From 0ac511a31a6652ab00bbc765079b1c56128b191f Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Thu, 24 Mar 2016 09:03:30 +0100
Subject: split up integration account test

AccountLivecycleTest -> CRUD accounts
SecurityTest -> security specific tests
AdminTest -> admin specific tests
---
 test/integration/browser/security_test.rb | 52 +++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 test/integration/browser/security_test.rb

(limited to 'test/integration/browser/security_test.rb')

diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb
new file mode 100644
index 0000000..c13acd8
--- /dev/null
+++ b/test/integration/browser/security_test.rb
@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class SecurityTest < BrowserIntegrationTest
+
+  teardown do
+    Identity.destroy_all_orphaned
+  end
+
+  # trying to seed an invalid A for srp login
+  test "detects attempt to circumvent SRP" do
+    InviteCodeValidator.any_instance.stubs(:validate)
+
+    user = FactoryGirl.create :user
+    visit '/login'
+    fill_in 'Username', with: user.login
+    fill_in 'Password', with: "password"
+    inject_malicious_js
+    click_on 'Log In'
+    assert page.has_content?("Invalid random key")
+    assert page.has_no_content?("Welcome")
+    user.destroy
+  end
+
+  test "reports internal server errors" do
+    V1::UsersController.any_instance.stubs(:create).raises
+    submit_signup
+    assert page.has_content?("server failed")
+  end
+
+  test "does not render signup form without js" do
+    Capybara.current_driver = :rack_test # no js
+    visit '/signup'
+    assert page.has_no_content?("Username")
+    assert page.has_no_content?("Password")
+  end
+
+  test "does not render login form without js" do
+    Capybara.current_driver = :rack_test # no js
+    visit '/login'
+    assert page.has_no_content?("Username")
+    assert page.has_no_content?("Password")
+  end
+
+  def inject_malicious_js
+    page.execute_script <<-EOJS
+      var calc = new srp.Calculate();
+      calc.A = function(_a) {return "00";};
+      calc.S = calc.A;
+      srp.session = new srp.Session(null, calc);
+    EOJS
+  end
+end
-- 
cgit v1.2.3


From e05a1b0f5ae40a2aa17976b3009cd563b8e4660a Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Sun, 1 May 2016 10:55:33 -0300
Subject: api: allow version bumping - bump to 2

---
 test/integration/browser/security_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'test/integration/browser/security_test.rb')

diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb
index c13acd8..825d50b 100644
--- a/test/integration/browser/security_test.rb
+++ b/test/integration/browser/security_test.rb
@@ -22,7 +22,7 @@ class SecurityTest < BrowserIntegrationTest
   end
 
   test "reports internal server errors" do
-    V1::UsersController.any_instance.stubs(:create).raises
+    Api::UsersController.any_instance.stubs(:create).raises
     submit_signup
     assert page.has_content?("server failed")
   end
-- 
cgit v1.2.3