jro_apps/redmine Files · test/integration/api_test/authentication_test.rb

Fixed STARTTLS option key (#19232)....

Fixed STARTTLS option key (#19232). git-svn-id: http://svn.redmine.org/redmine/trunk@14047 e93f8b46-1217-0410-a6f0-8f06a7374b81

Jean-Philippe Lang - - Load All Authors

File last commit:

r13490:000124f44f53


                r13665:2800598832d2

Download file

             authentication_test.rb
        
                    158 lines
            
             | 5.5 KiB
            
                | text/x-ruby
            
             |
                RubyLexer
            
             / test / integration / api_test / authentication_test.rb
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Jean-Philippe Lang
    
Do not user user session for API requests....

              r9902
            
      # Redmine - project management software

        Jean-Philippe Lang
    
Copyright update....

              r13490
            
      # Copyright (C) 2006-2015  Jean-Philippe Lang

        Jean-Philippe Lang
    
Do not user user session for API requests....

              r9902
            
      #

      # This program is free software; you can redistribute it and/or

      # modify it under the terms of the GNU General Public License

      # as published by the Free Software Foundation; either version 2

      # of the License, or (at your option) any later version.

      #

      # This program is distributed in the hope that it will be useful,

      # but WITHOUT ANY WARRANTY; without even the implied warranty of

      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

      # GNU General Public License for more details.

      #

      # You should have received a copy of the GNU General Public License

      # along with this program; if not, write to the Free Software

      # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

      require File.expand_path('../../../test_helper', __FILE__)

        Jean-Philippe Lang
    
Adds a subclass of ActionDispatch::IntegrationTest for API tests....

              r11023
            
      class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base

        Jean-Philippe Lang
    
Do not user user session for API requests....

              r9902
            
        fixtures :users

        Jean-Philippe Lang
    
Test API authentification once....

              r13293
            
        def test_api_should_deny_without_credentials

          get '/users/current.xml', {}

          assert_response 401

          assert_equal User.anonymous, User.current

          assert response.headers.has_key?('WWW-Authenticate')

        end

        def test_api_should_accept_http_basic_auth_using_username_and_password

          user = User.generate! do |user|

            user.password = 'my_password'

          end

          get '/users/current.xml', {}, credentials(user.login, 'my_password')

          assert_response 200

          assert_equal user, User.current

        end

        def test_api_should_deny_http_basic_auth_using_username_and_wrong_password

          user = User.generate! do |user|

            user.password = 'my_password'

          end

          get '/users/current.xml', {}, credentials(user.login, 'wrong_password')

          assert_response 401

          assert_equal User.anonymous, User.current

        end

        def test_api_should_accept_http_basic_auth_using_api_key

          user = User.generate!

          token = Token.create!(:user => user, :action => 'api')

          get '/users/current.xml', {}, credentials(token.value, 'X')

          assert_response 200

          assert_equal user, User.current

        end

        def test_api_should_deny_http_basic_auth_using_wrong_api_key

          user = User.generate!

          token = Token.create!(:user => user, :action => 'feeds') # not the API key

          get '/users/current.xml', {}, credentials(token.value, 'X')

          assert_response 401

          assert_equal User.anonymous, User.current

        end

        def test_api_should_accept_auth_using_api_key_as_parameter

          user = User.generate!

          token = Token.create!(:user => user, :action => 'api')

          get "/users/current.xml?key=#{token.value}", {}

          assert_response 200

          assert_equal user, User.current

        end

        def test_api_should_deny_auth_using_wrong_api_key_as_parameter

          user = User.generate!

          token = Token.create!(:user => user, :action => 'feeds') # not the API key

          get "/users/current.xml?key=#{token.value}", {}

          assert_response 401

          assert_equal User.anonymous, User.current

        end

        def test_api_should_accept_auth_using_api_key_as_request_header

          user = User.generate!

          token = Token.create!(:user => user, :action => 'api')

          get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}

          assert_response 200

          assert_equal user, User.current

        end

        def test_api_should_deny_auth_using_wrong_api_key_as_request_header

          user = User.generate!

          token = Token.create!(:user => user, :action => 'feeds') # not the API key

          get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}

          assert_response 401

          assert_equal User.anonymous, User.current

        end

        Jean-Philippe Lang
    
Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....

