Elgato_dark/zammad
1
0
Fork 0
mirror of https://github.com/zammad/zammad synced 2026-05-24 09:48:36 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zammad/test/controllers/api_auth_controller_test.rb

444 lines
15 KiB
Ruby
Raw Blame History

# encoding: utf-8
require 'test_helper'
class ApiAuthControllerTest < ActionDispatch::IntegrationTest
setup do
# set accept header
@headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }
# create agent
roles = Role.where(name: %w(Admin Agent))
groups = Group.all
UserInfo.current_user_id = 1
@admin = User.create_or_update(
login: 'api-admin',
firstname: 'API',
lastname: 'Admin',
email: 'api-admin@example.com',
password: 'adminpw',
active: true,
roles: roles,
groups: groups,
)
# create agent
roles = Role.where(name: 'Agent')
@agent = User.create_or_update(
login: 'api-agent@example.com',
firstname: 'API',
lastname: 'Agent',
email: 'api-agent@example.com',
password: 'agentpw',
active: true,
roles: roles,
groups: groups,
)
# create customer without org
roles = Role.where(name: 'Customer')
@customer = User.create_or_update(
login: 'api-customer1@example.com',
firstname: 'API',
lastname: 'Customer1',
email: 'api-customer1@example.com',
password: 'customer1pw',
active: true,
roles: roles,
)
end
test 'basic auth - admin' do
admin_credentials = ActionController::HttpAuthentication::Basic.encode_credentials('api-admin@example.com', 'adminpw')
Setting.set('api_password_access', false)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API password access disabled!', result['error'])
Setting.set('api_password_access', true)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert(result)
end
test 'basic auth - agent' do
agent_credentials = ActionController::HttpAuthentication::Basic.encode_credentials('api-agent@example.com', 'agentpw')
Setting.set('api_password_access', false)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API password access disabled!', result['error'])
Setting.set('api_password_access', true)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
end
test 'basic auth - customer' do
customer_credentials = ActionController::HttpAuthentication::Basic.encode_credentials('api-customer1@example.com', 'customer1pw')
Setting.set('api_password_access', false)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API password access disabled!', result['error'])
Setting.set('api_password_access', true)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
end
test 'token auth - admin' do
admin_token = Token.create(
action: 'api',
persistent: true,
user_id: @admin.id,
preferences: {
permission: ['admin.session'],
},
)
admin_credentials = "Token token=#{admin_token.name}"
Setting.set('api_token_access', false)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API token access disabled!', result['error'])
Setting.set('api_token_access', true)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert(result)
admin_token.preferences[:permission] = ['admin.session_not_existing']
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('Not authorized (token)!', result['error'])
admin_token.preferences[:permission] = []
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('Not authorized (token)!', result['error'])
@admin.active = false
@admin.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('User is inactive!', result['error'])
admin_token.preferences[:permission] = ['admin.session']
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('User is inactive!', result['error'])
@admin.active = true
@admin.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert(result)
get '/api/v1/roles', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('Not authorized (token)!', result['error'])
admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
admin_token.save!
get '/api/v1/roles', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
admin_token.preferences[:permission] = ['ticket.agent']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
admin_token.preferences[:permission] = ['admin.organization']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
admin_token.preferences[:permission] = ['admin']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
end
test 'token auth - agent' do
agent_token = Token.create(
action: 'api',
persistent: true,
user_id: @agent.id,
)
agent_credentials = "Token token=#{agent_token.name}"
Setting.set('api_token_access', false)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API token access disabled!', result['error'])
Setting.set('api_token_access', true)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
assert_response(401)
end
test 'token auth - customer' do
customer_token = Token.create(
action: 'api',
persistent: true,
user_id: @customer.id,
)
customer_credentials = "Token token=#{customer_token.name}"
Setting.set('api_token_access', false)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API token access disabled!', result['error'])
Setting.set('api_token_access', true)
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
assert_response(401)
end
test 'token auth - invalid user - admin' do
admin_token = Token.create(
action: 'api',
persistent: true,
user_id: @admin.id,
)
admin_credentials = "Token token=#{admin_token.name}"
@admin.active = false
@admin.save!
Setting.set('api_token_access', false)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('API token access disabled!', result['error'])
Setting.set('api_token_access', true)
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('User is inactive!', result['error'])
end
test 'token auth - expired' do
Setting.set('api_token_access', true)
admin_token = Token.create(
action: 'api',
persistent: true,
user_id: @admin.id,
expires_at: Time.zone.today
)
admin_credentials = "Token token=#{admin_token.name}"
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('Not authorized (token expired)!', result['error'])
admin_token.reload
assert_in_delta(admin_token.last_used_at, Time.zone.now, 1.second)
end
test 'token auth - not expired' do
Setting.set('api_token_access', true)
admin_token = Token.create(
action: 'api',
persistent: true,
user_id: @admin.id,
expires_at: Time.zone.tomorrow
)
admin_credentials = "Token token=#{admin_token.name}"
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
admin_token.reload
assert_in_delta(admin_token.last_used_at, Time.zone.now, 1.second)
end
test 'session auth - admin' do
post '/api/v1/signin', { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
assert_response(201)
get '/api/v1/sessions', {}
assert_response(200)
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert(result)
end
end
Reference in a new issue View git blame Copy permalink