From 67f17e65b9e9e8ad2991b9c4002dba5203baa77f Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 8 Feb 2014 11:13:10 +0100 Subject: refactor tests to ease the testing of token only auth --- users/test/integration/api/account_flow_test.rb | 114 +++++------------------- users/test/integration/api/login_test.rb | 3 +- users/test/integration/api/pgp_key_test.rb | 35 ++++++++ users/test/integration/api/rack_test.rb | 9 -- users/test/integration/api/srp_test.rb | 83 +++++++++++++++++ 5 files changed, 141 insertions(+), 103 deletions(-) create mode 100644 users/test/integration/api/pgp_key_test.rb delete mode 100644 users/test/integration/api/rack_test.rb create mode 100644 users/test/integration/api/srp_test.rb (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index edd0859..b56d07b 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -1,50 +1,10 @@ require 'test_helper' -require_relative 'rack_test' +require_relative 'srp_test' -class AccountFlowTest < RackTest +class AccountFlowTest < SrpTest setup do - @login = "integration_test_user" - Identity.find_by_address(@login + '@' + APP_CONFIG[:domain]).tap{|i| i.destroy if i} - User.find_by_login(@login).tap{|u| u.destroy if u} - @password = "srp, verify me!" - @srp = SRP::Client.new @login, :password => @password - @user_params = { - :login => @login, - :password_verifier => @srp.verifier.to_s(16), - :password_salt => @srp.salt.to_s(16) - } - post 'http://api.lvh.me:3000/1/users.json', :user => @user_params - @user = User.find_by_login(@login) - end - - teardown do - if @user.reload - @user.identity.destroy - @user.destroy - end - Warden.test_reset! - end - - # this test wraps the api and implements the interface the ruby-srp client. - def handshake(login, aa) - post "http://api.lvh.me:3000/1/sessions.json", - :login => login, - 'A' => aa, - :format => :json - response = JSON.parse(last_response.body) - if response['errors'] - raise RECORD_NOT_FOUND.new(response['errors']) - else - return response['B'] - end - end - - def validate(m) - put "http://api.lvh.me:3000/1/sessions/" + @login + '.json', - :client_auth => m, - :format => :json - return JSON.parse(last_response.body) + register_user end test "signup response" do @@ -53,25 +13,22 @@ class AccountFlowTest < RackTest end test "signup and login with srp via api" do - server_auth = @srp.authenticate(self) + authenticate assert last_response.successful? assert_nil server_auth["errors"] assert server_auth["M2"] end test "signup and wrong password login attempt" do - srp = SRP::Client.new @login, :password => "wrong password" - server_auth = srp.authenticate(self) + authenticate password: "wrong password" assert_json_error "base" => "Not a valid username/password combination" assert !last_response.successful? assert_nil server_auth["M2"] end test "signup and wrong username login attempt" do - srp = SRP::Client.new "wrong_login", :password => @password - server_auth = nil assert_raises RECORD_NOT_FOUND do - server_auth = srp.authenticate(self) + authenticate login: "wrong login" end assert_json_error "base" => "Not a valid username/password combination" assert !last_response.successful? @@ -79,58 +36,31 @@ class AccountFlowTest < RackTest end test "update password via api" do - @srp.authenticate(self) - @password = "No! Verify me instead." - @srp = SRP::Client.new @login, :password => @password - @user_params = { - # :login => @login, - :password_verifier => @srp.verifier.to_s(16), - :password_salt => @srp.salt.to_s(16) - } - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', - :user => @user_params, - :format => :json - server_auth = @srp.authenticate(self) + authenticate + update_user password: "No! Verify me instead." + authenticate assert last_response.successful? assert_nil server_auth["errors"] assert server_auth["M2"] end + test "change login with password_verifier" do + authenticate + new_login = 'zaph' + cleanup_user new_login + update_user login: new_login, password: @password + assert last_response.successful? + assert_equal new_login, @user.reload.login + end + test "prevent changing login without changing password_verifier" do - server_auth = @srp.authenticate(self) + authenticate original_login = @user.login new_login = 'zaph' - User.find_by_login(new_login).try(:destroy) - Identity.by_address.key(new_login + '@' + APP_CONFIG[:domain]).each do |identity| - identity.destroy - end - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:login => new_login}, :format => :json + cleanup_user new_login + update_user login: new_login assert last_response.successful? # does not change login if no password_verifier is present - assert_equal original_login, @user.login - end - - test "upload pgp key" do - server_auth = @srp.authenticate(self) - key = FactoryGirl.build :pgp_key - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json - assert_equal key, Identity.for(@user).keys[:pgp] + assert_equal original_login, @user.reload.login end - - # eventually probably want to remove most of this into a non-integration - # functional test - test "prevent uploading invalid key" do - server_auth = @srp.authenticate(self) - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => :blah}, :format => :json - assert_nil Identity.for(@user).keys[:pgp] - end - - test "prevent emptying public key" do - server_auth = @srp.authenticate(self) - key = FactoryGirl.build :pgp_key - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => ""}, :format => :json - assert_equal key, Identity.for(@user).keys[:pgp] - end - end diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb index fb761e5..a760d38 100644 --- a/users/test/integration/api/login_test.rb +++ b/users/test/integration/api/login_test.rb @@ -1,7 +1,6 @@ require 'test_helper' -require_relative 'rack_test' -class AccountFlowTest < RackTest +class LoginTest < RackTest setup do @login = "integration_test_user" diff --git a/users/test/integration/api/pgp_key_test.rb b/users/test/integration/api/pgp_key_test.rb new file mode 100644 index 0000000..4c7fb4c --- /dev/null +++ b/users/test/integration/api/pgp_key_test.rb @@ -0,0 +1,35 @@ +require 'test_helper' +require_relative 'srp_test' + +class PgpKeyTest < SrpTest + + setup do + # todo: prepare user and login without doing the srp dance + register_user + authenticate + end + + test "upload pgp key" do + update_user public_key: key + assert_equal key, Identity.for(@user).keys[:pgp] + end + + # eventually probably want to remove most of this into a non-integration + # functional test + test "prevent uploading invalid key" do + update_user public_key: "invalid key" + assert_nil Identity.for(@user).keys[:pgp] + end + + test "prevent emptying public key" do + update_user public_key: key + update_user public_key: "" + assert_equal key, Identity.for(@user).keys[:pgp] + end + + protected + + def key + @key ||= FactoryGirl.build :pgp_key + end +end diff --git a/users/test/integration/api/rack_test.rb b/users/test/integration/api/rack_test.rb deleted file mode 100644 index 9a69f52..0000000 --- a/users/test/integration/api/rack_test.rb +++ /dev/null @@ -1,9 +0,0 @@ -class RackTest < ActiveSupport::TestCase - include Rack::Test::Methods - include Warden::Test::Helpers - include LeapWebCore::AssertResponses - - def app - OUTER_APP - end -end diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb new file mode 100644 index 0000000..b291269 --- /dev/null +++ b/users/test/integration/api/srp_test.rb @@ -0,0 +1,83 @@ +class SrpTest < RackTest + + teardown do + if @user + cleanup_user + end + Warden.test_reset! + end + + # this test wraps the api and implements the interface the ruby-srp client. + def handshake(login, aa) + post "http://api.lvh.me:3000/1/sessions.json", + :login => login, + 'A' => aa, + :format => :json + response = JSON.parse(last_response.body) + if response['errors'] + raise RECORD_NOT_FOUND.new(response['errors']) + else + return response['B'] + end + end + + def validate(m) + put "http://api.lvh.me:3000/1/sessions/" + @login + '.json', + :client_auth => m, + :format => :json + return JSON.parse(last_response.body) + end + + protected + + attr_reader :server_auth + + def register_user(login = "integration_test_user", password = 'srp, verify me!') + cleanup_user(login) + post 'http://api.lvh.me:3000/1/users.json', + user: user_params(login: login, password: password), + format: :json + @user = User.find_by_login(login) + @login = login + @password = password + end + + def update_user(params) + put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + :user => user_params(params), + :format => :json + end + + def authenticate(params = nil) + @server_auth = srp(params).authenticate(self) + end + + def cleanup_user(login = nil) + login ||= @user.login + Identity.by_address.key(login + '@' + APP_CONFIG[:domain]).each do |identity| + identity.destroy + end + if user = User.find_by_login(login) + user.destroy + end + end + + def user_params(params) + # if there is no srp magic needed just return the params + return params unless params.keys.include?(:password) + params.reverse_merge! login: @login, salt: @salt + @srp = SRP::Client.new params[:login], password: params.delete(:password) + @salt = srp.salt.to_s(16) + params.merge :password_verifier => srp.verifier.to_s(16), + :password_salt => @salt + end + + def srp(params = nil) + if params.nil? + @srp + else + params.reverse_merge! password: @password + SRP::Client.new(params.delete(:login) || @login, params) + end + end +end -- cgit v1.2.3 From 758b9a3c30a73fd985943fb7a887f0373be3a833 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 8 Feb 2014 12:29:08 +0100 Subject: split up and expand account integration test --- users/test/integration/api/account_flow_test.rb | 66 ----------------------- users/test/integration/api/login_test.rb | 38 +++++++++++-- users/test/integration/api/signup_test.rb | 20 +++++++ users/test/integration/api/srp_test.rb | 5 ++ users/test/integration/api/update_account_test.rb | 44 +++++++++++++++ 5 files changed, 102 insertions(+), 71 deletions(-) delete mode 