1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
require 'test_helper'
class AccountTest < BrowserIntegrationTest
teardown do
Identity.destroy_all_disabled
end
test "normal account workflow" do
username, password = submit_signup
assert page.has_content?("Welcome #{username}")
click_on 'Logout'
assert page.has_content?("Log In")
assert_equal '/', current_path
assert user = User.find_by_login(username)
user.account.destroy
end
test "successful login" do
username, password = submit_signup
click_on 'Logout'
attempt_login(username, password)
assert page.has_content?("Welcome #{username}")
within('.sidenav li.active') do
assert page.has_content?("Overview")
end
User.find_by_login(username).account.destroy
end
test "failed login" do
visit '/'
attempt_login("username", "wrong password")
assert_invalid_login(page)
end
test "account destruction" do
username, password = submit_signup
click_on I18n.t('account_settings')
click_on I18n.t('destroy_my_account')
assert page.has_content?(I18n.t('account_destroyed'))
attempt_login(username, password)
assert_invalid_login(page)
end
test "handle blocked after account destruction" do
username, password = submit_signup
click_on I18n.t('account_settings')
click_on I18n.t('destroy_my_account')
submit_signup(username)
assert page.has_content?('has already been taken')
end
test "default user actions" do
username, password = submit_signup
click_on "Account Settings"
assert page.has_content? I18n.t('destroy_my_account')
assert page.has_no_css? '#update_login_and_password'
assert page.has_no_css? '#update_pgp_key'
end
test "default admin actions" do
username, password = submit_signup
with_config admins: [username] do
click_on "Account Settings"
assert page.has_content? I18n.t('destroy_my_account')
assert page.has_no_css? '#update_login_and_password'
assert page.has_css? '#update_pgp_key'
end
end
test "change password" do
with_config user_actions: ['change_password'] do
username, password = submit_signup
click_on "Account Settings"
within('#update_login_and_password') do
fill_in 'Password', with: "other password"
fill_in 'Password confirmation', with: "other password"
click_on 'Save'
end
click_on 'Logout'
attempt_login(username, "other password")
assert page.has_content?("Welcome #{username}")
User.find_by_login(username).account.destroy
end
end
test "change pgp key" do
with_config user_actions: ['change_pgp_key'] do
pgp_key = FactoryGirl.build :pgp_key
username, password = submit_signup
click_on "Account Settings"
within('#update_pgp_key') do
fill_in 'Public key', with: pgp_key
click_on 'Save'
end
page.assert_selector 'input[value="Saving..."]'
# at some point we're done:
page.assert_no_selector 'input[value="Saving..."]'
assert page.has_field? 'Public key', with: pgp_key.to_s
user = User.find_by_login(username)
assert_equal pgp_key, user.public_key
user.account.destroy
end
end
# trying to seed an invalid A for srp login
test "detects attempt to circumvent SRP" do
user = FactoryGirl.create :user
visit '/login'
fill_in 'Username', with: user.login
fill_in 'Password', with: "password"
inject_malicious_js
click_on 'Log In'
assert page.has_content?("Invalid random key")
assert page.has_no_content?("Welcome")
user.destroy
end
test "reports internal server errors" do
V1::UsersController.any_instance.stubs(:create).raises
submit_signup
assert page.has_content?("server failed")
end
def attempt_login(username, password)
click_on 'Log In'
fill_in 'Username', with: username
fill_in 'Password', with: password
click_on 'Log In'
end
def assert_invalid_login(page)
assert page.has_selector? '.btn-primary.disabled'
assert page.has_content? I18n.t(:invalid_user_pass)
assert page.has_no_selector? '.btn-primary.disabled'
end
def inject_malicious_js
page.execute_script <<-EOJS
var calc = new srp.Calculate();
calc.A = function(_a) {return "00";};
calc.S = calc.A;
srp.session = new srp.Session(null, calc);
EOJS
end
end
|