mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 199 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17596 Commits
33 Branches
Tree: 1481c721a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1481c721a2'
${ noResults }
redmine/test/integration/api_test/authentication_test.rb

authentication_test.rb 5.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. # frozen_string_literal: true

  2. 

  3. # Redmine - project management software

  4. # Copyright (C) 2006-2023  Jean-Philippe Lang

  5. #

  6. # This program is free software; you can redistribute it and/or

  7. # modify it under the terms of the GNU General Public License

  8. # as published by the Free Software Foundation; either version 2

  9. # of the License, or (at your option) any later version.

  10. #

  11. # This program is distributed in the hope that it will be useful,

  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14. # GNU General Public License for more details.

  15. #

  16. # You should have received a copy of the GNU General Public License

  17. # along with this program; if not, write to the Free Software

  18. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19. 

  20. require_relative '../../test_helper'

  21. 

  22. class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base

  23.   fixtures :users

  24. 

  25.   def teardown

  26.     User.current = nil

  27.   end

  28. 

  29.   def test_api_should_deny_without_credentials

  30.     get '/users/current.xml'

  31.     assert_response 401

  32.     assert response.headers.has_key?('WWW-Authenticate')

  33.   end

  34. 

  35.   def test_api_should_accept_http_basic_auth_using_username_and_password

  36.     user = User.generate! do |user|

  37.       user.password = 'my_password'

  38.     end

  39.     get '/users/current.xml', :headers => credentials(user.login, 'my_password')

  40.     assert_response 200

  41.   end

  42. 

  43.   def test_api_should_deny_http_basic_auth_using_username_and_wrong_password

  44.     user = User.generate! do |user|

  45.       user.password = 'my_password'

  46.     end

  47.     get '/users/current.xml', :headers => credentials(user.login, 'wrong_password')

  48.     assert_response 401

  49.   end

  50. 

  51.   def test_api_should_deny_http_basic_auth_if_twofa_is_active

  52.     user = User.generate! do |user|

  53.       user.password = 'my_password'

  54.       user.update(twofa_scheme: 'totp')

  55.     end

  56.     get '/users/current.xml', :headers => credentials(user.login, 'my_password')

  57.     assert_response 401

  58.   end

  59. 

  60.   def test_api_should_accept_http_basic_auth_using_api_key

  61.     user = User.generate!

  62.     token = Token.create!(:user => user, :action => 'api')

  63.     get '/users/current.xml', :headers => credentials(token.value, 'X')

  64.     assert_response 200

  65.   end

  66. 

  67.   def test_api_should_deny_http_basic_auth_using_wrong_api_key

  68.     user = User.generate!

  69.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  70.     get '/users/current.xml', :headers => credentials(token.value, 'X')

  71.     assert_response 401

  72.   end

  73. 

  74.   def test_api_should_accept_auth_using_api_key_as_parameter

  75.     user = User.generate!

  76.     token = Token.create!(:user => user, :action => 'api')

  77.     get "/users/current.xml?key=#{token.value}"

  78.     assert_response 200

  79.   end

  80. 

  81.   def test_api_should_deny_auth_using_wrong_api_key_as_parameter

  82.     user = User.generate!

  83.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  84.     get "/users/current.xml?key=#{token.value}"

  85.     assert_response 401

  86.   end

  87. 

  88.   def test_api_should_accept_auth_using_api_key_as_request_header

  89.     user = User.generate!

  90.     token = Token.create!(:user => user, :action => 'api')

  91.     get "/users/current.xml", :headers => {'X-Redmine-API-Key' => token.value.to_s}

  92.     assert_response 200

  93.   end

  94. 

  95.   def test_api_should_deny_auth_using_wrong_api_key_as_request_header

  96.     user = User.generate!

  97.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  98.     get "/users/current.xml", :headers => {'X-Redmine-API-Key' => token.value.to_s}

  99.     assert_response 401

  100.   end

  101. 

  102.   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header

  103.     ApplicationController.any_instance.expects(:authenticate_with_http_basic).once

  104.     get '/users/current.xml', :headers => credentials('jsmith')

  105.     assert_response 401

  106.   end

  107. 

  108.   def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header

  109.     ApplicationController.any_instance.expects(:authenticate_with_http_basic).never

  110.     get '/users/current.xml', :headers => {'HTTP_AUTHORIZATION' => 'Digest foo bar'}

  111.     assert_response 401

  112.   end

  113. 

  114.   def test_invalid_utf8_credentials_should_not_trigger_an_error

  115.     invalid_utf8 = "\x82"

  116.     assert !invalid_utf8.valid_encoding?

  117.     assert_nothing_raised do

  118.       get '/users/current.xml', :headers => credentials(invalid_utf8, "foo")

  119.     end

  120.   end

  121. 

  122.   def test_api_request_should_not_use_user_session

  123.     log_user('jsmith', 'jsmith')

  124. 

  125.     get '/users/current'

  126.     assert_response :success

  127. 

  128.     get '/users/current.json'

  129.     assert_response 401

  130.   end

  131. 

  132.   def test_api_should_accept_switch_user_header_for_admin_user

  133.     user = User.find(1)

  134.     su = User.find(4)

  135. 

  136.     get '/users/current', :headers => {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

  137.     assert_response :success

  138.     assert_select 'h2', :text => su.name

  139.   end

  140. 

  141.   def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user

  142.     get '/users/current', :headers => {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}

  143.     assert_response 412

  144.   end

  145. 

  146.   def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user

  147.     user = User.find(5)

  148.     assert user.locked?

  149. 

  150.     get '/users/current', :headers => {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}

  151.     assert_response 412

  152.   end

  153. 

  154.   def test_api_should_not_accept_switch_user_header_for_non_admin_user

  155.     user = User.find(2)

  156.     su = User.find(4)

  157. 

  158.     get '/users/current', :headers => {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

  159.     assert_response :success

  160.     assert_select 'h2', :text => user.name

  161.   end

  162. end