100644 users/test/integration/api/account_flow_test.rb create mode 100644 users/test/integration/api/signup_test.rb create mode 100644 users/test/integration/api/update_account_test.rb (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb deleted file mode 100644 index b56d07b..0000000 --- a/users/test/integration/api/account_flow_test.rb +++ /dev/null @@ -1,66 +0,0 @@ -require 'test_helper' -require_relative 'srp_test' - -class AccountFlowTest < SrpTest - - setup do - register_user - end - - test "signup response" do - assert_json_response :login => @login, :ok => true - assert last_response.successful? - end - - test "signup and login with srp via api" do - authenticate - assert last_response.successful? - assert_nil server_auth["errors"] - assert server_auth["M2"] - end - - test "signup and wrong password login attempt" do - authenticate password: "wrong password" - assert_json_error "base" => "Not a valid username/password combination" - assert !last_response.successful? - assert_nil server_auth["M2"] - end - - test "signup and wrong username login attempt" do - assert_raises RECORD_NOT_FOUND do - authenticate login: "wrong login" - end - assert_json_error "base" => "Not a valid username/password combination" - assert !last_response.successful? - assert_nil server_auth - end - - test "update password via api" do - authenticate - update_user password: "No! Verify me instead." - authenticate - assert last_response.successful? - assert_nil server_auth["errors"] - assert server_auth["M2"] - end - - test "change login with password_verifier" do - authenticate - new_login = 'zaph' - cleanup_user new_login - update_user login: new_login, password: @password - assert last_response.successful? - assert_equal new_login, @user.reload.login - end - - test "prevent changing login without changing password_verifier" do - authenticate - original_login = @user.login - new_login = 'zaph' - cleanup_user new_login - update_user login: new_login - assert last_response.successful? - # does not change login if no password_verifier is present - assert_equal original_login, @user.reload.login - end -end diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb index a760d38..82219d0 100644 --- a/users/test/integration/api/login_test.rb +++ b/users/test/integration/api/login_test.rb @@ -1,15 +1,43 @@ require 'test_helper' +require_relative 'srp_test' -class LoginTest < RackTest +class LoginTest < SrpTest setup do - @login = "integration_test_user" + register_user end - test "require json requests" do - put "http://api.lvh.me:3000/1/sessions/" + @login, - :client_auth => "This is not a valid login anyway" + test "requires handshake before validation" do + validate("bla") assert_json_error login: I18n.t(:all_strategies_failed) end + test "login with srp" do + authenticate + assert last_response.successful? + assert_nil server_auth["errors"] + assert server_auth["M2"] + end + + test "wrong password login attempt" do + authenticate password: "wrong password" + assert_json_error "base" => "Not a valid username/password combination" + assert !last_response.successful? + assert_nil server_auth["M2"] + end + + test "wrong username login attempt" do + assert_raises RECORD_NOT_FOUND do + authenticate login: "wrong login" + end + assert_json_error "base" => "Not a valid username/password combination" + assert !last_response.successful? + assert_nil server_auth + end + + test "logout" do + authenticate + logout + assert_equal 204, last_response.status + end end diff --git a/users/test/integration/api/signup_test.rb b/users/test/integration/api/signup_test.rb new file mode 100644 index 0000000..236c547 --- /dev/null +++ b/users/test/integration/api/signup_test.rb @@ -0,0 +1,20 @@ +require 'test_helper' +require_relative 'srp_test' + +class SignupTest < SrpTest + + setup do + register_user + end + + test "signup response" do + assert_json_response :login => @login, :ok => true + assert last_response.successful? + end + + test "signup creates user" do + assert @user + assert_equal @login, @user.login + end +end + diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb index b291269..bb24f5f 100644 --- a/users/test/integration/api/srp_test.rb +++ b/users/test/integration/api/srp_test.rb @@ -52,6 +52,11 @@ class SrpTest < RackTest @server_auth = srp(params).authenticate(self) end + def logout + delete "http://api.lvh.me:3000/1/logout.json", + format: :json + end + def cleanup_user(login = nil) login ||= @user.login Identity.by_address.key(login + '@' + APP_CONFIG[:domain]).each do |identity| diff --git a/users/test/integration/api/update_account_test.rb b/users/test/integration/api/update_account_test.rb new file mode 100644 index 0000000..16c2357 --- /dev/null +++ b/users/test/integration/api/update_account_test.rb @@ -0,0 +1,44 @@ +require 'test_helper' +require_relative 'srp_test' + +class UpdateAccountTest < SrpTest + + setup do + register_user + end + + test "require authentication" do + update_user password: "No! Verify me instead." + assert_access_denied + end + + test "update password via api" do + authenticate + update_user password: "No! Verify me instead." + authenticate + assert last_response.successful? + assert_nil server_auth["errors"] + assert server_auth["M2"] + end + + test "change login with password_verifier" do + authenticate + new_login = 'zaph' + cleanup_user new_login + update_user login: new_login, password: @password + authenticate + assert last_response.successful? + assert_equal new_login, @user.reload.login + end + + test "prevent changing login without changing password_verifier" do + authenticate + original_login = @user.login + new_login = 'zaph' + cleanup_user new_login + update_user login: new_login + assert last_response.successful? + # does not change login if no password_verifier is present + assert_equal original_login, @user.reload.login + end +end -- cgit v1.2.3 From cbd757cf151cd61bfdd5637d09f43e4831fec3bb Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 8 Feb 2014 16:15:46 +0100 Subject: require token when updating user via API --- users/test/integration/api/login_test.rb | 1 + users/test/integration/api/srp_test.rb | 29 +++++++++++++++++------ users/test/integration/api/update_account_test.rb | 7 ++++++ 3 files changed, 30 insertions(+), 7 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb index 82219d0..d56dfd1 100644 --- a/users/test/integration/api/login_test.rb +++ b/users/test/integration/api/login_test.rb @@ -14,6 +14,7 @@ class LoginTest < SrpTest test "login with srp" do authenticate + assert_equal ["M2", "id", "token"], server_auth.keys assert last_response.successful? assert_nil server_auth["errors"] assert server_auth["M2"] diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb index bb24f5f..fcda187 100644 --- a/users/test/integration/api/srp_test.rb +++ b/users/test/integration/api/srp_test.rb @@ -35,8 +35,7 @@ class SrpTest < RackTest def register_user(login = "integration_test_user", password = 'srp, verify me!') cleanup_user(login) post 'http://api.lvh.me:3000/1/users.json', - user: user_params(login: login, password: password), - format: :json + user_params(login: login, password: password) @user = User.find_by_login(login) @login = login @password = password @@ -44,14 +43,25 @@ class SrpTest < RackTest def update_user(params) put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', - :user => user_params(params), - :format => :json + user_params(params), + auth_headers end def authenticate(params = nil) @server_auth = srp(params).authenticate(self) end + def auth_headers + return {} if @server_auth.nil? + { + "HTTP_AUTHORIZATION" => encoded_token + } + end + + def encoded_token + ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"]) + end + def logout delete "http://api.lvh.me:3000/1/logout.json", format: :json @@ -68,12 +78,17 @@ class SrpTest < RackTest end def user_params(params) - # if there is no srp magic needed just return the params - return params unless params.keys.include?(:password) + if params.keys.include?(:password) + srp_process_password(params) + end + return { user: params, format: :json } + end + + def srp_process_password(params) params.reverse_merge! login: @login, salt: @salt @srp = SRP::Client.new params[:login], password: params.delete(:password) @salt = srp.salt.to_s(16) - params.merge :password_verifier => srp.verifier.to_s(16), + params.merge! :password_verifier => srp.verifier.to_s(16), :password_salt => @salt end diff --git a/users/test/integration/api/update_account_test.rb b/users/test/integration/api/update_account_test.rb index 16c2357..63429e7 100644 --- a/users/test/integration/api/update_account_test.rb +++ b/users/test/integration/api/update_account_test.rb @@ -12,6 +12,13 @@ class UpdateAccountTest < SrpTest assert_access_denied end + test "require token" do + authenticate + put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + user_params(password: "No! Verify me instead.") + assert_access_denied + end + test "update password via api" do authenticate update_user password: "No! Verify me instead." -- cgit v1.2.3 From c8fcd0d26c3ad5c1c3cfbaf6b57239f907925ed6 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 8 Feb 2014 16:20:37 +0100 Subject: require token when logging out via API --- users/test/integration/api/login_test.rb | 6 ++++++ users/test/integration/api/srp_test.rb | 5 +++-- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb index d56dfd1..92d153f 100644 --- a/users/test/integration/api/login_test.rb +++ b/users/test/integration/api/login_test.rb @@ -41,4 +41,10 @@ class LoginTest < SrpTest logout assert_equal 204, last_response.status end + + test "logout requires token" do + authenticate + logout(nil, {}) + assert_equal 422, last_response.status + end end diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb index fcda187..946450e 100644 --- a/users/test/integration/api/srp_test.rb +++ b/users/test/integration/api/srp_test.rb @@ -62,9 +62,10 @@ class SrpTest < RackTest ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"]) end - def logout + def logout(params=nil, headers=nil) delete "http://api.lvh.me:3000/1/logout.json", - format: :json + params || {format: :json}, + headers || auth_headers end def cleanup_user(login = nil) -- cgit v1.2.3 From b6d14dc19dd350a807826e3e097738a36613e083 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 8 Apr 2014 11:49:14 +0200 Subject: moving users: app and test files --- users/test/integration/api/Readme.md | 23 ----- users/test/integration/api/login_test.rb | 50 ---------- users/test/integration/api/pgp_key_test.rb | 35 ------- users/test/integration/api/python/flow_with_srp.py | 96 ------------------- .../integration/api/python/login_wrong_username.py | 19 ---- users/test/integration/api/python/signup.py | 20 ---- .../integration/api/python/signup_and_login.py | 44 --------- .../api/python/signup_and_login_wrong_password.py | 43 --------- users/test/integration/api/python/umlauts.py | 79 ---------------- users/test/integration/api/signup_test.rb | 20 ---- users/test/integration/api/srp_test.rb | 104 --------------------- users/test/integration/api/update_account_test.rb | 51 ---------- 12 files changed, 584 deletions(-) delete mode 100644 users/test/integration/api/Readme.md delete mode 100644 users/test/integration/api/login_test.rb delete mode 100644 users/test/integration/api/pgp_key_test.rb delete mode 100755 users/test/integration/api/python/flow_with_srp.py delete mode 100755 users/test/integration/api/python/login_wrong_username.py delete mode 100755 users/test/integration/api/python/signup.py delete mode 100755 users/test/integration/api/python/signup_and_login.py delete mode 100755 users/test/integration/api/python/signup_and_login_wrong_password.py delete mode 100755 users/test/integration/api/python/umlauts.py delete mode 100644 users/test/integration/api/signup_test.rb delete mode 100644 users/test/integration/api/srp_test.rb delete mode 100644 users/test/integration/api/update_account_test.rb (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/Readme.md b/users/test/integration/api/Readme.md deleted file mode 100644 index 04363bd..0000000 --- a/users/test/integration/api/Readme.md +++ /dev/null @@ -1,23 +0,0 @@ -API tests -========== - - -Testing the restful api from a simple python client as that's what we'll be using. - -This test so far mostly demoes the API. We have no SRP calc in there. - -TODO: keep track of the cookies during login. The server uses the session to keep track of the random numbers A and B. - -The output of signup_and_login_wrong_password pretty well describes the SRP API: - -``` -POST: http://localhost:9292/users.json - {"user[password_salt]": "54321", "user[password_verifier]": "12345", "user[login]": "SWQ055"} - -> {"password_salt":"54321","login":"SWQ055"} -POST: http://localhost:9292/sessions - {"A": "12345", "login": "SWQ055"} - -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"} -PUT: http://localhost:9292/sessions/SWQ055 - {"M": "123ABC"} - -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]} -``` diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb deleted file mode 100644 index 92d153f..0000000 --- a/users/test/integration/api/login_test.rb +++ /dev/null @@ -1,50 +0,0 @@ -require 'test_helper' -require_relative 'srp_test' - -class LoginTest < SrpTest - - setup do - register_user - end - - test "requires handshake before validation" do - validate("bla") - assert_json_error login: I18n.t(:all_strategies_failed) - end - - test "login with srp" do - authenticate - assert_equal ["M2", "id", "token"], server_auth.keys - assert last_response.successful? - assert_nil server_auth["errors"] - assert server_auth["M2"] - end - - test "wrong password login attempt" do - authenticate password: "wrong password" - assert_json_error "base" => "Not a valid username/password combination" - assert !last_response.successful? - assert_nil server_auth["M2"] - end - - test "wrong username login attempt" do - assert_raises RECORD_NOT_FOUND do - authenticate login: "wrong login" - end - assert_json_error "base" => "Not a valid username/password combination" - assert !last_response.successful? - assert_nil server_auth - end - - test "logout" do - authenticate - logout - assert_equal 204, last_response.status - end - - test "logout requires token" do - authenticate - logout(nil, {}) - assert_equal 422, last_response.status - end -end diff --git a/users/test/integration/api/pgp_key_test.rb b/users/test/integration/api/pgp_key_test.rb deleted file mode 100644 index 4c7fb4c..0000000 --- a/users/test/integration/api/pgp_key_test.rb +++ /dev/null @@ -1,35 +0,0 @@ -require 'test_helper' -require_relative 'srp_test' - -class PgpKeyTest < SrpTest - - setup do - # todo: prepare user and login without doing the srp dance - register_user - authenticate - end - - test "upload pgp key" do - update_user public_key: key - assert_equal key, Identity.for(@user).keys[:pgp] - end - - # eventually probably want to remove most of this into a non-integration - # functional test - test "prevent uploading invalid key" do - update_user public_key: "invalid key" - assert_nil Identity.for(@user).keys[:pgp] - end - - test "prevent emptying public key" do - update_user public_key: key - update_user public_key: "" - assert_equal key, Identity.for(@user).keys[:pgp] - end - - protected - - def key - @key ||= FactoryGirl.build :pgp_key - end -end diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py deleted file mode 100755 index 9fc168b..0000000 --- a/users/test/integration/api/python/flow_with_srp.py +++ /dev/null @@ -1,96 +0,0 @@ -#!