From c63791c7ffacb7c6cfc685e2654ffe66f0a6b185 Mon Sep 17 00:00:00 2001
From: elijah
Date: Sun, 20 Mar 2016 01:13:24 -0700
Subject: api tokens: allow for special api tokens that work like session tokens but are configured in the static config, to be used for infrastructure monitoring.
---
 test/integration/api/token_test.rb | 3 ++-
 test/unit/api_token_test.rb | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 test/unit/api_token_test.rb
(limited to 'test')
diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_test.rb
index ad3ac22..dafbfb7 100644
--- a/test/integration/api/token_test.rb
+++ b/test/integration/api/token_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../../test_helper'
 require_relative 'srp_test'
 
 class TokenTest < SrpTest
@@ -12,4 +12,5 @@ class TokenTest < SrpTest
 token = server_auth['token']
 assert Token.find(Digest::SHA512.hexdigest(token))
 end
+
 end
diff --git a/test/unit/api_token_test.rb b/test/unit/api_token_test.rb
new file mode 100644
index 0000000..55d7507
--- /dev/null
+++ b/test/unit/api_token_test.rb
@@ -0,0 +1,28 @@
+require_relative '../test_helper'
+
+class ApiTokenTest < ActiveSupport::TestCase
+
+ setup do
+ end
+
+ test "api token only authenticates ApiUser" do
+ token_string = APP_CONFIG['api_tokens']['test']
+ assert !token_string.nil?
+ assert !token_string.empty?
+ token = ApiToken.find_by_token(token_string)
+ user = token.authenticate
+ assert user, 'api token should authenticate'
+ assert user.is_a?(ApiUser), 'api token should return api user'
+ assert user.is_test?, 'api test token should return test user'
+ assert !user.is_admin?, 'api test token should not return admin user'
+ end
+
+ test "invalid api tokens can't authenticate" do
+ assert_nil ApiToken.find_by_token("not a token")
+ with_config({"api_tokens" => {"test" => ""}}) do
+ assert_equal "", APP_CONFIG['api_tokens']['test']
+ assert_nil ApiToken.find_by_token("")
+ end
+ end
+
+end
\ No newline at end of file
-- cgit v1.2.3
From 67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 28 Mar 2016 15:52:21 -0700
Subject: api tokens - clarify terms: "monitors" are admins that authenticated via api token, "tmp" users are users that exist only in tmp db, "test" users are either tmp users or users named "test_user_x"
---
 test/factories.rb | 4 ++++
 test/integration/api/tmp_user_test.rb | 2 +-
 test/unit/api_token_test.rb | 8 ++++----
 test/unit/tmp_user_test.rb | 4 ++--
 4 files changed, 11 insertions(+), 7 deletions(-)
(limited to 'test')
diff --git a/test/factories.rb b/test/factories.rb
index b6e1475..5d49729 100644
--- a/test/factories.rb
+++ b/test/factories.rb
@@ -26,6 +26,10 @@ FactoryGirl.define do
 end
 end
 
+ factory :test_user do
+ login {"test_user_" + Faker::Internet.user_name + '_' + SecureRandom.hex(4)}
+ end
+
 factory :premium_user do
 effective_service_level_code 2
 end
diff --git a/test/integration/api/tmp_user_test.rb b/test/integration/api/tmp_user_test.rb
index 4c1e659..bf5f99d 100644
--- a/test/integration/api/tmp_user_test.rb
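Review bot: The negative test covers an empty configured token but not an absent one; `find_by_token` is only exercised with `"not a token"` and `""`, so a config with no `'test'` key (or a nil value) is untested, and that is the shape a misconfigured deployment is most likely to have. Consider a third case inside the same test, `assert_nil ApiToken.find_by_token(nil)`, paired with a `with_config` whose `"api_tokens"` hash omits the key entirely, so the lookup is shown to return nil rather than raise. Minor style: `assert !token_string.nil?` and `assert !token_string.empty?` read better as `refute_nil token_string` and `refute_empty token_string`, and the empty `setup do end` block can be dropped.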
+++ b/test/integration/api/tmp_user_test.rb
@@ -4,7 +4,7 @@ require_relative 'srp_test'
 class TmpUserTest < SrpTest
 
 setup do
- register_user('test_user_'+SecureRandom.hex(5))
+ register_user('tmp_user_'+SecureRandom.hex(5))
 end
 
 test "login with srp" do
diff --git a/test/unit/api_token_test.rb b/test/unit/api_token_test.rb
index 55d7507..266a370 100644
--- a/test/unit/api_token_test.rb
+++ b/test/unit/api_token_test.rb
@@ -6,15 +6,15 @@ class ApiTokenTest < ActiveSupport::TestCase
 end
 
 test "api token only authenticates ApiUser" do
- token_string = APP_CONFIG['api_tokens']['test']
- assert !token_string.nil?
+ token_string = APP_CONFIG['api_tokens']['monitor']
+ assert !token_string.nil?, 'monitor token should be configured'
 assert !token_string.empty?
 token = ApiToken.find_by_token(token_string)
 user = token.authenticate
 assert user, 'api token should authenticate'
 assert user.is_a?(ApiUser), 'api token should return api user'
- assert user.is_test?, 'api test token should return test user'
- assert !user.is_admin?, 'api test token should not return admin user'
+ assert user.is_monitor?, 'api monitor token should return monitor user'
+ assert !user.is_admin?, 'api monitor token should not return admin user'
 end
 
 test "invalid api tokens can't authenticate" do
diff --git a/test/unit/tmp_user_test.rb b/test/unit/tmp_user_test.rb
index 9494377..1dea5f9 100644
--- a/test/unit/tmp_user_test.rb
+++ b/test/unit/tmp_user_test.rb
@@ -6,7 +6,7 @@ class TmpUserTest < ActiveSupport::TestCase
 InviteCodeValidator.any_instance.stubs(:validate)
 end
 
- test "test_user saved to tmp_users" do
+ test "tmp_user saved to tmp_users" do
 begin
 assert User.ancestors.include?(TemporaryUser)
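Review bot: The rename from `'test'` to `'monitor'` stops at this hunk, but the `invalid api tokens can't authenticate` test whose first line closes it (body outside the hunk, visible in the earlier patch on this page) still does `with_config({"api_tokens" => {"test" => ""}})` before asserting `find_by_token("")` is nil; after this change that override no longer touches the key the lookup reads, so the empty-token case is checked against whatever the unchanged monitor token is rather than an empty one. Unless that test is updated in a change not shown here, the override should become `{"api_tokens" => {"monitor" => ""}}` with the matching `assert_equal "", APP_CONFIG['api_tokens']['monitor']`. Style: the unchanged `assert !token_string.empty?` is the only assertion in the block without a message and would read better as `refute_empty token_string, 'monitor token should not be blank'`.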
@@ -17,7 +17,7 @@ class TmpUserTest < ActiveSupport::TestCase
 end
 assert_difference('User.tmp_database.info["doc_count"]') do
- tmp_user = User.create!(:login => 'test_user_'+SecureRandom.hex(5).downcase,
+ tmp_user = User.create!(:login => 'tmp_user_'+SecureRandom.hex(5).downcase,
 :password_verifier => 'ABCDEF0010101', :password_salt => 'ABCDEF')
 assert tmp_user.database.to_s.include?('tmp')
 end
-- cgit v1.2.3
From e072ac2fa8bc93ed782df1ff95130f4794f9640f Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 28 Mar 2016 15:55:19 -0700
Subject: api: added allow ability to limit what IPs can access api using a static configured auth token.
---
 test/functional/v1/identities_controller_test.rb | 20 +++++++++
 test/functional/v1/users_controller_test.rb | 52 +++++++++++++++++++++++-
 test/support/auth_test_helper.rb | 15 +++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 test/functional/v1/identities_controller_test.rb
(limited to 'test')
diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb
new file mode 100644
index 0000000..3e88402
--- /dev/null
+++ b/test/functional/v1/identities_controller_test.rb
@@ -0,0 +1,20 @@
+require_relative '../../test_helper'
+
+class V1::IdentitiesControllerTest < ActionController::TestCase
+
+ test "api monitor can fetch identity" do
+ monitor_auth do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :success
+ assert_equal identity, assigns(:identity)
+ end
+ end
+
+ test "anonymous cannot fetch identity" do
+ identity = FactoryGirl.create :identity
+ get :show, :id => identity.address, :format => 'json'
+ assert_response :forbidden
+ end
+
+end
diff --git a/test/functional/v1/users_controller_test.rb b/test/functional/v1/users_controller_test.rb
index ffe2484..7afbb02 100644
--- a/test/functional/v1/users_controller_test.rb
+++ b/test/functional/v1/users_controller_test.rb
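Review bot: Only the two extremes of the access matrix are covered in the new identities_controller_test.rb, the monitor (success) and an anonymous request (forbidden); an ordinary authenticated user is not tested, so a regression that let any logged-in user read arbitrary identities by address would pass this file. The sibling users_controller_test on this page already has the helpers for it, so a third test of the form `login; get :show, :id => identity.address, :format => 'json'; assert_access_denied` would close the gap. It is also worth a short comment at the top of the file stating that identity lookup by address is meant to be monitor/admin-only, since that policy is what the two tests encode.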
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../../test_helper'
 
 class V1::UsersControllerTest < ActionController::TestCase
 
@@ -81,4 +81,54 @@ class V1::UsersControllerTest < ActionController::TestCase
 end
 end
 
+ test "admin can show user" do
+ user = FactoryGirl.create :user
+ login :is_admin? => true
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user
+ get :show, :id => "0", :format => :json
+ assert_response :not_found
+ end
+
+ test "normal users cannot show user" do
+ user = find_record :user
+ login
+ get :show, :id => 0, :login => user.login, :format => :json
+ assert_access_denied
+ end
+
+ test "api monitor auth can create and destroy test users" do
+ with_config(allow_registration: false) do
+ monitor_auth do
+ user_attribs = record_attributes_for :test_user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :success
+ delete :destroy, :id => assigns(:user).id, :format => :json
+ assert_response :success
+ end
+ end
+ end
+
+ test "api monitor auth cannot create normal users" do
+ monitor_auth do
+ user_attribs = record_attributes_for :user
+ post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "api monitor auth cannot delete normal users" do
+ post :create, :user => record_attributes_for(:user), :format => :json
+ assert_response :success
+ normal_user_id = assigns(:user).id
+ monitor_auth do
+ delete :destroy, :id => normal_user_id, :format => :json
+ assert_response :forbidden
+ end
+ end
+
 end
diff --git a/test/support/auth_test_helper.rb b/test/support/auth_test_helper.rb
index 7af3341..acc6076 100644
--- a/test/support/auth_test_helper.rb
+++ b/test/support/auth_test_helper.rb
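Review bot: The destroy tests pin down that a monitor can delete a `:test_user` it created and cannot delete a normal user, but not the boundary between the two: the commit message on this page defines test users by login name (`test_user_x`), so a user created through the ordinary `post :create` path with a login that merely starts with `test_user_` is the case that decides whether the monitor token can delete accounts it did not create, and no test covers it. Add a case next to `api monitor auth cannot delete normal users` that registers such a user outside `monitor_auth`, then attempts the `delete :destroy` under `monitor_auth` and asserts the response the intended policy requires (which response that is cannot be read from this page). Separately, `api monitor auth cannot delete normal users` creates its victim anonymously outside any `with_config`, so it silently depends on registration being enabled in the test config; wrapping that `post :create` in `with_config(allow_registration: true)` makes the precondition explicit, as the neighbouring test already does for the opposite setting.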
@@ -29,6 +29,21 @@ module AuthTestHelper
 @token.expects(:destroy) if @token
 end
 
+ # authenticate as the api monitor
+ def monitor_auth(&block)
+ token_auth(APP_CONFIG['api_tokens']['monitor'], &block)
+ end
+
+ # authenticate with a token
+ def token_auth(token_str)
+ original = request.env['HTTP_AUTHORIZATION']
+ request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token_str)
+ if block_given?
+ yield
+ request.env['HTTP_AUTHORIZATION'] = original
+ end
+ end
+
 protected
 
 def header_for_token_auth
-- cgit v1.2.3
From 9a8577a2d19aa51318dce6ff9ffe1bd26f25c09e Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 28 Mar 2016 15:56:21 -0700
Subject: api: added get(:show) to identities and users, allow monitors to create/delete test & tmp users.
---
 test/functional/token_auth_test.rb | 40 +++++++++++++++++++++++++++++++++++++
 test/integration/api/signup_test.rb | 4 ++--
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 test/functional/token_auth_test.rb
(limited to 'test')
diff --git a/test/functional/token_auth_test.rb b/test/functional/token_auth_test.rb
new file mode 100644
index 0000000..53d5fb3
--- /dev/null
+++ b/test/functional/token_auth_test.rb
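Review bot: `token_auth` restores `HTTP_AUTHORIZATION` only on the normal exit of the block; a failing assertion inside `monitor_auth do ... end` raises past the restore, leaving the request carrying the monitor credential, and in the no-block form the header is never restored at all. Since callers use this helper precisely to assert that some requests must fail (see the IP-restriction test later on this page), the restore belongs in an `ensure` so a failed assertion cannot leak the credential into later requests of the same case. The no-block form should also be documented as intentionally leaving the header set. The enclosing module continues outside the hunk.

```ruby
# authenticate with a token; without a block the header stays set for the
# rest of the test, with a block it is restored even when the block raises
def token_auth(token_str)
  original = request.env['HTTP_AUTHORIZATION']
  request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token_str)
  return unless block_given?
  begin
    yield
  ensure
    request.env['HTTP_AUTHORIZATION'] = original
  end
end
```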
@@ -0,0 +1,40 @@
+#
+# tests for authenticating an admin or monitor user
+# via static configured tokens.
+#
+
+require_relative '../test_helper'
+
+class TokenAuthTest < ActionController::TestCase
+ tests V1::ConfigsController
+
+ def test_login_via_api_token
+ with_config(:allow_anonymous_certs => false) do
+ monitor_auth do
+ get :index
+ assert assigns(:token), 'should have authenticated via api token'
+ assert assigns(:token).is_a? ApiToken
+ assert @controller.send(:current_user).is_a? ApiMonitorUser
+ end
+ end
+ end
+
+ def test_fail_api_auth_when_ip_not_allowed
+ with_config(:allow_anonymous_certs => false) do
+ allowed = "99.99.99.99"
+ new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
+ with_config(new_config) do
+ monitor_auth do
+ request.env['REMOTE_ADDR'] = "1.1.1.1"
+ get :index
+ assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
+ request.env['REMOTE_ADDR'] = allowed
+ get :index
+ assert assigns(:token), "should have authenticated via api token"
+ end
+ end
+ end
+ end
+
+end
+
diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb
index 236c547..7216496 100644
--- a/test/integration/api/signup_test.rb
+++ b/test/integration/api/signup_test.rb
@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative '../../test_helper'
 require_relative 'srp_test'
 
 class SignupTest < SrpTest
@@ -8,7 +8,7 @@ class SignupTest < SrpTest
 end
 
 test "signup response" do
- assert_json_response :login => @login, :ok => true
+ assert_json_response :login => @login, :ok => true, :id => @user.id, :enabled => true
 assert last_response.successful?
 end
-- cgit v1.2.3
From 48acca107b9bd7a59bacb1449b042eb753e63917 Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 30 Mar 2016 17:06:32 -0700
Subject: api: return proper 404 for GET /1/identities/:id.json
---
 test/functional/v1/identities_controller_test.rb | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'test')
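Review bot: `test_fail_api_auth_when_ip_not_allowed` checks one allowed address against one disallowed one, and `test_login_via_api_token` covers the case where `allowed_ips` is absent (no restriction), but nothing pins the meaning of an empty list; whether `allowed_ips: []` denies everyone or falls back to "no restriction" is the default posture of this feature, and a change flipping it would pass this file. Add a case that merges `allowed_ips: []` the same way and asserts `assigns(:token)` is nil from any `REMOTE_ADDR`, with a one-line comment stating which behaviour is intended. Also note that `new_config` mixes the string keys of `APP_CONFIG["api_tokens"]` with a symbol `allowed_ips:` key; the test passing suggests `with_config` normalises keys, but that is not visible here and deserves a comment so the next reader does not trip on it. Style: `assert assigns(:token).is_a? ApiToken` and the `current_user` check read better as `assert_kind_of ApiToken, assigns(:token)` and `assert_kind_of ApiMonitorUser, @controller.send(:current_user)`, which also yield a useful failure message.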
diff --git a/test/functional/v1/identities_controller_test.rb b/test/functional/v1/identities_controller_test.rb
index 3e88402..6410c44 100644
--- a/test/functional/v1/identities_controller_test.rb
+++ b/test/functional/v1/identities_controller_test.rb
@@ -8,9 +8,13 @@ class V1::IdentitiesControllerTest < ActionController::TestCase
 get :show, :id => identity.address, :format => 'json'
 assert_response :success
 assert_equal identity, assigns(:identity)
+
+ get :show, :id => "blahblahblah", :format => 'json'
+ assert_response :not_found
 end
 end
 
+
 test "anonymous cannot fetch identity" do
 identity = FactoryGirl.create :identity
 get :show, :id => identity.address, :format => 'json'
-- cgit v1.2.3
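Review bot: The 404 for an unknown address is asserted only under `monitor_auth`; the anonymous test is left unchanged, so nothing pins that an unauthenticated request receives the same `:forbidden` for an unknown address as for an existing one, and if the lookup ran before the authorization check the status code alone would tell an anonymous caller whether an address exists. Extend `anonymous cannot fetch identity`, whose body continues outside the hunk, with `get :show, :id => "blahblahblah", :format => 'json'` followed by `assert_response :forbidden`. The hunk also adds a second blank line between the two tests; one is enough.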