              r12640
            
        def test_api_should_trigger_basic_http_auth_with_basic_authorization_header

          ApplicationController.any_instance.expects(:authenticate_with_http_basic).once

        Jean-Philippe Lang
    
Strip invalid UTF-8 bytes in User#find_by_login (#16107)....

              r12641
            
          get '/users/current.xml', {}, credentials('jsmith')

        Toshi MARUYAMA
    
add "assert_response 401" to tests (#16107)...

              r12642
            
          assert_response 401

        Jean-Philippe Lang
    
Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....

              r12640
            
        end

        def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header

          ApplicationController.any_instance.expects(:authenticate_with_http_basic).never

          get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'

        Toshi MARUYAMA
    
add "assert_response 401" to tests (#16107)...

              r12642
            
          assert_response 401

        Jean-Philippe Lang
    
Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....

              r12640
            
        end

        Jean-Philippe Lang
    
Strip invalid UTF-8 bytes in User#find_by_login (#16107)....

              r12641
            
        def test_invalid_utf8_credentials_should_not_trigger_an_error

        Jean-Philippe Lang
    
Merged rails-4.1 branch (#14534)....

              r13100
            
          invalid_utf8 = "\x82".force_encoding('UTF-8')

          assert !invalid_utf8.valid_encoding?

        Jean-Philippe Lang
    
Strip invalid UTF-8 bytes in User#find_by_login (#16107)....

              r12641
            
          assert_nothing_raised do

        Toshi MARUYAMA
    
explicitly set encoding UTF-8 (#16107)...

              r12643
            
            get '/users/current.xml', {}, credentials(invalid_utf8, "foo")

        Jean-Philippe Lang
    
Strip invalid UTF-8 bytes in User#find_by_login (#16107)....

              r12641
            
          end

        end

        Jean-Philippe Lang
    
Do not user user session for API requests....

              r9902
            
        def test_api_request_should_not_use_user_session

          log_user('jsmith', 'jsmith')

          get '/users/current'

          assert_response :success

          get '/users/current.json'

          assert_response 401

        end

        Jean-Philippe Lang
    
Adds an optional X-Redmine-Switch-User header to let admin users swicth user in API calls (#11755)....

              r10397
            
        def test_api_should_accept_switch_user_header_for_admin_user

          user = User.find(1)

          su = User.find(4)

          get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

          assert_response :success

          assert_equal su, assigns(:user)

          assert_equal su, User.current

        end

        def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user

          get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}

          assert_response 412

        end

        def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user

          user = User.find(5)

          assert user.locked?

          get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}

          assert_response 412

        end

        def test_api_should_not_accept_switch_user_header_for_non_admin_user

          user = User.find(2)

          su = User.find(4)

          get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

          assert_response :success

          assert_equal user, assigns(:user)

          assert_equal user, User.current

        end

        Jean-Philippe Lang
    
Do not user user session for API requests....

              r9902
            
      end

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Jean-Philippe Lang Do not user user session for API requests....	r9902	# Redmine - project management software
Jean-Philippe Lang Copyright update....	r13490	# Copyright (C) 2006-2015 Jean-Philippe Lang
Jean-Philippe Lang Do not user user session for API requests....	r9902	#
		# This program is free software; you can redistribute it and/or
		# modify it under the terms of the GNU General Public License
		# as published by the Free Software Foundation; either version 2
		# of the License, or (at your option) any later version.
		#
		# This program is distributed in the hope that it will be useful,
		# but WITHOUT ANY WARRANTY; without even the implied warranty of
		# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		# GNU General Public License for more details.
		#
		# You should have received a copy of the GNU General Public License
		# along with this program; if not, write to the Free Software
		# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

		require File.expand_path('../../../test_helper', __FILE__)

Jean-Philippe Lang Adds a subclass of ActionDispatch::IntegrationTest for API tests....	r11023	class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
Jean-Philippe Lang Do not user user session for API requests....	r9902	fixtures :users

