From 7ad6d054d72d3c76098f689e4e7890265a3604c8 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 10:59:18 +0200 Subject: first steps towards enabling token based auth --- users/test/functional/v1/sessions_controller_test.rb | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 0c4e325..8a16997 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -7,7 +7,7 @@ class V1::SessionsControllerTest < ActionController::TestCase setup do @request.env['HTTP_HOST'] = 'api.lvh.me' - @user = stub_record :user + @user = stub_record :user, {}, true @client_hex = 'a123' end @@ -48,13 +48,24 @@ class V1::SessionsControllerTest < ActionController::TestCase assert_response :success assert json_response.keys.include?("id") assert json_response.keys.include?("token") + assert token = Token.find(json_response['token']) + assert_equal @user.id, token.user_id end test "logout should reset warden user" do expect_warden_logout delete :destroy - assert_response :redirect - assert_redirected_to root_url + assert_response 204 + end + + test "logout should remove token" do + login + expect_warden_logout + skip "TODO: implement token removal" + assert_difference "Token.count", -1 do + delete :destroy + assert_response 204 + end end def expect_warden_logout -- cgit v1.2.3 From e60ee749cab0f80cf23ca57e28c7de6d1b3a395b Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 11:14:30 +0200 Subject: basic testing for token based auth in tests --- users/test/factories.rb | 3 +++ users/test/functional/helper_methods_test.rb | 2 +- users/test/functional/test_helpers_test.rb | 38 ++++++++++++++++++++++++++++ users/test/support/auth_test_helper.rb | 9 ++++++- users/test/support/stub_record_helper.rb | 2 +- 5 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 users/test/functional/test_helpers_test.rb (limited to 'users/test') diff --git a/users/test/factories.rb b/users/test/factories.rb index 777704b..c87e290 100644 --- a/users/test/factories.rb +++ b/users/test/factories.rb @@ -18,4 +18,7 @@ FactoryGirl.define do end end end + + factory :token + end diff --git a/users/test/functional/helper_methods_test.rb b/users/test/functional/helper_methods_test.rb index 2b2375c..44226ae 100644 --- a/users/test/functional/helper_methods_test.rb +++ b/users/test/functional/helper_methods_test.rb @@ -11,7 +11,7 @@ class HelperMethodsTest < ActionController::TestCase # we test them right in here... include ApplicationController._helpers - # they all reference the controller. + # the helpers all reference the controller. def controller @controller end diff --git a/users/test/functional/test_helpers_test.rb b/users/test/functional/test_helpers_test.rb new file mode 100644 index 0000000..d1bdb64 --- /dev/null +++ b/users/test/functional/test_helpers_test.rb @@ -0,0 +1,38 @@ +# +# There are a few test helpers for dealing with login etc. +# We test them here and also document their behaviour. +# + +require 'test_helper' + +class TestHelpersTest < ActionController::TestCase + tests ApplicationController # testing no controller in particular + + def test_login_stubs_warden + login + assert_equal @current_user, request.env['warden'].user + end + + def test_login_token_authenticates + login + assert_equal @current_user, @controller.send(:token_authenticate) + end + + def test_login_stubs_token + login + assert @token + assert_equal @current_user.id, @token.user_id + end + + def test_login_adds_token_header + login + token_present = @controller.authenticate_with_http_token do |token, options| + assert_equal @token.id, token + end + # authenticate_with_http_token just returns nil and does not + # execute the block if there is no token. So we have to also + # ensure it was run: + assert token_present + end +end + diff --git a/users/test/support/auth_test_helper.rb b/users/test/support/auth_test_helper.rb index 555b5db..ab6b1ac 100644 --- a/users/test/support/auth_test_helper.rb +++ b/users/test/support/auth_test_helper.rb @@ -13,8 +13,9 @@ module AuthTestHelper if user_or_method_hash.respond_to?(:reverse_merge) user_or_method_hash.reverse_merge! :is_admin? => false end - @current_user = stub_record(:user, user_or_method_hash, true) + @current_user = find_record(:user, user_or_method_hash) request.env['warden'] = stub :user => @current_user + request.env['HTTP_AUTHORIZATION'] = header_for_token_auth return @current_user end @@ -37,6 +38,12 @@ module AuthTestHelper end end + protected + + def header_for_token_auth + @token = find_record(:token, :user_id => @current_user.id) + ActionController::HttpAuthentication::Token.encode_credentials @token.id + end end class ActionController::TestCase diff --git a/users/test/support/stub_record_helper.rb b/users/test/support/stub_record_helper.rb index 8aa1973..b3460d2 100644 --- a/users/test/support/stub_record_helper.rb +++ b/users/test/support/stub_record_helper.rb @@ -1,7 +1,7 @@ module StubRecordHelper # - # We will stub find_by_param or find_by_id to be called on klass and + # We will stub find_by_param or find to be called on klass and # return the record given. # # If no record is given but a hash or nil will create a stub based on -- cgit v1.2.3 From 420bfb326f974eec14b04d6a170ed2d28c14180f Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:36:27 +0200 Subject: clear token on logout with test --- users/test/functional/v1/sessions_controller_test.rb | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 8a16997..ff9fca1 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -52,20 +52,18 @@ class V1::SessionsControllerTest < ActionController::TestCase assert_equal @user.id, token.user_id end - test "logout should reset warden user" do + test "logout should reset session" do expect_warden_logout delete :destroy assert_response 204 end - test "logout should remove token" do + test "logout should destroy token" do login expect_warden_logout - skip "TODO: implement token removal" - assert_difference "Token.count", -1 do - delete :destroy - assert_response 204 - end + @token.expects(:destroy) + delete :destroy + assert_response 204 end def expect_warden_logout @@ -76,5 +74,4 @@ class V1::SessionsControllerTest < ActionController::TestCase request.env['warden'].expects(:logout) end - end -- cgit v1.2.3 From 0b8df3c03f440147f36858246e1003a2d0e2e54a Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:51:56 +0200 Subject: make sure find_record still works with real records --- users/test/support/stub_record_helper.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/support/stub_record_helper.rb b/users/test/support/stub_record_helper.rb index b3460d2..5bccb66 100644 --- a/users/test/support/stub_record_helper.rb +++ b/users/test/support/stub_record_helper.rb @@ -1,15 +1,14 @@ module StubRecordHelper # - # We will stub find_by_param or find to be called on klass and + # We will stub find_by_param or find_by_id to be called on klass and # return the record given. # # If no record is given but a hash or nil will create a stub based on # that instead and returns the stub. # - def find_record(factory, attribs_hash = {}) - attribs_hash = attribs_hash.reverse_merge(:id => Random.rand(10000).to_s) - record = stub_record factory, attribs_hash + def find_record(factory, record_or_attribs_hash = {}) + record = stub_record factory, record_or_attribs_hash, true klass = record.class finder = klass.respond_to?(:find_by_param) ? :find_by_param : :find klass.stubs(finder).with(record.to_param.to_s).returns(record) -- cgit v1.2.3 From 5e6a2a2995598489372676bf8e045dc2dfda6c81 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:55:43 +0200 Subject: token.user will get you the right user This way we can stub the token to return the user directly. Stubbing User.find_by_param is not a good idea as it will make all calls to User#find_by_param with a different id fail. --- users/test/functional/test_helpers_test.rb | 2 +- users/test/support/auth_test_helper.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/test_helpers_test.rb b/users/test/functional/test_helpers_test.rb index d1bdb64..9bd01ad 100644 --- a/users/test/functional/test_helpers_test.rb +++ b/users/test/functional/test_helpers_test.rb @@ -21,7 +21,7 @@ class TestHelpersTest < ActionController::TestCase def test_login_stubs_token login assert @token - assert_equal @current_user.id, @token.user_id + assert_equal @current_user, @token.user end def test_login_adds_token_header diff --git a/users/test/support/auth_test_helper.rb b/users/test/support/auth_test_helper.rb index ab6b1ac..47147fc 100644 --- a/users/test/support/auth_test_helper.rb +++ b/users/test/support/auth_test_helper.rb @@ -13,7 +13,7 @@ module AuthTestHelper if user_or_method_hash.respond_to?(:reverse_merge) user_or_method_hash.reverse_merge! :is_admin? => false end - @current_user = find_record(:user, user_or_method_hash) + @current_user = stub_record(:user, user_or_method_hash) request.env['warden'] = stub :user => @current_user request.env['HTTP_AUTHORIZATION'] = header_for_token_auth return @current_user @@ -41,7 +41,7 @@ module AuthTestHelper protected def header_for_token_auth - @token = find_record(:token, :user_id => @current_user.id) + @token = find_record(:token, :user => @current_user) ActionController::HttpAuthentication::Token.encode_credentials @token.id end end -- cgit v1.2.3 From 1e6e6d82ed53b1db558b7c1f4e14740962cc406a Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:56:41 +0200 Subject: separate different tests for showing non existant user This way the failed stubbing errors were more telling --- users/test/functional/users_controller_test.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb index 0ce5cc2..96ae48c 100644 --- a/users/test/functional/users_controller_test.rb +++ b/users/test/functional/users_controller_test.rb @@ -59,19 +59,23 @@ class UsersControllerTest < ActionController::TestCase assert_access_denied end - test "show for non-existing user" do + test "may not show non-existing user without auth" do nonid = 'thisisnotanexistinguserid' - # when unauthenticated: get :show, :id => nonid assert_access_denied(true, false) + end - # when authenticated but not admin: + test "may not show non-existing user without admin" do + nonid = 'thisisnotanexistinguserid' login + get :show, :id => nonid assert_access_denied + end - # when authenticated as admin: + test "redirect admin to user list for non-existing user" do + nonid = 'thisisnotanexistinguserid' login :is_admin? => true get :show, :id => nonid assert_response :redirect -- cgit v1.2.3 From d4a253d0564d4b1735fb8be5faac6a0fed174238 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 16:20:27 +0200 Subject: use token to update user password --- users/test/integration/api/python/flow_with_srp.