/usr/bin/env python - -# under development - -import requests -import json -import string -import random -import srp._pysrp as srp -import binascii - -safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) - -# using globals for now -# server = 'https://dev.bitmask.net/1' -server = 'http://api.lvh.me:3000/1' - -def run_tests(): - login = 'test_' + id_generator() - password = id_generator() + id_generator() - usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) - print_and_parse(signup(login, password)) - - auth = print_and_parse(authenticate(usr)) - verify_or_debug(auth, usr) - assert usr.authenticated() - - usr = change_password(auth['id'], login, auth['token']) - - auth = print_and_parse(authenticate(usr)) - verify_or_debug(auth, usr) - # At this point the authentication process is complete. - assert usr.authenticated() - -# let's have some random name -def id_generator(size=6, chars=string.ascii_lowercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -# log the server communication -def print_and_parse(response): - request = response.request - print request.method + ': ' + response.url - if hasattr(request, 'data'): - print " " + json.dumps(response.request.data) - print " -> " + response.text - try: - return json.loads(response.text) - except ValueError: - return None - -def signup(login, password): - salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - user_params = { - 'user[login]': login, - 'user[password_verifier]': binascii.hexlify(vkey), - 'user[password_salt]': binascii.hexlify(salt) - } - return requests.post(server + '/users.json', data = user_params, verify = False) - -def change_password(user_id, login, token): - password = id_generator() + id_generator() - salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - user_params = { - 'user[password_verifier]': binascii.hexlify(vkey), - 'user[password_salt]': binascii.hexlify(salt) - } - auth_headers = { 'Authorization': 'Token token="' + token + '"'} - print user_params - print_and_parse(requests.put(server + '/users/' + user_id + '.json', data = user_params, verify = False, headers = auth_headers)) - return srp.User( login, password, srp.SHA256, srp.NG_1024 ) - - -def authenticate(usr): - session = requests.session() - uname, A = usr.start_authentication() - params = { - 'login': uname, - 'A': binascii.hexlify(A) - } - init = print_and_parse(session.post(server + '/sessions', data = params, verify=False)) - M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - return session.put(server + '/sessions/' + uname, verify = False, - data = {'client_auth': binascii.hexlify(M)}) - -def verify_or_debug(auth, usr): - if ( 'errors' in auth ): - print ' u = "%x"' % usr.u - print ' x = "%x"' % usr.x - print ' v = "%x"' % usr.v - print ' S = "%x"' % usr.S - print ' K = "' + binascii.hexlify(usr.K) + '"' - print ' M = "' + binascii.hexlify(usr.M) + '"' - else: - usr.verify_session( safe_unhexlify(auth["M2"]) ) - -run_tests() diff --git a/users/test/integration/api/python/login_wrong_username.py b/users/test/integration/api/python/login_wrong_username.py deleted file mode 100755 index 390f250..0000000 --- a/users/test/integration/api/python/login_wrong_username.py +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env python - -server = 'http://localhost:3000' - -import requests -import json -import string -import random - -def id_generator(size=6, chars=string.ascii_uppercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -params = { - 'login': 'python_test_user_'+id_generator(), - 'A': '12345', - } -r = requests.post(server + '/sessions', data = params) -print r.url -print r.text diff --git a/users/test/integration/api/python/signup.py b/users/test/integration/api/python/signup.py deleted file mode 100755 index 0d3a4e0..0000000 --- a/users/test/integration/api/python/signup.py +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env python - -server = 'http://localhost:3000' - -import requests -import json -import string -import random - -def id_generator(size=6, chars=string.ascii_uppercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -user_params = { - 'user[login]': 'python_test_user_'+id_generator(), - 'user[password_verifier]': '12345', - 'user[password_salt]': '54321' - } -r = requests.post(server + '/users.json', data = user_params) -print r.url -print r.text diff --git a/users/test/integration/api/python/signup_and_login.py b/users/test/integration/api/python/signup_and_login.py