From e072ac2fa8bc93ed782df1ff95130f4794f9640f Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:55:19 -0700 Subject: api: added allow ability to limit what IPs can access api using a static configured auth token. --- test/functional/v1/identities_controller_test.rb | 20 +++++++++ test/functional/v1/users_controller_test.rb | 52 +++++++++++++++++++++++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 test/functional/v1/identities_controller_test.rb (limited to 'test/functional') diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb new file mode 100644 index 0000000..3e88402 --- /dev/null +++ b/test/functional/v1/identities_controller_test.rb @@ -0,0 +1,20 @@ +require_relative '../../test_helper' + +class V1::IdentitiesControllerTest < ActionController::TestCase + + test "api monitor can fetch identity" do + monitor_auth do + identity = FactoryGirl.create :identity + get :show, :id => identity.address, :format => 'json' + assert_response :success + assert_equal identity, assigns(:identity) + end + end + + test "anonymous cannot fetch identity" do + identity = FactoryGirl.create :identity + get :show, :id => identity.address, :format => 'json' + assert_response :forbidden + end + +end diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb index ffe2484..7afbb02 100644 --- a/test/functional/v1/users_controller_test.rb +++ b/test/functional/v1/users_controller_test.rb @@ -1,4 +1,4 @@ -require 'test_helper' +require_relative '../../test_helper' class V1::UsersControllerTest < ActionController::TestCase @@ -81,4 +81,54 @@ class V1::UsersControllerTest < ActionController::TestCase end end + test "admin can show user" do + user = FactoryGirl.create :user + login :is_admin? => true + get :show, :id => 0, :login => user.login, :format => :json + assert_response :success + assert_json_response user + get :show, :id => user.id, :format => :json + assert_response :success + assert_json_response user + get :show, :id => "0", :format => :json + assert_response :not_found + end + + test "normal users cannot show user" do + user = find_record :user + login + get :show, :id => 0, :login => user.login, :format => :json + assert_access_denied + end + + test "api monitor auth can create and destroy test users" do + with_config(allow_registration: false) do + monitor_auth do + user_attribs = record_attributes_for :test_user + post :create, :user => user_attribs, :format => :json + assert_response :success + delete :destroy, :id => assigns(:user).id, :format => :json + assert_response :success + end + end + end + + test "api monitor auth cannot create normal users" do + monitor_auth do + user_attribs = record_attributes_for :user + post :create, :user => user_attribs, :format => :json + assert_response :forbidden + end + end + + test "api monitor auth cannot delete normal users" do + post :create, :user => record_attributes_for(:user), :format => :json + assert_response :success + normal_user_id = assigns(:user).id + monitor_auth do + delete :destroy, :id => normal_user_id, :format => :json + assert_response :forbidden + end + end + end -- cgit v1.2.3 From 9a8577a2d19aa51318dce6ff9ffe1bd26f25c09e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:56:21 -0700 Subject: api: added get(:show) to identities and users, allow monitors to create/delete test & tmp users. --- test/functional/token_auth_test.rb | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 test/functional/token_auth_test.rb (limited to 'test/functional') diff --git a/test/functional/token_auth_test.rb b/test/functional/token_auth_test.rb new file mode 100644 index 0000000..53d5fb3 --- /dev/null +++ b/test/functional/token_auth_test.rb @@ -0,0 +1,40 @@ +# +# tests for authenticating an admin or monitor user +# via static configured tokens. +# + +require_relative '../test_helper' + +class TokenAuthTest < ActionController::TestCase + tests V1::ConfigsController + + def test_login_via_api_token + with_config(:allow_anonymous_certs => false) do + monitor_auth do + get :index + assert assigns(:token), 'should have authenticated via api token' + assert assigns(:token).is_a? ApiToken + assert @controller.send(:current_user).is_a? ApiMonitorUser + end + end + end + + def test_fail_api_auth_when_ip_not_allowed + with_config(:allow_anonymous_certs => false) do + allowed = "99.99.99.99" + new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])} + with_config(new_config) do + monitor_auth do + request.env['REMOTE_ADDR'] = "1.1.1.1" + get :index + assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it" + request.env['REMOTE_ADDR'] = allowed + get :index + assert assigns(:token), "should have authenticated via api token" + end + end + end + end + +end + -- cgit v1.2.3 From 48acca107b9bd7a59bacb1449b042eb753e63917 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 30 Mar 2016 17:06:32 -0700 Subject: api: return proper 404 for GET /1/identities/:id.json --- test/functional/v1/identities_controller_test.rb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'test/functional') diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb index 3e88402..6410c44 100644 --- a/test/functional/v1/identities_controller_test.rb +++ b/test/functional/v1/identities_controller_test.rb @@ -8,9 +8,13 @@ class V1::IdentitiesControllerTest < ActionController::TestCase get :show, :id => identity.address, :format => 'json' assert_response :success assert_equal identity, assigns(:identity) + + get :show, :id => "blahblahblah", :format => 'json' + assert_response :not_found end end + test "anonymous cannot fetch identity" do identity = FactoryGirl.create :identity get :show, :id => identity.address, :format => 'json' -- cgit v1.2.3