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index d37c6af..72c513f 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -16,7 +16,8 @@ def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) # using globals for a start -server = 'https://dev.bitmask.net/1' +# server = 'https://dev.bitmask.net/1' +server = 'http://api.lvh.me:3000/1' login = 'test_' + id_generator() password = id_generator() + id_generator() @@ -41,15 +42,16 @@ def signup(session): } return session.post(server + '/users.json', data = user_params, verify = False) -def change_password(session): +def change_password(token): password = id_generator() + id_generator() salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[password_verifier]': binascii.hexlify(vkey), 'user[password_salt]': binascii.hexlify(salt) } + auth_headers = { 'Authorization': 'Token token="' + token + '"'} print user_params - print_and_parse(session.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False)) + print_and_parse(requests.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False, headers = auth_headers)) return srp.User( login, password, srp.SHA256, srp.NG_1024 ) @@ -84,7 +86,7 @@ auth = print_and_parse(authenticate(session, user['login'])) verify_or_debug(auth) assert usr.authenticated() -usr = change_password(session) +usr = change_password(auth['token']) auth = print_and_parse(authenticate(session, user['login'])) verify_or_debug(auth) -- cgit v1.2.3 From fdf9c5f9ea605020ea371de8e221efe8e5d5ba32 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 16:35:09 +0200 Subject: refactor: Changing the py test to use less globals and session only locally. --- users/test/integration/api/python/flow_with_srp.py | 59 +++++++++++----------- 1 file changed, 30 insertions(+), 29 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 72c513f..9fc168b 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -11,16 +11,31 @@ import binascii safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) +# using globals for now +# server = 'https://dev.bitmask.net/1' +server = 'http://api.lvh.me:3000/1' + +def run_tests(): + login = 'test_' + id_generator() + password = id_generator() + id_generator() + usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) + print_and_parse(signup(login, password)) + + auth = print_and_parse(authenticate(usr)) + verify_or_debug(auth, usr) + assert usr.authenticated() + + usr = change_password(auth['id'], login, auth['token']) + + auth = print_and_parse(authenticate(usr)) + verify_or_debug(auth, usr) + # At this point the authentication process is complete. + assert usr.authenticated() + # let's have some random name def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) -# using globals for a start -# server = 'https://dev.bitmask.net/1' -server = 'http://api.lvh.me:3000/1' -login = 'test_' + id_generator() -password = id_generator() + id_generator() - # log the server communication def print_and_parse(response): request = response.request @@ -33,16 +48,16 @@ def print_and_parse(response): except ValueError: return None -def signup(session): +def signup(login, password): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), 'user[password_salt]': binascii.hexlify(salt) } - return session.post(server + '/users.json', data = user_params, verify = False) + return requests.post(server + '/users.json', data = user_params, verify = False) -def change_password(token): +def change_password(user_id, login, token): password = id_generator() + id_generator() salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { @@ -51,11 +66,12 @@ def change_password(token): } auth_headers = { 'Authorization': 'Token token="' + token + '"'} print user_params - print_and_parse(requests.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False, headers = auth_headers)) + print_and_parse(requests.put(server + '/users/' + user_id + '.json', data = user_params, verify = False, headers = auth_headers)) return srp.User( login, password, srp.SHA256, srp.NG_1024 ) -def authenticate(session, login): +def authenticate(usr): + session = requests.session() uname, A = usr.start_authentication() params = { 'login': uname, @@ -63,10 +79,10 @@ def authenticate(session, login): } init = print_and_parse(session.post(server + '/sessions', data = params, verify=False)) M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - return session.put(server + '/sessions/' + login, verify = False, + return session.put(server + '/sessions/' + uname, verify = False, data = {'client_auth': binascii.hexlify(M)}) -def verify_or_debug(auth): +def verify_or_debug(auth, usr): if ( 'errors' in auth ): print ' u = "%x"' % usr.u print ' x = "%x"' % usr.x @@ -77,19 +93,4 @@ def verify_or_debug(auth): else: usr.verify_session( safe_unhexlify(auth["M2"]) ) -usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) -session = requests.session() -user = print_and_parse(signup(session)) - -# SRP signup would happen here and calculate M hex -auth = print_and_parse(authenticate(session, user['login'])) -verify_or_debug(auth) -assert usr.authenticated() - -usr = change_password(auth['token']) - -auth = print_and_parse(authenticate(session, user['login'])) -verify_or_debug(auth) -# At this point the authentication process is complete. -assert usr.authenticated() - +run_tests() -- cgit v1.2.3