deleted file mode 100755 index ac611d7..0000000 --- a/users/test/integration/api/python/signup_and_login.py +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env python - -# FAILS -# -# This test is currently failing for me because the session is not kept. -# Played with it a bunch - is probably messed up right now as well. - - -server = 'http://localhost:3000' - -import requests -import json -import string -import random - -def id_generator(size=6, chars=string.ascii_uppercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -def print_and_parse(response): - print response.request.method + ': ' + response.url - print " " + json.dumps(response.request.data) - print " -> " + response.text - return json.loads(response.text) - -def signup(session): - user_params = { - 'user[login]': id_generator(), - 'user[password_verifier]': '12345', - 'user[password_salt]': 'AB54321' - } - return session.post(server + '/users.json', data = user_params) - -def authenticate(session, login): - params = { - 'login': login, - 'A': '12345', - } - init = print_and_parse(session.post(server + '/sessions', data = params)) - return session.put(server + '/sessions/' + login, data = {'client_auth': '123'}) - -session = requests.session() -user = print_and_parse(signup(session)) -# SRP signup would happen here and calculate M hex -auth = print_and_parse(authenticate(session, user['login'])) diff --git a/users/test/integration/api/python/signup_and_login_wrong_password.py b/users/test/integration/api/python/signup_and_login_wrong_password.py deleted file mode 100755 index 9efffa1..0000000 --- a/users/test/integration/api/python/signup_and_login_wrong_password.py +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/env python - -server = 'http://localhost:9292' - -import requests -import json -import string -import random - -def id_generator(size=6, chars=string.ascii_uppercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -def print_and_parse(response): - print response.request.method + ': ' + response.url - print " " + json.dumps(response.request.data) - print " -> " + response.text -# print " () " + json.dumps(requests.utils.dict_from_cookiejar(response.cookies)) - return json.loads(response.text) - -def signup(): - user_params = { - 'user[login]': id_generator(), - 'user[password_verifier]': '12345', - 'user[password_salt]': '54321' - } - return requests.post(server + '/users.json', data = user_params) - -def handshake(login): - params = { - 'login': login, - 'A': '12345', - } - return requests.post(server + '/sessions', data = params) - -def authenticate(login, M): - return requests.put(server + '/sessions/' + login, data = {'M': M}) - - -user = print_and_parse(signup()) -handshake = print_and_parse(handshake(user['login'])) -# SRP signup would happen here and calculate M hex -M = '123ABC' -auth = print_and_parse(authenticate(user['login'], M)) diff --git a/users/test/integration/api/python/umlauts.py b/users/test/integration/api/python/umlauts.py deleted file mode 100755 index 96fecbf..0000000 --- a/users/test/integration/api/python/umlauts.py +++ /dev/null @@ -1,79 +0,0 @@ -#!/usr/bin/env python -# coding: utf-8 - -# under development - -import requests -import json -import string -import random -import srp._pysrp as srp -import binascii - -safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) - -# using globals for now -# server = 'https://dev.bitmask.net/1' -server = 'http://api.lvh.me:3000/1' - -def run_tests(): - login = 'test_' + id_generator() - password = id_generator() + "äöì" + id_generator() - usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) - print_and_parse(signup(login, password)) - - auth = print_and_parse(authenticate(usr)) - verify_or_debug(auth, usr) - assert usr.authenticated() - - -# let's have some random name -def id_generator(size=6, chars=string.ascii_lowercase + string.digits): - return ''.join(random.choice(chars) for x in range(size)) - -# log the server communication -def print_and_parse(response): - request = response.request - print request.method + ': ' + response.url - if hasattr(request, 'data'): - print " " + json.dumps(response.request.data) - print " -> " + response.text - try: - return json.loads(response.text) - except ValueError: - return None - -def signup(login, password): - salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - user_params = { - 'user[login]': login, - 'user[password_verifier]': binascii.hexlify(vkey), - 'user[password_salt]': binascii.hexlify(salt) - } - print json.dumps(user_params) - return requests.post(server + '/users.json', data = user_params, verify = False) - -def authenticate(usr): - session = requests.session() - uname, A = usr.start_authentication() - params = { - 'login': uname, - 'A': binascii.hexlify(A) - } - init = print_and_parse(session.post(server + '/sessions', data = params, verify=False)) - M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - return session.put(server + '/sessions/' + uname, verify = False, - data = {'client_auth': binascii.hexlify(M)}) - -def verify_or_debug(auth, usr): - if ( 'errors' in auth ): - print ' u = "%x"' % usr.u - print ' x = "%x"' % usr.x - print ' v = "%x"' % usr.v - print ' S = "%x"' % usr.S - print ' K = "' + binascii.hexlify(usr.K) + '"' - print ' M = "' + binascii.hexlify(usr.M) + '"' - else: - usr.verify_session( safe_unhexlify(auth["M2"]) ) - -run_tests() diff --git a/users/test/integration/api/signup_test.rb b/users/test/integration/api/signup_test.rb deleted file mode 100644 index 236c547..0000000 --- a/users/test/integration/api/signup_test.rb +++ /dev/null @@ -1,20 +0,0 @@ -require 'test_helper' -require_relative 'srp_test' - -class SignupTest < SrpTest - - setup do - register_user - end - - test "signup response" do - assert_json_response :login => @login, :ok => true - assert last_response.successful? - end - - test "signup creates user" do - assert @user - assert_equal @login, @user.login - end -end - diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb deleted file mode 100644 index 946450e..0000000 --- a/users/test/integration/api/srp_test.rb +++ /dev/null @@ -1,104 +0,0 @@ -class SrpTest < RackTest - - teardown do - if @user - cleanup_user - end - Warden.test_reset! - end - - # this test wraps the api and implements the interface the ruby-srp client. - def handshake(login, aa) - post "http://api.lvh.me:3000/1/sessions.json", - :login => login, - 'A' => aa, - :format => :json - response = JSON.parse(last_response.body) - if response['errors'] - raise RECORD_NOT_FOUND.new(response['errors']) - else - return response['B'] - end - end - - def validate(m) - put "http://api.lvh.me:3000/1/sessions/" + @login + '.json', - :client_auth => m, - :format => :json - return JSON.parse(last_response.body) - end - - protected - - attr_reader :server_auth - - def register_user(login = "integration_test_user", password = 'srp, verify me!') - cleanup_user(login) - post 'http://api.lvh.me:3000/1/users.json', - user_params(login: login, password: password) - @user = User.find_by_login(login) - @login = login - @password = password - end - - def update_user(params) - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', - user_params(params), - auth_headers - end - - def authenticate(params = nil) - @server_auth = srp(params).authenticate(self) - end - - def auth_headers - return {} if @server_auth.nil? - { - "HTTP_AUTHORIZATION" => encoded_token - } - end - - def encoded_token - ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"]) - end - - def logout(params=nil, headers=nil) - delete "http://api.lvh.me:3000/1/logout.json", - params || {format: :json}, - headers || auth_headers - end - - def cleanup_user(login = nil) - login ||= @user.login - Identity.by_address.key(login + '@' + APP_CONFIG[:domain]).each do |identity| - identity.destroy - end - if user = User.find_by_login(login) - user.destroy - end - end - - def user_params(params) - if params.keys.include?(:password) - srp_process_password(params) - end - return { user: params, format: :json } - end - - def srp_process_password(params) - params.reverse_merge! login: @login, salt: @salt - @srp = SRP::Client.new params[:login], password: params.delete(:password) - @salt = srp.salt.to_s(16) - params.merge! :password_verifier => srp.verifier.to_s(16), - :password_salt => @salt - end - - def srp(params = nil) - if params.nil? - @srp - else - params.reverse_merge! password: @password - SRP::Client.new(params.delete(:login) || @login, params) - end - end -end diff --git a/users/test/integration/api/update_account_test.rb b/users/test/integration/api/update_account_test.rb deleted file mode 100644 index 63429e7..0000000 --- a/users/test/integration/api/update_account_test.rb +++ /dev/null @@ -1,51 +0,0 @@ -require 'test_helper' -require_relative 'srp_test' - -class UpdateAccountTest < SrpTest - - setup do - register_user - end - - test "require authentication" do - update_user password: "No! Verify me instead." - assert_access_denied - end - - test "require token" do - authenticate - put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', - user_params(password: "No! Verify me instead.") - assert_access_denied - end - - test "update password via api" do - authenticate - update_user password: "No! Verify me instead." - authenticate - assert last_response.successful? - assert_nil server_auth["errors"] - assert server_auth["M2"] - end - - test "change login with password_verifier" do - authenticate - new_login = 'zaph' - cleanup_user new_login - update_user login: new_login, password: @password - authenticate - assert last_response.successful? - assert_equal new_login, @user.reload.login - end - - test "prevent changing login without changing password_verifier" do - authenticate - original_login = @user.login - new_login = 'zaph' - cleanup_user new_login - update_user login: new_login - assert last_response.successful? - # does not change login if no password_verifier is present - assert_equal original_login, @user.reload.login - end -end -- cgit v1.2.3