Jean-Philippe Lang Test API authentification once....	r13293	def test_api_should_deny_without_credentials
		get '/users/current.xml', {}
		assert_response 401
		assert_equal User.anonymous, User.current
		assert response.headers.has_key?('WWW-Authenticate')
		end

		def test_api_should_accept_http_basic_auth_using_username_and_password
		user = User.generate! do \|user\|
		user.password = 'my_password'
		end
		get '/users/current.xml', {}, credentials(user.login, 'my_password')
		assert_response 200
		assert_equal user, User.current
		end

		def test_api_should_deny_http_basic_auth_using_username_and_wrong_password
		user = User.generate! do \|user\|
		user.password = 'my_password'
		end
		get '/users/current.xml', {}, credentials(user.login, 'wrong_password')
		assert_response 401
		assert_equal User.anonymous, User.current
		end

		def test_api_should_accept_http_basic_auth_using_api_key
		user = User.generate!
		token = Token.create!(:user => user, :action => 'api')
		get '/users/current.xml', {}, credentials(token.value, 'X')
		assert_response 200
		assert_equal user, User.current
		end

		def test_api_should_deny_http_basic_auth_using_wrong_api_key
		user = User.generate!
		token = Token.create!(:user => user, :action => 'feeds') # not the API key
		get '/users/current.xml', {}, credentials(token.value, 'X')
		assert_response 401
		assert_equal User.anonymous, User.current
		end

		def test_api_should_accept_auth_using_api_key_as_parameter
		user = User.generate!
		token = Token.create!(:user => user, :action => 'api')
		get "/users/current.xml?key=#{token.value}", {}
		assert_response 200
		assert_equal user, User.current
		end

		def test_api_should_deny_auth_using_wrong_api_key_as_parameter
		user = User.generate!
		token = Token.create!(:user => user, :action => 'feeds') # not the API key
		get "/users/current.xml?key=#{token.value}", {}
		assert_response 401
		assert_equal User.anonymous, User.current
		end

		def test_api_should_accept_auth_using_api_key_as_request_header
		user = User.generate!
		token = Token.create!(:user => user, :action => 'api')
		get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
		assert_response 200
		assert_equal user, User.current
		end

		def test_api_should_deny_auth_using_wrong_api_key_as_request_header
		user = User.generate!
		token = Token.create!(:user => user, :action => 'feeds') # not the API key
		get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
		assert_response 401
		assert_equal User.anonymous, User.current
		end

Jean-Philippe Lang Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....	r12640	def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
		ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
Jean-Philippe Lang Strip invalid UTF-8 bytes in User#find_by_login (#16107)....	r12641	get '/users/current.xml', {}, credentials('jsmith')
Toshi MARUYAMA add "assert_response 401" to tests (#16107)...	r12642	assert_response 401
Jean-Philippe Lang Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....	r12640	end

		def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
		ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
		get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
Toshi MARUYAMA add "assert_response 401" to tests (#16107)...	r12642	assert_response 401
Jean-Philippe Lang Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....	r12640	end

Jean-Philippe Lang Strip invalid UTF-8 bytes in User#find_by_login (#16107)....	r12641	def test_invalid_utf8_credentials_should_not_trigger_an_error
Jean-Philippe Lang Merged rails-4.1 branch (#14534)....	r13100	invalid_utf8 = "\x82".force_encoding('UTF-8')
		assert !invalid_utf8.valid_encoding?
Jean-Philippe Lang Strip invalid UTF-8 bytes in User#find_by_login (#16107)....	r12641	assert_nothing_raised do
Toshi MARUYAMA explicitly set encoding UTF-8 (#16107)...	r12643	get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
Jean-Philippe Lang Strip invalid UTF-8 bytes in User#find_by_login (#16107)....	r12641	end
		end

Jean-Philippe Lang Do not user user session for API requests....	r9902	def test_api_request_should_not_use_user_session
		log_user('jsmith', 'jsmith')

		get '/users/current'
		assert_response :success

		get '/users/current.json'
		assert_response 401
		end
Jean-Philippe Lang Adds an optional X-Redmine-Switch-User header to let admin users swicth user in API calls (#11755)....	r10397
		def test_api_should_accept_switch_user_header_for_admin_user
		user = User.find(1)
		su = User.find(4)

		get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
		assert_response :success
		assert_equal su, assigns(:user)
		assert_equal su, User.current
		end

		def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user
		get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}
		assert_response 412
		end

		def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user
		user = User.find(5)
		assert user.locked?

		get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}
		assert_response 412
		end

		def test_api_should_not_accept_switch_user_header_for_non_admin_user
		user = User.find(2)
		su = User.find(4)

		get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
		assert_response :success
		assert_equal user, assigns(:user)
		assert_equal user, User.current
		end
Jean-Philippe Lang Do not user user session for API requests....	r9902	end