 'api.lvh.me' @@ -12,7 +12,7 @@ class Api::SessionsControllerTest < ActionController::TestCase end test "renders json" do - get :new, :format => :json + api_get :new, :format => :json assert_response :success assert_json_error nil end @@ -22,7 +22,7 @@ class Api::SessionsControllerTest < ActionController::TestCase strategy = stub :message => {:field => :translate_me} request.env['warden'].stubs(:winning_strategy).returns(strategy) I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") - get :new, :format => :json + api_get :new, :format => :json assert_response 422 assert_json_error :field => "translation stub" end @@ -33,7 +33,7 @@ class Api::SessionsControllerTest < ActionController::TestCase request.env['warden'].expects(:authenticate!) # make sure we don't get a template missing error: @controller.stubs(:render) - post :create, :login => @user.login, 'A' => @client_hex + api_post :create, :login => @user.login, 'A' => @client_hex end test "should authenticate" do 
@@ -42,7 +42,7 @@ class Api::SessionsControllerTest < ActionController::TestCase handshake = stub(:to_hash => {h: "ash"}) session[:handshake] = handshake - post :update, :id => @user.login, :client_auth => @client_hex + api_post :update, :id => @user.login, :client_auth => @client_hex assert_nil session[:handshake] assert_response :success @@ -55,7 +55,7 @@ class Api::SessionsControllerTest < ActionController::TestCase test "destroy should logout" do login expect_logout - delete :destroy + api_delete :destroy assert_response 204 end diff --git a/test/functional/api/smtp_certs_controller_test.rb b/test/functional/api/smtp_certs_controller_test.rb index 2142675..393f090 100644 --- a/test/functional/api/smtp_certs_controller_test.rb +++ b/test/functional/api/smtp_certs_controller_test.rb @@ -1,17 +1,17 @@ require 'test_helper' -class Api::SmtpCertsControllerTest < ActionController::TestCase +class Api::SmtpCertsControllerTest < ApiControllerTest test "no smtp cert without login" do with_config allow_anonymous_certs: true do - post :create + api_post :create assert_login_required end end test "require service level with email" do login - post :create + api_post :create assert_access_denied end @@ -19,14 +19,14 @@ class Api::SmtpCertsControllerTest < ActionController::TestCase login effective_service_level: ServiceLevel.new(id: 2) cert = expect_cert(@current_user.email_address) cert.expects(:fingerprint).returns('fingerprint') - post :create + api_post :create assert_response :success assert_equal cert.to_s, @response.body end test "fail to create cert when disabled" do login :enabled? => false - post :create + api_post :create assert_access_denied end diff --git a/test/functional/api/token_auth_test.rb b/test/functional/api/token_auth_test.rb index 17a4775..c7f91c7 100644 --- a/test/functional/api/token_auth_test.rb +++ b/test/functional/api/token_auth_test.rb 
@@ -5,13 +5,13 @@ require 'test_helper' -class Api::TokenAuthTest < ActionController::TestCase +class Api::TokenAuthTest < ApiControllerTest tests Api::ConfigsController def test_login_via_api_token with_config(:allow_anonymous_certs => false) do monitor_auth do - get :index + api_get :index assert assigns(:token), 'should have authenticated via api token' assert assigns(:token).is_a? ApiToken assert @controller.send(:current_user).is_a? ApiMonitorUser @@ -26,10 +26,10 @@ class Api::TokenAuthTest < ActionController::TestCase with_config(new_config) do monitor_auth do request.env['REMOTE_ADDR'] = "1.1.1.1" - get :index + api_get :index assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it" request.env['REMOTE_ADDR'] = allowed - get :index + api_get :index assert assigns(:token), "should have authenticated via api token" end end diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb index bc2e312..32afd0a 100644 --- a/test/functional/api/users_controller_test.rb +++ b/test/functional/api/users_controller_test.rb @@ -1,6 +1,6 @@ -require_relative '../../test_helper' +require 'test_helper' -class Api::UsersControllerTest < ActionController::TestCase +class Api::UsersControllerTest < ApiControllerTest test "user can change settings" do user = find_record :user @@ -10,7 +10,7 @@ class Api::UsersControllerTest < ActionController::TestCase Account.expects(:new).with(user).returns(account_settings) login user - put :update, :user => changed_attribs, :id => user.id, :format => :json + api_put :update, :user => changed_attribs, :id => user.id, :format => :json assert_equal user, assigns[:user] assert_response 204 
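Review bot: The IP-restriction test in the second token_auth hunk drives the allowlist only through `request.env['REMOTE_ADDR']`, so it cannot distinguish a controller that compares `REMOTE_ADDR` from one that uses `request.remote_ip`, which honours forwarded-for headers unless trusted proxies are configured; nothing in the suite pins which one the allowlist relies on. A companion case that leaves `REMOTE_ADDR` at the disallowed value, sets `request.env['HTTP_X_FORWARDED_FOR'] = allowed` and asserts `assert_nil assigns(:token)` would document the intended behaviour either way. The controller is not visible here, so treat this as coverage to add rather than a confirmed gap; `test_fail_api_auth_when_ip_not_allowed` starts outside the hunk.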
@@ -25,7 +25,7 @@ class Api::UsersControllerTest < ActionController::TestCase Account.expects(:new).with(user).returns(account_settings) login :is_admin? => true - put :update, :user => changed_attribs, :id => user.id, :format => :json + api_put :update, :user => changed_attribs, :id => user.id, :format => :json assert_equal user, assigns[:user] assert_response 204 @@ -34,7 +34,7 @@ class Api::UsersControllerTest < ActionController::TestCase test "user cannot update other user" do user = find_record :user login - put :update, id: user.id, + api_put :update, id: user.id, user: record_attributes_for(:user_with_settings), :format => :json assert_access_denied @@ -45,7 +45,7 @@ class Api::UsersControllerTest < ActionController::TestCase user = User.new(user_attribs) Account.expects(:create).with(user_attribs).returns(user) - post :create, :user => user_attribs, :format => :json + api_post :create, :user => user_attribs, :format => :json assert_nil session[:user_id] assert_json_response user @@ -59,7 +59,7 @@ class Api::UsersControllerTest < ActionController::TestCase assert !user.valid? Account.expects(:create).with(user_attribs).returns(user) - post :create, :user => user_attribs, :format => :json + api_post :create, :user => user_attribs, :format => :json assert_json_error user.errors.messages assert_response 422 @@ -67,7 +67,7 @@ class Api::UsersControllerTest < ActionController::TestCase test "admin can autocomplete users" do login :is_admin? => true - get :index, :query => 'a', :format => :json + api_get :index, :query => 'a', :format => :json assert_response :success assert assigns(:users) @@ -76,7 +76,7 @@ class Api::UsersControllerTest < ActionController::TestCase test "create returns forbidden if registration is closed" do user_attribs = record_attributes_for :user with_config(allow_registration: false) do - post :create, :user => user_attribs, :format => :json + api_post :create, :user => user_attribs, :format => :json assert_response :forbidden end end 
@@ -84,20 +84,20 @@ class Api::UsersControllerTest < ActionController::TestCase test "admin can show user" do user = FactoryGirl.create :user login :is_admin? => true - get :show, :id => 0, :login => user.login, :format => :json + api_get :show, :id => 0, :login => user.login, :format => :json assert_response :success assert_json_response user - get :show, :id => user.id, :format => :json + api_get :show, :id => user.id, :format => :json assert_response :success assert_json_response user - get :show, :id => "0", :format => :json + api_get :show, :id => "0", :format => :json assert_response :not_found end test "normal users cannot show user" do user = find_record :user login - get :show, :id => 0, :login => user.login, :format => :json + api_get :show, :id => 0, :login => user.login, :format => :json assert_access_denied end @@ -106,9 +106,9 @@ class Api::UsersControllerTest < ActionController::TestCase with_config(allow_registration: false, invite_required: true) do monitor_auth do user_attribs = record_attributes_for :test_user - post :create, :user => user_attribs, :format => :json + api_post :create, :user => user_attribs, :format => :json assert_response :success - delete :destroy, :id => assigns(:user).id, :format => :json + api_delete :destroy, :id => assigns(:user).id, :format => :json assert_response :success end end 
@@ -117,17 +117,17 @@ class Api::UsersControllerTest < ActionController::TestCase test "api monitor auth cannot create normal users" do monitor_auth do user_attribs = record_attributes_for :user - post :create, :user => user_attribs, :format => :json + api_post :create, :user => user_attribs, :format => :json assert_response :forbidden end end - test "api monitor auth cannot delete normal users" do - post :create, :user => record_attributes_for(:user), :format => :json + test "api monitor auth cannot api_delete normal users" do + api_post :create, :user => record_attributes_for(:user), :format => :json assert_response :success normal_user_id = assigns(:user).id monitor_auth do - delete :destroy, :id => normal_user_id, :format => :json + api_delete :destroy, :id => normal_user_id, :format => :json assert_response :forbidden end end -- cgit v1.2.3 From f47fc9d6522886cf81cfea26ec1f396219c539ba Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 12:17:31 +0200 Subject: move signup from users to account_controller There was a lot of special case handling going on in the users_controller for this. Lot simpler this way. --- test/functional/account_controller_test.rb | 26 ++++++++++++++++++++++++++ test/functional/users_controller_test.rb | 22 +--------------------- 2 files changed, 27 insertions(+), 21 deletions(-) create mode 100644 test/functional/account_controller_test.rb (limited to 'test/functional') diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb new file mode 100644 index 0000000..f5f1446 --- /dev/null +++ b/test/functional/account_controller_test.rb 
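Review bot: The renamed description `test "api monitor auth cannot api_delete normal users"` reads like a mechanical `delete` → `api_delete` replacement that leaked into the human-readable test name; the name describes the behaviour under test, not the helper used, so it should stay `test "api monitor auth cannot delete normal users"`. The calls inside the test are correctly switched to `api_post` and `api_delete`.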
@@ -0,0 +1,26 @@ +require 'test_helper' + +class AccountControllerTest < ActionController::TestCase + + test "should get new" do + get :new + assert_equal User, assigns(:user).class + assert_response :success + end + + test "new should redirect logged in users" do + login + get :new + assert_response :redirect + assert_redirected_to home_path + end + + test "new redirects if registration is closed" do + with_config(allow_registration: false) do + get :new + assert_response :redirect + assert_redirected_to home_path + end + end +end + diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb index 6029c83..2794422 100644 --- a/test/functional/users_controller_test.rb +++ b/test/functional/users_controller_test.rb @@ -1,20 +1,7 @@ -require_relative '../test_helper' +require 'test_helper' class UsersControllerTest < ActionController::TestCase - test "should get new" do - get :new - assert_equal User, assigns(:user).class - assert_response :success - end - - test "new should redirect logged in users" do - login - get :new - assert_response :redirect - assert_redirected_to home_path - end - test "failed show without login" do user = find_record :user get :show, :id => user.id @@ -163,11 +150,4 @@ class UsersControllerTest < ActionController::TestCase assert !assigns(:user).enabled? end - test "new redirects if registration is closed" do - with_config(allow_registration: false) do - get :new - assert_response :redirect - assert_redirected_to home_path - end - end end -- cgit v1.2.3 From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001 From: NavaL Date: Thu, 14 Jul 2016 15:06:20 +0200 Subject: [feature] restrict is_admin in the user api, to only allow querying for him/herself So that it we do not expose the is_admin property to anyone else including other admins. --- test/functional/api/users_controller_test.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'test/functional') 
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index 32afd0a..b69770d 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest
     login :is_admin? => true
     api_get :show, :id => 0, :login => user.login, :format => :json
     assert_response :success
-    assert_json_response user
+    assert_json_response user.to_hash
     api_get :show, :id => user.id, :format => :json
     assert_response :success
-    assert_json_response user
+    assert_json_response user.to_hash
     api_get :show, :id => "0", :format => :json
     assert_response :not_found
   end
 
+  test "admin can show is_admin property" do
+    user = FactoryGirl.create :user, login: "admin2"
+    login user
+    api_get :show, :id => user.id, :format => :json
+    assert_response :success
+    assert_json_response user.to_hash.merge(:is_admin => true)
+  end
+
   test "normal users cannot show user" do
     user = find_record :user
     login
-- cgit v1.2.3
From 20bb76848b852bba9ab3c99b1c2a68464585bd56 Mon Sep 17 00:00:00 2001
From: Azul
Date: Wed, 17 Aug 2016 16:11:46 +0200
Subject: bugfix: send 406 if an unexpected format is asked for

It used to run the action and then trigger a 500 because the template was not found.

fixes !3 .
---
 test/functional/home_controller_test.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 test/functional/home_controller_test.rb
(limited to 'test/functional')
diff --git a/test/functional/home_controller_test.rb b/test/functional/home_controller_test.rb
new file mode 100644
index 0000000..cafaac5
--- /dev/null
+++ b/test/functional/home_controller_test.rb
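Review bot: The new test only covers the positive case — a user fetching their own record sees `is_admin` — while the property the commit restricts is never asserted absent on the other-user path in the `"admin can show user"` hunk above; whether `assert_json_response user.to_hash` fails on an extra `is_admin` key depends on the helper, which is not visible here. Add a negative test so a regression that re-exposes `is_admin` to other admins is caught rather than silently tolerated. The new test also relies on `"admin2"` being configured as an admin somewhere in the test setup, which deserves a comment such as `# "admin2" must be listed as an admin in the test config for this to pass`.
```ruby
  test "admin does not see is_admin of other users" do
    user = FactoryGirl.create :user
    login :is_admin? => true
    api_get :show, :id => user.id, :format => :json
    assert_response :success
    assert !json_response.key?("is_admin"),
      "is_admin must only be exposed to the user it belongs to"
  end
```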
@@ -0,0 +1,16 @@
+require 'test_helper'
+
+class HomeControllerTest < ActionController::TestCase
+
+  def test_renders_okay
+    get :index
+    assert_response :success
+  end
+
+  def test_other_formats_trigger_406
+    assert_raises ActionController::UnknownFormat do
+      get :index, format: :xml
+    end
+  end
+
+end
-- cgit v1.2.3
From fbad882075e745ab7afbe5f89c67544fb3c607c3 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 18 Aug 2016 11:00:16 +0200
Subject: respond_to on a per controller basis

If you inherit respond to and call it again in your controller it will not overwrite the previous but add to it. Since we always have some exceptions from the rules it's probably easiest to be explicit in the controllers that require it themselves.
---
 test/functional/api/certs_controller_test.rb | 6 ++++++
 test/functional/api/sessions_controller_test.rb | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)
(limited to 'test/functional')
diff --git a/test/functional/api/certs_controller_test.rb b/test/functional/api/certs_controller_test.rb
index f23b4c8..25ceb8e 100644
--- a/test/functional/api/certs_controller_test.rb
+++ b/test/functional/api/certs_controller_test.rb
@@ -57,4 +57,10 @@ class Api::CertsControllerTest < ApiControllerTest
       returns(cert)
     return cert
   end
+
+  # overwrite defaults from ApiController because we don't do json here.
+  def add_api_defaults(args)
+    add_defaults args, version: '2'
+  end
+
 end
diff --git a/test/functional/api/sessions_controller_test.rb b/test/functional/api/sessions_controller_test.rb
index 03a1ef9..06a3c22 100644
--- a/test/functional/api/sessions_controller_test.rb
+++ b/test/functional/api/sessions_controller_test.rb
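Review bot: `test_other_formats_trigger_406` asserts that `ActionController::UnknownFormat` propagates out of the action, not that a 406 is sent, so the method name promises more than the test checks; in a controller test the exception is not translated to a status, that mapping happens in the exception-handling middleware of the full stack. A comment keeps the next reader from assuming the status is covered: `# In functional tests the exception is raised directly; the full stack maps UnknownFormat to 406.` If the 406 itself is the contract worth protecting, an integration test asserting the response status would pin it.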
@@ -44,7 +44,8 @@ class Api::SessionsControllerTest < ApiControllerTest
 
     api_post :update, :id => @user.login, :client_auth => @client_hex
 
-    assert_nil session[:handshake]
+    assert_nil session[:handshake],
+      'session should be cleared to prevent session fixation attacks'
     assert_response :success
     assert json_response.keys.include?("id")
     assert json_response.keys.include?("token")
-- cgit v1.2.3
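Review bot: The new assertion message claims session fixation protection, but the assertion only verifies that `session[:handshake]` was removed; fixation protection means the session id is rotated at login (`reset_session`), and nothing in this test observes that. Reword so the message matches what is actually checked, e.g. `'handshake must not remain in the session after authentication'`, or add a separate assertion on the session id changing across the `api_post :update` if the test stack exposes it. The enclosing `test "should authenticate"` starts outside the hunk.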